
use-after-free in lua during level transition #1983

@AMS21

Description

@AMS21
AddressSanitizer: heap-use-after-free on address 0x7b51d12d8098 at pc 0x7f11e893f680 bp 0x7ffc46f05030 sp 0x7ffc46f05020
READ of size 8 at 0x7b51d12d8098 thread T0
    #0 0x7f11e893f67f in luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>::operator()(CScriptBinderObject const&) const /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/property.hpp:20
    #1 0x7f11e8941d93 in luabind::detail::invoke_struct<luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > >, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*> >::call_struct<false, false, luabind::meta::index_list<0u> >::call(lua_State*, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>&, std::tuple<luabind::default_converter<CScriptBinderObject const&, void> >&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/call.hpp:218
    #2 0x7f11e8941f01 in int luabind::detail::invoke_struct<luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > >, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*> >::call_fun<std::tuple<luabind::default_converter<CScriptBinderObject const&, void> > >(lua_State*, luabind::detail::invoke_context&, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>&, int, std::tuple<luabind::default_converter<CScriptBinderObject const&, void> >&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/call.hpp:317
    #3 0x7f11e894264f in luabind::detail::invoke_struct<luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > >, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*> >::invoke(lua_State*, luabind::detail::function_object const&, luabind::detail::invoke_context&, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/call.hpp:374
    #4 0x7f11e89426ef in int luabind::detail::invoke<luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > >, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*> >(lua_State*, luabind::detail::function_object const&, luabind::detail::invoke_context&, luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/call.hpp:392
    #5 0x7f11e89426ef in luabind::detail::function_object_impl<luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > > >::invoke_defer(lua_State*, luabind::detail::function_object_impl<luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > > >*, luabind::detail::invoke_context&, int&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/make_function.hpp:51
    #6 0x7f11e89428b6 in luabind::detail::function_object_impl<luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>, luabind::meta::type_list<CScriptGameObject*, CScriptBinderObject const&>, luabind::meta::type_list<luabind::call_policy_injector<luabind::detail::dependency_policy<0, 1> > > >::entry_point(lua_State*) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/make_function.hpp:73
    #7 0x7f11fe75ca14 in lj_BC_FUNCC /mnt/data/dev/xray-16/bin/buildvm_x86.dasc:849
    #8 0x7f11d511f9d3 in get_instance_value /mnt/data/dev/xray-16/Externals/luabind/src/object_rep.cpp:163
    #9 0x7f11fe75ca14 in lj_BC_FUNCC /mnt/data/dev/xray-16/bin/buildvm_x86.dasc:849
    #10 0x7f11fe775685 in lua_pcall /mnt/data/dev/xray-16/Externals/LuaJIT/src/lj_api.c:1218
    #11 0x7f11d512129a in luabind::detail::pcall(lua_State*, int, int) /mnt/data/dev/xray-16/Externals/luabind/src/pcall.cpp:43
    #12 0x7f11e717b23f in void luabind::detail::call_function_struct<void, luabind::meta::type_list<>, luabind::meta::index_list<1u>, 1u, &luabind::detail::pcall, true>::call<char const*>(lua_State*, char const*&&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/call_function.hpp:111
    #13 0x7f11e717b33e in void luabind::call_pushed_function<void, luabind::meta::type_list<>, char const*>(lua_State*, char const*&&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/call_function.hpp:111
    #14 0x7f11e717b387 in void luabind::call_function<void, luabind::meta::type_list<>, char const*>(luabind::adl::object const&, char const*&&) /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/object.hpp:146
    #15 0x7f11e7174f3d in void luabind::functor<void>::operator()<char const*>(char const*&&) const /mnt/data/dev/xray-16/src/xrScriptEngine/Functor.hpp:33
    #16 0x7f11e7174f3d in CALifeStorageManager::save(char const*, bool) /mnt/data/dev/xray-16/src/xrGame/alife_storage_manager.cpp:61
    #17 0x7f11e71bb120 in CALifeUpdateManager::change_level(NET_Packet&) /mnt/data/dev/xray-16/src/xrGame/alife_update_manager.cpp:198
    #18 0x7f11e7d66dc9 in game_sv_Single::change_level(NET_Packet&, ClientID) /mnt/data/dev/xray-16/src/xrGame/game_sv_single.cpp:227
    #19 0x7f11e97f1592 in xrServer::OnMessage(NET_Packet&, ClientID) /mnt/data/dev/xray-16/src/xrGame/xrServer.cpp:544
    #20 0x7f11e81c6339 in CLevel::Send(NET_Packet&, unsigned int, unsigned int) /mnt/data/dev/xray-16/src/xrGame/Level_network.cpp:298
    #21 0x7f11e810c429 in CLevelChanger::feel_touch_new(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/level_changer.cpp:124
    #22 0x7f11d7dcfeda in Feel::Touch::feel_touch_update(_vector3<float>&, float) /mnt/data/dev/xray-16/src/xrEngine/Feel_Touch.cpp:63
    #23 0x7f11e810d8ae in CLevelChanger::shedule_Update(unsigned int) /mnt/data/dev/xray-16/src/xrGame/level_changer.cpp:101
    #24 0x7f11d7ebdcdb in CSheduler::ProcessStep() /mnt/data/dev/xray-16/src/xrEngine/xrSheduler.cpp:371
    #25 0x7f11d7ebed7c in CSheduler::Update() /mnt/data/dev/xray-16/src/xrEngine/xrSheduler.cpp:467
    #26 0x7f11e7b7f19c in CGamePersistent::OnFrame() /mnt/data/dev/xray-16/src/xrGame/GamePersistent.cpp:616
    #27 0x7f11d7edf988 in pureFrame::OnPure(pureFrame*) /mnt/data/dev/xray-16/src/xrEngine/pure.h:18
    #28 0x7f11d7edf988 in MessageRegistry<pureFrame>::Process() /mnt/data/dev/xray-16/src/xrEngine/pure.h:101
    #29 0x7f11d7ececb7 in CRenderDevice::FrameMove() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:484
    #30 0x7f11d7ecf34b in CRenderDevice::ProcessFrame() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:270
    #31 0x7f11d7e8470e in CApplication::Run() /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:433
    #32 0x5572f20764d5 in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:53
    #33 0x5572f207695b in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:109
    #34 0x7f11d5827b8a  (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
    #35 0x7f11d5827c4a in __libc_start_main (/usr/lib/libc.so.6+0x27c4a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
    #36 0x5572f2076304 in _start (/mnt/data/dev/xray-16/bin/x86_64/Debug/xr_3da+0x7304) (BuildId: a42307e2056b24dd7d40950015579916511720c5)

0x7b51d12d8098 is located 8 bytes inside of 48-byte region [0x7b51d12d8090,0x7b51d12d80c0)
freed by thread T19 here:
    #0 0x7f11fe15103d in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x7f11d6c8b447 in xrMemory::mem_free(void*) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:260
    #2 0x7f11fba254f6 in void xr_free<void>(void*&) /mnt/data/dev/xray-16/src/xrCore/xrMemory.h:105
    #3 0x7f11d54ee9c7 in lua_alloc /mnt/data/dev/xray-16/src/xrScriptEngine/script_engine.cpp:63
    #4 0x7f11fe7a4cb6 in gc_sweep /mnt/data/dev/xray-16/Externals/LuaJIT/src/lj_gc.c:417
    #5 0x7f11fe7a4cb6 in gc_onestep /mnt/data/dev/xray-16/Externals/LuaJIT/src/lj_gc.c:651

previously allocated by thread T17 here:
    #0 0x7f11fe1512e5 in realloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:81
    #1 0x7f11d6c8b426 in xrMemory::mem_realloc(void*, unsigned long) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:244
    #2 0x7f11d6c8b801 in xr_realloc(void*, unsigned long) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:370
    #3 0x7f11d54ee975 in lua_alloc /mnt/data/dev/xray-16/src/xrScriptEngine/script_engine.cpp:66
    #4 0x7f11fe7a581b in lj_mem_newgco /mnt/data/dev/xray-16/Externals/LuaJIT/src/lj_gc.c:850

