[Bugfix] bad-free in GridData::computeFOV / ~GridData via ColorLayer.draw_fov (ASan) #321

New issue

Open

opened 2026-06-21 20:41:23 +00:00 by john · 0 comments

john commented 2026-06-21 20:41:23 +00:00

Owner

Copy link

Summary

AddressSanitizer reports a bad-free / mismatched-ownership double-free in the FOV map managed by GridData. The FOV map is allocated with malloc and freed with free inside GridData::computeFOV, but GridData::~GridData later calls operator delete on a pointer that was already freed (or a TCOD-owned pointer), corrupting the heap.

Found by the #312 fuzz campaign (fuzz_fov target, new ColorLayer.draw_fov Tier C op). Severity: HIGH (memory corruption, not just UB).

ASan output (abridged)

==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: ... in thread T0
    #0 operator delete(void*)
    #7 GridData::~GridData()                         src/GridData.cpp:59
    #8 UIGrid::~UIGrid()                             src/UIGrid.cpp:447
    #12 UIGridView::~UIGridView()                    src/UIGridView.cpp:32
    #17 mcrfpydef::PyUIGridViewType::lambda(_object*) src/UIGridView.h:153

freed by thread T0 here:
    #0 free
    #4 GridData::computeFOV(...)                     src/GridData.cpp:155
    #5 ColorLayer::drawFOV(...)                      src/GridLayers.cpp:316
    #6 PyGridLayerAPI::ColorLayer_draw_fov(...)      src/GridLayers.cpp:1272

previously allocated by thread T0 here:
    #0 malloc
    #4 GridData::computeFOV(...)                     src/GridData.cpp:155
    #5 ColorLayer::drawFOV(...)                      src/GridLayers.cpp:316
    #6 PyGridLayerAPI::ColorLayer_draw_fov(...)      src/GridLayers.cpp:1272

SUMMARY: AddressSanitizer: bad-free in operator delete(void*)

Analysis

GridData::computeFOV (src/GridData.cpp:155) both allocates and frees a buffer (TCOD FOV map) with C malloc/free. The same/related pointer is then operator delete-d in GridData::~GridData (src/GridData.cpp:59). Either the destructor double-frees a pointer computeFOV already released, or it deletes memory that was malloc-ed (mismatched allocator). The draw_fov path makes the lifetime issue observable.

Repro

This one is iteration-state-dependent — single-input replay does not reliably trigger it; re-run the campaign:

make fuzz-build      # requires symbol-complete __lib_debug/libtcod.so (see #312 notes)
make fuzz-long TARGET=fov SECONDS=60

Minimized crashing input (base64), for reference:

Qyfn5+fn52fn5+f7//////z/s7M=

Suggested labels

Bugfix, system:grid, priority:tier1-active (apply via web — MCP label bug)

Related: #312 (fuzz coverage that found this), #283.

