Bug #11378

coredump after dt was just crashed and I open that file

Added by David Schaefer over 3 years ago. Updated over 3 years ago.

Status: Fixed
Priority: Low
Assignee:
Category: -
Target version:
Start date: 12/21/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: git master branch
System: Ubuntu
bitness: 64-bit
hardware architecture: amd64/x86

Description

Hi,

I was using dt, it crashed, and I started the asan version. The image I was formerly working on was now a skull. Double clicking yields this dump.

=================================================================
==17380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000030788 at pc 0x7fde1e24063f bp 0x7fde09c9ea00 sp 0x7fde09c9e9f0
READ of size 4 at 0x61c000030788 thread T34
#0 0x7fde1e24063e in process_sse2._omp_fn.5 /home/david/workspace/darktable.git/src/iop/temperature.c:561
#1 0x7fde40a27e05 (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0x16e05)
#2 0x7fde4773e6c9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76c9)
#3 0x7fde474780ae in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x1080ae)

0x61c000030788 is located 0 bytes to the right of 1800-byte region [0x61c000030080,0x61c000030788)
allocated by thread T7 here:
#0 0x7fde481ec9d0 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc79d0)
#1 0x7fde47a85870 in dt_alloc_align /home/david/workspace/darktable.git/src/common/darktable.c:1118
#2 0x7fde47b8bd08 in dt_dev_pixelpipe_cache_get_weighted /home/david/workspace/darktable.git/src/develop/pixelpipe_cache.c:173
#3 0x7fde47b915ef in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:725
#4 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#5 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#6 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#7 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#8 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#9 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#10 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#11 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#12 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#13 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#14 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#15 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#16 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#17 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#18 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#19 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#20 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#21 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#22 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#23 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#24 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#25 0x7fde47b8d599 in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:701
#26 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#27 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#28 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582
#29 0x7fde47b8c70c in dt_dev_pixelpipe_process_rec /home/david/workspace/darktable.git/src/develop/pixelpipe_hb.c:582

Thread T34 created by T7 here:
#0 0x7fde481564e8 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x314e8)
#1 0x7fde40a283bf (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0x173bf)
#2 0x7fde40a1f1b9 in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xe1b9)
#3 0x3ed921823dcccccc (<unknown module>)

Thread T7 created by T0 here:
#0 0x7fde481564e8 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x314e8)
#1 0x7fde47a9629d in dt_pthread_create /home/david/workspace/darktable.git/src/common/dtpthread.c:63
#2 0x7fde47b3e4ed in dt_control_init /home/david/workspace/darktable.git/src/control/control.c:119
#3 0x7fde47a8941d in dt_init /home/david/workspace/darktable.git/src/common/darktable.c:827
#4 0x55e63db239d5 in main /home/david/workspace/darktable.git/src/main.c:24
#5 0x7fde473903f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/david/workspace/darktable.git/src/iop/temperature.c:561 in process_sse2._omp_fn.5
Shadow bytes around the buggy address:
0x0c387fffe0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fffe0f0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fffe100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fffe110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fffe140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17380==ABORTING

Associated revisions

Revision f69eecb5 (diff)
Added by Roman Lebedev over 3 years ago

Temperature iop: process_sse2(): make sure that i < width. Fixes #11378

Revision 3f0bb3fd (diff)
Added by Roman Lebedev over 3 years ago

Invert iop: process_sse2(): make sure that i < width. Refs #11378

History

#1 Updated by Roman Lebedev over 3 years ago

  • % Done changed from 0 to 20
  • Assignee set to Roman Lebedev
  • Status changed from New to Triaged

#2 Updated by Roman Lebedev over 3 years ago

Nice catch :)

#3 Updated by Roman Lebedev over 3 years ago

  • % Done changed from 20 to 100
  • Status changed from Triaged to Fixed

#4 Updated by Roman Lebedev over 3 years ago

  • Target version set to 2.2.0
