ZDoom

Posted: **Sun May 26, 2019 8:46 am**

Sometimes it happens that during my gameplay with DoomRPG SE, if I use the address sanitizer, I get this crash to the desktop:

Spoiler:

Code: Select all

=================================================================
==15393==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000e4cba8 at pc 0x5594e912e6d6 bp 0x7ffe5b02c010 sp 0x7ffe5b02c000
READ of size 4 at 0x611000e4cba8 thread T0
    #0 0x5594e912e6d5 in DHUDMessageBase* GC::ReadBarrier<DHUDMessageBase>(DHUDMessageBase*&) /home/edward-san/zdoom/gzdoom/trunk/src/./dobjgc.h:99
    #1 0x5594e912def7 in TObjPtr<DHUDMessageBase*>::operator DHUDMessageBase*() /home/edward-san/zdoom/gzdoom/trunk/src/./dobjgc.h:212
    #2 0x5594e91234d7 in DBaseStatusBar::Tick() /home/edward-san/zdoom/gzdoom/trunk/src/g_statusbar/shared_sbar.cpp:746
    #3 0x5594e94e8b1f in SBar_Tick /home/edward-san/zdoom/gzdoom/trunk/src/scripting/vmthunks.cpp:2273
    #4 0x7ff97c04b814  (<unknown module>)
    #5 0x5594e96bdd1a in VMCall(VMFunction*, VMValue*, int, VMReturn*, int) /home/edward-san/zdoom/gzdoom/trunk/src/scripting/vm/vmframe.cpp:569
    #6 0x5594e912385d in DBaseStatusBar::CallTick() /home/edward-san/zdoom/gzdoom/trunk/src/g_statusbar/shared_sbar.cpp:790
    #7 0x5594e8ed41e5 in P_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/p_tick.cpp:168
    #8 0x5594e8c4add6 in G_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/g_game.cpp:1192
    #9 0x5594e8c116b5 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1984
    #10 0x5594e8bf8d15 in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1026
    #11 0x5594e8c016c6 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2716
    #12 0x5594e7e17dfc in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:263
    #13 0x7ff997fb1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5594e7e08f99 in _start (/home/edward-san/zdoom/gzdoom/trunk/debug-asan/gzdoom+0x924f99)

