playgameservices / android-basic-samples

Google Play game services - Android samples
Apache License 2.0

GameServices::Builder::Create() does an invalid free() operation. #295

Open stolk opened 4 years ago

stolk commented 4 years ago

I am using the clang Address Sanitizer on my NDK-based Android app.

My Android app uses: gpg-cpp-sdk_3.0.1

The address sanitizer caught a bug in GameServices::Builder::Create() where it frees an address that was never malloc()-ed.

Please double-check the implementation of Create() for free() operations that are not correct.

It triggers in my app the very first time I call Create().

    2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy V/GamesNativeSDK: Using classes from /data/user/0/com.steenriver.buggy/app_.gpg.classloader/f4e1c1b7d8b3c0b3cf00b4afea4884b6_games.jar.
    2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: =================================================================
    2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: ==10934==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xe2f9af80 in thread T1
    2019-09-17 11:27:45.089 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #0 0xcce622c3  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
    2019-09-17 11:27:45.089 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #1 0xcc4df277  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x252277)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #2 0xcc48b1f0  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1fe1f0)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #3 0xcc48ba27  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1fea27)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #4 0xcc484b28  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1f7b28)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #5 0xcc4c5946  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x238946)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #6 0xcc4222d5  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1952d5)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #7 0xcc417735  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x18a735)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #8 0xcc5ca4f5  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x33d4f5)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #9 0xcce6d7b2  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xde7b2)
    2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #10 0xcce50be7  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xc1be7)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #11 0xe9690065  (/system/lib/libc.so+0x8f065)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #12 0xe962585b  (/system/lib/libc.so+0x2485b)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: Address 0xe2f9af80 is a wild pointer.
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: SUMMARY: AddressSanitizer: bad-free (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: Thread T1 created by T0 here:
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #0 0xcce50a89  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xc1a89)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #1 0xcc5c9d55  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x33cd55)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #2 0xcc5c937d  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x33c37d)
    2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #3 0xe91756d2  (/system/lib/libandroid_runtime.so+0x826d2)
    2019-09-17 11:27:45.092 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #4 0x72b5794f  (/system/framework/x86/boot-framework.oat+0x3e794f)
    2019-09-17 11:27:45.099 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #5 0x711d19c7  (/data/dalvik-cache/x86/system@framework@boot-framework.art+0x70c9c7)
    2019-09-17 11:27:45.100 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: ==10934==ABORTING

My app's code:

    // Players().FetchSelf() response
    auto pcallback = [&]( gpg::PlayerManager::FetchSelfResponse const& response )
    {
        if ( gpg::IsSuccess( response.status ) )
        {
            self_id_ = response.data.Id();
            const std::string& url = response.data.AvatarUrl( gpg::ImageResolution::ICON );
            LOGI( "Our self id = %s", self_id_.c_str() );
            LOGI( "Our url = %s", url.c_str() );
            DownloadAvatar( url, 4 );
        }
    };
    // AuthActionStarted callback
    auto scallback = [started_callback]( gpg::AuthOperation op )
    {
        is_auth_in_progress_ = true;
        if ( started_callback != nullptr ) started_callback( op );
    };
    // AuthActionFinished callback
    auto fcallback = [finished_callback, pcallback]( gpg::AuthOperation op, gpg::AuthStatus status )
    {
        LOGI("Sign in finished with a result %s", gpg::DebugString( status ).c_str() );
        is_auth_in_progress_ = false;
        if ( finished_callback != nullptr ) finished_callback( op, status );
        if ( status == gpg::AuthStatus::VALID )
        {
            ASSERT( game_services_ );
            game_services_->Players().FetchSelf( pcallback );   // find out what our own Id is.
            FetchAchievements();
            FetchLeaderboards();
        }
    };

    if (!game_services_)
    {
        LOGI("Uninitialized services, so creating");
        game_services_ = gpg::GameServices::Builder()
            .SetDefaultOnLog( gpg::LogLevel::VERBOSE )
            .SetOnAuthActionStarted( scallback )
            .SetOnAuthActionFinished( fcallback )
            .SetOnMultiplayerInvitationEvent( invitationcallback )
            .Create(pc);
        if ( !game_services_ )
        {
            LOGE( "gpg::GameServices::Builder() returned nil." );
        }
    }
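A triage helper for reports like the one above, added here as an example and not code from this issue or the SDK: it strips the logcat prefix that wraps every ASan line, keeps only the faulting stack, and turns the frames inside the app's own library into the module-relative offsets that the NDK's llvm-symbolizer needs (the unstripped `.so` path passed to it is an assumption). The sample input is copied from the report in the post, trimmed to the primary stack.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: lines copied from the logcat ASan report in the issue above (primary stack only).
SAMPLE_LOG = """\
2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: ==10934==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xe2f9af80 in thread T1
2019-09-17 11:27:45.089 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #0 0xcce622c3  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
2019-09-17 11:27:45.089 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #1 0xcc4df277  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x252277)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #2 0xcc48b1f0  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1fe1f0)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: Address 0xe2f9af80 is a wild pointer.
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: SUMMARY: AddressSanitizer: bad-free (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
"""
LOGCAT_PREFIX = re.compile(r"^\S+ \S+ +\d+-\d+/\S+ [VDIWEF]/\S+: ?")  # "<date> <time> <pid>-<tid>/<pkg> <lvl>/<tag>: "
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (.+?): (0x[0-9a-f]+) in thread (T\d+)")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+\s+\((\S+?)\+0x([0-9a-f]+)\)")  # "#N <pc> (<object>+<offset>)"
SUMMARY_RE = re.compile(r"SUMMARY: AddressSanitizer: (\S+)")

@dataclass
class AsanReport:
    kind: str                  # e.g. "attempting free on address which was not malloc()-ed"
    address: int
    thread: str
    wild_pointer: bool = False
    summary: str = ""          # e.g. "bad-free"
    frames: list = field(default_factory=list)  # (object basename, offset) for the faulting stack only

def parse_asan(log):
    # Strip the logcat prefix from every line, then rebuild the report from the ASan text that remains.
    report, in_stack = None, False
    for raw in log.splitlines():
        line = LOGCAT_PREFIX.sub("", raw).strip()
        if m := ERROR_RE.search(line):
            report, in_stack = AsanReport(m[1], int(m[2], 16), m[3]), True
        elif report is None:
            continue
        elif (m := FRAME_RE.search(line)) and in_stack:
            report.frames.append((m[1].rsplit("/", 1)[-1], int(m[2], 16)))
        else:
            in_stack = False  # first non-frame line ends the primary stack; "Thread T1 created by" frames are skipped
            report.wild_pointer |= "is a wild pointer" in line
            if m := SUMMARY_RE.search(line):
                report.summary = m[1]
    return report

def app_offsets(report, module):
    # Module-relative offsets are what a symbolizer needs; the runtime pc values change with ASLR.
    return [hex(off) for mod, off in report.frames if mod == module]
def symbolizer_cmd(report, module, unstripped_path):
    # argv for the NDK's llvm-symbolizer against the unstripped build of our .so (the path is an assumption).
    return ["llvm-symbolizer", f"--obj={unstripped_path}", *app_offsets(report, module)]
```

For the report above this yields offsets `0x252277` and `0x1fe1f0` in libbuggy.so, which resolve to the app-side call chain into `Create()`; the frames inside the closed SDK and the ASan runtime cannot be symbolized without their unstripped binaries.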

stolk commented 3 years ago

Happens in latest gpg sdk 3.1 as well. Can I please have an update?