Crash on revolved sketch change #468

phkahler · 2019-08-27T18:00:32Z

System information

Recent master
Operating system: Fedora 30

Expected behavior

File->New
Create a rectangle to the right of the origin.
Select the vertical axis and the origin.
Shift->V to revolve the rectangle
Select the sketch group in the text window
Select a corner of the rectangle and Shift->A to round the corner.

What should have happened?
The corner should be rounded
Going back to the revolved group the edge should be rounded.

Actual behavior

What actually happened?
It crashed when trying to round the corner on the sketch.
Sometimes it's the first corner, sometimes it's the opposite corner.

Additional information

/solvespace/src/dsc.h, line 425, function FindById:
Assertion failed: t != NULL.

ruevs · 2019-08-28T12:27:22Z

Does not crash for me with the version I attached here:
http://solvespace.com/forum.pl?action=viewthread&parent=2797&tt=1566914885
built from 22e4011 with the OpenGL 1 rendering interface.

phkahler · 2019-08-28T14:50:04Z

To clarify, to reproduce this issue we try to create this:

But revolve the rectangle first, then go back to the sketch and try to round the corners. At that point it crashes. The image here was created from one of my branches (helix) which deviated from master a while back.

ruevs · 2019-08-28T15:18:24Z

Your bug description is very clear and I did revolve the rectangle first and then went back to the sketch and rounded the corners. No crash.
Compiled with "gcc (MinGW.org GCC-6.3.0-1) 6.3.0" under Windows 10.

phkahler · 2019-09-06T19:28:35Z

@rpavlik I tried several revisions in an attempt to narrow this down:

13820bf Bug exists. Crash on modify sketch.
Revert "IdList::RemoveTagged switch to std::remove_if from iteration.…

b284e80 can not revolve the rectangle - it crashes.
Improve NextAfter. NFC.

533ca61 can not revolve the rectangle - it crashes.
Fix a manual manipulation of List::n. NFC.

9fd09dd can not revolve the rectangle - it crashes.
Add IdList::AllocForOneMore() based on List. NFC.

0bfbbe2 can not revolve the rectangle - it crashes.
Improve implementation hiding in IdList/List. NFC.

482f0e8 build error
Replace qsort with std::sort and lambda. NFC.
solvespace/src/groupmesh.cpp:709:38: error: no match for ‘operator[]’ (operand types are ‘const SolveSpace::ListSolveSpace::SBezierLoop’ and ‘int’)
709 | if(sbls.l.IsEmpty() || sbls.l[0].l.IsEmpty())

1b97a00 build error
Add and use List::IsEmpty, range-for, etc. NFC.
solvespace/src/graphicswin.cpp:386:32: error: no match for ‘operator[]’ (operand types are ‘SolveSpace::ListSolveSpace::hGroup’ and ‘int’)
386 | activeGroup = SK.groupOrder[SK.groupOrder.n - 1];

b5f36a4 build errors
Provide cbegin(), cend() in containers. NFC.

86f20cc build error
Convert many loops to range-for or std algorithms. NFC.
solvespace/src/graphicswin.cpp:384:29: error: ‘class SolveSpace::ListSolveSpace::hGroup’ has no member named ‘IsEmpty’
384 | ssassert(!SK.groupOrder.IsEmpty(),

The 97c8cb7 commit prior to that by @whitequark works fine. Most of the commits in that series don't build on my Fedora box, and then a couple have the seemingly worse bug where the initial revolve in the bug report crashes. When that finally got fixed, the bug reported here is present.

phkahler · 2019-09-07T18:16:52Z

Has anyone else reproduced this crash?

It doesn't happen with Lathe or Helix - which is strange because Helix is mostly the same as Revolve. It happens if I disable the mesh for the group. It happens if I modify Revolve to copy entities the same was as Helix. But it doesn't happen if I comment out the copying of Revolve entities in Group::Generate.

rpavlik · 2019-09-09T14:50:42Z

This sounds a bit like the bug I fixed shortly after that commit series. (the revert) Here's that commit series fixed to actually build each commit (oops) https://github.com/rpavlik/solvespace/tree/asan-bad

(note that in that commit, I get a crash at the revolve stage.)

