use-after-free in xray::render::render_gl::R_dsgraph_structure::render_graph #1975
Description
While playing around in CoC with ASAN I encountered the following crash:
AddressSanitizer: heap-use-after-free on address 0x7de79f82f390 at pc 0x7fe7c97c1fe3 bp 0x7fff94333ed0 sp 0x7fff94333ec0
READ of size 8 at 0x7de79f82f390 thread T0
#0 0x7fe7c97c1fe2 in bool xray::render::render_gl::cmp_pass<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*>(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_render.cpp:34
#1 0x7fe7c97c62ce in bool __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>::operator()<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > > >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >) /usr/include/c++/15.2.1/bits/predefined_ops.h:158
#2 0x7fe7c97cabf4 in __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > > std::__unguarded_partition<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1836
#3 0x7fe7c97cb38b in __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > > std::__unguarded_partition_pivot<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1858
#4 0x7fe7c97d22ae in void std::__introsort_loop<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1890
#5 0x7fe7c97d22c4 in void std::__introsort_loop<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1891
#6 0x7fe7c97d22c4 in void std::__introsort_loop<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1891
#7 0x7fe7c97d22c4 in void std::__introsort_loop<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, long, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1891
#8 0x7fe7c97da0ee in void std::__sort<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)> >(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>) /usr/include/c++/15.2.1/bits/stl_algo.h:1906
#9 0x7fe7c97da2ab in void std::sort<__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)>(__gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, __gnu_cxx::__normal_iterator<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>**, std::vector<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*> > >, bool (*)(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)) /usr/include/c++/15.2.1/bits/stl_algo.h:4874
#10 0x7fe7c97c01ad in xray::render::render_gl::R_dsgraph_structure::render_graph(unsigned int) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_render.cpp:59
#11 0x7fe7c9a08e6e in xray::render::render_gl::CRender::Render() /mnt/data/dev/xray-16/src/Layers/xrRender_R2/r2_R_render.cpp:193
#12 0x7fe7a56012cc in IGame_Level::OnRender() /mnt/data/dev/xray-16/src/xrEngine/IGame_Level.cpp:178
#13 0x7fe7b592ad3f in CLevel::OnRender() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:639
#14 0x7fe7a56fcd12 in pureRender::OnPure(pureRender*) /mnt/data/dev/xray-16/src/xrEngine/pure.h:20
#15 0x7fe7a56fcd12 in MessageRegistry<pureRender>::Process() /mnt/data/dev/xray-16/src/xrEngine/pure.h:101
#16 0x7fe7a56eb9f5 in CRenderDevice::DoRender() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:240
#17 0x7fe7a56ecb81 in CRenderDevice::ProcessFrame() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:283
#18 0x7fe7a56a1e0e in CApplication::Run() /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:433
#19 0x55fd673594d5 in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:53
#20 0x55fd6735995b in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:109
#21 0x7fe7a3027b8a (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
#22 0x7fe7a3027c4a in __libc_start_main (/usr/lib/libc.so.6+0x27c4a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
#23 0x55fd67359304 in _start (/mnt/data/dev/xray-16/bin/x86_64/Debug/xr_3da+0x7304) (BuildId: 641967ad2a0d49a0875fb3a38754d6f887123692)
0x7de79f82f390 is located 784 bytes inside of 3584-byte region [0x7de79f82f080,0x7de79f82fe80)
freed by thread T0 here:
#0 0x7fe7cbb5103d in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:51
#1 0x7fe7a448acab in xrMemory::mem_free(void*) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:260
#2 0x7fe7c92ff26e in void xr_free<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> >(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*&) /mnt/data/dev/xray-16/src/xrCore/xrMemory.h:105
#3 0x7fe7c931fd5c in xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> >::deallocate(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*, unsigned long) /mnt/data/dev/xray-16/src/xrCore/Memory/xalloc.h:41
#4 0x7fe7c931fd5c in xr_fixed_map<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems, 2ul, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> > >::destroy() /mnt/data/dev/xray-16/src/xrCore/Containers/FixedMap.h:234
#5 0x7fe7c9320985 in xray::render::render_gl::R_dsgraph_structure::reset() /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_structure.h:134
