This repository has been archived by the owner on Aug 8, 2023. It is now read-only.

ASan heap-buffer-overflow in MGLPolyline #10741

Closed
friedbunny opened this issue Dec 19, 2017 · 2 comments
Labels
bug iOS Mapbox Maps SDK for iOS tests

Comments

@friedbunny
Contributor

Running make ios-sanitize-address circa 9759ba7 exits with the following failure:

==13221==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000be500 at pc 0x0001004bc6d8 bp 0x7ffeef819070 sp 0x7ffeef818820
READ of size 16 at 0x6030000be500 thread T0
    #0 0x1004bc6d7 in __asan_memcpy (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x4c6d7)
    #1 0x11c59ffba in -[MGLPolyline coordinate] MGLPolyline.mm:68
    #2 0x11a48e870 in -[MGLCodingTests testPolyline] MGLCodingTests.m:92
    #3 0x1024e936b in __invoking___ (CoreFoundation:x86_64+0x7d36b)
    #4 0x1024e923f in -[NSInvocation invoke] (CoreFoundation:x86_64+0x7d23f)
    #5 0x101acde2f in __24-[XCTestCase invokeTest]_block_invoke (XCTest:x86_64+0x19e2f)
    #6 0x101b1717d in -[XCUITestContext performInScope:] (XCTest:x86_64+0x6317d)
    #7 0x101acdbd5 in -[XCTestCase invokeTest] (XCTest:x86_64+0x19bd5)
    #8 0x101aceb96 in __26-[XCTestCase performTest:]_block_invoke.369 (XCTest:x86_64+0x1ab96)
    #9 0x101b1bf24 in +[XCTContext runInContextForTestCase:block:] (XCTest:x86_64+0x67f24)
    #10 0x101ace532 in -[XCTestCase performTest:] (XCTest:x86_64+0x1a532)
    #11 0x101aca538 in __27-[XCTestSuite performTest:]_block_invoke (XCTest:x86_64+0x16538)
    #12 0x101ac9e9f in -[XCTestSuite _performProtectedSectionForTest:testSection:] (XCTest:x86_64+0x15e9f)
    #13 0x101aca09c in -[XCTestSuite performTest:] (XCTest:x86_64+0x1609c)
    #14 0x101aca538 in __27-[XCTestSuite performTest:]_block_invoke (XCTest:x86_64+0x16538)
    #15 0x101ac9e9f in -[XCTestSuite _performProtectedSectionForTest:testSection:] (XCTest:x86_64+0x15e9f)
    #16 0x101aca09c in -[XCTestSuite performTest:] (XCTest:x86_64+0x1609c)
    #17 0x101aca538 in __27-[XCTestSuite performTest:]_block_invoke (XCTest:x86_64+0x16538)
    #18 0x101ac9e9f in -[XCTestSuite _performProtectedSectionForTest:testSection:] (XCTest:x86_64+0x15e9f)
    #19 0x101aca09c in -[XCTestSuite performTest:] (XCTest:x86_64+0x1609c)
    #20 0x101b2364e in __44-[XCTTestRunSession runTestsAndReturnError:]_block_invoke (XCTest:x86_64+0x6f64e)
    #21 0x101add719 in -[XCTestObservationCenter _observeTestExecutionForBlock:] (XCTest:x86_64+0x29719)
    #22 0x101b234ed in -[XCTTestRunSession runTestsAndReturnError:] (XCTest:x86_64+0x6f4ed)
    #23 0x101ab9af0 in -[XCTestDriver runTestsAndReturnError:] (XCTest:x86_64+0x5af0)
    #24 0x101b1b18f in _XCTestMain (XCTest:x86_64+0x6718f)
    #25 0x1003e3590  (xctest:x86_64+0x100002590)
    #26 0x10907cd80 in start (libdyld.dylib:x86_64+0xd80)
 