I can reproduce this in the latest master on Debian.

rpavlik · 2019-09-09T14:57:41Z

Hmm, and if I build and run with sanitizers (and then have it set to not halt on error) I actually get a crash at the revolve again, with a "use after free"

==26055==ERROR: AddressSanitizer: heap-use-after-free on address 0x626000a2415c at pc 0x000000907c2b bp 0x7fffffffacb0 sp 0x7fffffffaca8
READ of size 4 at 0x626000a2415c thread T0
    #0 0x907c2a in std::enable_if<IsHandleOracle<SolveSpace::hGroup>::value, bool>::type SolveSpace::operator==<SolveSpace::hGroup>(SolveSpace::hGroup const&, SolveSpace::hGroup const&) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:23:16
    #1 0x90caf2 in std::enable_if<IsHandleOracle<SolveSpace::hGroup>::value, bool>::type SolveSpace::operator!=<SolveSpace::hGroup>(SolveSpace::hGroup const&, SolveSpace::hGroup const&) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:30:18
    #2 0x90a25b in SolveSpace::Group::Generate(SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>*, SolveSpace::IdList<SolveSpace::Param, SolveSpace::hParam>*) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:582:33
    #3 0x8d2307 in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:237:12
    #4 0x8d1edd in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:195:9
    #5 0x906199 in SolveSpace::Group::MenuGroup(SolveSpace::Command, SolveSpace::Platform::Path) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:341:8
    #6 0x9039ca in SolveSpace::Group::MenuGroup(SolveSpace::Command) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:67:5
    #7 0x8f5123 in void std::__invoke_impl<void, void (*&)(SolveSpace::Command), SolveSpace::Command&>(std::__invoke_other, void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #8 0x8f4fa6 in std::__invoke_result<void (*&)(SolveSpace::Command), SolveSpace::Command&>::type std::__invoke<void (*&)(SolveSpace::Command), SolveSpace::Command&>(void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #9 0x8f4ec0 in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:400:11
    #10 0x8f4d0b in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:482:17
    #11 0x8f48cf in std::_Function_handler<void (), std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)> >::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
    #12 0x78a98d in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #13 0x78f894 in SolveSpace::Platform::GtkMenuItem::on_activate() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:268:13
    #14 0x7ffff7ccfe6d in Gtk::MenuItem_Class::activate_callback(_GtkMenuItem*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x37ae6d)
    #15 0x7ffff632bc8c in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10c8c)
    #16 0x7ffff633f4b3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x244b3)
    #17 0x7ffff63482bd in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d2bd)
    #18 0x7ffff634897e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d97e)
    #19 0x7ffff7530c0f  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x37ac0f)
    #20 0x7ffff632bc8c in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10c8c)
    #21 0x7ffff633f364  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x24364)
    #22 0x7ffff63479aa in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2c9aa)
    #23 0x7ffff634897e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d97e)
    #24 0x7ffff72baa97 in gtk_accel_group_activate (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x104a97)
    #25 0x7ffff72bc3dc in gtk_accel_groups_activate (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1063dc)
    #26 0x7ffff7553131 in gtk_window_activate_key (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x39d131)
    #27 0x7ffff7553410  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x39d410)
    #28 0x7ffff7d2ac36 in Gtk::Widget::on_key_press_event(_GdkEventKey*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x3d5c36)
    #29 0x7ffff7d2cda3 in Gtk::Widget_Class::key_press_event_callback(_GtkWidget*, _GdkEventKey*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x3d7da3)
    #30 0x7ffff7581273  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x3cb273)
    #31 0x7ffff632bec5  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10ec5)
    #32 0x7ffff6347d73 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2cd73)
    #33 0x7ffff634897e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d97e)
    #34 0x7ffff752f323  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x379323)
    #35 0x7ffff73efa3e  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x239a3e)
    #36 0x7ffff73f1a82 in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x23ba82)
    #37 0x7ffff70f3464  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x39464)
    #38 0x7ffff7124111  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x6a111)
    #39 0x7ffff6f22f2d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4df2d)
    #40 0x7ffff6f231c7  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e1c7)
    #41 0x7ffff6f234c1 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e4c1)
    #42 0x7ffff73f0b14 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x23ab14)
    #43 0x783168 in SolveSpace::Platform::RunGui() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:1473:5
    #44 0x780e23 in main /home/ryan/src/third-party/solvespace/build/../src/platform/entrygui.cpp:28:5
    #45 0x7ffff667d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #46 0x627499 in _start (/home/ryan/src/third-party/solvespace/build/bin/solvespace+0x627499)