0x611000e4cba8 is located 40 bytes inside of 216-byte region [0x611000e4cb80,0x611000e4cc58)
freed by thread T0 here:
    #0 0x7ff999e43bbf in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10bbbf)
    #1 0x5594e9927dd5 in M_Free(void*) /home/edward-san/zdoom/gzdoom/trunk/src/utility/m_alloc.cpp:208
    #2 0x5594e8b73d90 in DObject::operator delete(void*) /home/edward-san/zdoom/gzdoom/trunk/src/./dobject.h:279
    #3 0x5594e90e01d7 in DHUDMessageFadeOut::~DHUDMessageFadeOut() /home/edward-san/zdoom/gzdoom/trunk/src/g_statusbar/sbar.h:168
    #4 0x5594e8c2bf88 in SweepList /home/edward-san/zdoom/gzdoom/trunk/src/dobjgc.cpp:214
    #5 0x5594e8c2c8a9 in SingleStep /home/edward-san/zdoom/gzdoom/trunk/src/dobjgc.cpp:371
    #6 0x5594e8c2ca41 in GC::Step() /home/edward-san/zdoom/gzdoom/trunk/src/dobjgc.cpp:413
    #7 0x5594e90919d6 in CheckGC /home/edward-san/zdoom/gzdoom/trunk/src/./dobjgc.h:110
    #8 0x5594e9094870 in FThinkerList::TickThinkers(FThinkerList*) /home/edward-san/zdoom/gzdoom/trunk/src/g_shared/dthinker.cpp:577
    #9 0x5594e90922be in FThinkerCollection::RunThinkers(FLevelLocals*) /home/edward-san/zdoom/gzdoom/trunk/src/g_shared/dthinker.cpp:114
    #10 0x5594e8ed4025 in P_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/p_tick.cpp:154
    #11 0x5594e8c4add6 in G_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/g_game.cpp:1192
    #12 0x5594e8c116b5 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1984
    #13 0x5594e8bf8d15 in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1026
    #14 0x5594e8c016c6 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2716
    #15 0x5594e7e17dfc in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:263
    #16 0x7ff997fb1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7ff999e43fb8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10bfb8)
    #1 0x5594e9927c17 in M_Malloc_Dbg(unsigned long, char const*, int) /home/edward-san/zdoom/gzdoom/trunk/src/utility/m_alloc.cpp:137
    #2 0x5594e8b73d57 in DObject::operator new(unsigned long, DObject::nonew&) /home/edward-san/zdoom/gzdoom/trunk/src/./dobject.h:268
    #3 0x5594e8d0aa50 in DHUDMessageFadeOut* Create<DHUDMessageFadeOut, FFont*&, FString&, float&, float&, int&, int&, EColorRange&, float&, float&>(FFont*&, FString&, float&, float&, int&, int&, EColorRange&, float&, float&) (/home/edward-san/zdoom/gzdoom/trunk/debug-asan/gzdoom+0x1826a50)
    #4 0x5594e8ce22d6 in DLevelScript::RunScript() /home/edward-san/zdoom/gzdoom/trunk/src/p_acs.cpp:8670
    #5 0x5594e8cff66e in P_StartScript(FLevelLocals*, AActor*, line_t*, int, char const*, int const*, int, int) /home/edward-san/zdoom/gzdoom/trunk/src/p_acs.cpp:10400
    #6 0x5594e8dc749f in LS_ACS_ExecuteWithResult /home/edward-san/zdoom/gzdoom/trunk/src/p_lnspec.cpp:1972
    #7 0x5594e8dd0cc9 in P_ExecuteSpecial(FLevelLocals*, int, line_t*, AActor*, bool, int, int, int, int, int) /home/edward-san/zdoom/gzdoom/trunk/src/p_lnspec.cpp:3936
    #8 0x5594e8cb73ca in DLevelScript::CallFunction(int, int, int*) /home/edward-san/zdoom/gzdoom/trunk/src/p_acs.cpp:5754
    #9 0x5594e8cc834f in DLevelScript::RunScript() /home/edward-san/zdoom/gzdoom/trunk/src/p_acs.cpp:7121
    #10 0x5594e8ca3e02 in DACSThinker::Tick() /home/edward-san/zdoom/gzdoom/trunk/src/p_acs.cpp:3421
    #11 0x5594e90961ac in DThinker::CallTick() /home/edward-san/zdoom/gzdoom/trunk/src/g_shared/dthinker.cpp:854
    #12 0x5594e9094825 in FThinkerList::TickThinkers(FThinkerList*) /home/edward-san/zdoom/gzdoom/trunk/src/g_shared/dthinker.cpp:575
    #13 0x5594e90922be in FThinkerCollection::RunThinkers(FLevelLocals*) /home/edward-san/zdoom/gzdoom/trunk/src/g_shared/dthinker.cpp:114
    #14 0x5594e8ed4025 in P_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/p_tick.cpp:154
    #15 0x5594e8c4add6 in G_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/g_game.cpp:1192
    #16 0x5594e8c116b5 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1984
    #17 0x5594e8bf8d15 in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1026
    #18 0x5594e8c016c6 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2716
    #19 0x5594e7e17dfc in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:263
    #20 0x7ff997fb1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free /home/edward-san/zdoom/gzdoom/trunk/src/./dobjgc.h:99 in DHUDMessageBase* GC::ReadBarrier<DHUDMessageBase>(DHUDMessageBase*&)
Shadow bytes around the buggy address:
  0x0c22801c1920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22801c1930: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c22801c1940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c22801c1950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22801c1960: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c22801c1970: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c22801c1980: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c22801c1990: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c22801c19a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22801c19b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801c19c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==15393==ABORTING

Moreover, it seems to happen either when multiple events are triggered (which means more HUD messages), or either while doing shopping in the DoomRPG menu. It's really hard to reproduce reliably, so I leave this for now (I won't be able to get a stack trace till tomorrow) (see later).

I got this with Ubuntu 18.04 x64, I don't know if it happens on OSX, I can try later. and also with OSX (makefile + clang + address sanitizer).

Also I got this stack trace (I really miss the 'backtrace full' from gdb):

Spoiler:

I reproduced this way: just run `gzdoom -iwad freedoom2.wad -file DoomRPG/DoomRPG` (provided you extracted the zip from github and renamed the folder from DoomRPG-master to DoomRPG), then start a new game and play for some time.

I'll try to make a suitable save file which should allow for easy reproduction of the bug. Managed to do it. See the attached save file.

When you load it, you should start from map01 of freedoom2, with the player having some cheats (god2 + notarget + infinite ammo) and a lot of summoned cyberdemons you'll need to kill them. During the process, in a way or in another, you'll get the crash. If it doesn't happen, try again.

Posted: **Fri May 31, 2019 7:09 am**

PR with the fix. It's garbage collection in conjunction with linker lists, i.e. usual things, nothing special.

Posted: **Thu Jun 06, 2019 12:56 am**

It was fixed in 5b32c5b.

ZDoom

[??-gd9da513f7]Use after free with HUDMessages and DoomRPG

[??-gd9da513f7]Use after free with HUDMessages and DoomRPG

Re: [??-gd9da513f7]Use after free with HUDMessages and DoomR

Re: [??-gd9da513f7]Use after free with HUDMessages and DoomR