Freeciv - Bugs: bug #19800, Server crash after reading... [Gna!]

Freeciv - Bugs: bug #19800, Server crash after reading...

Group

Main
- Main
- View Members
- Search
Homepage
Download
Docs
- Browse
- Submit
- Edit
- Digest
- Export
- Search
Mailing Lists
Source Code
- Use Subversion
- Browse Sources Repository
Bugs
- Browse
- Reset to all open ones
- Submit
- Digest
- Export
- View Statistics
- Search
Tasks
- Browse
- Reset to all open ones
- Submit
- Digest
- Export
- View Statistics
- Search
Patches
- Browse
- Reset to all open ones
- Submit
- Digest
- Export
- View Statistics
- Search

Show feedback again

bug #19800: Server crash after reading "multiplayer.serv" or "civ2.serv"

Submitted by:	pepeto <pepeto>
Submitted on:	Tue 12 Jun 2012 10:36:30 AM UTC

Category:	general	Severity:	3 - Normal
Priority:	5 - Normal	Status:	Fixed
Assigned to:	Marko Lindqvist <cazfi>	Open/Closed:	Closed
Release:	S2_3	Operating System:	GNU/Linux
Planned Release:	2.3.3, 2.4.0, 2.5.0

Add a New Comment (Rich Markup):

You are not logged in

Please log in, so followups can be emailed to you.

( Jump to the original submission)

