Bug#443822: hex-a-hop: Got bt from a segfault :D

Bas Wijnen wijnen at debian.org
Mon Sep 24 22:40:05 UTC 2007


On Mon, Sep 24, 2007 at 08:34:44AM +0200, Gerfried Fuchs wrote:
>  I finally managed to get a crash from hex-a-hop again, with my debug
> built version:
...
>  Hope this is helpful, if you need something more please let me know.

I think it is.  I looked at the code and found the following:

class RenderObject has a member numStages, which holds a number.  The
allocated array member time has numStages elements.  There are maxStages
elements allocated.  maxStages is always >= numStages.

That's the theory.  However, there seems to be a bug there:
time is allocated in Reserve().  This function increases maxStages if
needed and allocates the new amount of elements.  In other words,
Reserve makes sure that time has enough memory allocated to hold the
elements that are supposed to be stored in there.  A logical conclusion
is that Reserve() must be called whenever numStages is increased.

There is only one place where that happens, and that's in
void Add(RenderStage* s, double t);
However, the order is wrong: first Reserve() is called, and after that
numStages is incremented.  This can lead to referencing the last element
of time which isn't allocated.  I think this is the cause of the
problem: the memmove from your backtrace moves the last element of time.

All the above is also true for "stage", but that doesn't make the
problem any better or worse.  If it were to crash on that, it would always
have crashed on "time" just before. :-)

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html
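An added illustration of the ordering problem described above.  This is not hex-a-hop's code and is not part of the mail; it reconstructs a RenderObject with the numStages, maxStages, stage and time members and a Reserve() that grows both arrays.  The doubling growth policy, the initial capacity of four, and the append-only Add() (the mail mentions a memmove in the backtrace, so the real Add() presumably inserts in time order; that is not reproduced here) are assumptions.  Add() is built both ways: Reserve() before the increment, as the mail says the real code does it, and Reserve() after it.  Instead of actually writing past the allocation, the example counts how often the write would land at index maxStages, so the demonstration is deterministic rather than undefined behaviour.

```cpp
#include <cstddef>
#include <cstdlib>

// Hypothetical stand-in for hex-a-hop's RenderStage; only identity matters here.
struct RenderStage { int id; };

// Reconstruction of the RenderObject members named in the mail (assumption:
// array growth by doubling from an initial capacity of four). Not project code.
class RenderObject {
public:
    explicit RenderObject(bool reserveBeforeIncrement)
        : numStages(0), maxStages(0), stage(NULL), time(NULL),
          buggyOrder(reserveBeforeIncrement), oobWrites(0) {
        Reserve(4);
    }
    ~RenderObject() { free(stage); free(time); }

    // Grow both arrays so they can hold at least n elements.
    void Reserve(int n) {
        if (n <= maxStages) return;
        int newMax = maxStages ? maxStages * 2 : 4;
        while (newMax < n) newMax *= 2;
        stage = (RenderStage**)realloc(stage, newMax * sizeof(*stage));
        time  = (double*)realloc(time, newMax * sizeof(*time));
        maxStages = newMax;
    }

    void Add(RenderStage* s, double t) {
        int idx;
        if (buggyOrder) {
            Reserve(numStages);   // capacity for the OLD count ...
            numStages++;          // ... then the count grows
            idx = numStages - 1;  // == old numStages, which may equal maxStages
        } else {
            numStages++;          // grow the count first ...
            Reserve(numStages);   // ... then make room for it
            idx = numStages - 1;  // always < maxStages
        }
        // In real code the write below at idx == maxStages is a one-element
        // heap overflow. Here we record it and skip the write so the demo is
        // deterministic and the process stays healthy.
        if (idx >= maxStages) { oobWrites++; return; }
        stage[idx] = s;
        time[idx] = t;
    }

    int NumStages() const { return numStages; }
    int MaxStages() const { return maxStages; }
    int OutOfBoundsWrites() const { return oobWrites; }

private:
    int numStages, maxStages;
    RenderStage** stage;
    double* time;
    bool buggyOrder;
    int oobWrites;
};

// Perform n Add() calls and report how many would have written past the
// allocation. With buggyOrder == true this happens exactly when the old
// numStages equals maxStages (after 4, 8, 16, ... elements).
static int countOverflows(bool buggyOrder, int n) {
    RenderObject obj(buggyOrder);
    RenderStage s = { 0 };
    for (int i = 0; i < n; i++) obj.Add(&s, i * 0.5);
    return obj.OutOfBoundsWrites();
}
```

countOverflows(true, 20) reports three such writes, at the Add() calls where the old numStages is 4, 8 and 16 and so already equals maxStages; countOverflows(false, 20) reports none.  That matches the diagnosis in the mail: the write targets the element just past the end of time, which is not allocated.  Either of the two fixes sketched in the second branch of Add() removes the problem: increment numStages before calling Reserve(), or call Reserve(numStages + 1).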