Running Slam-Toolbox within AddressSanitizer, I always faced such a UAF report during the shutdown period.
Expected behavior
No UAF occurs
Actual behavior
We could always face an ASAN report about a UAF bug as follows:
=================================================================
==90177==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000083858 at pc 0x72c4273e7e1e bp 0x72c4153e4dd0 sp 0x72c4153e4dc8
READ of size 8 at 0x606000083858 thread T20
#0 0x72c4273e7e1d in karto::SensorManager::GetSensorByName(karto::Name const&) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x1e7e1d) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#1 0x72c423204947 in karto::Mapper::Process(karto::LocalizedRangeScan*, karto::Matrix3*) (/home/***/slam_toolbox/install/slam_toolbox/lib/libkartoSlamToolbox.so+0x204947) (BuildId: 2dbb35367cda8afe894c24f7258cd868357940f7)
#2 0x72c4273cd78e in slam_toolbox::SlamToolbox::addScan(karto::LaserRangeFinder*, std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&, karto::Pose2&) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x1cd78e) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#3 0x72c4279110a8 in slam_toolbox::AsynchronousSlamToolbox::laserCallback(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const>) (/home/***/slam_toolbox/install/slam_toolbox/lib/libasync_slam_toolbox.so+0x510a8) (BuildId: dfd93fd6d8c439ddd8872d21ec131f9383d9e085)
#4 0x72c4275b5356 in void std::__invoke_impl<void, void (slam_toolbox::SlamToolbox::*&)(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const>), slam_toolbox::SlamToolbox*&, std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&>(std::__invoke_memfun_deref, void (slam_toolbox::SlamToolbox::*&)(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const>), slam_toolbox::SlamToolbox*&, std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x3b5356) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#5 0x72c4275b4b38 in message_filters::CallbackHelper1T<std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&, sensor_msgs::msg::LaserScan_<std::allocator<void> > >::call(message_filters::MessageEvent<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&, bool) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x3b4b38) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#6 0x72c4275ad065 in tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer>::transformReadyCallback(tf2_ros::TransformStampedFuture const&, unsigned long) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x3ad065) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#7 0x72c427816e8d (/opt/ros/humble/lib/libtf2_ros.so+0x4fe8d) (BuildId: dceacb25e05c8a82678784802b23fb16ba98d172)
#8 0x72c42597d65e in tf2::BufferCore::testTransformableRequests() (/opt/ros/humble/lib/libtf2.so+0x1065e) (BuildId: 5677f8e557cfe0980662adcc0a17f03987f8b7f1)
#9 0x72c4259803fa in tf2::BufferCore::setTransformImpl(tf2::Transform const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::chrono::time_point<std::chrono::_V2::system_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (/opt/ros/humble/lib/libtf2.so+0x133fa) (BuildId: 5677f8e557cfe0980662adcc0a17f03987f8b7f1)
#10 0x72c425980b29 in tf2::BufferCore::setTransform(geometry_msgs::msg::TransformStamped_<std::allocator<void> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (/opt/ros/humble/lib/libtf2.so+0x13b29) (BuildId: 5677f8e557cfe0980662adcc0a17f03987f8b7f1)
#11 0x72c42781fbb0 in tf2_ros::TransformListener::subscription_callback(std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>, bool) (/opt/ros/humble/lib/libtf2_ros.so+0x58bb0) (BuildId: dceacb25e05c8a82678784802b23fb16ba98d172)
#12 0x72c426f9e7e9 in std::_Function_handler<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>), std::_Bind<void (tf2_ros::TransformListener::* (tf2_ros::TransformListener*, std::_Placeholder<1>, bool))(std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>, bool)> >::_M_invoke(std::_Any_data const&, std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>&&) (/opt/ros/humble/lib/librviz_default_plugins.so+0x79e7e9) (BuildId: b9e8c9e8368837fa41d968409b5b6b05e426765a)
#13 0x72c426fa95b1 in std::__detail::__variant::__gen_vtable_impl<std::__detail::__variant::_Multi_array<std::__detail::__variant::__deduce_visit_result<void> (*)(rclcpp::AnySubscriptionCallback<tf2_msgs::msg::TFMessage_<std::allocator<void> >, std::allocator<void> >::dispatch(std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > >, rclcpp::MessageInfo const&)::'lambda'(auto&&)&&, std::variant<std::function<void (tf2_msgs::msg::TFMessage_<std::allocator<void> > const&)>, std::function<void (tf2_msgs::msg::TFMessage_<std::allocator<void> > const&, rclcpp::MessageInfo const&)>, std::function<void (rclcpp::SerializedMessage const&)>, std::function<void (rclcpp::SerializedMessage const&, rclcpp::MessageInfo const&)>, std::function<void (std::unique_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> >, std::default_delete<tf2_msgs::msg::TFMessage_<std::allocator<void> > > >)>, std::function<void (std::unique_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> >, std::default_delete<tf2_msgs::msg::TFMessage_<std::allocator<void> > > >, rclcpp::MessageInfo const&)>, std::function<void (std::unique_ptr<rclcpp::SerializedMessage, std::default_delete<rclcpp::SerializedMessage> >)>, std::function<void (std::unique_ptr<rclcpp::SerializedMessage, std::default_delete<rclcpp::SerializedMessage> >, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage const>)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage const>, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const> const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const> const&, rclcpp::MessageInfo const&)>, std::function<void 
(std::shared_ptr<rclcpp::SerializedMessage const> const&)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage const> const&, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > >)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > >, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage>)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage>, rclcpp::MessageInfo const&)> >&)>, std::integer_sequence<unsigned long, 8ul> >::__visit_invoke(rclcpp::AnySubscriptionCallback<tf2_msgs::msg::TFMessage_<std::allocator<void> >, std::allocator<void> >::dispatch(std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > >, rclcpp::MessageInfo const&)::'lambda'(auto&&)&&, std::variant<std::function<void (tf2_msgs::msg::TFMessage_<std::allocator<void> > const&)>, std::function<void (tf2_msgs::msg::TFMessage_<std::allocator<void> > const&, rclcpp::MessageInfo const&)>, std::function<void (rclcpp::SerializedMessage const&)>, std::function<void (rclcpp::SerializedMessage const&, rclcpp::MessageInfo const&)>, std::function<void (std::unique_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> >, std::default_delete<tf2_msgs::msg::TFMessage_<std::allocator<void> > > >)>, std::function<void (std::unique_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> >, std::default_delete<tf2_msgs::msg::TFMessage_<std::allocator<void> > > >, rclcpp::MessageInfo const&)>, std::function<void (std::unique_ptr<rclcpp::SerializedMessage, std::default_delete<rclcpp::SerializedMessage> >)>, std::function<void (std::unique_ptr<rclcpp::SerializedMessage, std::default_delete<rclcpp::SerializedMessage> >, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const>, rclcpp::MessageInfo const&)>, 
std::function<void (std::shared_ptr<rclcpp::SerializedMessage const>)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage const>, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const> const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > const> const&, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage const> const&)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage const> const&, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > >)>, std::function<void (std::shared_ptr<tf2_msgs::msg::TFMessage_<std::allocator<void> > >, rclcpp::MessageInfo const&)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage>)>, std::function<void (std::shared_ptr<rclcpp::SerializedMessage>, rclcpp::MessageInfo const&)> >&) (/opt/ros/humble/lib/librviz_default_plugins.so+0x7a95b1) (BuildId: b9e8c9e8368837fa41d968409b5b6b05e426765a)
#14 0x72c426faa282 (/opt/ros/humble/lib/librviz_default_plugins.so+0x7aa282) (BuildId: b9e8c9e8368837fa41d968409b5b6b05e426765a)
#15 0x72c422ef07bb in rclcpp::Executor::execute_subscription(std::shared_ptr<rclcpp::SubscriptionBase>) (/opt/ros/humble/lib/librclcpp.so+0xe77bb) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
#16 0x72c422ef0fbe in rclcpp::Executor::execute_any_executable(rclcpp::AnyExecutable&) (/opt/ros/humble/lib/librclcpp.so+0xe7fbe) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
#17 0x72c422ef88af in rclcpp::executors::SingleThreadedExecutor::spin() (/opt/ros/humble/lib/librclcpp.so+0xef8af) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
#18 0x72c4224dc252 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
#19 0x72c422094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
#20 0x72c42212684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x606000083858 is located 24 bytes inside of 56-byte region [0x606000083840,0x606000083878)
freed by thread T0 here:
#0 0x556b876f39cd in operator delete(void*) (/home/***/slam_toolbox/install/slam_toolbox/lib/slam_toolbox/async_slam_toolbox_node+0x1229cd) (BuildId: 924645fe03080352703e9ddaaf3b488138509ed0)
#1 0x72c422045494 in __run_exit_handlers stdlib/./stdlib/exit.c:113:8
previously allocated by thread T20 here:
#0 0x556b876f316d in operator new(unsigned long) (/home/***/slam_toolbox/install/slam_toolbox/lib/slam_toolbox/async_slam_toolbox_node+0x12216d) (BuildId: 924645fe03080352703e9ddaaf3b488138509ed0)
#1 0x72c42317a5d7 in karto::SensorManager::GetInstance() (/home/***/slam_toolbox/install/slam_toolbox/lib/libkartoSlamToolbox.so+0x17a5d7) (BuildId: 2dbb35367cda8afe894c24f7258cd868357940f7)
#2 0x72c4273c49f0 in slam_toolbox::SlamToolbox::getLaser(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x1c49f0) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#3 0x72c427911051 in slam_toolbox::AsynchronousSlamToolbox::laserCallback(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const>) (/home/***/slam_toolbox/install/slam_toolbox/lib/libasync_slam_toolbox.so+0x51051) (BuildId: dfd93fd6d8c439ddd8872d21ec131f9383d9e085)
#4 0x72c4275b5356 in void std::__invoke_impl<void, void (slam_toolbox::SlamToolbox::*&)(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const>), slam_toolbox::SlamToolbox*&, std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&>(std::__invoke_memfun_deref, void (slam_toolbox::SlamToolbox::*&)(std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const>), slam_toolbox::SlamToolbox*&, std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x3b5356) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#5 0x72c4275b4b38 in message_filters::CallbackHelper1T<std::shared_ptr<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&, sensor_msgs::msg::LaserScan_<std::allocator<void> > >::call(message_filters::MessageEvent<sensor_msgs::msg::LaserScan_<std::allocator<void> > const> const&, bool) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x3b4b38) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#6 0x72c4275ad065 in tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer>::transformReadyCallback(tf2_ros::TransformStampedFuture const&, unsigned long) (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x3ad065) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#7 0x72c427816e8d (/opt/ros/humble/lib/libtf2_ros.so+0x4fe8d) (BuildId: dceacb25e05c8a82678784802b23fb16ba98d172)
#8 0x72c4153e991f (<unknown module>)
Thread T20 created by T0 here:
#0 0x556b876a181c in __interceptor_pthread_create (/home/***/slam_toolbox/install/slam_toolbox/lib/slam_toolbox/async_slam_toolbox_node+0xd081c) (BuildId: 924645fe03080352703e9ddaaf3b488138509ed0)
#1 0x72c4224dc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
#2 0x72c4273a8700 in slam_toolbox::SlamToolbox::setROSInterfaces() (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x1a8700) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#3 0x72c42739e0cc in slam_toolbox::SlamToolbox::configure() (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x19e0cc) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce)
#4 0x556b876f679c in main (/home/***/slam_toolbox/install/slam_toolbox/lib/slam_toolbox/async_slam_toolbox_node+0x12579c) (BuildId: 924645fe03080352703e9ddaaf3b488138509ed0)
#5 0x72c422029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free (/home/***/slam_toolbox/install/slam_toolbox/lib/libtoolbox_common.so+0x1e7e1d) (BuildId: e9b06ded44457cd29634e461aae28bcce716a4ce) in karto::SensorManager::GetSensorByName(karto::Name const&)
Shadow bytes around the buggy address:
0x0c0c800086b0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c800086c0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c800086d0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c800086e0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c800086f0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c80008700: fd fd fd fd fa fa fa fa fd fd fd[fd]fd fd fd fa
0x0c0c80008710: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c80008720: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c80008730: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c80008740: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c80008750: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==90177==ABORTING
Additional information
This bug should be caused by the following:
During the shutdown period, the executor (which the function ``) is not stopped before the destruction of the slam-toolbox node.
So I think this issue could be an additional ticket for #696.
Required Info:
Steps to reproduce issue
I use slam-toolbox (async) with the following command:
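The shutdown ordering behind this report, as an added example in plain C++ (not slam_toolbox or karto code): a hypothetical SensorRegistry stands in for the karto::SensorManager singleton that the trace shows being deleted from an exit handler on T0, SpinThread stands in for the executor thread created in setROSInterfaces() that is still calling GetSensorByName on T20, and OrderedShutdown() joins that thread before the singleton is released. All class and function names here are assumed.

```cpp
#include <atomic>
#include <map>
#include <string>
#include <thread>
// Stand-in for karto::SensorManager (hypothetical): heap-allocated singleton
// whose delete is deferred, as in the "freed by thread T0" part of the report.
class SensorRegistry {
 public:
  static SensorRegistry* GetInstance() {
    if (!instance_) instance_ = new SensorRegistry();
    return instance_;
  }
  static void ReleaseInstance() { delete instance_; instance_ = nullptr; }
  void Register(const std::string& name, int id) { sensors_[name] = id; }
  int GetSensorByName(const std::string& name) const {
    auto it = sensors_.find(name);
    return it == sensors_.end() ? -1 : it->second;
  }
 private:
  static SensorRegistry* instance_;
  std::map<std::string, int> sensors_;
};
SensorRegistry* SensorRegistry::instance_ = nullptr;
// Stand-in for the executor thread started in setROSInterfaces() (hypothetical):
// spins until told to stop and dereferences the singleton on every pass.
class SpinThread {
 public:
  void Start() {
    running_ = true;
    thread_ = std::thread([this] {
      while (running_) {
        if (SensorRegistry::GetInstance()->GetSensorByName("laser") >= 0) ++lookups_;
        std::this_thread::yield();
      }
    });
  }
  void StopAndJoin() { running_ = false; if (thread_.joinable()) thread_.join(); }
  long Lookups() const { return lookups_; }
 private:
  std::atomic<bool> running_{false};
  std::atomic<long> lookups_{0};
  std::thread thread_;
};
// Teardown in the order the report calls for: stop and join the spinning thread
// before the object it dereferences is released (swapping the last two calls
// is the heap-use-after-free in the trace: delete while T20 still spins).
long OrderedShutdown() {
  SensorRegistry::GetInstance()->Register("laser", 7);
  SpinThread spinner;
  spinner.Start();
  while (spinner.Lookups() < 10) std::this_thread::yield();  // let it run a bit
  spinner.StopAndJoin();              // no thread can reach the registry now
  SensorRegistry::ReleaseInstance();  // safe only after the join above
  return spinner.Lookups();
}
```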