Ticket #13661: asan-ihnm-benny-stairs.txt

File asan-ihnm-benny-stairs.txt, 5.0 KB (added by dwatteau, 19 months ago)

ASAN trace when falling from the stairs with Benny

==13418==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011d412a38 at pc 0x000100775ccc bp 0x00016fd61760 sp 0x00016fd61758
READ of size 4 at 0x00011d412a38 thread T0
    #0 0x100775cc8 in Saga::HitZone::getFlags() const objectmap.h:56
    #1 0x1006ec924 in Saga::Actor::stepZoneAction(Saga::ActorData*, Saga::HitZone const*, bool, bool) actor.cpp:551
    #2 0x100712a0c in Saga::Actor::handleActions(int, bool) actor_walk.cpp:695
    #3 0x10071da30 in Saga::Actor::direct(int) actor_walk.cpp:727
    #4 0x1007d2f48 in Saga::SagaEngine::run() saga.cpp:357
    #5 0x1000dc7e0 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #6 0x1000d8130 in scummvm_main main.cpp:619
    #7 0x1000cf19c in main macosx-main.cpp:44
    #8 0x1024b1088 in start+0x204 (dyld:arm64e+0x5088)

0x00011d412a38 is located 40 bytes inside of 80-byte region [0x00011d412a10,0x00011d412a60)
freed by thread T0 here:
    #0 0x102bd2de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
    #1 0x1007f6284 in Common::Array<Saga::HitZone>::freeStorage(Saga::HitZone*, unsigned int) array.h:414
    #2 0x1007af720 in Common::Array<Saga::HitZone>::clear() array.h:278
    #3 0x1007af660 in Saga::ObjectMap::clear() objectmap.cpp:187
    #4 0x1007e888c in Saga::Scene::endScene() scene.cpp:1145
    #5 0x1007eb1fc in Saga::Scene::changeScene(short, int, Saga::SceneTransitionType, int) scene.cpp:482
    #6 0x100811e70 in Saga::Script::sfScriptGotoScene(Saga::ScriptThread*, int, bool&) sfuncs.cpp:469
    #7 0x1007fc4cc in Saga::Script::opCcallV(Saga::ScriptThread*, Common::SeekableReadStream*, bool&, bool&) script.cpp:467
    #8 0x100834b00 in Saga::Script::runThread(Saga::ScriptThread&) sthread.cpp:210
    #9 0x100833e40 in Saga::Script::executeThreads(unsigned int) sthread.cpp:158
    #10 0x1007d2fcc in Saga::SagaEngine::run() saga.cpp:361
    #11 0x1000dc7e0 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #12 0x1000d8130 in scummvm_main main.cpp:619
    #13 0x1000cf19c in main macosx-main.cpp:44
    #14 0x1024b1088 in start+0x204 (dyld:arm64e+0x5088)

previously allocated by thread T0 here:
    #0 0x102bd2ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
    #1 0x1007b00f0 in Common::Array<Saga::HitZone>::allocCapacity(unsigned int) array.h:402
    #2 0x1007afee0 in Common::Array<Saga::HitZone>::reserve(unsigned int) array.h:358
    #3 0x1007af2ec in Common::Array<Saga::HitZone>::resize(unsigned int) array.h:369
    #4 0x1007af058 in Saga::ObjectMap::load(Saga::ByteArray const&) objectmap.cpp:178
    #5 0x1007ef1ac in Saga::Scene::processSceneResources(Common::Array<Saga::SceneResourceData>&) scene.cpp:994
    #6 0x1007e4b58 in Saga::Scene::loadScene(Saga::LoadSceneParams&) scene.cpp:663
    #7 0x1007eb20c in Saga::Scene::changeScene(short, int, Saga::SceneTransitionType, int) scene.cpp:485
    #8 0x100811e70 in Saga::Script::sfScriptGotoScene(Saga::ScriptThread*, int, bool&) sfuncs.cpp:469
    #9 0x1007fc4cc in Saga::Script::opCcallV(Saga::ScriptThread*, Common::SeekableReadStream*, bool&, bool&) script.cpp:467
    #10 0x100834b00 in Saga::Script::runThread(Saga::ScriptThread&) sthread.cpp:210
    #11 0x100833e40 in Saga::Script::executeThreads(unsigned int) sthread.cpp:158
    #12 0x1007d2fcc in Saga::SagaEngine::run() saga.cpp:361
    #13 0x1000dc7e0 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #14 0x1000d8130 in scummvm_main main.cpp:619
    #15 0x1000cf19c in main macosx-main.cpp:44
    #16 0x1024b1088 in start+0x204 (dyld:arm64e+0x5088)

SUMMARY: AddressSanitizer: heap-use-after-free objectmap.h:56 in Saga::HitZone::getFlags() const
Shadow bytes around the buggy address:
  0x007023aa24f0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x007023aa2500: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x007023aa2510: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x007023aa2520: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x007023aa2530: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x007023aa2540: fa fa fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
  0x007023aa2550: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x007023aa2560: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x007023aa2570: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x007023aa2580: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x007023aa2590: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13418==ABORTING
Abort trap: 6