Warzone 2100 Project - Bugs: bug #11847, Playlist code causes segfaults.


bug #11847: Playlist code causes segfaults.

Submitted by:  Dennis Schridde <devurandom>
Submitted on:  Fri 20 Jun 2008 06:58:44 PM UTC  
Category: None
Severity: Important
Priority: 7 - High
Status: In Progress
Assigned to: None
Open/Closed: Open
Release: svn/trunk
Operating System: GNU/Linux
Planned Release: None


Sun 14 Sep 2008 08:36:52 PM UTC, SVN revision 6028:

Trunk is currently broken when playing music and switching between the "base" and "mp" mods, see ticket:57.

This revision fixes ticket:57. We (Buginator, EvilGuru and Giel) decided to use the fix suggested in ticket:57 for now and to use [wiki:Proposal:ModMounting] on a later date. I.e. fix the problem now (however dirty the solution may be), and implement a properly designed one later on, instead of letting trunk remain broken until said proposal is worked out in enough detail.

This revision fixes bug #11847, bug #11875, bug #11898, bug #11976, bug #11989, bug #12017, bug #12250 and bug #12280.

Patch by Buginator and myself

(Browse SVN revision 6028)

Giel van Schijndel <muggenhor>
Project Member
Mon 08 Sep 2008 04:13:12 AM UTC, comment #14:

Thanks for the info Ryan.

I have found at least one error in the way we were handling things in the source code.

This should fix your issue:
http://developer.wz2100.net/ticket/57

Which should be in trunk ASAP.

Bugs Buggy <buginator>
Project Administrator
Sun 07 Sep 2008 07:40:09 PM UTC, comment #13:

What do you mean by bogus handle?

All it sends in to physfs is a path string. Sure, our code attempts to remove paths from the search path that have not been added, but should this cause problems internally in physfs?

Per I. Mathisen <per>
Project Administrator
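The bookkeeping problem raised in comment #13, removing search-path entries that were never added, is avoidable on the caller's side regardless of how the library copes with it. The C program below is an added example written for this page; it is not PhysicsFS or Warzone 2100 code. Vfs, vfs_add and vfs_remove are a stand-in for a VFS library's search-path calls, ModEntry and rebuild_search_path are a made-up caller that records what it mounted, and the mod directory names are constructed.

```c
#include <string.h>

/* Added example, not PhysicsFS or Warzone 2100 code. Vfs, vfs_add and
 * vfs_remove stand in for a VFS library's search-path calls; ModEntry and
 * rebuild_search_path model a caller that records what it mounted so that
 * it never asks the library to remove a path it did not add. */

#define MAX_PATHS 8
#define PATH_LEN  64

typedef struct {
    char paths[MAX_PATHS][PATH_LEN];
    int  count;
} Vfs;

/* Instrumentation: library calls naming a path that is not mounted. A
 * library might tolerate such calls or might not; the caller should avoid
 * them altogether, and this counter shows whether it did. */
static int unknown_path_removals = 0;

static int vfs_add(Vfs *v, const char *path)
{
    if (v->count >= MAX_PATHS || strlen(path) >= PATH_LEN) return 0;
    strcpy(v->paths[v->count], path);
    v->count++;
    return 1;
}

/* Returns 1 if the path was mounted and is now removed, 0 otherwise. */
static int vfs_remove(Vfs *v, const char *path)
{
    for (int i = 0; i < v->count; i++) {
        if (strcmp(v->paths[i], path) == 0) {
            memmove(v->paths[i], v->paths[i + 1],
                    (size_t)(v->count - i - 1) * sizeof v->paths[0]);
            v->count--;
            return 1;
        }
    }
    unknown_path_removals++;
    return 0;
}

/* One entry per mod directory with the caller's own 'mounted' flag. */
typedef struct {
    const char *path;
    int         mounted;
} ModEntry;

/* Bring the VFS in line with want_mask (bit i set = mod i should be mounted).
 * Only entries recorded as mounted are ever removed, and the library's return
 * value is checked rather than assumed. Returns the number of operations issued. */
int rebuild_search_path(Vfs *v, ModEntry *mods, int n, unsigned want_mask)
{
    int ops = 0;
    for (int i = 0; i < n; i++) {
        int want = (int)((want_mask >> i) & 1u);
        if (want && !mods[i].mounted) {
            if (vfs_add(v, mods[i].path)) { mods[i].mounted = 1; ops++; }
        } else if (!want && mods[i].mounted) {
            if (vfs_remove(v, mods[i].path)) ops++;
            mods[i].mounted = 0;
        }
        /* !want && !mounted: nothing to do, so no blind remove call */
    }
    return ops;
}

int unknown_removals_seen(void) { return unknown_path_removals; }

/* Walks a base -> base+mp -> base -> nothing sequence (constructed mod names),
 * like the mod switching that crashed in this thread. Returns operations issued:
 * add base, add mp, remove mp, remove base = 4, with no unknown-path removal. */
int simulate_mod_switch(void)
{
    Vfs v = { .count = 0 };
    ModEntry mods[] = { { "data/base", 0 }, { "data/mp", 0 }, { "mods/aivolution", 0 } };
    int ops = 0;
    unknown_path_removals = 0;
    ops += rebuild_search_path(&v, mods, 3, 0x1u);  /* base only */
    ops += rebuild_search_path(&v, mods, 3, 0x3u);  /* base + mp */
    ops += rebuild_search_path(&v, mods, 3, 0x1u);  /* back to base: mp removed */
    ops += rebuild_search_path(&v, mods, 3, 0x0u);  /* back to menu: base removed */
    return ops;
}
```

The design point is that the caller's own `mounted` flag, not the library's internal state, decides whether an unmount call is issued, and the return value of every library call is checked; under Valgrind a caller written this way produces no remove call for a path the library never saw.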
Sun 07 Sep 2008 06:32:36 PM UTC, comment #12:

(err...that first Valgrind output was from 1.0, not 1.1, sorry for the confusion.)

--ryan.

Anonymous
Sun 07 Sep 2008 06:30:56 PM UTC, comment #11:

This does not appear to be a PhysicsFS bug. I get the crash in PhysicsFS 1.0 and 1.1.

- Start program (svn-5944)
- "Single Player"
- "Start Skirmish Game"
- "Start Hosting Game"
- "Click when ready"

Crashes reliably with both physfs 1.0 and 1.1

It looks like the game is passing a bogus handle to PhysicsFS for closing. Here's Valgrind on 1.1:

==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CAC53: rebuildSearchPath (init.c:271)
==28626== by 0x4CAA91: rebuildSearchPath (init.c:240)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CACC7: rebuildSearchPath (init.c:279)
==28626== by 0x4CAA91: rebuildSearchPath (init.c:240)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CB0FF: rebuildSearchPath (init.c:357)
==28626== by 0x4CAA91: rebuildSearchPath (init.c:240)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 8
==28626== at 0x550FD77: freeDirInfo (physfs.c:604)
==28626== by 0x550FE30: PHYSFS_removeFromSearchPath (physfs.c:1006)
==28626== by 0x4CAF9C: rebuildSearchPath (init.c:330)
==28626== by 0x4DF1AA: levLoadData (levels.c:676)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xb41c960 is not stack'd, malloc'd or (recently) free'd
==28626==
==28626== Invalid read of size 4
==28626== at 0x620DEA1: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x621139B: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620DBC0: alDeleteSources (in /usr/lib/libopenal.so.0.0.0)
==28626== by 0x5C4874: sound_DestroyStream (openal_track.c:1049)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C21A0: audio_Update (audio.c:577)
==28626== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==28626== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==28626== by 0x626BE9: resLoadFile (frameresource.c:525)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xa929804 is 4 bytes before a block of size 0 alloc'd
==28626== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==28626== by 0x620AF7C: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620B189: alSourceUnqueueBuffers (in /usr/lib/libopenal.so.0.0.0)
==28626== by 0x5C4846: sound_DestroyStream (openal_track.c:1041)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C21A0: audio_Update (audio.c:577)
==28626== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==28626== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==28626== by 0x626BE9: resLoadFile (frameresource.c:525)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626==
==28626== Invalid read of size 2
==28626== at 0x5513F6C: ZIP_fileClose (zip.c:405)
==28626== by 0x550E548: closeHandleInOpenList (physfs.c:1707)
==28626== by 0x550E9BE: PHYSFS_close (physfs.c:1736)
==28626== by 0x5C4898: sound_DestroyStream (openal_track.c:1056)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C21A0: audio_Update (audio.c:577)
==28626== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==28626== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==28626== by 0x626BE9: resLoadFile (frameresource.c:525)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626== Address 0xaaa5204 is 3,476 bytes inside a block of size 32,768 free'd
==28626== at 0x4C22B2E: free (vg_replace_malloc.c:323)
==28626== by 0x7D06D33: inflateEnd (in /usr/lib/libz.so.1.2.3.3)
==28626== by 0x572D759: png_read_destroy (in /usr/lib/libpng12.so.0.15.0)
==28626== by 0x572D8A3: png_destroy_read_struct (in /usr/lib/libpng12.so.0.15.0)
==28626== by 0x61EF2D: PNGReadCleanup (png_util.c:59)
==28626== by 0x61EEBE: iV_loadImage_PNG (png_util.c:168)
==28626== by 0x551162: texLoad (texture.c:220)
==28626== by 0x4909B6: dataTERTILESLoad (data.c:720)
==28626== by 0x626B3C: resLoadFile (frameresource.c:509)
==28626== by 0x62AAC2: res_parse (resource_parser.y:120)
==28626== by 0x6261FC: resLoad (frameresource.c:121)
==28626== by 0x4DF2F5: levLoadData (levels.c:719)
==28626== by 0x4E4F56: startGameLoop (main.c:555)
==28626== by 0x4E52F3: runTitleLoop (main.c:707)
==28626== by 0x4E551C: mainLoop (main.c:825)
==28626== by 0x4E58EF: main (main.c:979)
==28626==
==28626== Thread 3:
==28626== Invalid read of size 2
==28626== at 0x6212B0B: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620A876: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620A374: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x621202A: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x50F03F6: start_thread (in /lib/libpthread-2.7.so)
==28626== by 0x6DE2B2C: clone (in /lib/libc-2.7.so)
==28626== Address 0xabbcfc8 is 0 bytes inside a block of size 4,096 free'd
==28626== at 0x4C22B2E: free (vg_replace_malloc.c:323)
==28626== by 0x620DEBC: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x621139B: (within /usr/lib/libopenal.so.0.0.0)
==28626== by 0x620DBC0: alDeleteSources (in /usr/lib/libopenal.so.0.0.0)
==28626== by 0x5C4874: sound_DestroyStream (openal_track.c:1049)
==28626== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==28626== by 0x5C3792: sound_Update (openal_track.c:280)
==28626== by 0x5C30D4: cdAudio_Stop (cdaudio.c:159)
==28626== by 0x5C2D5D: cdAudio_Close (cdaudio.c:61)
==28626== by 0x4CB39D: systemShutdown (init.c:468)
==28626== by 0x6D4010F: exit (in /lib/libc-2.7.so)
==28626== by 0x6D291CA: (below main) (in /lib/libc-2.7.so)
==28626==

This is with PhysicsFS 1.1 ... it looks like we might be handling this better internally, so the crash moves elsewhere (note the game's logging of resLoadFile problem...).

==22317==
==22317== Invalid read of size 4
==22317== at 0x6223EA1: (within /usr/lib/libopenal.so.0.0.0)
==22317== by 0x622739B: (within /usr/lib/libopenal.so.0.0.0)
==22317== by 0x6223BC0: alDeleteSources (in /usr/lib/libopenal.so.0.0.0)
==22317== by 0x5C4874: sound_DestroyStream (openal_track.c:1049)
==22317== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==22317== by 0x5C3792: sound_Update (openal_track.c:280)
==22317== by 0x5C21A0: audio_Update (audio.c:577)
==22317== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==22317== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==22317== by 0x626BE9: resLoadFile (frameresource.c:525)
==22317== by 0x62AAC2: res_parse (resource_parser.y:120)
==22317== by 0x6261FC: resLoad (frameresource.c:121)
==22317== by 0x4DF2F5: levLoadData (levels.c:719)
==22317== by 0x4E4F56: startGameLoop (main.c:555)
==22317== by 0x4E52F3: runTitleLoop (main.c:707)
==22317== by 0x4E551C: mainLoop (main.c:825)
==22317== by 0x4E58EF: main (main.c:979)
==22317== Address 0xa8a8ff4 is 4 bytes before a block of size 0 alloc'd
==22317== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==22317== by 0x6220F7C: (within /usr/lib/libopenal.so.0.0.0)
==22317== by 0x6221189: alSourceUnqueueBuffers (in /usr/lib/libopenal.so.0.0.0)
==22317== by 0x5C4846: sound_DestroyStream (openal_track.c:1041)
==22317== by 0x5C4934: sound_UpdateStreams (openal_track.c:1094)
==22317== by 0x5C3792: sound_Update (openal_track.c:280)
==22317== by 0x5C21A0: audio_Update (audio.c:577)
==22317== by 0x55934A: loadingScreenCallback (wrappers.c:311)
==22317== by 0x626E01: resDoResLoadCallback (frameresource.c:62)
==22317== by 0x626BE9: resLoadFile (frameresource.c:525)
==22317== by 0x62AAC2: res_parse (resource_parser.y:120)
==22317== by 0x6261FC: resLoad (frameresource.c:121)
==22317== by 0x4DF2F5: levLoadData (levels.c:719)
==22317== by 0x4E4F56: startGameLoop (main.c:555)
==22317== by 0x4E52F3: runTitleLoop (main.c:707)
==22317== by 0x4E551C: mainLoop (main.c:825)
==22317== by 0x4E58EF: main (main.c:979)
error |000000000002: [scrv_error] VLO parse error: Construct component CyborgSpade not found at line 86, text: 'CyborgSpade'
error |000000000002: [dataScriptLoadVals] Script rules.vlo did not compile
error |000000000002: [resLoadFile] resLoadFile: The load function for resource type "SCRIPTVAL" failed for file "rules.vlo"
error |000000000002: [resLoad] resLoad: failed to parse wrf/multi/skirmish4.wrf
error |000000000002: [startGameLoop] Shutting down after failure
==22317==
==22317== Invalid read of size 8
==22317== at 0x5E6E1A: scriptFreeCode (script.c:83)
==22317== by 0x491015: dataScriptRelease (data.c:952)
==22317== by 0x627922: resReleaseAllData (frameresource.c:863)
==22317== by 0x627856: resReleaseAll (frameresource.c:834)
==22317== by 0x4CB345: systemShutdown (init.c:458)
==22317== by 0x6D5610F: exit (in /lib/libc-2.7.so)
==22317== by 0x4E4F87: startGameLoop (main.c:558)
==22317== by 0x4E52F3: runTitleLoop (main.c:707)
==22317== by 0x4E551C: mainLoop (main.c:825)
==22317== by 0x4E58EF: main (main.c:979)
==22317== Address 0x8 is not stack'd, malloc'd or (recently) free'd
No function contains program counter for selected frame.
Saved dump file to '/tmp/warzone2100.gdmp'

I haven't dug into PhysicsFS or Warzone for the specific issue, but it seems like if it didn't crash with physfs 1.0 for you, it was a lucky accident of memory layout.

If this proves to be a PhysicsFS bug after all, please feel free to email me directly (icculus@icculus.org) and I'll follow up further.

Thanks,
--ryan.

Anonymous
Sat 12 Jul 2008 03:00:10 PM UTC, comment #10:

Per just tested and installed an svn snapshot (r941). It seems physfs-1.1(.1)? is responsible for this issue.

Dennis Schridde <devurandom>
Project Administrator
Sat 12 Jul 2008 02:48:58 PM UTC, comment #9:

NOTE: I'm using PhysicsFS 1.0 as well.

Debian currently hasn't yet provided an updated PhysicsFS package for 1.1.1.

I will try testing 1.1.1 and if it fails on my system I'll notify the Debian maintainer(s) of the PhysicsFS package by creating a bug report telling them that 1.1.1 is "bugged".

PS Is there any bug report on PhysicsFS indicating that 1.1.1 is "bugged"? I can't check right now, because it seems like icculus.org is down.

Giel van Schijndel <muggenhor>
Project Member
Sat 12 Jul 2008 10:24:29 AM UTC, comment #8:

A reply by Buggy, which I think was mistakenly posted to another bug:
---
Looks like the issue with the playlist is the result of physfs 1.1.1 being bugged.

Revert back to 1.0, and it works as it should.

This also explains why per didn't have any issues with it, since he is using an older version of physfs than the rest of us.
---

Since there should be AFAIK no API or contract changes between 1.0 and 1.1, this would be an upstream bug.

Can someone else confirm that physfs-1.1.1 causes this bug (and it works fine with 1.0 or 1.1.0)?
In that case we should recommend distributors to depend strictly on !physfs-1.1.1.

Dennis Schridde <devurandom>
Project Administrator
Sun 29 Jun 2008 03:53:29 PM UTC, comment #7:

The segfault in scriptFreeCode seems to be caused by something trying to free one script twice. Though because it is all a bit fuzzy and hidden behind some layers of indirection I do not yet know who is doing it and why.

So the final segfault is maybe not caused by the bug itself, but by another bug in the script loading code, which does not handle a failed script-compilation very well.

Dennis Schridde <devurandom>
Project Administrator
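Comment #7 above suspects that one script object is freed twice after a failed compilation, through several layers of indirection. The C program below is an added example written for this page, not Warzone 2100 code: ScriptCode, script_compile, script_release and the simulated loader are made up, and the only thing borrowed from the thread is the unknown component name "CyborgSpade" used to trigger the simulated compile error. It shows the two defensive rules that make such a double release harmless: a failed compile leaves the caller with no handle at all, and release goes through a pointer-to-pointer that clears the handle so a second release from another cleanup layer is a no-op.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not Warzone 2100 code. Types and functions are constructed. */

typedef struct {
    char *bytecode;    /* owned buffer, freed exactly once */
} ScriptCode;

static int frees_performed = 0;  /* instrumentation: how often an object was freed */

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Simulated compiler. Any source mentioning the unknown component name from
 * the thread's error log ("CyborgSpade") fails to compile. On failure every
 * partial allocation is undone and NULL is returned, so the caller never ends
 * up holding a half-built object it later has to release. */
ScriptCode *script_compile(const char *source)
{
    ScriptCode *sc = calloc(1, sizeof *sc);
    if (!sc) return NULL;
    if (strstr(source, "CyborgSpade") != NULL) {
        free(sc);
        return NULL;
    }
    sc->bytecode = dup_string(source);
    if (!sc->bytecode) { free(sc); return NULL; }
    return sc;
}

/* Release through a pointer-to-pointer: the caller's handle is set to NULL,
 * so a second call from another cleanup layer finds nothing to free.
 * Returns 1 if memory was actually released, 0 for a no-op. */
int script_release(ScriptCode **handle)
{
    if (handle == NULL || *handle == NULL) return 0;
    free((*handle)->bytecode);
    free(*handle);
    frees_performed++;
    *handle = NULL;
    return 1;
}

/* Models loading two scripts, one of which fails, followed by a shutdown in
 * which two independent cleanup layers release every registered handle.
 * Returns the number of real frees: 1, one per object that was ever
 * allocated, however many release calls were made. */
int simulate_failed_load_and_shutdown(void)
{
    frees_performed = 0;
    ScriptCode *rules = script_compile("construct CyborgSpade");  /* fails */
    ScriptCode *ai    = script_compile("construct Truck");        /* succeeds */

    /* first cleanup layer (resource system) */
    script_release(&rules);   /* no-op: nothing was allocated */
    script_release(&ai);      /* frees */
    /* second cleanup layer (script engine shutdown) sees the same handles */
    script_release(&rules);   /* no-op */
    script_release(&ai);      /* no-op: handle already NULL */

    return frees_performed;
}
```

Note that the second rule only helps when every cleanup layer shares the same handle storage; if each layer keeps its own copy of the raw pointer, the NULLing in one layer does not protect the other, which is exactly the situation Valgrind's "Invalid read ... free'd" reports point at.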
Wed 25 Jun 2008 05:02:33 PM UTC, comment #6:

> trunk version
> segfault after clicking "im ready" button in skirmish
>
> ./src/warzone2100 --mod aivolution
> error : [cdAudio_TrackFinished] Out of playlist?! was playing music/menu.ogg


This specific crash is unrelated to this bug AFAIK. Furthermore this specific crash had been reported as bug #11879, which I fixed several hours ago.

Giel van Schijndel <muggenhor>
Project Member
Tue 24 Jun 2008 06:02:27 PM UTC, comment #5:

My "echo > ~/.warzone2100-2.1/music/music.wpl" hack does not work anymore it seems... But Buggy's "cp data/base/music/* ~/.warzone2100-2.1/music/" hack does still work... Weird...

Dennis Schridde <devurandom>
Project Administrator
Tue 24 Jun 2008 12:05:14 AM UTC, comment #4:

trunk version
segfault after clicking "im ready" button in skirmish

./src/warzone2100 --mod aivolution
error : [cdAudio_TrackFinished] Out of playlist?! was playing music/menu.ogg
Saved dump file to '/tmp/warzone2100.gdmp'
Segmentation fault

(file #4457)

Anonymous
Sun 22 Jun 2008 05:45:42 PM UTC, comment #3:

Same issue.

error : [scrv_error] VLO parse error: Construct component CyborgSpade not found at line 86, text: 'CyborgSpade'
error : [dataScriptLoadVals] Script rules.vlo did not compile
error : [resLoadFile] resLoadFile: The load function for resource type "SCRIPTVAL" failed for file "rules.vlo"
error : [resLoad] resLoad: failed to parse wrf/multi/skirmish4.wrf
error : [startGameLoop] Shutting down after failure

(file #4452)

Dennis Schridde <devurandom>
Project Administrator
Sat 21 Jun 2008 04:32:21 PM UTC, comment #2:

Can you still reproduce the problem?

Per I. Mathisen <per>
Project Administrator
Sat 21 Jun 2008 02:56:37 AM UTC, comment #1:

It seems that if we have the .ogg files in the base/music directory, instead of the configdir/music directory, we crash, with very strange errors.

Pull down a clean copy of trunk, then after you make it, cd to wherever, makedir whatever, and then run warzone via:
--configdir fullPathTo/whatever --window
and it should crash every time.

Then move the .ogg files from base\music\*.ogg to whatever\music, and all is fine now, when run with the same args.

Haven't yet found out why.

--Buginator

Anonymous
Fri 20 Jun 2008 06:58:44 PM UTC, original submission:

r5261 showed that the playlist code causes weird segfaults.
Buggy and I see them in the scripting engine, but it apparently also shows up in other locations, like the sound engine. (See attached backtrace.)

Dennis Schridde <devurandom>
Project Administrator

 

Attached Files
file #4490:  warzone2100-r5341.gdmp added by None (19kB - application/octet-stream)
file #4457:  warzone2100.gdmp added by None (11kB - text/plain)
file #4452:  warzone2100.gdmp added by devurandom (8kB - text/plain - Another, different, backtrace.)
file #4447:  SKJeIF75.txt added by devurandom (10kB - application/octet-stream)

 

Depends on the following items: None found

Items that depend on this one


Carbon-Copy List
  • -unavailable- added by muggenhor (Posted a comment)
  • -unavailable- added by per (Posted a comment)
  • -unavailable- added by devurandom (Submitted the item)

    Follow 9 latest changes.

    Date                             Changed By   Updated Field   Previous Value => Replaced By
    Mon 08 Sep 2008 04:13:12 AM UTC  buginator    Open/Closed     Closed => Open
    Mon 08 Sep 2008 04:13:11 AM UTC  buginator    Status          Confirmed => In Progress
    Tue 15 Jul 2008 12:50:16 PM UTC  per          Status          None => Confirmed
                                                  Open/Closed     Open => Closed
    Sat 28 Jun 2008 09:09:37 AM UTC  None         Attached File   - => Added warzone2100-r5341.gdmp, #4490
    Tue 24 Jun 2008 12:05:13 AM UTC  None         Attached File   - => Added warzone2100.gdmp, #4457
    Sun 22 Jun 2008 05:45:42 PM UTC  devurandom   Attached File   - => Added warzone2100.gdmp, #4452
    Sun 22 Jun 2008 05:04:23 PM UTC  devurandom   Dependencies    - => bugs #11861 is dependent
    Fri 20 Jun 2008 06:58:44 PM UTC  devurandom   Attached File   - => Added SKJeIF75.txt, #4447