SEGV on unknown address bug found in sdfdump #1765
Comments
|
Filed as internal issue #USD-7199 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Description of Issue
SEGV on unknown address
Steps to Reproduce
./sdfdump [poc]
poc.zip
System Information (OS, Hardware)
ubuntu 18.04
The corresponding ASAN log information is as follows:
hill@ubuntu:~/usd_asan_debug$ '/home/hill/usd_asan_debug/bin/sdfdump' '/home/hill/openUSD_rename_crashes_2/2205.usdz'
failed call to posix_madvise(140499363221504, 36028797018966123)ret=12, errno=2 'No such file or directory'
Runtime Error: in Read at line 618 of /home/hill/USD/USD-release/pxr/usd/usd/crateFile.cpp -- Read out-of-bounds: 8 bytes at offset 576460752303424353 in a mapping of length 3523
ASAN:DEADLYSIGNAL
ASAN:DEADLYSIGNAL
ASAN:DEADLYSIGNAL
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:DEADLYSIGNAL
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:DEADLYSIGNAL
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:DEADLYSIGNAL
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:DEADLYSIGNAL
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:DEADLYSIGNAL
==7655==AddressSanitizer: while reporting a bug found another one. Ignoring.
==7655==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fc88b14b175 bp 0x7fc88d67a820 sp 0x7fc88d67a810 T3)
==7655==The signal is caused by a READ memory access.
==7655==Hint: address points to the zero page.
#0 0x7fc88b14b174 in boost::intrusive_ptr<pxrInternal_v0_21__pxrReserved__::Usd_Counted<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > >::intrusive_ptr(boost::intrusive_ptr<pxrInternal_v0_21__pxrReserved__::Usd_Counted<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > > const&) (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xe82174)
#1 0x7fc88b148271 in boost::intrusive_ptr<pxrInternal_v0_21__pxrReserved__::Usd_Counted<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > >::operator=(boost::intrusive_ptr<pxrInternal_v0_21__pxrReserved__::Usd_Counted<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > > const&) (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xe7f271)
#2 0x7fc88b13a5ec in pxrInternal_v0_21__pxrReserved__::Usd_Shared<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > >::operator=(pxrInternal_v0_21__pxrReserved__::Usd_Shared<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > const&) /home/hill/USD/USD-release/pxr/usd/usd/shared.h:66
#3 0x7fc88b13a575 in pxrInternal_v0_21__pxrReserved__::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}::operator()(unsigned long) const /home/hill/USD/USD-release/pxr/usd/usd/crateData.cpp:983
#4 0x7fc88b19d78e in tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>::operator()(tbb::blocked_range const&) const (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xed478e)
#5 0x7fc88b198be0 in tbb::interface9::internal::start_for<tbb::blocked_range, tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>, tbb::auto_partitioner const>::run_body(tbb::blocked_range&) (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xecfbe0)
#6 0x7fc88b197623 in void tbb::interface9::internal::dynamic_grainsize_mode<tbb::interface9::internal::adaptive_modetbb::interface9::internal::auto_partition_type >::work_balance<tbb::interface9::internal::start_for<tbb::blocked_range, tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>, tbb::auto_partitioner const>, tbb::blocked_range >(tbb::interface9::internal::start_for<tbb::blocked_range, tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>, tbb::auto_partitioner const>&, tbb::blocked_range&) (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xece623)
#7 0x7fc88b196c59 in void tbb::interface9::internal::partition_type_basetbb::interface9::internal::auto_partition_type::execute<tbb::interface9::internal::start_for<tbb::blocked_range, tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>, tbb::auto_partitioner const>, tbb::blocked_range >(tbb::interface9::internal::start_for<tbb::blocked_range, tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>, tbb::auto_partitioner const>&, tbb::blocked_range&) (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xecdc59)
#8 0x7fc88b195b07 in tbb::interface9::internal::start_for<tbb::blocked_range, tbb::internal::parallel_for_body<pxrInternal_v0_21__pxrReserved_::Usd_CrateDataImpl::_PopulateFromCrateFile()::{lambda()#1}::operator()() const::{lambda()#6}::operator()() const::{lambda(unsigned long)#1}, unsigned long>, tbb::auto_partitioner const>::execute() (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xeccb07)
#9 0x7fc8913d0638 in tbb::internal::custom_schedulertbb::internal::IntelSchedulerTraits::local_wait_for_all(tbb::task&, tbb::task*) ../../src/tbb/custom_scheduler.h:509
#10 0x7fc8913c9e2f in tbb::internal::arena::process(tbb::internal::generic_scheduler&) ../../src/tbb/arena.cpp:160
#11 0x7fc8913c893a in tbb::internal::market::process(rml::job&) ../../src/tbb/market.cpp:693
#12 0x7fc8913c4acf in tbb::internal::rml::private_worker::run() ../../src/tbb/private_server.cpp:270
#13 0x7fc8913c4cf8 in tbb::internal::rml::private_worker::thread_routine(void*) ../../src/tbb/private_server.cpp:223
#14 0x7fc8930c56da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#15 0x7fc89380a71e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12171e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/hill/usd_asan_debug/lib/libusd_usd.so+0xe82174) in boost::intrusive_ptr<pxrInternal_v0_21__pxrReserved__::Usd_Counted<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > >::intrusive_ptr(boost::intrusive_ptr<pxrInternal_v0_21__pxrReserved__::Usd_Counted<std::vector<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue>, std::allocator<std::pair<pxrInternal_v0_21__pxrReserved__::TfToken, pxrInternal_v0_21__pxrReserved__::VtValue> > > > > const&)
Thread T3 created by T1 here:
#0 0x7fc897609d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7fc8913c496f in rml::internal::thread_monitor::launch(void* ()(void), void*, unsigned long) ../../src/tbb/../rml/server/thread_monitor.h:221
#2 0x7fc8913c496f in tbb::internal::rml::private_worker::wake_or_launch() ../../src/tbb/private_server.cpp:300
#3 0x7fc8913c496f in tbb::internal::rml::private_server::wake_some(int) ../../src/tbb/private_server.cpp:394
Thread T1 created by T0 here:
#0 0x7fc897609d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7fc8913c496f in rml::internal::thread_monitor::launch(void* ()(void), void*, unsigned long) ../../src/tbb/../rml/server/thread_monitor.h:221
#2 0x7fc8913c496f in tbb::internal::rml::private_worker::wake_or_launch() ../../src/tbb/private_server.cpp:300
#3 0x7fc8913c496f in tbb::internal::rml::private_server::wake_some(int) ../../src/tbb/private_server.cpp:394
==7655==ABORTING
Package Versions
21.11
This bug is found by fuzzer ATTuzz
The text was updated successfully, but these errors were encountered: