use-after-free in ProductionSiteWindow::update_worker_table
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
widelands | Fix Released | Critical | Unassigned | | |
Bug Description
I was playing fellowships (No AIs involved) just to get a lot of ships,
when changing the priority of logs for a charcoal kiln the game crashed
with the attached ASAN report:
==6450==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130029690e8 at pc 0x000106764f14 bp 0x7ffeea7d6450 sp 0x7ffeea7d6448
READ of size 8 at 0x6130029690e8 thread T0
#0 0x106764f13 in UI::Table<
#1 0x106c2a80f in ProductionSiteW
#2 0x106c2eff6 in ProductionSiteW
#3 0x106c2ee6c in _ZNSt3_
#4 0x106c2ecf8 in std::__
#5 0x105e02112 in std::__
#6 0x105e01e3e in void Notifications:
#7 0x105df1f2c in void Notifications:
#8 0x105ee1389 in Widelands:
#9 0x105edd9e1 in Widelands:
#10 0x105ed3eed in Widelands:
#11 0x105d53141 in Widelands:
#12 0x105ac1e5b in Widelands:
#13 0x105b16bdf in Widelands:
0x6130029690e8 is located 360 bytes inside of 376-byte region [0x613002968f80
freed by thread T0 here:
#0 0x109c2e74b in wrap__ZdlPv (libclang_
#1 0x1065fac91 in UI::Table<
#2 0x1064f73b7 in UI::Panel:
previously allocated by thread T0 here:
#0 0x109c2e14b in wrap__Znwm (libclang_
#1 0x106c27bb0 in ProductionSiteW
#2 0x106c26839 in ProductionSiteW
I assume this is another case of me closing a Window before the Game could think().
I will not attach a save game unless I can reliably reproduce this.
Related branches
- TiborB: Approve
Diff: 13 lines (+3/-0), 1 file modified: src/wui/productionsitewindow.cc (+3/-0)
tags: added: asan
Changed in widelands:
milestone: none → build20-rc1
importance: Undecided → Critical
I feel I have fixed this bug recently. Here it looks like the Table has been destroyed already, I checked that the building is still in existence. It seems weird that the table can be invalid while the building is still alive.
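
The ASAN report in this bug shows a notification callback reaching `update_worker_table` after `UI::Panel` had already deleted the table. The sketch below is an added example, not Widelands code and not the fix that was merged: it shows one way to tie a subscriber's lifetime to the widget it touches, with `Bus`, `Subscription`, `SiteWindow` and `Table` as hypothetical stand-ins.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical notification bus; not the Widelands Notifications API.
class Bus {
public:
    // RAII handle: destroying it removes the callback from the bus.
    class Subscription {
    public:
        Subscription(Bus& bus, int id) : bus_(bus), id_(id) {}
        ~Subscription() { bus_.callbacks_.erase(id_); }
        Subscription(const Subscription&) = delete;
        Subscription& operator=(const Subscription&) = delete;
    private:
        Bus& bus_; int id_;
    };
    std::unique_ptr<Subscription> subscribe(std::function<void(int)> cb) {
        callbacks_[next_id_] = std::move(cb);
        return std::make_unique<Subscription>(*this, next_id_++);
    }
    void publish(int worker) { for (auto& e : callbacks_) e.second(worker); }
    std::size_t subscriber_count() const { return callbacks_.size(); }
private:
    std::map<int, std::function<void(int)>> callbacks_;
    int next_id_ = 0;
};

struct Table { std::vector<int> rows; };  // stand-in for the UI table widget
class SiteWindow {                        // stand-in for a window owning a table
public:
    explicit SiteWindow(Bus& bus) : table_(std::make_unique<Table>()) {
        sub_ = bus.subscribe([this](int worker) { update_worker_table(worker); });
    }
    // Closing frees the child widget; the subscription must be dropped first.
    void close() { sub_.reset(); table_.reset(); }
    bool update_worker_table(int worker) {
        if (!table_) return false;  // second line of defence: table already freed
        table_->rows.push_back(worker);
        return true;
    }
    std::size_t rows() const { return table_ ? table_->rows.size() : 0; }
private:
    std::unique_ptr<Table> table_;
    std::unique_ptr<Bus::Subscription> sub_;  // declared last, so destroyed first
};
```

The bus must outlive every `Subscription`, and this sketch does not handle callbacks that subscribe or unsubscribe while `publish` is iterating.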