#373 Spell loading / pending ASan crash

Closed
opened 2 years ago by image · 0 comments
image commented 2 years ago
03:58:46 E LUA       : ZoneScripts/QueensColony.lua: LUA SendPopUpMessage command error: Spawn is not valid.
03:58:46 E LUA       : WorldDatabase::LoadCharacterSpellEffects: GetSpell(2550197, 1), spell could not be found!
03:58:46 E LUA       : WorldDatabase::LoadCharacterSpellEffects: GetSpell(2550197, 1), spell could not be found!
=================================================================
==6186==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130002b4ee0 at pc 0x555555bbf8f5 bp 0x7fffd9731f30 sp 0x7fffd9731f28
READ of size 8 at 0x6130002b4ee0 thread T102
    #0 0x555555bbf8f4 in SpellProcess::Process() ../WorldServer/SpellProcess.cpp:126
    #1 0x555555a12751 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1390
    #2 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #3 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #4 0x7ffff68274ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

0x6130002b4ee0 is located 96 bytes inside of 336-byte region [0x6130002b4e80,0x6130002b4fd0)
freed by thread T18 here:
    #0 0x7ffff72e0128 in operator delete(void*, unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xec128)
    #1 0x555555c1f6cc in LuaInterface::DeletePendingSpells(bool) ../WorldServer/LuaInterface.cpp:1510
    #2 0x555555c2dd07 in LuaInterface::Process() ../WorldServer/LuaInterface.cpp:142
    #3 0x555555a128fa in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1418
    #4 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #5 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

previously allocated by thread T102 here:
    #0 0x7ffff72ded30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
    #1 0x555555c22ea5 in LuaInterface::GetSpell(char const*) ../WorldServer/LuaInterface.cpp:1887
    #2 0x555555ecc89e in EQ2Emu_lua_GetSpell(lua_State*) ../WorldServer/LuaFunctions.cpp:11128
    #3 0x5555567a3dc5 in luaD_precall (/home/eq2emu_server/server/eq2world+0x124fdc5)
    #4 0x5555567b0d45 in luaV_execute (/home/eq2emu_server/server/eq2world+0x125cd45)
    #5 0x5555567a4154 in luaD_call (/home/eq2emu_server/server/eq2world+0x1250154)
    #6 0x5555567a41b2 in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x12501b2)
    #7 0x5555567b54b4 in f_call (/home/eq2emu_server/server/eq2world+0x12614b4)
    #8 0x5555567a319d in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x124f19d)
    #9 0x5555567a496d in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125096d)
    #10 0x5555567b5582 in lua_pcallk (/home/eq2emu_server/server/eq2world+0x1261582)
    #11 0x555555c2af17 in LuaInterface::CallItemScript(lua_State*, unsigned char, long long*) ../WorldServer/LuaInterface.cpp:669
    #12 0x555555c3cd0b in LuaInterface::RunItemScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Item*, Spawn*, long long*) ../WorldServer/LuaInterface.cpp:2158
    #13 0x555555f7535c in Client::ConsumeFoodDrink(Item*, unsigned int) ../WorldServer/client.cpp:10544
    #14 0x55555637be20 in Commands::Command_ConsumeFood(Client*, Seperator*) ../WorldServer/Commands/Commands.cpp:10925
    #15 0x5555563ec805 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:5322
    #16 0x555555fa9e92 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1814
    #17 0x555555fbfaea in Client::Process(bool) ../WorldServer/client.cpp:2994
    #18 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #19 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #20 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #21 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T102 created by T0 here:
    #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x555555de112e in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595
    #3 0x555555f0cace in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3346
    #4 0x5555561e6963 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784
    #5 0x555555f9a856 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9788
    #6 0x555555f9f546 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1059
    #7 0x555555fbfaea in Client::Process(bool) ../WorldServer/client.cpp:2994
    #8 0x555555fc26ee in ClientList::Process() ../WorldServer/client.cpp:3278
    #9 0x555555c691a6 in main ../WorldServer/net.cpp:458
    #10 0x7ffff675209a in __libc_start_main ../csu/libc-start.c:308

Thread T18 created by T0 here:
    #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x55555613c7ba in WorldDatabase::LoadSpecialZones() ../WorldServer/WorldDatabase.cpp:2961
    #3 0x555555c67c47 in main ../WorldServer/net.cpp:374
    #4 0x7ffff675209a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/SpellProcess.cpp:126 in SpellProcess::Process()
Shadow bytes around the buggy address:
  0x0c268004e980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268004e990: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c268004e9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c268004e9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c268004e9c0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c268004e9d0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c268004e9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268004e9f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c268004ea00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268004ea10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268004ea20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6186==ABORTING