#6 0x7fe7c94ecddb in xray::render::render_gl::D3DXRenderBase::cleanup_contexts() /mnt/data/dev/xray-16/src/Layers/xrRender/D3DXRenderBase.h:125
#7 0x7fe7c94ecddb in xray::render::render_gl::D3DXRenderBase::End() /mnt/data/dev/xray-16/src/Layers/xrRender/D3DXRenderBase.cpp:311
#8 0x7fe7a56e9b86 in CRenderDevice::RenderEnd() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:98
#9 0x7fe7a56ebaf4 in CRenderDevice::DoRender() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:250
#10 0x7fe7a56ecb81 in CRenderDevice::ProcessFrame() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:283
#11 0x7fe7a56a1e0e in CApplication::Run() /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:433
#12 0x55fd673594d5 in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:53
#13 0x55fd6735995b in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:109
#14 0x7fe7a3027b8a (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
previously allocated by thread T5 here:
#0 0x7fe7cbb52345 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:67
#1 0x7fe7a448ac33 in xrMemory::mem_alloc(unsigned long) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:202
#2 0x7fe7c97b2c86 in xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* xr_alloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> >(unsigned long) /mnt/data/dev/xray-16/src/xrCore/xrMemory.h:97
#3 0x7fe7c97bb944 in xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> >::allocate(unsigned long, void const*) /mnt/data/dev/xray-16/src/xrCore/Memory/xalloc.h:40
#4 0x7fe7c97bb944 in xr_fixed_map<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems, 2ul, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> > >::resize() /mnt/data/dev/xray-16/src/xrCore/Containers/FixedMap.h:97
#5 0x7fe7c97bc02a in xr_fixed_map<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems, 2ul, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> > >::add(xray::render::render_gl::SPass* const&) /mnt/data/dev/xray-16/src/xrCore/Containers/FixedMap.h:142
#6 0x7fe7c97bc35b in xr_fixed_map<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems, 2ul, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> > >::insert(xray::render::render_gl::SPass* const&) /mnt/data/dev/xray-16/src/xrCore/Containers/FixedMap.h:244
#7 0x7fe7c97a290f in xr_fixed_map<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems, 2ul, xalloc<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems> > >::operator[](xray::render::render_gl::SPass* const&) /mnt/data/dev/xray-16/src/xrCore/Containers/FixedMap.h:364
#8 0x7fe7c97a290f in xray::render::render_gl::R_dsgraph_structure::insert_static(xray::render::render_gl::dxRender_Visual*) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_build.cpp:234
#9 0x7fe7c97a46a6 in xray::render::render_gl::R_dsgraph_structure::add_static(xray::render::render_gl::dxRender_Visual*, CFrustum const&, unsigned int) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_build.cpp:663
#10 0x7fe7c97a3d63 in xray::render::render_gl::R_dsgraph_structure::add_static(xray::render::render_gl::dxRender_Visual*, CFrustum const&, unsigned int) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_build.cpp:602
#11 0x7fe7c97a3d63 in xray::render::render_gl::R_dsgraph_structure::add_static(xray::render::render_gl::dxRender_Visual*, CFrustum const&, unsigned int) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_build.cpp:602
#12 0x7fe7c97a3d63 in xray::render::render_gl::R_dsgraph_structure::add_static(xray::render::render_gl::dxRender_Visual*, CFrustum const&, unsigned int) /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_build.cpp:602
#13 0x7fe7c97a5458 in xray::render::render_gl::R_dsgraph_structure::build_subspace() /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_build.cpp:783
#14 0x7fe7c99e64b8 in xray::render::render_gl::render_main::calculate() /mnt/data/dev/xray-16/src/Layers/xrRender_R2/r2_R_calculate.cpp:56
#15 0x7fe7c99eb51e in xray::render::render_gl::i_render_phase::run()::{lambda()#1}::operator()() const /mnt/data/dev/xray-16/src/Layers/xrRender_R2/r2.h:51
#16 0x7fe7c99eb8f6 in Task::Dispatcher<xray::render::render_gl::i_render_phase::run()::{lambda()#1}, false, void>::Call(Task&) /mnt/data/dev/xray-16/src/xrCore/Threading/Task.hpp:94
#17 0x7fe7a44ae634 in Task::operator()() /mnt/data/dev/xray-16/src/xrCore/Threading/Task.hpp:200
#18 0x7fe7a44ac462 in TaskManager::ExecuteTask(Task&) /mnt/data/dev/xray-16/src/xrCore/Threading/TaskManager.cpp:307
#19 0x7fe7a44acc95 in TaskManager::ExecuteOneTask() const /mnt/data/dev/xray-16/src/xrCore/Threading/TaskManager.cpp:339
#20 0x7fe7a44adf7a in TaskManager::TaskWorkerStart() /mnt/data/dev/xray-16/src/xrCore/Threading/TaskManager.cpp:244