0x6030000be500 is located 0 bytes to the right of 32-byte region [0x6030000be4e0,0x6030000be500)
allocated by thread T0 here:
    #0 0x1004cec5b in wrap__Znwm (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x5ec5b)
    #1 0x11bcc9d83 in std::__1::vector<CLLocationCoordinate2D, std::__1::allocator<CLLocationCoordinate2D> >::allocate(unsigned long) new:226
    #2 0x11c3be709 in std::__1::vector<CLLocationCoordinate2D, std::__1::allocator<CLLocationCoordinate2D> >::vector<CLLocationCoordinate2D const*>(CLLocationCoordinate2D const*, std::__1::enable_if<(__is_forward_iterator<CLLocationCoordinate2D const*>::value) && (is_constructible<CLLocationCoordinate2D, std::__1::iterator_traits<CLLocationCoordinate2D const*>::reference>::value), CLLocationCoordinate2D const*>::type) vector:1165
    #3 0x11c3adef4 in std::__1::vector<CLLocationCoordinate2D, std::__1::allocator<CLLocationCoordinate2D> >::vector<CLLocationCoordinate2D const*>(CLLocationCoordinate2D const*, std::__1::enable_if<(__is_forward_iterator<CLLocationCoordinate2D const*>::value) && (is_constructible<CLLocationCoordinate2D, std::__1::iterator_traits<CLLocationCoordinate2D const*>::reference>::value), CLLocationCoordinate2D const*>::type) vector:1158
    #4 0x11c3adcb4 in -[MGLMultiPoint initWithCoordinates:count:] MGLMultiPoint.mm:23
    #5 0x11c59caf9 in +[MGLPolyline polylineWithCoordinates:count:] MGLPolyline.mm:18
    #6 0x11a48e6cd in -[MGLCodingTests testPolyline] MGLCodingTests.m:89
    #7 0x1024e936b in __invoking___ (CoreFoundation:x86_64+0x7d36b)
    #8 0x1024e923f in -[NSInvocation invoke] (CoreFoundation:x86_64+0x7d23f)
    #9 0x101acde2f in __24-[XCTestCase invokeTest]_block_invoke (XCTest:x86_64+0x19e2f)
    #10 0x101b1717d in -[XCUITestContext performInScope:] (XCTest:x86_64+0x6317d)
    #11 0x101acdbd5 in -[XCTestCase invokeTest] (XCTest:x86_64+0x19bd5)
    #12 0x101aceb96 in __26-[XCTestCase performTest:]_block_invoke.369 (XCTest:x86_64+0x1ab96)
    #13 0x101b1bf24 in +[XCTContext runInContextForTestCase:block:] (XCTest:x86_64+0x67f24)
    #14 0x101ace532 in -[XCTestCase performTest:] (XCTest:x86_64+0x1a532)
    #15 0x101aca538 in __27-[XCTestSuite performTest:]_block_invoke (XCTest:x86_64+0x16538)
    #16 0x101ac9e9f in -[XCTestSuite _performProtectedSectionForTest:testSection:] (XCTest:x86_64+0x15e9f)
    #17 0x101aca09c in -[XCTestSuite performTest:] (XCTest:x86_64+0x1609c)
    #18 0x101aca538 in __27-[XCTestSuite performTest:]_block_invoke (XCTest:x86_64+0x16538)
    #19 0x101ac9e9f in -[XCTestSuite _performProtectedSectionForTest:testSection:] (XCTest:x86_64+0x15e9f)
    #20 0x101aca09c in -[XCTestSuite performTest:] (XCTest:x86_64+0x1609c)
    #21 0x101aca538 in __27-[XCTestSuite performTest:]_block_invoke (XCTest:x86_64+0x16538)
    #22 0x101ac9e9f in -[XCTestSuite _performProtectedSectionForTest:testSection:] (XCTest:x86_64+0x15e9f)
    #23 0x101aca09c in -[XCTestSuite performTest:] (XCTest:x86_64+0x1609c)
    #24 0x101b2364e in __44-[XCTTestRunSession runTestsAndReturnError:]_block_invoke (XCTest:x86_64+0x6f64e)
    #25 0x101add719 in -[XCTestObservationCenter _observeTestExecutionForBlock:] (XCTest:x86_64+0x29719)
    #26 0x101b234ed in -[XCTTestRunSession runTestsAndReturnError:] (XCTest:x86_64+0x6f4ed)
    #27 0x101ab9af0 in -[XCTestDriver runTestsAndReturnError:] (XCTest:x86_64+0x5af0)
    #28 0x101b1b18f in _XCTestMain (XCTest:x86_64+0x6718f)
    #29 0x1003e3590  (xctest:x86_64+0x100002590)

Full report/crash log:
Process:               xctest [13221]
Path:                  /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/Library/Xcode/Agents/xctest
Identifier:            xctest
Version:               13764
Code Type:             X86-64 (Native)
Parent Process:        launchd_sim [13001]
Responsible:           xctest [13221]
User ID:               501

Date/Time:             2017-12-18 16:40:00.155 -0800
OS Version:            Mac OS X 10.13.2 (17C88)
Report Version:        12
Bridge OS Version:     3.0 (14Y661)
Anonymous UUID:        9724949D-B1E9-BF59-188C-CDA606688ED1

Sleep/Wake UUID:       E040B869-A543-4AF8-B068-A2CF64A84794

Time Awake Since Boot: 370000 seconds
Time Since Wake:       1500 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
=================================================================
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x4c6d7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0600017c50: fa fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
  0x1c0600017c60: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x1c0600017c70: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fa fa
  0x1c0600017c80: fa fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x1c0600017c90: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x1c0600017ca0:[fa]fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x1c0600017cb0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x1c0600017cc0: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 00
  0x1c0600017cd0: fa fa fa fa fa fa fa fa fd fd fd fd fa fa 00 00
  0x1c0600017ce0: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x1c0600017cf0: 00 00 00 00 fa fa fd fd fd fa fa fa 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13221==ABORTING
 
abort() called
CoreSimulator 494.33 - Device: iPhone 6 - Runtime: iOS 11.2 (15C107) - DeviceType: iPhone 6


/cc @1ec5 @fabian-guerra @akitchen

@1ec5
Contributor

1ec5 commented Dec 20, 2017

Yep, there’s a bug here. The following code looks ahead one spot in the coordinates array, but the for loop doesn’t guard against the possibility that i might be just one less than count:

for (NSUInteger i = 0; i < count; i++) {
    MGLRadianCoordinate2D from = MGLRadianCoordinateFromLocationCoordinate(coordinates[i]);
    MGLRadianCoordinate2D to = MGLRadianCoordinateFromLocationCoordinate(coordinates[i + 1]);

The overflow occurs when the polyline has exactly two coordinates, as in this test:

CLLocationCoordinate2D segmentCoordinates[] = {
    CLLocationCoordinate2DMake(35.040390, -85.311477),
    CLLocationCoordinate2DMake(35.040390, -85.209510),
};
NSUInteger segmentCoordinatesCount = sizeof(segmentCoordinates) / sizeof(CLLocationCoordinate2D);
MGLPolyline *segmentLine = [MGLPolyline polylineWithCoordinates:segmentCoordinates count:segmentCoordinatesCount];
CLLocationCoordinate2D segmentCenter = CLLocationCoordinate2DMake(35.0404006631, -85.2604935);
XCTAssertEqualWithAccuracy([segmentLine coordinate].latitude, segmentCenter.latitude, 0.0001);
XCTAssertEqualWithAccuracy([segmentLine coordinate].longitude, segmentCenter.longitude, 0.0001);

@friedbunny
Contributor Author

Fixed by #11543.