Reading the trace: the 336-byte object is a spell allocated by `LuaInterface::GetSpell` from an item script on zone thread T102 (`Client::ConsumeFoodDrink` → `RunItemScript`), freed by `LuaInterface::DeletePendingSpells` running on a different zone thread (T18, started from `WorldDatabase::LoadSpecialZones`), and then read again by `SpellProcess::Process` on T102 at `SpellProcess.cpp:126`. Because T18 and T102 are separate `ZoneServer` threads, this looks like a cross-thread object-lifetime bug — the pending-spell list appears to be visible to more than one zone, and the zone that still holds the pointer is not told when the object is released — rather than a consequence of the "spell could not be found" errors logged just before, which may be unrelated.
``` #[0;37;40m#[1;37;40m03:58:46 #[1;31;40mE #[1;37;40mLUA : #[1;31;40mZoneScripts/QueensColony.lua: LUA SendPopUpMessage command error: Spawn is not valid. #[0;37;40m#[1;37;40m03:58:46 #[1;31;40mE #[1;37;40mLUA : #[1;31;40mWorldDatabase::LoadCharacterSpellEffects: GetSpell(2550197, 1), spell could not be found! #[0;37;40m#[1;37;40m03:58:46 #[1;31;40mE #[1;37;40mLUA : #[1;31;40mWorldDatabase::LoadCharacterSpellEffects: GetSpell(2550197, 1), spell could not be found! #[0;37;40m================================================================= ==6186==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130002b4ee0 at pc 0x555555bbf8f5 bp 0x7fffd9731f30 sp 0x7fffd9731f28 READ of size 8 at 0x6130002b4ee0 thread T102 #0 0x555555bbf8f4 in SpellProcess::Process() ../WorldServer/SpellProcess.cpp:126 #1 0x555555a12751 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1390 #2 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867 #3 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 #4 0x7ffff68274ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce) 0x6130002b4ee0 is located 96 bytes inside of 336-byte region [0x6130002b4e80,0x6130002b4fd0) freed by thread T18 here: #0 0x7ffff72e0128 in operator delete(void*, unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xec128) #1 0x555555c1f6cc in LuaInterface::DeletePendingSpells(bool) ../WorldServer/LuaInterface.cpp:1510 #2 0x555555c2dd07 in LuaInterface::Process() ../WorldServer/LuaInterface.cpp:142 #3 0x555555a128fa in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1418 #4 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867 #5 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 previously allocated by thread T102 here: #0 0x7ffff72ded30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30) #1 0x555555c22ea5 in LuaInterface::GetSpell(char const*) ../WorldServer/LuaInterface.cpp:1887 #2 
0x555555ecc89e in EQ2Emu_lua_GetSpell(lua_State*) ../WorldServer/LuaFunctions.cpp:11128 #3 0x5555567a3dc5 in luaD_precall (/home/eq2emu_server/server/eq2world+0x124fdc5) #4 0x5555567b0d45 in luaV_execute (/home/eq2emu_server/server/eq2world+0x125cd45) #5 0x5555567a4154 in luaD_call (/home/eq2emu_server/server/eq2world+0x1250154) #6 0x5555567a41b2 in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x12501b2) #7 0x5555567b54b4 in f_call (/home/eq2emu_server/server/eq2world+0x12614b4) #8 0x5555567a319d in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x124f19d) #9 0x5555567a496d in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125096d) #10 0x5555567b5582 in lua_pcallk (/home/eq2emu_server/server/eq2world+0x1261582) #11 0x555555c2af17 in LuaInterface::CallItemScript(lua_State*, unsigned char, long long*) ../WorldServer/LuaInterface.cpp:669 #12 0x555555c3cd0b in LuaInterface::RunItemScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Item*, Spawn*, long long*) ../WorldServer/LuaInterface.cpp:2158 #13 0x555555f7535c in Client::ConsumeFoodDrink(Item*, unsigned int) ../WorldServer/client.cpp:10544 #14 0x55555637be20 in Commands::Command_ConsumeFood(Client*, Seperator*) ../WorldServer/Commands/Commands.cpp:10925 #15 0x5555563ec805 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:5322 #16 0x555555fa9e92 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1814 #17 0x555555fbfaea in Client::Process(bool) ../WorldServer/client.cpp:2994 #18 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183 #19 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387 #20 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867 #21 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 Thread T102 created by T0 here: #0 0x7ffff7244db0 in 
__interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0) #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308 #2 0x555555de112e in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595 #3 0x555555f0cace in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3346 #4 0x5555561e6963 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784 #5 0x555555f9a856 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9788 #6 0x555555f9f546 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1059 #7 0x555555fbfaea in Client::Process(bool) ../WorldServer/client.cpp:2994 #8 0x555555fc26ee in ClientList::Process() ../WorldServer/client.cpp:3278 #9 0x555555c691a6 in main ../WorldServer/net.cpp:458 #10 0x7ffff675209a in __libc_start_main ../csu/libc-start.c:308 Thread T18 created by T0 here: #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0) #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308 #2 0x55555613c7ba in WorldDatabase::LoadSpecialZones() ../WorldServer/WorldDatabase.cpp:2961 #3 0x555555c67c47 in main ../WorldServer/net.cpp:374 #4 0x7ffff675209a in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/SpellProcess.cpp:126 in SpellProcess::Process() Shadow bytes around the buggy address: 0x0c268004e980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c268004e990: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c268004e9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c268004e9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c268004e9c0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c268004e9d0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd 0x0c268004e9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c268004e9f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x0c268004ea00: fa 
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c268004ea10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c268004ea20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6186==ABORTING ```