0x626000a2415c is located 4188 bytes inside of 11136-byte region [0x626000a23100,0x626000a25c80)
freed by thread T0 here:
    #0 0x6d2ac2 in free (/home/ryan/src/third-party/solvespace/build/bin/solvespace+0x6d2ac2)
    #1 0x7bb818 in SolveSpace::MemFree(void*) /home/ryan/src/third-party/solvespace/build/../src/platform/utilunix.cpp:75:5
    #2 0x8c03fc in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::ReserveMore(int) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:405:13
    #3 0x8c00e6 in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::AllocForOneMore() /home/ryan/src/third-party/solvespace/build/../src/dsc.h:353:13
    #4 0x8a34e3 in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::Add(SolveSpace::Entity*) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:411:9
    #5 0x90d8ef in SolveSpace::Group::CopyEntity(SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>*, SolveSpace::Entity*, int, int, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::Group::CopyAs) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:1103:9
    #6 0x90a23c in SolveSpace::Group::Generate(SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>*, SolveSpace::IdList<SolveSpace::Param, SolveSpace::hParam>*) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:578:17
    #7 0x8d2307 in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:237:12
    #8 0x8d1edd in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:195:9
    #9 0x906199 in SolveSpace::Group::MenuGroup(SolveSpace::Command, SolveSpace::Platform::Path) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:341:8
    #10 0x9039ca in SolveSpace::Group::MenuGroup(SolveSpace::Command) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:67:5
    #11 0x8f5123 in void std::__invoke_impl<void, void (*&)(SolveSpace::Command), SolveSpace::Command&>(std::__invoke_other, void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #12 0x8f4fa6 in std::__invoke_result<void (*&)(SolveSpace::Command), SolveSpace::Command&>::type std::__invoke<void (*&)(SolveSpace::Command), SolveSpace::Command&>(void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #13 0x8f4ec0 in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:400:11
    #14 0x8f4d0b in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:482:17
    #15 0x8f48cf in std::_Function_handler<void (), std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)> >::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
    #16 0x78a98d in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #17 0x78f894 in SolveSpace::Platform::GtkMenuItem::on_activate() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:268:13
    #18 0x7ffff7ccfe6d in Gtk::MenuItem_Class::activate_callback(_GtkMenuItem*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x37ae6d)

previously allocated by thread T0 here:
    #0 0x6d2e43 in __interceptor_malloc (/home/ryan/src/third-party/solvespace/build/bin/solvespace+0x6d2e43)
    #1 0x7bb7d8 in SolveSpace::MemAlloc(unsigned long) /home/ryan/src/third-party/solvespace/build/../src/platform/utilunix.cpp:69:15
    #2 0x8c02c5 in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::ReserveMore(int) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:400:31
    #3 0x8d2127 in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:214:15
    #4 0x8d1edd in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:195:9
    #5 0x906199 in SolveSpace::Group::MenuGroup(SolveSpace::Command, SolveSpace::Platform::Path) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:341:8
    #6 0x9039ca in SolveSpace::Group::MenuGroup(SolveSpace::Command) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:67:5
    #7 0x8f5123 in void std::__invoke_impl<void, void (*&)(SolveSpace::Command), SolveSpace::Command&>(std::__invoke_other, void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #8 0x8f4fa6 in std::__invoke_result<void (*&)(SolveSpace::Command), SolveSpace::Command&>::type std::__invoke<void (*&)(SolveSpace::Command), SolveSpace::Command&>(void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #9 0x8f4ec0 in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:400:11
    #10 0x8f4d0b in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:482:17
    #11 0x8f48cf in std::_Function_handler<void (), std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)> >::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
    #12 0x78a98d in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #13 0x78f894 in SolveSpace::Platform::GtkMenuItem::on_activate() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:268:13
    #14 0x7ffff7ccfe6d in Gtk::MenuItem_Class::activate_callback(_GtkMenuItem*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x37ae6d)

