#387 ASan heap-use-after-free on a summoned pet NPC: ZoneLoop reads a Spawn that SpawnLoop already deleted

Triage from the report below: the NPC is allocated on thread T21 (ZoneLoop) by `ZoneServer::GetNewNPC` during `EQ2Emu_lua_SummonPet`, reached from a client packet (`Client::HandlePacket` → `Commands::Process` → `SpellProcess::CastInstant`). It is then freed on thread T22 (SpawnLoop) via `ZoneServer::DeleteSpawns` → `NPC::~NPC` (NPC.cpp:123), and afterwards T21 reads it again in `ZoneServer::CheckHeadingTimers` (zoneserver.cpp:3617) through `Spawn::GetSpawnOrigHeading` (Spawn.h:737). This is a cross-thread lifetime race, not a single-thread logic bug, so the stable repro is timing-dependent; because the allocation path starts from a client packet, a connected client can presumably create the objects involved (verify the deletion side is reachable on demand before treating it as remotely triggerable). The likely fix is to make the list `CheckHeadingTimers` walks and the list `DeleteSpawns` drains agree on ownership (hold the same spawn-list lock for the duration of the walk, or defer the actual `delete` until the zone tick has finished) — confirm against zoneserver.cpp:1245 and :3617, which are not shown here. Running the server under ThreadSanitizer would surface the underlying race directly rather than only the use-after-free it produces.

==31249==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800094c1b0 at pc 0x555555a05f17 bp 0x7fffec696fc0 sp 0x7fffec696fb0
READ of size 4 at 0x62800094c1b0 thread T21
    #0 0x555555a05f16 in Spawn::GetSpawnOrigHeading() ../WorldServer/Spawn.h:737
    #1 0x555555a05f16 in ZoneServer::CheckHeadingTimers() ../WorldServer/zoneserver.cpp:3617
    #2 0x555555a69ac6 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1460
    #3 0x555555a7c589 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6906
    #4 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #5 0x7ffff6f6c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x62800094c1b0 is located 176 bytes inside of 14984-byte region [0x62800094c100,0x62800094fb88)
freed by thread T22 here:
    #0 0x7ffff767c025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025)
    #1 0x5555563d91ad in NPC::~NPC() ../WorldServer/NPC.cpp:123
    #2 0x555555968a77 in ZoneServer::DeleteSpawns(bool) ../WorldServer/zoneserver.cpp:1245
    #3 0x555555a3d756 in ZoneServer::SpawnProcess() ../WorldServer/zoneserver.cpp:1634
    #4 0x555555a3dc1c in SpawnLoop(void*) ../WorldServer/zoneserver.cpp:6930
    #5 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T21 here:
    #0 0x7ffff767a947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x555555ac9e97 in ZoneServer::GetNewNPC(unsigned int) (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x575e97)
    #2 0x5555559b70a2 in ZoneServer::GetSpawn(unsigned int) ../WorldServer/zoneserver.cpp:7031
    #3 0x555555eec02c in EQ2Emu_lua_SummonPet(lua_State*) ../WorldServer/LuaFunctions.cpp:5068
    #4 0x55555695c5c4 in luaD_precall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x14085c4)
    #5 0x55555697f89c in luaV_execute (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x142b89c)
    #6 0x55555695c894 in ccall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x1408894)
    #7 0x55555695c911 in luaD_callnoyield (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x1408911)
    #8 0x55555698901f in f_call (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x143501f)
    #9 0x55555695b59d in luaD_rawrunprotected (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x140759d)
    #10 0x55555695d0a6 in luaD_pcall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x14090a6)
    #11 0x555556989102 in lua_pcallk (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x1435102)
    #12 0x555555c552df in LuaInterface::CallSpellProcess(LuaSpell*, unsigned char, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ../WorldServer/LuaInterface.cpp:616
    #13 0x5555563f54da in SpellProcess::ProcessSpell(LuaSpell*, bool, char const*, SpellScriptTimer*, bool) ../WorldServer/SpellProcess.cpp:495
    #14 0x555556406786 in SpellProcess::CastProcessedSpell(LuaSpell*, bool, bool) ../WorldServer/SpellProcess.cpp:1618
    #15 0x55555640ab40 in SpellProcess::CastInstant(Spell*, Entity*, Entity*, bool, bool) ../WorldServer/SpellProcess.cpp:591
    #16 0x55555656c804 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:3533
    #17 0x555555fce18f in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1817
    #18 0x555555fe44d8 in Client::Process(bool) ../WorldServer/client.cpp:2997
    #19 0x555555a568d5 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3196
    #20 0x555555a69123 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1400
    #21 0x555555a7c589 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6906
    #22 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

