widelands

Use of deallocated memory from statistics menu

Bug #1734046 reported by Klaus Halfmann
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
widelands
Fix Released
Undecided
Unassigned
widelands build20-rc1

Bug Description

When closing the statistics menu (window with 4 buttons)
and closing one of the other statistics menus. The code
tries to change the style of a button that has already beend freed:

==39835==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000a7fdc4 at pc 0x00010236a898 bp 0x7ffeee7bd4d0 sp 0x7ffeee7bd4c8
WRITE of size 4 at 0x613000a7fdc4 thread T0
    #0 0x10236a897 in UI::Button::set_style(UI::Button::Style) (/Users/klaus/develop/widelands-repo/bug_1730204-crash/./widelands:x86_64+0x100f36897)
...
    #7 0x10253f36b in UI::UniqueWindow::~UniqueWindow() (/Users/klaus/develop/widelands-repo/bug_1730204-crash/./widelands:x86_64+0x10110b36b)
    #8 0x102990787 in GeneralStatisticsMenu::~GeneralStatisticsMenu() (/Users/klaus/develop/widelands-repo/bug_1730204-crash/./widelands:x86_64+0x10155c787)

0x613000a7fdc4 is located 260 bytes inside of 328-byte region [0x613000a7fcc0,0x613000a7fe08)
freed by thread T0 here:
    #1 0x102361701 in UI::Button::~Button() (/Users/klaus/develop/widelands-repo/bug_1730204-crash/./widelands:x86_64+0x100f2d701)
    #2 0x10246fd77 in UI::Panel::free_children() (/Users/klaus/develop/widelands-repo/bug_1730204-crash/./widelands:x86_64+0x10103bd77)
..
    #6 0x1028e5cc3 in GameStatisticsMenu::~GameStatisticsMenu() (/Users/klaus/develop/widelands-repo/bug_1730204-crash/./widelands:x86_64+0x1014b1cc3)

reviously allocated by thread T0 here:
    #1 0x1028e3fae in GameStatisticsMenu::add_button(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::c

This will result in memory corruption with +/- bad results.
The same will happen if you reopen any statics menu, so
keeping the window open as a workaround will not help.

I will spend some hour now to find some workaround, but maybe this is broken by design.

Tags: asan crash

Related branches

lp://staging/~widelands-dev/widelands/bug-1734046-statistics_menu
SirVer: Approve
Diff: 199 lines (+20/-56)
7 files modified
src/ui_basic/unique_window.cc (+2/-21)
src/ui_basic/unique_window.h (+6/-14)
src/wui/game_options_menu.cc (+5/-2)
src/wui/game_statistics_menu.cc (+4/-6)
src/wui/game_statistics_menu.h (+0/-4)
src/wui/interactive_base.cc (+3/-5)
src/wui/interactive_base.h (+0/-4)
Revision history for this message
Klaus Halfmann (klaus-halfmann) wrote :

This will _not_ happen when using the 'I' command alow.
I _will_ happen if the statitics menu was opend and then closed.

Revision history for this message
Klaus Halfmann (klaus-halfmann) wrote :

Looks like the Problem is in the Registry for UniqueWindow,
buz on debugging first sight this looks. I have no idea what
Button his actually is (as it is alreaday deleted I can see its name :-)

GunChleoc (gunchleoc)
tags: added: crash
GunChleoc (gunchleoc)
tags: added: asan
GunChleoc (gunchleoc)
Changed in widelands:
status: New → In Progress
assignee: nobody → GunChleoc (gunchleoc)
milestone: none → build20-rc1
GunChleoc (gunchleoc)
Changed in widelands:
status: In Progress → Fix Committed
assignee: GunChleoc (gunchleoc) → nobody
Revision history for this message
GunChleoc (gunchleoc) wrote :

Fixed in build20-rc1

Changed in widelands:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.