#21 0x7fe7a44b33a2 in void std::__invoke_impl<void, void (TaskManager::*)(), TaskManager*>(std::__invoke_memfun_deref, void (TaskManager::*&&)(), TaskManager*&&) /usr/include/c++/15.2.1/bits/invoke.h:76
#22 0x7fe7a44b33ef in std::__invoke_result<void (TaskManager::*)(), TaskManager*>::type std::__invoke<void (TaskManager::*)(), TaskManager*>(void (TaskManager::*&&)(), TaskManager*&&) /usr/include/c++/15.2.1/bits/invoke.h:98
#23 0x7fe7a44b33ef in std::invoke_result<void (TaskManager::*)(), TaskManager*>::type std::invoke<void (TaskManager::*)(), TaskManager*>(void (TaskManager::*&&)(), TaskManager*&&) /usr/include/c++/15.2.1/functional:122
#24 0x7fe7a44b33ef in Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&)::{lambda(void (TaskManager::*&&)(), TaskManager*&&)#1}::operator()(void (TaskManager::*&&)(), TaskManager*&&) const /mnt/data/dev/xray-16/src/xrCore/Threading/ThreadUtil.h:45
#25 0x7fe7a44b34b4 in void std::__invoke_impl<void, Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&)::{lambda(void (TaskManager::*&&)(), TaskManager*&&)#1}, void (TaskManager::*)(), TaskManager*>(std::__invoke_other, Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&)::{lambda(void (TaskManager::*&&&&)(), TaskManager*&&)#1}, void (TaskManager::*&&)(), TaskManager*&&) /usr/include/c++/15.2.1/bits/invoke.h:63
#26 0x7fe7a44b34b4 in _ZSt8__invokeIZN9Threading9RunThreadIM11TaskManagerFvvEJPS2_EEESt6threadPKcOT_DpOT0_EUlOS4_OS5_E_JS4_S5_EENSt15__invoke_resultIS9_JDpSB_EE4typeESA_SD_ /usr/include/c++/15.2.1/bits/invoke.h:98
#27 0x7fe7a44b34b4 in void std::thread::_Invoker<std::tuple<Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&)::{lambda(void (TaskManager::*&&)(), TaskManager*&&)#1}, void (TaskManager::*)(), TaskManager*> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/15.2.1/bits/std_thread.h:303
#28 0x7fe7a44b34b4 in std::thread::_Invoker<std::tuple<Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&)::{lambda(void (TaskManager::*&&)(), TaskManager*&&)#1}, void (TaskManager::*)(), TaskManager*> >::operator()() /usr/include/c++/15.2.1/bits/std_thread.h:310
#29 0x7fe7a44b34b4 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&)::{lambda(void (TaskManager::*&&)(), TaskManager*&&)#1}, void (TaskManager::*)(), TaskManager*> > >::_M_run() /usr/include/c++/15.2.1/bits/std_thread.h:255
#30 0x7fe7a3d002f3 in execute_native_thread_routine /usr/src/debug/gcc/gcc/libstdc++-v3/src/c++11/thread.cc:104
Thread T5 created by T0 here:
#0 0x7fe7cbb47670 in pthread_create /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_interceptors.cpp:250
#1 0x7fe7a3d003b9 in __gthread_create(unsigned long*, void* (*)(void*), void*) /usr/src/debug/gcc/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:709
#2 0x7fe7a3d003b9 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /usr/src/debug/gcc/gcc/libstdc++-v3/src/c++11/thread.cc:172
#3 0x7fe7a44b6fad in std::thread Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&) /mnt/data/dev/xray-16/src/xrCore/Threading/ThreadUtil.h:39
#4 0x7fe7a44ae249 in TaskManager::SpawnThreads() /mnt/data/dev/xray-16/src/xrCore/Threading/TaskManager.cpp:163
#5 0x7fe7a4471e4b in xrCore::Initialize(char const*, char const*, bool, char const*, bool) /mnt/data/dev/xray-16/src/xrCore/xrCore.cpp:278 bool m_correct;
#6 0x7fe7a56a3d13 in CApplication::CApplication(char const*, GameModule*, std::array<RendererModule*, 2ul> const&) /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:256
#7 0x55fd673594cd in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:51
#8 0x55fd6735995b in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:109
#9 0x7fe7a3027b8a (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
SUMMARY: AddressSanitizer: heap-use-after-free /mnt/data/dev/xray-16/src/Layers/xrRender/r__dsgraph_render.cpp:34 in bool xray::render::render_gl::cmp_pass<xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>*>(xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&, xr_fixed_map_node<xray::render::render_gl::SPass*, xray::render::render_gl::R_dsgraph::mapNormalItems>* const&)
Shadow bytes around the buggy address:
0x7de79f82f100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7de79f82f380: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7de79f82f600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
If I understand the code correctly then every frame the mapNormalPasses are destroyed here.
And would be created here. But looking at the R_dsgraph_structure::insert_static function we can see there are several early returns which would skip this initilization and would then be used here in R_dsgraph_structure::render_graph accesing freed memory. But I'm not really sure what the best way to fix this would be.
I would also assume that the same problem exists for mapMatrixPasses.