New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"UPDATE_WALKABOUT_POS: missing sprite component" #1137
Comments
I have very similar crash report (8c92ceac) from RMZ. This time, it's a missing walkabout sprite component on a hero slice, and it happened after loading map 55 due to a quick load in Vikings of Midgard - Complete, running the 20200530.11864 Windows nightly.
|
Marking this a release-blocker because people are running into it a lot. This was probably introduced by the hero slice lifespan changes in gorgonzola. RMZ encountered it when swapping out and locking a hero right before changing maps without a wait. Adding a wait worked around it. Wobbler ran into it in KBB and emailed us a testcase. It crashed at the end of the Dr. Cube RPG. Again, his script did We have a mountain crash reports for this, which come in a quite a variety, including:
|
This is a tricky one! For example, if I comment out everything in the implementation of "camera follows hero" in scriptcommands.bas then the crash doesn't happen. Or if I add debug comments inside update_HeroSliceContext() then the crash doesn't happen. I assume memory is being corrupted and that these small changes are altering the layout of the corrupted memory just enough to prevent the crash |
Sounds like it could be a dangling pointer.
Can you use valgrind or asan (AddressSanitizer)?
I have a lot of poor luck with valgrind, sometimes I can't really get it to
work, and it's a pain that I always have to spend a long time updating
misc/valgrind_suppressions.txt after having upgraded parts of my OS.
asan doesn't seem to have that problem. To use asan compile with "scons
asan=1", which compiles in memory error checking into C code (it forces
gengcc=1). Like valgrind, asan can report reads/writes off the end of
allocated memory or access to freed memory.
…On Tue, 27 Apr 2021 at 09:04, James Paige ***@***.***> wrote:
This is a tricky one!
I have a test case that crashes on this, but very tiny seemingly
irrelevant changes to the source code can prevent the crash from happening.
For example, if I comment out everything in the implementation of "camera
follows hero" in scriptcommands.bas then the crash doesn't happen. Or if I
add debug comments inside update_HeroSliceContext() then the crash doesn't
happen.
I assume memory is being corrupted and that these small changes are
altering the layout of the corrupted memory just enough to prevent the crash
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1137 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAI4RCPDTPZQDR4HKXLFRN3TKXIPBANCNFSM4O7TTNZA>
.
|
I tried valgrind, and the crash simply didn't happen.
I'll try asan also
On Mon., Apr. 26, 2021, 11:41 p.m. Ralph Versteegen, <
***@***.***> wrote:
… Sounds like it could be a dangling pointer.
Can you use valgrind or asan (AddressSanitizer)?
I have a lot of poor luck with valgrind, sometimes I can't really get it to
work, and it's a pain that I always have to spend a long time updating
misc/valgrind_suppressions.txt after having upgraded parts of my OS.
asan doesn't seem to have that problem. To use asan compile with "scons
asan=1", which compiles in memory error checking into C code (it forces
gengcc=1). Like valgrind, asan can report reads/writes off the end of
allocated memory or access to freed memory.
On Tue, 27 Apr 2021 at 09:04, James Paige ***@***.***> wrote:
> This is a tricky one!
> I have a test case that crashes on this, but very tiny seemingly
> irrelevant changes to the source code can prevent the crash from
happening.
>
> For example, if I comment out everything in the implementation of "camera
> follows hero" in scriptcommands.bas then the crash doesn't happen. Or if
I
> add debug comments inside update_HeroSliceContext() then the crash
doesn't
> happen.
>
> I assume memory is being corrupted and that these small changes are
> altering the layout of the corrupted memory just enough to prevent the
crash
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#1137 (comment)
>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/AAI4RCPDTPZQDR4HKXLFRN3TKXIPBANCNFSM4O7TTNZA
>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1137 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA2IR6LF43VQQHP3MFVJEP3TKYW5RANCNFSM4O7TTNZA>
.
|
Oh, another question: how much do we trust the SWAP built-in? We use it a
lot for simple types like integers, but I think the only places we ever use
it for complex UDTs is when swapping heroes and when re-ordering menudef
items in custom
I remember being paranoid about SWAP... But I don't remember why.
