Opened 5 years ago

Last modified 3 years ago

#5598 closed defect

Fedora 29 crash when clicking on singleplayer color dropdown — at Initial Version

Reported by: elexis
Owned by:
Priority: Must Have
Milestone: Alpha 25
Component: Core engine
Keywords:
Cc:
Patch:

Description

A Fedora 29 user reported on #0ad-dev that a crash occasionally occurs when opening the summary screen after ending a 0ad match.

From http://irclogs.wildfiregames.com/2019-09/2019-09-15-QuakeNet-%230ad-dev.log:

20:40 < newbay> I am not sure. I have some auto backtrace tool. it blames std::__replacement_assert

Today he reported the same crash to be always reproducible when opening the singleplayer gamesetup page, selecting the maptype "random", then clicking on the color dropdown:

From http://irclogs.wildfiregames.com/2019-09/2019-09-17-QuakeNet-%230ad-dev.log:

19:44 < freemint> pyrogenesis killed by SIGABRT and it crashed in std::__replacement_assert
19:47 < freemint> bt: main RunGameOrAtlas(int, char const**) Frame() in_dispatch_event(SDL_Event_ const*) gui_handler(SDL_Event_ const*) CGUIManager::HandleEvent(SDL_Event_ const*) CGUI::HandleEvent(SDL_Event_ const*) IGUIObject::SendEvent(EGUIMessageType, CStr8 const&) CDropDown::HandleMessage(SGUIMessage&) ???? abort raise

The crash already happens when clicking on the (collapsed) dropdown, not only after selecting an item or such.

It seems the bug is reported downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1697209

Excerpt from their trace:

#3  0x000000000097833b in std::vector<float, std::allocator<float> >::operator[] (__n=<optimized out>, this=0x6997a38) at /usr/include/c++/8/bits/stl_iterator.h:804
        __PRETTY_FUNCTION__ = "std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) [with _Tp = float; _Alloc = std::allocator<float>; std::vector<_Tp, _Alloc>::reference = f"...
#4  CDropDown::HandleMessage (this=0x69979f0, Message=...) at ../../../source/gui/CDropDown.cpp:196
        pList = 0x116edcc0
        soundPath = {<std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >> = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<wchar_t>> = {<__gnu_cxx::new_allocator<wchar_t>> = {<No data fields>}, <No data fields>}, _M_p = 0xd0c05a0 L"\xd0c0501"}, _M_string_length = 0, {_M_local_buf = L"\xea0580\000\x6997ab0", _M_allocated_capacity = 15336832}}, <No data fields>}
        enabled = true
#5  0x000000000095908f in IGUIObject::SendEvent (this=this@entry=0x6997ab0, type=type@entry=GUIM_MOUSE_PRESS_LEFT, EventName=...) at ../../../source/gui/IGUIObject.cpp:444
        msg = {type = GUIM_MOUSE_PRESS_LEFT, value = {<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >> = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x7fffc951bf38 ""}, _M_string_length = 0, {_M_local_buf = "\000\277Q\311\377\177\000\000\000\000\000\000\000\000\000", _M_allocated_capacity = 140736570965760}}, <No data fields>}, skipped = false}
#6  0x00000000008f9c82 in CGUI::HandleEvent (this=0x9962ad0, ev=ev@entry=0x7fffc951c270) at /usr/include/c++/8/ext/new_allocator.h:86

Affected line would be here: https://code.wildfiregames.com/source/0ad/browse/ps/trunk/source/gui/CDropDown.cpp;22557$196

Perhaps the summary screen crash is related.

A web search for std::__replacement_assert yields some Fedora 29 crashes; one of the results discusses address sanitization.

So it might be that either a library on Fedora 29 is broken or in the wrong version, or that the game was built on Fedora 29 with fewer sanitization flags (address sanitization?) and thus reveals a bug in 0ad code that was otherwise hidden.
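
The trace above aborts inside std::vector<float>::operator[] through std::__replacement_assert, which is the function libstdc++ calls when its operator[] bounds check fails in a build with _GLIBCXX_ASSERTIONS defined. The following is an added illustration, not 0 A.D. code: DropDownModel, its members and both functions are hypothetical, and the bad-index condition shown is an assumption, not the confirmed cause at CDropDown.cpp:196.

```cpp
// Added illustration; every name below is hypothetical, not taken from 0 A.D.
#include <cstddef>
#include <cstdio>
#include <vector>

struct DropDownModel {
    std::vector<float> itemY;  // y offset of each list entry
    int highlighted = -1;      // -1 means no entry is highlighted
};

// Unchecked form. operator[] with an index >= size() is undefined behaviour:
// a plain build reads past the buffer silently, while a build with
// -D_GLIBCXX_ASSERTIONS checks the index and aborts (SIGABRT), as in the trace.
// A negative index converts to a huge size_t, so -1 is out of range as well.
float scroll_target_unchecked(const DropDownModel& m) {
    return m.itemY[static_cast<std::size_t>(m.highlighted)];
}

// Guarded form: validate the index against the current size before indexing.
// Returns false, leaving 'out' untouched, when there is no valid entry.
bool scroll_target_checked(const DropDownModel& m, float& out) {
    if (m.highlighted < 0)
        return false;
    const std::size_t i = static_cast<std::size_t>(m.highlighted);
    if (i >= m.itemY.size())
        return false;
    out = m.itemY[i];
    return true;
}

int main() {
    DropDownModel m;                 // constructed sample: empty list, nothing highlighted
    float y = 0.0f;
    std::printf("empty list: %s\n", scroll_target_checked(m, y) ? "ok" : "skipped");

    m.itemY = {0.0f, 18.0f, 36.0f};  // constructed sample offsets
    m.highlighted = 2;
    if (scroll_target_checked(m, y))
        std::printf("entry 2 at y=%.1f\n", y);

    m.highlighted = 3;               // stale index one past the end
    std::printf("stale index: %s\n", scroll_target_checked(m, y) ? "ok" : "skipped");
    return 0;
}
```

Compiling the unchecked function with g++ -D_GLIBCXX_ASSERTIONS and calling it on the empty model reproduces the abort-in-operator[] shape of the trace; AddressSanitizer (-fsanitize=address) reports the same access as a heap-buffer-overflow instead.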
