[??-g20b6395cf] Use after free with HUDMessages and DoomRPG
Posted: Wed Jun 19, 2019 3:08 pm
by Edward-san
Yes, it's the same bug as here, as apparently not everything is fixed. I managed to make gzdoom crash again with a more recent build. See this report from the address sanitizer:
How to reproduce this (happens by trial and error): load the same save file from the other bug report, then bind two keys to 'mdk' and 'summon cyberdemon', then press the key for 'mdk', then after a few moments (like half a second) press the key for 'summon cyberdemon', then again, after a few moments, 'mdk' and repeat. It will crash one way or another.

Code:
=================================================================
==97800==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100055a068 at pc 0x000102d11830 bp 0x7ffeeebd4730 sp 0x7ffeeebd4728
READ of size 4 at 0x61100055a068 thread T0
    #0 0x102d1182f in DHUDMessageBase* GC::ReadBarrier<DHUDMessageBase>(DHUDMessageBase*&) dobjgc.h:99
    #1 0x102cfdef4 in TObjPtr<DHUDMessageBase*>::operator DHUDMessageBase*() dobjgc.h:212
    #2 0x102d01823 in DBaseStatusBar::Tick() shared_sbar.cpp:746
    #3 0x1032e3d63 in SBar_Tick(DBaseStatusBar*) vmthunks.cpp:2273
    #4 0x10ef94139 (<unknown module>)
    #5 0x102d01e8e in DBaseStatusBar::CallTick() shared_sbar.cpp:790
    #6 0x1029a6304 in P_Ticker() p_tick.cpp:168
    #7 0x1025eb1ab in G_Ticker() g_game.cpp:1192
    #8 0x102597fe7 in TryRunTics() d_net.cpp:1984
    #9 0x102572573 in D_DoomLoop() d_main.cpp:1027
    #10 0x10257a403 in D_DoomMain() d_main.cpp:2717
    #11 0x101042619 in OriginalMainTry(int, char**) i_main.mm:176
    #12 0x101047b1d in OriginalMainExcept(int, char**) i_main_except.cpp:49
    #13 0x101043a88 in (anonymous namespace)::OriginalMain(int, char**) i_main.mm:211
    #14 0x1010434da in -[ApplicationController applicationDidFinishLaunching:] i_main.mm:312
    #15 0x7fff45525595 in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (CoreFoundation:x86_64h+0x9e595)
    #16 0x7fff4552550f in ___CFXRegistrationPost_block_invoke (CoreFoundation:x86_64h+0x9e50f)
    #17 0x7fff45525479 in _CFXRegistrationPost (CoreFoundation:x86_64h+0x9e479)
    #18 0x7fff4552d927 in ___CFXNotificationPost_block_invoke (CoreFoundation:x86_64h+0xa6927)
    #19 0x7fff45496383 in -[_CFXNotificationRegistrar find:object:observer:enumerator:] (CoreFoundation:x86_64h+0xf383)
    #20 0x7fff45495736 in _CFXNotificationPost (CoreFoundation:x86_64h+0xe736)
    #21 0x7fff4771b06a in -[NSNotificationCenter postNotificationName:object:userInfo:] (Foundation:x86_64+0x1206a)
    #22 0x7fff42b4e1a7 in -[NSApplication _postDidFinishNotification] (AppKit:x86_64+0x211a7)
    #23 0x7fff42b4dafa in -[NSApplication _sendFinishLaunchingNotification] (AppKit:x86_64+0x20afa)
    #24 0x7fff42b4bc4e in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (AppKit:x86_64+0x1ec4e)
    #25 0x7fff42b4b89e in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (AppKit:x86_64+0x1e89e)
    #26 0x7fff47764beb in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (Foundation:x86_64+0x5bbeb)
    #27 0x7fff47764a68 in _NSAppleEventManagerGenericHandler (Foundation:x86_64+0x5ba68)
    #28 0x7fff466e6396 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (AE:x86_64+0x9396)
    #29 0x7fff466e5c28 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (AE:x86_64+0x8c28)
    #30 0x7fff466e5b00 in aeProcessAppleEvent (AE:x86_64+0x8b00)
    #31 0x7fff447b6e96 in AEProcessAppleEvent (HIToolbox:x86_64+0x13e96)
    #32 0x7fff42b47c7d in _DPSNextEvent (AppKit:x86_64+0x1ac7d)
    #33 0x7fff42b4671e in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (AppKit:x86_64+0x1971e)
    #34 0x7fff42b4083b in -[NSApplication run] (AppKit:x86_64+0x1383b)
    #35 0x101044dc2 in main i_main.mm:537
    #36 0x7fff713f03d4 in start (libdyld.dylib:x86_64+0x163d4)

0x61100055a068 is located 40 bytes inside of 216-byte region [0x61100055a040,0x61100055a118)
freed by thread T0 here:
    #0 0x106caa20d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c20d)
    #1 0x1039aa55f in M_Free(void*) m_alloc.cpp:208
    #2 0x1024b06a4 in DObject::operator delete(void*) dobject.h:279
    #3 0x102c989e1 in DHUDMessageFadeOut::~DHUDMessageFadeOut() sbar.h:168
    #4 0x1025c144d in GC::SweepList(DObject**, unsigned long, unsigned long*) dobjgc.cpp:214
    #5 0x1025bef1a in GC::SingleStep() dobjgc.cpp:371
    #6 0x1025beca8 in GC::Step() dobjgc.cpp:413
    #7 0x102c2e93c in GC::CheckGC() dobjgc.h:110
    #8 0x102c2992c in FThinkerList::TickThinkers(FThinkerList*) dthinker.cpp:577
    #9 0x102c28785 in FThinkerCollection::RunThinkers(FLevelLocals*) dthinker.cpp:114
    #10 0x1029a6145 in P_Ticker() p_tick.cpp:154
    #11 0x1025eb1ab in G_Ticker() g_game.cpp:1192
    #12 0x102597fe7 in TryRunTics() d_net.cpp:1984
    #13 0x102572573 in D_DoomLoop() d_main.cpp:1027
    #14 0x10257a403 in D_DoomMain() d_main.cpp:2717
    #15 0x101042619 in OriginalMainTry(int, char**) i_main.mm:176
    #16 0x101047b1d in OriginalMainExcept(int, char**) i_main_except.cpp:49
    #17 0x101043a88 in (anonymous namespace)::OriginalMain(int, char**) i_main.mm:211
    #18 0x1010434da in -[ApplicationController applicationDidFinishLaunching:] i_main.mm:312
    #19 0x7fff45525595 in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (CoreFoundation:x86_64h+0x9e595)
    #20 0x7fff4552550f in ___CFXRegistrationPost_block_invoke (CoreFoundation:x86_64h+0x9e50f)
    #21 0x7fff45525479 in _CFXRegistrationPost (CoreFoundation:x86_64h+0x9e479)
    #22 0x7fff4552d927 in ___CFXNotificationPost_block_invoke (CoreFoundation:x86_64h+0xa6927)
    #23 0x7fff45496383 in -[_CFXNotificationRegistrar find:object:observer:enumerator:] (CoreFoundation:x86_64h+0xf383)
    #24 0x7fff45495736 in _CFXNotificationPost (CoreFoundation:x86_64h+0xe736)
    #25 0x7fff4771b06a in -[NSNotificationCenter postNotificationName:object:userInfo:] (Foundation:x86_64+0x1206a)
    #26 0x7fff42b4e1a7 in -[NSApplication _postDidFinishNotification] (AppKit:x86_64+0x211a7)
    #27 0x7fff42b4dafa in -[NSApplication _sendFinishLaunchingNotification] (AppKit:x86_64+0x20afa)
    #28 0x7fff42b4bc4e in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (AppKit:x86_64+0x1ec4e)
    #29 0x7fff42b4b89e in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (AppKit:x86_64+0x1e89e)

previously allocated by thread T0 here:
    #0 0x106caa053 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c053)
    #1 0x1039aa36b in M_Malloc_Dbg(unsigned long, char const*, int) m_alloc.cpp:137
    #2 0x1024cac94 in DObject::operator new(unsigned long, DObject::nonew&) dobject.h:268
    #3 0x102705f96 in DHUDMessageFadeOut* Create<DHUDMessageFadeOut, FFont*&, FString&, float&, float&, int&, int&, EColorRange&, float&, float&>(FFont*&&&, FString&&&, float&&&, float&&&, int&&&, int&&&, EColorRange&&&, float&&&, float&&&) dobject.h:361
    #4 0x1026a7e31 in DLevelScript::RunScript() p_acs.cpp:8670
    #5 0x10270bf5a in P_StartScript(FLevelLocals*, AActor*, line_t*, int, char const*, int const*, int, int) p_acs.cpp:10400
    #6 0x10281b841 in LS_ACS_ExecuteWithResult(FLevelLocals*, line_t*, AActor*, bool, int, int, int, int, int) p_lnspec.cpp:1972
    #7 0x102810b2f in P_ExecuteSpecial(FLevelLocals*, int, line_t*, AActor*, bool, int, int, int, int, int) p_lnspec.cpp:3936
    #8 0x1026f2460 in DLevelScript::CallFunction(int, int, int*) p_acs.cpp:5754
    #9 0x10267d1c8 in DLevelScript::RunScript() p_acs.cpp:7121
    #10 0x1026d2c40 in DACSThinker::Tick() p_acs.cpp:3421
    #11 0x102c2e83f in DThinker::CallTick() dthinker.cpp:854
    #12 0x102c298b2 in FThinkerList::TickThinkers(FThinkerList*) dthinker.cpp:575
    #13 0x102c28785 in FThinkerCollection::RunThinkers(FLevelLocals*) dthinker.cpp:114
    #14 0x1029a6145 in P_Ticker() p_tick.cpp:154
    #15 0x1025eb1ab in G_Ticker() g_game.cpp:1192
    #16 0x102597fe7 in TryRunTics() d_net.cpp:1984
    #17 0x102572573 in D_DoomLoop() d_main.cpp:1027
    #18 0x10257a403 in D_DoomMain() d_main.cpp:2717
    #19 0x101042619 in OriginalMainTry(int, char**) i_main.mm:176
    #20 0x101047b1d in OriginalMainExcept(int, char**) i_main_except.cpp:49
    #21 0x101043a88 in (anonymous namespace)::OriginalMain(int, char**) i_main.mm:211
    #22 0x1010434da in -[ApplicationController applicationDidFinishLaunching:] i_main.mm:312
    #23 0x7fff45525595 in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (CoreFoundation:x86_64h+0x9e595)
    #24 0x7fff4552550f in ___CFXRegistrationPost_block_invoke (CoreFoundation:x86_64h+0x9e50f)
    #25 0x7fff45525479 in _CFXRegistrationPost (CoreFoundation:x86_64h+0x9e479)
    #26 0x7fff4552d927 in ___CFXNotificationPost_block_invoke (CoreFoundation:x86_64h+0xa6927)
    #27 0x7fff45496383 in -[_CFXNotificationRegistrar find:object:observer:enumerator:] (CoreFoundation:x86_64h+0xf383)
    #28 0x7fff45495736 in _CFXNotificationPost (CoreFoundation:x86_64h+0xe736)
    #29 0x7fff4771b06a in -[NSNotificationCenter postNotificationName:object:userInfo:] (Foundation:x86_64+0x1206a)

SUMMARY: AddressSanitizer: heap-use-after-free dobjgc.h:99 in DHUDMessageBase* GC::ReadBarrier<DHUDMessageBase>(DHUDMessageBase*&)
Shadow bytes around the buggy address:
  0x1c22000ab3b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c22000ab3c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22000ab3d0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c22000ab3e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22000ab3f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x1c22000ab400: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x1c22000ab410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22000ab420: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c22000ab430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22000ab440: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c22000ab450: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
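Added triage helper, not code from the post or from the GZDoom project: it splits an ASan heap-use-after-free report like the one above into its access, free and allocation stacks and skips the sanitizer hooks, allocator shims and GC read-barrier accessors so that the engine frame responsible for each step of the object's life stands out (here: created by an ACS script, swept by the GC, then read by the status bar). The sample input is a trimmed copy of the report above; the NOISE filter list is an assumption chosen for this engine's frames.

```python
import re

# Constructed sample: the report from the post above, trimmed to the frames that matter.
SAMPLE = """\
==97800==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100055a068 at pc 0x000102d11830 bp 0x7ffeeebd4730 sp 0x7ffeeebd4728
READ of size 4 at 0x61100055a068 thread T0
    #0 0x102d1182f in DHUDMessageBase* GC::ReadBarrier<DHUDMessageBase>(DHUDMessageBase*&) dobjgc.h:99
    #1 0x102cfdef4 in TObjPtr<DHUDMessageBase*>::operator DHUDMessageBase*() dobjgc.h:212
    #2 0x102d01823 in DBaseStatusBar::Tick() shared_sbar.cpp:746
0x61100055a068 is located 40 bytes inside of 216-byte region [0x61100055a040,0x61100055a118)
freed by thread T0 here:
    #0 0x106caa20d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c20d)
    #1 0x1039aa55f in M_Free(void*) m_alloc.cpp:208
    #2 0x1024b06a4 in DObject::operator delete(void*) dobject.h:279
    #3 0x102c989e1 in DHUDMessageFadeOut::~DHUDMessageFadeOut() sbar.h:168
    #4 0x1025c144d in GC::SweepList(DObject**, unsigned long, unsigned long*) dobjgc.cpp:214
previously allocated by thread T0 here:
    #0 0x106caa053 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c053)
    #1 0x1039aa36b in M_Malloc_Dbg(unsigned long, char const*, int) m_alloc.cpp:137
    #2 0x1024cac94 in DObject::operator new(unsigned long, DObject::nonew&) dobject.h:268
    #3 0x1026a7e31 in DLevelScript::RunScript() p_acs.cpp:8670
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<sym>.+?) (?P<loc>\S+)$")
# Assumed filter: sanitizer hooks, the engine's allocator shims and the GC smart-pointer
# accessors never own the bug; the first frame past them is the code to look at.
NOISE = ("wrap_", "M_Free", "M_Malloc", "operator new", "operator delete", "ReadBarrier", "TObjPtr")

def parse_asan(text):
    rep, cur = {"access": [], "freed": [], "allocated": []}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line):
            rep["kind"], rep["address"] = m.group(1), m.group(2)
        elif m := re.match(r"(READ|WRITE) of size (\d+)", line):
            rep["op"], rep["size"], cur = m.group(1), int(m.group(2)), "access"
        elif m := re.search(r"is located (\d+) bytes inside of (\d+)-byte region", line):
            rep["offset"], rep["region_size"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            cur = "freed"
        elif line.startswith("previously allocated"):
            cur = "allocated"
        elif (m := FRAME.match(line)) and cur:
            rep[cur].append((m.group("sym"), m.group("loc")))  # (symbol, file:line or module)
    return rep

def culprit(frames):
    """First frame that is not allocator plumbing or a smart-pointer accessor."""
    return next(((s, l) for s, l in frames if not any(n in s for n in NOISE)), None)

def lifecycle(rep):
    """Who allocated the object, who freed it, and who touched it afterwards."""
    return {k: culprit(rep[k]) for k in ("allocated", "freed", "access")}
```

Running `lifecycle(parse_asan(SAMPLE))` names the ACS script that created the HUD message, the destructor run from the GC sweep that freed it, and the status bar tick that still dereferenced it.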