Crash subdoarg/quickrepeat on corrupted script data

[ohrrpgce-bugbot]

[bz#717]

I have a game that is crashing randomly with segmentation faults on "SELECT CASE cmdptr->kind" right after the quickrepeat label in subdoarg()

I have no idea yet where the corruption could be happening, this is just where it causes the crash.

From: @bob-the-hamster
Reported version: 20110506 Zenzizenzic
Severity: major
Blocker for: bz⁠#683

[ohrrpgce-bugbot]

Comment author: @bob-the-hamster

Created attachment 154
gdb_log.txt

Attached file: gdb_log.txt (text/plain, 2340 bytes)
Description: gdb_log.txt

[ohrrpgce-bugbot]

Comment author: @bob-the-hamster

Okay, so although this crash is random, it always happens in the same place

quickrepeat:
DIM as ScriptCommand ptr cmdptr = cast(ScriptCommand ptr, dataptr + curcmd->args(si.curargn))

SELECT CASE cmdptr->kind

corrupted data at dataptr + curcmd->args(si.curargn) gets cast into a ScriptCommand ptr and assigned to cmdptr. Then when we try to dereference this bogus data to get the ->kind member in the SELECT, crashes happen.

I am having a rough time of reproducing this one. I can only make it happen less than 10% of the time, but it does seem to happen most often when a long and complex recursive script that includes "wait" commands finishes. Other scripts run on top of it, such as on-keypress, each-step and several timers, but I can't tell if any of them make a difference.

[ohrrpgce-bugbot]

Comment author: @bob-the-hamster

Possible re-incarnation of bug bz⁠#653?

[ohrrpgce-bugbot]

Comment author: @bob-the-hamster

http://hamsterrepublic.com/tmp/baconcrash.zip

This is my (unfortunately not-at-all-simplified) test case for reproducing this bug. This is an early development version of Bob the Hamster in the Crypt of Baconthulhu (which I did not post here sooner to avoid penalty points in the Terrible Games Contest)

Here is how to do it.

1. Start playing
2. Run around and find a monster before the dungeon matures
3. Fight with the monster

The crash will occur when the dungeon matures (that is when the deeply recursive generate map script completes).

* The crash NEVER happens if you don't fight a monster
* The crash only USUALLY happens when you do fight a monster

[ohrrpgce-bugbot]

Comment author: @bob-the-hamster

Yay! TeeEmCee, your fixes in svn revision 2708 (1dcca6c) fixed this bug. I am overjoyed!

[ohrrpgce-bugbot]

Comment author: @rversteegen

Actually, I'm disappointed. I was SO sure that my crash and possibly yours was due to bug bz⁠#270, because I did some really weird stuff with break:

script, text, t, begin
do(
if (t >= 60000) then (
if (t >= 86390) then ($1="[23:59] Sew> don't go down that path", lasttime := -1, break(needbreak) )
...
if (t >= 60020) then ($1="[16:40] Sew> catchy opeeeeeeeeera songz", lasttime := 60040, break(needbreak) )
)
text sub (t)
)
end

script, text sub, t, begin
if (t >= 59990) then ($1="[16:39] Sew> if you watch all of that you can question yourself <3", lasttime := 60020, break(needbreak) )
...
if (t >= 0) then ($1="[00:00] ---==== 2009-01-21 ====---", lasttime := 5, break(needbreak) )
end

Guess bug bz⁠#270 will go unsolved forever (until the interpreter is replaced)