ThreadSanitizer reports heap-use-after-free in the state update timer and callback chain.
```
WARNING: ThreadSanitizer: heap-use-after-free (pid=62240)
Read of size 8 ...
#3 planning_scene_monitor::PlanningSceneMonitor::stateUpdateTimerCallback() .../planning_scene_monitor.cpp:1325
#4 planning_scene_monitor::PlanningSceneMonitor::setStateUpdateFrequency(double)::$_21::operator()() const .../planning_scene_monitor.cpp:1361
#5 planning_scene_monitor::PlanningSceneMonitor::updateSceneWithCurrentState(bool) .../planning_scene_monitor.cpp:1402
#6 planning_scene_monitor::PlanningSceneMonitor::onStateUpdate(...) .../planning_scene_monitor.cpp:1316
#7 planning_scene_monitor::PlanningSceneMonitor::startStateMonitor(...)::$_10::operator()(...) const .../planning_scene_monitor.cpp:1268
SUMMARY: ThreadSanitizer: heap-use-after-free (...librcutils.so+0xd658) in rcutils_logging_get_logger_effective_level
```
### ROS Distro
Humble
### OS and version
Ubuntu 24.04.3 LTS
### Source or binary build?
Source
### If binary, which release version?
_No response_
### If source, which branch?
humble branch (moveit/moveit2, commit e7004f4)
### Which RMW are you using?
None
### Steps to Reproduce
1. Clone MoveIt2 (Humble) into a ROS 2 Humble workspace:
```bash
cd <ws>/src
git clone https://github.com/moveit/moveit2.git --branch humble --depth=1
```
2. Build with ThreadSanitizer enabled (and run the instrumented harness):
```bash
export CC=clang
export CXX=clang++
export RMW_IMPLEMENTATION=rmw_cyclonedds_cpp
export TSAN_OPTIONS="halt_on_error=0 history_size=3"
# Build (workspace + harness) with TSan/instrumentation
# (same setup used for SCARAB stage2 runs)
```
3. Run the planning_scene_monitor target (10 min):
```bash
./build-multi-e2e/stage2-fuzzer/scarab_e2e_runner \
  --target moveit2_planning_scene_monitor \
  --candidates nav2_ws/stage2/moveit2_ast_reanalysis_20260305/stage1/moveit2_all_candidates.json \
  --duration 600 \
  --threads 4 \
  --output-dir /tmp/moveit2_psm_run
```
4. Check the run log for TSan reports:
- heap-use-after-free path: planning_scene_monitor.cpp:1325, 1361, 1402, 1316, 1268
- data race path: planning_scene_monitor.cpp:651, 1117, 687, 807, 1286
5. Reference logs from reproduced runs:
- nav2_ws/stage2/moveit2_psm_pass_runs_20260305/run1/run.log
- nav2_ws/stage2/moveit2_psm_pass_runs_20260305/run3/run.log
### Expected behavior
`planning_scene_monitor` callbacks should execute without concurrency violations: no ThreadSanitizer-reported data races and no heap-use-after-free
under stress/concurrent callback execution.
### Actual behavior
Under concurrent callback execution, ThreadSanitizer reports concurrency violations in `planning_scene_monitor`: data races across scene/state callback
paths and, in the state update path, heap-use-after-free.
### Backtrace or Console output
_No response_
Description
Summary
A concurrency bug is observed in `planning_scene_monitor` state update callbacks. The primary symptom is a data race, and in the same execution path ThreadSanitizer also reports heap-use-after-free (likely lifetime/race interaction).
Affected Location
- moveit_ros/planning/planning_scene_monitor/src/planning_scene_monitor.cpp:1325
- moveit_ros/planning/planning_scene_monitor/src/planning_scene_monitor.cpp:1361
- moveit_ros/planning/planning_scene_monitor/src/planning_scene_monitor.cpp:1402
- moveit_ros/planning/planning_scene_monitor/src/planning_scene_monitor.cpp:1316
- moveit_ros/planning/planning_scene_monitor/src/planning_scene_monitor.cpp:1268

Observed Result
ThreadSanitizer reports heap-use-after-free in the state update timer and callback chain.
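
One way to do the log check in step 4 repeatably, as an added example that is not part of the original report or of MoveIt: it groups ThreadSanitizer reports in a run log by report kind and by the chain of `planning_scene_monitor.cpp` line numbers in their frames, so repeated hits of one path collapse into a single counted entry. The `triage` helper and the sample log are constructed for illustration; the placeholder function names in the data race reports are not real MoveIt symbols.

```python
import re
from collections import Counter

# Constructed sample: the first report reuses lines quoted in this issue; the data race
# reports use placeholder function names with line numbers taken from step 4.
SAMPLE_LOG = """\
==================
WARNING: ThreadSanitizer: heap-use-after-free (pid=62240)
  Read of size 8 ...
    #3 planning_scene_monitor::PlanningSceneMonitor::stateUpdateTimerCallback() .../planning_scene_monitor.cpp:1325
    #4 planning_scene_monitor::PlanningSceneMonitor::setStateUpdateFrequency(double)::$_21::operator()() const .../planning_scene_monitor.cpp:1361
    #5 planning_scene_monitor::PlanningSceneMonitor::updateSceneWithCurrentState(bool) .../planning_scene_monitor.cpp:1402
SUMMARY: ThreadSanitizer: heap-use-after-free (...librcutils.so+0xd658) in rcutils_logging_get_logger_effective_level
==================
WARNING: ThreadSanitizer: data race (pid=62240)
  Write of size 8 ...
    #0 placeholder_a() .../planning_scene_monitor.cpp:651
    #1 placeholder_b() .../planning_scene_monitor.cpp:1117
SUMMARY: ThreadSanitizer: data race .../planning_scene_monitor.cpp:651 in placeholder_a
==================
WARNING: ThreadSanitizer: data race (pid=62240)
  Write of size 8 ...
    #0 placeholder_a() .../planning_scene_monitor.cpp:651
    #1 placeholder_b() .../planning_scene_monitor.cpp:1117
SUMMARY: ThreadSanitizer: data race .../planning_scene_monitor.cpp:651 in placeholder_a
"""

HEADER = re.compile(r"^WARNING: ThreadSanitizer: (?P<kind>.+?) \(pid=\d+\)")
FRAME = re.compile(r"^\s*#\d+ .*?(?P<file>[\w.]+\.(?:cpp|h|hpp)):(?P<line>\d+)")

def triage(log_text, source_file="planning_scene_monitor.cpp"):
    """Count TSan reports keyed by (kind, tuple of frame line numbers in source_file)."""
    counts, kind, lines = Counter(), None, []
    def flush():
        # Record the report collected so far, if a WARNING header has been seen.
        if kind is not None:
            counts[(kind, tuple(lines))] += 1
    for raw in log_text.splitlines():
        m = HEADER.match(raw)
        if m:  # a new report starts: close the previous one
            flush()
            kind, lines = m.group("kind"), []
            continue
        f = FRAME.match(raw)  # SUMMARY lines do not start with '#N', so they are skipped
        if kind is not None and f and f.group("file") == source_file:
            lines.append(int(f.group("line")))
    flush()
    return counts
```

Calling `triage(open("run.log").read())` on a real run log returns a `Counter` whose keys can be compared against the two line-number chains listed in step 4.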