Thread T19 created by T0 here:
    #0 0x7f11fe147670 in pthread_create /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_interceptors.cpp:250
    #1 0x7f11d65003b9 in __gthread_create(unsigned long*, void* (*)(void*), void*) /usr/src/debug/gcc/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:709
    #2 0x7f11d65003b9 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /usr/src/debug/gcc/gcc/libstdc++-v3/src/c++11/thread.cc:172
    #3 0x7f11d6cb774d in std::thread Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&) /mnt/data/dev/xray-16/src/xrCore/Threading/ThreadUtil.h:39
    #4 0x7f11d6cae9e9 in TaskManager::SpawnThreads() /mnt/data/dev/xray-16/src/xrCore/Threading/TaskManager.cpp:163
    #5 0x7f11d6c71e4b in xrCore::Initialize(char const*, char const*, bool, char const*, bool) /mnt/data/dev/xray-16/src/xrCore/xrCore.cpp:278
    #6 0x7f11d7e86613 in CApplication::CApplication(char const*, GameModule*, std::array<RendererModule*, 2ul> const&) /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:256
    #7 0x5572f20764cd in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:51
    #8 0x5572f207695b in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:109
    #9 0x7f11d5827b8a  (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)

Thread T17 created by T0 here:
    #0 0x7f11fe147670 in pthread_create /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_interceptors.cpp:250
    #1 0x7f11d65003b9 in __gthread_create(unsigned long*, void* (*)(void*), void*) /usr/src/debug/gcc/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:709
    #2 0x7f11d65003b9 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /usr/src/debug/gcc/gcc/libstdc++-v3/src/c++11/thread.cc:172
    #3 0x7f11d6cb774d in std::thread Threading::RunThread<void (TaskManager::*)(), TaskManager*>(char const*, void (TaskManager::*&&)(), TaskManager*&&) /mnt/data/dev/xray-16/src/xrCore/Threading/ThreadUtil.h:39
    #4 0x7f11d6cae9e9 in TaskManager::SpawnThreads() /mnt/data/dev/xray-16/src/xrCore/Threading/TaskManager.cpp:163
    #5 0x7f11d6c71e4b in xrCore::Initialize(char const*, char const*, bool, char const*, bool) /mnt/data/dev/xray-16/src/xrCore/xrCore.cpp:278
    #6 0x7f11d7e86613 in CApplication::CApplication(char const*, GameModule*, std::array<RendererModule*, 2ul> const&) /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:256
    #7 0x5572f20764cd in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:51
    #8 0x5572f207695b in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:109
    #9 0x7f11d5827b8a  (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)

SUMMARY: AddressSanitizer: heap-use-after-free /mnt/data/dev/xray-16/Externals/luabind/src/../luabind/detail/property.hpp:20 in luabind::detail::access_member_ptr<CScriptBinderObject, CScriptGameObject*, CScriptGameObject*>::operator()(CScriptBinderObject const&) const
Shadow bytes around the buggy address:
  0x7b51d12d7e00: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x7b51d12d7e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b51d12d7f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b51d12d7f80: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x7b51d12d8000: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x7b51d12d8080: fa fa fd[fd]fd fd fd fd fa fa fa fa fa fa fa fa
  0x7b51d12d8100: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x7b51d12d8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b51d12d8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b51d12d8280: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x7b51d12d8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

    Labels

    Bug (the issue is in the run-time), Game assets (a feature or an issue that involves a gamedata change), Lua