FeatureHole stack-use-after-scope

rlee287
Posts: 2
Joined: Wed Dec 26, 2018 9:25 pm


Postby rlee287 » Fri Dec 28, 2018 9:55 pm

Running the tests with ./FreeCAD --console --run-test 0 triggers a stack-use-after-scope error under AddressSanitizer from the following code (lines 1216-1233 of src/Mod/PartDesign/App/FeatureHole.cpp):

Code:

            Handle(Geom_Circle) circle = Handle(Geom_Circle)::DownCast(c);

            const gp_Pnt& loc = circle->Axis().Location();

            gp_Trsf sketchTransformation;
            gp_Trsf localSketchTransformation;
            Base::Placement SketchPos = profile->Placement.getValue();
            Base::Matrix4D mat = SketchPos.toMatrix();
            sketchTransformation.SetValues(
                        mat[0][0], mat[0][1], mat[0][2], mat[0][3],
                        mat[1][0], mat[1][1], mat[1][2], mat[1][3],
                        mat[2][0], mat[2][1], mat[2][2], mat[2][3]
#if OCC_VERSION_HEX < 0x060800
                        , 0.00001, 0.00001
#endif
                    ); //precision was removed in OCCT CR0025194
            localSketchTransformation.SetTranslation( gp_Pnt( 0, 0, 0 ),
                                                      gp_Pnt(loc.X(), loc.Y(), loc.Z()) );
The error message is as follows:

Code:

testAngledDrillHole (PartDesignTests.TestHole.TestHole) ... /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/Mod/PartDesign/App/FeatureSketchBased.cpp:253:35: runtime error: member call on address 0x7ffff457e290 which does not point to an object of type 'BRepBuilderAPI_Copy'
0x7ffff457e290: note: object is of type 'BRepBuilderAPI_Copy'
 8c 7f 00 00  e0 16 0e 4a 8c 7f 00 00  01 01 00 00 8c 7f 00 00  50 f8 9f 00 40 60 00 00  c0 1f 50 01
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'BRepBuilderAPI_Copy'
=================================================================
==17121==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffff4580110 at pc 0x7f8c364648ff bp 0x7ffff457e6a0 sp 0x7ffff457e690
READ of size 8 at 0x7ffff4580110 thread T0
    #0 0x7f8c364648fe in gp_XYZ::Z() const /usr/local/lib/oce-0.18/../../include/oce/gp_XYZ.lxx:71
    #1 0x7f8c364af635 in gp_Pnt::Z() const /usr/local/lib/oce-0.18/../../include/oce/gp_Pnt.lxx:70
    #2 0x7f8c36525f2e in PartDesign::Hole::execute() /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/Mod/PartDesign/App/FeatureHole.cpp:1233
    #3 0x7f8c688f2fb0 in App::DocumentObject::recompute() /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/App/DocumentObject.cpp:89
    #4 0x7f8c48e32589 in Part::Feature::recompute() /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/Mod/Part/App/PartFeature.cpp:83
    #5 0x7f8c686ecfb9 in App::Document::_recomputeFeature(App::DocumentObject*) /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/App/Document.cpp:2446
    #6 0x7f8c686e5cf3 in App::Document::recompute() /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/App/Document.cpp:2230
    #7 0x7f8c68a4c6b7 in App::DocumentPy::recompute(_object*) /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/App/DocumentPyImp.cpp:408
    #8 0x7f8c68a2de04 in App::DocumentPy::staticCallback_recompute(_object*, _object*) /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/build/src/App/DocumentPy.cpp:1718
    #9 0x7f8c64d02b46 in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x118b46)
    #10 0x7f8c64d0267e in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11867e)
    #11 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #12 0x7f8c64d7faeb  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195aeb)
    #13 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #14 0x7f8c64cfa88c in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11088c)
    #15 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #16 0x7f8c64d7fa1a  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195a1a)
    #17 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #18 0x7f8c64d96b8b  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1acb8b)
    #19 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #20 0x7f8c64d46ff9  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x15cff9)
    #21 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #22 0x7f8c64cfe763 in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x114763)
    #23 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #24 0x7f8c64d7faeb  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195aeb)
    #25 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #26 0x7f8c64cfa88c in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11088c)
    #27 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #28 0x7f8c64d7fa1a  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195a1a)
    #29 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #30 0x7f8c64d96b8b  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1acb8b)
    #31 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #32 0x7f8c64d46ff9  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x15cff9)
    #33 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #34 0x7f8c64cfe763 in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x114763)
    #35 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #36 0x7f8c64d7faeb  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195aeb)
    #37 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #38 0x7f8c64cfa88c in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11088c)
    #39 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #40 0x7f8c64d7fa1a  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195a1a)
    #41 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #42 0x7f8c64d96b8b  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1acb8b)
    #43 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #44 0x7f8c64d46ff9  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x15cff9)
    #45 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #46 0x7f8c64cfe763 in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x114763)
    #47 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #48 0x7f8c64d7faeb  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195aeb)
    #49 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #50 0x7f8c64cfa88c in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11088c)
    #51 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #52 0x7f8c64d7fa1a  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x195a1a)
    #53 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #54 0x7f8c64d96b8b  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1acb8b)
    #55 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #56 0x7f8c64d46ff9  (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x15cff9)
    #57 0x7f8c64da9e92 in PyObject_Call (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x1bfe92)
    #58 0x7f8c64cfe763 in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x114763)
    #59 0x7f8c64d0267e in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11867e)
    #60 0x7f8c64d0267e in PyEval_EvalFrameEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x11867e)
    #61 0x7f8c64cf90c1 in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f0c1)
    #62 0x7f8c64cf96d8 in PyEval_EvalCode (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0x10f6d8)
    #63 0x7f8c64cd1f15 in PyRun_StringFlags (/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0+0xe7f15)
    #64 0x7f8c65bbe36c in Base::InterpreterSingleton::runString[abi:cxx11](char const*) /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/Base/Interpreter.cpp:232
    #65 0x7f8c68ec481d in App::Application::runApplication() /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/App/Application.cpp:1696
    #66 0x565202d16aef in main /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/Main/MainGui.cpp:258
    #67 0x7f8c62b7409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #68 0x565202d14679 in _start (/home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/build/bin/FreeCAD+0x1d679)

Address 0x7ffff4580110 is located in stack of thread T0 at offset 6416 in frame
    #0 0x7f8c3651c361 in PartDesign::Hole::execute() /home/ryan/Documents/3D_modeling/FreeCAD_proj/FreeCAD/src/Mod/PartDesign/App/FeatureHole.cpp:937

  This frame has 126 object(s):
    [32, 33) '<unknown>'
    [96, 97) '<unknown>'
    [160, 161) '<unknown>'
    [224, 225) 'builder'
    [288, 289) '<unknown>'
    [352, 353) '<unknown>'
    [416, 417) '<unknown>'
    [480, 488) 'invObjLoc'
    [544, 552) '<unknown>'
    [608, 616) 'x'
    [672, 680) 'z'
    [736, 744) 'x'
    [800, 808) 'z'
    [864, 872) 'x'
    [928, 936) 'z'
    [992, 1000) 'c_start'
    [1056, 1064) 'c_end'
    [1120, 1128) 'c'
    [1184, 1192) 'circle'
    [1248, 1256) '<unknown>'
    [1312, 1320) '<unknown>'
    [1376, 1400) 'profileshape'
    [1440, 1464) '<unknown>'
    [1504, 1528) 'base'
    [1568, 1592) 'SketchVector'
    [1632, 1656) 'zDir'
    [1696, 1720) 'xDir'
    [1760, 1784) '<unknown>'
    [1824, 1848) '<unknown>'
    [1888, 1912) '<unknown>'
    [1952, 1976) 'firstPoint'
    [2016, 2040) 'lastPoint'
    [2080, 2104) 'newPoint'
    [2144, 2168) '<unknown>'
    [2208, 2232) '<unknown>'
    [2272, 2296) '<unknown>'
    [2336, 2360) '<unknown>'
    [2400, 2424) '<unknown>'
    [2464, 2488) '<unknown>'
    [2528, 2552) '<unknown>'
    [2592, 2616) '<unknown>'
    [2656, 2680) '<unknown>'
    [2720, 2744) 'newPoint'
    [2784, 2808) '<unknown>'
    [2848, 2872) '<unknown>'
    [2912, 2936) '<unknown>'
    [2976, 3000) '<unknown>'
    [3040, 3064) '<unknown>'
    [3104, 3128) '<unknown>'
    [3168, 3192) '<unknown>'
    [3232, 3256) '<unknown>'
    [3296, 3320) '<unknown>'
    [3360, 3384) '<unknown>'
    [3424, 3448) '<unknown>'
    [3488, 3512) '<unknown>'
    [3552, 3576) '<unknown>'
    [3616, 3640) 'newPoint'
    [3680, 3704) '<unknown>'
    [3744, 3768) 'newPoint'
    [3808, 3832) '<unknown>'
    [3872, 3896) '<unknown>'
    [3936, 3960) '<unknown>'
    [4000, 4024) '<unknown>'
    [4064, 4088) '<unknown>'
    [4128, 4152) 'newPoint'
    [4192, 4216) '<unknown>'
    [4256, 4280) '<unknown>'
    [4320, 4344) '<unknown>'
    [4384, 4408) '<unknown>'
    [4448, 4472) '<unknown>'
    [4512, 4536) '<unknown>'
    [4576, 4600) '<unknown>'
    [4640, 4664) '<unknown>'
    [4704, 4728) '<unknown>'
    [4768, 4792) '<unknown>'
    [4832, 4856) '<unknown>'
    [4896, 4920) 'wire'
    [4960, 4984) 'face'
    [5024, 5048) '<unknown>'
    [5088, 5112) 'protoHole'
    [5152, 5176) 'holes'
    [5216, 5240) 'edge'
    [5280, 5304) '<unknown>'
    [5344, 5368) '<unknown>'
    [5408, 5432) 'copy'
    [5472, 5496) 'result'
    [5536, 5560) '<unknown>'
    [5600, 5624) '<unknown>'
    [5664, 5688) '<unknown>'
    [5728, 5752) '<unknown>'
    [5792, 5816) '<unknown>'
    [5856, 5880) '<unknown>'
    [5920, 5944) '<unknown>'
    [5984, 6008) '<unknown>'
    [6048, 6072) '<unknown>'
    [6112, 6136) '<unknown>'
    [6176, 6200) '<unknown>'
    [6240, 6272) 'edgeMap'
    [6304, 6352) '<unknown>'
    [6400, 6448) '<unknown>' <== Memory access at offset 6416 is inside this variable
    [6496, 6648) '<unknown>'
    [6688, 6888) '<unknown>'
    [6944, 7144) '<unknown>'
    [7200, 7400) '<unknown>'
    [7456, 7656) '<unknown>'
    [7712, 7912) '<unknown>'
    [7968, 8168) '<unknown>'
    [8224, 8424) '<unknown>'
    [8480, 8680) '<unknown>'
    [8736, 8936) '<unknown>'
    [8992, 9192) '<unknown>'
    [9248, 9448) '<unknown>'
    [9504, 9728) 'mkCut'
    [9760, 10064) 'mkWire'
    [10112, 10424) 'RevolMaker'
    [10464, 10496) 'method'
    [10528, 10560) 'holeCutType'
    [10592, 10624) 'drillPoint'
    [10656, 10688) '<unknown>'
    [10720, 10752) '<unknown>'
    [10784, 10816) '<unknown>'
    [10848, 10936) 'SketchPos'
    [10976, 11088) 'sketchTransformation'
    [11136, 11248) 'localSketchTransformation'
    [11296, 11424) 'mat'
    [11456, 11736) 'transformer'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /usr/local/lib/oce-0.18/../../include/oce/gp_XYZ.lxx:71 in gp_XYZ::Z() const
Shadow bytes around the buggy address:
  0x10007e8a7fd0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
  0x10007e8a7fe0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
  0x10007e8a7ff0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
  0x10007e8a8000: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
  0x10007e8a8010: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2
=>0x10007e8a8020: f8 f8[f8]f8 f8 f8 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8
  0x10007e8a8030: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2
  0x10007e8a8040: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e8a8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
  0x10007e8a8060: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e8a8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17121==ABORTING
Changing const gp_Pnt& loc = circle->Axis().Location() to gp_Pnt loc = circle->Axis().Location() fixed the error for me, but why does using a reference trigger a stack-use-after-scope error?

If you want to check the line numbers in the above error, please see commit 92d138d1b564fedc64913bf27297adcf74f38bfe at https://github.com/rlee287/FreeCAD/tree ... cf74f38bfe in my own fork of the FreeCAD repo (branched from the 0.17 release). I changed the reference to a value in commit c1541309b67f255685daa1b096145192e4e804b1 in my fork, at https://github.com/rlee287/FreeCAD/comm ... 92e4e804b1.
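The behaviour asked about above follows from the C++ temporary-lifetime rule. `Geom_Circle::Axis()` returns a `gp_Ax1` by value, and `gp_Ax1::Location()` returns a `const gp_Pnt&` into that object. The `gp_Ax1` temporary is destroyed at the end of the statement, and binding a reference to a member reached through a temporary does not extend the temporary's lifetime (only binding a reference directly to the temporary does), so `loc` dangles and the later `loc.Z()` at line 1233 is the read ASan reports. Copying into a `gp_Pnt` takes the coordinates out before the temporary dies, which is why the change fixed it. The following is an added, self-contained C++ example, not code from the post or from FreeCAD/OCCT; `Pnt`, `Axis` and `Circle` are constructed stand-ins for `gp_Pnt`, `gp_Ax1` and `Geom_Circle`, with a live-object counter so the lifetime can be observed without reading through the dangling reference.

```cpp
#include <iostream>

// Constructed stand-in for gp_Pnt.
struct Pnt {
    double x, y, z;
};

// Number of Axis objects currently alive (constructors increment, destructor
// decrements, so copies made or elided by the compiler net to zero).
static int g_live_axes = 0;

// Constructed stand-in for gp_Ax1: owns a Pnt and hands out a const reference to it.
struct Axis {
    Pnt loc;
    explicit Axis(Pnt p) : loc(p) { ++g_live_axes; }
    Axis(const Axis& other) : loc(other.loc) { ++g_live_axes; }
    ~Axis() { --g_live_axes; }
    const Pnt& Location() const { return loc; }
};

// Constructed stand-in for Geom_Circle: AxisOf() returns a fresh Axis BY VALUE,
// just as Geom_Circle::Axis() returns a gp_Ax1 by value.
struct Circle {
    Pnt centre{1.0, 2.0, 3.0};
    Axis AxisOf() const { return Axis(centre); }
};

// Case 1: the pattern from the original post.  The reference binds to a member
// of the temporary Axis, not to the temporary itself, so no lifetime extension
// happens: the Axis is destroyed at the ';' and `loc` dangles.
// Returns true when the temporary is already gone while `loc` is still in scope.
bool reference_to_member_of_temporary_dangles() {
    Circle circle;
    const int before = g_live_axes;
    const Pnt& loc = circle.AxisOf().Location();   // binds into the temporary
    const bool temporary_gone = (g_live_axes == before);
    (void)loc;  // deliberately never read: reading it is the stack-use-after-scope
    return temporary_gone;
}

// Case 2: the fix applied in the post.  Copying the point out of the temporary
// before the statement ends leaves a value that outlives the Axis.
Pnt copy_keeps_value_valid() {
    Circle circle;
    Pnt loc = circle.AxisOf().Location();          // copy, not reference
    return loc;                                    // well-defined
}

// Case 3: for contrast, binding a const reference DIRECTLY to the temporary does
// extend its lifetime to that of the reference, so the member is safe to read.
bool direct_binding_extends_lifetime() {
    Circle circle;
    const int before = g_live_axes;
    const Axis& ax = circle.AxisOf();              // lifetime extension applies
    const bool still_alive = (g_live_axes == before + 1);
    const double z = ax.Location().z;              // valid: ax is alive here
    return still_alive && z == 3.0;
}

int main() {
    std::cout << "member-of-temporary reference dangles: "
              << (reference_to_member_of_temporary_dangles() ? "yes" : "no") << '\n';
    std::cout << "copied point z: " << copy_keeps_value_valid().z << '\n';
    std::cout << "direct binding keeps temporary alive: "
              << (direct_binding_extends_lifetime() ? "yes" : "no") << '\n';
    return 0;
}
```

If the `(void)loc;` line in the first function is replaced by a read of `loc.z`, building with `g++ -std=c++17 -g -fsanitize=address` reports the same `stack-use-after-scope` class of error as the trace above, since recent GCC and Clang poison stack slots at scope exit by default under ASan. GCC 13 and later also flag the pattern at compile time with `-Wdangling-reference`.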