[osg-users] OpenSceneGraph-3.6.5 release candidate 2 tagged, please test
OpenSceneGraph Users
osg-users at lists.openscenegraph.org
Mon Jan 27 18:33:18 PST 2020
Am Montag, 27. Januar 2020 10:57:23 UTC+1 schrieb Robert Osfield:
>
> Hi Fiabian,
>
> On Monday, 27 January 2020 09:41:43 UTC, Fabian Roth wrote:
>>
>> Hi,
>> I am currently testing this RC with openmw.
>> If i have the fps display or profiler open while exiting the application
>> i get a crash on exit.
>> I am not sure if this is due to a bug in my build, a bug in openmw or a
>> real issue with osg.
>> The issue seems to be related to the destruction of the default font, but
>> i was not able to investigate further.
>> Attached is a Backtrace of the issue i am currently observing.
>>
>
> That stack trace looks like the automatic clean up of the ObjectCache with
> the DefaultFont within it is related somehow to the crash. How the
> DefaultFont is managed has changed, to address bugs ironically, and in a
> general sense the clean up the stack trace looks just fine to me, it's
> roughly what I'd expect to happen. However, I don't have any clear idea
> why in this instance the crash has occurred.
>
> Given there isn't any obvious amiss we are unfortunately are left to widen
> out the search for what is amiss.
>
> Does running an OSG example like osgtext fail?
>
> Do others in the OpenMMW community seen this same crash?
>
> Is it possible to run OpenMMW single threaded to see if there might be
> some thread interaction?
>
> What OS/compile and OpenMMW version combination are you using?
>
> One possible cause of crash like this is memory corruption during the run
> of the application that is only revealed on clean up. Using a memory tools
> like valgrind might be spot this type of issue.
>
> Perhaps others might have seen something similar and can help shed some
> light on the nature of the crash.
>
> If it's possible to recreate the crash with an standard OSG example, or a
> small modification of one, then this would be really helpful for me to jump
> in a start investigating the issue.
>
> Cheers.
> Robert.
>
Hi,
Thank you for the fast reply.
My build is using static osg, static osg-plugins and link time optimization.
I created an address sanitizer enabled build.
It exhibits a heap-use-after-free.
I will try to further investigate this week.
Greetings,
Fabian
=================================================================
==11872==ERROR: AddressSanitizer: heap-use-after-free on address
0x6030000082c0 at pc 0x55b4b9659551 bp 0x7ffdf8a9c190 sp 0x7ffdf8a9c180
READ of size 8 at 0x6030000082c0 thread T0
#0 0x55b4b9659550 in
OpenThreads::ScopedPointerLock<OpenThreads::Mutex>::ScopedPointerLock(OpenThreads::Mutex*)
./openmw/extern-git/OpenSceneGraph/include/OpenThreads/ScopedLock:54
#1 0x55b4b9659550 in osg::StateAttribute::removeParent(osg::StateSet*)
./openmw/extern-git/OpenSceneGraph/src/osg/StateAttribute.cpp:38
#2 0x55b4b965a033 in osg::StateSet::clear()
./openmw/extern-git/OpenSceneGraph/src/osg/StateSet.cpp:734
#3 0x55b4b965a5ef in __base_dtor
./openmw/extern-git/OpenSceneGraph/src/osg/StateSet.cpp:285
#4 0x55b4b965a9f8 in __deleting_dtor
./openmw/extern-git/OpenSceneGraph/src/osg/StateSet.cpp:286
#5 0x55b4b9c98246 in osg::Referenced::unref() const
./openmw/extern-git/OpenSceneGraph/include/osg/Referenced:201
#6 0x55b4b9c98246 in osg::ref_ptr<osg::StateSet>::~ref_ptr()
./openmw/extern-git/OpenSceneGraph/include/osg/ref_ptr:41
#7 0x55b4b9c98246 in void std::_Destroy<osg::ref_ptr<osg::StateSet>
