double free or corruption (fasttop) #54

Closed
osrf-migration opened this issue Mar 27, 2020 · 9 comments
Labels
bug Something isn't working

Comments

@osrf-migration

Original report (archived issue) by Juan Oxoby (Bitbucket: Juan Oxoby).


Prerequisites

  • [ X] Put an X between the brackets on this line if you have done all of the following:

Description

double free or corruption (fasttop) after executing a simple program using Server.

Steps to Reproduce

Build and run the following test program:

#include <ignition/gazebo/Server.hh>

using namespace ignition;
using namespace gazebo;

/////////////////////////////////////////////////
int main()
{
  ServerConfig serverConfig;
  Server server(serverConfig);
  server.Run();
  return 0;
}

Expected behavior:

The program should run and finish without any problems.

Actual behavior:

At the end of the execution, the program fails with this output:

double free or corruption (fasttop)
Aborted (core dumped)

Reproduces how often:

Always.

Versions

gcc (Ubuntu 8.3.0-6ubuntu1~18.04.1) 8.3.0

ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27

Additional Information

When running with valgrind:

valgrind --keep-stacktraces=alloc-and-free crash_test

==29049== Memcheck, a memory error detector
==29049== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29049== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29049== Command: bin/crash_test
==29049==
==29049== Invalid free() / delete / delete[] / realloc()
==29049== at 0x4C3123B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29049== by 0x580F040: __run_exit_handlers (exit.c:108)
==29049== by 0x580F139: exit (exit.c:139)
==29049== by 0x57EDB9D: (below main) (libc-start.c:344)
==29049== Address 0x1f97e1d0 is 0 bytes inside a block of size 29 free'd
==29049== at 0x4C3123B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29049== by 0x580F040: __run_exit_handlers (exit.c:108)
==29049== by 0x580F139: exit (exit.c:139)
==29049== by 0x57EDB9D: (below main) (libc-start.c:344)
==29049== Block was alloc'd at
==29049== at 0x4C3017F: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29049== by 0x2ABF365D: ??? (in /opt/ros/melodic/lib/liboctomap.so.1.9.0)
==29049== by 0x4010732: call_init (dl-init.c:72)
==29049== by 0x4010732: _dl_init (dl-init.c:119)
==29049== by 0x40151FE: dl_open_worker (dl-open.c:522)
==29049== by 0x59332DE: _dl_catch_exception (dl-error-skeleton.c:196)
==29049== by 0x40147C9: _dl_open (dl-open.c:605)
==29049== by 0x972CF95: dlopen_doit (dlopen.c:66)
==29049== by 0x59332DE: _dl_catch_exception (dl-error-skeleton.c:196)
==29049== by 0x593336E: _dl_catch_error (dl-error-skeleton.c:215)
==29049== by 0x972D734: _dlerror_run (dlerror.c:162)
==29049== by 0x972D050: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
==29049== by 0x663A3A9: ignition::plugin::Loader::Implementation::LoadLib(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (Loader.cc:457)
==29049==
==29049==
==29049== HEAP SUMMARY:
==29049== in use at exit: 663,703 bytes in 9,163 blocks
==29049== total heap usage: 211,095 allocs, 201,934 frees, 31,648,420 bytes allocated
==29049==
==29049== LEAK SUMMARY:
==29049== definitely lost: 3,573 bytes in 212 blocks
==29049== indirectly lost: 0 bytes in 0 blocks
==29049== possibly lost: 0 bytes in 0 blocks
==29049== still reachable: 660,130 bytes in 8,951 blocks
==29049== suppressed: 0 bytes in 0 blocks
==29049== Rerun with --leak-check=full to see details of leaked memory
==29049==
==29049== For counts of detected and suppressed errors, rerun with: -v
==29049== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

Pointed to line: https://github.com/ignitionrobotics/ign-plugin/blob/94482af3e9b2cc1cbb7c2dbeb2c7846f8283f0f6/loader/src/Loader.cc#L457

If running with address sanitizer, we get:

=================================================================
==16996==ERROR: AddressSanitizer: attempting double-free on 0x60300026dc10 in thread T0:
#0 0x55fafdc08dc0 in operator delete(void*) (bin/crash_test+0xd7dc0)
#1 0x7f658031e040 (/lib/x86_64-linux-gnu/libc.so.6+0x43040)
#2 0x7f658031e139 in exit (/lib/x86_64-linux-gnu/libc.so.6+0x43139)
#3 0x7f65802fcb9d in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b9d)
#4 0x55fafdb39b89 in _start (build/bin/crash_test+0x8b89)

0x60300026dc10 is located 0 bytes inside of 29-byte region [0x60300026dc10,0x60300026dc2d)
freed by thread T0 here:
#0 0x55fafdc08dc0 in operator delete(void*) (build/bin/crash_test+0xd7dc0)
#1 0x7f658031e040 (/lib/x86_64-linux-gnu/libc.so.6+0x43040)

previously allocated by thread T0 here:
#0 0x55fafdc07f10 in operator new(unsigned long) (build/bin/crash_test+0xd6f10)
#1 0x7f655b39565d (/opt/ros/melodic/lib/liboctomap.so.1.9+0x1465d)

SUMMARY: AddressSanitizer: double-free (build/bin/crash_test+0xd7dc0) in operator delete(void*)
==16996==ABORTING

@osrf-migration
Author

Original comment by Juan Oxoby (Bitbucket: Juan Oxoby).


  • Edited issue description

@osrf-migration
Author

Original comment by Louise Poubel (Bitbucket: chapulina, GitHub: chapulina).


I'm not able to reproduce your issue. See pull request #578 for an example. I also tried with the exact code you posted, on Blueprint and Citadel, and never got a crash.

Your trace points to the loader, but I don't know how LoadLib would be called on a program that's not loading any plugins. Are you sure the trace is from that code snippet?

@osrf-migration
Author

Original comment by Juan Oxoby (Bitbucket: Juan Oxoby).


Hi Louise - Thanks for giving it a try. Yes, the trace is from that code snippet. Address sanitizer points to liboctomap.so.1.9… Maybe a version issue?

@osrf-migration
Author

Original comment by Louise Poubel (Bitbucket: chapulina, GitHub: chapulina).


Humm could be, I'm running liboctomap1.8 1.8.1+dfsg-1, which comes with Ubuntu Bionic.

Are you using Ignition debs or building from source?

@osrf-migration
Author

Original comment by Juan Oxoby (Bitbucket: Juan Oxoby).


Hi Louise - It seems that the problem was a result of linking two different octomap libraries into libignition-physics2-dartsim-plugin.so. My system has both liboctomap1.8 and liboctomap1.9 installed.

Running ldd libignition-physics2-dartsim-plugin.so | grep octomap I get:

liboctomap.so.1.9 => /opt/ros/melodic/lib/liboctomap.so.1.9 (0x00007fa6ce7e8000)
liboctomap.so.1.8 => /usr/lib/liboctomap.so.1.8 (0x00007fa6cb269000)

No wonder why the “double free“ error…

So, removing liboctomap1.9 and rebuilding package ignition-physics2 solves the issue.
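
Added example (not part of the original thread or the project's code): the `ldd ... | grep octomap` check from the comment above, generalised to flag any library that resolves under more than one SONAME version. The function names are hypothetical, and every sample line except the two octomap lines is constructed for illustration.

```sh
# Reads `ldd` output on stdin and prints one line per library that is
# resolved under more than one versioned SONAME:
#   <base>.so: <soname> (<path>), <soname> (<path>)
find_soname_conflicts() {
  awk '
    $2 == "=>" && $1 ~ /\.so(\.|$)/ {
      soname = $1
      base = soname
      sub(/\.so(\.[0-9]+)*$/, ".so", base)   # drop the version suffix
      if (!((base, soname) in seen)) {
        seen[base, soname] = 1
        count[base]++
        sep = (base in list) ? ", " : ""
        list[base] = list[base] sep soname " (" $3 ")"
      }
    }
    END {
      for (b in count) if (count[b] > 1) print b ": " list[b]
    }
  ' | sort
}

# Sample input: the two octomap lines are quoted from the issue,
# the remaining lines are constructed.
sample_ldd_output() {
  cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd3a5f2000)
    libdart.so.6 => /usr/lib/libdart.so.6 (0x00007fa6cf000000)
    liboctomap.so.1.9 => /opt/ros/melodic/lib/liboctomap.so.1.9 (0x00007fa6ce7e8000)
    liboctomap.so.1.8 => /usr/lib/liboctomap.so.1.8 (0x00007fa6cb269000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa6ca000000)
EOF
}

# Check a real shared object; returns 1 and prints the conflicts if any.
# ldd may execute the target's loader, so run it only on trusted files.
check_library() {
  _conflicts=$(ldd "$1" | find_soname_conflicts)
  [ -z "$_conflicts" ] && return 0
  printf '%s\n' "$_conflicts"
  return 1
}

# Demo on the embedded sample.
sample_ldd_output | find_soname_conflicts
```

Running `check_library` over each plugin in a build or CI step catches this kind of mixed-version link before it shows up as a crash at exit.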

@osrf-migration
Author

Original comment by Louise Poubel (Bitbucket: chapulina, GitHub: chapulina).


  • changed state from "new" to "resolved"

Glad to hear the issue is solved.
