Carla traffic manager triggers a null pointer reference

[blabla-my]

version and platforms

CARLA version: 0.9.13
scenario_runner version: 0.9.13
OS: ubuntu 18.04
Memory: 64GB
GPU: NVIDIA 3070 8G
CPU: 32 cores Intel
python 3.6.9

problems

Scnenario runner encounters a segmentation fault. The scenario to run is self-defined. Opendrive stand alone mode is used to generate the simulation world.

As the dumped core shows, the segmentation fault is due to a null pointer reference.
The last instruction is mov (%rax),%rsi, and p $rax shows %rax == 0. Then a null pointer reference is triggered.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  std::__shared_ptr<carla::traffic_manager::SimpleWaypoint, (__gnu_cxx::_Lock_policy)2>::get (this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/shared_ptr_base.h:1258
1258          { return _M_ptr; }
[Current thread is 1 (Thread 0x7f4949e21700 (LWP 382))]
(gdb) x/16gi $rip
=> 0x7f49b56b0d12 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1730>:    mov    (%rax),%rsi
   0x7f49b56b0d15 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1733>:    mov    %rbp,%rdi
   0x7f49b56b0d18 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1736>:    call   0x7f49b56ccce0
     <_ZNK5carla15traffic_manager14SimpleWaypoint12GetTransformEv>
   0x7f49b56b0d1d <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1741>:    movss  0x50(%rsp),%xmm0
   0x7f49b56b0d23 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1747>:    movss  %xmm0,0x1c(%rsp)
   0x7f49b56b0d29 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1753>:    mov    0x78(%rsp),%rax
   0x7f49b56b0d2e <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1758>:    mov    -0x10(%rax),%rsi
   0x7f49b56b0d32 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1762>:    mov    %rbp,%rdi
   0x7f49b56b0d35 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1765>:
    call   0x7f49b56ccce0 <_ZNK5carla15traffic_manager14SimpleWaypoint12GetTransformEv>
   0x7f49b56b0d3a <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1770>:    cvttss2si 0x50(%rsp),%eax
   0x7f49b56b0d40 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1776>:    cvttss2si 0x1c(%rsp),%ecx
   0x7f49b56b0d46 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1782>:    movswl %ax,%edx
   0x7f49b56b0d49 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1785>:    movswl %cx,%eax
   0x7f49b56b0d4c <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1788>:    sub    %eax,%edx
   0x7f49b56b0d4e <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1790>:    movslq %edx,%rax
   0x7f49b56b0d51 <_ZN5carla15traffic_manager11InMemoryMap15SetUpRoadOptionEv+1793>:    imul   $0xffffffffb60b60b7,%rax,%rax
(gdb) p $rax
$1 = 0

And I find the source code location of the assembly code above. This assembly code is inside InMemoryMap::SetupRoadOption() and invokes traffic_manager::SimpleWaypoint::GetTransform(), I think it is near by InMemoryMap.cpp +431.

// Calculate the angle between the first and the last point of the junction.
int16_t current_angle = static_cast<int16_t>(traversed_waypoints.front()->GetTransform().rotation.yaw);
int16_t junction_end_angle = static_cast<int16_t>(traversed_waypoints.back()->GetTransform().rotation.yaw)

Steps to reproduce

1. download the attached test.zip, unzip it.
2. put test.xodr and test.xosc in the same directory.
3. python3 scenario_runner.py --openscenario /path/to/test.xosc

According to my experience, the segmentation fault is not stable to reproduce. Maybe you need to run serveral times to get the segmentation fault.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[blabla-my]

The reason of the null-pointer dereference is that traversed_waypoints.size() == 0, resulting tarversed_waypoints.front() == null.

The root cause is the wrong definition of road networks in the input OpenDrive. If two junctions are connected then the traversed_waypoints will be empty.

So fixing the OpenDrive file or adding a check by inspecting traversed_waypoints.empty() will solve this segmentation fault. The former solution is recommended because there are other components that use the OpenDrive map content like autopilot.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.