Warzone 2100 Project - Bugs: bug #11847, Playlist code causes segfaults.

 
 

bug #11847: Playlist code causes segfaults.

Submitted by:  Dennis Schridde <devurandom>
Submitted on:  Fri Jun 20 18:58:44 2008  
 
Category: None
Severity: Important
Priority: 7 - High
Status: In Progress
Assigned to: None
Open/Closed: Open
Release: svn/trunk
Operating System: GNU/Linux
Planned Release: None


Sun Sep 14 20:36:52 2008, SVN revision 6028:

Trunk is currently broken when playing music and switching between the "base" and "mp" mods, see ticket:57.

This revision fixes ticket:57. We (Buginator, EvilGuru and Giel) decided to use the fix suggested in ticket:57 for now and to use [wiki:Proposal:ModMounting] on a later date. I.e. fix the problem now (however dirty the solution may be), and implement a properly designed one later on, instead of letting trunk remain broken until said proposal is worked out in enough detail.

This revision fixes bug #11847, bug #11875, bug #11898, bug #11976, bug #11989, bug #12017, bug #12250 and bug #12280.

Patch by Buginator and myself


Giel van Schijndel <muggenhor>
Project Member
Mon Sep 8 04:13:12 2008, comment #14:

Thanks for the info Ryan.

I have found at least one error in the way we were handling things in the source code.

This should fix your issue:
http://developer.wz2100.net/ticket/57

Which should be in trunk ASAP.

Bugs Buggy <buginator>
Project Administrator
Sun Sep 7 19:40:09 2008, comment #13:

What do you mean by bogus handle?

All it sends in to physfs is a path string. Sure, our code attempts to remove paths from the search path that have not been added, but should this cause problems internally in physfs?

Per I. Mathisen <per>
Project Administrator
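The point raised in comment #13, that the game asked the library to remove search-path entries it had never added, as an added example that is not Warzone 2100 or PhysicsFS code. The "backend" below is a stand-in for the library's search path, not the PhysicsFS API; the `data/mods/<name>` layout, the function names and the counter of bogus removals are assumptions made for the demo. The game-side `mount_set` records exactly what it mounted, so a rebuild can only ever unmount its own entries and leaves anything mounted by someone else (here `data/base`) alone.

```c
/* Added example, not Warzone 2100 or PhysicsFS code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Stand-in for the library-side search path (an assumption, not the real
 * PhysicsFS API): an ordered list plus a counter of removal requests for
 * paths it never held, i.e. the "bogus handle" situation in this thread. */
static char *backend[MAX_ENTRIES];
static int backend_len = 0;
static int backend_bad_removes = 0;

static int backend_index(const char *path) {
    for (int i = 0; i < backend_len; i++)
        if (strcmp(backend[i], path) == 0) return i;
    return -1;
}

static int backend_add(const char *path) {
    if (backend_len >= MAX_ENTRIES || backend_index(path) >= 0) return 0;
    backend[backend_len++] = xstrdup(path);
    return 1;
}

static int backend_remove(const char *path) {
    int i = backend_index(path);
    if (i < 0) {
        backend_bad_removes++;    /* caller tried to drop something it never added */
        return 0;
    }
    free(backend[i]);
    memmove(&backend[i], &backend[i + 1], (size_t)(backend_len - i - 1) * sizeof backend[0]);
    backend_len--;
    return 1;
}

/* Game-side ownership record: the only paths this module ever asks the
 * backend to remove are the ones it added itself. */
typedef struct { char *paths[MAX_ENTRIES]; int len; } mount_set;

static int mounts_add(mount_set *m, const char *path) {
    for (int i = 0; i < m->len; i++)
        if (strcmp(m->paths[i], path) == 0) return 0;   /* already mounted by us */
    if (m->len >= MAX_ENTRIES || !backend_add(path)) return 0;
    m->paths[m->len++] = xstrdup(path);
    return 1;
}

static void mounts_clear(mount_set *m) {
    for (int i = 0; i < m->len; i++) {
        backend_remove(m->paths[i]);      /* always present: we added it */
        free(m->paths[i]);
        m->paths[i] = NULL;
    }
    m->len = 0;
}

/* Rebuild for a new mod list: unmount exactly what the previous rebuild
 * mounted, leave everything else (e.g. the engine's own data dir) alone,
 * then mount the new set. "data/mods/<name>" is an assumed layout. */
static int rebuild_search_path(mount_set *m, const char *const *mods, int nmods) {
    int added = 0;
    mounts_clear(m);
    for (int i = 0; i < nmods; i++) {
        char buf[128];
        snprintf(buf, sizeof buf, "data/mods/%s", mods[i]);
        added += mounts_add(m, buf);
    }
    return added;
}

/* Scenario: the engine mounted "data/base" itself, then the mod set is
 * switched twice (cf. the base/mp switch in this thread) and cleared.
 * Returns how many bogus removals reached the backend; 0 is the goal. */
static int demo(void) {
    mount_set m = { { NULL }, 0 };
    const char *first[] = { "mp", "aivolution" };
    const char *second[] = { "base" };
    backend_add("data/base");
    rebuild_search_path(&m, first, 2);
    rebuild_search_path(&m, second, 1);
    mounts_clear(&m);
    return backend_bad_removes;
}

int main(void) {
    int bad = demo();
    printf("bogus removals passed to the backend: %d, entries left: %d\n", bad, backend_len);
    return bad != 0;
}
```

After the two rebuilds and the final clear, the backend still holds only `data/base`, and the bad-removal counter stays at zero; calling `backend_remove` directly on a path nobody added is the situation the wrapper exists to prevent.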
Sun Sep 7 18:32:36 2008, comment #12:

(err...that first Valgrind output was from 1.0, not 1.1, sorry for the confusion.)

--ryan.

Anonymous
Sun Sep 7 18:30:56 2008, comment #11:

This does not appear to be a PhysicsFS bug. I get the crash in PhysicsFS 1.0 and 1.1.

- Start program (svn-5944)
- "Single Player"
- "Start Skirmish Game"
- "Start Hosting Game"
- "Click when ready"

Crashes reliably with both physfs 1.0 and 1.1

It looks like the game is passing a bogus handle to PhysicsFS for closing. Here's Valgrind on 1.1:

==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CAC53: rebuildSearchPath (init.c:271)
==28626== by 0x4CAA91: rebuildSearchPath (init.c:240)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CACC7: rebuildSearchPath (init.c:279)
==28626== by 0x4CAA91: rebuildSearchPath (init.c:240)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CB0FF: rebuildSearchPath (init.c:357)
==28626== by 0x4CAA91: rebuildSearchPath (init.c:240)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CAF9C: rebuildSearchPath (init.c:330)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 4
==28626== at 0x620DEA1: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x621139B: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620DBC0: alDeleteSources (in /usr/lib/libopenal.so.0.0.0)
==28626== by 0x5C4874: sound_DestroyStream (openal_track.c:1049)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C21A0: audio_Update (audio.c:577)
==28626== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==28626== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==28626== by 0x626BE9: resLoadFile (frameresource.c:525)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xa929804 is 4 bytes before a block of size 0 alloc'd
==28626== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==28626== by 0x620AF7C: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620B189: alSourceUnqueueBuffers (in /usr/lib/libopenal.so.0.0.0)
==28626== by 0x5C4846: sound_DestroyStream (openal_track.c:1041)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C21A0: audio_Update (audio.c:577)
==28626== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==28626== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==28626== by 0x626BE9: resLoadFile (frameresource.c:525)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626==
==28626== Invalid read of size 2
==28626== at 0x5513F6C: ZIP_fileClose (zip.c:405)
==28626== by 0x550E548: closeHandleInOpenList (physfs.c:1707)
==28626== by 0x550E9BE: PHYSFS_close (physfs.c:1736)
==28626== by 0x5C4898: sound_DestroyStream (openal_track.c:1056)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C21A0: audio_Update (audio.c:577)
==28626== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==28626== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==28626== by 0x626BE9: resLoadFile (frameresource.c:525)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xaaa5204 is 3,476 bytes inside a block of size 32,768 free'd
==28626== at 0x4C22B2E: free (vg_replace_malloc.c:323)
==28626== by 0x7D06D33: inflateEnd (in /usr/lib/libz.so.1.2.3.3)
==28626== by 0x572D759: png_read_destroy (in /usr/lib/libpng12.so.0.15.0)
==28626== by 0x572D8A3: png_destroy_read_struct (in /usr/lib/libpng12.so.0.15.0)
==28626== by 0x61EF2D: PNGReadCleanup (png_util.c:59)
==28626== by 0x61EEBE: iV_loadImage_PNG (png_util.c:168)
==28626== by 0x551162: texLoad (texture.c:220)
==28626== by 0x4909B6: dataTERTILESLoad (data.c:720)
==28626== by 0x626B3C: resLoadFile (frameresource.c:509)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626==
==28626== Thread 3:
==28626== Invalid read of size 2
==28626== at 0x6212B0B: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620A876: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620A374: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x621202A: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x50F03F6: start_thread (in /lib/libpthread-2.7.so)
==28626== by 0x6DE2B2C: clone (in /lib/libc-2.7.so)
==28626== Address 0xabbcfc8 is 0 bytes inside a block of size 4,096 free'd
==28626== at 0x4C22B2E: free (vg_replace_malloc.c:323)
==28626== by 0x620DEBC: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x621139B: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620DBC0: alDeleteSources (in /usr/lib/libopenal.so.0.0.0)
==28626== by 0x5C4874: sound_DestroyStream (openal_track.c:1049)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C30D4: cdAudio_Stop (cdaudio.c:159)
==28626== by 0x5C2D5D: cdAudio_Close (cdaudio.c:61)
==28626== by 0x4CB39D: systemShutdown (init.c:468)
==28626== by 0x6D4010F: exit (in /lib/libc-2.7.so)
==28626== by 0x6D291CA: (below main) (in /lib/libc-2.7.so)
==28626==

This is with PhysicsFS 1.1 ... it looks like we might be handling this better internally, so the crash moves elsewhere (note the game's logging of resLoadFile problem...).

==22317==
==22317== Invalid read of size 4
==22317== at 0x6223EA1: (within /usr/lib/libopenal.so.0.0.0)
==22317== by 0x622739B: (within /usr/lib/libopenal.so.0.0.0)
==22317== by 0x6223BC0: alDeleteSources (in /usr/lib/libopenal.so.0.0.0)
==22317== by 0x5C4874: sound_DestroyStream (openal_track.c:1049)
==22317== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==22317== by 0x5C3792: sound_Update (openal_track.c:280)
==22317== by 0x5C21A0: audio_Update (audio.c:577)
==22317== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==22317== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==22317== by 0x626BE9: resLoadFile (frameresource.c:525)
==22317== by 0x62AAC2: res_parse (resource_parser.y:120)
==22317== by 0x6261FC: resLoad (frameresource.c:121)
==22317== by 0x4DF2F5: levLoadData (levels.c:719)
==22317== by 0x4E4F56: startGameLoop (main.c:555)
==22317== by 0x4E52F3: runTitleLoop (main.c:707)
==22317== by 0x4E551C: mainLoop (main.c:825)
==22317== by 0x4E58EF: main (main.c:979)
==22317== Address 0xa8a8ff4 is 4 bytes before a block of size 0 alloc'd
==22317== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==22317== by 0x6220F7C: (within /usr/lib/libopenal.so.0.0.0)
==22317== by 0x6221189: alSourceUnqueueBuffers (in /usr/lib/libopenal.so.0.0.0)
==22317== by 0x5C4846: sound_DestroyStream (openal_track.c:1041)
==22317== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==22317== by 0x5C3792: sound_Update (openal_track.c:280)
==22317== by 0x5C21A0: audio_Update (audio.c:577)
==22317== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==22317== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==22317== by 0x626BE9: resLoadFile (frameresource.c:525)
==22317== by 0x62AAC2: res_parse (resource_parser.y:120)
==22317== by 0x6261FC: resLoad (frameresource.c:121)
==22317== by 0x4DF2F5: levLoadData (levels.c:719)
==22317== by 0x4E4F56: startGameLoop (main.c:555)
==22317== by 0x4E52F3: runTitleLoop (main.c:707)
==22317== by 0x4E551C: mainLoop (main.c:825)
==22317== by 0x4E58EF: main (main.c:979)
error |000000000002: [scrv_error] VLO parse error: Construct component CyborgSpade not found at line 86, text: 'CyborgSpade'
error |000000000002: [dataScriptLoadVals] Script rules.vlo did not compile
error |000000000002: [resLoadFile] resLoadFile: The load function for resource type "SCRIPTVAL" failed for file "rules.vlo"
error |000000000002: [resLoad] resLoad: failed to parse wrf/multi/skirmish4.wrf
error |000000000002: [startGameLoop] Shutting down after failure
==22317==
==22317== Invalid read of size 8
==22317== at 0x5E6E1A: scriptFreeCode (script.c:83)
==22317== by 0x491015: dataScriptRelease (data.c:952)
==22317== by 0x627922: resReleaseAllData (frameresource.c:863)
==22317== by 0x627856: resReleaseAll (frameresource.c:834)
==22317== by 0x4CB345: systemShutdown (init.c:458)
==22317== by 0x6D5610F: exit (in /lib/libc-2.7.so)
==22317== by 0x4E4F87: startGameLoop (main.c:558)
==22317== by 0x4E52F3: runTitleLoop (main.c:707)
==22317== by 0x4E551C: mainLoop (main.c:825)
==22317== by 0x4E58EF: main (main.c:979)
==22317== Address 0x8 is not stack'd, malloc'd or (recently) free'd
No function contains program counter for selected frame.
Saved dump file to '/tmp/warzone2100.gdmp'

I haven't dug into PhysicsFS or Warzone for the specific issue, but it seems like if it didn't crash with physfs 1.0 for you, it was a lucky accident of memory layout.

If this proves to be a PhysicsFS bug after all, please feel free to email me directly (icculus@icculus.org) and I'll follow up further.

Thanks,
--ryan.

Anonymous
Sat Jul 12 15:00:10 2008, comment #10:

Per just tested and installed an svn snapshot (r941). It seems physfs-1.1(.1)? is responsible for this issue.

Dennis Schridde <devurandom>
Project Administrator
Sat Jul 12 14:48:58 2008, comment #9:

NOTE: I'm using PhysicsFS 1.0 as well.

Debian currently hasn't yet provided an updated PhysicsFS package for 1.1.1.

I will try testing 1.1.1 and if it fails on my system I'll notify the Debian maintainer(s) of the PhysicsFS package by creating a bug report telling them that 1.1.1 is "bugged".

PS Is there any bug report on PhysicsFS indicating that 1.1.1 is "bugged"? I can't check right now, because it seems like icculus.org is down.

Giel van Schijndel <muggenhor>
Project Member
Sat Jul 12 10:24:29 2008, comment #8:

A reply by Buggy, which I think was mistakenly posted to another bug:
---
Looks like the issue with the playlist is the result of physfs 1.1.1 being bugged.

Revert back to 1.0, and it works as it should.

This also explains why per didn't have any issues with it, since he is using an older version of physfs than the rest of us.
---

Since there should be afaik no API or contract changes between 1.0 and 1.1, this would be an upstream bug.

Can someone else confirm that physfs-1.1.1 causes this bug (and it works fine with 1.0 or 1.1.0)?
In that case we should recommend distributors to depend strictly on !physfs-1.1.1.

Dennis Schridde <devurandom>
Project Administrator
Sun Jun 29 15:53:29 2008, comment #7:

The segfault in scriptFreeCode seems to be caused by something trying to free one script twice. Though because it is all a bit fuzzy and hidden behind some layers of indirection I do not yet know who is doing it and why.

So the final segfault is maybe not caused by the bug itself, but by another bug in the script loading code, which does not handle a failed script-compilation very well.

Dennis Schridde <devurandom>
Project Administrator
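The failure mode described in comment #7, a script freed twice after its values file failed to compile, modelled as an added example that is not Warzone's resource or script code. The static pool, the `component NAME` line format, the known-component list and the function names are all assumptions for the demo (the real .vlo grammar is not reproduced); the pool makes a second free observable as a counter instead of undefined behaviour. The buggy loader registers the script with the resource table before it is known to be valid and frees it on the error path, so shutdown's release pass frees it again; the fixed loader hands ownership to the table only on success.

```c
/* Added example, not Warzone 2100 code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

/* A "script" lives in a static pool rather than the heap so that a second
 * free is counted instead of corrupting the allocator. */
typedef struct { int live; } script;

static script pool[POOL_SIZE];
static int pool_used = 0;
static int double_frees = 0;

static script *script_alloc(void) {
    if (pool_used >= POOL_SIZE) return NULL;
    script *s = &pool[pool_used++];
    s->live = 1;
    return s;
}

static void script_free(script *s) {
    if (s == NULL) return;
    if (!s->live) { double_frees++; return; }   /* the second free, made visible */
    s->live = 0;
}

/* Resource table: everything it holds is freed exactly once at shutdown. */
typedef struct { script *slots[POOL_SIZE]; int len; } res_table;

static int table_register(res_table *t, script *s) {
    if (t->len >= POOL_SIZE) return 0;
    t->slots[t->len++] = s;
    return 1;
}

static void release_all(res_table *t) {
    for (int i = 0; i < t->len; i++) { script_free(t->slots[i]); t->slots[i] = NULL; }
    t->len = 0;
}

/* Stand-in for compiling a values file: every "component NAME" line must name
 * a known construct component. The known list is an assumption. */
static int component_known(const char *name) {
    static const char *const known[] = { "Spade1Mk1" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i], name) == 0) return 1;
    return 0;
}

static int values_compile(const char *vlo) {
    const char *p = vlo;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n > 10 && strncmp(p, "component ", 10) == 0) {
            char name[32];
            if (n - 10 >= sizeof name) return 0;
            memcpy(name, p + 10, n - 10);
            name[n - 10] = '\0';
            if (!component_known(name)) return 0;   /* "component ... not found" */
        }
        p += n;
        if (*p == '\n') p++;
    }
    return 1;
}

/* Buggy shape: registered before it is valid; the error path frees it and the
 * table keeps a dangling pointer that release_all frees again. */
static int load_script_buggy(res_table *t, const char *vlo) {
    script *s = script_alloc();
    if (s == NULL) return 0;
    table_register(t, s);
    if (!values_compile(vlo)) { script_free(s); return 0; }
    return 1;
}

/* Fixed shape: ownership passes to the table only on success. */
static int load_script_fixed(res_table *t, const char *vlo) {
    script *s = script_alloc();
    if (s == NULL) return 0;
    if (!values_compile(vlo)) { script_free(s); return 0; }
    return table_register(t, s);
}

/* One good load, one failing load (constructed input), then shutdown.
 * Returns the number of double frees observed. */
static int run_scenario(int use_fixed) {
    res_table t = { { NULL }, 0 };
    int (*load)(res_table *, const char *) = use_fixed ? load_script_fixed : load_script_buggy;
    pool_used = 0;
    double_frees = 0;
    load(&t, "component Spade1Mk1\n");
    load(&t, "component Spade1Mk1\ncomponent CyborgSpade\n");
    release_all(&t);
    return double_frees;
}

int main(void) {
    printf("double frees: buggy=%d fixed=%d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The buggy scenario reports one double free and the fixed one none; under Valgrind the real equivalent shows up as the invalid read in the free routine at shutdown, like the `scriptFreeCode` frame in the output above.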
Wed Jun 25 17:02:33 2008, comment #6:

> trunk version
> segfault after clicking "im ready" button in skirmish
>
> ./src/warzone2100 --mod aivolution
> error : [cdAudio_TrackFinished] Out of playlist?! was playing music/menu.ogg


This specific crash is unrelated to this bug AFAIK. Furthermore this specific crash had been reported as bug #11879, which I fixed several hours ago.

Giel van Schijndel <muggenhor>
Project Member
Tue Jun 24 18:02:27 2008, comment #5:

My "echo > ~/.warzone2100-2.1/music/music.wpl" hack does not work anymore it seems... But Buggy's "cp data/base/music/* ~/.warzone2100-2.1/music/" hack does still work... Weird...

Dennis Schridde <devurandom>
Project Administrator
Tue Jun 24 00:05:14 2008, comment #4:

trunk version
segfault after clicking "im ready" button in skirmish

./src/warzone2100 --mod aivolution
error : [cdAudio_TrackFinished] Out of playlist?! was playing music/menu.ogg
Saved dump file to '/tmp/warzone2100.gdmp'
Segmentation fault

(file #4457)

Anonymous
Sun Jun 22 17:45:42 2008, comment #3:

Same issue.

error : [scrv_error] VLO parse error: Construct component CyborgSpade not found at line 86, text: 'CyborgSpade'
error : [dataScriptLoadVals] Script rules.vlo did not compile
error : [resLoadFile] resLoadFile: The load function for resource type "SCRIPTVAL" failed for file "rules.vlo"
error : [resLoad] resLoad: failed to parse wrf/multi/skirmish4.wrf
error : [startGameLoop] Shutting down after failure

(file #4452)

Dennis Schridde <devurandom>
Project Administrator
Sat Jun 21 16:32:21 2008, comment #2:

Can you still reproduce the problem?

Per I. Mathisen <per>
Project Administrator
Sat Jun 21 02:56:37 2008, comment #1:

It seems that if we have the .ogg files in the base/music directory, instead of the configdir/music directory, we crash, with very strange errors.

Pull down a clean copy of trunk, then after you make it, cd to wherever, makedir whatever, and then run warzone via:
--configdir fullPathTo/whatever --window
and it should crash everytime.

Then move the .ogg files from base\music\*.ogg to whatever\music, and all is fine now, when run with the same args.

Haven't yet found out why.

--Buginator

Anonymous
Fri Jun 20 18:58:44 2008, original submission:

r5261 showed that the playlist code causes weird segfaults.
Buggy and I see them in the scripting engine, but it apparently also shows up in other locations, like the sound engine. (See attached backtrace.)

Dennis Schridde <devurandom>
Project Administrator

 

Attached Files
file #4490:  warzone2100-r5341.gdmp added by None (19kB - application/octet-stream)
file #4457:  warzone2100.gdmp added by None (11kB - text/plain)
file #4452:  warzone2100.gdmp added by devurandom (8kB - text/plain - Another, different, backtrace.)
file #4447:  SKJeIF75.txt added by devurandom (10kB - application/octet-stream)

 

Depends on the following items: None found


Change history (9 latest changes):

Date                       Changed By   Updated Field   Previous Value => Replaced By
Mon Sep 8 04:13:12 2008    buginator    Open/Closed     Closed => Open
Mon Sep 8 04:13:11 2008    buginator    Status          Confirmed => In Progress
Tue Jul 15 12:50:16 2008   per          Status          None => Confirmed
                                        Open/Closed     Open => Closed
Sat Jun 28 09:09:37 2008   None         Attached File   - => Added warzone2100-r5341.gdmp, #4490
Tue Jun 24 00:05:13 2008   None         Attached File   - => Added warzone2100.gdmp, #4457
Sun Jun 22 17:45:42 2008   devurandom   Attached File   - => Added warzone2100.gdmp, #4452
Sun Jun 22 17:04:23 2008   devurandom   Dependencies    - => bugs #11861 is dependent
Fri Jun 20 18:58:44 2008   devurandom   Attached File   - => Added SKJeIF75.txt, #4447