Update of bug #18921 (project wesnoth):
Severity: 3 - Normal => 5 - Blocker
_______________________________________________________
Follow-up Comment #1:
I finally managed to reproduce this (not using the provided save or case,
though), and found some things. Since this is yet another display of undefined
behavior, I have increased this bug's priority to Blocker, hoping it's fixed
before the first 1.10 point release.
Backtrace:
(gdb) bt
#0 0x00000000006b767a in std::vector<animated<unit_frame,
void_value<unit_frame> >::frame, std::allocator<animated<unit_frame,
void_value<unit_frame> >::frame> >::end (this=0xe8a5917490a692ac) at
/usr/include/c++/4.6/bits/stl_vector.h:491
#1 0x000000000086eb54 in std::vector<animated<unit_frame,
void_value<unit_frame> >::frame, std::allocator<animated<unit_frame,
void_value<unit_frame> >::frame> >::empty (this=0xe8a5917490a692ac) at
/usr/include/c++/4.6/bits/stl_vector.h:660
#2 0x000000000086d97d in animated<unit_frame, void_value<unit_frame>
>::animation_finished_potential (this=0xe8a5917490a6929c) at
src/animated.i:180
#3 0x00000000006e3a98 in unit_animation::animation_finished_potential
(this=0xe8a5917490a69174) at src/unit_animation.cpp:799
#4 0x00000000006e5732 in unit_animator::wait_for_end (this=0x7fff06d40430)
at src/unit_animation.cpp:1133
#5 0x0000000000a93fae in unit_display::unit_recruited (loc=...,
leader_loc=...) at src/unit_display.cpp:459
#6 0x0000000000a2f873 in events::menu_handler::create_unit
(this=0x7fff06d42960, mousehandler=...) at src/menu_events.cpp:1608
#7 0x000000000060fb16 in playsingle_controller::create_unit
(this=0x7fff06d427a0) at src/playsingle_controller.cpp:168
#8 0x0000000000ca2e85 in hotkey::command_executor::execute_command
(this=0x7fff06d427a0, command=hotkey::HOTKEY_CREATE_UNIT) at
src/hotkeys.cpp:1014
#9 0x0000000000a78c3f in play_controller::execute_command
(this=0x7fff06d427a0, command=hotkey::HOTKEY_CREATE_UNIT, index=0) at
src/play_controller.cpp:793
#10 0x0000000000ca3423 in hotkey::execute_command (disp=...,
command=hotkey::HOTKEY_CREATE_UNIT, executor=0x7fff06d427a0, index=0) at
src/hotkeys.cpp:1151
#11 0x0000000000ca41aa in hotkey::command_executor::show_menu
(this=0x7fff06d427a0, items_arg=..., xloc=961, yloc=339, context_menu=true,
gui=...)
at src/hotkeys.cpp:1259
#12 0x0000000000a7b6b1 in play_controller::show_menu (this=0x7fff06d427a0,
items_arg=..., xloc=961, yloc=339, context_menu=true)
at src/play_controller.cpp:1209
#13 0x00000000008800d6 in controller_base::handle_event (this=0x7fff06d427a0,
event=...) at src/controller_base.cpp:94
#14 0x0000000000c9955f in events::pump () at src/events.cpp:380
#15 0x0000000000880806 in controller_base::play_slice (this=0x7fff06d427a0,
is_delay_enabled=true) at src/controller_base.cpp:197
#16 0x0000000000613381 in playsingle_controller::play_human_turn
(this=0x7fff06d427a0) at src/playsingle_controller.cpp:709
#17 0x0000000000612c78 in playsingle_controller::play_side
(this=0x7fff06d427a0, side_number=1, save=false) at
src/playsingle_controller.cpp:637
#18 0x00000000006128a7 in playsingle_controller::play_turn
(this=0x7fff06d427a0, save=false) at src/playsingle_controller.cpp:591
#19 0x0000000000611117 in playsingle_controller::play_scenario
(this=0x7fff06d427a0, story=..., skip_replay=false) at
src/playsingle_controller.cpp:391
#20 0x000000000060376f in playsingle_scenario (game_config=...,
level=0x1a99028, disp=..., state_of_game=..., story=..., skip_replay=false,
end_level=...)
at src/playcampaign.cpp:130
#21 0x000000000060602f in play_game (disp=..., gamestate=...,
game_config=..., io_type=IO_NONE, skip_replay=false) at
src/playcampaign.cpp:365
#22 0x0000000000485bc0 in game_controller::launch_game (this=0x1a98dc0,
reload=game_controller_abstract::NO_RELOAD_DATA) at
src/game_controller.cpp:1268
#23 0x000000000041f981 in do_gameloop (argc=1, argv=0x7fff06d44fb8) at
src/game.cpp:577
#24 0x000000000041fe82 in main (argc=1, argv=0x7fff06d44fb8) at
src/game.cpp:641
Frame #2 is the first relevant point:
(gdb) frame 2
#2 0x000000000086d97d in animated<unit_frame, void_value<unit_frame>
>::animation_finished_potential (this=0xe8a5917490a6929c) at
src/animated.i:180
180 if(frames_.empty())
There's clearly a dangling pointer floating around:
(gdb) p &frames_
$1 = (std::vector<animated<unit_frame>::frame,
std::allocator<animated<unit_frame>::frame> > *) 0xe8a5917490a692ac
(gdb) p this
$2 = (const animated<unit_frame, void_value<unit_frame> > * const)
0xe8a5917490a6929c
(gdb) p frames_
Cannot access memory at address 0xe8a5917490a692ac
Checking frame #4 and assuming I'm interpreting things right, it seems
unit::get_animation() has a chance to return a dangling pointer:
(gdb) up
#4 0x00000000006e5732 in unit_animator::wait_for_end (this=0x7fff06d40430)
at src/unit_animation.cpp:1133
1133 finished &=
anim->my_unit->get_animation()->animation_finished_potential();
(gdb) p anim->my_unit
$3 = (unit *) 0x55fa8c0
(gdb) p anim->my_unit->get_animation()
warning: can't find linker symbol for virtual table for `unit' value
warning: can't find linker symbol for virtual table for `unit' value
warning: can't find linker symbol for virtual table for `unit' value
warning: can't find linker symbol for virtual table for `unit' value
warning: can't find linker symbol for virtual table for `unit' value
$4 = (unit_animation *) 0xe8a5917490a69174
There are a few instances in unit.cpp (containing the implementation of
various unit class methods) where the anim_ field is used; in the few
situations where the delete operator is applied on it in this file, it's
either reset to NULL or replaced with a new instance of a unit_animation
object. Thus, it's possible some code elsewhere is getting access to this
pointer and deleting the object referenced.
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?18921>
_______________________________________________
Message sent via/by Gna!
http://gna.org/
_______________________________________________
Wesnoth-bugs mailing list
[email protected]
https://mail.gna.org/listinfo/wesnoth-bugs
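The ownership hazard the comment describes, as an added illustration that is not Wesnoth code: a unit owns its current animation and replaces it, while an animator caches a pointer into it. Handing out a std::weak_ptr instead of a raw pointer turns the dangling dereference in wait_for_end() into a detectable "animation gone" result. The class and function names mirror the backtrace but are simplified stand-ins, and the frame lists are constructed sample data.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified stand-in for unit_animation: finished when no frames remain.
struct unit_animation {
    std::vector<std::string> frames;
    bool animation_finished_potential() const { return frames.empty(); }
};

// Stand-in for unit: sole owner of its current animation (anim_).
class unit {
public:
    void set_animation(std::vector<std::string> frames) {
        // Replacing anim_ frees the old animation, exactly the situation in
        // which a cached raw pointer elsewhere would start dangling.
        auto fresh = std::make_shared<unit_animation>();
        fresh->frames = std::move(frames);
        anim_ = std::move(fresh);
    }
    // Hand out a non-owning handle rather than a raw pointer.
    std::weak_ptr<unit_animation> get_animation() const { return anim_; }
private:
    std::shared_ptr<unit_animation> anim_;
};

// Stand-in for unit_animator: caches the animation it is waiting on.
class unit_animator {
public:
    explicit unit_animator(const unit& u) : anim_(u.get_animation()) {}
    // True when the animation has finished OR has already been destroyed;
    // a destroyed animation is reported, never dereferenced.
    bool wait_for_end() const {
        std::shared_ptr<unit_animation> live = anim_.lock();
        if (!live) { return true; }   // animation gone: treat as finished
        return live->animation_finished_potential();
    }
    bool animation_alive() const { return !anim_.expired(); }
private:
    std::weak_ptr<unit_animation> anim_;
};

// Replays the scenario from the backtrace: the animator waits on an
// animation that the unit replaces underneath it (constructed sample frames).
bool replay_replaced_animation_case() {
    unit u;
    u.set_animation({"recruit-1", "recruit-2"});
    unit_animator animator(u);
    bool before = animator.wait_for_end();   // false: frames remain
    u.set_animation({"idle"});               // old animation freed here
    bool after = animator.wait_for_end();    // true: reported, not dereferenced
    return !before && after && !animator.animation_alive();
}
```

With the raw-pointer version of this pattern, building with -fsanitize=address reports the heap-use-after-free at the first dereference, which is the quickest way to find which code path deletes the object.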