<URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582 >

> [EMAIL PROTECTED] - Mo 23. Jun 2008, 15:43:02]:
> Christian Prochaska wrote:
> >
> > The crash happens on Windows (GTK+ client) after ending the turn and
> > after the server cuts the connection "due to lagging player" while the
> > client is busy for some seconds. When the client detects the lost
> > connection (in this case when trying to send data to the server in
> > request_new_unit_activity(punit, ACTIVITY_IDLE), called from
> > set_unit_focus()) it does some cleanup and switches to the main page.
> > But set_unit_focus() still continues after the
> > request_new_unit_activity() call and references a now invalid unit pointer:
> Interesting.  But...I thought hack connections weren't supposed to be
> cut because of lag?  When I run under valgrind I get:
> 2: ignoring ping timeout to hack-level connection sjolley from localhost
> (player Stephen Jolley)
> many many times.  But the connection is uninterrupted.

That's the ping timeout (server option "pingtimeout"), but the lag cut is
associated with the network timeout (server option "nettimeout"), which doesn't
have a check for hack level access (perhaps it should have).

Can you reproduce the crash when setting the "nettimeout" server option
to a lower value before ending the turn?

> > Now I wonder if it's really necessary to take actions on socket write
> > errors on the client side at all? Since the request calls to the server
> > don't return an immediate result that the client depends on, wouldn't it
> > be sufficient if the client would cleanup and reset to pre-game state
> > only when reading of server input fails? The attached patch fixed the
> > crash and didn't show any problems for me so far.
> Possibly an okay workaround.  But, I'd still want to know how exactly
> the punit_focus is getting set to an invalid (freed) pointer.  If it can
> happen here, it could happen again.
> -jason

Got this from valgrind on Linux now:

2: lost connection to server
==11022== Invalid read of size 4
==11022==    at 0x805F1D7: set_unit_focus (control.c:160)
==11022==    by 0x806F246: handle_unit_packet_common (packhand.c:1043)
==11022==    by 0x806F8A4: handle_unit_info (packhand.c:957)
==11022==    by 0x8072275: client_handle_packet (packhand_gen.c:160)
==11022==    by 0x8058588: handle_packet_input (civclient.c:389)
==11022==    by 0x805CE52: input_from_server (clinet.c:350)
==11022==    by 0x43C6B2E: (within /usr/lib/libgdk-x11-2.0.so.0.1200.9)
==11022==    by 0x45E364C: (within /usr/lib/libglib-2.0.so.0.1600.3)
==11022==    by 0x45AF977: g_main_context_dispatch (in
==11022==    by 0x45B2BCD: (within /usr/lib/libglib-2.0.so.0.1600.3)
==11022==    by 0x45B2F56: g_main_loop_run (in
==11022==    by 0x417DD03: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.1200.9)
==11022==  Address 0x524ba64 is 12 bytes inside a block of size 172 free'd
==11022==    at 0x402265C: free (vg_replace_malloc.c:323)
==11022==    by 0x8093059: game_remove_player (game.c:463)
==11022==    by 0x809314D: game_free (game.c:312)
==11022==    by 0x805848A: set_client_state (civclient.c:532)
==11022==    by 0x805CC59: close_socket_nomessage (clinet.c:113)
==11022==    by 0x805CC7D: close_socket_callback (clinet.c:124)
==11022==    by 0x808F689: write_socket_data (connection.c:252)
==11022==    by 0x808F725: flush_connection_send_buffer_all
==11022==    by 0x80990A8: send_packet_data (packets.c:161)
==11022==    by 0x809E81F: send_packet_unit_change_activity
==11022==    by 0x809E989: dsend_packet_unit_change_activity
==11022==    by 0x805E025: request_new_unit_activity (control.c:863)

So the unit pointer gets freed by game_remove_unit() (game.c:463) when
the client switches to pre-game state.
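Added illustration, not Freeciv code: a constructed model of the call chain in the trace above, showing the unchecked focus function beside one that re-checks the client state after the send that can run the close callback. All names (game_add_unit, set_unit_focus_checked, fail_next_send, the state enum) are assumptions chosen to mirror the functions in the trace.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the call chain in the valgrind trace; not Freeciv
 * code. Names mirror the trace but are assumptions. */
enum client_state { CLIENT_GAME_RUNNING, CLIENT_PRE_GAME };
struct unit { int id; int activity; };

static enum client_state state = CLIENT_GAME_RUNNING;
static struct unit *units[8];
static int unit_count = 0;
static bool fail_next_send = false;   /* simulates the "lagging player" cut */

static struct unit *game_add_unit(int id) {
    struct unit *u = calloc(1, sizeof *u);
    u->id = id;
    return units[unit_count++] = u;
}

/* set_client_state(PRE_GAME) -> game_free(): every unit is freed here. */
static void set_client_state_pre_game(void) {
    for (int i = 0; i < unit_count; i++) { free(units[i]); units[i] = NULL; }
    unit_count = 0;
    state = CLIENT_PRE_GAME;
}

/* send_packet_data(): on a write error the close callback runs and tears
 * the game down while the caller still holds punit. */
static bool send_unit_activity(struct unit *punit, int activity) {
    punit->activity = activity;
    if (fail_next_send) { set_client_state_pre_game(); return false; }
    return true;
}

/* The pattern in the report: punit is dereferenced after a call that can
 * free it. Only safe while sends succeed; kept here for comparison. */
static int set_unit_focus_unchecked(struct unit *punit) {
    send_unit_activity(punit, 0);
    return punit->id;
}

/* Defensive form: after any call that can reach the close callback, re-check
 * the client state before touching the pointer. Returns -1 when the game
 * data is gone (punit now dangles). */
static int set_unit_focus_checked(struct unit *punit) {
    if (!send_unit_activity(punit, 0) || state != CLIENT_GAME_RUNNING)
        return -1;
    return punit->id;
}
```

The same re-check after request_new_unit_activity() would cover Jason's concern about the pattern recurring elsewhere, independently of whether write errors keep triggering the teardown.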

Freeciv-dev mailing list