widelands

Deallocated Memory on teardown of Military site

Bug #1733812 reported by Klaus Halfmann on 2017-11-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	widelands	Fix Released	High	Unassigned	widelands build20-rc1

Bug Description

I wanted to teardown some militray bulding, and closed the building window before
Game:think() was called. So the BuildingWindow has already died() but still
got some notification.

Call stack looks like:
Player::dismantle_building(Building* building)
...
BuildingWindow::on_building_note)
-> building_.serial() -> Use of deallocated Memory

* A quick fix would be:
void BuildingWindow::on_building_note(const Widelands::NoteBuilding& note) {
if (!is_dying && note.serial == building_.serial()) {
switch (note.action) {

* Should this not be done via some "unregestration"? this would mean
that we would leak some Memory for every such subscription?

Thanks to http://clang.llvm.org/docs/AddressSanitizer.html

Tags:

Related branches

lp:~widelands-dev/widelands/fix_invalid_memory_access_on_dismantle

Merged into lp:widelands at revision 8512

Klaus Halfmann: Approve (review) on 2017-11-29

GunChleoc: Approve on 2017-11-29

Revision history for this message

Klaus Halfmann (klaus-halfmann) wrote on 2017-11-22:

Same problem in ProductionSiteWindow, check for !is_dying_ is already there but was
done _after_ the broken access.

Revision history for this message

GunChleoc (gunchleoc) wrote on 2017-11-22:

I had been struggling with those when I implemented them - a fix will be very much appreciated :)

tags:	added: cleanups ui
Changed in widelands:
status:	New → Confirmed
milestone:	none → build20-rc1

GunChleoc (gunchleoc) on 2017-11-22

tags:

added: crash

GunChleoc (gunchleoc) on 2017-11-26

tags:

added: asan

Revision history for this message

SirVer (sirver) wrote on 2017-11-29:

I looked at this and agree with klaus fix. I proposed a branch to get this fixed. Thanks, Klaus!

> * Should this not be done via some "unregestration"? this would mean that we would leak some Memory for every such subscription?

it is unregistered as soon as the subscriber is deleted once the window object is deleted. die() registers a window to be closed on the next logical frame, so it is perfectly valid that it still receives NoteBuilding for the moment. Of course, the underlying building is deleted, so we cannot access it anymore. We use is_dying_ as a proxy of 'i do no longer care and the building might be gone anyways' now.

Changed in widelands:
status:	Confirmed → In Progress
importance:	Undecided → High
assignee:	nobody → SirVer (sirver)

GunChleoc (gunchleoc) on 2017-11-29

Changed in widelands:
status:	In Progress → Fix Committed
assignee:	SirVer (sirver) → nobody

Revision history for this message

GunChleoc (gunchleoc) wrote on 2019-04-22:

Fixed in build20-rc1

Changed in widelands:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.