Bug#863536: doomsday: Segfaults when attempting to start new game

Bernhard Übelacker bernhardu at mailbox.org
Wed May 31 18:12:00 UTC 2017


Hello,
I tried to reproduce the issue.

I think the problem is that in Cl_IsClientMobj the method maybeAs()
is called on a NULL pointer on mo->thinker.d.

With the attached patch the crash does not happen.

And this time I took the opportunity to play in
doom1-share.wad and doom2.wad (just briefly) and found
no more crashes.

Kind regards,
Bernhard





# gdb -q --args doomsday
(gdb) run
...
Loading map "E1M1"...

Thread 39 "CallbackThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff873a2700 (LWP 17501)]
0x00007ffff476492d in __dynamic_cast () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6


(gdb) bt
#0  0x00007ffff476492d in __dynamic_cast () at /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData>() (this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
#2  0x00005555555dc9bd in Cl_IsClientMobj(mobj_s const*) (mo=mo at entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
#3  0x00005555558828e0 in de::Thinkers::add(thinker_s&, bool) (this=0x7fff39c58690, th=..., makePublic=makePublic at entry=true) at src/world/thinkers.cpp:230
#4  0x0000555555861020 in P_MobjCreate(void (*)(void*), de::Vector3<double> const&, unsigned int, double, double, int) (function=0x7fffe1fc3940 <P_MobjThinker>, origin=..., angle=<optimized out>, radius=16, height=128, ddflags=536870912) at src/world/p_mobj.cpp:119
#5  0x000055555580555b in Mobj_CreateXYZ(thinkfunc_t, coord_t, coord_t, coord_t, angle_t, coord_t, coord_t, int) (function=<optimized out>, x=<optimized out>, y=<optimized out>, z=<optimized out>, angle=<optimized out>, radius=<optimized out>, height=<optimized out>, ddflags=<optimized out>) at src/world/api_map.cpp:1788
#6  0x00007fffe1fc3458 in P_SpawnMobjXYZ (type=type at entry=MT_MISC48, x=288, y=-3104, z=0, angle=1073741824, spawnFlags=536870919) at src/p_mobj.c:709
#7  0x00007fffe1fc385a in P_SpawnMobj (type=type at entry=MT_MISC48, pos=pos at entry=0x7fffe26625c0, angle=<optimized out>, spawnFlags=<optimized out>) at src/p_mobj.c:796
#8  0x00007fffe1f6b972 in spawnMapObjects () at ../common/src/p_mapsetup.cpp:593
#9  0x00007fffe1f6b972 in P_FinalizeMapChange(uri_s const*) (mapUri_=0x7fff873a1900) at ../common/src/p_mapsetup.cpp:894
#10 0x00005555558871c6 in de::WorldSystem::Instance::makeCurrent(de::Map*) (this=this at entry=0x555556e16b60, newMap=newMap at entry=0x7fff38423e50) at src/world/worldsystem.cpp:521
#11 0x0000555555889022 in de::WorldSystem::Instance::changeMap(MapDef*) (this=0x555556e16b60, mapDef=0x7fff383a08f0) at src/world/worldsystem.cpp:724
#12 0x000055555588965d in de::WorldSystem::Instance::changeMapWorker(void*) (context=<optimized out>) at src/world/worldsystem.cpp:744
#13 0x00007ffff7243f83 in CallbackThread::run() (this=0x555558ae1330) at src/concurrency.cpp:76
#14 0x00007ffff4d45daa in QThreadPrivate::start(void*) (arg=0x555558ae1330) at thread/qthread_unix.cpp:352
#15 0x00007ffff6509494 in start_thread (arg=0x7fff873a2700) at pthread_create.c:333
#16 0x00007ffff3f0693f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97


(gdb) up
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData> (this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
135             DENG2_AS_IS_METHODS()
(gdb) 
#2  Cl_IsClientMobj (mo=mo at entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
214         if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, ClientMobjThinkerData))


(gdb) print mo
$3 = (const mobj_t *) 0x7fffe2663cc0
(gdb) print mo->thinker
$4 = {prev = 0x0, next = 0x0, function = 0x7fffe1fc3940 <P_MobjThinker>, _flags = 0, id = 0, d = 0x0}


/* Casts (thinker).d straight to Thinker::IData * and calls maybeAs<T>() on it;
   nothing checks for a NULL d first, so the dynamic_cast inside maybeAs<T>()
   runs with this == 0x0. */
#define THINKER_DATA_MAYBE(thinker, T)  (reinterpret_cast<Thinker::IData *>((thinker).d)->maybeAs<T>())


(gdb) print mo->thinker.d
$5 = (void *) 0x0


dd_bool Cl_IsClientMobj(mobj_t const *mo)
{
    /* cl_mobj.cpp:214: mo->thinker.d is 0x0 here for the freshly created mobj
       (see the gdb output above), which is where the SIGSEGV originates. */
    if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, ClientMobjThinkerData))
    {
        return data->hasRemoteSync();
    }
    return false;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-crash-when-mo-thinker.d-is-a-NULL-pointer.patch
Type: text/x-patch
Size: 3373 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20170531/e0ba5a58/attachment.bin>
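The NULL-pointer path described above, reduced to a stand-alone C++ example (added here; this is not the attached patch and not Doomsday's own headers, and the reduced types, the guarded macro THINKER_DATA_MAYBE_GUARDED, the helper functions and the sample data objects are all constructed for illustration):

```cpp
#include <cstddef>

// Reduced stand-ins for the types seen in the backtrace (assumption: only the
// shape needed to show the crash path, not the project's real declarations).
struct Thinker {
    struct IData {
        virtual ~IData() = default;
        // maybeAs<T>() is a dynamic_cast on this; when this == nullptr the cast
        // dereferences a null pointer, which is the SIGSEGV in __dynamic_cast.
        template <typename T> T *maybeAs() { return dynamic_cast<T *>(this); }
    };
};

struct thinker_s {
    void *function = nullptr;
    void *d = nullptr;   // private data; 0x0 for the just-created mobj in the report
};

struct mobj_t { thinker_s thinker; };

struct ClientMobjThinkerData : Thinker::IData {
    bool remoteSync;
    explicit ClientMobjThinkerData(bool sync) : remoteSync(sync) {}
    bool hasRemoteSync() const { return remoteSync; }
};

struct OtherThinkerData : Thinker::IData {};   // an unrelated IData subclass

// Macro as quoted in the report: casts thinker.d and calls through it unchecked.
#define THINKER_DATA_MAYBE(thinker, T) \
    (reinterpret_cast<Thinker::IData *>((thinker).d)->maybeAs<T>())

// Guarded variant (assumption: one possible fix, not the attached patch):
// yield nullptr when there is no private data instead of calling through NULL.
#define THINKER_DATA_MAYBE_GUARDED(thinker, T) \
    ((thinker).d ? reinterpret_cast<Thinker::IData *>((thinker).d)->maybeAs<T>() : nullptr)

bool Cl_IsClientMobj_guarded(mobj_t const *mo)
{
    if (ClientMobjThinkerData *data = THINKER_DATA_MAYBE_GUARDED(mo->thinker, ClientMobjThinkerData))
        return data->hasRemoteSync();
    return false;
}

// Constructed sample data objects and a helper that builds a mobj around them.
static ClientMobjThinkerData g_synced(true);
static ClientMobjThinkerData g_local(false);
static OtherThinkerData g_other;

bool isClientMobjWithData(Thinker::IData *data)
{
    mobj_t mo;
    mo.thinker.d = data;   // stored as IData *, matching what the macro casts back
    return Cl_IsClientMobj_guarded(&mo);
}
```

Calling the unguarded THINKER_DATA_MAYBE with a NULL d reproduces the crash, so only the guarded form is exercised here.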