>(osg::ref_ptr<osg::StateSet>*) /usr/include/c++/7/bits/stl_construct.h:98
#8 0x55b4b9c98246 in void
std::_Destroy_aux<false>::__destroy<osg::ref_ptr<osg::StateSet>*>(osg::ref_ptr<osg::StateSet>*,
osg::ref_ptr<osg::StateSet>*) /usr/include/c++/7/bits/stl_construct.h:108
#9 0x55b4b9c98246 in void
std::_Destroy<osg::ref_ptr<osg::StateSet>*>(osg::ref_ptr<osg::StateSet>*,
osg::ref_ptr<osg::StateSet>*) /usr/include/c++/7/bits/stl_construct.h:137
#10 0x55b4b9c98246 in void std::_Destroy<osg::ref_ptr<osg::StateSet>*,
osg::ref_ptr<osg::StateSet> >(osg::ref_ptr<osg::StateSet>*,
osg::ref_ptr<osg::StateSet>*, std::allocator<osg::ref_ptr<osg::StateSet>
>&) /usr/include/c++/7/bits/stl_construct.h:206
#11 0x55b4b9c98246 in std::vector<osg::ref_ptr<osg::StateSet>,
std::allocator<osg::ref_ptr<osg::StateSet> > >::~vector() [clone
.lto_priv.5218] /usr/include/c++/7/bits/stl_vector.h:434
#12 0x55b4b9da20dd in osgText::Font::~Font()
./openmw/extern-git/OpenSceneGraph/src/osgText/Font.cpp:295
#13 0x55b4b9e59ed2 in __base_dtor
./openmw/extern-git/OpenSceneGraph/src/osgText/DefaultFont.cpp:35
#14 0x55b4b9e59ed2 in __deleting_dtor
./openmw/extern-git/OpenSceneGraph/src/osgText/DefaultFont.cpp:37
#15 0x55b4b8df93d6 in osg::Referenced::unref() const
./openmw/extern-git/OpenSceneGraph/include/osg/Referenced:201
#16 0x55b4b98e7518 in osg::ref_ptr<osg::Object>::~ref_ptr()
./openmw/extern-git/OpenSceneGraph/include/osg/ref_ptr:41
#17 0x55b4b98e7518 in std::pair<osg::ref_ptr<osg::Object>,
double>::~pair() /usr/include/c++/7/bits/stl_pair.h:208
#18 0x55b4b98e7518 in __base_dtor
/usr/include/c++/7/bits/stl_pair.h:208
#19 0x55b4b98e7518 in void
__gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >
>::destroy<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >
>(std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >*)
/usr/include/c++/7/ext/new_allocator.h:140
#20 0x55b4b98e7518 in void
std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > > >
>::destroy<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >
>(std::allocator<std::_Rb_tree_node<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > > >&,
std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >*)
/usr/include/c++/7/bits/alloc_traits.h:487
#21 0x55b4b98e7518 in
std::_Rb_tree<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> >, std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >,
std::_Select1st<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >,
osgDB::ObjectCache::ClassComp,
std::allocator<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >
>::_M_destroy_node(std::_Rb_tree_node<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >*)
/usr/include/c++/7/bits/stl_tree.h:650
#22 0x55b4b98e7518 in
std::_Rb_tree<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> >, std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >,
std::_Select1st<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >,
osgDB::ObjectCache::ClassComp,
std::allocator<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >
>::_M_drop_node(std::_Rb_tree_node<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >*)
/usr/include/c++/7/bits/stl_tree.h:658
#23 0x55b4b98e7518 in _M_erase /usr/include/c++/7/bits/stl_tree.h:1858
#24 0x55b4b990fe4f in
std::_Rb_tree<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> >, std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> >,
std::_Select1st<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > >,
osgDB::ObjectCache::ClassComp,
