Download the test.pk3 attached. Give SMM in console. A few seconds later, crash.
Re: Odd unmorph crashing bug
Posted: Sat Aug 13, 2016 4:37 pm
by Edward-san
It would be interesting to know the values of 'type' and, if it's not null, 'i' and 'type->Slot'.
Re: Camera + Morph = Crash
Posted: Mon Aug 15, 2016 8:41 am
by Major Cooke
I have managed to reproduce it on a much simpler scale. Attached in the first post is a test example.
"Give SMM" in console. Don't mind the fact that you cannot move.
A couple seconds later, the game crashes from the morph expiring.
Re: Camera + Morph = Crash
Posted: Mon Aug 15, 2016 9:02 am
by Graf Zahl
Still very much 'ugh'.
For some reason it encounters a player class object that isn't fully initialized and crashes on the garbage data.
The big problem is that cause and effect are in completely separate parts of the code.
Re: Camera + Morph = Crash
Posted: Mon Aug 15, 2016 12:31 pm
by Major Cooke
Youch. Yeah, it is weird when it happens especially because the player's view is just outside of the actor. Hmmm...
Re: Camera + Morph = Crash
Posted: Mon Aug 15, 2016 3:30 pm
by Edward-san
Regarding the original problem, I got this asan error with the wad:
==1759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00022cd38 at pc 0x000000d44c4d bp 0x7fffffffc0b0 sp 0x7fffffffc0a0
READ of size 8 at 0x61a00022cd38 thread T0
#0 0xd44c4c in P_UndoPlayerMorph(player_t*, player_t*, int, bool) /home/edward-san/zdoom/trunk/src/g_shared/a_morph.cpp:256
#1 0xd2fc44 in APowerMorph::EndEffect() /home/edward-san/zdoom/trunk/src/g_shared/a_artifacts.cpp:1972
#2 0xd26d3f in APowerup::Destroy() /home/edward-san/zdoom/trunk/src/g_shared/a_artifacts.cpp:227
#3 0xd53e74 in AInventory::DepleteOrDestroy() /home/edward-san/zdoom/trunk/src/g_shared/a_pickups.cpp:1238
#4 0xa76a7f in AActor::TakeInventory(PClassActor*, int, bool, bool) /home/edward-san/zdoom/trunk/src/p_mobj.cpp:725
#5 0x909398 in cht_Take(player_t*, char const*, int) /home/edward-san/zdoom/trunk/src/m_cheat.cpp:1000
#6 0x850761 in Net_DoCommand(int, unsigned char**, int) /home/edward-san/zdoom/trunk/src/d_net.cpp:2199
#7 0x861a63 in RunNetSpecs(int, int) /home/edward-san/zdoom/trunk/src/d_protocol.cpp:460
#8 0x8ba33b in G_Ticker() /home/edward-san/zdoom/trunk/src/g_game.cpp:1150
#9 0x84ecf1 in TryRunTics() /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
#10 0x83ae41 in D_DoomLoop() /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
#11 0x842043 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
#12 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
#13 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x58cdf8 in _start (/home/edward-san/zdoom/trunk/debug_san/zdoom+0x58cdf8)
0x61a00022cd38 is located 16 bytes to the right of 1192-byte region [0x61a00022c880,0x61a00022cd28)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x901a38 in M_Malloc_Dbg(unsigned long, char const*, int) /home/edward-san/zdoom/trunk/src/m_alloc.cpp:135
#2 0x87f5ad in PClass::CreateNew() const /home/edward-san/zdoom/trunk/src/dobjtype.cpp:3130
#3 0xa8d7ae in AActor::StaticSpawn(PClassActor*, TVector3<double> const&, replace_t, bool) /home/edward-san/zdoom/trunk/src/p_mobj.cpp:4066
#4 0x82a5e5 in Spawn(PClassActor*, TVector3<double> const&, replace_t) /home/edward-san/zdoom/trunk/src/./actor.h:1460
#5 0xeba795 in AF_A_SpawnItemEx /home/edward-san/zdoom/trunk/src/thingdef/thingdef_codeptr.cpp:2986
#6 0xfd596c in VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) /home/edward-san/zdoom/trunk/src/zscript/vmexec.h:496
#7 0x10190eb in VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**) /home/edward-san/zdoom/trunk/src/zscript/vmframe.cpp:392
#8 0x8f575f in FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**) /home/edward-san/zdoom/trunk/src/info.cpp:95
#9 0xaa7e74 in DPSprite::SetState(FState*, bool) /home/edward-san/zdoom/trunk/src/p_pspr.cpp:339
#10 0xab5d64 in DPSprite::Tick() /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1438
#11 0xab5954 in player_t::TickPSprites() /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1392
#12 0xb5952f in P_PlayerThink(player_t*) /home/edward-san/zdoom/trunk/src/p_user.cpp:2647
#13 0xb23639 in P_Ticker() /home/edward-san/zdoom/trunk/src/p_tick.cpp:125
#14 0x8baba5 in G_Ticker() /home/edward-san/zdoom/trunk/src/g_game.cpp:1201
#15 0x84ecf1 in TryRunTics() /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
#16 0x83ae41 in D_DoomLoop() /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
#17 0x842043 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
#18 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
#19 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/edward-san/zdoom/trunk/src/g_shared/a_morph.cpp:256 P_UndoPlayerMorph(player_t*, player_t*, int, bool)
Shadow bytes around the buggy address:
0x0c348003d950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c348003d960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c348003d970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c348003d980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c348003d990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c348003d9a0: 00 00 00 00 00 fa fa[fa]fa fa fa fa fa fa fa fa
0x0c348003d9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348003d9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348003d9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c348003d9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c348003d9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==1759==ABORTING
#2 0x0000000000d44c4d in P_UndoPlayerMorph (activator=0x17a4040 <players>,
player=0x17a4040 <players>, unmorphflag=0, force=true)
at /home/edward-san/zdoom/trunk/src/g_shared/a_morph.cpp:256
#3 0x0000000000d2fc45 in APowerMorph::EndEffect (this=0x61a000241e80)
at /home/edward-san/zdoom/trunk/src/g_shared/a_artifacts.cpp:1972
#4 0x0000000000d26d40 in APowerup::Destroy (this=0x61a000241e80)
at /home/edward-san/zdoom/trunk/src/g_shared/a_artifacts.cpp:227
#5 0x0000000000d53e75 in AInventory::DepleteOrDestroy (this=0x61a000241e80)
at /home/edward-san/zdoom/trunk/src/g_shared/a_pickups.cpp:1238
#6 0x0000000000a76a80 in AActor::TakeInventory (this=0x61b0000e6280,
itemclass=0x6150000b2280, amount=1, fromdecorate=false,
notakeinfinite=false) at /home/edward-san/zdoom/trunk/src/p_mobj.cpp:725
#7 0x0000000000909399 in cht_Take (player=0x17a4040 <players>,
name=0x603000394ed0 "PowerTwilightSparkleGiantMorph", amount=0)
at /home/edward-san/zdoom/trunk/src/m_cheat.cpp:1000
#8 0x0000000000850762 in Net_DoCommand (type=47, stream=0x7fffffffc880,
player=0) at /home/edward-san/zdoom/trunk/src/d_net.cpp:2199
#9 0x0000000000861a64 in RunNetSpecs (player=0, buf=11)
at /home/edward-san/zdoom/trunk/src/d_protocol.cpp:460
#10 0x00000000008ba33c in G_Ticker ()
at /home/edward-san/zdoom/trunk/src/g_game.cpp:1150
#11 0x000000000084ecf2 in TryRunTics ()
at /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
#12 0x000000000083ae42 in D_DoomLoop ()
at /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
#13 0x0000000000842044 in D_DoomMain ()
at /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
#14 0x000000000059ba06 in main (argc=11, argv=0x7fffffffde58)
at /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
Incidentally, I got another asan error when I just got the morphing item and then directly removed the powerup (no camera switch):
#2 0x0000000000fc6c58 in VMExec_Checked::Exec (
stack=0x17aa860 <FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**)::stack>, pc=0x61d0001a9af8, ret=0x7fffffffc530, numret=1)
at /home/edward-san/zdoom/trunk/src/zscript/vmexec.h:110
#3 0x00000000010190ec in VMFrameStack::Call (
this=0x17aa860 <FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**)::stack>, func=0x60c00031cb40, params=0x7fffffffc570, numparams=3,
results=0x7fffffffc530, numresults=1, trap=0x0)
at /home/edward-san/zdoom/trunk/src/zscript/vmframe.cpp:392
#4 0x00000000008f57e0 in FState::CallAction (this=0x6270000d9150,
self=0x61a00021b480, stateowner=0x61a00021b480, info=0x7fffffffc690,
stateret=0x7fffffffc650) at /home/edward-san/zdoom/trunk/src/info.cpp:101
#5 0x0000000000aa7e75 in DPSprite::SetState (this=0x60d000046660,
newstate=0x6270000d9150, pending=false)
at /home/edward-san/zdoom/trunk/src/p_pspr.cpp:339
#6 0x0000000000ab5d65 in DPSprite::Tick (this=0x60d000046660)
at /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1438
#7 0x0000000000ab5955 in player_t::TickPSprites (this=0x17a4040 <players>)
at /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1392
#8 0x0000000000b59530 in P_PlayerThink (player=0x17a4040 <players>)
at /home/edward-san/zdoom/trunk/src/p_user.cpp:2647
#9 0x0000000000b2363a in P_Ticker ()
at /home/edward-san/zdoom/trunk/src/p_tick.cpp:125
#10 0x00000000008baba6 in G_Ticker ()
at /home/edward-san/zdoom/trunk/src/g_game.cpp:1201
#11 0x000000000084ecf2 in TryRunTics ()
at /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
#12 0x000000000083ae42 in D_DoomLoop ()
at /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
#13 0x0000000000842044 in D_DoomMain ()
at /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
#14 0x000000000059ba06 in main (argc=11, argv=0x7fffffffde58)
at /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
with these messages from the log before the crash:
user_lastHP is not a user variable in class DoomPlayer
user_camang is not a user variable in class DoomPlayer
user_dirget is not a user variable in class DoomPlayer
user_dirforward is not a user variable in class DoomPlayer
user_dirside is not a user variable in class DoomPlayer
I wonder what's going on...
Re: Camera + Morph = Crash
Posted: Mon Aug 15, 2016 3:35 pm
by Major Cooke
Try the new test.pk3.
Now, if you're wondering, overlays are not cleared when unmorphing. Something I told Leonard about, but he said they'll be fixed when Actor Overlays are implemented. But as you can see from the new test.pk3, there are no overlays at all.
Re: Camera + Morph = Crash
Posted: Mon Aug 15, 2016 4:00 pm
by Edward-san
Urgh, please use a different name for the wad instead of the repetitive 'test'. Anyways, I see no change in either the gdb or the asan output.
Re: Camera + Morph = Crash
Posted: Sun Aug 21, 2016 7:21 am
by Major Cooke
Meh.
Anyway, anything else I can try to do for this? Or is this something randi has to look into?
Re: Camera + Morph = Crash
Posted: Sun Aug 21, 2016 1:28 pm
by Edward-san
Can you add a test wad which does just morph and unmorph? In a post above, I mentioned a problem with those steps and would like to check it again.
The old actor's information is lost, making the program crash when attempting to unmorph, because it's trying to get the player's info from an invalid actor.
In order to fix this, I suspect the old actor pointer should be stored in a different place than the 'tracer'. Graf?
Spawn:
    PLAY A 95 NoDelay
    {
        SetPlayerProperty(0,1,PROP_TOTALLYFROZEN);
        A_PrintBold("Camera On");
        A_SpawnItemEx("ChaseCam",-10,0,32,0,0,0,0,SXF_NOCHECKPOSITION|SXF_SETMASTER|SXF_ISTRACER,0,32700);
        ChangeCamera(32700,0,0);
    }
    PLAY A 0
    {
        A_RemoveChildren(true,RMVF_EVERYTHING,"ChaseCam");
    }
This doesn't crash, possibly backing up Edward's words.
Re: Camera + Morph = Crash
Posted: Wed Aug 31, 2016 2:49 pm
by Graf Zahl
Edward-san wrote:
In order to fix this, I suspect the old actor pointer should be stored in a different place than the 'tracer'. Graf?
Correct. Since it's no longer safe to use tracer for this, a different variable is needed.
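Added example, not ZDoom's code and not the change the project eventually committed: a small C++ model of the failure mode Edward-san and Graf describe above, where the shared 'tracer' link doubles as the unmorph back-pointer and is then repointed by A_SpawnItemEx with SXF_ISTRACER, so the unmorph path reads a much smaller ChaseCam object as if it were a player actor. It shows the two mitigations discussed (a dedicated field for the link, and a type check before the downcast) and carries the offset arithmetic for the ASan report earlier in the thread. Every type name, the field 'morphOrigin', the 'kind' tag and the flag value are invented for the model; only the addresses and sizes in the triage section come from the report on this page.

```cpp
// Added illustration, not ZDoom code. Models the tracer-aliasing bug from this
// thread and two fixes. All names below are invented for the model.
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum class Kind { Generic, PlayerPawn, ChaseCam };

struct Actor {
    Kind kind;
    Actor* tracer = nullptr;      // general-purpose link; scripts may rewrite it at any time
    Actor* morphOrigin = nullptr; // dedicated slot for the unmorph link (the proposed fix)
    explicit Actor(Kind k) : kind(k) {}
};

struct ChaseCam : Actor {         // small helper object, like the camera in test.pk3
    ChaseCam() : Actor(Kind::ChaseCam) {}
    int32_t spare[4] = {};
};

struct PlayerPawn : Actor {       // much larger: carries player-only state
    PlayerPawn() : Actor(Kind::PlayerPawn) {}
    uint8_t inventory[1024] = {};
    int32_t health = 100;         // sits far beyond the end of a ChaseCam allocation
};

constexpr unsigned SXF_ISTRACER = 1u << 0;   // model flag; the real value is not this

// Legacy morph: the original pawn is parked in the shared 'tracer' link.
void morphLegacy(PlayerPawn& original, Actor& morphed) { morphed.tracer = &original; }

// Fixed morph: the original pawn goes in a slot nothing else writes.
void morphFixed(PlayerPawn& original, Actor& morphed) { morphed.morphOrigin = &original; }

// Unrelated script code: A_SpawnItemEx with SXF_ISTRACER repoints 'tracer'
// at the new child and silently destroys the morph link.
void spawnItemEx(Actor& self, Actor& child, unsigned flags) {
    if (flags & SXF_ISTRACER) self.tracer = &child;
}

// The crash pattern: trusts that 'tracer' is still a PlayerPawn. With 'tracer'
// pointing at a ChaseCam, reading 'health' runs past the smaller object, which
// is what ASan reported. Kept for comparison only; never called below.
int unmorphLegacyUnchecked(Actor& morphed) {
    return static_cast<PlayerPawn*>(morphed.tracer)->health;   // heap-buffer-overflow when mis-pointed
}

// Mitigation 1: verify the dynamic type before the downcast and fail closed.
PlayerPawn* unmorphLegacyChecked(Actor& morphed) {
    Actor* t = morphed.tracer;
    if (t == nullptr || t->kind != Kind::PlayerPawn) return nullptr;
    return static_cast<PlayerPawn*>(t);
}

// Mitigation 2 (Graf's suggestion): take the link from the dedicated slot.
PlayerPawn* unmorphFixed(Actor& morphed) {
    Actor* o = morphed.morphOrigin;
    if (o == nullptr || o->kind != Kind::PlayerPawn) return nullptr;
    return static_cast<PlayerPawn*>(o);
}

// Scenario from the thread: morph, spawn a tracer-setting camera, unmorph.
bool legacyLinkSurvivesSpawn() {
    PlayerPawn original; ChaseCam cam; Actor morphed(Kind::Generic);
    morphLegacy(original, morphed);
    spawnItemEx(morphed, cam, SXF_ISTRACER);          // clobbers the link
    return unmorphLegacyChecked(morphed) == &original;
}

bool fixedLinkSurvivesSpawn() {
    PlayerPawn original; ChaseCam cam; Actor morphed(Kind::Generic);
    morphFixed(original, morphed);
    spawnItemEx(morphed, cam, SXF_ISTRACER);          // touches only 'tracer'
    return unmorphFixed(morphed) == &original;
}

// Triage arithmetic for an ASan "N bytes to the right of M-byte region" line:
// where inside the assumed type the access landed, and how far past the
// actual allocation it went.
std::ptrdiff_t offsetInRegion(uintptr_t regionStart, uintptr_t addr) {
    return static_cast<std::ptrdiff_t>(addr - regionStart);
}
std::ptrdiff_t bytesRightOfRegion(uintptr_t regionEnd, uintptr_t addr) {
    return static_cast<std::ptrdiff_t>(addr - regionEnd);
}

int main() {
    std::printf("legacy tracer link survives A_SpawnItemEx: %s\n", legacyLinkSurvivesSpawn() ? "yes" : "no");
    std::printf("dedicated link survives A_SpawnItemEx:     %s\n", fixedLinkSurvivesSpawn() ? "yes" : "no");
    // Values from the report in this thread: region [0x61a00022c880,0x61a00022cd28)
    // of 1192 bytes, READ of size 8 at 0x61a00022cd38.
    std::printf("field offset in assumed type: %td, bytes past allocation: %td\n",
                offsetInRegion(0x61a00022c880ULL, 0x61a00022cd38ULL),
                bytesRightOfRegion(0x61a00022cd28ULL, 0x61a00022cd38ULL));
    return 0;
}
```

The triage numbers line up with the report: the read lands at offset 1208 of whatever the code believed the object to be, but the allocation under it (the ChaseCam spawned by A_SpawnItemEx) is only 1192 bytes, so the access starts 16 bytes past its end. A field offset larger than the victim allocation is the usual signature of this kind of pointer aliasing rather than an off-by-one.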
Re: Camera + Morph = Crash
Posted: Wed Aug 31, 2016 2:53 pm
by Edward-san
I hope there's nothing which (ab)used the morphed tracer data...