Segfault when sending back-to-order command for garrisoned unit

[elexis]

In this game hosted by pesem, many if not all clients have experienced a SEGFAULT. It was reported yesterday by causative, Boudica had it too and the replay was uploaded by Grugnas. Replaying the thing in non-visual replaymode reproduces the segfault!

[elexis]

Thanks Grugnas for sharing the replay!

[elexis]

Looks like an error that seems unlikely to be fixed soon:

Thread 1 "pyrogenesis" received signal SIGSEGV, Segmentation fault.
0x00007ffff719f926 in js::jit::GetOptimizationLevel (pc=<optimized out>, script=...) at /.../a21/trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jit/Ion.cpp:2049
2049	    return js_IonOptimizations.levelForScript(script, pc);
(gdb) info stack
#0  0x00007ffff719f926 in js::jit::GetOptimizationLevel (pc=<optimized out>, script=...) at /media/.../trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jit/Ion.cpp:2049
#1  js::jit::Compile (cx=cx@entry=0xd04fc0, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=false, forceRecompile=forceRecompile@entry=false)
    at /.../a21/trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jit/Ion.cpp:2080
#2  0x00007ffff71a0a11 in js::jit::CanEnter (cx=cx@entry=0xd04fc0, state=...) at /.../a21/trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jit/Ion.cpp:2244
#3  0x00007ffff6f92039 in js::RunScript (cx=cx@entry=0xd04fc0, state=...) at /.../a21/trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:424
#4  0x00007ffff6f9227c in js::Invoke (cx=cx@entry=0xd04fc0, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /.../a21/trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:517
#5  0x00007ffff72dd147 in js_fun_apply (cx=0xd04fc0, argc=<optimized out>, vp=0x7fffff7ffb78) at /.../a21/trunk/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jsfun.cpp:1323

[causative]

concise replay causing the segfault

[causative]

I was able to reproduce this error in SVN. You can reliably cause the segfault by:

• Select a citizen cavalry unit
• Click to hunt an animal (camel, in this case), but don't actually kill it.
• Garrison the cavalry
• Use the script console to post a network message telling the garrisoned cavalry to resume work: Engine.PostNetworkCommand({"type":"back-to-work","entities":[21062]}).
• It segfaults

The error can also be triggered without using the script console.

• Select a citizen cavalry unit
• Click to hunt an animal (camel, in this case), but don't actually kill it.
• Click to stand right next to the building you will garrison into
• Set the game speed to Turtle (0.1x) to make the next step easier
• Ctrl-click to garrison into the building, and very quickly afterwards press y to resume work, so that both commands post to the same turn.
• the game segfaults. It may take a few tries before this happens.

I have provided a replay of this in SVN.

However, note that this method is not quite the same thing nigel87 did. He garrisoned his cavalry (entity 21062) many turns before he ordered it to resume work. How did he issue the command for it to resume work, without the script console and without issuing very fast consecutive commands?

[elexis]

I could reproduce it by adding a keyboard shortcut to that unit, garrisoning it, then repeatedly clicking on the icon button while pressing Y, many turns later without any console action.

Thanks a lot for the debugging!

[elexis]

A known issue with an existing patch at ​https://code.wildfiregames.com/D64 (we just didn't know that it could be triggered in actual games).