std::allocator<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > > >::clear()
/usr/include/c++/7/bits/stl_tree.h:1171
#25 0x55b4b990fe4f in
std::map<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >, osg::ref_ptr<osgDB::Options const> >,
std::pair<osg::ref_ptr<osg::Object>, double>,
osgDB::ObjectCache::ClassComp,
std::allocator<std::pair<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, osg::ref_ptr<osgDB::Options
const> > const, std::pair<osg::ref_ptr<osg::Object>, double> > > >::clear()
/usr/include/c++/7/bits/stl_map.h:1127
#26 0x55b4b990fe4f in osgDB::ObjectCache::clear()
./openmw/extern-git/OpenSceneGraph/src/osgDB/ObjectCache.cpp:189
#27 0x55b4b9914418 in clearObjectCache
./openmw/extern-git/OpenSceneGraph/src/osgDB/Registry.cpp:1654
#28 0x55b4b9914418 in osgDB::Registry::destruct()
./openmw/extern-git/OpenSceneGraph/src/osgDB/Registry.cpp:507
#29 0x55b4b9917574 in __base_dtor
./openmw/extern-git/OpenSceneGraph/src/osgDB/Registry.cpp:486
#30 0x55b4b9918268 in __deleting_dtor
./openmw/extern-git/OpenSceneGraph/src/osgDB/Registry.cpp:487
#31 0x55b4b8df93d6 in osg::Referenced::unref() const
./openmw/extern-git/OpenSceneGraph/include/osg/Referenced:201
#32 0x7fde57502040 (/lib/x86_64-linux-gnu/libc.so.6+0x43040)
#33 0x7fde57502139 in exit (/lib/x86_64-linux-gnu/libc.so.6+0x43139)
#34 0x7fde574e0b9d in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b9d)
#35 0x55b4b872bf79 in _start (.//openmw-build/openmw+0x3e9f79)
0x6030000082c0 is located 0 bytes inside of 24-byte region
[0x6030000082c0,0x6030000082d8)
freed by thread T0 here:
#0 0x7fde579919d8 in operator delete(void*, unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19d8)
#1 0x7fde57502040 (/lib/x86_64-linux-gnu/libc.so.6+0x43040)
previously allocated by thread T0 here:
#0 0x7fde57990458 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
#1 0x55b4b9658949 in osg::Referenced::getGlobalReferencedMutex()
./openmw/extern-git/OpenSceneGraph/src/osg/Referenced.cpp:86
SUMMARY: AddressSanitizer: heap-use-after-free
./openmw/extern-git/OpenSceneGraph/include/OpenThreads/ScopedLock:54 in
OpenThreads::ScopedPointerLock<OpenThreads::Mutex>::ScopedPointerLock(OpenThreads::Mutex*)
Shadow bytes around the buggy address:
0x0c067fff9000: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fa fa
0x0c067fff9010: fa fa fa fa fa fa fd fd fd fd fa fa fa fa fa fa
0x0c067fff9020: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fd fd
0x0c067fff9030: fd fd fa fa fa fa fa fa fa fa fd fd fd fa fa fa
0x0c067fff9040: fa fa fa fa fa fa fd fd fd fa fa fa fa fa fa fa
=>0x0c067fff9050: fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa fd fd
0x0c067fff9060: fd fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
0x0c067fff9070: fa fa fa fa fa fa fd fd fd fa fa fa fa fa fa fa
0x0c067fff9080: fa fa fd fd fd fa fa fa fa fa fa fa fa fa 00 00
0x0c067fff9090: 05 fa fa fa 00 00 05 fa fa fa fa fa fa fa fa fa
0x0c067fff90a0: 00 00 07 fa fa fa 00 00 07 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11872==ABORTING
--
You received this message because you are subscribed to the Google Groups "OpenSceneGraph Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to osg-users+unsubscribe at googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/osg-users/222411d9-3219-4d28-8090-a0602ce81f01%40googlegroups.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openscenegraph.org/pipermail/osg-users-openscenegraph.org/attachments/20200127/e746b48d/attachment.html>
More information about the osg-users
mailing list