SUMMARY: AddressSanitizer: heap-use-after-free /home/ryan/src/third-party/solvespace/build/../src/dsc.h:23:16 in std::enable_if<IsHandleOracle<SolveSpace::hGroup>::value, bool>::type SolveSpace::operator==<SolveSpace::hGroup>(SolveSpace::hGroup const&, SolveSpace::hGroup const&)
Shadow bytes around the buggy address:
  0x0c4c8013c7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c7e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c7f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4c8013c820: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c4c8013c830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c8013c870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==26055==ABORTING
[1] + Done                       "/usr/bin/gdb" --interpreter=mi --tty=${DbgTerm} 0<"/tmp/Microsoft-MIEngine-In-133yu7eb.5da" 1>"/tmp/Microsoft-MIEngine-Out-tnakgq1b.zmo"

I also get the crash if I try Helix.

==27146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6260009c4158 at pc 0x000000802f11 bp 0x7fffffffb070 sp 0x7fffffffb068
READ of size 4 at 0x6260009c4158 thread T0
    #0 0x802f10 in SolveSpace::EntityBase::IsPoint() const /home/ryan/src/third-party/solvespace/build/../src/entity.cpp:241:12
    #1 0x7f4f79 in SolveSpace::Entity::CalculateNumerical(bool) /home/ryan/src/third-party/solvespace/build/../src/drawentity.cpp:183:8
    #2 0x90a8e9 in SolveSpace::Group::Generate(SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>*, SolveSpace::IdList<SolveSpace::Param, SolveSpace::hParam>*) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:630:24
    #3 0x8d2307 in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:237:12
    #4 0x8d1edd in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:195:9
    #5 0x906199 in SolveSpace::Group::MenuGroup(SolveSpace::Command, SolveSpace::Platform::Path) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:341:8
    #6 0x9039ca in SolveSpace::Group::MenuGroup(SolveSpace::Command) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:67:5
    #7 0x8f5123 in void std::__invoke_impl<void, void (*&)(SolveSpace::Command), SolveSpace::Command&>(std::__invoke_other, void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #8 0x8f4fa6 in std::__invoke_result<void (*&)(SolveSpace::Command), SolveSpace::Command&>::type std::__invoke<void (*&)(SolveSpace::Command), SolveSpace::Command&>(void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #9 0x8f4ec0 in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:400:11
    #10 0x8f4d0b in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:482:17
    #11 0x8f48cf in std::_Function_handler<void (), std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)> >::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
    #12 0x78a98d in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #13 0x78f894 in SolveSpace::Platform::GtkMenuItem::on_activate() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:268:13
    #14 0x7ffff7ccfe6d in Gtk::MenuItem_Class::activate_callback(_GtkMenuItem*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x37ae6d)
    #15 0x7ffff632bc8c in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10c8c)
    #16 0x7ffff633f4b3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x244b3)
    #17 0x7ffff63482bd in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d2bd)
    #18 0x7ffff634897e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d97e)
    #19 0x7ffff7531889 in gtk_widget_activate (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x37b889)
    #20 0x7ffff7404a85 in gtk_menu_shell_activate_item (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x24ea85)
    #21 0x7ffff7404d22  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x24ed22)
    #22 0x7ffff7581273  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x3cb273)
    #23 0x7ffff632bec5  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10ec5)
    #24 0x7ffff6347d73 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2cd73)
    #25 0x7ffff634897e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2d97e)
    #26 0x7ffff752f323  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x379323)
    #27 0x7ffff73ef975  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x239975)
    #28 0x7ffff73f1a82 in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x23ba82)
    #29 0x7ffff70f3464  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x39464)
    #30 0x7ffff7124111  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x6a111)
    #31 0x7ffff6f22f2d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4df2d)
    #32 0x7ffff6f231c7  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e1c7)
    #33 0x7ffff6f234c1 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e4c1)
    #34 0x7ffff73f0b14 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x23ab14)
    #35 0x783168 in SolveSpace::Platform::RunGui() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:1473:5
    #36 0x780e23 in main /home/ryan/src/third-party/solvespace/build/../src/platform/entrygui.cpp:28:5
    #37 0x7ffff667d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #38 0x627499 in _start (/home/ryan/src/third-party/solvespace/build/bin/solvespace+0x627499)

