
container overflow

Open · conradjones opened this issue 6 years ago · 1 comment

built from source 10 minutes ago

```
=================================================================
==50180==ERROR: AddressSanitizer: container-overflow on address 0x6170000f9528 at pc 0x0001079d0637 bp 0x7ffee833d490 sp 0x7ffee833d488
READ of size 8 at 0x6170000f9528 thread T0
    #0 0x1079d0636 in profiler_gui::EasyBlockItem::left() const common_types.h:94
    #1 0x107b849dd in GraphicsBlockItem::intersect(QPointF const&, unsigned int&) const::$_6::operator()(profiler_gui::EasyBlockItem const&, double) const graphics_block_item.cpp:1278
    #2 0x107b84851 in std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*> std::__1::__lower_bound<GraphicsBlockItem::intersect(QPointF const&, unsigned int&) const::$_6&, std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*>, double>(std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*>, std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*>, double const&, GraphicsBlockItem::intersect(QPointF const&, unsigned int&) const::$_6&) algorithm:4102
    #3 0x107b77116 in std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*> std::__1::lower_bound<std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*>, double, GraphicsBlockItem::intersect(QPointF const&, unsigned int&) const::$_6>(std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*>, std::__1::__wrap_iter<profiler_gui::EasyBlockItem const*>, double const&, GraphicsBlockItem::intersect(QPointF const&, unsigned int&) const::$_6) algorithm:4119
    #4 0x107b75801 in GraphicsBlockItem::intersect(QPointF const&, unsigned int&) const graphics_block_item.cpp:1276
    #5 0x1079ea4d6 in BlocksGraphicsView::onIdleTimeout() blocks_graphics_view.cpp:2407
    #6 0x107a26438 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (BlocksGraphicsView::*)()>::call(void (BlocksGraphicsView::*)(), BlocksGraphicsView*, void**) qobjectdefs_impl.h:152
    #7 0x107a26135 in void QtPrivate::FunctionPointer<void (BlocksGraphicsView::*)()>::call<QtPrivate::List<>, void>(void (BlocksGraphicsView::*)(), BlocksGraphicsView*, void**) qobjectdefs_impl.h:185
    #8 0x107a25ce1 in QtPrivate::QSlotObject<void (BlocksGraphicsView::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:414
    #9 0x10cdb9384 in QtPrivate::QSlotObjectBase::call(QObject*, void**) qobjectdefs_impl.h:394
    #10 0x10ce97a3a in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3789
    #11 0x10ce9662c in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) qobject.cpp:3660
    #12 0x10cec8b05 in QTimer::timeout(QTimer::QPrivateSignal) moc_qtimer.cpp:205
    #13 0x10cec896c in QTimer::timerEvent(QTimerEvent*) qtimer.cpp:255
    #14 0x10ce7e499 in QObject::event(QEvent*) qobject.cpp:1241
    #15 0x1085bd737 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3703
    #16 0x1085c3fbb in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3059
    #17 0x10cd87345 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1095
    #18 0x10cd89a9a in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.cpp:1490
    #19 0x10cf9f02c in QTimerInfoList::activateTimers() qtimerinfo_unix.cpp:643
    #20 0x1147a2874 in QCocoaEventDispatcherPrivate::processTimers() qcocoaeventdispatcher.mm:129
    #21 0x1147a283c in QCocoaEventDispatcherPrivate::activateTimersSourceCallback(void*) qcocoaeventdispatcher.mm:123
    #22 0x7fff2f7e4e32 in CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION (CoreFoundation:x86_64h+0x57e32)
    #23 0x7fff2f7e4dd8 in __CFRunLoopDoSource0 (CoreFoundation:x86_64h+0x57dd8)
    #24 0x7fff2f7c879a in __CFRunLoopDoSources0 (CoreFoundation:x86_64h+0x3b79a)
    #25 0x7fff2f7c7d64 in __CFRunLoopRun (CoreFoundation:x86_64h+0x3ad64)
    #26 0x7fff2f7c766d in CFRunLoopRunSpecific (CoreFoundation:x86_64h+0x3a66d)
    #27 0x7fff2ea261aa in RunCurrentEventLoopInMode (HIToolbox:x86_64+0xb1aa)
    #28 0x7fff2ea25ee4 in ReceiveNextEventCommon (HIToolbox:x86_64+0xaee4)
    #29 0x7fff2ea25c75 in _BlockUntilNextEventMatchingListInModeWithFilter (HIToolbox:x86_64+0xac75)
    #30 0x7fff2cdbd77c in _DPSNextEvent (AppKit:x86_64+0x1a77c)
    #31 0x7fff2cdbc46a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (AppKit:x86_64+0x1946a)
    #32 0x7fff2cdb6587 in -[NSApplication run] (AppKit:x86_64+0x13587)
    #33 0x1147a4fed in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qcocoaeventdispatcher.mm:429
    #34 0x10cd759a4 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:138
    #35 0x10cd760b9 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:225
    #36 0x10cd89225 in QCoreApplication::exec() qcoreapplication.cpp:1403
    #37 0x10abdd445 in QGuiApplication::exec() qguiapplication.cpp:1788
    #38 0x1085c2268 in QApplication::exec() qapplication.cpp:2859
    #39 0x1078d1c95 in main main.cpp:77
    #40 0x7fff5b74f3d4 in start (libdyld.dylib:x86_64+0x163d4)

0x6170000f9528 is located 552 bytes inside of 768-byte region [0x6170000f9300,0x6170000f9600)
allocated by thread T0 here:
    #0 0x10dba2502 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6e502)
    #1 0x107b83108 in std::__1::__libcpp_allocate(unsigned long, unsigned long) new:239
    #2 0x107b8d4e1 in std::__1::allocator<profiler_gui::EasyBlockItem>::allocate(unsigned long, void const*) memory:1814
    #3 0x107b8d370 in std::__1::allocator_traits<std::__1::allocator<profiler_gui::EasyBlockItem> >::allocate(std::__1::allocator<profiler_gui::EasyBlockItem>&, unsigned long) memory:1547
    #4 0x107b8d129 in std::__1::__split_buffer<profiler_gui::EasyBlockItem, std::__1::allocator<profiler_gui::EasyBlockItem>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<profiler_gui::EasyBlockItem>&) __split_buffer:311
    #5 0x107b8cd9c in std::__1::__split_buffer<profiler_gui::EasyBlockItem, std::__1::allocator<profiler_gui::EasyBlockItem>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<profiler_gui::EasyBlockItem>&) __split_buffer:310
    #6 0x107b8e0e3 in void std::__1::vector<profiler_gui::EasyBlockItem, std::__1::allocator<profiler_gui::EasyBlockItem> >::__emplace_back_slow_path<>() vector:1668
    #7 0x107b79540 in void std::__1::vector<profiler_gui::EasyBlockItem, std::__1::allocator<profiler_gui::EasyBlockItem> >::emplace_back<>() vector:1695
    #8 0x107b79274 in GraphicsBlockItem::addItem(unsigned char) graphics_block_item.cpp:1478
    #9 0x1079ce1fa in BlocksGraphicsView::setTree(GraphicsBlockItem*, std::__1::vector<unsigned int, std::__1::allocator<unsigned int> > const&, double&, unsigned int&, double, short) blocks_graphics_view.cpp:1137
    #10 0x1079ce72c in BlocksGraphicsView::setTree(GraphicsBlockItem*, std::__1::vector<unsigned int, std::__1::allocator<unsigned int> > const&, double&, unsigned int&, double, short) blocks_graphics_view.cpp:1159
    #11 0x1079ce72c in BlocksGraphicsView::setTree(GraphicsBlockItem*, std::__1::vector<unsigned int, std::__1::allocator<unsigned int> > const&, double&, unsigned int&, double, short) blocks_graphics_view.cpp:1159
    #12 0x1079ca297 in BlocksGraphicsView::setTree(std::__1::unordered_map<unsigned long long, profiler::BlocksTreeRoot, estd::hash<unsigned long long>, std::__1::equal_to<unsigned long long>, std::__1::allocator<std::__1::pair<unsigned long long const, profiler::BlocksTreeRoot> > > const&) blocks_graphics_view.cpp:972
    #13 0x107a2de7b in BlocksGraphicsView::initMode()::$_6::operator()() const blocks_graphics_view.cpp:2117
    #14 0x107a2dd6b in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, BlocksGraphicsView::initMode()::$_6>::call(BlocksGraphicsView::initMode()::$_6&, void**) qobjectdefs_impl.h:146
    #15 0x107a2dc50 in void QtPrivate::Functor<BlocksGraphicsView::initMode()::$_6, 0>::call<QtPrivate::List<>, void>(BlocksGraphicsView::initMode()::$_6&, void*, void**) qobjectdefs_impl.h:256
    #16 0x107a2dbfc in QtPrivate::QFunctorSlotObject<BlocksGraphicsView::initMode()::$_6, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:439
    #17 0x10cdb9384 in QtPrivate::QSlotObjectBase::call(QObject*, void**) qobjectdefs_impl.h:394
    #18 0x10ce97a3a in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3789
    #19 0x10ce9662c in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) qobject.cpp:3660
    #20 0x1078c5af4 in profiler_gui::GlobalSignals::fileOpened() moc_globals_qobjects.cpp:512
    #21 0x107c2c995 in MainWindow::onFileReaderTimeout() main_window.cpp:2374
    #22 0x107c7aea8 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (MainWindow::*)()>::call(void (MainWindow::*)(), MainWindow*, void**) qobjectdefs_impl.h:152
    #23 0x107c7aba5 in void QtPrivate::FunctionPointer<void (MainWindow::*)()>::call<QtPrivate::List<>, void>(void (MainWindow::*)(), MainWindow*, void**) qobjectdefs_impl.h:185
    #24 0x107c7a751 in QtPrivate::QSlotObject<void (MainWindow::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:414
    #25 0x10cdb9384 in QtPrivate::QSlotObjectBase::call(QObject*, void**) qobjectdefs_impl.h:394
    #26 0x10ce97a3a in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3789
    #27 0x10ce9662c in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) qobject.cpp:3660
    #28 0x10cec8b05 in QTimer::timeout(QTimer::QPrivateSignal) moc_qtimer.cpp:205
    #29 0x10cec896c in QTimer::timerEvent(QTimerEvent*) qtimer.cpp:255

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow common_types.h:94 in profiler_gui::EasyBlockItem::left() const
Shadow bytes around the buggy address:
  0x1c2e0001f250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2e0001f260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e0001f270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e0001f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2e0001f290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c2e0001f2a0: 00 00 fc fc fc[fc]fc fc fc fc fc fc fc fc fc fc
  0x1c2e0001f2b0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x1c2e0001f2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2e0001f2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2e0001f2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2e0001f2f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50180==ABORTING
[1]    50180 abort
```

conradjones avatar Jan 26 '20 23:01 conradjones

graphics_block_item.cpp

You are getting the size of a vector called level0 and adding that to the begin iterator of a different vector, and these two vectors are not the same size.

Surely it would be easy to just use std::end anyway? Not sure why it's referencing a different vector; are they supposed to be in sync?


conradjones avatar Jan 26 '20 23:01 conradjones
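The defect the comment describes, reduced to a stand-alone C++ example. This is an added illustration, not easy_profiler's code: `BlockItem`, `intersect_mismatched`, `intersect_same_container` and the sample vectors are hypothetical names and constructed data. It shows the two ways a search range whose end is computed from a different vector's size goes wrong (overrun when the other vector is longer, silently missed items when it is shorter), and the corrected form that takes its end from the container actually being searched, which is what `std::end` gives you.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <iterator>
#include <vector>

// Hypothetical stand-in for the per-level item type; only the left edge matters here.
struct BlockItem {
    double left;
    double width;
};

// Shape of the bug: the end of the search range is derived from ANOTHER
// vector's size (level0), not from the vector being searched (items).
//   * level0 longer than items  -> begin()+N points past items' end and
//     lower_bound reads out of bounds: the container-overflow ASan reported.
//   * level0 shorter than items -> the search silently ignores trailing items.
// This copy is guarded so it never forms the out-of-range iterator: it
// returns -1 where the unguarded original would read past the buffer.
std::ptrdiff_t intersect_mismatched(const std::vector<BlockItem>& items,
                                    const std::vector<BlockItem>& level0,
                                    double x) {
    if (level0.size() > items.size())
        return -1;  // unguarded code would overrun here
    auto last = items.begin() + static_cast<std::ptrdiff_t>(level0.size());
    auto it = std::lower_bound(items.begin(), last, x,
        [](const BlockItem& b, double v) { return b.left < v; });
    return it - items.begin();
}

// Corrected shape: the end comes from the same container being searched,
// so the range is valid whatever size any other vector happens to have.
std::ptrdiff_t intersect_same_container(const std::vector<BlockItem>& items, double x) {
    auto it = std::lower_bound(std::begin(items), std::end(items), x,
        [](const BlockItem& b, double v) { return b.left < v; });
    return it - std::begin(items);
}

// Constructed sample data: five blocks sorted by left edge, plus a "level0"
// vector whose length is deliberately different from items.
std::vector<BlockItem> sample_items() {
    return {{0.0, 5.0}, {10.0, 5.0}, {20.0, 5.0}, {30.0, 5.0}, {40.0, 5.0}};
}
std::vector<BlockItem> sample_level0(std::size_t n) {
    return std::vector<BlockItem>(n, BlockItem{0.0, 1.0});
}

int main() {
    auto items = sample_items();
    // Same answer while x falls inside the truncated range ...
    std::cout << intersect_mismatched(items, sample_level0(3), 15.0) << " "
              << intersect_same_container(items, 15.0) << "\n";    // 2 2
    // ... but a shorter level0 makes the search miss the last two blocks
    std::cout << intersect_mismatched(items, sample_level0(3), 35.0) << " "
              << intersect_same_container(items, 35.0) << "\n";    // 3 4
    // ... and a longer level0 would overrun: -1 here, container-overflow unguarded
    std::cout << intersect_mismatched(items, sample_level0(7), 35.0) << "\n";  // -1
    return 0;
}
```

Building with `-fsanitize=address` and libc++ annotations is what turned the unguarded form of this into the `container-overflow` report above; the guarded copy exists only so the example can show the mismatch without executing the out-of-bounds read.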