Sun 07 Oct 2012 07:44:42 PM UTC, SVN revision 21891: Reallocate space for advisor government want values when their number may change on load of new ruleset. Reported by pepeto Patch by me after investigation and suggestion by Jacob Nevins See gna bug #19800 (Browse SVN revision 21891)	Marko Lindqvist <cazfi>
Sun 07 Oct 2012 07:44:37 PM UTC, SVN revision 21890: Reallocate space for advisor government want values when their number may change on load of new ruleset. Reported by pepeto Patch by me after investigation and suggestion by Jacob Nevins See gna bug #19800 (Browse SVN revision 21890)	Marko Lindqvist <cazfi>
Sun 07 Oct 2012 07:44:32 PM UTC, SVN revision 21889: Reallocate space for advisor government want values when their number may change on load of new ruleset. Reported by pepeto Patch by me after investigation and suggestion by Jacob Nevins See gna bug #19800 (Browse SVN revision 21889)	Marko Lindqvist <cazfi>
Fri 05 Oct 2012 03:07:27 AM UTC, comment #5: Patches (file #16636, file #16637)	Marko Lindqvist <cazfi>
Fri 15 Jun 2012 07:54:13 PM UTC, comment #4: The calls to ai_data_init() and ai_data_close() look balanced. However, the second significant valgrind error ("Invalid write of size 4") is relevant, I think. When ai_data_init() is called for a player, it allocates ai->government_want according to the government_count() in force at the time. It looks like ai_data_init() is only called when a player is first created. I'm guessing the problem is that if a player exists over a ruleset reload, that player's government_want remains sized for the old ruleset. It looks like ai_data_default() is called to reinitialise the player on ruleset reload, but that doesn't reallocate ai->government_want. However it does memset it, based on the new government_count(). Since the civ2 and multiplayer rulesets have an extra government compared to the classic ruleset (Fundamentalism), that memset will overrun. Is the fix simply to reallocate government_want in ai_data_default() rather than ai_data_init()? I'll leave this for someone else... (The other valgrind error looks unrelated -- although player data applicable to long-gone rulesets is also implicated -- so I've raised it as bug #19814.)	Jacob Nevins <jtn>
Fri 15 Jun 2012 10:45:39 AM UTC, comment #3: Revision: 21191 ; This is valgrind backtrace : ==32115== Memcheck, a memory error detector ==32115== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al. ==32115== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==32115== Command: server/freeciv-server ==32115== This is the server for Freeciv version 2.3.2+ You can learn a lot about Freeciv at http://www.freeciv.org/ 2: Loading rulesets. ==32115== Conditional jump or move depends on uninitialised value(s) ==32115== at 0x4057DD8: inflateReset2 (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4057EC7: inflateInit2_ (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0xFFFFFFFE: ??? ==32115== ==32115== Conditional jump or move depends on uninitialised value(s) ==32115== at 0x4057DD8: inflateReset2 (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4057EC7: inflateInit2_ (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4F462FDF: ??? ==32115== ==32115== Conditional jump or move depends on uninitialised value(s) ==32115== at 0x4057DD8: inflateReset2 (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4057EC7: inflateInit2_ (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4FDB0A0A: ??? ==32115== 2: ai_data_init(): 0x68d63f0 nb 0 "noname" 2: AI1 has been added as Easy level AI-controlled player. 2: ai_data_init(): 0x68ea540 nb 1 "noname" 2: AI2 has been added as Easy level AI-controlled player. 2: ai_data_init(): 0x68fe7d0 nb 2 "noname" 2: AI3 has been added as Easy level AI-controlled player. 2: ai_data_init(): 0x6912ba0 nb 3 "noname" 2: AI4 has been added as Easy level AI-controlled player. 2: ai_data_init(): 0x69270b0 nb 4 "noname" 2: AI5 has been added as Easy level AI-controlled player. 2: Now accepting new client connections. For introductory help, type 'help'. > 2: Connection request from pepeto from localhost 2: c1 has client version 2.3.2+ 2: pepeto has connected from localhost. > ==32115== Conditional jump or move depends on uninitialised value(s) ==32115== at 0x4057DD8: inflateReset2 (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4057EC7: inflateInit2_ (in /lib/i386-linux-gnu/libz.so.1.2.3.4) ==32115== by 0x4FDB0EB1: ??? ==32115== pepeto: '/read multiplayer' 2: Loading script file 'data/multiplayer.serv'. pepeto: '# Server commands to make multiplayer Freeciv rules ' pepeto: '# ' pepeto: ' ' pepeto: 'rulesetdir multiplayer ' 2: Ruleset directory set to "multiplayer" 2: Loading rulesets. ==32115== Invalid read of size 4 ==32115== at 0x8125F88: government_number (government.c:93) ==32115== by 0x80B779F: package_player_info (plrhand.c:872) ==32115== by 0x80B7EE7: send_player_info_c_real (plrhand.c:717) ==32115== by 0x80B8010: send_player_info_c (plrhand.c:690) ==32115== by 0x80C7A7B: load_rulesets (ruleset.c:3968) ==32115== by 0x80571FE: set_rulesetdir (stdinhand.c:3694) ==32115== by 0x805CF1F: handle_stdin_input_real.part.15 (stdinhand.c:4124) ==32115== by 0x805F04F: read_init_script_real (stdinhand.c:1196) ==32115== by 0x805C578: handle_stdin_input_real.part.15 (stdinhand.c:1113) ==32115== by 0x8101147: handle_chat_msg_req (handchat.c:343) ==32115== by 0x80B1E9E: server_handle_packet (hand_gen.c:40) ==32115== by 0x804FEC1: server_packet_input (srv_main.c:1498) ==32115== Address 0x43391a0 is 0 bytes inside a block of size 1,344 free'd ==32115== at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==32115== by 0x8126B7C: governments_free (government.c:536) ==32115== by 0x8125731: game_ruleset_free (game.c:493) ==32115== by 0x80C7A54: load_rulesets (ruleset.c:3983) ==32115== by 0x80571FE: set_rulesetdir (stdinhand.c:3694) ==32115== by 0x805CF1F: handle_stdin_input_real.part.15 (stdinhand.c:4124) ==32115== by 0x805F04F: read_init_script_real (stdinhand.c:1196) ==32115== by 0x805C578: handle_stdin_input_real.part.15 (stdinhand.c:1113) ==32115== by 0x8101147: handle_chat_msg_req (handchat.c:343) ==32115== by 0x80B1E9E: server_handle_packet (hand_gen.c:40) ==32115== by 0x804FEC1: server_packet_input (srv_main.c:1498) ==32115== by 0x80DF00D: server_sniff_all_input (sernet.c:448) ==32115== 2: Ruleset: 'generator' has been set to "Island-based" (ISLAND). 2: Ruleset: 'topology' has been set to "Wrap East-West" and "Wrap North-South" (WRAPX\|WRAPY). 2: Ruleset: 'startpos' has been set to "One player per continent" (SINGLE). 2: Ruleset: 'alltemperate' has been set to enabled. 2: Ruleset: 'separatepoles' has been set to disabled. 2: Ruleset: 'huts' has been set to 0. 2: Ruleset: 'aifill' has been set to 0. 2: Ruleset: 'diplomacy' has been set to "Disabled for everyone" (DISABLED). 2: Ruleset: 'contactturns' has been set to 0. 2: Ruleset: 'revolen' has been set to 2. 2: Ruleset: 'barbarians' has been set to "No barbarians" (DISABLED). 2: Ruleset: 'techpenalty' has been set to 0. 2: Ruleset: 'startunits' has been set to "cccwwwxxxx". 2: Ruleset: 'specials' has been set to 350. 2: Ruleset: 'borders' has been set to "Disabled" (DISABLED). 2: Removing player AI5. 2: ai_data_close(): 0x69270b0 nb 4 "AI5" 2: Removing player AI4. 2: ai_data_close(): 0x6912ba0 nb 3 "AI4" 2: Removing player AI3. 2: ai_data_close(): 0x68fe7d0 nb 2 "AI3" 2: Removing player AI2. 2: ai_data_close(): 0x68ea540 nb 1 "AI*2" pepeto: ' ' pepeto: '# changed game settings are defined in game.ruleset ' > Starting game. > 2: Tvrtko Kotromanić rules the Bosnians. 2: Creating a map of size 64 x 64 = 4096 tiles (4000 requested). ==32115== Invalid write of size 4 ==32115== at 0x402E8D3: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==32115== by 0x8088F23: ai_data_default (string3.h:85) ==32115== by 0x8052EED: srv_main (srv_main.c:2450) ==32115== by 0x804B6DB: main (civserver.c:377) ==32115== Address 0x68e1cdc is 0 bytes after a block of size 28 alloc'd ==32115== at 0x402BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==32115== by 0x81BB644: fc_real_malloc (mem.c:83) ==32115== by 0x81BB803: fc_real_calloc (mem.c:128) ==32115== by 0x80890F3: ai_data_init (advdata.c:846) ==32115== by 0x80BA86B: server_create_player (plrhand.c:1136) ==32115== by 0x8050B5C: aifill (srv_main.c:1807) ==32115== by 0x80E4EB4: settings_ruleset (settings.c:3063) ==32115== by 0x80CA5CD: load_rulesets (ruleset.c:3461) ==32115== by 0x80517D7: srv_main (srv_main.c:2267) ==32115== by 0x40AA4D2: (below main) (libc-start.c:226) ==32115== > pepeto: '/quit' 2: Goodbye. 