[b84f7bc]CheckWeaponChange null VM Abort

[Major Cooke]

Download D4D here.

There is a VM abort with mods like D4D occurring whenever picking up demon runes. One of the things I noticed is the null pointer check that was actually doable in the C++ side of things.

This scriptified counterpart does not and cannot from the looks of it, since attempting to put a null pointer check for the player causes a crash since the player is a struct.

The abort happens on this line precisely.

[_mental_]

I tried to investigate the problem but would like to ask Graf to take a look.

---

Code: Select all

#0	P_MorphPlayer(player_t*, player_t*, PClassActor*, int, int, PClassActor*, PClassActor*) at src/g_shared/a_morph.cpp:66
#1	AF__PlayerInfo_MorphPlayer(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/g_shared/a_morph.cpp:190
#2	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#3	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#4	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#5	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#6	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#7	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#8	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#9	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#10	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#11	AInventory::CallTryPickup(AActor*, AActor**) at src/g_inventory/a_pickups.cpp:518
#12	DoGiveInventory(AActor*, bool, VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:2317
#13	AF_AActor_A_GiveInventory(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:2333
#14	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#15	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#16	AStateProvider::CallStateChain(AActor*, FState*) at src/p_actionfunctions.cpp:187
#17	AF_ACustomInventory_CallStateChain(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:229
#18	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#19	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#20	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#21	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#22	AActor::CallTouch(AActor*) at src/p_mobj.cpp:1740
#23	P_TouchSpecialThing(AActor*, AActor*) at src/p_interaction.cpp:114
#24	PIT_CheckThing(FMultiBlockThingsIterator&, FMultiBlockThingsIterator::CheckResult&, FBoundingBox const&, FCheckPosition&) at src/p_map.cpp:1658
#25	P_CheckPosition(AActor*, TVector2<double> const&, FCheckPosition&, bool) at src/p_map.cpp:1803
#26	P_TryMove(AActor*, TVector2<double> const&, int, secplane_t const*, FCheckPosition&, bool) at src/p_map.cpp:2242
#27	P_XYMovement(AActor*, TVector2<double>) at src/p_mobj.cpp:2515
#28	AActor::Tick() at src/p_mobj.cpp:4436
#29	APlayerPawn::Tick() at src/p_user.cpp:989
#30	AF_DThinker_Tick(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/dthinker.cpp:557
#31	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#32	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#33	DThinker::CallTick() at src/dthinker.cpp:567
#34	DThinker::TickThinkers(FThinkerList*, FThinkerList*) at src/dthinker.cpp:535
#35	DThinker::RunThinkers() at src/dthinker.cpp:481
#36	P_Ticker() at src/p_tick.cpp:136
#37	G_Ticker() at src/g_game.cpp:1232
#38	TryRunTics() at src/d_net.cpp:1951
#39	D_DoomLoop() at src/d_main.cpp:1038
#40	D_DoomMain() at src/d_main.cpp:2717

---

Code: Select all

...
#27	AF_AActor_CheckBlock(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:6497
#28	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#29	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#30	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#31	FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**) at src/info.cpp:152
#32	DPSprite::SetState(FState*, bool) at src/p_pspr.cpp:509
#33	AF_DPSprite_SetState(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_pspr.cpp:541
#34	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#35	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#36	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#37	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#38	P_PlayerThink(player_t*) at src/p_user.cpp:2311
...

I guess the issue with the latter is changing of PlayerPawn object, unmorphed one will have player member set to nullptr.
For some reason this works fine when morph happens during APlayerPawn::Tick() but fails if called from P_PlayerThink() function.

I'm using D4D Alpha 5 with these bindings:

Code: Select all

+bind k "summon baronrune"
+bind l "morphme"

Picking up summoned rune will end with one of callstacks above and depending on origin of morph it will work fine or abort with error.

Addition of null checks to scripting side won't solve the problem.
This will rather postpone it to a later moment when the game will crash because of nullptr value of player argument:

---

Code: Select all

#0	DObject* GC::ReadBarrier<DObject>(DObject*&) at src/dobjgc.h:99
#1	TObjPtr<DBot*>::operator==(DBot*) at src/dobjgc.h:213
#2	P_CheckWeaponButtons(player_t*) at src/p_pspr.cpp:876
#3	AF_APlayerPawn_CheckWeaponButtons(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_pspr.cpp:908
#4	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#5	VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#6	VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#7	P_PlayerThink(player_t*) at src/p_user.cpp:2311
#8	P_Ticker() at src/p_tick.cpp:130
#9	G_Ticker() at src/g_game.cpp:1232
#10	TryRunTics() at src/d_net.cpp:1951
#11	D_DoomLoop() at src/d_main.cpp:1038
#12	D_DoomMain() at src/d_main.cpp:2717

[Graf Zahl]

Hard to say because I don't get it to crash.

[_mental_]

It will crash only if you will add the following check to PlayerPawn.CheckWeaponChange() and PlayerPawn.CheckWeaponFire():

Code: Select all

if (!player) return;

Otherwise it will abort VM with reading NULL address exception. Of course, it will abort if morphing will happen during code path from the second callstack.
For this reason the issue cannot be reproduced with give baronrune and morphme CCMDs. The rune must be picked up during P_PlayerThink() call.

[Graf Zahl]

I don't even get it to abort. What precisely do I have to do to trigger the error?

[_mental_]

Load any map with D4D, press K to summon the rune and pick it up.

It doesn't have 100% reproduction rate but it somehow depends on moment when the rune has been picked up.
If morphing has been completed (this means that code path from the first callstack was taken) I press L to unmorph and repeat.

Sometimes the rune spawns in front of player and you need to move to grab it.
But sometimes it spawns too close and so will be picked up in the same or maybe in the next frame. This case aborts VM usually.

[Graf Zahl]

It only happens with some weapons. And from the look of it there's some exceptional fuckery going on here, because the item pickup gets called from some overlay! That's a situation the code isn't prepared for. It worked in older versions because it reused the same player pointer that got initially passed in, but the new code re-retrieves it from the passed actor. And with how morphs work that link got broken in here.

Now I got to find the messed up movement in D4D.

EDIT: A_CheckBlock is the perpetrator. This function calls P_CheckPosition which handles item pickups. Not a good idea to allow this in a supposedly pure checking function.

[Graf Zahl]

I also think that the morphing logic needs some serious evaluation. Having the pickup function morph the player is inherently unsafe so all it should really do is to queue the transition and let it actually be done in a safe place like PlayerThink or Tick.

[Edward-san]

Could this line actually be a typo? Shouldn't it be "thing->flags &= ~MF_PICKUP;" (missing ~)?

[Graf Zahl]

Goddamnit. What's up with the editor? It's not the first time it removed some tildes on its own.

[Major Cooke]

A quick note, the overlays are on the player actors themselves, not the weapons. I know specifics weren't specified.

[Graf Zahl]

It doesn't matter where the overlays are, they are all ticked from TickPSprites, and that was were things went wrong.