
Crash subdoarg/quickrepeat on corrupted script data #717

Closed
ohrrpgce-bugbot opened this issue Apr 20, 2009 · 6 comments

Comments


@ohrrpgce-bugbot ohrrpgce-bugbot commented Apr 20, 2009

[bz#717]

I have a game that is crashing randomly with segmentation faults on "SELECT CASE cmdptr->kind" right after the quickrepeat label in subdoarg()

I have no idea yet where the corruption could be happening, this is just where it causes the crash.

From: @bob-the-hamster
Reported version: 20110506 Zenzizenzic
Severity: major
Blocker for: bz#683


@ohrrpgce-bugbot ohrrpgce-bugbot commented Apr 20, 2009

Comment author: @bob-the-hamster

Created attachment 154
gdb_log.txt

Attached file: gdb_log.txt (text/plain, 2340 bytes)
Description: gdb_log.txt


@ohrrpgce-bugbot ohrrpgce-bugbot commented Apr 20, 2009

Comment author: @bob-the-hamster

Okay, so although this crash is random, it always happens in the same place:

quickrepeat:
DIM as ScriptCommand ptr cmdptr = cast(ScriptCommand ptr, dataptr + curcmd->args(si.curargn))

SELECT CASE cmdptr->kind

Corrupted data at dataptr + curcmd->args(si.curargn) gets cast into a ScriptCommand ptr and assigned to cmdptr. Then, when we try to dereference this bogus data to get the ->kind member in the SELECT, crashes happen.

I am having a rough time reproducing this one. I can only make it happen less than 10% of the time, but it does seem to happen most often when a long and complex recursive script that includes "wait" commands finishes. Other scripts run on top of it, such as on-keypress, each-step and several timers, but I can't tell if any of them make a difference.


@ohrrpgce-bugbot ohrrpgce-bugbot commented Apr 21, 2009

Comment author: @bob-the-hamster

Possible reincarnation of bug bz#653?


@ohrrpgce-bugbot ohrrpgce-bugbot commented May 3, 2009

Comment author: @bob-the-hamster

http://hamsterrepublic.com/tmp/baconcrash.zip

This is my (unfortunately not-at-all-simplified) test case for reproducing this bug. This is an early development version of Bob the Hamster in the Crypt of Baconthulhu (which I did not post here sooner to avoid penalty points in the Terrible Games Contest)

Here is how to do it.

  1. Start playing
  2. Run around and find a monster before the dungeon matures
  3. Fight with the monster

The crash will occur when the dungeon matures (that is when the deeply recursive generate map script completes).

* The crash NEVER happens if you don't fight a monster
* The crash only USUALLY happens when you do fight a monster


@ohrrpgce-bugbot ohrrpgce-bugbot commented May 12, 2009

Comment author: @bob-the-hamster

Yay! TeeEmCee, your fixes in svn revision 2708 (1dcca6c) fixed this bug. I am overjoyed!


@ohrrpgce-bugbot ohrrpgce-bugbot commented May 13, 2009

Comment author: @rversteegen

Actually, I'm disappointed. I was SO sure that my crash and possibly yours was due to bug bz#270, because I did some really weird stuff with break:

script, text, t, begin
  do(
    if (t >= 60000) then (
      if (t >= 86390) then ($1="[23:59] Sew> don't go down that path", lasttime := -1, break(needbreak) )
      ...
      if (t >= 60020) then ($1="[16:40] Sew> catchy opeeeeeeeeera songz", lasttime := 60040, break(needbreak) )
    )
    text sub (t)
  )
end

script, text sub, t, begin
  if (t >= 59990) then ($1="[16:39] Sew> if you watch all of that you can question yourself <3", lasttime := 60020, break(needbreak) )
  ...
  if (t >= 0) then ($1="[00:00] ---==== 2009-01-21 ====---", lasttime := 5, break(needbreak) )
end

Guess bug bz#270 will go unsolved forever (until the interpreter is replaced).
