Opened 7 years ago

Last modified 7 years ago

#4788 new defect

CCmpFootprint / CCmpPathfinder Segfault on a tiny square danubius map

Reported by: elexis
Owned by:
Priority: Should Have
Milestone: Backlog
Component: Core engine
Keywords: pathfinding
Cc:
Patch:

Description

Often getting a segfault when setting danubius to a square map in the JSON file. The attached replay reproduces the issue reliably on alpha 22.

Stacktrace:

#0  CCmpPathfinder::CheckUnitPlacement (this=0x1895680, filter=..., x=..., z=..., r=..., passClass=<optimized out>) at ../../../source/simulation2/components/CCmpPathfinder.cpp:819
#1  0x000000000050806c in CCmpFootprint::PickSpawnPoint (this=0x639ce20, spawned=<optimized out>) at ../../../source/simulation2/components/CCmpFootprint.cpp:253
#2  0x000000000054809b in ScriptInterface_NativeMethodWrapper<CFixedVector3D, ICmpFootprint>::call<CFixedVector3D (ICmpFootprint::*)(unsigned int) const, unsigned int> (
    fptr=&virtual ICmpFootprint::PickSpawnPoint(unsigned int) const, c=0x639ce20, rval=..., cx=0x13024b0) at ../../../source/scriptinterface/NativeWrapperDefns.h:98
#3  ScriptInterface::callMethodConst<CFixedVector3D, unsigned int, &class_ICmpFootprint, ICmpFootprint, &(ICmpFootprint::PickSpawnPoint(unsigned int) const)> (cx=0x13024b0, argc=<optimized out>, vp=0x120fd08)
    at ../../../source/scriptinterface/NativeWrapperDefns.h:165
#4  0x00007ffff71dc012 in js::CallJSNative (args=..., native=<optimized out>, cx=0x13024b0) at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jscntxtinlines.h:226
#5  js::Invoke (cx=0x13024b0, args=..., construct=<optimized out>) at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:498
#6  0x00007ffff71d084f in Interpret (cx=0x13024b0, state=...) at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:2602
#7  0x00007ffff71dbcd1 in js::RunScript (cx=cx@entry=0x13024b0, state=...) at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:448
#8  0x00007ffff71dbf5c in js::Invoke (cx=cx@entry=0x13024b0, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:517
#9  0x00007ffff71dca8f in js::Invoke (cx=cx@entry=0x13024b0, thisv=..., fval=..., argc=argc@entry=4, argv=argv@entry=0x7fffffff95d8, rval=..., rval@entry=...)
    at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/vm/Interpreter.cpp:554
#10 0x00007ffff736cb00 in js::jit::DoCallFallback (cx=0x13024b0, frame=0x7fffffff9698, stub_=0x65cea48, argc=4, vp=0x7fffffff95c8, res=...)
    at /path/to/0ad/git/0ad/libraries/source/spidermonkey/mozjs-38.0.0/js/src/jit/BaselineIC.cpp:9572
#11 0x00007ffff7fc2036 in ?? ()

Sounds like an out-of-bounds access to me. Someone could print the coordinates and see whether a simple map-coordinate boundary check is missing.
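The following is an added illustration of the kind of boundary check the report is asking about; it is not 0 A.D.'s own Grid.h or CCmpPathfinder code, and the Grid class, the cell size constant, the use of float instead of CFixed and the sample map are all assumptions made for the example. Both traces put the fault in a 2-byte grid read, and the Valgrind report (comment 1) shows it landing at addresses 0x0 and 0x3, so the example refuses both an unallocated grid and any footprint cell outside the map before it touches the buffer, and reports which of the two it hit:

```cpp
// Added illustrative example (not 0 A.D.'s Grid.h or CCmpPathfinder code):
// a bounds-checked grid lookup and a placement check that rejects positions
// outside the map instead of indexing past (or before) the grid buffer.
#include <cstddef>
#include <cstdint>
#include <cmath>
#include <vector>

// Minimal stand-in for a tile grid. The project's Grid<T> is more involved;
// the point here is only the checked access.
template <typename T>
class Grid {
public:
    Grid() = default;
    Grid(int w, int h) : m_W(w), m_H(h), m_Data(static_cast<size_t>(w) * h, T{}) {}

    bool allocated() const { return !m_Data.empty(); }
    int width() const { return m_W; }
    int height() const { return m_H; }

    // True iff (i, j) addresses a cell that exists.
    bool inBounds(int i, int j) const {
        return i >= 0 && j >= 0 && i < m_W && j < m_H;
    }

    // Checked read: returns false (and leaves out untouched) for an
    // unallocated grid or an out-of-range cell, so callers cannot fault.
    bool tryGet(int i, int j, T& out) const {
        if (!allocated() || !inBounds(i, j))
            return false;
        out = m_Data[static_cast<size_t>(j) * m_W + i];
        return true;
    }

    void set(int i, int j, T v) {
        if (allocated() && inBounds(i, j))
            m_Data[static_cast<size_t>(j) * m_W + i] = v;
    }

private:
    int m_W = 0;
    int m_H = 0;
    std::vector<T> m_Data;
};

enum class Placement { Ok, Obstructed, OutOfMap, NoGrid };

// Assumed constant: world units per passability cell. The real engine has
// its own cell size; this value is an assumption for the example only.
constexpr float kCellSize = 1.0f;

// Hypothetical analogue of CheckUnitPlacement: a unit of radius r at (x, z)
// is placeable if every cell its footprint touches is allocated, inside the
// map, and not flagged impassable for passClass. Cells are 16-bit masks,
// matching the "read of size 2" in the Valgrind report.
Placement checkUnitPlacement(const Grid<uint16_t>& grid, float x, float z,
                             float r, uint16_t passClass)
{
    if (!grid.allocated())
        return Placement::NoGrid;

    const int i0 = static_cast<int>(std::floor((x - r) / kCellSize));
    const int i1 = static_cast<int>(std::floor((x + r) / kCellSize));
    const int j0 = static_cast<int>(std::floor((z - r) / kCellSize));
    const int j1 = static_cast<int>(std::floor((z + r) / kCellSize));

    // Reject the whole footprint before touching the buffer: this is the
    // map-boundary check the ticket suspects is missing. Checking the two
    // opposite corners is enough because the grid is rectangular.
    if (!grid.inBounds(i0, j0) || !grid.inBounds(i1, j1))
        return Placement::OutOfMap;

    for (int j = j0; j <= j1; ++j)
        for (int i = i0; i <= i1; ++i) {
            uint16_t cell = 0;
            if (!grid.tryGet(i, j, cell)) // cannot fail after the corner check; kept so the read is never unchecked
                return Placement::OutOfMap;
            if (cell & passClass)
                return Placement::Obstructed;
        }
    return Placement::Ok;
}

// Constructed sample: a tiny 4x4 square map with one impassable cell.
Grid<uint16_t> makeSampleGrid()
{
    Grid<uint16_t> g(4, 4);
    g.set(2, 2, 0x0001); // cell (2,2) impassable for pass class bit 0
    return g;
}
```

The useful property for debugging a report like this one is that the check returns a distinct status for "grid never allocated" versus "footprint outside the map": printing that status next to the (x, z, r) that produced it tells you immediately which of the two the tiny square map triggers.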

Attachments (1)

commands.txt (2.0 KB ) - added by elexis 7 years ago.


Change History (2)

by elexis, 7 years ago

Attachment: commands.txt added

comment:1 by fatherbushido, 7 years ago

Valgrind output

==4427== Invalid read of size 2
==4427==    at 0x2938BA: get (Grid.h:147)
==4427==    by 0x2938BA: CCmpPathfinder::CheckUnitPlacement(IObstructionTestFilter const&, CFixed<int, 2147483647, 32, 15, 16, 65536>, CFixed<int, 2147483647, 32, 15, 16, 65536>, CFixed<int, 2147483647, 32, 15, 16, 65536>, unsigned short, bool) const (CCmpPathfinder.cpp:819)
==4427==    by 0x24121B: CCmpFootprint::PickSpawnPoint(unsigned int) const (CCmpFootprint.cpp:195)
==4427==    by 0x24896A: call<CFixedVector3D (ICmpFootprint::*)(unsigned int) const, unsigned int> (NativeWrapperDefns.h:98)
==4427==    by 0x24896A: bool ScriptInterface::callMethodConst<CFixedVector3D, unsigned int, &class_ICmpFootprint, ICmpFootprint, &(ICmpFootprint::PickSpawnPoint(unsigned int) const)>(JSContext*, unsigned int, JS::Value*) (NativeWrapperDefns.h:165)
==4427==    by 0x5737401: CallJSNative (jscntxtinlines.h:226)
==4427==    by 0x5737401: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:498)
==4427==    by 0x572BCAE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2602)
==4427==    by 0x57370FC: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:448)
==4427==    by 0x5737368: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:517)
==4427==    by 0x5737DEE: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:554)
==4427==    by 0x58BB7FC: js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (BaselineIC.cpp:9572)
==4427==    by 0x380788F9: ???
==4427==    by 0x53AF5FC7: ???
==4427==    by 0x380737BB: ???
==4427==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4427== 
==4427== 
==4427== Process terminating with default action of signal 11 (SIGSEGV)
==4427==  Access not within mapped region at address 0x3
==4427==    at 0x2938BA: get (Grid.h:147)
==4427==    by 0x2938BA: CCmpPathfinder::CheckUnitPlacement(IObstructionTestFilter const&, CFixed<int, 2147483647, 32, 15, 16, 65536>, CFixed<int, 2147483647, 32, 15, 16, 65536>, CFixed<int, 2147483647, 32, 15, 16, 65536>, unsigned short, bool) const (CCmpPathfinder.cpp:819)
==4427==    by 0x24121B: CCmpFootprint::PickSpawnPoint(unsigned int) const (CCmpFootprint.cpp:195)
==4427==    by 0x24896A: call<CFixedVector3D (ICmpFootprint::*)(unsigned int) const, unsigned int> (NativeWrapperDefns.h:98)
==4427==    by 0x24896A: bool ScriptInterface::callMethodConst<CFixedVector3D, unsigned int, &class_ICmpFootprint, ICmpFootprint, &(ICmpFootprint::PickSpawnPoint(unsigned int) const)>(JSContext*, unsigned int, JS::Value*) (NativeWrapperDefns.h:165)
==4427==    by 0x5737401: CallJSNative (jscntxtinlines.h:226)
==4427==    by 0x5737401: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:498)
==4427==    by 0x572BCAE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2602)
==4427==    by 0x57370FC: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:448)
==4427==    by 0x5737368: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:517)
==4427==    by 0x5737DEE: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:554)
==4427==    by 0x58BB7FC: js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (BaselineIC.cpp:9572)
==4427==    by 0x380788F9: ???
==4427==    by 0x53AF5FC7: ???
==4427==    by 0x380737BB: ???