Thread T21 created by T0 here:
    #0 0x7ffff75a5805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x555555a27560 in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x5555558773d0 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595
    #3 0x555555f114c6 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3356
    #4 0x55555627e1b5 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784
    #5 0x555555fbdc59 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9801
    #6 0x555555fc315c in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1062
    #7 0x555555fe44d8 in Client::Process(bool) ../WorldServer/client.cpp:2997
    #8 0x555555fe72cb in ClientList::Process() ../WorldServer/client.cpp:3288
    #9 0x5555563bd856 in main ../WorldServer/net.cpp:458
    #10 0x7ffff6e710b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Thread T22 created by T0 here:
    #0 0x7ffff75a5805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x555555a275a0 in ZoneServer::Init() ../WorldServer/zoneserver.cpp:310
    #2 0x5555558773d0 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595
    #3 0x555555f114c6 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3356
    #4 0x55555627e1b5 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784
    #5 0x555555fbdc59 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9801
    #6 0x555555fc315c in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1062
    #7 0x555555fe44d8 in Client::Process(bool) ../WorldServer/client.cpp:2997
    #8 0x555555fe72cb in ClientList::Process() ../WorldServer/client.cpp:3288
    #9 0x5555563bd856 in main ../WorldServer/net.cpp:458
    #10 0x7ffff6e710b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/Spawn.h:737 in Spawn::GetSpawnOrigHeading()
Shadow bytes around the buggy address:
  0x0c50801217e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c50801217f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5080121800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5080121810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5080121820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5080121830: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c5080121840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080121850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080121860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080121870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080121880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==31249==ABORTING
``` ==31249==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800094c1b0 at pc 0x555555a05f17 bp 0x7fffec696fc0 sp 0x7fffec696fb0 READ of size 4 at 0x62800094c1b0 thread T21 #0 0x555555a05f16 in Spawn::GetSpawnOrigHeading() ../WorldServer/Spawn.h:737 #1 0x555555a05f16 in ZoneServer::CheckHeadingTimers() ../WorldServer/zoneserver.cpp:3617 #2 0x555555a69ac6 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1460 #3 0x555555a7c589 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6906 #4 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #5 0x7ffff6f6c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) 0x62800094c1b0 is located 176 bytes inside of 14984-byte region [0x62800094c100,0x62800094fb88) freed by thread T22 here: #0 0x7ffff767c025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025) #1 0x5555563d91ad in NPC::~NPC() ../WorldServer/NPC.cpp:123 #2 0x555555968a77 in ZoneServer::DeleteSpawns(bool) ../WorldServer/zoneserver.cpp:1245 #3 0x555555a3d756 in ZoneServer::SpawnProcess() ../WorldServer/zoneserver.cpp:1634 #4 0x555555a3dc1c in SpawnLoop(void*) ../WorldServer/zoneserver.cpp:6930 #5 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 previously allocated by thread T21 here: #0 0x7ffff767a947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947) #1 0x555555ac9e97 in ZoneServer::GetNewNPC(unsigned int) (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x575e97) #2 0x5555559b70a2 in ZoneServer::GetSpawn(unsigned int) ../WorldServer/zoneserver.cpp:7031 #3 0x555555eec02c in EQ2Emu_lua_SummonPet(lua_State*) ../WorldServer/LuaFunctions.cpp:5068 #4 0x55555695c5c4 in luaD_precall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x14085c4) #5 0x55555697f89c in luaV_execute (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x142b89c) #6 0x55555695c894 in ccall 
(/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x1408894) #7 0x55555695c911 in luaD_callnoyield (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x1408911) #8 0x55555698901f in f_call (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x143501f) #9 0x55555695b59d in luaD_rawrunprotected (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x140759d) #10 0x55555695d0a6 in luaD_pcall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x14090a6) #11 0x555556989102 in lua_pcallk (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x1435102) #12 0x555555c552df in LuaInterface::CallSpellProcess(LuaSpell*, unsigned char, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ../WorldServer/LuaInterface.cpp:616 #13 0x5555563f54da in SpellProcess::ProcessSpell(LuaSpell*, bool, char const*, SpellScriptTimer*, bool) ../WorldServer/SpellProcess.cpp:495 #14 0x555556406786 in SpellProcess::CastProcessedSpell(LuaSpell*, bool, bool) ../WorldServer/SpellProcess.cpp:1618 #15 0x55555640ab40 in SpellProcess::CastInstant(Spell*, Entity*, Entity*, bool, bool) ../WorldServer/SpellProcess.cpp:591 #16 0x55555656c804 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:3533 #17 0x555555fce18f in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1817 #18 0x555555fe44d8 in Client::Process(bool) ../WorldServer/client.cpp:2997 #19 0x555555a568d5 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3196 #20 0x555555a69123 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1400 #21 0x555555a7c589 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6906 #22 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 Thread T21 created by T0 here: #0 0x7ffff75a5805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x555555a27560 in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308 #2 0x5555558773d0 in 
ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595 #3 0x555555f114c6 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3356 #4 0x55555627e1b5 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784 #5 0x555555fbdc59 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9801 #6 0x555555fc315c in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1062 #7 0x555555fe44d8 in Client::Process(bool) ../WorldServer/client.cpp:2997 #8 0x555555fe72cb in ClientList::Process() ../WorldServer/client.cpp:3288 #9 0x5555563bd856 in main ../WorldServer/net.cpp:458 #10 0x7ffff6e710b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) Thread T22 created by T0 here: #0 0x7ffff75a5805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x555555a275a0 in ZoneServer::Init() ../WorldServer/zoneserver.cpp:310 #2 0x5555558773d0 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595 #3 0x555555f114c6 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3356 #4 0x55555627e1b5 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784 #5 0x555555fbdc59 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9801 #6 0x555555fc315c in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1062 #7 0x555555fe44d8 in Client::Process(bool) ../WorldServer/client.cpp:2997 #8 0x555555fe72cb in ClientList::Process() ../WorldServer/client.cpp:3288 #9 0x5555563bd856 in main ../WorldServer/net.cpp:458 #10 0x7ffff6e710b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/Spawn.h:737 in Spawn::GetSpawnOrigHeading() Shadow bytes around the buggy address: 0x0c50801217e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c50801217f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
0x0c5080121800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5080121810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5080121820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c5080121830: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd 0x0c5080121840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5080121850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5080121860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5080121870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5080121880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==31249==ABORTING ```