0x6260009c4158 is located 4184 bytes inside of 11136-byte region [0x6260009c3100,0x6260009c5c80)
freed by thread T0 here:
    #0 0x6d2ac2 in free (/home/ryan/src/third-party/solvespace/build/bin/solvespace+0x6d2ac2)
    #1 0x7bb818 in SolveSpace::MemFree(void*) /home/ryan/src/third-party/solvespace/build/../src/platform/utilunix.cpp:75:5
    #2 0x8c03fc in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::ReserveMore(int) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:405:13
    #3 0x8c00e6 in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::AllocForOneMore() /home/ryan/src/third-party/solvespace/build/../src/dsc.h:353:13
    #4 0x8a34e3 in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::Add(SolveSpace::Entity*) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:411:9
    #5 0x90d8ef in SolveSpace::Group::CopyEntity(SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>*, SolveSpace::Entity*, int, int, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::hParam, SolveSpace::Group::CopyAs) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:1103:9
    #6 0x90a8cf in SolveSpace::Group::Generate(SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>*, SolveSpace::IdList<SolveSpace::Param, SolveSpace::hParam>*) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:626:17
    #7 0x8d2307 in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:237:12
    #8 0x8d1edd in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:195:9
    #9 0x906199 in SolveSpace::Group::MenuGroup(SolveSpace::Command, SolveSpace::Platform::Path) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:341:8
    #10 0x9039ca in SolveSpace::Group::MenuGroup(SolveSpace::Command) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:67:5
    #11 0x8f5123 in void std::__invoke_impl<void, void (*&)(SolveSpace::Command), SolveSpace::Command&>(std::__invoke_other, void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #12 0x8f4fa6 in std::__invoke_result<void (*&)(SolveSpace::Command), SolveSpace::Command&>::type std::__invoke<void (*&)(SolveSpace::Command), SolveSpace::Command&>(void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #13 0x8f4ec0 in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:400:11
    #14 0x8f4d0b in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:482:17
    #15 0x8f48cf in std::_Function_handler<void (), std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)> >::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
    #16 0x78a98d in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #17 0x78f894 in SolveSpace::Platform::GtkMenuItem::on_activate() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:268:13
    #18 0x7ffff7ccfe6d in Gtk::MenuItem_Class::activate_callback(_GtkMenuItem*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x37ae6d)

previously allocated by thread T0 here:
    #0 0x6d2e43 in __interceptor_malloc (/home/ryan/src/third-party/solvespace/build/bin/solvespace+0x6d2e43)
    #1 0x7bb7d8 in SolveSpace::MemAlloc(unsigned long) /home/ryan/src/third-party/solvespace/build/../src/platform/utilunix.cpp:69:15
    #2 0x8c02c5 in SolveSpace::IdList<SolveSpace::Entity, SolveSpace::hEntity>::ReserveMore(int) /home/ryan/src/third-party/solvespace/build/../src/dsc.h:400:31
    #3 0x8d2127 in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:214:15
    #4 0x8d1edd in SolveSpace::SolveSpaceUI::GenerateAll(SolveSpace::SolveSpaceUI::Generate, bool, bool) /home/ryan/src/third-party/solvespace/build/../src/generate.cpp:195:9
    #5 0x906199 in SolveSpace::Group::MenuGroup(SolveSpace::Command, SolveSpace::Platform::Path) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:341:8
    #6 0x9039ca in SolveSpace::Group::MenuGroup(SolveSpace::Command) /home/ryan/src/third-party/solvespace/build/../src/group.cpp:67:5
    #7 0x8f5123 in void std::__invoke_impl<void, void (*&)(SolveSpace::Command), SolveSpace::Command&>(std::__invoke_other, void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #8 0x8f4fa6 in std::__invoke_result<void (*&)(SolveSpace::Command), SolveSpace::Command&>::type std::__invoke<void (*&)(SolveSpace::Command), SolveSpace::Command&>(void (*&)(SolveSpace::Command), SolveSpace::Command&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #9 0x8f4ec0 in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:400:11
    #10 0x8f4d0b in void std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/functional:482:17
    #11 0x8f48cf in std::_Function_handler<void (), std::_Bind<void (* (SolveSpace::Command))(SolveSpace::Command)> >::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
    #12 0x78a98d in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #13 0x78f894 in SolveSpace::Platform::GtkMenuItem::on_activate() /home/ryan/src/third-party/solvespace/build/../src/platform/guigtk.cpp:268:13
    #14 0x7ffff7ccfe6d in Gtk::MenuItem_Class::activate_callback(_GtkMenuItem*) (/usr/lib/x86_64-linux-gnu/libgtkmm-3.0.so.1+0x37ae6d)

