UAF bug occurs during `nav2_navfn_planner::NavFn` 's calculation work

[GoesM]

Bug report

Required Info:

• Operating System:
  • Ubuntu22.04
• ROS2 Version:
  • humble
• Version or commit hash:
  • the latest
• DDS implementation:
  • defaulted

Steps to reproduce issue

I encounter this UAF-bug many times when using the Nav2Goal feature

Launch the navigation2 normally, as following steps:

#!/bin/bash
export ASAN_OPTIONS=halt_on_error=0:new_delete_type_mismatch=0:detect_leaks=0:log_pah=asan
source install/setup.bash
export TURTLEBOT3_MODEL=waffle
export GAZEBO_MODEL_PATH=$GAZEBO_MODEL_PATH:/opt/ros/humble/share/turtlebot3_gazebo/models
ros2 launch nav2_bringup tb3_simulation_launch.py headless:=True use_rviz:=False use_composition:=False 

Keep sending Nav2Goal in rviz2-displayer or sending goal by command ros2 action send_goal or send msm into topic /goal_pose , in which the goal_pose is random.

Finally sent Ctrl+C to shutdown navigation2, which is before stop the action-sending and even before the latest action-goal finished.

An ASAN report file was discovered in my execution environment.

Expected behavior

Actual behavior

The ASAN reporting a use-after-free bug to me, as following:

=================================================================
==924435==ERROR: AddressSanitizer: heap-use-after-free on address 0x75dd9a983f48 at pc 0x75dd9fe736b9 bp 0x75dd9e1a8670 sp 0x75dd9e1a8668
READ of size 4 at 0x75dd9a983f48 thread T34
    #0 0x75dd9fe736b8 in nav2_navfn_planner::NavFn::updateCell(int) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x326b8) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #1 0x75dd9fe6fa42 in nav2_navfn_planner::NavFn::propNavFnDijkstra(int, bool) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x2ea42) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #2 0x75dd9fe5f08f in nav2_navfn_planner::NavfnPlanner::makePlan(geometry_msgs::msg::Pose_<std::allocator<void> > const&, geometry_msgs::msg::Pose_<std::allocator<void> > const&, double, nav_msgs::msg::Path_<std::allocator<void> >&) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x1e08f) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #3 0x75dd9fe5d649 in nav2_navfn_planner::NavfnPlanner::createPlan(geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&, geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x1c649) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #4 0x75ddac6a4ee5 in nav2_planner::PlannerServer::getPlan(geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&, geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0xa4ee5) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #5 0x75ddac690ed9 in nav2_planner::PlannerServer::computePlan() (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x90ed9) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #6 0x75ddac7994f4 in nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::work() (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x1994f4) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #7 0x75ddac798956 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()> >, void>::operator()() const (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x198956) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #8 0x75ddac79874f in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()> >, void> >::_M_invoke(std::_Any_data const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x19874f) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #9 0x75ddac79837f in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x19837f) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #10 0x75ddaa499ee7 in __pthread_once_slow nptl/./nptl/pthread_once.c:116:7
    #11 0x75ddac796ca6 in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()> >, void>::_M_run() (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x196ca6) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #12 0x75ddaa8dc252  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #13 0x75ddaa494ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #14 0x75ddaa52684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x75dd9a983f48 is located 329544 bytes inside of 589824-byte region [0x75dd9a933800,0x75dd9a9c3800)
freed by thread T0 here:
    #0 0x5af36f5bc9dd in operator delete[](void*) (/home/***/nav2/install/nav2_planner/lib/nav2_planner/planner_server+0xdf9dd) (BuildId: a53c0b4c8e364d2ddd89807e504fe220fd79ef2e)
    #1 0x75dd9fe6bc19 in nav2_navfn_planner::NavFn::~NavFn() (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x2ac19) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #2 0x75dd9fe524f3 in nav2_navfn_planner::NavfnPlanner::~NavfnPlanner() (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x114f3) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)

previously allocated by thread T34 here:
    #0 0x5af36f5bc18d in operator new[](unsigned long) (/home/***/nav2/install/nav2_planner/lib/nav2_planner/planner_server+0xdf18d) (BuildId: a53c0b4c8e364d2ddd89807e504fe220fd79ef2e)
    #1 0x75dd9fe6b5ae in nav2_navfn_planner::NavFn::setNavArr(int, int) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x2a5ae) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #2 0x75dd9fe5ec88 in nav2_navfn_planner::NavfnPlanner::makePlan(geometry_msgs::msg::Pose_<std::allocator<void> > const&, geometry_msgs::msg::Pose_<std::allocator<void> > const&, double, nav_msgs::msg::Path_<std::allocator<void> >&) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x1dc88) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #3 0x75dd9fe5d649 in nav2_navfn_planner::NavfnPlanner::createPlan(geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&, geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&) (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x1c649) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3)
    #4 0x75ddac6a4ee5 in nav2_planner::PlannerServer::getPlan(geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&, geometry_msgs::msg::PoseStamped_<std::allocator<void> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0xa4ee5) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #5 0x75ddac690ed9 in nav2_planner::PlannerServer::computePlan() (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x90ed9) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #6 0x75ddac7994f4 in nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::work() (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x1994f4) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #7 0x75ddac798956 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()> >, void>::operator()() const (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x198956) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #8 0x75ddac79874f in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()> >, void> >::_M_invoke(std::_Any_data const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x19874f) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #9 0x75ddac79837f in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x19837f) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #10 0x75ddaa499ee7 in __pthread_once_slow nptl/./nptl/pthread_once.c:116:7

Thread T34 created by T15 here:
    #0 0x5af36f56a72c in __interceptor_pthread_create (/home/***/nav2/install/nav2_planner/lib/nav2_planner/planner_server+0x8d72c) (BuildId: a53c0b4c8e364d2ddd89807e504fe220fd79ef2e)
    #1 0x75ddaa8dc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x75ddac793821 in std::future<std::__invoke_result<std::decay<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()>::type>::type> std::async<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()>(std::launch, nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >)::'lambda'()&&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x193821) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #3 0x75ddac779df0 in nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x179df0) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #4 0x75ddac79fb92 in std::__invoke_result<void (nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> > >::type std::__invoke<void (nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> > >(void (nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::ComputePathToPose> >&&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x19fb92) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #5 0x75ddac781880 in rclcpp_action::Server<nav2_msgs::action::ComputePathToPose>::call_goal_accepted_callback(std::shared_ptr<rcl_action_goal_handle_s>, std::array<unsigned char, 16ul>, std::shared_ptr<void>) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x181880) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #6 0x75ddab9d01b6 in rclcpp_action::ServerBase::execute_goal_request_received(std::shared_ptr<void>&) (/opt/ros/humble/lib/librclcpp_action.so+0x131b6) (BuildId: 8da0710b8af025b200f6ce73ffc85c5ed5c45a8d)

