Jazz Jackrabbit 1 - level switch segmentation fault on OpenBSD

[mulander]

Hi,

I am hitting a segmentation fault with openjazz using the Jazz Jackrabbit 1 files from GOG.com on OpenBSD/amd64 -current using openjazz 20171024.

This happens when:

1. going from episode one to episode 2 by playing
2. loading episode 2
3. loading episode 3

I haven't yet checked if all paths lead to the exact same backtrace. I'm attaching a trace from scenario 1. I'm still trying to diagnose this myself but dropping buy with the bug report as I'm somewhat stuck and maybe someone can point me in the right direction.

(gdb) bt
#0  0x0000194eae765cc9 in Blit1to4 (info=0x7f7ffffbd280) at /usr/local/pobj/sdl-1.2.15/SDL-1.2.15/src/video/SDL_blit_1.c:252
#1  0x0000194eae76317c in SDL_SoftBlit (src=0x194ed2caf780, srcrect=Variable "srcrect" is not available.
) at /usr/local/pobj/sdl-1.2.15/SDL-1.2.15/src/video/SDL_blit.c:97
#2  0x0000194eae776b0b in SDL_LowerBlit (src=0x194ed2caf780, srcrect=0x7f7ffffbd360, dst=0x194f0aeee380, dstrect=0x7f7ffffbd360) at /usr/local/pobj/sdl-1.2.15/SDL-1.2.15/src/video/SDL_surface.c:440
#3  0x0000194eae779f86 in SDL_Flip (screen=Variable "screen" is not available.
) at /usr/local/pobj/sdl-1.2.15/SDL-1.2.15/src/video/SDL_video.c:1137
#4  0x0000194c4e80cc71 in Video::flip (this=0x194c4ea40788, mspf=15, paletteEffects=0x194f12af0640) at src/io/gfx/video.cpp:519
#5  0x0000194c4e8279b8 in loop (type=NORMAL_LOOP, paletteEffects=0x194f12af0640) at main.cpp:470
#6  0x0000194c4e826995 in Level::loop (this=0x194f44d3a000, menu=@0x7f7ffffbd87f, option=@0x7f7ffffbd878, message=@0x7f7ffffbd87e) at src/level/level.cpp:396
#7  0x0000194c4e8100d8 in JJ1BonusLevel::play (this=0x194f44d3a000) at src/jj1bonuslevel/jj1bonuslevel.cpp:768
#8  0x0000194c4e801ed0 in Game::playLevel (this=0x194e5f7d9c40, fileName=0x194e84b71c00 "BONUSMAP.000", intro=Variable "intro" is not available.
) at src/game/game.cpp:218
#9  0x0000194c4e815793 in JJ1Level::play (this=0x194e708da000) at src/jj1level/jj1level.cpp:679
#10 0x0000194c4e80200d in Game::playLevel (this=0x194e5f7d9c40, fileName=Variable "fileName" is not available.
) at src/game/game.cpp:290
#11 0x0000194c4e802280 in Game::play (this=0x194e5f7d9c40) at src/game/game.cpp:358
#12 0x0000194c4e827fb1 in GameMenu::playNewGame (this=0x194ef3cd0790, mode=M_SINGLE, firstLevel=0x194eac39e370 "LEVEL0.000") at src/menu/gamemenu.cpp:168
#13 0x0000194c4e82844d in GameMenu::newGameDifficulty (this=0x194ef3cd0790, mode=M_SINGLE, firstLevel=0x194eac39e370 "LEVEL0.000") from /usr/local/bin/openjazz
#14 0x0000194c4e828a75 in GameMenu::selectEpisode (this=0x194ef3cd0790, mode=M_SINGLE, episode=Variable "episode" is not available.
) at src/menu/gamemenu.cpp:285
#15 0x0000194c4e828cd8 in GameMenu::newGameEpisode (this=0x194ef3cd0790, mode=M_SINGLE) at src/menu/gamemenu.cpp:511
#16 0x0000194c4e829285 in GameMenu::newGame (this=0x194ef3cd0790) at src/menu/gamemenu.cpp:721
#17 0x0000194c4e829656 in MainMenu::select (this=0x194eab1c4000, option=0) at src/menu/mainmenu.cpp:167
#18 0x0000194c4e829a5f in MainMenu::main (this=0x194eab1c4000) at src/menu/mainmenu.cpp:321
#19 0x0000194c4e827881 in play () at main.cpp:408
#20 0x0000194c4e827a7c in main (argc=1, argv=0x7f7ffffbdd48) at main.cpp:566

EDIT: forgot to point out that frame 0 fails with an out of bounds write

(gdb) frame 0
#0  0x0000194eae765cc9 in Blit1to4 (info=0x7f7ffffbd280) at /usr/local/pobj/sdl-1.2.15/SDL-1.2.15/src/video/SDL_blit_1.c:252
252                     DUFFS_LOOP(
(gdb) p info
$46 = (SDL_BlitInfo *) 0x7f7ffffbd280
(gdb) p info->s_pixels
$47 = (Uint8 *) 0x194ed8a93000 ""
(gdb) p info->d_pixels
$48 = (Uint8 *) 0x194f36514000 <Address 0x194f36514000 out of bounds>

EDIT 2: the pixels of the destination screen are not allocated?

(gdb) frame 2
#2  0x0000194eae776b0b in SDL_LowerBlit (src=0x194ed2caf780, srcrect=0x7f7ffffbd360, dst=0x194f0aeee380, dstrect=0x7f7ffffbd360) at /usr/local/pobj/sdl-1.2.15/SDL-1.2.15/src/video/SDL_surface.c:440
440             return(do_blit(src, srcrect, dst, dstrect));
(gdb) p dst
$1 = (SDL_Surface *) 0x194f0aeee380
(gdb) p dst->pixels
$2 = (void *) 0x0
(gdb) p src
$3 = (SDL_Surface *) 0x194ed2caf780
(gdb) p src->pixels
$4 = (void *) 0x194ed8a93000

[mulander]

Instead of the above segfault, some test runs lead to the game being killed with the following on the console. This also happens on level change/load:

fishtank$ openjazz
pthread_mutex_destroy on mutex with waiters!
X Error of failed request:  BadShmSeg (invalid shared segment parameter)
  Major opcode of failed request:  130 (MIT-SHM)
  Minor opcode of failed request:  3 (X_ShmPutImage)
  Segment id in failed request:  0x2c0000f
  Serial number of failed request:  7133
  Current serial number in output stream:  7136

[mulander]

Yesterday I tested the following:

1. Changing the screen into a global to rule out the variable going out of scope - still crashing
2. Avoided calling SDL_Flip if either canvas or screen ->refcount dropped to 0 - still crashing
3. Avoided calling SDL_Flip if either canvas or screen ->pixels was null (0x0) - still crashing

I'm stuck and will need some pointers in further diagnosing this crash.

[mulander]

I reached out to Ryan C. Gordon on twitter while initially hitting my head against this crash. His reply (note he only saw the backtrace by then, I only just linked him this ticket).

I'm not sure; does this only fail on OpenBSD? Likely either a wrong surface size or a bogus palette, it's dying in the loop where it converts from paletted values to RGBA.

[carstene1ns]

Since OJ is now ported to SDL2 and it only happened on OpenBSD so far, I am closing this without solution.