SUMMARY: AddressSanitizer: heap-use-after-free /home/ryan/src/third-party/solvespace/build/../src/entity.cpp:241:12 in SolveSpace::EntityBase::IsPoint() const
Shadow bytes around the buggy address:
  0x0c4c801307d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c801307e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c801307f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80130800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80130810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4c80130820: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c4c80130830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80130840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80130850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80130860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80130870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27146==ABORTING
[1] + Done                       "/usr/bin/gdb" --interpreter=mi --tty=${DbgTerm} 0<"/tmp/Microsoft-MIEngine-In-1m5ymevl.958" 1>"/tmp/Microsoft-MIEngine-Out-nf0mz8g1.470"

And, while the ReserveMore function is a bit more raw memory management than I usually enjoy, I don't particularly see how it could fail to work in such a way as to not update things, unless there was maybe a shallow copy performed?

rpavlik · 2019-09-09T18:56:32Z

Ah, got it. So CopyEntity can invalidate pointers into lists because it may force a re-allocation. Thus, this access thru a pointer (among presumably others) is unsafe. https://github.com/solvespace/solvespace/blob/master/src/group.cpp#L582 Re-defining e there fixes the crash/use after free I saw

rpavlik · 2019-09-09T19:02:06Z

Yep, and the full repro now correctly doesn't fail. Looks like the crash was just an artifact of the use-after-free - it was deadly in one place and not in another.

phkahler · 2019-09-09T19:03:16Z

I just tried commenting out that check (it's redundant due to the one outside the loop) and it still crashed. Or did you make changes somewhere else?

rpavlik · 2019-09-09T19:03:42Z

well, the subsequent uses of e would also trigger it. PR incoming in a moment

whitequark · 2019-09-10T04:12:59Z

Fixed in d514a26.

whitequark added the bug label Aug 28, 2019

This was referenced Sep 9, 2019

Fix 468 #474

Closed

WIP/RFC: Iteration #475

Closed

whitequark closed this as completed Sep 10, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Crash on revolved sketch change #468

Crash on revolved sketch change #468

phkahler commented Aug 27, 2019

ruevs commented Aug 28, 2019

phkahler commented Aug 28, 2019

ruevs commented Aug 28, 2019

phkahler commented Sep 6, 2019

phkahler commented Sep 7, 2019

rpavlik commented Sep 9, 2019 •

edited

rpavlik commented Sep 9, 2019 •

edited

rpavlik commented Sep 9, 2019

rpavlik commented Sep 9, 2019

phkahler commented Sep 9, 2019

rpavlik commented Sep 9, 2019

whitequark commented Sep 10, 2019

Crash on revolved sketch change #468

Crash on revolved sketch change #468

Comments

phkahler commented Aug 27, 2019

System information

Expected behavior

Actual behavior

Additional information

ruevs commented Aug 28, 2019

phkahler commented Aug 28, 2019

ruevs commented Aug 28, 2019

phkahler commented Sep 6, 2019

phkahler commented Sep 7, 2019

rpavlik commented Sep 9, 2019 • edited

rpavlik commented Sep 9, 2019 • edited

rpavlik commented Sep 9, 2019

rpavlik commented Sep 9, 2019

phkahler commented Sep 9, 2019

rpavlik commented Sep 9, 2019

whitequark commented Sep 10, 2019

rpavlik commented Sep 9, 2019 •

edited

rpavlik commented Sep 9, 2019 •

edited