Complete.Org: Mailing Lists: Archives: freeciv-dev: June 2005:
[Freeciv-Dev] Re: (PR#13383) Memory error in hunter code

To: marko.lindqvist@xxxxxxxxxxx
Subject: [Freeciv-Dev] Re: (PR#13383) Memory error in hunter code
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 30 Jun 2005 08:08:55 -0700
Reply-to: bugs@xxxxxxxxxxx

<URL: http://bugs.freeciv.org/Ticket/Display.html?id=13383 >

Marko Lindqvist wrote:
> <URL: http://bugs.freeciv.org/Ticket/Display.html?id=13383 >
> 
>  From valgrind:
> 
> ==18897== Invalid read of size 4
> ==18897==    at 0x8100249: ai_hunter_try_launch (aihunt.c:261)
> ==18897==    by 0x8100CD5: ai_hunter_manage (aihunt.c:495)
> ==18897==    by 0x810946F: ai_manage_military (aiunit.c:1960)
> ==18897==    by 0x810A566: ai_manage_unit (aiunit.c:2149)
> ==18897==    by 0x810B1A1: ai_manage_units (aiunit.c:2248)
> ==18897==    by 0x80FF72D: ai_do_first_activities (aihand.c:426)
> ==18897==    by 0x8051039: main_loop (srv_main.c:453)
> ==18897==    by 0x8051AC2: srv_main (srv_main.c:1962)
> ==18897==    by 0x804A99A: main (civserver.c:242)
> ==18897==  Address 0x25E3D7AC is 4 bytes inside a block of size 192 free'd
> ==18897==    at 0x2598579D: free (vg_replace_malloc.c:152)
> ==18897==    by 0x805BDC6: server_remove_unit (unittools.c:1605)
> ==18897==    by 0x805F044: wipe_unit_spec_safe (unittools.c:1666)
> ==18897==    by 0x805FAA0: kill_unit (unittools.c:1831)
> ==18897==    by 0x809B246: handle_unit_attack_request (unithand.c:899)
> ==18897==    by 0x809AC25: handle_unit_move_request (unithand.c:1120)
> ==18897==    by 0x8104EFE: ai_unit_attack (aitools.c:921)
> ==18897==    by 0x81050B4: ai_unit_execute_path (aitools.c:162)
> ==18897==    by 0x8100CBB: ai_hunter_manage (aihunt.c:489)
> ==18897==    by 0x810946F: ai_manage_military (aiunit.c:1960)
> ==18897==    by 0x810A566: ai_manage_unit (aiunit.c:2149)
> ==18897==    by 0x810B1A1: ai_manage_units (aiunit.c:2248)

Can you reproduce this?

Clearly the unit is dying inside ai_unit_execute_path called from
aihunt.c:489.  A little later in aihunt.c:495 the unit is accessed.
However it looks like the aihunt code correctly checks the return value
of ai_unit_execute_path.  So you'd think the bug is inside
ai_unit_execute_path.  But here there is a correct call to
find_unit_by_id.  So I don't see how this can happen.

-jason
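As an added illustration of the pattern the trace above points at (not Freeciv code: the registry, `struct unit`, `unit_create` and `execute_path` are constructed stand-ins for the real `find_unit_by_id`, `server_remove_unit` and `ai_unit_execute_path`), here is a caller that checks the return value and re-fetches the unit by id instead of reusing a pointer that the call may have freed:

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed toy unit registry standing in for Freeciv's unit list. */
#define MAX_UNITS 8
struct unit { int id; int hp; };
static struct unit *units[MAX_UNITS];

static struct unit *unit_create(int id, int hp) {
    struct unit *u = calloc(1, sizeof *u);
    u->id = id;
    u->hp = hp;
    units[id] = u;
    return u;
}

/* Like find_unit_by_id(): NULL once the unit has been removed. */
static struct unit *find_unit_by_id(int id) {
    return (id >= 0 && id < MAX_UNITS) ? units[id] : NULL;
}

/* Like server_remove_unit(): frees the unit and clears its registry slot. */
static void server_remove_unit(struct unit *u) {
    units[u->id] = NULL;
    free(u);
}

/* Stand-in for ai_unit_execute_path(): the attack may kill the unit.
   Returns true only if the unit still exists, re-fetched by id, so the
   pointer u (dangling after the free) is never dereferenced afterwards. */
static bool execute_path(struct unit *u) {
    int id = u->id;
    u->hp -= 10;                      /* the attack costs hit points */
    if (u->hp <= 0) {
        server_remove_unit(u);        /* u is now dangling */
    }
    return find_unit_by_id(id) != NULL;
}

/* Caller in the shape the mail calls correct: check the return value and
   re-fetch by id before touching the unit again. Reading u->hp here without
   that check is the stale read valgrind reports at aihunt.c:495. */
static int hunter_manage_safe(int id) {
    struct unit *u = find_unit_by_id(id);
    if (u == NULL || !execute_path(u)) {
        return -1;                    /* unit gone; never touch u again */
    }
    u = find_unit_by_id(id);          /* fresh pointer, known non-NULL */
    return u->hp;
}
```

Running the same flow under valgrind with the re-fetch removed reproduces an "Invalid read" inside a freed block of exactly this kind, which is the quickest way to confirm a suspected stale-pointer path.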
