[Freeciv-Dev] [bug #16451] Server crash after ending of turn (ai_hunter_try_launch())

Sun, 06 Mar 2011 12:36:47 -0800 

Update of bug #16451 (project freeciv):

                Severity:              3 - Normal => 4 - Important          
                  Status:                    None => Ready For Test         
             Assigned to:                    None => jtn                    
         Planned Release:                         => 2.3.0,2.4.0            

    _______________________________________________________

Follow-up Comment #13:

Looking at that valgrind log finds *a* bug: in ai_hunter_try_launch():


     ai_unit_goto(missile, sucker->tile);
     sucker = game_find_unit_by_number(target_sanity); /* Sanity */
     if (sucker && is_tiles_adjacent(sucker->tile, missile->tile)) {
       ai_unit_attack(missile, sucker->tile);


The log suggests that what likely happened is that ai_unit_goto() killed
'missile' (in this case I think it was attacking an AEGIS Cruiser), but the
code two lines down references 'missile->tile' (freed memory), which can
return crap which itself gets dereferenced, causing the crash.

ai_unit_goto() returns FALSE if 'missile' died, so we should check that
before dereferencing it. Also, the possibility of 'missile' dying suggests
that this function should be using unit_list_iterate_safe rather than
unit_list_iterate, although I don't think that's implicated in the current
problem.

While 'missile' will die if it attacks whether or not it sees off 'sucker', I
think this only bites if it fails to do so, as otherwise 'sucker' will become
NULL. (I'm not sure in what circumstances the offending code will fire -- we
aimed at 'sucker' with ai_unit_goto(), but somehow failed to reach them, yet
ai_unit_attack() still has a chance of getting them?) but I've left it in
place.

I ran my proposed fix for S2_2 through valgrind and it didn't show any errors
in ai_hunter_try_launch(), so I'm fairly confident this is the fix for the
originally reported problem.

The same problem still seems to exist on S2_3 and trunk.

(file #12630, file #12631, file #12632)
    _______________________________________________________

Additional Item Attachment:

File name: S2_2-ai-missile-fail-crash.diff Size:1 KB
File name: S2_3-ai-missile-fail-crash.diff Size:1 KB
File name: trunk-ai-missile-fail-crash.diff Size:1 KB


    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?16451>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
[email protected]
https://mail.gna.org/listinfo/freeciv-dev

Reply via email to