[7a1274a] Yet another HD segfault: BFG Edition

[Matt]

I think it's related to the "chainsaw crash" here. Both are weapons that I recently converted entirely to ZScript.

Use this version, and a "Release" compile of 7a1274a.

1. Run once to make sure the titular player class is set.
2. Run again with the following parameters: -nomusic -noautoload +map map15 +set sv_cheats 1
3. IDDQD.
4. Fire the BFG.
5. If it does not crash, quit and repeat from step 2. It eventually will.

I have the +set sv_cheats 1 only because I could not initially replicate this crash outside of deathmatch. Turns out it happens in single and -host 1 as well, though it seems to do so less often in single.

GDB output:

Code: Select all

...
[New Thread 0x7fffd37fe700 (LWP 10443)]
[Thread 0x7fffd37fe700 (LWP 10443) exited]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000835ae8 in GC::Mark(DObject**) ()
(gdb) thread 1
[Switching to thread 1 (Thread 0x7ffff7fbe740 (LWP 9917))]
#0  0x0000000000835ae8 in GC::Mark(DObject**) ()
(gdb) bt
#0  0x0000000000835ae8 in GC::Mark(DObject**) ()
#1  0x0000000000835538 in DObject::PropagateMark() ()
#2  0x000000000083b568 in DThinker::PropagateMark() ()
#3  0x0000000000835bb8 in GC::Step() ()
#4  0x000000000083b152 in DThinker::TickThinkers(FThinkerList*, FThinkerList*)
    ()
#5  0x000000000083aed0 in DThinker::RunThinkers() ()
#6  0x0000000000930e53 in P_Ticker() ()
#7  0x00000000008456ba in G_Ticker() ()
#8  0x000000000082b34f in TryRunTics() ()
#9  0x0000000000823cc5 in D_DoomLoop() ()
#10 0x0000000000826ea3 in D_DoomMain() ()
#11 0x0000000000561900 in main ()
(gdb) Quit
(gdb) thread 1
[Switching to thread 1 (Thread 0x7ffff7fbe740 (LWP 9917))]
#0  0x0000000000835ae8 in GC::Mark(DObject**) ()
(gdb) bt
#0  0x0000000000835ae8 in GC::Mark(DObject**) ()
#1  0x0000000000835538 in DObject::PropagateMark() ()
#2  0x000000000083b568 in DThinker::PropagateMark() ()
#3  0x0000000000835bb8 in GC::Step() ()
#4  0x000000000083b152 in DThinker::TickThinkers(FThinkerList*, FThinkerList*)
    ()
#5  0x000000000083aed0 in DThinker::RunThinkers() ()
#6  0x0000000000930e53 in P_Ticker() ()
#7  0x00000000008456ba in G_Ticker() ()
#8  0x000000000082b34f in TryRunTics() ()
#9  0x0000000000823cc5 in D_DoomLoop() ()
#10 0x0000000000826ea3 in D_DoomMain() ()
#11 0x0000000000561900 in main ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 9917] will be killed.

Quit anyway? (y or n) y

[_mental_]

Does it crash in Debug or in RelWithDebInfo configurations? After how many attempts does it crash usually?

[Matt]

Anywhere between 1 and 10, possibly more.

Just tried Debug now once, didn't crash until I hit F10.
Second time instant-startup crash, possibly actually the other one.
Third time no crash.
#4: as #1.
#5: as #3.
#6. Crash just as I hit fire:

Code: Select all

*** Error in `/home/mchan223/doom/./gzdoom': malloc(): smallbin double linked list corrupted: 0x00000000054571e0 ***
/home/mchan223/bin/gzdoom: line 2:  3780 Aborted                 ~/doom/./gzdoom $*

Any possible relation to this by any chance?

[_mental_]

Hard to say, such memory corruption issues are quite difficult to debug even with appropriate tools thanks to their random nature.

[Matt]

I think I managed to get this crash on the 3.1.0 release (compiled as release).

[_mental_]

Without at least line numbers such crash report is almost useless unfortunately.
Actually there is a very little sense to check bugs in 3.1.0 if you can build the latest code to test on.

EDIT: Probably I'm doing something wrong but BFG doesn't fire for me at all. It has some sort of firing animation but no projectile.

[Matt]

I was under the impression that this crash had been a regression of some sort until I tried it with 3.1.0.

Sorry, forgot to mention - you have to hold down the fire key for a second or two before the BFG will shoot. I usually get the crash just before the ball hits the back wall of the far tower (i.e. where you're pointing at when you spawn on map15).

EDIT: Just tried compiling a relwithdebinfo with gcc. Still crash.
EDIT: Swapping libjpeg-8-dev to libjpeg-62-turbo-dev as recommended by the libjpeg-dev dummy package. Still crash.
EDIT: Tried using software. Still crash.
EDIT: Noticed I had nvidia-kernel-3.2.0-4-amd64 when I've actually got linux-image-3.16.0-4-amd64, so switched to 3.16etc. - still crash.

EDIT: Now I got a crash just standing around doing nothing but holding the use key.

Maybe let's just close this or move it to technical since this is extremely likely to be a [Not GZDoom]?

[Matt]

...so, uh

I unplugged the spare wireless mouse I'd been using due to my trackball's mb1 acting up, went back to said trackball, and repeated the steps in the OP well over 10 times without a crash. (I was never able to do this anywhere near 10 times in a row without a crash since I filed this bug report.)

It could be a fluke, but if I don't get a crash in the next few days I think we can close this as [Not GZDoom].

EDIT: Nope, still crashes. Throw computer out 6th-storey window y/y/???