Bug#863536: doomsday: Segfaults when attempting to start new game

Bernhard Übelacker Wed, 31 May 2017 11:15:35 -0700

Hello,
tried to reproduce the issue.

I think the problem is that in Cl_IsClientMobj the method maybeAs()
is called on a NULL pointer on mo->thinker.d.


With the attached patch the crash does not happen.

And this time I took the opportunity to play in
doom1-share.wad and doom2.wad (just short) and found
no more crashes.

Kind regards,
Bernhard





# gdb -q --args doomsday
(gdb) run
...
Loading map "E1M1"...

Thread 39 "CallbackThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff873a2700 (LWP 17501)]
0x00007ffff476492d in __dynamic_cast () from 
/usr/lib/x86_64-linux-gnu/libstdc++.so.6


(gdb) bt
#0  0x00007ffff476492d in __dynamic_cast () at 
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData>() 
(this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
#2  0x00005555555dc9bd in Cl_IsClientMobj(mobj_s const*) 
(mo=mo@entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
#3  0x00005555558828e0 in de::Thinkers::add(thinker_s&, bool) 
(this=0x7fff39c58690, th=..., makePublic=makePublic@entry=true) at 
src/world/thinkers.cpp:230
#4  0x0000555555861020 in P_MobjCreate(void (*)(void*), de::Vector3<double> 
const&, unsigned int, double, double, int) (function=0x7fffe1fc3940 
<P_MobjThinker>, origin=..., angle=<optimized out>, radius=16, height=128, 
ddflags=536870912) at src/world/p_mobj.cpp:119
#5  0x000055555580555b in Mobj_CreateXYZ(thinkfunc_t, coord_t, coord_t, 
coord_t, angle_t, coord_t, coord_t, int) (function=<optimized out>, 
x=<optimized out>, y=<optimized out>, z=<optimized out>, angle=<optimized out>, 
radius=<optimized out>, height=<optimized out>, ddflags=<optimized out>) at 
src/world/api_map.cpp:1788
#6  0x00007fffe1fc3458 in P_SpawnMobjXYZ (type=type@entry=MT_MISC48, x=288, 
y=-3104, z=0, angle=1073741824, spawnFlags=536870919) at src/p_mobj.c:709
#7  0x00007fffe1fc385a in P_SpawnMobj (type=type@entry=MT_MISC48, 
pos=pos@entry=0x7fffe26625c0, angle=<optimized out>, spawnFlags=<optimized 
out>) at src/p_mobj.c:796
#8  0x00007fffe1f6b972 in spawnMapObjects () at ../common/src/p_mapsetup.cpp:593
#9  0x00007fffe1f6b972 in P_FinalizeMapChange(uri_s const*) 
(mapUri_=0x7fff873a1900) at ../common/src/p_mapsetup.cpp:894
#10 0x00005555558871c6 in de::WorldSystem::Instance::makeCurrent(de::Map*) 
(this=this@entry=0x555556e16b60, newMap=newMap@entry=0x7fff38423e50) at 
src/world/worldsystem.cpp:521
#11 0x0000555555889022 in de::WorldSystem::Instance::changeMap(MapDef*) 
(this=0x555556e16b60, mapDef=0x7fff383a08f0) at src/world/worldsystem.cpp:724
#12 0x000055555588965d in de::WorldSystem::Instance::changeMapWorker(void*) 
(context=<optimized out>) at src/world/worldsystem.cpp:744
#13 0x00007ffff7243f83 in CallbackThread::run() (this=0x555558ae1330) at 
src/concurrency.cpp:76
#14 0x00007ffff4d45daa in QThreadPrivate::start(void*) (arg=0x555558ae1330) at 
thread/qthread_unix.cpp:352
#15 0x00007ffff6509494 in start_thread (arg=0x7fff873a2700) at 
pthread_create.c:333
#16 0x00007ffff3f0693f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:97


(gdb) up
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData> 
(this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
135             DENG2_AS_IS_METHODS()
(gdb) 
#2  Cl_IsClientMobj (mo=mo@entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
214         if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, 
ClientMobjThinkerData))


(gdb) print mo
$3 = (const mobj_t *) 0x7fffe2663cc0
(gdb) print mo->thinker
$4 = {prev = 0x0, next = 0x0, function = 0x7fffe1fc3940 <P_MobjThinker>, _flags 
= 0, id = 0, d = 0x0}


#define THINKER_DATA_MAYBE(thinker, T)  (reinterpret_cast<Thinker::IData 
*>((thinker).d)->maybeAs<T>())


(gdb) print mo->thinker.d
$5 = (void *) 0x0


dd_bool Cl_IsClientMobj(mobj_t const *mo)
{
    if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, 
ClientMobjThinkerData))
    {
        return data->hasRemoteSync();
    }
    return false;
}

From 8a6fb59e5dd1965638c70ad9a396eb9bf959e84d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernha...@mailbox.org>
Date: Wed, 31 May 2017 19:59:36 +0200
Subject: Avoid crash when mo->thinker.d is a NULL pointer.

https://bugs.debian.org/863536

(gdb) bt
#0  0x00007ffff476492d in __dynamic_cast () at /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData>() (this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
#2  0x00005555555dc9bd in Cl_IsClientMobj(mobj_s const*) (mo=mo@entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
#3  0x00005555558828e0 in de::Thinkers::add(thinker_s&, bool) (this=0x7fff39c58690, th=..., makePublic=makePublic@entry=true) at src/world/thinkers.cpp:230
#4  0x0000555555861020 in P_MobjCreate(void (*)(void*), de::Vector3<double> const&, unsigned int, double, double, int) (function=0x7fffe1fc3940 <P_MobjThinker>, origin=..., angle=<optimized out>, radius=16, height=128, ddflags=536870912) at src/world/p_mobj.cpp:119
#5  0x000055555580555b in Mobj_CreateXYZ(thinkfunc_t, coord_t, coord_t, coord_t, angle_t, coord_t, coord_t, int) (function=<optimized out>, x=<optimized out>, y=<optimized out>, z=<optimized out>, angle=<optimized out>, radius=<optimized out>, height=<optimized out>, ddflags=<optimized out>) at src/world/api_map.cpp:1788
#6  0x00007fffe1fc3458 in P_SpawnMobjXYZ (type=type@entry=MT_MISC48, x=288, y=-3104, z=0, angle=1073741824, spawnFlags=536870919) at src/p_mobj.c:709
#7  0x00007fffe1fc385a in P_SpawnMobj (type=type@entry=MT_MISC48, pos=pos@entry=0x7fffe26625c0, angle=<optimized out>, spawnFlags=<optimized out>) at src/p_mobj.c:796
#8  0x00007fffe1f6b972 in spawnMapObjects () at ../common/src/p_mapsetup.cpp:593
#9  0x00007fffe1f6b972 in P_FinalizeMapChange(uri_s const*) (mapUri_=0x7fff873a1900) at ../common/src/p_mapsetup.cpp:894
#10 0x00005555558871c6 in de::WorldSystem::Instance::makeCurrent(de::Map*) (this=this@entry=0x555556e16b60, newMap=newMap@entry=0x7fff38423e50) at src/world/worldsystem.cpp:521
#11 0x0000555555889022 in de::WorldSystem::Instance::changeMap(MapDef*) (this=0x555556e16b60, mapDef=0x7fff383a08f0) at src/world/worldsystem.cpp:724
#12 0x000055555588965d in de::WorldSystem::Instance::changeMapWorker(void*) (context=<optimized out>) at src/world/worldsystem.cpp:744
#13 0x00007ffff7243f83 in CallbackThread::run() (this=0x555558ae1330) at src/concurrency.cpp:76
#14 0x00007ffff4d45daa in QThreadPrivate::start(void*) (arg=0x555558ae1330) at thread/qthread_unix.cpp:352
#15 0x00007ffff6509494 in start_thread (arg=0x7fff873a2700) at pthread_create.c:333
#16 0x00007ffff3f0693f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
---
 doomsday/client/src/client/cl_mobj.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doomsday/client/src/client/cl_mobj.cpp b/doomsday/client/src/client/cl_mobj.cpp
index 1f207f5..f57270d 100644
--- a/doomsday/client/src/client/cl_mobj.cpp
+++ b/doomsday/client/src/client/cl_mobj.cpp
@@ -211,6 +211,9 @@ void Cl_UpdateRealPlayerMobj(mobj_t *localMobj, mobj_t *remoteClientMobj,
 
 dd_bool Cl_IsClientMobj(mobj_t const *mo)
 {
+    if(!mo->thinker.d)
+        return false;
+
     if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, ClientMobjThinkerData))
     {
         return data->hasRemoteSync();
-- 
2.11.0

Bug#863536: doomsday: Segfaults when attempting to start new game

Reply via email to