carla-simulator / carla

Open-source simulator for autonomous driving research.
http://carla.org
MIT License

Carla traffic manager triggers a null pointer reference #6358

Open blabla-my opened 1 year ago

blabla-my commented 1 year ago

version and platforms

CARLA version: 0.9.13
scenario_runner version: 0.9.13
OS: Ubuntu 18.04
Memory: 64GB
GPU: NVIDIA 3070 8G
CPU: 32 cores Intel
Python: 3.6.9

problems

Scenario runner encounters a segmentation fault. The scenario to run is self-defined. OpenDRIVE standalone mode is used to generate the simulation world.

As the dumped core shows, the segmentation fault is due to a null pointer reference. The last instruction executed is `mov (%rax),%rsi`, and `p $rax` shows %rax == 0, so a null pointer reference is triggered.

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  std::__shared_ptr<carla::traffic_manager::SimpleWaypoint, (__gnu_cxx::_Lock_policy)2>::get (this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/shared_ptr_base.h:1258
1258          { return _M_ptr; }
[Current thread is 1 (Thread 0x7f4949e21700 (LWP 382))]
(gdb) x/16gi $rip
=> 0x7f49b56b0d12 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1730>:    mov    (%rax),%rsi
   0x7f49b56b0d15 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1733>:    mov    %rbp,%rdi
   0x7f49b56b0d18 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1736>:    call   0x7f49b56ccce0 <_ZNK5carla15traffic_manager14SimpleWaypoint12GetTransformEv>
   0x7f49b56b0d1d <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1741>:    movss  0x50(%rsp),%xmm0
   0x7f49b56b0d23 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1747>:    movss  %xmm0,0x1c(%rsp)
   0x7f49b56b0d29 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1753>:    mov    0x78(%rsp),%rax
   0x7f49b56b0d2e <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1758>:    mov    -0x10(%rax),%rsi
   0x7f49b56b0d32 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1762>:    mov    %rbp,%rdi
   0x7f49b56b0d35 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1765>:    call   0x7f49b56ccce0 <_ZNK5carla15traffic_manager14SimpleWaypoint12GetTransformEv>
   0x7f49b56b0d3a <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1770>:    cvttss2si 0x50(%rsp),%eax
   0x7f49b56b0d40 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1776>:    cvttss2si 0x1c(%rsp),%ecx
   0x7f49b56b0d46 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1782>:    movswl %ax,%edx
   0x7f49b56b0d49 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1785>:    movswl %cx,%eax
   0x7f49b56b0d4c <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1788>:    sub    %eax,%edx
   0x7f49b56b0d4e <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1790>:    movslq %edx,%rax
   0x7f49b56b0d51 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1793>:    imul   $0xffffffffb60b60b7,%rax,%rax
(gdb) p $rax
$1 = 0
```

And I found the source code location of the assembly code above. This assembly code is inside InMemoryMap::SetUpRoadOption() and invokes traffic_manager::SimpleWaypoint::GetTransform(); I think it is near InMemoryMap.cpp:431.

```cpp
// Calculate the angle between the first and the last point of the junction.
int16_t current_angle = static_cast<int16_t>(traversed_waypoints.front()->GetTransform().rotation.yaw);
int16_t junction_end_angle = static_cast<int16_t>(traversed_waypoints.back()->GetTransform().rotation.yaw);
```

Steps to reproduce

  1. download the attached test.zip, unzip it.
  2. put test.xodr and test.xosc in the same directory.
  3. python3 scenario_runner.py --openscenario /path/to/test.xosc

In my experience, the segmentation fault does not reproduce reliably. You may need to run it several times to get the segmentation fault.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

blabla-my commented 1 year ago

The reason for the null-pointer dereference is that traversed_waypoints.size() == 0, resulting in traversed_waypoints.front() == null.

The root cause is the wrong definition of road networks in the input OpenDrive. If two junctions are connected then the traversed_waypoints will be empty.

So fixing the OpenDrive file or adding a check by inspecting traversed_waypoints.empty() will solve this segmentation fault. The former solution is recommended because there are other components that use the OpenDrive map content like autopilot.
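
Added example, not code from the issue or from CARLA: a stand-alone C++ version of the angle computation quoted in the report, with the traversed_waypoints.empty() check the reporter proposes and a guard against null entries. The trace fits the empty-vector case: front() on an empty std::vector returns a reference to whatever begin() points at, which is nullptr for a vector that never allocated, so the std::shared_ptr::get() inlined into SetUpRoadOption reads _M_ptr through a null this, which is the `mov (%rax),%rsi` with %rax == 0. The SimpleWaypoint and Transform stand-ins, the end-minus-start subtraction order and the (-180, 180] normalization are assumptions made so the example runs; they are not CARLA's definitions.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Minimal stand-ins for the CARLA types (assumption: only rotation.yaw matters here).
struct Rotation { float pitch = 0.0f; float yaw = 0.0f; float roll = 0.0f; };
struct Transform { Rotation rotation; };

class SimpleWaypoint {
 public:
  explicit SimpleWaypoint(float yaw_deg) { transform_.rotation.yaw = yaw_deg; }
  const Transform &GetTransform() const { return transform_; }
 private:
  Transform transform_;
};
using SimpleWaypointPtr = std::shared_ptr<SimpleWaypoint>;

struct TurnAngle {
  bool valid;       // false when the junction produced no usable waypoints
  int16_t degrees;  // end yaw minus start yaw, normalized to (-180, 180] (assumed convention)
};

// Same two casts as the snippet at InMemoryMap.cpp:431, but front()/back() are
// only touched after the container is known to be non-empty, so a malformed
// OpenDRIVE map (two junctions linked directly) yields an error instead of a SIGSEGV.
TurnAngle JunctionTurnAngle(const std::vector<SimpleWaypointPtr> &traversed_waypoints) {
  if (traversed_waypoints.empty()) {
    return {false, 0};
  }
  const SimpleWaypointPtr &first = traversed_waypoints.front();
  const SimpleWaypointPtr &last = traversed_waypoints.back();
  // A null element would crash inside GetTransform() just as surely as an empty vector.
  if (!first || !last) {
    return {false, 0};
  }
  int16_t current_angle = static_cast<int16_t>(first->GetTransform().rotation.yaw);
  int16_t junction_end_angle = static_cast<int16_t>(last->GetTransform().rotation.yaw);

  // Assumed normalization: signed difference folded into (-180, 180].
  int diff = static_cast<int>(junction_end_angle) - static_cast<int>(current_angle);
  while (diff > 180) diff -= 360;
  while (diff <= -180) diff += 360;
  return {true, static_cast<int16_t>(diff)};
}

int main() {
  // Constructed inputs: a normal junction and the empty case from the report.
  std::vector<SimpleWaypointPtr> junction = {
      std::make_shared<SimpleWaypoint>(10.0f), std::make_shared<SimpleWaypoint>(100.0f)};
  std::vector<SimpleWaypointPtr> empty_junction;

  TurnAngle ok = JunctionTurnAngle(junction);
  TurnAngle bad = JunctionTurnAngle(empty_junction);
  std::printf("junction: valid=%d degrees=%d\n", ok.valid, ok.degrees);
  std::printf("empty junction: valid=%d (would have been a null dereference)\n", bad.valid);
  return 0;
}
```

A caller that gets valid == false can log the offending junction and skip it, which turns a bad .xodr into a recoverable map-loading error rather than a crash of the traffic manager thread; that matters because the OpenDRIVE file is input the server parses without trusting its author.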

stale[bot] commented 11 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.