Opened 13 years ago

Closed 12 years ago

#845 closed defect (invalid)

Heap corruption in Windows (VC2010 debug build)

Reported by: Jan Wassenberg Owned by:
Priority: Should Have Milestone:
Component: Non-game systems Keywords:
Cc: philip Patch:

Description

I wanted to host a multiplayer (MP) game in a self-compiled debug build. I clicked Host, then Continue, and heap corruption was detected with the following call stack:

 	ntdll.dll!77de0844() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]	
 	ntdll.dll!77d9ae38() 	
 	ntdll.dll!77d9aa6e() 	
 	ntdll.dll!77d43070() 	
 	ntdll.dll!77de10eb() 	
 	ntdll.dll!77d9ac93() 	
 	ntdll.dll!77d43070() 	
 	ntdll.dll!77de1a64() 	
 	ntdll.dll!77d9a9af() 	
 	ntdll.dll!77d43070() 	
 	ntdll.dll!77de1a64() 	
 	ntdll.dll!77d9a9af() 	
 	ntdll.dll!77d42ffa() 	
 	kernel32.dll!772c14d1() 	
>	msvcr100d.dll!_heap_alloc_base(unsigned int size=44)  Line 55	C
 	msvcr100d.dll!_heap_alloc_dbg_impl(unsigned int nSize=8, int nBlockUse=1, const char * szFileName=0x00000000, int nLine=0, int * errno_tmp=0x002cd39c)  Line 431 + 0x9 bytes	C++
 	msvcr100d.dll!_nh_malloc_dbg_impl(unsigned int nSize=8, int nhFlag=0, int nBlockUse=1, const char * szFileName=0x00000000, int nLine=0, int * errno_tmp=0x002cd39c)  Line 239 + 0x19 bytes	C++
 	msvcr100d.dll!_nh_malloc_dbg(unsigned int nSize=8, int nhFlag=0, int nBlockUse=1, const char * szFileName=0x00000000, int nLine=0)  Line 302 + 0x1d bytes	C++
 	msvcr100d.dll!malloc(unsigned int nSize=8)  Line 56 + 0x15 bytes	C++
 	msvcr100d.dll!operator new(unsigned int size=8)  Line 59 + 0x9 bytes	C++
 	pyrogenesis_dbg.exe!std::_Allocate<std::_Container_proxy>(unsigned int _Count=1, std::_Container_proxy * __formal=0x00000000)  Line 36 + 0x15 bytes	C++
 	pyrogenesis_dbg.exe!std::allocator<std::_Container_proxy>::allocate(unsigned int _Count=1)  Line 187 + 0xb bytes	C++
 	pyrogenesis_dbg.exe!std::_String_val<char,std::allocator<char> >::_String_val<char,std::allocator<char> >(std::allocator<char> _Al={...})  Line 469 + 0xa bytes	C++
 	pyrogenesis_dbg.exe!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >(std::basic_string<char,std::char_traits<char>,std::allocator<char> > && _Right="Simulation")  Line 702 + 0x55 bytes	C++
 	pyrogenesis_dbg.exe!std::_Pair_base<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::_Pair_base<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >(const ScriptInterface * && _Val1=0x0b0eba48, std::basic_string<char,std::char_traits<char>,std::allocator<char> > && _Val2="Simulation")  Line 146	C++
 	pyrogenesis_dbg.exe!std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > ><ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > && _Right=(0x0b0eba48 {m=auto_ptr {m_runtime={...} m_cx=0x04a85a30 m_glob=0x0d402028 ...} }, "Simulation"))  Line 256	C++
 	pyrogenesis_dbg.exe!std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::construct(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Ptr=0x0b0ebd0c (0x0b0eba48 {m=auto_ptr {m_runtime={...} m_cx=0x04a85a30 m_glob=0x0d402028 ...} }, <Bad Ptr>), std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > && _Val=(0x0b0eba48 {m=auto_ptr {m_runtime={...} m_cx=0x04a85a30 m_glob=0x0d402028 ...} }, "Simulation"))  Line 202 + 0x33 bytes	C++
 	pyrogenesis_dbg.exe!std::_Cons_val<std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >,std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >(std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > & _Alval={...}, std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Pdest=0x0b0ebd0c (0x0b0eba48 {m=auto_ptr {m_runtime={...} m_cx=0x04a85a30 m_glob=0x0d402028 ...} }, <Bad Ptr>), std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > && _Src=(0x0b0eba48 {m=auto_ptr {m_runtime={...} m_cx=0x04a85a30 m_glob=0x0d402028 ...} }, "Simulation"))  Line 281	C++
 	pyrogenesis_dbg.exe!std::vector<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >::push_back(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > && _Val=(0x0b0eba48 {m=auto_ptr {m_runtime={...} m_cx=0x04a85a30 m_glob=0x0d402028 ...} }, "Simulation"))  Line 650 + 0x20 bytes	C++
 	pyrogenesis_dbg.exe!CScriptStatsTable::Add(const ScriptInterface * scriptInterface=0x0b0eba48, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & title="Simulation")  Line 43 + 0x33 bytes	C++
 	pyrogenesis_dbg.exe!ScriptInterface::ScriptInterface(const char * nativeScopeName=0x0146e8e4, const char * debugName=0x0146e8d8, const boost::shared_ptr<ScriptRuntime> & runtime={...})  Line 487 + 0x23 bytes	C++
 	pyrogenesis_dbg.exe!CComponentManager::CComponentManager(CSimContext & context={...}, bool skipScriptFunctions=false)  Line 59 + 0x89 bytes	C++
 	pyrogenesis_dbg.exe!CSimulation2Impl::CSimulation2Impl(CUnitManager * unitManager=0x0b0eb790, CTerrain * terrain=0x0b0eb740)  Line 51 + 0x4d bytes	C++
 	pyrogenesis_dbg.exe!CSimulation2::CSimulation2(CUnitManager * unitManager=0x0b0eb790, CTerrain * terrain=0x0b0eb740)  Line 314 + 0x66 bytes	C++
 	pyrogenesis_dbg.exe!CGame::CGame(bool disableGraphics=false)  Line 67 + 0xb9 bytes	C++
 	pyrogenesis_dbg.exe!`anonymous namespace'::StartNetworkHost(void * cbdata=0x02e4d1b8, std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > playerName="Jan")  Line 220 + 0x21 bytes	C++
 	pyrogenesis_dbg.exe!ScriptInterface_NativeWrapper<void>::call<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,void (__cdecl*)(void *,std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >)>(JSContext * cx=0x048f2468, unsigned __int64 & __formal=18446462607322775552, void (void *, std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >)* fptr=0x00b54d57, std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > a0="Jan")  Line 45 + 0x75 bytes	C++
 	pyrogenesis_dbg.exe!ScriptInterface::call<void,std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,&`anonymous namespace'::StartNetworkHost>(JSContext * cx=0x048f2468, unsigned int argc=1, unsigned __int64 * vp=0x044a00b8)  Line 97 + 0x1a0 bytes	C++
 	mozjs-ps-debug.dll!5f650324() 	
 	mozjs-ps-debug.dll!5f66182d() 	
 	mozjs-ps-debug.dll!5f62a287() 	
 	mozjs-ps-debug.dll!5f62a115() 	
 	mozjs-ps-debug.dll!5f7006e3() 	
 	mozjs-ps-debug.dll!5f68fbd8() 	
 	mozjs-ps-debug.dll!5f64fa2c() 	
 	mozjs-ps-debug.dll!5f64fe97() 	
 	mozjs-ps-debug.dll!5f650e63() 	
 	mozjs-ps-debug.dll!5f5b9870() 	
 	mozjs-ps-debug.dll!5f5b9b6d() 	
 	pyrogenesis_dbg.exe!OBJECT_TO_JSVAL(JSObject * obj=0x002cefa8)  Line 220 + 0x9 bytes	C++
 	pyrogenesis_dbg.exe!IGUIObject::SendEvent(EGUIMessageType type=GUIM_PRESSED, const CStr8 & EventName={...})  Line 503	C++
 	pyrogenesis_dbg.exe!IGUIButtonBehavior::HandleMessage(SGUIMessage & Message={...})  Line 66 + 0x35 bytes	C++
 	pyrogenesis_dbg.exe!CButton::HandleMessage(SGUIMessage & Message={...})  Line 86	C++
 	pyrogenesis_dbg.exe!IGUIObject::SendEvent(EGUIMessageType type=GUIM_MOUSE_RELEASE_LEFT, const CStr8 & EventName={...})  Line 499 + 0x13 bytes	C++
 	pyrogenesis_dbg.exe!CGUI::HandleEvent(const SDL_Event_ * ev=0x002cf488)  Line 207 + 0x2e bytes	C++
 	pyrogenesis_dbg.exe!CGUIManager::HandleEvent(const SDL_Event_ * ev=0x002cf488)  Line 202 + 0x38 bytes	C++
 	pyrogenesis_dbg.exe!gui_handler(const SDL_Event_ * ev=0x002cf488)  Line 48 + 0xf bytes	C++
 	pyrogenesis_dbg.exe!in_dispatch_event(const SDL_Event_ * ev=0x002cf488)  Line 60 + 0x12 bytes	C++
 	pyrogenesis_dbg.exe!PumpEvents()  Line 149 + 0x9 bytes	C++
 	pyrogenesis_dbg.exe!Frame()  Line 309	C++
 	pyrogenesis_dbg.exe!RunGameOrAtlas(int argc=1, const char * * argv=0x03dc5db8)  Line 492 + 0x5 bytes	C++
 	pyrogenesis_dbg.exe!main(int argc=1, char * * argv=0x03dc5db8)  Line 511 + 0xd bytes	C++
 	pyrogenesis_dbg.exe!wmain(int argc=1, wchar_t * * argv=0x03dc5210)  Line 373 + 0x14 bytes	C++
 	pyrogenesis_dbg.exe!__tmainCRTStartup()  Line 552 + 0x19 bytes	C
 	pyrogenesis_dbg.exe!wmainCRTStartup()  Line 371	C
 	pyrogenesis_dbg.exe!CallStartupWithinTryBlock()  Line 385 + 0x5 bytes	C++
 	pyrogenesis_dbg.exe!wseh_EntryPoint()  Line 413	C++
 	kernel32.dll!772c3677() 	
 	ntdll.dll!77d49f02() 	
 	ntdll.dll!77d49ed5() 	

I strongly recommend we delay this release until MUCH more testing has been done. Launching atlas from in-game also failed before I recompiled it ("attempt to load the CRT in an invalid fashion" or similar).

Attachments (1)

stl_crash_workaround_845.patch (1.6 KB ) - added by Jan Wassenberg 13 years ago.


Change History (5)

comment:1 by Jan Wassenberg, 13 years ago

During a second attempt, clicking continue (as above) worked, but clicking cancel crashed as follows:

>	msvcp100d.dll!std::_Container_base12::_Orphan_all()  Line 201 + 0x12 bytes	C++
 	pyrogenesis_dbg.exe!std::_String_val<char,std::allocator<char> >::~_String_val<char,std::allocator<char> >()  Line 478 + 0xb bytes	C++
 	pyrogenesis_dbg.exe!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >()  Line 755 + 0xf bytes	C++
 	pyrogenesis_dbg.exe!std::_Pair_base<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::~_Pair_base<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >()  + 0x19 bytes	C++
 	pyrogenesis_dbg.exe!std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::~pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >()  + 0x16 bytes	C++
 	pyrogenesis_dbg.exe!std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::`scalar deleting destructor'()  + 0x16 bytes	C++
 	pyrogenesis_dbg.exe!std::_Destroy<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Ptr=0x0b499278 (0xfdfdfdfd {m=auto_ptr ... }, ""))  Line 64	C++
 	pyrogenesis_dbg.exe!std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::destroy(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Ptr=0x0b499278 (0xfdfdfdfd {m=auto_ptr ... }, ""))  Line 213 + 0x9 bytes	C++
 	pyrogenesis_dbg.exe!std::_Dest_val<std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >,std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >(std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > & _Alval={...}, std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Pdest=0x0b499278 (0xfdfdfdfd {m=auto_ptr ... }, ""))  Line 288	C++
 	pyrogenesis_dbg.exe!std::_Destroy_range<std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _First=0x0b499278 (0xfdfdfdfd {m=auto_ptr ... }, ""), std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Last=0x0b49929c (0x03ee0c60 {m=auto_ptr {m_runtime={...} m_cx=0x00000000 m_glob=0x00000000 ...} }, <Bad Ptr>), std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > & _Al={...}, std::_Nonscalar_ptr_iterator_tag __formal={...})  Line 97 + 0xd bytes	C++
 	pyrogenesis_dbg.exe!std::_Destroy_range<std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _First=0x0b499278 (0xfdfdfdfd {m=auto_ptr ... }, ""), std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Last=0x0b49929c (0x03ee0c60 {m=auto_ptr {m_runtime={...} m_cx=0x00000000 m_glob=0x00000000 ...} }, <Bad Ptr>), std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > & _Al={...})  Line 88 + 0x29 bytes	C++
 	pyrogenesis_dbg.exe!std::vector<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >::_Destroy(std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _First=0x0b499278 (0xfdfdfdfd {m=auto_ptr ... }, ""), std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * _Last=0x0b49929c (0x03ee0c60 {m=auto_ptr {m_runtime={...} m_cx=0x00000000 m_glob=0x00000000 ...} }, <Bad Ptr>))  Line 1270 + 0x14 bytes	C++
 	pyrogenesis_dbg.exe!std::vector<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >::erase(std::_Vector_const_iterator<std::_Vector_val<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<ScriptInterface const *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > > _Where=(0xfdfdfdfd {m=auto_ptr ... }, <Bad Ptr>))  Line 1172	C++
 	pyrogenesis_dbg.exe!CScriptStatsTable::Remove(const ScriptInterface * scriptInterface=0x0b498d88)  Line 51 + 0x5f bytes	C++
 	pyrogenesis_dbg.exe!ScriptInterface::~ScriptInterface()  Line 498	C++
 	pyrogenesis_dbg.exe!CComponentManager::~CComponentManager()  Line 108 + 0xb1 bytes	C++
 	pyrogenesis_dbg.exe!CSimulation2Impl::~CSimulation2Impl()  Line 64 + 0x45 bytes	C++
 	pyrogenesis_dbg.exe!CSimulation2Impl::`scalar deleting destructor'()  + 0x16 bytes	C++
 	pyrogenesis_dbg.exe!CSimulation2::~CSimulation2()  Line 319 + 0x1e bytes	C++
 	pyrogenesis_dbg.exe!CSimulation2::`scalar deleting destructor'()  + 0x16 bytes	C++
 	pyrogenesis_dbg.exe!CGame::~CGame()  Line 96 + 0x1f bytes	C++
 	pyrogenesis_dbg.exe!CGame::`scalar deleting destructor'()  + 0x16 bytes	C++
 	pyrogenesis_dbg.exe!`anonymous namespace'::DisconnectNetworkGame(void * __formal=0x03f0d1b8)  Line 257 + 0x1f bytes	C++
 	pyrogenesis_dbg.exe!ScriptInterface_NativeWrapper<void>::call<void (__cdecl*)(void *)>(JSContext * cx=0x04a82468, unsigned __int64 & __formal=18446462607322775552, void (void *)* fptr=0x002e5cc2)  Line 45 + 0x16 bytes	C++
 	pyrogenesis_dbg.exe!ScriptInterface::call<void,&`anonymous namespace'::DisconnectNetworkGame>(JSContext * cx=0x04a82468, unsigned int argc=0, unsigned __int64 * vp=0x046300a8)  Line 97 + 0x112 bytes	C++
 	mozjs-ps-debug.dll!5fb10324() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for mozjs-ps-debug.dll]	
 	mozjs-ps-debug.dll!5fb2182d() 	
 	mozjs-ps-debug.dll!5faea287() 	
 	mozjs-ps-debug.dll!5faea115() 	
 	mozjs-ps-debug.dll!5fbc06e3() 	
 	mozjs-ps-debug.dll!5fb4fbd8() 	
 	mozjs-ps-debug.dll!5fb0fa2c() 	
 	mozjs-ps-debug.dll!5fb0fe97() 	
 	mozjs-ps-debug.dll!5fb10e63() 	
 	mozjs-ps-debug.dll!5fa79870() 	
 	mozjs-ps-debug.dll!5fa79b6d() 	
 	pyrogenesis_dbg.exe!OBJECT_TO_JSVAL(JSObject * obj=0x00e9ef28)  Line 220 + 0x9 bytes	C++
 	pyrogenesis_dbg.exe!IGUIObject::SendEvent(EGUIMessageType type=GUIM_PRESSED, const CStr8 & EventName={...})  Line 503	C++
 	pyrogenesis_dbg.exe!IGUIButtonBehavior::HandleMessage(SGUIMessage & Message={...})  Line 66 + 0x35 bytes	C++
 	pyrogenesis_dbg.exe!CButton::HandleMessage(SGUIMessage & Message={...})  Line 86	C++
 	pyrogenesis_dbg.exe!IGUIObject::SendEvent(EGUIMessageType type=GUIM_MOUSE_RELEASE_LEFT, const CStr8 & EventName={...})  Line 499 + 0x13 bytes	C++
 	pyrogenesis_dbg.exe!CGUI::HandleEvent(const SDL_Event_ * ev=0x00e9f408)  Line 207 + 0x2e bytes	C++
 	pyrogenesis_dbg.exe!CGUIManager::HandleEvent(const SDL_Event_ * ev=0x00e9f408)  Line 202 + 0x38 bytes	C++
 	pyrogenesis_dbg.exe!gui_handler(const SDL_Event_ * ev=0x00e9f408)  Line 48 + 0xf bytes	C++
 	pyrogenesis_dbg.exe!in_dispatch_event(const SDL_Event_ * ev=0x00e9f408)  Line 60 + 0x12 bytes	C++
 	pyrogenesis_dbg.exe!PumpEvents()  Line 149 + 0x9 bytes	C++
 	pyrogenesis_dbg.exe!Frame()  Line 309	C++
 	pyrogenesis_dbg.exe!RunGameOrAtlas(int argc=1, const char * * argv=0x00d75db8)  Line 492 + 0x5 bytes	C++
 	pyrogenesis_dbg.exe!main(int argc=1, char * * argv=0x00d75db8)  Line 512 + 0xd bytes	C++
 	pyrogenesis_dbg.exe!wmain(int argc=1, wchar_t * * argv=0x00d75210)  Line 373 + 0x14 bytes	C++
 	pyrogenesis_dbg.exe!__tmainCRTStartup()  Line 552 + 0x19 bytes	C
 	pyrogenesis_dbg.exe!wmainCRTStartup()  Line 371	C
 	pyrogenesis_dbg.exe!CallStartupWithinTryBlock()  Line 385 + 0x5 bytes	C++
 	pyrogenesis_dbg.exe!wseh_EntryPoint()  Line 413	C++
 	kernel32.dll!772c3677() 	
 	ntdll.dll!77d49f02() 	
 	ntdll.dll!77d49ed5() 	

comment:2 by Jan Wassenberg, 13 years ago

Update: just spent FOUR hours of CPU time verifying EVERY heap operation. Looks like we're OK until the main loop/render, at least.

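The problem really does seem to center on CScriptStatsTable::Add and Remove, triggered when initializing CGame after clicking on Host game -> continue. It happens with both ICC and VC2010 (which share the same STL). The crashes involve a double-free of the container proxy for a string. Bug in the STL? [Editor's note: the 0xfdfdfdfd values shown for the element being destroyed in the second trace match the fill byte the MSVC debug heap writes into the guard regions around an allocation, so that element may lie at or beyond the edge of the vector's storage rather than inside it.]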

by Jan Wassenberg, 13 years ago

comment:3 by Jan Wassenberg, 13 years ago

Component: Simulation → Non-game systems
Milestone: Alpha 5 → Backlog
Priority: Release Blocker → Should Have

A workaround for VC2010 debug builds is now available (see attached). Philip reports that the problem doesn't occur in VC2008, so we'll just leave this ticket open for anyone else affected to find.

comment:4 by historic_bruno, 12 years ago

Milestone: Backlog
Resolution: invalid
Status: new → closed
Summary: Heap corruption in Windows → Heap corruption in Windows (VC2010 debug build)