Complete.Org: Mailing Lists: Archives: freeciv-dev: April 2004:
[Freeciv-Dev] (PR#8552) civserver crash

To: undisclosed-recipients: ;
Subject: [Freeciv-Dev] (PR#8552) civserver crash
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 19 Apr 2004 23:08:29 -0700
Reply-to: rt@xxxxxxxxxxx

<URL: http://rt.freeciv.org/Ticket/Display.html?id=8552 >

When I run civserver with the attached autogame, it segfaults in 475 BC:

686       unit_list_iterate(pcity->units_supported, punit) {
(gdb) p game.year
$1 = -475
(gdb) bt
#0  resolve_city_emergency (pplayer=0x8250244, pcity=0x83bc3a0) at 
aicity.c:686
#1  0x0810f594 in ai_manage_cities (pplayer=0x8250244) at aicity.c:507
#2  0x08110fb4 in ai_do_last_activities (pplayer=0x8250244) at aihand.c:319
#3  0x0804e8e8 in end_turn () at srv_main.c:493
#4  0x0804ff96 in main_loop () at srv_main.c:1405
#5  0x0805010d in srv_main () at srv_main.c:1492
#6  0x0804a27e in main (argc=5, argv=0xbffff914) at civserver.c:157

According to valgrind

==28232== Invalid read of size 4
==28232==    at 0x80FFD6C: resolve_city_emergency (aicity.c:686)
==28232==    by 0x80FF7F9: ai_manage_cities (aicity.c:507)
==28232==    by 0x8101144: ai_do_last_activities (aihand.c:319)
==28232==    by 0x804E418: end_turn (srv_main.c:493)
==28232==    by 0x804FBB6: main_loop (srv_main.c:1405)
==28232==    by 0x8050377: srv_loop (srv_main.c:1715)
==28232==    by 0x804FD9B: srv_main (srv_main.c:1492)
==28232==    by 0x804A4C8: main (civserver.c:157)
==28232==  Address 0x3C4D2574 is 8 bytes inside a block of size 12 free'd
==28232==    at 0x3C01F918: free (vg_replace_malloc.c:127)
==28232==    by 0x80AC7AC: genlist_unlink (genlist.c:111)
==28232==    by 0x80F1E6C: unit_list_unlink (speclist_c.h:60)
==28232==    by 0x80AB665: game_remove_unit (game.c:149)
==28232==    by 0x805CC66: server_remove_unit (unittools.c:1685)
==28232==    by 0x805CF64: wipe_unit_spec_safe (unittools.c:1752)
==28232==    by 0x805D2E1: wipe_unit (unittools.c:1815)
==28232==    by 0x809D58A: handle_unit_disband (unithand.c:375)
==28232==    by 0x80FFD63: resolve_city_emergency (aicity.c:691)
==28232==    by 0x80FF7F9: ai_manage_cities (aicity.c:507)
==28232==    by 0x8101144: ai_do_last_activities (aihand.c:319)
==28232==    by 0x804E418: end_turn (srv_main.c:493)
==28232==    by 0x804FBB6: main_loop (srv_main.c:1405)
==28232==    by 0x8050377: srv_loop (srv_main.c:1715)
==28232==    by 0x804FD9B: srv_main (srv_main.c:1492)
==28232==    by 0x804A4C8: main (civserver.c:157)

so the error seems to be an unsafe unit iteration.  This bug is almost a 
year old.  Can we have safe genlists yet?

jason

? ai/output
Index: ai/aicity.c
===================================================================
RCS file: /home/freeciv/CVS/freeciv/ai/aicity.c,v
retrieving revision 1.149
diff -u -r1.149 aicity.c
--- ai/aicity.c 25 Feb 2004 20:23:49 -0000      1.149
+++ ai/aicity.c 20 Apr 2004 06:07:02 -0000
@@ -683,7 +683,7 @@
     goto cleanup;
   }
 
-  unit_list_iterate(pcity->units_supported, punit) {
+  unit_list_iterate_safe(pcity->units_supported, punit) {
     if (city_unhappy(pcity)
         && punit->unhappiness != 0
         && punit->ai.passenger == 0) {
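Review bot: the safe iterator at the loop head is the right fix for the trace above, but only if unit_list_iterate_safe reads the successor before the body runs rather than after it, so confirm that in the speclist macros before committing. The body's handle_unit_disband() reaches genlist_unlink() via wipe_unit -> server_remove_unit -> game_remove_unit -> unit_list_unlink, which frees the 12-byte node the plain iterator then dereferences to find the next element; that is the "8 bytes inside a block of size 12 free'd" read at aicity.c:686. Keep this hunk and the matching _end change in the next hunk in one commit, since the macro pair only works when both halves change together.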
@@ -691,7 +691,7 @@
       handle_unit_disband(pplayer, punit->id);
       city_refresh(pcity);
     }
-  } unit_list_iterate_end;
+  } unit_list_iterate_safe_end;
 
   if (CITY_EMERGENCY(pcity)) {
     freelog(LOG_EMERGENCY, "Emergency in %s remains unresolved", 
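Review bot: after handle_unit_disband(pplayer, punit->id) the unit and its list node no longer exist, so nothing in the body may touch punit afterwards; city_refresh(pcity) only uses pcity, which is fine, but any later addition to this loop must keep that order. The safe iterator also only protects the current element: the trace passes through wipe_unit_spec_safe(), so check whether wiping one unit can remove other units from the same units_supported list (cargo, for instance). If it can, the cached next element can be freed as well, and the loop should instead collect the ids of the unhappy units first and disband them by id afterwards.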

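The unsafe iteration the report describes, as an added example that is not Freeciv code and not part of the original message: a minimal genlist-like singly linked list with an iterate macro that reads the next link after the loop body (the pattern valgrind flagged at aicity.c:686) beside a safe variant that caches the link first, plus a Memcheck-style quarantine flag so the stale read is counted instead of being undefined behaviour. Every type, function and macro name below is a hypothetical stand-in for Freeciv's genlist and unit_list_iterate machinery, and the four units are constructed sample data.

```c
/* Added example, not Freeciv code: a loop that unlinks and frees the current
 * node while walking a linked list is a use-after-free; a "safe" iterator
 * that caches the next link before the body runs is not. All names are
 * hypothetical stand-ins for Freeciv's genlist / unit_list_iterate macros. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct unit { int id; int unhappiness; };   /* unhappiness != 0: upsets its city */
struct node { struct unit *data; struct node *next; bool freed; };
struct unit_list { struct node *head; size_t nelements; };

/* Memcheck-style quarantine: nodes come from a fixed pool and are never
 * really released. node_free() only flags a node, so a later read through
 * it is counted (Memcheck's "Invalid read ... inside a block ... free'd")
 * instead of being undefined behaviour. */
static struct node pool[8];
static size_t pool_used; static int dead_node_reads;
static void node_free(struct node *n) { n->freed = true; }
static struct node *node_next(struct node *n) { if (n->freed) dead_node_reads++; return n->next; }

static void unit_list_append(struct unit_list *list, struct unit *u)
{
  struct node **pp = &list->head;
  if (pool_used == sizeof pool / sizeof pool[0]) return;   /* pool exhausted */
  struct node *n = &pool[pool_used++];
  n->data = u; n->next = NULL; n->freed = false;
  while (*pp != NULL) pp = &(*pp)->next;
  *pp = n;
  list->nelements++;
}

/* Like genlist_unlink(): splice the node out of the chain, then free it. */
static void unit_list_unlink(struct unit_list *list, struct unit *u)
{
  struct node **pp = &list->head;
  while (*pp != NULL && (*pp)->data != u) pp = &(*pp)->next;
  if (*pp == NULL) return;
  struct node *n = *pp;
  *pp = n->next;
  list->nelements--;
  node_free(n);
}

/* Unsafe iterator (the aicity.c:686 pattern): the successor is read AFTER
 * the body, from a node the body may just have unlinked and freed. */
#define unit_list_iterate(list, punit)                                      \
  for (struct node *it_ = (list).head; it_ != NULL; it_ = node_next(it_)) { \
    struct unit *punit = it_->data;
#define unit_list_iterate_end }

/* Safe iterator: the successor is cached BEFORE the body runs, so freeing
 * the current node is harmless. It still breaks if the body also frees
 * the cached successor. */
#define unit_list_iterate_safe(list, punit)                                 \
  for (struct node *it_ = (list).head, *nx_ = NULL;                         \
       it_ != NULL && (nx_ = node_next(it_), true); it_ = nx_) {            \
    struct unit *punit = it_->data;
#define unit_list_iterate_safe_end }

/* The resolve_city_emergency() loop before and after the patch. The unlink
 * stands in for handle_unit_disband(), which ends in genlist_unlink(). */
static int resolve_emergency_unsafe(struct unit_list *supported)
{
  int disbanded = 0;
  unit_list_iterate(*supported, punit) {
    if (punit->unhappiness != 0) { unit_list_unlink(supported, punit); disbanded++; }
  } unit_list_iterate_end;
  return disbanded;
}

static int resolve_emergency_safe(struct unit_list *supported)
{
  int disbanded = 0;
  unit_list_iterate_safe(*supported, punit) {
    if (punit->unhappiness != 0) { unit_list_unlink(supported, punit); disbanded++; }
  } unit_list_iterate_safe_end;
  return disbanded;
}

struct outcome { int disbanded; size_t remaining; int dead_reads; };
/* Constructed sample: four supported units, the 1st and 3rd unhappy. */
static struct outcome run_scenario(int (*resolver)(struct unit_list *))
{
  struct unit units[4] = {{1, 1}, {2, 0}, {3, 1}, {4, 0}};
  struct unit_list list = {NULL, 0};
  struct outcome out;
  pool_used = 0; dead_node_reads = 0;
  for (size_t i = 0; i < 4; i++) unit_list_append(&list, &units[i]);
  out.disbanded = resolver(&list);
  out.remaining = list.nelements; out.dead_reads = dead_node_reads;
  return out;
}

int main(void)
{
  struct outcome a = run_scenario(resolve_emergency_unsafe), b = run_scenario(resolve_emergency_safe);
  printf("unsafe: %d reads of freed nodes; safe: %d (both disband %d, leave %zu)\n",
         a.dead_reads, b.dead_reads, a.disbanded, a.remaining);
  return 0;
}
```

Both loops disband the same two units and leave the same two behind; the difference is that the unsafe loop dereferences each freed node once to find its successor, which is exactly the read Memcheck reports and which crashes the real server once the freed block is reused. The safe macro only caches one link, so it is still wrong if disbanding one unit can remove others from the same list; in that case collect the unhappy units' ids first and disband them by id after the walk.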