[Fixed] Newrenderer crashes in Woods of the Dark Serpent (SW)

Moderator: Raze Developers

Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Talon1024 » Thu May 06, 2021 9:56 pm

Title mostly says it all. To reproduce the crash, load this savegame, open the door in front of you, and walk around a bit. I haven't been able to consistently reproduce this crash, however, so your mileage may vary. (Game: ShadowWarrior.ShadowWarrior)
Talon1024
Joined: 27 Jun 2016
Github ID: Talon1024
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit
Graphics Processor: nVidia with Vulkan support

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Fri May 07, 2021 12:33 am

I tried but cannot reproduce this. Do you have some crash log info?
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Talon1024 » Fri May 07, 2021 2:13 am

Talon1024
Joined: 27 Jun 2016
Github ID: Talon1024
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit
Graphics Processor: nVidia with Vulkan support

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby sinisterseed » Fri May 07, 2021 2:37 am

Dark Woods of the Serpent*, got that backwards ^^.

Either way yeah, another case where using a different OS helps, I replayed it two days ago for some tests but it never crashed on me.
sinisterseed
Raze/GZDoom RO Translator & Raze Tester
Joined: 05 Nov 2019
Twitch ID: nixchievousfox
Github ID: sinisterseed
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: nVidia with Vulkan support

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Fri May 07, 2021 3:39 am

This makes no sense. It tells me that a global TArray variable has gotten corrupted, but I have no idea what may cause it.
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Talon1024 » Fri May 07, 2021 10:21 am

sinisterseed wrote: Dark Woods of the Serpent*, got that backwards ^^.

I guess that's what I get for posting when I'm tired. :D :D :D
sinisterseed wrote: Either way yeah, another case where using a different OS helps, I replayed it two days ago for some tests but it never crashed on me.

Strangely enough, I don't get the crash every time. This time, though, I luckily managed to get a backtrace from gdb (Raze 29b0106a9):
Code:
#0  0x0000555555b49b62 in BunchDrawer::ProcessBunch (this=0x55556085d338, bnch=0)
    at ../source/core/rendering/scene/hw_bunchdrawer.cpp:289
#1  0x0000555555b4b0ab in BunchDrawer::<lambda()>::operator()(void) const (
    __closure=0x7fffffffc3b0) at ../source/core/rendering/scene/hw_bunchdrawer.cpp:609
#2  0x0000555555b4b17e in BunchDrawer::RenderScene (this=0x55556085d338,
    viewsectors=0x55555f771a80, sectcount=6, portal=true)
    at ../source/core/rendering/scene/hw_bunchdrawer.cpp:617
#3  0x0000555555b46605 in HWDrawInfo::CreateScene (this=0x55556085cf50, portal=true)
    at ../source/core/rendering/scene/hw_drawinfo.cpp:392
#4  0x0000555555b4783c in HWDrawInfo::DrawScene (this=0x55556085cf50, drawmode=2,
    portal=true) at ../source/core/rendering/scene/hw_drawinfo.cpp:696
#5  0x0000555555b4cb75 in HWScenePortalBase::DrawContents (this=0x555561d3ff40,
    di=0x55556085cf50, state=...) at ../source/core/rendering/scene/hw_portal.cpp:373
#6  0x0000555555b474db in HWDrawInfo::RenderPortal (this=0x555560826ce0,
    p=0x555561d3ff40, state=..., usestencil=true)
    at ../source/core/rendering/scene/hw_drawinfo.cpp:602
#7  0x0000555555b4bd95 in FPortalSceneState::RenderPortal (
    this=0x555556e38c80 <portalState>, p=0x555561d3ff40, state=..., usestencil=true,
    outer_di=0x555560826ce0) at ../source/core/rendering/scene/hw_portal.cpp:133
#8  0x0000555555b4bb94 in FPortalSceneState::EndFrame (
    this=0x555556e38c80 <portalState>, di=0x555560826ce0, state=...)
    at ../source/core/rendering/scene/hw_portal.cpp:96
#9  0x0000555555b4796a in HWDrawInfo::DrawScene (this=0x555560826ce0, drawmode=2,
    portal=true) at ../source/core/rendering/scene/hw_drawinfo.cpp:714
#10 0x0000555555b4cb75 in HWScenePortalBase::DrawContents (this=0x555561c693d0,
    di=0x555560826ce0, state=...) at ../source/core/rendering/scene/hw_portal.cpp:373
#11 0x0000555555b474db in HWDrawInfo::RenderPortal (this=0x55555fc93d00,
    p=0x555561c693d0, state=..., usestencil=true)
    at ../source/core/rendering/scene/hw_drawinfo.cpp:602
#12 0x0000555555b4bd95 in FPortalSceneState::RenderPortal (
    this=0x555556e38c80 <portalState>, p=0x555561c693d0, state=..., usestencil=true,
    outer_di=0x55555fc93d00) at ../source/core/rendering/scene/hw_portal.cpp:133
#13 0x0000555555b4bb94 in FPortalSceneState::EndFrame (
    this=0x555556e38c80 <portalState>, di=0x55555fc93d00, state=...)
    at ../source/core/rendering/scene/hw_portal.cpp:96
#14 0x0000555555b4796a in HWDrawInfo::DrawScene (this=0x55555fc93d00, drawmode=0,
    portal=false) at ../source/core/rendering/scene/hw_drawinfo.cpp:714
#15 0x0000555555b479dc in HWDrawInfo::ProcessScene (this=0x55555fc93d00, toscreen=true)
    at ../source/core/rendering/scene/hw_drawinfo.cpp:729
#16 0x0000555555b29f8a in RenderViewpoint (mainvp=..., bounds=0x0, fov=100,
    ratio=1.77777779, fovratio=1.33000004, mainview=true, toscreen=true)
    at ../source/core/rendering/hw_entrypoint.cpp:150
#17 0x0000555555b2ab23 in render_drawrooms (
    playersprite=0x5555568d4a1c <sprite_s+40732>, position=..., sectnum=584,
    angle=..., horizon=..., rollang=..., smoothratio=30809.364889600001)
    at ../source/core/rendering/hw_entrypoint.cpp:365
#18 0x0000555555fbc626 in ShadowWarrior::drawscreen (
    pp=0x5555579ffee0 <ShadowWarrior::Player>, smoothratio=30809.364889600001)
    at ../source/games/sw/src/draw.cpp:1604
#19 0x0000555555fc0bce in ShadowWarrior::GameInterface::Render (this=0x555557b20c30)
    at ../source/games/sw/src/game.cpp:625
#20 0x0000555555ac8ad0 in Display () at ../source/core/mainloop.cpp:411
#21 0x0000555555ac91dc in MainLoop () at ../source/core/mainloop.cpp:689
#22 0x0000555555ad0b1f in RunGame () at ../source/core/gamecontrol.cpp:1053
#23 0x0000555555acee0c in GameMain () at ../source/core/gamecontrol.cpp:556
#24 0x000055555592f2bb in main (argc=1, argv=0x7fffffffde08)
    at ../source/common/platform/posix/sdl/i_main.cpp:194
Talon1024
Joined: 27 Jun 2016
Github ID: Talon1024
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit
Graphics Processor: nVidia with Vulkan support

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Fri May 07, 2021 10:44 am

It's the same as last time, the crash line is identical.
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Talon1024 » Fri May 07, 2021 1:23 pm

On the other hand, I sometimes get random crashes during the game. The backtrace is slightly different, however:
Code:
Thread 1 "raze" received signal SIGSEGV, Segmentation fault.
0x0000555555ad651e in PlanesAtPoint (sec=0x556c4142e800, dax=22016, day=42752,
    pceilz=0x7fffffffc4a8, pflorz=0x7fffffffc4ac) at ../source/core/gamefuncs.cpp:159
159      float ceilz = float(sec->ceilingz);
(gdb) #0  0x0000555555ad651e in PlanesAtPoint (sec=0x556c4142e800, dax=22016, day=42752,
    pceilz=0x7fffffffc4a8, pflorz=0x7fffffffc4ac) at ../source/core/gamefuncs.cpp:159
#1  0x0000555555b30993 in HWWall::Process (this=0x7fffffffc570, di=0x55555f91aef0,
    wal=0x555556b202c0 <wall_s+136512>, frontsector=0x556c4142e800, backsector=0x0)
    at ../source/core/rendering/scene/hw_walls.cpp:856
#2  0x0000555555b49d28 in BunchDrawer::ProcessBunch (this=0x55555f91b2d8, bnch=0)
    at ../source/core/rendering/scene/hw_bunchdrawer.cpp:300
#3  0x0000555555b4b0ab in BunchDrawer::<lambda()>::operator()(void) const (
    __closure=0x7fffffffc6d0) at ../source/core/rendering/scene/hw_bunchdrawer.cpp:609
#4  0x0000555555b4b17e in BunchDrawer::RenderScene (this=0x55555f91b2d8,
    viewsectors=0x55555f926800, sectcount=1, portal=false)
    at ../source/core/rendering/scene/hw_bunchdrawer.cpp:617
#5  0x0000555555b46633 in HWDrawInfo::CreateScene (this=0x55555f91aef0, portal=false)
    at ../source/core/rendering/scene/hw_drawinfo.cpp:394
#6  0x0000555555b4783c in HWDrawInfo::DrawScene (this=0x55555f91aef0, drawmode=0,
    portal=false) at ../source/core/rendering/scene/hw_drawinfo.cpp:696
#7  0x0000555555b479dc in HWDrawInfo::ProcessScene (this=0x55555f91aef0, toscreen=true)
    at ../source/core/rendering/scene/hw_drawinfo.cpp:729
#8  0x0000555555b29f8a in RenderViewpoint (mainvp=..., bounds=0x0, fov=100,
    ratio=1.77777779, fovratio=1.33000004, mainview=true, toscreen=true)
    at ../source/core/rendering/hw_entrypoint.cpp:150
#9  0x0000555555b2ab23 in render_drawrooms (
    playersprite=0x5555568d5be8 <sprite_s+45288>, position=..., sectnum=142,
    angle=..., horizon=..., rollang=..., smoothratio=61143.672422399999)
    at ../source/core/rendering/hw_entrypoint.cpp:365
#10 0x0000555555fbc626 in ShadowWarrior::drawscreen (
    pp=0x5555579ffee0 <ShadowWarrior::Player>, smoothratio=61143.672422399999)
    at ../source/games/sw/src/draw.cpp:1604
#11 0x0000555555fc0bce in ShadowWarrior::GameInterface::Render (this=0x555557b20c30)
    at ../source/games/sw/src/game.cpp:625
#12 0x0000555555ac8ad0 in Display () at ../source/core/mainloop.cpp:411
#13 0x0000555555ac91dc in MainLoop () at ../source/core/mainloop.cpp:689
#14 0x0000555555ad0b1f in RunGame () at ../source/core/gamecontrol.cpp:1053
#15 0x0000555555acee0c in GameMain () at ../source/core/gamecontrol.cpp:556
#16 0x000055555592f2bb in main (argc=1, argv=0x7fffffffde48)
    at ../source/common/platform/posix/sdl/i_main.cpp:194
Talon1024
Joined: 27 Jun 2016
Github ID: Talon1024
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit
Graphics Processor: nVidia with Vulkan support

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Fri May 07, 2021 1:58 pm

That's the same as this one: viewtopic.php?f=340&t=72187
Unfortunately both of these only seem to happen on Linux so I'm going to need some help with them. I can see some bad data in the backtraces but have no idea where it comes from.

It looks like random memory corruption in both cases so probably some stray uninitialized variable somewhere.
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Talon1024 » Sat May 08, 2021 12:09 am

Well, I enabled AddressSanitizer, and it gave me this information, which may be related to these crashes:
Code:
==30170==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300334a028 at pc 0x56393423494f bp 0x7ffc3364a300 sp 0x7ffc3364a2f0
READ of size 4 at 0x61300334a028 thread T0
    #0 0x56393423494e in BunchDrawer::ProcessBunch(int) ../source/core/rendering/scene/hw_bunchdrawer.cpp:280
    #1 0x563934237fd0 in operator() ../source/core/rendering/scene/hw_bunchdrawer.cpp:609
    #2 0x5639342382a0 in BunchDrawer::RenderScene(int const*, unsigned int, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:617
    #3 0x56393422b99a in HWDrawInfo::CreateScene(bool) ../source/core/rendering/scene/hw_drawinfo.cpp:394
    #4 0x56393422ea6e in HWDrawInfo::DrawScene(int, bool) ../source/core/rendering/scene/hw_drawinfo.cpp:696
    #5 0x56393422edcf in HWDrawInfo::ProcessScene(bool) ../source/core/rendering/scene/hw_drawinfo.cpp:729
    #6 0x5639341d3989 in RenderViewpoint(FRenderViewpoint&, IntRect*, float, float, float, bool, bool) ../source/core/rendering/hw_entrypoint.cpp:150
    #7 0x5639341d5c67 in render_drawrooms(spritetype*, vec3_t const&, int, binangle, fixedhoriz, binangle, double) ../source/core/rendering/hw_entrypoint.cpp:365
    #8 0x5639348c52c2 in Duke3d::renderView(spritetype*, int, int, int, int, binangle, fixedhoriz, binangle, int) ../source/games/duke/src/render.cpp:86
    #9 0x5639348c927e in Duke3d::displayrooms(int, double) ../source/games/duke/src/render.cpp:418
    #10 0x56393489e7d9 in Duke3d::GameInterface::Render() ../source/games/duke/src/gameloop.cpp:132
    #11 0x5639340ed309 in Display() ../source/core/mainloop.cpp:411
    #12 0x5639340ee7a8 in MainLoop() ../source/core/mainloop.cpp:689
    #13 0x5639340fc990 in RunGame() ../source/core/gamecontrol.cpp:1053
    #14 0x5639340f8a17 in GameMain() ../source/core/gamecontrol.cpp:556
    #15 0x563933c7fb5d in main ../source/common/platform/posix/sdl/i_main.cpp:194
    #16 0x7f1ee932d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #17 0x563933c717ed in _start (/home/kevinc/Games/code/Raze/build/raze+0x7807ed)

0x61300334a028 is located 296 bytes inside of 384-byte region [0x613003349f00,0x61300334a080)
freed by thread T0 here:
    #0 0x7f1ee9f1bffe in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x56393444b70c in M_Realloc_Dbg(void*, unsigned long, char const*, int) ../source/common/utility/m_alloc.cpp:145
    #2 0x563934239774 in TArray<FBunch, FBunch>::DoResize() ../source/common/utility/tarray.h:563
    #3 0x563934239564 in TArray<FBunch, FBunch>::Grow(unsigned int) ../source/common/utility/tarray.h:455
    #4 0x563934238d4f in TArray<FBunch, FBunch>::Reserve(unsigned long) ../source/common/utility/tarray.h:498
    #5 0x563934232a03 in BunchDrawer::StartBunch(int, int, binangle, binangle, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:107
    #6 0x56393423745c in BunchDrawer::ProcessSection(int, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:567
    #7 0x5639342350c4 in BunchDrawer::ProcessBunch(int) ../source/core/rendering/scene/hw_bunchdrawer.cpp:313
    #8 0x563934237fd0 in operator() ../source/core/rendering/scene/hw_bunchdrawer.cpp:609
    #9 0x5639342382a0 in BunchDrawer::RenderScene(int const*, unsigned int, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:617
    #10 0x56393422b99a in HWDrawInfo::CreateScene(bool) ../source/core/rendering/scene/hw_drawinfo.cpp:394
    #11 0x56393422ea6e in HWDrawInfo::DrawScene(int, bool) ../source/core/rendering/scene/hw_drawinfo.cpp:696
    #12 0x56393422edcf in HWDrawInfo::ProcessScene(bool) ../source/core/rendering/scene/hw_drawinfo.cpp:729
    #13 0x5639341d3989 in RenderViewpoint(FRenderViewpoint&, IntRect*, float, float, float, bool, bool) ../source/core/rendering/hw_entrypoint.cpp:150
    #14 0x5639341d5c67 in render_drawrooms(spritetype*, vec3_t const&, int, binangle, fixedhoriz, binangle, double) ../source/core/rendering/hw_entrypoint.cpp:365
    #15 0x5639348c52c2 in Duke3d::renderView(spritetype*, int, int, int, int, binangle, fixedhoriz, binangle, int) ../source/games/duke/src/render.cpp:86
    #16 0x5639348c927e in Duke3d::displayrooms(int, double) ../source/games/duke/src/render.cpp:418
    #17 0x56393489e7d9 in Duke3d::GameInterface::Render() ../source/games/duke/src/gameloop.cpp:132
    #18 0x5639340ed309 in Display() ../source/core/mainloop.cpp:411
    #19 0x5639340ee7a8 in MainLoop() ../source/core/mainloop.cpp:689
    #20 0x5639340fc990 in RunGame() ../source/core/gamecontrol.cpp:1053
    #21 0x5639340f8a17 in GameMain() ../source/core/gamecontrol.cpp:556
    #22 0x563933c7fb5d in main ../source/common/platform/posix/sdl/i_main.cpp:194
    #23 0x7f1ee932d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7f1ee9f1bffe in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x56393444b70c in M_Realloc_Dbg(void*, unsigned long, char const*, int) ../source/common/utility/m_alloc.cpp:145
    #2 0x563934239774 in TArray<FBunch, FBunch>::DoResize() ../source/common/utility/tarray.h:563
    #3 0x563934239564 in TArray<FBunch, FBunch>::Grow(unsigned int) ../source/common/utility/tarray.h:455
    #4 0x563934238d4f in TArray<FBunch, FBunch>::Reserve(unsigned long) ../source/common/utility/tarray.h:498
    #5 0x563934232a03 in BunchDrawer::StartBunch(int, int, binangle, binangle, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:107
    #6 0x56393423745c in BunchDrawer::ProcessSection(int, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:567
    #7 0x563934237ed0 in operator() ../source/core/rendering/scene/hw_bunchdrawer.cpp:603
    #8 0x5639342382a0 in BunchDrawer::RenderScene(int const*, unsigned int, bool) ../source/core/rendering/scene/hw_bunchdrawer.cpp:617
    #9 0x56393422b99a in HWDrawInfo::CreateScene(bool) ../source/core/rendering/scene/hw_drawinfo.cpp:394
    #10 0x56393422ea6e in HWDrawInfo::DrawScene(int, bool) ../source/core/rendering/scene/hw_drawinfo.cpp:696
    #11 0x56393422edcf in HWDrawInfo::ProcessScene(bool) ../source/core/rendering/scene/hw_drawinfo.cpp:729
    #12 0x5639341d3989 in RenderViewpoint(FRenderViewpoint&, IntRect*, float, float, float, bool, bool) ../source/core/rendering/hw_entrypoint.cpp:150
    #13 0x5639341d5c67 in render_drawrooms(spritetype*, vec3_t const&, int, binangle, fixedhoriz, binangle, double) ../source/core/rendering/hw_entrypoint.cpp:365
    #14 0x5639348c52c2 in Duke3d::renderView(spritetype*, int, int, int, int, binangle, fixedhoriz, binangle, int) ../source/games/duke/src/render.cpp:86
    #15 0x5639348c927e in Duke3d::displayrooms(int, double) ../source/games/duke/src/render.cpp:418
    #16 0x56393489e7d9 in Duke3d::GameInterface::Render() ../source/games/duke/src/gameloop.cpp:132
    #17 0x5639340ed309 in Display() ../source/core/mainloop.cpp:411
    #18 0x5639340ee7a8 in MainLoop() ../source/core/mainloop.cpp:689
    #19 0x5639340fc990 in RunGame() ../source/core/gamecontrol.cpp:1053
    #20 0x5639340f8a17 in GameMain() ../source/core/gamecontrol.cpp:556
    #21 0x563933c7fb5d in main ../source/common/platform/posix/sdl/i_main.cpp:194
    #22 0x7f1ee932d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../source/core/rendering/scene/hw_bunchdrawer.cpp:280 in BunchDrawer::ProcessBunch(int)
Shadow bytes around the buggy address:
  0x0c26806613b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c26806613c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c26806613d0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c26806613e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c26806613f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2680661400: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c2680661410: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2680661420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680661430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680661440: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2680661450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30170==ABORTING

This was from Duke3D E4L1 (It's Impossible)
Talon1024
Joined: 27 Jun 2016
Github ID: Talon1024
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit
Graphics Processor: nVidia with Vulkan support
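The shape of the bug the ASan report above describes (a read in ProcessBunch through memory that TArray::Grow freed with realloc while a nested StartBunch call was appending to the same array), as an added example that is not Raze's code: a simplified growable array with a generation counter so a stale handle can be detected instead of dereferenced, and an index-driven ProcessBunch that stays valid across growth. The FBunch field names, the even-line spawning rule and the scenario numbers are constructed for the illustration.

```cpp
// Added example, not code from Raze. BunchArray stands in for TArray<FBunch>;
// its "generation" is bumped on every realloc so a handle taken before a
// growth can report itself stale rather than read freed memory.
#include <cstdlib>

struct FBunch { int startline; int endline; };   // field names are assumed

// Minimal growable array in the spirit of TArray (simplified, not Raze's).
class BunchArray {
public:
    BunchArray() = default;
    BunchArray(const BunchArray&) = delete;
    BunchArray& operator=(const BunchArray&) = delete;
    ~BunchArray() { std::free(data_); }

    unsigned Size() const { return count_; }
    unsigned Generation() const { return generation_; }
    FBunch& operator[](unsigned i) { return data_[i]; }

    // Appends and returns the new index; may move the whole buffer.
    unsigned Push(const FBunch& b) {
        if (count_ == capacity_) Grow();
        data_[count_] = b;
        return count_++;
    }

private:
    void Grow() {
        capacity_ = capacity_ ? capacity_ * 2 : 4;
        // realloc may free the old block: every FBunch* taken earlier is now dangling.
        data_ = static_cast<FBunch*>(std::realloc(data_, capacity_ * sizeof(FBunch)));
        if (!data_) std::abort();
        ++generation_;
    }
    FBunch* data_ = nullptr;
    unsigned count_ = 0, capacity_ = 0, generation_ = 0;
};

// Checked handle: (array, index, generation) instead of a raw element pointer.
struct BunchRef {
    BunchArray* arr;
    unsigned index;
    unsigned gen;
    bool Valid() const { return arr->Generation() == gen; }
    FBunch* Get() const { return Valid() ? &(*arr)[index] : nullptr; }
};
BunchRef RefTo(BunchArray& arr, unsigned i) { return {&arr, i, arr.Generation()}; }

// Simulated drawer: processing a wall line can start a new bunch (the nested
// StartBunch path in the report), which may grow the array mid-loop.
class BunchDrawer {
public:
    BunchArray Bunches;

    unsigned StartBunch(int start, int end) { return Bunches.Push({start, end}); }

    void ProcessSection(int line) {
        // Constructed rule: every even line opens a one-line bunch behind it;
        // the spawned line is odd, so the simulation terminates.
        if (line % 2 == 0) StartBunch(line * 10 + 1, line * 10 + 1);
    }

    // Hazardous form:  FBunch* bunch = &Bunches[bnch];  then bunch->endline
    // after ProcessSection(). Here the bounds are re-indexed on every
    // iteration, so a realloc inside ProcessSection cannot leave a stale read.
    int ProcessBunch(unsigned bnch) {
        int walked = 0;
        for (int line = Bunches[bnch].startline; line <= Bunches[bnch].endline; ++line) {
            ProcessSection(line);   // may grow Bunches
            ++walked;
        }
        return walked;
    }

    // Index-driven queue walk: bunches appended during processing are picked
    // up by the loop without holding an iterator across ProcessBunch.
    int RenderScene() {
        int total = 0;
        for (unsigned i = 0; i < Bunches.Size(); ++i) total += ProcessBunch(i);
        return total;
    }
};

struct ScenarioResult { int lines; unsigned bunches; unsigned generation; };

// One seed bunch covering lines 0..9: lines 0,2,4,6,8 each spawn a bunch, so
// the array grows past its initial capacity while it is still being walked.
ScenarioResult RunScenario() {
    BunchDrawer d;
    d.StartBunch(0, 9);
    int lines = d.RenderScene();
    return {lines, d.Bunches.Size(), d.Bunches.Generation()};
}

// Shows the hazard without touching freed memory: a handle taken before the
// pushes reports itself stale once the buffer has moved.
bool StaleRefDetected() {
    BunchArray a;
    a.Push({0, 9});
    BunchRef r = RefTo(a, 0);
    for (int i = 0; i < 8; ++i) a.Push({i, i});   // forces at least one Grow
    return !r.Valid() && r.Get() == nullptr;
}
```

Built with -fsanitize=address, the hazardous form commented in ProcessBunch produces the same heap-use-after-free signature as the report above, with the free attributed to the realloc inside Grow.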

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Cacodemon345 » Sat May 08, 2021 12:42 am

I enabled AddressSanitizer here and tried to load a SW savegame for reproducing the bug but I got this instead.
Code:
==25163==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100068e4d0 at pc 0x560027ed329d bp 0x7ffe8ab58000 sp 0x7ffe8ab57ff8
READ of size 4 at 0x61100068e4d0 thread T0
    #0 0x560027ed329c in FResourceLump::Unlock() /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:209
    #1 0x560027ed5e46 in FLumpReader::~FLumpReader() /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:63
    #2 0x560027ed5e71 in FLumpReader::~FLumpReader() /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:64
    #3 0x56002795f257 in FileReader::Close() /home/caco345/Raze/source/common/utility/files.h:166
    #4 0x56002795f17f in FileReader::~FileReader() /home/caco345/Raze/source/common/utility/files.h:156
    #5 0x560027ba6018 in ReadSavegame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:130
    #6 0x560027ba9f46 in DoLoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:676
    #7 0x560027baa051 in G_LoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:691
    #8 0x56002821fe96 in FSavegameManager::PerformLoadGame(char const*, bool) /home/caco345/Raze/source/core/menu/loadsavemenu.cpp:117
    #9 0x560027f786bf in FSavegameManagerBase::LoadSavegame(int) /home/caco345/Raze/source/common/menu/savegamemanager.cpp:210
    #10 0x560027f78a23 in AF_FSavegameManager_LoadSavegame /home/caco345/Raze/source/common/menu/savegamemanager.cpp:223
    #11 0x5600280ddeab in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:315
    #12 0x7fe0a75a4736  (<unknown module>)
    #13 0x5600280df126 in VMCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:580
    #14 0x560027f5ac34 in DMenu::CallMenuEvent(int, bool) /home/caco345/Raze/source/common/menu/menu.cpp:328
    #15 0x560027f5d8e8 in M_Responder(event_t*) /home/caco345/Raze/source/common/menu/menu.cpp:768
    #16 0x560027ed6fdc in D_ProcessEvents() /home/caco345/Raze/source/common/engine/d_event.cpp:84
    #17 0x560027b2732a in NetUpdate() /home/caco345/Raze/source/core/d_net.cpp:991
    #18 0x560027b364f2 in TryRunTics() /home/caco345/Raze/source/core/mainloop.cpp:510
    #19 0x560027b36dbf in MainLoop() /home/caco345/Raze/source/core/mainloop.cpp:685
    #20 0x560027b44936 in RunGame() /home/caco345/Raze/source/core/gamecontrol.cpp:1053
    #21 0x560027b40b0c in GameMain() /home/caco345/Raze/source/core/gamecontrol.cpp:556
    #22 0x5600276d2fbc in main /home/caco345/Raze/source/common/platform/posix/sdl/i_main.cpp:194
    #23 0x7fe0c0b58b24 in __libc_start_main ../csu/libc-start.c:332
    #24 0x5600276c45ad in _start (/home/caco345/Raze/build/raze+0x8295ad)

0x61100068e4d0 is located 16 bytes inside of 200-byte region [0x61100068e4c0,0x61100068e588)
freed by thread T0 here:
    #0 0x7fe0c17da067 in operator delete[](void*, unsigned long) (/usr/lib64/libasan.so.6+0xb4067)
    #1 0x560027ec9a79 in FZipFile::~FZipFile() /home/caco345/Raze/source/common/filesystem/file_zip.cpp:361
    #2 0x560027ec9aa7 in FZipFile::~FZipFile() /home/caco345/Raze/source/common/filesystem/file_zip.cpp:362
    #3 0x560027ba5ffa in ReadSavegame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:157
    #4 0x560027ba9f46 in DoLoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:676
    #5 0x560027baa051 in G_LoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:691
    #6 0x56002821fe96 in FSavegameManager::PerformLoadGame(char const*, bool) /home/caco345/Raze/source/core/menu/loadsavemenu.cpp:117
    #7 0x560027f786bf in FSavegameManagerBase::LoadSavegame(int) /home/caco345/Raze/source/common/menu/savegamemanager.cpp:210
    #8 0x560027f78a23 in AF_FSavegameManager_LoadSavegame /home/caco345/Raze/source/common/menu/savegamemanager.cpp:223
    #9 0x5600280ddeab in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:315
    #10 0x7fe0a75a4736  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fe0c17d9227 in operator new[](unsigned long) (/usr/lib64/libasan.so.6+0xb3227)
    #1 0x560027ec7b9d in FZipFile::Open(bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/file_zip.cpp:200
    #2 0x560027ecaa0f in CheckZip(char const*, FileReader&, bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/file_zip.cpp:476
    #3 0x560027ed3463 in FResourceFile::DoOpenResourceFile(char const*, FileReader&, bool, bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:244
    #4 0x560027ed35a7 in FResourceFile::OpenResourceFile(char const*, bool, bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:260
    #5 0x560027ba5ae3 in ReadSavegame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:120
    #6 0x560027ba9f46 in DoLoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:676
    #7 0x560027baa051 in G_LoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:691
    #8 0x56002821fe96 in FSavegameManager::PerformLoadGame(char const*, bool) /home/caco345/Raze/source/core/menu/loadsavemenu.cpp:117
    #9 0x560027f786bf in FSavegameManagerBase::LoadSavegame(int) /home/caco345/Raze/source/common/menu/savegamemanager.cpp:210
    #10 0x560027f78a23 in AF_FSavegameManager_LoadSavegame /home/caco345/Raze/source/common/menu/savegamemanager.cpp:223
    #11 0x5600280ddeab in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:315
    #12 0x7fe0a75a4736  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:209 in FResourceLump::Unlock()
Cacodemon345
Joined: 22 Dec 2017
Discord: Cacodemon345#9151
Github ID: Cacodemon345
Operating System: Other Linux 64-bit
Graphics Processor: ATI/AMD (Modern GZDoom)

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Sat May 08, 2021 1:14 am

Talon1024 wrote: Well, I enabled AddressSanitizer, and it gave me this information, which may be related to these crashes:
  0x0c26806613c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c26806613d0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c26806613e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c26806613f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2680661400: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c2680661410: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2680661420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680661430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680661440: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2680661450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30170==ABORTING

This was from Duke3D E4L1 (It's Impossible)


Thanks, that actually helped. The function was iterating over an array that may have gotten reallocated. It was just dumb luck that it didn't crash on Windows.
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Sat May 08, 2021 1:22 am

Cacodemon345 wrote: I enabled AddressSanitizer here and tried to load a SW savegame for reproducing the bug, but I got this instead.
Code:
==25163==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100068e4d0 at pc 0x560027ed329d bp 0x7ffe8ab58000 sp 0x7ffe8ab57ff8
READ of size 4 at 0x61100068e4d0 thread T0
    #0 0x560027ed329c in FResourceLump::Unlock() /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:209
    #1 0x560027ed5e46 in FLumpReader::~FLumpReader() /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:63
    #2 0x560027ed5e71 in FLumpReader::~FLumpReader() /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:64
    #3 0x56002795f257 in FileReader::Close() /home/caco345/Raze/source/common/utility/files.h:166
    #4 0x56002795f17f in FileReader::~FileReader() /home/caco345/Raze/source/common/utility/files.h:156
    #5 0x560027ba6018 in ReadSavegame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:130
    #6 0x560027ba9f46 in DoLoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:676
    #7 0x560027baa051 in G_LoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:691
    #8 0x56002821fe96 in FSavegameManager::PerformLoadGame(char const*, bool) /home/caco345/Raze/source/core/menu/loadsavemenu.cpp:117
    #9 0x560027f786bf in FSavegameManagerBase::LoadSavegame(int) /home/caco345/Raze/source/common/menu/savegamemanager.cpp:210
    #10 0x560027f78a23 in AF_FSavegameManager_LoadSavegame /home/caco345/Raze/source/common/menu/savegamemanager.cpp:223
    #11 0x5600280ddeab in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:315
    #12 0x7fe0a75a4736  (<unknown module>)
    #13 0x5600280df126 in VMCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:580
    #14 0x560027f5ac34 in DMenu::CallMenuEvent(int, bool) /home/caco345/Raze/source/common/menu/menu.cpp:328
    #15 0x560027f5d8e8 in M_Responder(event_t*) /home/caco345/Raze/source/common/menu/menu.cpp:768
    #16 0x560027ed6fdc in D_ProcessEvents() /home/caco345/Raze/source/common/engine/d_event.cpp:84
    #17 0x560027b2732a in NetUpdate() /home/caco345/Raze/source/core/d_net.cpp:991
    #18 0x560027b364f2 in TryRunTics() /home/caco345/Raze/source/core/mainloop.cpp:510
    #19 0x560027b36dbf in MainLoop() /home/caco345/Raze/source/core/mainloop.cpp:685
    #20 0x560027b44936 in RunGame() /home/caco345/Raze/source/core/gamecontrol.cpp:1053
    #21 0x560027b40b0c in GameMain() /home/caco345/Raze/source/core/gamecontrol.cpp:556
    #22 0x5600276d2fbc in main /home/caco345/Raze/source/common/platform/posix/sdl/i_main.cpp:194
    #23 0x7fe0c0b58b24 in __libc_start_main ../csu/libc-start.c:332
    #24 0x5600276c45ad in _start (/home/caco345/Raze/build/raze+0x8295ad)

0x61100068e4d0 is located 16 bytes inside of 200-byte region [0x61100068e4c0,0x61100068e588)
freed by thread T0 here:
    #0 0x7fe0c17da067 in operator delete[](void*, unsigned long) (/usr/lib64/libasan.so.6+0xb4067)
    #1 0x560027ec9a79 in FZipFile::~FZipFile() /home/caco345/Raze/source/common/filesystem/file_zip.cpp:361
    #2 0x560027ec9aa7 in FZipFile::~FZipFile() /home/caco345/Raze/source/common/filesystem/file_zip.cpp:362
    #3 0x560027ba5ffa in ReadSavegame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:157
    #4 0x560027ba9f46 in DoLoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:676
    #5 0x560027baa051 in G_LoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:691
    #6 0x56002821fe96 in FSavegameManager::PerformLoadGame(char const*, bool) /home/caco345/Raze/source/core/menu/loadsavemenu.cpp:117
    #7 0x560027f786bf in FSavegameManagerBase::LoadSavegame(int) /home/caco345/Raze/source/common/menu/savegamemanager.cpp:210
    #8 0x560027f78a23 in AF_FSavegameManager_LoadSavegame /home/caco345/Raze/source/common/menu/savegamemanager.cpp:223
    #9 0x5600280ddeab in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:315
    #10 0x7fe0a75a4736  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fe0c17d9227 in operator new[](unsigned long) (/usr/lib64/libasan.so.6+0xb3227)
    #1 0x560027ec7b9d in FZipFile::Open(bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/file_zip.cpp:200
    #2 0x560027ecaa0f in CheckZip(char const*, FileReader&, bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/file_zip.cpp:476
    #3 0x560027ed3463 in FResourceFile::DoOpenResourceFile(char const*, FileReader&, bool, bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:244
    #4 0x560027ed35a7 in FResourceFile::OpenResourceFile(char const*, bool, bool, LumpFilterInfo*) /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:260
    #5 0x560027ba5ae3 in ReadSavegame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:120
    #6 0x560027ba9f46 in DoLoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:676
    #7 0x560027baa051 in G_LoadGame(char const*) /home/caco345/Raze/source/core/savegamehelp.cpp:691
    #8 0x56002821fe96 in FSavegameManager::PerformLoadGame(char const*, bool) /home/caco345/Raze/source/core/menu/loadsavemenu.cpp:117
    #9 0x560027f786bf in FSavegameManagerBase::LoadSavegame(int) /home/caco345/Raze/source/common/menu/savegamemanager.cpp:210
    #10 0x560027f78a23 in AF_FSavegameManager_LoadSavegame /home/caco345/Raze/source/common/menu/savegamemanager.cpp:223
    #11 0x5600280ddeab in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/caco345/Raze/source/common/scripting/vm/vmframe.cpp:315
    #12 0x7fe0a75a4736  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /home/caco345/Raze/source/common/filesystem/resourcefile.cpp:209 in FResourceLump::Unlock()


This one should also be fixed now.
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Talon1024 » Sun May 09, 2021 2:02 pm

Unfortunately, it didn't fix the savegame loading issue for me:
Code:
=================================================================
==48504==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000218a90 at pc 0x55f6ff9755db bp 0x7ffefb5a46b0 sp 0x7ffefb5a46a0
READ of size 4 at 0x611000218a90 thread T0
    #0 0x55f6ff9755da in FResourceLump::Unlock() ../source/common/filesystem/resourcefile.cpp:209
    #1 0x55f6ff9783d7 in FLumpReader::~FLumpReader() ../source/common/filesystem/resourcefile.cpp:63
    #2 0x55f6ff978403 in FLumpReader::~FLumpReader() ../source/common/filesystem/resourcefile.cpp:64
    #3 0x55f6ff3df9b8 in FileReader::Close() ../source/common/utility/files.h:166
    #4 0x55f6ff3df8db in FileReader::~FileReader() ../source/common/utility/files.h:156
    #5 0x55f6ff6386d6 in ReadSavegame(char const*) ../source/core/savegamehelp.cpp:130
    #6 0x55f6ff63c732 in DoLoadGame(char const*) ../source/core/savegamehelp.cpp:676
    #7 0x55f6ff63c840 in G_LoadGame(char const*) ../source/core/savegamehelp.cpp:691
    #8 0x55f6ffcd6a16 in FSavegameManager::PerformLoadGame(char const*, bool) ../source/core/menu/loadsavemenu.cpp:117
    #9 0x55f6ffa2004f in FSavegameManagerBase::LoadSavegame(int) ../source/common/menu/savegamemanager.cpp:210
    #10 0x55f6ffa203b0 in AF_FSavegameManager_LoadSavegame ../source/common/menu/savegamemanager.cpp:223
    #11 0x55f6ffb8dcc6 in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) ../source/common/scripting/vm/vmframe.cpp:315
    #12 0x7fb514cf1736  (<unknown module>)
    #13 0x55f6ffb8dc27 in VMScriptFunction::FirstScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) ../source/common/scripting/vm/vmframe.cpp:307
    #14 0x55f6ffb8ef61 in VMCall(VMFunction*, VMValue*, int, VMReturn*, int) ../source/common/scripting/vm/vmframe.cpp:580
    #15 0x55f6ffa014dd in DMenu::CallMenuEvent(int, bool) ../source/common/menu/menu.cpp:328
    #16 0x55f6ffa042eb in M_Responder(event_t*) ../source/common/menu/menu.cpp:768
    #17 0x55f6ff979564 in D_ProcessEvents() ../source/common/engine/d_event.cpp:84
    #18 0x55f6ff5b57d8 in NetUpdate() ../source/core/d_net.cpp:991
    #19 0x55f6ff5c4e9f in TryRunTics() ../source/core/mainloop.cpp:510
    #20 0x55f6ff5c579e in MainLoop() ../source/core/mainloop.cpp:685
    #21 0x55f6ff5d3990 in RunGame() ../source/core/gamecontrol.cpp:1053
    #22 0x55f6ff5cfa17 in GameMain() ../source/core/gamecontrol.cpp:556
    #23 0x55f6ff156b5d in main ../source/common/platform/posix/sdl/i_main.cpp:194
    #24 0x7fb52e8150b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #25 0x55f6ff1487ed in _start (/home/kevinc/Games/code/Raze/build_asan/raze+0x7807ed)

0x611000218a90 is located 16 bytes inside of 200-byte region [0x611000218a80,0x611000218b48)
freed by thread T0 here:
    #0 0x7fb52f407215 in operator delete[](void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111215)
    #1 0x55f6ff96b7d8 in FZipFile::~FZipFile() ../source/common/filesystem/file_zip.cpp:361
    #2 0x55f6ff96b809 in FZipFile::~FZipFile() ../source/common/filesystem/file_zip.cpp:362
    #3 0x55f6ff6386b5 in ReadSavegame(char const*) ../source/core/savegamehelp.cpp:157
    #4 0x55f6ff63c732 in DoLoadGame(char const*) ../source/core/savegamehelp.cpp:676
    #5 0x55f6ff63c840 in G_LoadGame(char const*) ../source/core/savegamehelp.cpp:691
    #6 0x55f6ffcd6a16 in FSavegameManager::PerformLoadGame(char const*, bool) ../source/core/menu/loadsavemenu.cpp:117
    #7 0x55f6ffa2004f in FSavegameManagerBase::LoadSavegame(int) ../source/common/menu/savegamemanager.cpp:210
    #8 0x55f6ffa203b0 in AF_FSavegameManager_LoadSavegame ../source/common/menu/savegamemanager.cpp:223
    #9 0x55f6ffb8dcc6 in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) ../source/common/scripting/vm/vmframe.cpp:315
    #10 0x7fb514cf1736  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fb52f405b47 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10fb47)
    #1 0x55f6ff9698b4 in FZipFile::Open(bool, LumpFilterInfo*) ../source/common/filesystem/file_zip.cpp:200
    #2 0x55f6ff96c7cb in CheckZip(char const*, FileReader&, bool, LumpFilterInfo*) ../source/common/filesystem/file_zip.cpp:476
    #3 0x55f6ff9757a8 in FResourceFile::DoOpenResourceFile(char const*, FileReader&, bool, bool, LumpFilterInfo*) ../source/common/filesystem/resourcefile.cpp:244
    #4 0x55f6ff97591f in FResourceFile::OpenResourceFile(char const*, bool, bool, LumpFilterInfo*) ../source/common/filesystem/resourcefile.cpp:260
    #5 0x55f6ff638191 in ReadSavegame(char const*) ../source/core/savegamehelp.cpp:120
    #6 0x55f6ff63c732 in DoLoadGame(char const*) ../source/core/savegamehelp.cpp:676
    #7 0x55f6ff63c840 in G_LoadGame(char const*) ../source/core/savegamehelp.cpp:691
    #8 0x55f6ffcd6a16 in FSavegameManager::PerformLoadGame(char const*, bool) ../source/core/menu/loadsavemenu.cpp:117
    #9 0x55f6ffa2004f in FSavegameManagerBase::LoadSavegame(int) ../source/common/menu/savegamemanager.cpp:210
    #10 0x55f6ffa203b0 in AF_FSavegameManager_LoadSavegame ../source/common/menu/savegamemanager.cpp:223
    #11 0x55f6ffb8dcc6 in VMNativeFunction::NativeScriptCall(VMFunction*, VMValue*, int, VMReturn*, int) ../source/common/scripting/vm/vmframe.cpp:315
    #12 0x7fb514cf1736  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ../source/common/filesystem/resourcefile.cpp:209 in FResourceLump::Unlock()
Shadow bytes around the buggy address:
  0x0c228003b100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003b110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003b120: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228003b130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003b140: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c228003b150: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003b160: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c228003b170: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228003b180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003b190: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228003b1a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==48504==ABORTING


EDIT: Okay, something VERY weird is happening. For some reason, the ReadSavegame function in savegamehelp.cpp isn't flowing properly. Here's what I got from setting a breakpoint in GDB:
Code:
Thread 1 "raze" hit Breakpoint 1, ReadSavegame (
    name=0x60800161992c "/home/kevinc/.config/raze/ShadowWarrior.ShadowWarrior/save0010.dsave") at ../source/core/savegamehelp.cpp:120
120      auto savereader = FResourceFile::OpenResourceFile(name, true, true);
122      if (savereader != nullptr)
$1 = (FResourceFile *) 0x606000362c00
124         auto lump = savereader->FindLump("info.json");
$2 = (FResourceLump *) 0x7f00ffffc000
125         if (!lump)
$3 = (FResourceLump *) 0x6110002334c8
130         auto file = lump->NewReader();
131         if (G_ValidateSavegame(file, nullptr, false) <= 0)
$4 = {mReader = 0x6040005d5d90}
137         FResourceLump* info = savereader->FindLump("session.json");
138         if (info == nullptr)
$5 = (FResourceLump *) 0x611000233548
144         void* data = info->Lock();
145         FSerializer arc;
$6 = (void *) 0x7fffd8bc3800
146         if (!arc.OpenReader((const char*)data, info->LumpSize))
152         info->Unlock();
155         loadMapBackup(currentLevel->fileName);
156         SerializeSession(arc);
157         delete savereader;
158         return true;
145         FSerializer arc;
130         auto file = lump->NewReader();

Why the heck is it going to line 145 AFTER the "return true" line?
Talon1024
Joined: 27 Jun 2016
Github ID: Talon1024
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit
Graphics Processor: nVidia with Vulkan support

Re: Newrenderer crashes in Woods of the Dark Serpent (SW)

Postby Graf Zahl » Mon May 10, 2021 11:57 am

That's probably the destructor running.
Graf Zahl
Lead GZDoom+Raze Developer
Joined: 19 Jul 2003
Location: Germany
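The destructor ordering behind the GDB trace and Graf's reply, as an added C++ example that is not Raze's code: Lump, ResourceFile and LumpReader are constructed stand-ins for FResourceLump, FZipFile and FLumpReader, and readSavegameBuggy/readSavegameFixed mirror only the shape of ReadSavegame. The weak_ptr is this example's way of detecting the freed lump instead of crashing on it; Raze's actual fix is not shown here.

```cpp
#include <memory>
#include <string>
#include <vector>

using EventLog = std::vector<std::string>;

// Constructed stand-ins for the objects in ReadSavegame (not Raze's classes):
// a resource file owns its lumps; a reader locks a lump while open and
// unlocks it in its destructor, like FLumpReader::~FLumpReader in the trace.
struct Lump { std::string name; int locks = 0; };

struct ResourceFile {
    std::vector<std::shared_ptr<Lump>> lumps;   // freed together with the file
    EventLog* log;
    explicit ResourceFile(EventLog* l) : log(l) {
        auto info = std::make_shared<Lump>();
        info->name = "info.json";
        lumps.push_back(info);
    }
    ~ResourceFile() { log->push_back("delete savereader"); }   // lumps die right after
    std::shared_ptr<Lump> FindLump(const std::string& n) const {
        for (const auto& l : lumps) if (l->name == n) return l;
        return nullptr;
    }
};

// Holds only a weak reference so the destructor can detect a dead lump and
// log it, instead of dereferencing freed memory as the real code did.
struct LumpReader {
    std::weak_ptr<Lump> lump;
    EventLog* log;
    LumpReader(const std::shared_ptr<Lump>& l, EventLog* lg) : lump(l), log(lg) {
        ++l->locks;
        log->push_back("lock " + l->name);
    }
    ~LumpReader() {
        if (auto l = lump.lock()) { --l->locks; log->push_back("unlock " + l->name); }
        else log->push_back("unlock on freed lump");   // the use-after-free, caught
    }
};

// Same shape as the GDB trace: `file` is created at "line 130", the owning
// file is deleted at "line 157", and `return` comes after both in source
// order, yet ~LumpReader runs only after the return value is computed.
bool readSavegameBuggy(EventLog* log) {
    ResourceFile* savereader = new ResourceFile(log);
    LumpReader file(savereader->FindLump("info.json"), log);   // line 130
    delete savereader;                                          // line 157: lumps freed
    return true;                                                // ~LumpReader runs here
}

// One fix: end the reader's lifetime before the file's. Declaring the owner
// first (as unique_ptr) already gives reverse-order destruction; the inner
// block makes the intent explicit.
bool readSavegameFixed(EventLog* log) {
    std::unique_ptr<ResourceFile> savereader(new ResourceFile(log));
    {
        LumpReader file(savereader->FindLump("info.json"), log);
        // ... validate and read the lump here ...
    }   // ~LumpReader: the lump is still alive
    return true;   // unique_ptr deletes the file last
}
```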