2: Removing player Tvrtko Kotromanić. 2: ai_data_close(): 0x68d63f0 nb 0 "Tvrtko Kotromanić" ==32115== ==32115== HEAP SUMMARY: ==32115== in use at exit: 4,683 bytes in 108 blocks ==32115== total heap usage: 608,540 allocs, 608,432 frees, 71,709,523 bytes allocated ==32115== ==32115== LEAK SUMMARY: ==32115== definitely lost: 24 bytes in 3 blocks ==32115== indirectly lost: 293 bytes in 6 blocks ==32115== possibly lost: 0 bytes in 0 blocks ==32115== still reachable: 4,366 bytes in 99 blocks ==32115== suppressed: 0 bytes in 0 blocks ==32115== Rerun with --leak-check=full to see details of leaked memory ==32115== ==32115== For counts of detected and suppressed errors, rerun with: -v ==32115== Use --track-origins=yes to see where uninitialised values come from ==32115== ERROR SUMMARY: 801 errors from 6 contexts (suppressed: 0 from 0)	pepeto <pepeto>
Fri 15 Jun 2012 12:06:31 AM UTC, comment #2: > I can't trivially reproduce this As this seems to be about ai->government_want being non-NULL illegal pointer it could be simply that it's not initialized. 1) To avoid compiler setting it to NULL you need to compile with optimization. 2) You must be lucky that the uninitialized value is something that does not just happen to pass. Pepeto: Can you add logging to ai_data_init() and ai_data_close() with player names to check that they are always called in pairs (ai_data_init() must be called before ai_data_close() and ai_data_close() should not be called multiple times)	Marko Lindqvist <cazfi>
Thu 14 Jun 2012 11:40:12 PM UTC, comment #1: Hey pepeto, long time no see... I can't trivially reproduce this with head of S2_3 (r21191), but then I don't think the line numbers in the backtrace match up with that. Which revision was this? We fixed several player-removal bugs recently, but none strikes me as obviously relevant.	Jacob Nevins <jtn>
Tue 12 Jun 2012 10:36:30 AM UTC, original submission: I get a crash when quitting the server after having loaded "multiplayer" or "civ2" rulesets at first turn. * glibc detected * /usr/local/bin/freeciv-server: free(): invalid next size (fast): 0x0883c438 * ======= Backtrace: ========= /lib/i386-linux-gnu/libc.so.6(+0x73e42)[0x1e8e42] /usr/local/bin/freeciv-server[0x8088fcc] /usr/local/bin/freeciv-server[0x80b87fd] /usr/local/bin/freeciv-server[0x805159a] /usr/local/bin/freeciv-server[0x80516b2] /usr/local/bin/freeciv-server[0x805ccb5] /usr/local/bin/freeciv-server[0x8100998] /usr/local/bin/freeciv-server[0x80b1a5f] /usr/local/bin/freeciv-server[0x804fe92] /usr/local/bin/freeciv-server[0x80dea16] /usr/local/bin/freeciv-server[0x8051ded] /usr/local/bin/freeciv-server[0x804b68c] /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x18e4d3] /usr/local/bin/freeciv-server[0x804bc65] ======= Memory map: ======== 00110000-00130000 r-xp 00000000 08:01 8388653 /lib/i386-linux-gnu/ld-2.15.so 00130000-00131000 r--p 0001f000 08:01 8388653 /lib/i386-linux-gnu/ld-2.15.so 00131000-00132000 rw-p 00020000 08:01 8388653 /lib/i386-linux-gnu/ld-2.15.so 00132000-00133000 r-xp 00000000 00:00 0 [vdso] 00133000-00147000 r-xp 00000000 08:01 8388673 /lib/i386-linux-gnu/libz.so.1.2.3.4 00147000-00148000 r--p 00013000 08:01 8388673 /lib/i386-linux-gnu/libz.so.1.2.3.4 00148000-00149000 rw-p 00014000 08:01 8388673 /lib/i386-linux-gnu/libz.so.1.2.3.4 00149000-00173000 r-xp 00000000 08:01 8393785 /lib/i386-linux-gnu/libm-2.15.so 00173000-00174000 r--p 00029000 08:01 8393785 /lib/i386-linux-gnu/libm-2.15.so 00174000-00175000 rw-p 0002a000 08:01 8393785 /lib/i386-linux-gnu/libm-2.15.so 00175000-00314000 r-xp 00000000 08:01 8393781 /lib/i386-linux-gnu/libc-2.15.so 00314000-00316000 r--p 0019f000 08:01 8393781 /lib/i386-linux-gnu/libc-2.15.so 00316000-00317000 rw-p 001a1000 08:01 8393781 /lib/i386-linux-gnu/libc-2.15.so 00317000-0031a000 rw-p 00000000 00:00 0 0031a000-00325000 r-xp 00000000 08:01 8393790 /lib/i386-linux-gnu/libnss_files-2.15.so 00325000-00326000 r--p 0000a000 08:01 8393790 /lib/i386-linux-gnu/libnss_files-2.15.so 00326000-00327000 rw-p 0000b000 08:01 8393790 /lib/i386-linux-gnu/libnss_files-2.15.so 00327000-00343000 r-xp 00000000 08:01 8388853 /lib/i386-linux-gnu/libgcc_s.so.1 00343000-00344000 r--p 