[Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

[EMAIL PROTECTED] - Sun 22. Jun 2008, 19:09:56]:
> I can't reproduce the crash here with S2_0. On loading the game and ending turn a time or two, the game ends. What client is used to get the crash and what is necessary to do other than just end turn?
>
> -jason

The crash happens on Windows (GTK+ client) after ending the turn and after the server cuts the connection due to a lagging player while the client is busy for some seconds. When the client detects the lost connection (in this case when trying to send data to the server in request_new_unit_activity(punit, ACTIVITY_IDLE), called from set_unit_focus()) it does some cleanup and switches to the main page. But set_unit_focus() still continues after the request_new_unit_activity() call and references a now invalid unit pointer:

  /* in set_unit_focus() */
  ...
      if (punit->activity != ACTIVITY_IDLE || punit->ai.control) {
        punit->ai.control = FALSE;
        refresh_unit_city_dialogs(punit);
        request_new_unit_activity(punit, ACTIVITY_IDLE); /*** lost connection detected and client in pre-game state ***/
      }
    }
    /* punit_old_focus is now invalid */
    /* avoid the old focus unit disappearing: */
    if (punit_old_focus && (!punit || !same_pos(punit_old_focus->tile, punit->tile))) {
      refresh_tile_mapcanvas(punit_old_focus->tile, FALSE);
    }

Now I wonder if it's really necessary to take actions on socket write errors on the client side at all? Since the request calls to the server don't return an immediate result that the client depends on, wouldn't it be sufficient if the client would clean up and reset to pre-game state only when reading of server input fails? The attached patch fixed the crash and didn't show any problems for me so far.

Index: client/clinet.c === --- client/clinet.c (revision 14833) +++ client/clinet.c (working copy)
@@ -186,8 +186,6 @@ { struct packet_server_join_req req; - close_socket_set_callback(close_socket_callback); - /* connection in progress? wait. */ if (aconnection.used) { (void) mystrlcpy(errbuf, _(Connection in progress.), errbufsize); ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
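Review bot: dropping close_socket_set_callback(close_socket_callback) from this function means a failed write in write_socket_data() no longer tears the client down at all, and the valgrind trace in this ticket shows that callback is exactly the path from flush_connection_send_buffer_all() into close_socket_nomessage() and game_free(). Before merging, confirm that the read side (input_from_server()) still closes the socket and resets client state on its own once the server has gone away; otherwise a dead connection stays in the aconnection.used state and every subsequent request keeps writing to it. Also confirm that nothing else expects a callback to be registered, for example that write_socket_data() checks for a NULL callback before invoking it, since the hunk removes the only registration shown here. A less blunt fix, along the lines suggested later in this thread, would keep the callback but have it only record a pending close while a packet handler is on the stack, with the actual switch to pre-game state applied after the handler returns.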
Re: [Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

Christian Prochaska wrote:
> The crash happens on Windows (GTK+ client) after ending the turn and after the server cuts the connection due to lagging player while the client is busy for some seconds. When the client detects the lost connection (in this case when trying to send data to the server in request_new_unit_activity(punit, ACTIVITY_IDLE), called from set_unit_focus()) it does some cleanup and switches to the main page. But set_unit_focus() still continues after the request_new_unit_activity() call and references a now invalid unit pointer:

Interesting. But...I thought hack connections weren't supposed to be cut because of lag? When I run under valgrind I get:

  2: ignoring ping timeout to hack-level connection sjolley from localhost (player Stephen Jolley)

many many times. But the connection is uninterrupted.

> Now I wonder if it's really necessary to take actions on socket write errors on the client side at all? Since the request calls to the server don't return an immediate result that the client depends on, wouldn't it be sufficient if the client would cleanup and reset to pre-game state only when reading of server input fails? The attached patch fixed the crash and didn't show any problems for me so far.

Possibly an okay workaround. But, I'd still want to know how exactly the punit_focus is getting set to an invalid (freed) pointer. If it can happen here, it could happen again.

-jason
Re: [Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

Maybe I'm missing something, but: your backtrace in this ticket shows the crash happening on a successful read, not on a write error. It also shows SDL and GTK code being mixed together, what's up with that?

-jason
[Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

[EMAIL PROTECTED] - Mon 23. Jun 2008, 15:43:02]:
> Christian Prochaska wrote:
>> The crash happens on Windows (GTK+ client) after ending the turn and after the server cuts the connection due to lagging player while the client is busy for some seconds. When the client detects the lost connection (in this case when trying to send data to the server in request_new_unit_activity(punit, ACTIVITY_IDLE), called from set_unit_focus()) it does some cleanup and switches to the main page. But set_unit_focus() still continues after the request_new_unit_activity() call and references a now invalid unit pointer:
>
> Interesting. But...I thought hack connections weren't supposed to be cut because of lag? When I run under valgrind I get:
>
>   2: ignoring ping timeout to hack-level connection sjolley from localhost (player Stephen Jolley)
>
> many many times. But the connection is uninterrupted.

That's the ping timeout (server option pingtimeout), but the lag cut is associated with the network timeout (server option nettimeout), which doesn't have a check for hack level access (perhaps it should have). Can you reproduce the crash when setting the nettimeout server option to a lower value before ending the turn?

>> Now I wonder if it's really necessary to take actions on socket write errors on the client side at all? Since the request calls to the server don't return an immediate result that the client depends on, wouldn't it be sufficient if the client would cleanup and reset to pre-game state only when reading of server input fails? The attached patch fixed the crash and didn't show any problems for me so far.
>
> Possibly an okay workaround. But, I'd still want to know how exactly the punit_focus is getting set to an invalid (freed) pointer. If it can happen here, it could happen again.
>
> -jason

Got this from valgrind on Linux now:

  2: lost connection to server
  ==11022==
  ==11022== Invalid read of size 4
  ==11022==    at 0x805F1D7: set_unit_focus (control.c:160)
  ==11022==    by 0x806F246: handle_unit_packet_common (packhand.c:1043)
  ==11022==    by 0x806F8A4: handle_unit_info (packhand.c:957)
  ==11022==    by 0x8072275: client_handle_packet (packhand_gen.c:160)
  ==11022==    by 0x8058588: handle_packet_input (civclient.c:389)
  ==11022==    by 0x805CE52: input_from_server (clinet.c:350)
  ==11022==    by 0x43C6B2E: (within /usr/lib/libgdk-x11-2.0.so.0.1200.9)
  ==11022==    by 0x45E364C: (within /usr/lib/libglib-2.0.so.0.1600.3)
  ==11022==    by 0x45AF977: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1600.3)
  ==11022==    by 0x45B2BCD: (within /usr/lib/libglib-2.0.so.0.1600.3)
  ==11022==    by 0x45B2F56: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.1600.3)
  ==11022==    by 0x417DD03: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.1200.9)
  ==11022==  Address 0x524ba64 is 12 bytes inside a block of size 172 free'd
  ==11022==    at 0x402265C: free (vg_replace_malloc.c:323)
  ==11022==    by 0x8093059: game_remove_player (game.c:463)
  ==11022==    by 0x809314D: game_free (game.c:312)
  ==11022==    by 0x805848A: set_client_state (civclient.c:532)
  ==11022==    by 0x805CC59: close_socket_nomessage (clinet.c:113)
  ==11022==    by 0x805CC7D: close_socket_callback (clinet.c:124)
  ==11022==    by 0x808F689: write_socket_data (connection.c:252)
  ==11022==    by 0x808F725: flush_connection_send_buffer_all (connection.c:276)
  ==11022==    by 0x80990A8: send_packet_data (packets.c:161)
  ==11022==    by 0x809E81F: send_packet_unit_change_activity (packets_gen.c:16599)
  ==11022==    by 0x809E989: dsend_packet_unit_change_activity (packets_gen.c:16667)
  ==11022==    by 0x805E025: request_new_unit_activity (control.c:863)
  ==11022==

So the unit pointer gets freed by game_remove_unit() (game.c:463) when the client switches to pre-game state.
[Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

[EMAIL PROTECTED] - Mon 23. Jun 2008, 15:54:33]:
> Maybe I miss something, but: your backtrace in this ticket shows the crash happening on a successful read, not on a write error. It also shows SDL and GTK code being mixed together, what's up with that?
>
> -jason

As I understand it, the read was successful, but while the received data is being handled, the connection gets lost, which gets detected when trying to send data to the server in request_new_unit_activity(). The write error then causes the client to switch to pre-game state, which causes the unit pointer to be freed.

SDL is used for sound output and on Windows the main() function is wrapped by SDL_main() which does some Windows-specific initialization.
[Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

[cproc - Mon 23. Jun 2008, 20:09:02]:
> SDL is used for sound output and on Windows the main() function is wrapped by SDL_main() which does some Windows-specific initialization.

Actually, the client's main() function gets renamed to SDL_main() during compilation (-Dmain=SDL_main) and is then called by the WinMain() function in libSDLmain.
Re: [Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

Christian Prochaska wrote:
> As I understand it, the read was successful, but while the received data is being handled, the connection gets lost, which gets detected when trying to send data to the server in request_new_unit_activity(). The write error then causes the client to switch to pre-game state, which causes the unit pointer to be freed.

Switching to pre-game state in the middle of packet handling seems to be a very, very bad idea. I would think rather that the disconnect should be queued up to be handled once current handlers have left. Failing that, your patch to just ignore write errors might be the safest choice.

-jason
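The following is an added example, not Freeciv code and not part of this thread: a small C model of the sequence Christian describes (a write failure inside a packet handler frees the unit that the handler still holds a pointer to) together with the deferred-disconnect handling Jason proposes above. All types and names in it (struct client, struct unit, handler_depth, close_pending, request_close, run_scenario and the rest) are constructed stand-ins, not Freeciv's real definitions; the only thing kept from the thread is the order of calls inside set_unit_focus().

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define ACTIVITY_IDLE 0
#define ACTIVITY_FORTIFY 1
#define NUNITS 3

/* Constructed stand-ins for the client objects discussed in the thread.
   None of these are Freeciv's real definitions. */
struct unit {
  int id;
  int activity;
  int tile;
};

struct client {
  bool connected;
  bool close_pending;      /* a write error was seen while a handler was running */
  int handler_depth;       /* number of packet handlers currently on the stack */
  struct unit *units[NUNITS];
  int focus_id;            /* id of the focus unit, -1 when none */
  int sends_before_fail;   /* simulated transport: the send fails once this hits 0 */
  int last_refreshed_tile; /* tile handed to the (simulated) map refresh */
};

static struct unit *find_unit(struct client *c, int id) {
  for (int i = 0; i < NUNITS; i++)
    if (c->units[i] && c->units[i]->id == id) return c->units[i];
  return NULL;
}

/* Stand-in for game_free()/switching to pre-game state: every unit is freed. */
static void game_free(struct client *c) {
  for (int i = 0; i < NUNITS; i++) { free(c->units[i]); c->units[i] = NULL; }
  c->focus_id = -1;
  c->connected = false;
  c->close_pending = false;
}

/* The single place a lost connection is acted on. While a handler is on the
   stack only the request is recorded; the teardown runs after it returns. */
static void request_close(struct client *c) {
  if (c->handler_depth > 0) c->close_pending = true;
  else game_free(c);
}

/* Simulated socket write: returns false and reports the lost connection. */
static bool send_packet(struct client *c) {
  if (!c->connected) return false;
  if (c->sends_before_fail-- > 0) return true;
  request_close(c);
  return false;
}

static void request_new_unit_activity(struct client *c, struct unit *punit, int act) {
  (void)punit; (void)act;
  (void)send_packet(c); /* fire and forget: no reply is awaited, as the thread notes */
}

/* Mirrors the order of calls quoted from set_unit_focus(): punit is still
   dereferenced after the send, which is only safe because the close is deferred. */
static void set_unit_focus(struct client *c, struct unit *punit) {
  struct unit *old = find_unit(c, c->focus_id);
  c->focus_id = punit->id;
  if (punit->activity != ACTIVITY_IDLE) {
    request_new_unit_activity(c, punit, ACTIVITY_IDLE);
  }
  if (old && old->tile != punit->tile) c->last_refreshed_tile = old->tile;
}

/* Packet handler wrapper: tracks depth and applies a pending close only once
   the handler has fully returned. */
static void handle_unit_info(struct client *c, int unit_id) {
  c->handler_depth++;
  struct unit *punit = find_unit(c, unit_id);
  if (punit) set_unit_focus(c, punit);
  c->handler_depth--;
  if (c->handler_depth == 0 && c->close_pending) game_free(c);
}

struct outcome { bool handler_completed; bool disconnected_after; int refreshed_tile; };

/* Scenario from the ticket, constructed: focus is on unit 1, a unit_info for
   unit 2 arrives, and the very next write to the server fails. */
struct outcome run_scenario(void) {
  struct client c = { .connected = true, .focus_id = 1, .sends_before_fail = 0,
                      .last_refreshed_tile = -1 };
  for (int i = 0; i < NUNITS; i++) {
    c.units[i] = malloc(sizeof *c.units[i]);
    c.units[i]->id = i + 1;
    c.units[i]->activity = ACTIVITY_FORTIFY;
    c.units[i]->tile = 10 * (i + 1);
  }
  handle_unit_info(&c, 2);
  struct outcome o = { .handler_completed = (c.last_refreshed_tile == 10),
                       .disconnected_after = (!c.connected && c.units[0] == NULL),
                       .refreshed_tile = c.last_refreshed_tile };
  return o;
}

int main(void) {
  struct outcome o = run_scenario();
  printf("handler completed: %d, disconnected after handler: %d, refreshed tile: %d\n",
         o.handler_completed, o.disconnected_after, o.refreshed_tile);
  return 0;
}
```

With the depth counter, the handler finishes with every pointer it holds still valid, and the switch to pre-game state happens immediately afterwards instead of never. The workaround in the attached patch corresponds to send_packet() simply returning false without calling request_close(), which leaves the teardown entirely to the read path; the deferral keeps write-side detection while removing the use-after-free.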
Re: [Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

Christian Prochaska wrote:
> The 2.0.9 uninstaller deletes only files installed by itself, so the savegames should still be where they were stored (by default in the game directory - C:\Program Files\Freeciv-2.0.9-gtk2 or C:\Program Files\Freeciv-2.0.9-win32). Please look again.

That's a bug right there. Savegames should be shared across freeciv installations (freeciv is generally backward-compatible and mostly forward-compatible in loading savegames) so only one savegame directory should be needed.

-jason
Re: [Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

I can't reproduce the crash here with S2_0. On loading the game and ending turn a time or two, the game ends. What client is used to get the crash and what is necessary to do other than just end turn?

-jason
[Freeciv-Dev] (PR#39582) 2.0.9: crash at end of turn
URL: http://bugs.freeciv.org/Ticket/Display.html?id=39582

As a side note, when running the server separately, it showed this output:

  1: Dangerous danger[0] (20180936) in Bethlehem. Beware of overflow.
  1: Dangerous danger[0] (22214694) in Stoke-on-Trent. Beware of overflow.
  1: Dangerous danger[0] (20253237) in Mazeikiai. Beware of overflow.
  1: Dangerous danger[0] (22251357) in Bolton. Beware of overflow.
  1: Dangerous danger[0] (17485341) in Middlesborough. Beware of overflow.
  1: Dangerous danger[0] (22210793) in Velsen. Beware of overflow.
  1: Dangerous danger[0] (22261980) in Assen. Beware of overflow.
  1: Dangerous danger[0] (22271838) in Wageningen. Beware of overflow.
  1: Dangerous danger[0] (22280328) in Zutphen. Beware of overflow.
  1: Dangerous danger[0] (22299537) in Bradford. Beware of overflow.
  1: Dangerous danger[0] (22288277) in Naarden. Beware of overflow.
  1: Dangerous danger[0] (21112646) in Breda. Beware of overflow.
  1: Dangerous danger[0] (21125629) in Eyrarbakki. Beware of overflow.
  1: Dangerous danger[0] (21546728) in Apeldoorn. Beware of overflow.
  1: Dangerous danger[0] (21162036) in Coventry. Beware of overflow.
  1: Dangerous danger[0] (21646640) in Hvammstangi. Beware of overflow.
  1: Dangerous danger[0] (21125908) in Hengelo. Beware of overflow.
  1: Dangerous danger[0] (21124647) in Emmen. Beware of overflow.
  1: Dangerous danger[0] (21120563) in Leicester. Beware of overflow.