Segmentation Fault when removing certain parts from a crashed UH-60

[SageB]

Describe the bug
Removing anything from the tile where the controls are located causes the game to crash with a segmentation fault.

To Reproduce
Steps to reproduce the behavior:

1. Load the attached save.
2. Go east to the crashed UH-60.
3. Attempt to remove the seatbelt, controls, dashboard, etc... from the pilot's seat.
4. The game should now crash.

Expected behavior
I expected the game not to crash, because it normally doesn't have an issue with removing vehicle parts.

Versions and configuration

• OS: Windows 7
• Game Version: 0.C-34979-g3765602
• Graphics version: Tiles
• Mods loaded: DDA, Filthy Clothing, Disable NPC Needs, Simplified Nutrition, Cataclysm++, No Explosive Zombies, Safe Autodoc.

Additional context
Crash Log

Save

[ralreegorganon]

Confirmed when using 3de7663 from CDDA and 42cdd0bb174a7f9bdd9ce38c43579264962ac369 of Cata++.

Loaded save, moved east, removed seatbelt from UH-60 crash, crashed with:

CRASH LOG FILE: ./config/crash.log
VERSION: 0.C-35105-g3de7663397
TYPE: Signal
MESSAGE: SIGSEGV: Segmentation fault
STACK TRACE:

	0   cataclysm-tiles                     0x000000010502ebab _Z21debug_write_backtraceRNSt3__113basic_ostreamIcNS_11char_traitsIcEEEE + 43
	1   cataclysm-tiles                     0x000000010501a267 _ZL9log_crashPKcS0_ + 503
	2   cataclysm-tiles                     0x0000000105019f82 _ZL14signal_handleri + 66
	3   libsystem_platform.dylib            0x00007fff6fa23b3d _sigtramp + 29
	4   ???                                 0xfd00000070001006 0x0 + 18230571293474820102
	5   cataclysm-tiles                     0x00000001055b8b78 _ZNSt3__14listI4itemNS_9allocatorIS1_EEE6insertINS_15__list_iteratorIS1_PvEEEES8_NS_21__list_const_iteratorIS1_S7_EET_SB_PNS_9enable_ifIXsr19__is_input_iteratorISB_EE5valueEvE4typeE + 72
	6   cataclysm-tiles                     0x00000001056cd220 _ZN12veh_interact16complete_vehicleEv + 3056
	7   cataclysm-tiles                     0x0000000104e35f0f _ZN17activity_handlers14vehicle_finishEP15player_activityP6player + 95
	8   cataclysm-tiles                     0x0000000104e61248 _ZNKSt3__18functionIFbPK4itemS3_EEclES3_S3_ + 40
	9   cataclysm-tiles                     0x0000000104e612d0 _ZNK13activity_type11call_finishEP15player_activityP6player + 64
	10  cataclysm-tiles                     0x00000001055d323f _ZN15player_activity7do_turnER6player + 255
	11  cataclysm-tiles                     0x00000001050dffe0 _ZN4game16process_activityEv + 96
	12  cataclysm-tiles                     0x00000001050df043 _ZN4game7do_turnEv + 659
	13  cataclysm-tiles                     0x00000001052c0889 main + 3209
	14  libdyld.dylib                       0x00007fff6f83a08d start + 1

[mlangsdorf]

Can't confirm when not using cata++. I spawned as a crash survivor at a UH-60 and removed both pilot seatbelts and seats without an issue.

I suggest reporting it to the Cataclysm++ maintainers.

[kevingranade]

From inspection this is either happening

Cataclysm-DDA/src/veh_interact.cpp

Line 2724 in f923aac

resulting_items.insert(resulting_items.end(), contents.begin(), contents.end());

or

Cataclysm-DDA/src/veh_interact.cpp

Line 2751 in f923aac

resulting_items.insert(resulting_items.end(), pieces.begin(), pieces.end());

[kevingranade]

Both of these are potentially attempting to insert an empty range into the list.
The first is inserting a maybe empty std::list, and the second is inserting a maybe empty std::vector.
I expect the first to be called with an empty range a lot, so I'd be surprised if it is the source of the problem.

The second is more concerning:

Cataclysm-DDA/src/vehicle.cpp

Lines 1881 to 1887 in c3b2421

	item_group::ItemList vehicle_part::pieces_for_broken_part() const
	{
	const std::string &group = info().breaks_into_group;
	// @todo make it optional? Or use id of empty item group?
	if( group.empty() ) {
	return {};
	}

I'm not 100% sure that {} initialization is safe.

[kevingranade]

Also is it just me or is this mangled invocation weird?
_ZNSt3__14listI4itemNS_9allocatorIS1_EEE6insertINS_15__list_iteratorIS1_PvEEEES8_NS_21__list_const_iteratorIS1_S7_EET_SB_PNS_9enable_ifIXsr19__is_input_iteratorISB_EE5valueEvE4typeE

it's a std::list (ok cool) ::insert( list_iterator (ok makes sense), list_const_iterator (got it), enable_if<is_input_iterator>.
so it almost looks like it's dispatching to a std::list::insert( iter, iter ), which doesn't exist?

[ralreegorganon]

It's crashing on the first of the two entries you listed, line 2724: resulting_items.insert(resulting_items.end(), contents.begin(), contents.end());

It's bombing with an EXEC_BAD_ACCESS on the copy constructor for item:
item( const item & ) = default;

[jbytheway]

If someone could reproduce this in a build with SANITIZE=address DEBUG_SYMBOLS=1 that might be enlightening.

[ZhilkinSerg]

There are three vehicles on submap (\save\Escape\maps\8.1.0\257.40.0.map), all three named UH-60 Wreckage. One has 1 part, another one has 2 parts and last one has many parts. The latter is the one which we removed seatbelt from.

If you rename vehicles in file mentioned above to have unique names and look to debugger when game is crashed, you will see that parts are getting removed from incorrect vehicle.

That is what I get while trying to remove part from biggest vehicle - parts are trying to be removed from vehicle with single part (I have added suffix (1) to its name):

[ZhilkinSerg]

Issue happens when there are at least two overlapped vehicles (which probably failed to merge when spawned). Player interacts with one of vehicles and coordinates of vehicle are saved in activity. When activity is finished, nearest vehicle is searched using these coordinates, but it is possible that part from vehicle different from original one would be found.

[mlangsdorf]

I'll take a look at it.

[mlangsdorf]

I can't get a vehicle to fail to merge. I can see how this failure would happen if a vehicle failed to merge, I just can't make it happen. I will keep poking.

[ZhilkinSerg]

I can't get a vehicle to fail to merge. I can see how this failure would happen if a vehicle failed to merge, I just can't make it happen. I will keep poking.

Maybe that helicopter crash map extra was generated in some older version where vehicle merge was not working properly?

[mlangsdorf]

Maybe.

[mlangsdorf]

Aha! Got it. If you merge two vehicles together, then split one of them, the split vehicle can sometimes appear under the original vehicle. Okay, definitely my bug.