0001b000 08:01 8388853 /lib/i386-linux-gnu/libgcc_s.so.1 00344000-00345000 rw-p 0001c000 08:01 8388853 /lib/i386-linux-gnu/libgcc_s.so.1 08048000-0826f000 r-xp 00000000 08:01 10890857 /usr/local/bin/freeciv-server 0826f000-08270000 r--p 00226000 08:01 10890857 /usr/local/bin/freeciv-server 08270000-08274000 rw-p 00227000 08:01 10890857 /usr/local/bin/freeciv-server 08274000-0936e000 rw-p 00000000 00:00 0 [heap] b7c69000-b7cd3000 rw-p 00000000 00:00 0 b7cd3000-b7cda000 r--s 00000000 08:01 10496484 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache b7cda000-b7de2000 r--p 00000000 08:01 11014208 /usr/local/share/locale/fr/LC_MESSAGES/freeciv.mo b7de2000-b7fe2000 r--p 00000000 08:01 10487192 /usr/lib/locale/locale-archive b7fe2000-b7fe4000 rw-p 00000000 00:00 0 b7ffd000-b7ffe000 r--p 002cc000 08:01 10487192 /usr/lib/locale/locale-archive b7ffe000-b8000000 rw-p 00000000 00:00 0 bffb6000-c0000000 rw-p 00000000 00:00 0 [stack] Program received signal SIGABRT, Aborted. 0x00132416 in __kernel_vsyscall () (gdb) bt #0 0x00132416 in __kernel_vsyscall () #1 0x001a31ef in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #2 0x001a6835 in __GI_abort () at abort.c:91 #3 0x001de2fa in __libc_message (do_abort=2, fmt=0x2d63bc "* glibc detected * %s: %s: 0x%s \n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201 #4 0x001e8e42 in malloc_printerr (action=<optimized out>, str=<optimized out>, ptr=0x883c438) at malloc.c:5007 #5 0x08088fcc in ai_data_close (pplayer=0x8958428) at advdata.c:905 #6 0x080b87fd in server_remove_player (pplayer=0x8958428) at plrhand.c:1182 #7 0x0805159a in server_game_free () at srv_main.c:2529 #8 0x080516b2 in server_quit () at srv_main.c:1308 #9 0x0805ccb5 in quit_game (check=false, caller=0x827cd80) at stdinhand.c:3866 #10 handle_stdin_input_real (caller=0x827cd80, str=<optimized out>, check=false, read_recursion=0) at stdinhand.c:4110 #11 0x08100998 in handle_chat_msg_req (pconn=0x827cd80, message=0x897e0f8 "/quit") at handchat.c:343 #12 0x080b1a5f in server_handle_packet (type=PACKET_CHAT_MSG_REQ, packet=0x897e0f8, pplayer=0x0, pconn=0x827cd80) at hand_gen.c:40 #13 0x0804fe92 in server_packet_input (pconn=0x827cd80, packet=0x897e0f8, type=26) at srv_main.c:1510 #14 0x080dea16 in incoming_client_packets (pconn=<optimized out>) at sernet.c:448 #15 server_sniff_all_input () at sernet.c:825 #16 0x08051ded in srv_running () at srv_main.c:2174 #17 srv_main () at srv_main.c:2574 #18 0x0804b68c in main (argc=1, argv=0xbffff394) at civserver.c:377 (gdb) bt full #0 0x00132416 in __kernel_vsyscall () No symbol table info available. #1 0x001a31ef in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = <optimized out> resultvar = <optimized out> pid = 3235828 selftid = 4609 #2 0x001a6835 in __GI_abort () at abort.c:91 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x3, sa_sigaction = 0x3}, sa_mask = {__val = {134513092, 134513132, 3221203196, 1369, 3221203228, 2455982, 0, 0, 1790285, 3235828, 3235828, 14, 3221204660, 2577802, 11, 3221203124, 4, 0, 3221222252, 0, 3, 0, 6, 3221203228, 3221203220, 4, 2966248, 2966252, 1631200, 3, 1631443, 4}}, sa_flags = 5, sa_restorer = 0x2d1dbf} sigs = {__val = {32, 0 <repeats 31 times>}} #3 0x001de2fa in __libc_message (do_abort=2, fmt=0x2d63bc " glibc detected * %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201 ap = 0xb7c69000 "" ap_copy = 0xb7c69000 "" fd = 11 on_2 = <optimized out> list = <optimized out> nlist = <optimized out> cp = <optimized out> written = <optimized out> #4 0x001e8e42 in malloc_printerr (action=<optimized out>, str=<optimized out>, ptr=0x883c438) at malloc.c:5007 buf = "0883c438" cp = <optimized out> #5 0x08088fcc in ai_data_close (pplayer=0x8958428) at advdata.c:905 ai = 0x853d478 #6 0x080b87fd in server_remove_player (pplayer=0x8958428) at plrhand.c:1182 pslot = <optimized out> __FUNCTION__ = "server_remove_player" #7 0x0805159a in server_game_free () at srv_main.c:2529 pplayer = <optimized out> _pslot = 0x8484f58 #8 0x080516b2 in server_quit () at srv_main.c:1308 No locals. #9 0x0805ccb5 in quit_game (check=false, caller=0x827cd80) at stdinhand.c:3866 No locals. #10 handle_stdin_input_real (caller=0x827cd80, str=<optimized out>, check=false, read_recursion=0) at stdinhand.c:4110	pepeto <pepeto>