Thread T15 created by T0 here:
    #0 0x5af36f56a72c in __interceptor_pthread_create (/home/***/nav2/install/nav2_planner/lib/nav2_planner/planner_server+0x8d72c) (BuildId: a53c0b4c8e364d2ddd89807e504fe220fd79ef2e)
    #1 0x75ddaa8dc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x75ddac7732cb in nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::SimpleActionServer(std::shared_ptr<rclcpp::node_interfaces::NodeBaseInterface>, std::shared_ptr<rclcpp::node_interfaces::NodeClockInterface>, std::shared_ptr<rclcpp::node_interfaces::NodeLoggingInterface>, std::shared_ptr<rclcpp::node_interfaces::NodeWaitablesInterface>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::function<void ()>, std::function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >, bool, rcl_action_server_options_s const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x1732cb) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #3 0x75ddac76fbf8 in nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>::SimpleActionServer<std::shared_ptr<nav2_util::LifecycleNode> >(std::shared_ptr<nav2_util::LifecycleNode>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::function<void ()>, std::function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >, bool, rcl_action_server_options_s const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x16fbf8) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #4 0x75ddac68fb35 in std::_MakeUniq<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose> >::__single_object std::make_unique<nav2_util::SimpleActionServer<nav2_msgs::action::ComputePathToPose>, std::shared_ptr<nav2_util::LifecycleNode>, char const (&) [21], std::_Bind<void (nav2_planner::PlannerServer::* (nav2_planner::PlannerServer*))()>, std::nullptr_t, std::chrono::duration<long, std::ratio<1l, 1000l> >, bool>(std::shared_ptr<nav2_util::LifecycleNode>&&, char const (&) [21], std::_Bind<void (nav2_planner::PlannerServer::* (nav2_planner::PlannerServer*))()>&&, std::nullptr_t&&, std::chrono::duration<long, std::ratio<1l, 1000l> >&&, bool&&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x8fb35) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #5 0x75ddac6880ab in nav2_planner::PlannerServer::on_configure(rclcpp_lifecycle::State const&) (/home/***/nav2/install/nav2_planner/lib/libplanner_server_core.so+0x880ab) (BuildId: aef58e89824c7a18a2835f121508ebf22b22877a)
    #6 0x75ddac889b8c  (/opt/ros/humble/lib/librclcpp_lifecycle.so+0x28b8c) (BuildId: e9b8e454bf87aaab775667b79aefcab12c018de9)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/***/nav2/install/nav2_navfn_planner/lib/libnav2_navfn_planner.so+0x326b8) (BuildId: 1ac9c097881f207fa259d7749bdafc5eb1e98cf3) in nav2_navfn_planner::NavFn::updateCell(int)
Shadow bytes around the buggy address:
  0x0ebc33528790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc335287a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc335287b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc335287c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc335287d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ebc335287e0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0ebc335287f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc33528800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc33528810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc33528820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ebc33528830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==924435==ABORTING

Additional information

---

Accroding to the ASAN report ,

During the function nav2_navfn_planner::NavFn::propNavFnDijkstra running , the resources in need for this function were freed by the destructor of nav2_planner

However, it seems that here's already a action_server_pose->deactivate() and action_server_pose.reset() in on_deactivate() and on_cleanup() of nav2_planner

[GoesM]

Additional check

Through my expeirments( by insert thread-sleep in the function nav2_navfn_planner::NavfnPlanner::makePlan and insert ros log)

Finally, I confirmed the reason for this issue, it's also caused by the error-thrown mechanism defect in nav2_util (in humble branch )

https://github.com/ros-planning/navigation2/blob/150dd6beb50aee502ada8935cee23d7160a40f57/nav2_util/include/nav2_util/simple_action_server.hpp#L294

It seems like another ticket for #4175 and #4180, and my experiments are very similar to how I do it in #4175.

This bug seems fixed in main-branch in our last work, and just not updated into the humble-branch.

[SteveMacenski]

Can you submit a PR to backport to Humble?

[GoesM]

It seems there's a restriction on "only being able to submit to the main branch," and I'm not particularly familiar with cherry-pick operations... T_T

Would you be willing to help me?

[SteveMacenski]

Sure, if you find the git hash that you're interested in either through git log or the GitHub UI, you can apply that hash to another branch via

git checkout humble
git checkout -b my_branch
git cherry-pick <hash>

If there are issues with conflicts, then it'll give you errors that you need to resolve in line of the code. Else, it should be smooth. Then open a PR against that branch. You can ignore the only being able to submit to the main branch bot, that is a general rule for general situations. When we're talking about approved specific backports, its OK. That more for people that want to add a new feature or fix a new bug in some branch but that isn't in main (so then any new distributions wouldn't get it 😢 ). Since this is already in main, this is the backport, which is fine.

[GoesM]

Thanks a lot ! ^_^ I'd have a try on it ~