-
Notifications
You must be signed in to change notification settings - Fork 114
Fix use after free in neighbors, spring_attachments and cell attack #397
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: development
Are you sure you want to change the base?
Changes from all commits
9ad3b4d
5fbcfc2
74e24c5
ca591c7
0780ef2
73acd59
6093eea
b7ccc39
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -1207,6 +1207,9 @@ void delete_cell( int index ) | |||||||||||||||
| // released internalized substrates (as of 1.5.x releases) | ||||||||||||||||
| pDeleteMe->release_internalized_substrates(); | ||||||||||||||||
|
|
||||||||||||||||
| // new Dec 2, 2025 | ||||||||||||||||
| pDeleteMe->remove_self_from_attackers(); | ||||||||||||||||
|
|
||||||||||||||||
| // performance goal: don't delete in the middle -- very expensive reallocation | ||||||||||||||||
| // alternative: copy last element to index position, then shrink vector by 1 at the end O(constant) | ||||||||||||||||
|
|
||||||||||||||||
|
|
@@ -3401,6 +3404,23 @@ void Cell::remove_self_from_all_neighbors( void ) | |||||||||||||||
| else | ||||||||||||||||
| { /* future error message */ } | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| // This is a bit of a ugly hack, we need to find the origin of that bug | ||||||||||||||||
vincent-noel marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| // This is a bit of a ugly hack, we need to find the origin of that bug | |
| // This is a bit of an ugly hack, we need to find the origin of that bug |
Copilot
AI
Dec 2, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Potential issue: This function iterates over all_cells while being called during cell deletion in delete_cell(). If multiple cells are being deleted concurrently, the size of all_cells may change during iteration, potentially causing out-of-bounds access or skipped cells. Consider caching the size before the loop: int n = all_cells->size(); and using for (int i=0; i < n; i++).
| for ( int i = 0; i < all_cells->size(); i++ ) | |
| { | |
| int n = all_cells->size(); | |
| for ( int i = 0; i < n; i++ ) |
Copilot
AI
Dec 3, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This loop iterates over all_cells without thread safety protections. If cell deletion can occur concurrently (e.g., from multiple threads), this could lead to iterator invalidation or accessing deallocated memory. Consider adding appropriate synchronization or documenting that delete_cell must be called from a single-threaded context.
vincent-noel marked this conversation as resolved.
Show resolved
Hide resolved
Copilot
AI
Dec 2, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Grammatical error: "a ugly hack" should be "an ugly hack" (use "an" before words starting with a vowel sound).
| // This is a bit of a ugly hack, we need to find the origin of that bug | |
| // This is a bit of an ugly hack, we need to find the origin of that bug |
Copilot
AI
Dec 3, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This loop iterates over all_cells without thread safety protections. If cell deletion can occur concurrently (e.g., from multiple threads), this could lead to iterator invalidation or accessing deallocated memory. Consider adding appropriate synchronization or documenting that delete_cell must be called from a single-threaded context.
Copilot
AI
Dec 2, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Potential issue: This function iterates over all_cells while being called during cell deletion in delete_cell(). If multiple cells are being deleted concurrently (e.g., in a parallel simulation step), the size of all_cells may change during iteration, potentially causing out-of-bounds access or skipped cells. Consider caching the size before the loop: int n = all_cells->size(); and using for (int j=0; j < n; j++).
| #pragma omp parallel for | |
| for (int j=0; j < all_cells->size(); j++) | |
| int n = all_cells->size(); | |
| #pragma omp parallel for | |
| for (int j=0; j < n; j++) |
Copilot
AI
Dec 2, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Race condition: The parallel loop reads pC->phenotype.cell_interactions.pAttackTarget on line 3489 and writes to it on line 3490 without synchronization. If multiple threads attempt to delete cells simultaneously, or if other operations modify pAttackTarget concurrently, this can lead to race conditions.
Consider either:
- Adding a critical section around the check and assignment (lines 3489-3490), or
- Removing the
#pragma omp parallel fordirective to ensure thread-safety.
| if (( pC != this) && pC->phenotype.cell_interactions.pAttackTarget == this) { | |
| pC->phenotype.cell_interactions.pAttackTarget = NULL; | |
| #pragma omp critical | |
| { | |
| if (( pC != this) && pC->phenotype.cell_interactions.pAttackTarget == this) { | |
| pC->phenotype.cell_interactions.pAttackTarget = NULL; | |
| } |
Copilot
AI
Dec 2, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This O(n) search through all cells on every deletion is a performance concern for large simulations. Consider maintaining a reverse index or list of cells that have this cell as their attack target, which would allow O(1) cleanup instead of requiring a full search through all cells.
Copilot
AI
Dec 3, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The loop iterates over all_cells without synchronization, and the #pragma omp parallel for creates concurrent writes to pAttackTarget. This can cause race conditions if cells are being deleted or modified concurrently. Consider removing the parallel directive or adding proper synchronization.
Copilot
AI
Dec 3, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This O(n) loop iterates through all cells to clean up attack targets, which can be expensive for large simulations with many cells. Consider using a reverse index (e.g., a set/list of attackers stored on each potential target cell) to make this operation O(k) where k is the number of attacking cells, which is typically much smaller than n.
Uh oh!
There was an error while loading. Please reload this page.