On Tue., Apr. 27, 2021, 7:55 a.m. James Paige, ***@***.***>
wrote:
… I tried valgrind, and the crash simply didn't happen.
I'll try asan also
On Mon., Apr. 26, 2021, 11:41 p.m. Ralph Versteegen, <
***@***.***> wrote:
> Sounds like it could be a dangling pointer.
>
> Can you use valgrind or asan (AddressSanitizer)?
>
> I have a lot of poor luck with valgrind, sometimes I can't really get it
> to
> work, and it's a pain that I always have to spend a long time updating
> misc/valgrind_suppressions.txt after having upgraded parts of my OS.
>
> asan doesn't seem to have that problem. To use asan compile with "scons
> asan=1", which compiles in memory error checking into C code (it forces
> gengcc=1). Like valgrind, asan can report reads/writes off the end of
> allocated memory or access to freed memory.
>
> On Tue, 27 Apr 2021 at 09:04, James Paige ***@***.***> wrote:
>
> > This is a tricky one!
> > I have a test case that crashes on this, but very tiny seemingly
> > irrelevant changes to the source code can prevent the crash from
> happening.
> >
> > For example, if I comment out everything in the implementation of
> "camera
> > follows hero" in scriptcommands.bas then the crash doesn't happen. Or
> if I
> > add debug comments inside update_HeroSliceContext() then the crash
> doesn't
> > happen.
> >
> > I assume memory is being corrupted and that these small changes are
> > altering the layout of the corrupted memory just enough to prevent the
> crash
> >
> > —
> > You are receiving this because you authored the thread.
> > Reply to this email directly, view it on GitHub
> > <
> #1137 (comment)>,
> > or unsubscribe
> > <
> https://github.com/notifications/unsubscribe-auth/AAI4RCPDTPZQDR4HKXLFRN3TKXIPBANCNFSM4O7TTNZA
> >
> > .
> >
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#1137 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AA2IR6LF43VQQHP3MFVJEP3TKYW5RANCNFSM4O7TTNZA>
> .
>
|
According to SWAP in the manual,
In other words it shouldn't call any copy-constructors or other constructors, which could be problematic. I don't remember avoiding SWAP. |
asan does a nice job of narrowing down the problem:
I haven't figured out what to fix yet, but this definitely narrows the search :D |
Okay, I found a fix for this. Swapping an active hero and a reserve hero means that you end up with a reserve hero's slice parented to the hero layer, and a active hero's slice parented to the reserve layer. This normally doesn't matter, and gets fixed every tick when sorting the heroes for drawing. But it matters if a change of map happens in the same tick as a hero swap, because in that case, the code that preserves the active heroes from deletion when recreating the hero layer misses one, because it is still parented to the reserve layer even though it belongs to an active hero now At least I THINK that was what was happening, :D At any rate, this does fix the crash for me. |
This fixes the use-after-free pointer crash from #1137 git-svn-id: https://rpg.hamsterrepublic.com/source/wip@12273 7d344553-34f0-0310-a9b1-970ce8f1c3a2
Glad that's solved. I would just have parented the hero slices to |
git-svn-id: https://rpg.hamsterrepublic.com/source/wip@12274 7d344553-34f0-0310-a9b1-970ce8f1c3a2
Just received a surprising crash report while playing wandering-hamster.rpg; an NPC walkabout slice (which does exist) with no sprite component. Should be impossible. There are no errors in g_debug.txt. From the file timestamps, it happened immediately after entering map 16.
It looks like the user opened wandering-hamster.rpg in Custom and saved it:
0.7 Last edited by: [[OHRRPGCE gorgonzola 20200502.11799 gfx_directx+sdl+fb/music_sdl FreeBASIC 1.05.0 (01-31-2016) GCC 5.3.0 x86 pdb Built on vampirecell -g -gen gcc Win32 32-bit]] branch_rev 11797
(Maybe we should have some better way of identifying a game, like hashing the .rpg every time it's saved, or every time it's distributed, saving the history of hashes in general.reld, and including that in crash reports.)
Unless we find something odd with map 16, I have no idea how to narrow down this bug, since the minidumps don't include any of the heap. Maybe we should include a dump of the slice tree in crash reports.
The text was updated successfully, but these errors were encountered: