Crash in osgEarth::Annotation::PlaceNode::init due to call to __dynamic_cast with nullptr argument

Bug #1803971 reported by Ruslan (b7-10110111)

Affects: osgearth (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Starting with GCC 6.x, the optimizer assumes that the `this` pointer of a C++ member function is never null and drops null-pointer checks that depend on it. This affects the osgearth package on Ubuntu 18.04, where osgEarth::Annotation::PlaceNode::init calls a member function on a null pointer; the `dynamic_cast` inside that member then reaches `__dynamic_cast` with a null `this` argument and the process crashes with SIGSEGV.

The full test case reproducing the problem:

// -------- begin -----------
#include <cstdlib>
#include <fstream>
#include <osg/Node>
#include <osgDB/ReadFile>
#include <osgEarth/GeoData>
#include <osgEarth/MapNode>
#include <osgEarth/Notify>
#include <osgEarthAnnotation/PlaceNode>

int main(int argc, char** argv)
{
    // Write a minimal .earth file so the test needs no external data.
    const auto earthFileName="/tmp/test.earth";
    std::ofstream earthFile(earthFileName);
    const char data[]="<map><options><terrain><color>#555555ff</color></terrain></options></map>";
    earthFile.write(data, sizeof data-1);
    earthFile.close();
    const auto earthNode = osgDB::readNodeFile(earthFileName);
    if(!earthNode)
    {
        OE_WARN << "Unable to load earth model \"" << earthFileName << "\"\n";
        return EXIT_FAILURE;
    }

    const auto mapNode = osgEarth::MapNode::findMapNode(earthNode);
    if(!mapNode)
    {
        OE_WARN << "No MapNode found in \"" << earthFileName << "\"\n";
        return EXIT_FAILURE;
    }
    // Constructing a PlaceNode with a default Style is enough to trigger the crash
    // in PlaceNode::init; the object is intentionally leaked, this is only a repro.
    new osgEarth::Annotation::PlaceNode(mapNode, osgEarth::GeoPoint(mapNode->getMapSRS(), 37, 55, 0), "Icon on map");
    return EXIT_SUCCESS;
}
// --------- end --------------

Backtrace from the SIGSEGV looks like this:

#0 0x00007ffff661b35d in __dynamic_cast () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1 0x00007ffff6cfad6f in osgEarth::Annotation::PlaceNode::init (this=this@entry=0x5555559a5d30)
    at ./src/osgEarthAnnotation/PlaceNode.cpp:157
#2 0x00007ffff6cfc694 in osgEarth::Annotation::PlaceNode::PlaceNode (this=0x5555559a5d30, mapNode=<optimized out>, position=...,
    text=..., style=...) at ./src/osgEarthAnnotation/PlaceNode.cpp:85
#3 0x00005555555563f7 in main (argc=1, argv=0x7fffffffe1f8) at /home/ruslan/bak/osgearth-dynamic_cast-crash-demo.cpp:19

Here, if you look at the `instance` pointer variable in frame #1, it is 0x0. So `instance->asIcon()` has been called with `this==nullptr`. `asIcon` does a `dynamic_cast` on `this`; at the language level a `dynamic_cast` of a null pointer yields a null pointer without ever calling `__dynamic_cast`, but calling a member function through a null pointer is Undefined Behavior, so the optimizer (GCC's `-fdelete-null-pointer-checks`, enabled by default at -O2 and applied to `this` since GCC 6) is entitled to assume `this` is non-null and removes that check. The call then lands in `__dynamic_cast` with a null object pointer, which dereferences it to read the vtable and faults.

One easy way to "fix" this package is to build osgEarth with the `-fno-delete-null-pointer-checks` g++ option. That only restores the dropped check, though; the root cause is that `PlaceNode::init` calls a member function on a null `instance`, and the proper fix is to test the pointer before the call.
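The failure mode described above, reduced to a stand-alone example (added here; this is not osgEarth code, and the class and function names are assumptions modelled on the `asIcon()` pattern in the report). The unchecked member relies on `dynamic_cast` handling a null `this`, which the optimizer may remove; the checked caller guards the pointer before any member call, and the free-function form casts a pointer expression rather than `this`, which is well-defined for null input regardless of optimization level.

```cpp
// Added example (not osgEarth code): why a member function that down-casts
// `this` must never be reached through a null pointer, and the guarded
// caller that makes the code safe under -fdelete-null-pointer-checks.
#include <cstddef>

struct IconSymbol;

struct Symbol {
    virtual ~Symbol() = default;
    // Assumed shape of osgEarth's asIcon(): a non-virtual member that
    // dynamic_casts `this`. With -O2 on GCC >= 6 the compiler assumes
    // `this != nullptr`, so the null check that dynamic_cast would otherwise
    // emit is deleted and __dynamic_cast is called with a null argument.
    // Calling this through a null Symbol* is undefined behavior; never do it.
    IconSymbol* asIconUnchecked();
};

struct IconSymbol : Symbol { int size = 0; };
struct TextSymbol : Symbol {};

IconSymbol* Symbol::asIconUnchecked() { return dynamic_cast<IconSymbol*>(this); }

// Fixed pattern: test the pointer in the caller, so a null `this` is never
// formed and the optimizer's assumption is always true.
IconSymbol* asIconChecked(Symbol* instance) {
    if (instance == nullptr) return nullptr;
    return instance->asIconUnchecked();
}

// Alternative: cast the pointer expression itself. dynamic_cast of a null
// pointer value yields a null pointer and GCC keeps the check here, because
// a plain parameter carries no non-null assumption.
IconSymbol* asIconFree(Symbol* instance) {
    return dynamic_cast<IconSymbol*>(instance);
}

int main() {
    IconSymbol icon;
    TextSymbol text;
    Symbol* missing = nullptr;  // stands in for the null `instance` in PlaceNode::init
    bool ok = asIconChecked(missing) == nullptr
           && asIconChecked(&icon) == &icon
           && asIconChecked(&text) == nullptr
           && asIconFree(missing) == nullptr;
    return ok ? 0 : 1;
}
```

Build with `g++ -O2 -std=c++11` to match the optimization level at which the report's check is removed; replacing `asIconChecked(missing)` with `missing->asIconUnchecked()` reproduces the `__dynamic_cast` fault, while adding `-fno-delete-null-pointer-checks` hides it again.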

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libosgearthannotation5 2.9.0+dfsg-1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
Date: Mon Nov 19 13:32:55 2018
InstallationDate: Installed on 2015-04-22 (1307 days ago)
InstallationMedia: Kubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150219.1)
SourcePackage: osgearth
UpgradeStatus: Upgraded to bionic on 2018-10-09 (40 days ago)