(Note: upload size limit is set to 1024 kB, after insertion of the required escape characters.)

Attach File(s):


Comment:

Attached Files

file #16636: GovCountChange.patch added by cazfi (973B - text/x-patch)

file #16637: GovCountChange-S2_3.patch added by cazfi (818B - text/x-patch)

Depends on the following items: None found

Items that depend on this one: None found

Carbon-Copy List

-unavailable- added by cazfi (Posted a comment)

-unavailable- added by jtn (Posted a comment)

-unavailable- added by pepeto (Submitted the item)

Do you think this task is very important?
If so, you can click here to add your encouragement to it.
This task has 0 encouragements so far.

Only logged-in users can vote.

Please enter the title of George Orwell's famous dystopian book (it's a date):

Follow 8 latest changes.

Date	Changed By	Updated Field	Previous Value	Replaced By
Sun 07 Oct 2012 07:44:58 PM UTC	cazfi	Status	Ready For Test	Fixed
		Assigned to	None	cazfi
		Open/Closed	Open	Closed
Fri 05 Oct 2012 03:07:27 AM UTC	cazfi	Attached File	-	Added GovCountChange.patch, #16636
		Attached File	-	Added GovCountChange-S2_3.patch, #16637
		Status	None	Ready For Test
Mon 25 Jun 2012 06:16:00 PM UTC	cazfi	Planned Release		2.3.3, 2.4.0, 2.5.0
Fri 15 Jun 2012 07:54:13 PM UTC	jtn	Summary	Server crash after reading "multiplayer.serv" or "civ.serv"	Server crash after reading "multiplayer.serv" or "civ2.serv"

Show feedback again