## Summary AddressSanitizer reports a **bad-free / mismatched-ownership double-free** in the FOV map managed by `GridData`. The FOV map is allocated with `malloc` and freed with `free` inside `GridData::computeFOV`, but `GridData::~GridData` later calls `operator delete` on a pointer that was already freed (or a TCOD-owned pointer), corrupting the heap. Found by the #312 fuzz campaign (`fuzz_fov` target, new `ColorLayer.draw_fov` Tier C op). Severity: **HIGH** (memory corruption, not just UB). ## ASan output (abridged) ``` ==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: ... in thread T0 #0 operator delete(void*) #7 GridData::~GridData() src/GridData.cpp:59 #8 UIGrid::~UIGrid() src/UIGrid.cpp:447 #12 UIGridView::~UIGridView() src/UIGridView.cpp:32 #17 mcrfpydef::PyUIGridViewType::lambda(_object*) src/UIGridView.h:153 freed by thread T0 here: #0 free #4 GridData::computeFOV(...) src/GridData.cpp:155 #5 ColorLayer::drawFOV(...) src/GridLayers.cpp:316 #6 PyGridLayerAPI::ColorLayer_draw_fov(...) src/GridLayers.cpp:1272 previously allocated by thread T0 here: #0 malloc #4 GridData::computeFOV(...) src/GridData.cpp:155 #5 ColorLayer::drawFOV(...) src/GridLayers.cpp:316 #6 PyGridLayerAPI::ColorLayer_draw_fov(...) src/GridLayers.cpp:1272 SUMMARY: AddressSanitizer: bad-free in operator delete(void*) ``` ## Analysis `GridData::computeFOV` (src/GridData.cpp:155) both allocates and frees a buffer (TCOD FOV map) with C `malloc`/`free`. The same/related pointer is then `operator delete`-d in `GridData::~GridData` (src/GridData.cpp:59). Either the destructor double-frees a pointer `computeFOV` already released, or it `delete`s memory that was `malloc`-ed (mismatched allocator). The `draw_fov` path makes the lifetime issue observable. ## Repro This one is **iteration-state-dependent** — single-input replay does not reliably trigger it; re-run the campaign: ```sh make fuzz-build # requires symbol-complete __lib_debug/libtcod.so (see #312 notes) make fuzz-long TARGET=fov SECONDS=60 ``` Minimized crashing input (base64), for reference: ``` Qyfn5+fn52fn5+f7//////z/s7M= ``` ## Suggested labels `Bugfix`, `system:grid`, `priority:tier1-active` (apply via web — MCP label bug) Related: #312 (fuzz coverage that found this), #283.

john referenced this issue from a commit 2026-06-21 20:45:17 +00:00

Fold Tier C surface into existing fuzz targets; closes #312

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

feature/issues-317-319-verify-bugs

feature/issue-316-sparse-perspective

feature/issue-314-doc-followthrough

feature/api-freeze-313-314

threedee

emscripten-mcrogueface

rogueliketutorial25

alpha_presentable

alpha_streamline_2

alpha_streamline_1

interpreter_mode

grid_entity_integration

reprs_and_member_names

break_up_ui_h

standardize_font_handling

standardize_vector_handling

standardize_color_handling

standardize_texture_handling

raii_pyobjects

rebase-for-7DRL_Feb-2024

engjam_uicollection

engjam_ui_overhaul

0.2.3-prerelease-7drl2026-emscripten

Labels

Clear labels   

Alpha Release Requirement

This issue is a blocker to 0.1 Alpha release of McRogueFace.

  

Bugfix

  

Demo Target

Functionality to demonstrate; Depends on new features, but this issue isn't for writing them.

  

Documentation

  

Major Feature

Significant time and effort required.

  

Minor Feature

Some effort required to create or overhaul functionality.

  

priority:tier1-active

Current development focus - critical path to v1.0

  

priority:tier2-foundation

Important foundation work - not blocking v1.0

  

priority:tier3-future

Future features - deferred until after v1.0

  

priority:tier4-deferred

  

Refactoring & Cleanup

no new functionality, just improving the codebase.

  

system:animation

Animation and property interpolation

  

system:documentation

Documentation infrastructure

  

system:grid

Grid system and spatial containers

  

system:input

Input handling and events

  

system:performance

Performance optimization and profiling

  

system:procgen

Procedural Generation (Noise, BSP, Heightmap)

  

system:python-binding

Python/C++ binding layer

  

system:rendering

Rendering pipeline and visuals

  

system:ui-hierarchy

UI component hierarchy and composition

  

Tiny Feature

quick and easy - a few lines or with little interconnection around the codebase

  

workflow:blocked

Blocked by other work - waiting on dependencies

  

workflow:needs-benchmark

Needs performance testing and benchmarks

  

workflow:needs-documentation

Needs documentation before or after implementation

No labels

Alpha Release Requirement

Bugfix

Demo Target

Documentation

Major Feature

Minor Feature

priority:tier1-active

priority:tier2-foundation

priority:tier3-future

priority:tier4-deferred

Refactoring & Cleanup

system:animation

system:documentation

system:grid

system:input

system:performance

system:procgen

system:python-binding

system:rendering

system:ui-hierarchy

Tiny Feature

workflow:blocked

workflow:needs-benchmark

workflow:needs-documentation

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

john/McRogueFace#321

No description provided.