URL:
  <http://gna.org/bugs/?19814>

                 Summary: Free'd ruleset structures accessed when changing ruleset
                 Project: Freeciv
            Submitted by: jtn
            Submitted on: Fri Jun 15 20:39:30 2012
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: S2_3 r21191
         Discussion Lock: Any
        Operating System: Any
         Planned Release: 

    _______________________________________________________

Details:

Spotted by pepeto's valgrind in bug #19800:

load_rulesets() calls game_ruleset_free(), which frees ruleset structures, and
shortly afterwards calls reset_player_nations(), which eventually calls
package_player_info(), which as part of its work calls government_number(),
which follows pointers from the player structure to the previously freed
government structures.
(package_player_info() also calls all sorts of other game functions which I
fear might try to access freed ruleset structures, although I didn't spot
any.)

The obvious fix is to swap the order of the two calls made by
load_rulesets().

However, I'm not sure how worried to be about those dangling government
pointers left in player structures over the ruleset reload -- does something
clear them down?

Here's the relevant bit of the Valgrind log from bug #19800:


pepeto: 'rulesetdir multiplayer
'
2: Ruleset directory set to "multiplayer"
2: Loading rulesets.
==32115== Invalid read of size 4
==32115==    at 0x8125F88: government_number (government.c:93)
==32115==    by 0x80B779F: package_player_info (plrhand.c:872)
==32115==    by 0x80B7EE7: send_player_info_c_real (plrhand.c:717)
==32115==    by 0x80B8010: send_player_info_c (plrhand.c:690)
==32115==    by 0x80C7A7B: load_rulesets (ruleset.c:3968)
==32115==    by 0x80571FE: set_rulesetdir (stdinhand.c:3694)
==32115==    by 0x805CF1F: handle_stdin_input_real.part.15 (stdinhand.c:4124)
==32115==    by 0x805F04F: read_init_script_real (stdinhand.c:1196)
==32115==    by 0x805C578: handle_stdin_input_real.part.15 (stdinhand.c:1113)
==32115==    by 0x8101147: handle_chat_msg_req (handchat.c:343)
==32115==    by 0x80B1E9E: server_handle_packet (hand_gen.c:40)
==32115==    by 0x804FEC1: server_packet_input (srv_main.c:1498)
==32115==  Address 0x43391a0 is 0 bytes inside a block of size 1,344 free'd
==32115==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32115==    by 0x8126B7C: governments_free (government.c:536)
==32115==    by 0x8125731: game_ruleset_free (game.c:493)
==32115==    by 0x80C7A54: load_rulesets (ruleset.c:3983)
==32115==    by 0x80571FE: set_rulesetdir (stdinhand.c:3694)
==32115==    by 0x805CF1F: handle_stdin_input_real.part.15 (stdinhand.c:4124)
==32115==    by 0x805F04F: read_init_script_real (stdinhand.c:1196)
==32115==    by 0x805C578: handle_stdin_input_real.part.15 (stdinhand.c:1113)
==32115==    by 0x8101147: handle_chat_msg_req (handchat.c:343)
==32115==    by 0x80B1E9E: server_handle_packet (hand_gen.c:40)
==32115==    by 0x804FEC1: server_packet_input (srv_main.c:1498)
==32115==    by 0x80DF00D: server_sniff_all_input (sernet.c:448)
==32115== 
2: Ruleset: 'generator' has been set to "Island-based" (ISLAND).
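The ordering problem in the report, reduced to a small C model (added here for illustration; this is not Freeciv source, and the names only mirror the functions in the backtrace). Two things are assumptions, not facts from the tracker: government_number() returns -1 for a NULL pointer, and the stand-in reset_player_nations() clears each player's government pointer after packaging the player info, which is exactly the "does something clear them down?" question the reporter raises.

```c
/* Model of the ruleset-reload ordering bug described above; not Freeciv source. */
#include <stdlib.h>

struct government { int item_number; };
struct player { struct government *government; }; /* points INTO the ruleset */
static struct government *governments;            /* ruleset-owned array */
static struct player players[2];
static int last_packaged;                         /* what package_player_info() saw */

static int government_number(const struct government *pgovern)
{
  return pgovern == NULL ? -1 : pgovern->item_number; /* NULL guard is assumed */
}
static void game_ruleset_free(void)
{
  free(governments);                /* every player->government now dangles */
  governments = NULL;
}
static void load_governments(int count)
{
  governments = calloc((size_t) count, sizeof *governments);
  for (int i = 0; i < count; i++) governments[i].item_number = i;
}
/* package_player_info() follows the pointer the player structure holds. */
static void package_player_info(const struct player *pplayer)
{
  last_packaged = government_number(pplayer->government);
}
/* Stand-in for reset_player_nations(): sends player info, then (assumed here)
 * drops the reference so nothing pointing into the old ruleset survives. */
static void reset_player_nations(void)
{
  for (size_t i = 0; i < sizeof players / sizeof players[0]; i++) {
    package_player_info(&players[i]);
    players[i].government = NULL;
  }
}
/* Reported order in load_rulesets(): free first, then package -> use-after-free. */
void load_rulesets_reported(int count)
{
  game_ruleset_free();
  reset_player_nations();           /* government_number() reads the freed block */
  load_governments(count);
}
/* Proposed fix: package and clear the references before freeing their targets. */
int load_rulesets_fixed(int count)
{
  reset_player_nations();           /* reads the still-valid old ruleset */
  game_ruleset_free();
  load_governments(count);
  return last_packaged;
}
```

Run the reported variant under Valgrind or AddressSanitizer and the read in government_number() is flagged exactly like the log above; the fixed variant leaves no pointer into the freed block.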

    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?19814>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev