Crashes and memory corruption

Crashes and memory corruption

Matt Adcock
The last few days I've been getting crashes of the *** glibc detected ***
type. I upgraded to glibc-2.7-10 last week so I am fairly sure that may have
something to do with it, however I've also just started using the character
actions framework so I am concerned that is the cause.

I ran a fresh unmodified compile of 3.6 with a couple of python cmds to
start/stop/interrupt actions under valgrind and it threw up several
read/write errors:

MALLOC_CHECK_=2 valgrind --leak-check=yes --suppressions=python.supp ./NakedMud 4001

(edited log follows)

==18153== Invalid read of size 4
==18153==    at 0x8079AF0: listIteratorNext (list.c:479)
==18153==    by 0x806CE38: pulse_actions (action.c:232)
==18153==    by 0x80639A9: update_handler (gameloop.c:337)
==18153==    by 0x8063B0E: game_loop (gameloop.c:405)
==18153==    by 0x8064086: main (gameloop.c:311)
==18153==  Address 0x4bb0764 is 4 bytes inside a block of size 12 free'd
==18153==    at 0x402265C: free (vg_replace_malloc.c:323)
==18153==    by 0x8079E67: deleteList (list.c:142)
==18153==    by 0x806D03E: start_action (action.c:197)
==18153==    by 0x8098084: PyChar_start_action (pychar.c:1141)
==18153==    by 0x4110509: PyCFunction_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x415EBD5: PyEval_EvalFrameEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x4160367: PyEval_EvalCodeEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40FC67E: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D98D6: PyObject_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D9B52: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40DC02E: PyObject_CallFunction (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x8098225: PyAction_on_complete (pychar.c:1085)

==18153== Invalid read of size 4
==18153==    at 0x8079F6C: deleteListIterator (list.c:466)
==18153==    by 0x806CE44: pulse_actions (action.c:241)
==18153==    by 0x80639A9: update_handler (gameloop.c:337)
==18153==    by 0x8063B0E: game_loop (gameloop.c:405)
==18153==    by 0x8064086: main (gameloop.c:311)
==18153==  Address 0x4bb0664 is 12 bytes inside a block of size 20 free'd
==18153==    at 0x402265C: free (vg_replace_malloc.c:323)
==18153==    by 0x806D03E: start_action (action.c:197)
==18153==    by 0x8098084: PyChar_start_action (pychar.c:1141)
==18153==    by 0x4110509: PyCFunction_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x415EBD5: PyEval_EvalFrameEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x4160367: PyEval_EvalCodeEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40FC67E: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D98D6: PyObject_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D9B52: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40DC02E: PyObject_CallFunction (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x8098225: PyAction_on_complete (pychar.c:1085)
==18153==    by 0x806CC2B: run_action (action.c:102)

==18153== Invalid read of size 4
==18153==    at 0x8079E8B: listCleanRemoved (list.c:83)
==18153==    by 0x8079F7E: deleteListIterator (list.c:469)
==18153==    by 0x806CE44: pulse_actions (action.c:241)
==18153==    by 0x80639A9: update_handler (gameloop.c:337)
==18153==    by 0x8063B0E: game_loop (gameloop.c:405)
==18153==    by 0x8064086: main (gameloop.c:311)
==18153==  Address 0x4bb0668 is 16 bytes inside a block of size 20 free'd
==18153==    at 0x402265C: free (vg_replace_malloc.c:323)
==18153==    by 0x806D03E: start_action (action.c:197)
==18153==    by 0x8098084: PyChar_start_action (pychar.c:1141)
==18153==    by 0x4110509: PyCFunction_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x415EBD5: PyEval_EvalFrameEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x4160367: PyEval_EvalCodeEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40FC67E: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D98D6: PyObject_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D9B52: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40DC02E: PyObject_CallFunction (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x8098225: PyAction_on_complete (pychar.c:1085)
==18153==    by 0x806CC2B: run_action (action.c:102)

==18153== Invalid read of size 4
==18153==    at 0x8079BCA: deleteListNode (list.c:50)
==18153==    by 0x8079EB4: listCleanRemoved (list.c:92)
==18153==    by 0x8079F7E: deleteListIterator (list.c:469)
==18153==    by 0x806CE44: pulse_actions (action.c:241)
==18153==    by 0x80639A9: update_handler (gameloop.c:337)
==18153==    by 0x8063B0E: game_loop (gameloop.c:405)
==18153==    by 0x8064086: main (gameloop.c:311)
==18153==  Address 0x4bb0764 is 4 bytes inside a block of size 12 free'd
==18153==    at 0x402265C: free (vg_replace_malloc.c:323)
==18153==    by 0x8079E67: deleteList (list.c:142)
==18153==    by 0x806D03E: start_action (action.c:197)
==18153==    by 0x8098084: PyChar_start_action (pychar.c:1141)
==18153==    by 0x4110509: PyCFunction_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x415EBD5: PyEval_EvalFrameEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x4160367: PyEval_EvalCodeEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40FC67E: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D98D6: PyObject_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D9B52: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40DC02E: PyObject_CallFunction (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x8098225: PyAction_on_complete (pychar.c:1085)

==18153== Invalid free() / delete / delete[]
==18153==    at 0x402265C: free (vg_replace_malloc.c:323)
==18153==    by 0x8079EB4: listCleanRemoved (list.c:92)
==18153==    by 0x8079F7E: deleteListIterator (list.c:469)
==18153==    by 0x806CE44: pulse_actions (action.c:241)
==18153==    by 0x80639A9: update_handler (gameloop.c:337)
==18153==    by 0x8063B0E: game_loop (gameloop.c:405)
==18153==    by 0x8064086: main (gameloop.c:311)
==18153==  Address 0x4bb0760 is 0 bytes inside a block of size 12 free'd
==18153==    at 0x402265C: free (vg_replace_malloc.c:323)
==18153==    by 0x8079E67: deleteList (list.c:142)
==18153==    by 0x806D03E: start_action (action.c:197)
==18153==    by 0x8098084: PyChar_start_action (pychar.c:1141)
==18153==    by 0x4110509: PyCFunction_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x415EBD5: PyEval_EvalFrameEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x4160367: PyEval_EvalCodeEx (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40FC67E: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D98D6: PyObject_Call (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40D9B52: (within /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x40DC02E: PyObject_CallFunction (in /usr/lib/libpython2.5.so.1.0)
==18153==    by 0x8098225: PyAction_on_complete (pychar.c:1085)

I will try and replicate the crashes I've had and post some gdb output, but
has anyone experienced anything similar or have any ideas on how to fix
this?

Thanks,
-Matt
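
The valgrind traces in the post above show list nodes freed by deleteList under start_action, reached from PyAction_on_complete, and then read by listIteratorNext in pulse_actions. The C model below is an added illustration of that callback-frees-the-list-being-iterated pattern and of one way to harden the loop by detaching the queue first; it is not part of the original post and not NakedMud's source, and every name and the queue semantics in it are assumptions.

```c
/* Constructed model of the pattern in the traces; not NakedMud source.
 * Every name and the queue semantics here are assumptions. */
#include <stdio.h>
#include <stdlib.h>

typedef struct actor ACTOR;
typedef void (*on_complete_fn)(ACTOR *);
typedef struct node { struct node *next; int delay; on_complete_fn on_complete; } NODE;

struct actor {
    NODE    *actions;     /* queue of pending actions                 */
    unsigned generation;  /* bumped each time the queue is torn down  */
    int      completed;   /* on_complete callbacks that have run      */
};

static void free_queue(NODE *n) {
    while (n) { NODE *next = n->next; free(n); n = next; }
}

/* Push an action at the head of the actor's queue. */
void push_action(ACTOR *a, int delay, on_complete_fn fn) {
    NODE *n = malloc(sizeof *n);
    if (!n) abort();
    n->delay = delay; n->on_complete = fn; n->next = a->actions;
    a->actions = n;
}

/* Assumed semantics: starting an action interrupts whatever is queued, so
 * every node of the current queue is freed before the new one is added. */
void start_action(ACTOR *a, int delay, on_complete_fn fn) {
    free_queue(a->actions);
    a->actions = NULL;
    a->generation++;
    push_action(a, delay, fn);
}

/* Unsafe shape: walks the live queue while callbacks may free it. Instead of
 * dereferencing the stale cursor, this model returns -1 at that point. */
int pulse_in_place(ACTOR *a, int elapsed) {
    int ran = 0;
    NODE **pp = &a->actions;
    while (*pp) {
        NODE *n = *pp;
        n->delay -= elapsed;
        if (n->delay > 0) { pp = &n->next; continue; }
        *pp = n->next;                        /* pop the action, then run it */
        unsigned before = a->generation;
        on_complete_fn fn = n->on_complete;
        free(n); fn(a); ran++;
        if (a->generation != before)
            return -1;   /* pp may point into a freed node; *pp would be a UAF */
    }
    return ran;
}

/* Hardened shape: detach the queue first, so a callback that starts a new
 * action can only free the actor's fresh, empty queue. */
int pulse_detached(ACTOR *a, int elapsed) {
    NODE *work = a->actions, *keep = NULL, **tail = &keep;
    unsigned gen = a->generation;
    int ran = 0;
    a->actions = NULL;
    while (work) {
        NODE *n = work; work = n->next; n->next = NULL;
        n->delay -= elapsed;
        if (n->delay > 0) { *tail = n; tail = &n->next; continue; }
        on_complete_fn fn = n->on_complete;
        free(n); fn(a); ran++;
        if (a->generation != gen) {           /* callback interrupted the rest */
            free_queue(work); free_queue(keep);
            return ran;
        }
    }
    *tail = a->actions;                       /* survivors, then anything new */
    a->actions = keep;
    return ran;
}

/* Callback that re-queues itself, like an action restarted from on_complete. */
static void requeue(ACTOR *a) { a->completed++; start_action(a, 3, requeue); }

/* Constructed input: queue is [pending(5), expiring(1)]. */
void setup(ACTOR *a) {
    a->actions = NULL; a->generation = 0; a->completed = 0;
    push_action(a, 1, requeue);
    push_action(a, 5, requeue);
}

int main(void) {
    ACTOR a;
    setup(&a);
    int unsafe = pulse_in_place(&a, 1);
    free_queue(a.actions);
    setup(&a);
    int safe = pulse_detached(&a, 1);
    printf("in place: %d, detached: %d (next delay %d)\n", unsafe, safe, a.actions->delay);
    free_queue(a.actions);
    return 0;
}
```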

Re: Crashes and memory corruption

Matt Adcock
I've since produced several crashes - same setup with new copy of 3.6
with some python action commands - after a while of executing actions
it crashes:

Program terminated with signal 11, Segmentation fault.
[New process 18735]
#0  0x08079afa in listIteratorNext (I=0x8210d70) at list.c:478
478       while(I->curr && I->curr->removed)
(gdb) bt
#0  0x08079afa in listIteratorNext (I=0x8210d70) at list.c:478
#1  0x0806ce39 in pulse_actions (time=1) at action.c:232
#2  0x080639aa in update_handler () at gameloop.c:337
#3  0x08063b0f in game_loop (control=3) at gameloop.c:405
#4  0x08064087 in main (argc=2, argv=0xbf926214) at gameloop.c:311
(gdb) p I->curr
$1 = (LIST_NODE *) 0x79
(gdb) p I->curr->removed
Cannot access memory at address 0x81
(gdb) list
473     void *listIteratorNext(LIST_ITERATOR *I) {
474       if(I->curr)
475         I->curr = I->curr->next;
476
477       // skip all of the removed elements
478       while(I->curr && I->curr->removed)
479         I->curr = I->curr->next;
480
481       return (I->curr ? I->curr->elem : NULL);
482     };
(gdb) p I->curr->next
Cannot access memory at address 0x7d
(gdb) frame 1
#1  0x0806ce39 in pulse_actions (time=1) at action.c:232
232           ITERATE_LIST(action, act_i) {
(gdb) list
227           // UID, and re-look him up in the player table
228           ch = propertyTableGet(mob_table, charGetUID(map_actor));
229
230           act_i = newListIterator(actions);
231
232           ITERATE_LIST(action, act_i) {
233             // decrement the delay
234             action->delay -= time;
235             // pop the action from the list, and run it
236             if(action->delay <= 0) {
(gdb) p *ch
$2 = {loadroom = 0x8211488 "tavern_entrance@examples", uid = 1,
  body = 0x825d0c8, race = 0x8210b50 "human", prototypes = 0x825ce90 "",
  class = 0x825ce80 "", socket = 0x82126d8, room = 0x81ab3e0,
last_room = 0x0,
  furniture = 0x0, desc = 0x825ce18, look_buf = 0x825ce38,
  name = 0x825ce58 "Matt", sex = 0, position = 3, inventory = 0x825ce68,
  auxiliary_data = 0x825cf38, prfs = 0x825cee0, user_groups = 0x825cf00,
  rdesc = 0x825d0d8 "Matt is here.", multi_name = 0x825ced0 "",
  multi_rdesc = 0x825cec0 "", keywords = 0x825ceb0 ""}
(gdb) p *action
$3 = {on_complete = 0, on_interrupt = 0x80980e0 <PyAction_on_interrupt>,
  where = 1, delay = 0, data = 0x4037d464, arg = 0x82109b8 "ø\017!\by"}

The list looks dodgy, but so does 'arg'. Hmmm.

I've also had crashes when a char quits:

Breakpoint 3, deleteChar (mob=0x825ba60) at character.c:375
375     void deleteChar( CHAR_DATA *mob) {
(gdb) p *mob
$5 = {loadroom = 0x825cb48 "tavern_entrance@examples", uid = 1,
  body = 0x825ca98, race = 0x825babf "", prototypes = 0x825c860 "",
  class = 0x825c850 "", socket = 0x0, room = 0x0, last_room = 0x81aa8a0,
  furniture = 0x0, desc = 0x825c7e8, look_buf = 0x825c808,
  name = 0x825c828 "Matt", sex = 0, position = 3, inventory = 0x825c838,
  auxiliary_data = 0x825c908, prfs = 0x825c8b0, user_groups = 0x825c8d0,
  rdesc = 0x825caa8 "Matt is here.", multi_name = 0x825c8a0 "",
  multi_rdesc = 0x825c890 "", keywords = 0x825c880 ""}
(gdb) Quit
(gdb) n
378       if(mob->body) deleteBody(mob->body);
(gdb)
380       deleteList(mob->inventory);
(gdb)
382       if(mob->class)       free(mob->class);
(gdb)
383       if(mob->prototypes)  free(mob->prototypes);
(gdb)
384       if(mob->name)        free(mob->name);
(gdb)
385       if(mob->desc)        deleteBuffer(mob->desc);
(gdb)
386       if(mob->look_buf)    deleteBuffer(mob->look_buf);
(gdb)
387       if(mob->rdesc)       free(mob->rdesc);
(gdb)
388       if(mob->multi_rdesc) free(mob->multi_rdesc);
(gdb)
389       if(mob->multi_name)  free(mob->multi_name);
(gdb)
390       if(mob->keywords)    free(mob->keywords);
(gdb)
391       if(mob->loadroom)    free(mob->loadroom);
(gdb)
392       if(mob->race)        free(mob->race);
(gdb)
*** glibc detected *** ./NakedMud: free(): invalid pointer: 0x0825babf ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0x4024fa85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0x402534f0]
./NakedMud(deleteChar+0xc8)[0x8072cc8]
./NakedMud(unreference_player+0x64)[0x806d9f4]
./NakedMud(update_handler+0x58)[0x80639e8]
./NakedMud(game_loop+0xbf)[0x8063b0f]
./NakedMud(main+0x417)[0x8064087]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0x401fa450]
./NakedMud[0x8063921]

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()


It looks like ch->race is getting corrupted somehow. I only seem to
get this after running actions for a while but I don't know what might
be causing it.

Does anyone have any ideas?

-Matt



Re: Re: Crashes and memory corruption

Geoff Hollis
I've been looking through the code, but can't find anything  
interesting. I haven't tried replicating it yet though. Were you  
using builtin actions, or was it stuff of your own? If it was stuff  
of your own, think I'd be able to see a copy of the code so I can try  
replicating these crashes as well?

On Jul 7, 2008, at 10:07 AM, mattjea wrote:

> I've since produced several crashes - same setup with new copy of 3.6
> with some python action commands - after a while of executing actions
> it crashes:
>
> Program terminated with signal 11, Segmentation fault.
> [New process 18735]
> #0 0x08079afa in listIteratorNext (I=0x8210d70) at list.c:478
> 478 while(I->curr && I->curr->removed)
> (gdb) bt
> #0 0x08079afa in listIteratorNext (I=0x8210d70) at list.c:478
> #1 0x0806ce39 in pulse_actions (time=1) at action.c:232
> #2 0x080639aa in update_handler () at gameloop.c:337
> #3 0x08063b0f in game_loop (control=3) at gameloop.c:405
> #4 0x08064087 in main (argc=2, argv=0xbf926214) at gameloop.c:311
> (gdb) p I->curr
> $1 = (LIST_NODE *) 0x79
> (gdb) p I->curr->removed
> Cannot access memory at address 0x81
> (gdb) list
> 473 void *listIteratorNext(LIST_ITERATOR *I) {
> 474 if(I->curr)
> 475 I->curr = I->curr->next;
> 476
> 477 // skip all of the removed elements
> 478 while(I->curr && I->curr->removed)
> 479 I->curr = I->curr->next;
> 480
> 481 return (I->curr ? I->curr->elem : NULL);
> 482 };
> (gdb) p I->curr->next
> Cannot access memory at address 0x7d
> (gdb) frame 1
> #1 0x0806ce39 in pulse_actions (time=1) at action.c:232
> 232 ITERATE_LIST(action, act_i) {
> (gdb) list
> 227 // UID, and re-look him up in the player table
> 228 ch = propertyTableGet(mob_table, charGetUID(map_actor));
> 229
> 230 act_i = newListIterator(actions);
> 231
> 232 ITERATE_LIST(action, act_i) {
> 233 // decrement the delay
> 234 action->delay -= time;
> 235 // pop the action from the list, and run it
> 236 if(action->delay <= 0) {
> (gdb) p *ch
> $2 = {loadroom = 0x8211488 "tavern_entrance@examples", uid = 1,
> body = 0x825d0c8, race = 0x8210b50 "human", prototypes = 0x825ce90 "",
> class = 0x825ce80 "", socket = 0x82126d8, room = 0x81ab3e0,
> last_room = 0x0,
> furniture = 0x0, desc = 0x825ce18, look_buf = 0x825ce38,
> name = 0x825ce58 "Matt", sex = 0, position = 3, inventory = 0x825ce68,
> auxiliary_data = 0x825cf38, prfs = 0x825cee0, user_groups = 0x825cf00,
> rdesc = 0x825d0d8 "Matt is here.", multi_name = 0x825ced0 "",
> multi_rdesc = 0x825cec0 "", keywords = 0x825ceb0 ""}
> (gdb) p *action
> $3 = {on_complete = 0, on_interrupt = 0x80980e0  
> <PyAction_on_interrupt>,
> where = 1, delay = 0, data = 0x4037d464, arg = 0x82109b8 "ø\017!\by"}
>
> The list looks dodgy, but so does 'arg'. Hmmm.
>
> I've also had crashes when a char quits:
>
> Breakpoint 3, deleteChar (mob=0x825ba60) at character.c:375
> 375 void deleteChar( CHAR_DATA *mob) {
> (gdb) p *mob
> $5 = {loadroom = 0x825cb48 "tavern_entrance@examples", uid = 1,
> body = 0x825ca98, race = 0x825babf "", prototypes = 0x825c860 "",
> class = 0x825c850 "", socket = 0x0, room = 0x0, last_room = 0x81aa8a0,
> furniture = 0x0, desc = 0x825c7e8, look_buf = 0x825c808,
> name = 0x825c828 "Matt", sex = 0, position = 3, inventory = 0x825c838,
> auxiliary_data = 0x825c908, prfs = 0x825c8b0, user_groups = 0x825c8d0,
> rdesc = 0x825caa8 "Matt is here.", multi_name = 0x825c8a0 "",
> multi_rdesc = 0x825c890 "", keywords = 0x825c880 ""}
> (gdb) Quit
> (gdb) n
> 378 if(mob->body) deleteBody(mob->body);
> (gdb)
> 380 deleteList(mob->inventory);
> (gdb)
> 382 if(mob->class) free(mob->class);
> (gdb)
> 383 if(mob->prototypes) free(mob->prototypes);
> (gdb)
> 384 if(mob->name) free(mob->name);
> (gdb)
> 385 if(mob->desc) deleteBuffer(mob->desc);
> (gdb)
> 386 if(mob->look_buf) deleteBuffer(mob->look_buf);
> (gdb)
> 387 if(mob->rdesc) free(mob->rdesc);
> (gdb)
> 388 if(mob->multi_rdesc) free(mob->multi_rdesc);
> (gdb)
> 389 if(mob->multi_name) free(mob->multi_name);
> (gdb)
> 390 if(mob->keywords) free(mob->keywords);
> (gdb)
> 391 if(mob->loadroom) free(mob->loadroom);
> (gdb)
> 392 if(mob->race) free(mob->race);
> (gdb)
> *** glibc detected *** ./NakedMud: free(): invalid pointer:  
> 0x0825babf ***
> ======= Backtrace: =========
> /lib/tls/i686/cmov/libc.so.6[0x4024fa85]
> /lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0x402534f0]
> ./NakedMud(deleteChar+0xc8)[0x8072cc8]
> ./NakedMud(unreference_player+0x64)[0x806d9f4]
> ./NakedMud(update_handler+0x58)[0x80639e8]
> ./NakedMud(game_loop+0xbf)[0x8063b0f]
> ./NakedMud(main+0x417)[0x8064087]
> /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0x401fa450]
> ./NakedMud[0x8063921]
>
> Program received signal SIGABRT, Aborted.
> 0xffffe410 in __kernel_vsyscall ()
>
> It looks like ch->race is getting corrupted somehow. I only seem to
> get this after running actions for a while but I don't know what might
> be causing it.
>
> Does anyone have any ideas?
>
> -Matt
>
>
>


Re: Re: Crashes and memory corruption

Matt Adcock
Sure, these are the python functions I am using:

import random

# NakedMud's embedded Python modules
import mud, mudsys

# maps each grappler to the character they are holding
grapplers = {}

def do_struggle(ch, tgt, arg):
    if not tgt in ch.room.chars: return
    if grapplers.get(tgt) != ch: return

    # base percent chance to escape
    chance = 25
    if random.randrange(1, 100) < chance:
        mud.message(ch, tgt, None, None, False, "to_char", "You succeed in freeing yourself from $N.")
        mud.message(ch, tgt, None, None, False, "to_vict", "$n has struggled free from your grasp.")
        if grapplers.get(ch) == tgt: del grapplers[ch]
    else:
        mud.message(ch, tgt, None, None, False, "to_char", "You continue to struggle against $N.")
        # re-queue the same action from inside its own on_complete callback
        ch.startAction(3, do_struggle, stop_struggle, tgt)

def stop_struggle(ch, tgt, arg):
    mud.message(ch, tgt, None, None, False, "to_char", "You stop struggling against $N.")

def do_grapple(ch, tgt, arg):
    # check they are still here and haven't escaped yet
    if not tgt in ch.room.chars: return
    if grapplers.get(ch) != tgt: return

    mud.message(ch, tgt, None, None, False, "to_char", "You continue to grapple with $N.")
    mud.message(ch, tgt, None, None, False, "to_vict", "$n continues to grapple with you.")
    mud.message(ch, tgt, None, None, False, "to_room", "$n continues to grapple with $N.")
    # re-queue the same action from inside its own on_complete callback
    ch.startAction(3, do_grapple, stop_grapple, tgt)

def stop_grapple(ch, tgt, arg):
    if grapplers.get(ch) == tgt:
        del grapplers[ch]
    mud.message(ch, tgt, None, None, False, "to_char", "You release $N from your grasp.")
    mud.message(ch, tgt, None, None, False, "to_vict", "$n releases you from $s grasp.")

def cmd_struggle(ch, cmd, arg):
    if not ch in grapplers.values():
        ch.send('But you are not grappling!')
    else:
        for k,v in grapplers.items():
            if v == ch: tgt = k
        mud.message(ch, tgt, None, None, False, "to_char", "You begin to struggle against $N.")
        ch.startAction(3, do_struggle, stop_struggle, tgt)

def cmd_grapple(ch, cmd, arg):
    try:
        tgt, = mud.parse_args(ch, True, cmd, arg, "ch.room.noself")
    except: return

    mud.message(ch, tgt, None, None, False, "to_char", "You begin to grapple with $N.")
    mud.message(ch, tgt, None, None, False, "to_vict", "$n begins to grapple with you.")
    mud.message(ch, tgt, None, None, False, "to_room", "$n begins to grapple with $N.")
    grapplers[ch] = tgt
    ch.startAction(3, do_grapple, stop_grapple, tgt)

mudsys.add_cmd("grapple", None, cmd_grapple, "player", True)
mudsys.add_cmd("struggle", None, cmd_struggle, "player", True)

I log in two characters with one to grapple and the other struggling, back
and forth, and after a few minutes I can quit one character and the mud
crashes. I don't know if it's something stupid I've done in the python code
- I've tried specifying the 5th argument to startAction as arg or "" but it
makes no difference.

I am thinking now that this is most likely a library issue given my recent
upgrade and the fact that I cannot reproduce the crash when running the mud
under valgrind - presumably because it is using its own memory management
implementation rather than the standard library. However there still must be
something in the code that it doesn't like.

DISTRIB_DESCRIPTION="Ubuntu 8.04"
libc6          2.7-10ubuntu3
Python 2.5.2 (r252:60911, Apr 21 2008, 11:12:42)
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2


2008/7/7 Geoff Hollis <[hidden email]>:

>    I've been looking through the code, but can't find anything
> interesting. I haven't tried replicating it yet though. Were you using
> builtin actions, or was it stuff of your own? If it was stuff of your own,
> think I'd be able to see a copy of the code so I can try replicating these
> crashes as well?
>
> On Jul 7, 2008, at 10:07 AM, mattjea wrote:
>
> I've since produced several crashes - same setup with new copy of 3.6
> with some python action commands - after a while of executing actions
> it crashes:
>
> Program terminated with signal 11, Segmentation fault.
> [New process 18735]
> #0 0x08079afa in listIteratorNext (I=0x8210d70) at list.c:478
> 478 while(I->curr && I->curr->removed)
> (gdb) bt
> #0 0x08079afa in listIteratorNext (I=0x8210d70) at list.c:478
> #1 0x0806ce39 in pulse_actions (time=1) at action.c:232
> #2 0x080639aa in update_handler () at gameloop.c:337
> #3 0x08063b0f in game_loop (control=3) at gameloop.c:405
> #4 0x08064087 in main (argc=2, argv=0xbf926214) at gameloop.c:311
> (gdb) p I->curr
> $1 = (LIST_NODE *) 0x79
> (gdb) p I->curr->removed
> Cannot access memory at address 0x81
> (gdb) list
> 473 void *listIteratorNext(LIST_ITERATOR *I) {
> 474 if(I->curr)
> 475 I->curr = I->curr->next;
> 476
> 477 // skip all of the removed elements
> 478 while(I->curr && I->curr->removed)
> 479 I->curr = I->curr->next;
> 480
> 481 return (I->curr ? I->curr->elem : NULL);
> 482 };
> (gdb) p I->curr->next
> Cannot access memory at address 0x7d
> (gdb) frame 1
> #1 0x0806ce39 in pulse_actions (time=1) at action.c:232
> 232 ITERATE_LIST(action, act_i) {
> (gdb) list
> 227 // UID, and re-look him up in the player table
> 228 ch = propertyTableGet(mob_table, charGetUID(map_actor));
> 229
> 230 act_i = newListIterator(actions);
> 231
> 232 ITERATE_LIST(action, act_i) {
> 233 // decrement the delay
> 234 action->delay -= time;
> 235 // pop the action from the list, and run it
> 236 if(action->delay <= 0) {
> (gdb) p *ch
> $2 = {loadroom = 0x8211488 "tavern_entrance@examples", uid = 1,
> body = 0x825d0c8, race = 0x8210b50 "human", prototypes = 0x825ce90 "",
> class = 0x825ce80 "", socket = 0x82126d8, room = 0x81ab3e0,
> last_room = 0x0,
> furniture = 0x0, desc = 0x825ce18, look_buf = 0x825ce38,
> name = 0x825ce58 "Matt", sex = 0, position = 3, inventory = 0x825ce68,
> auxiliary_data = 0x825cf38, prfs = 0x825cee0, user_groups = 0x825cf00,
> rdesc = 0x825d0d8 "Matt is here.", multi_name = 0x825ced0 "",
> multi_rdesc = 0x825cec0 "", keywords = 0x825ceb0 ""}
> (gdb) p *action
> $3 = {on_complete = 0, on_interrupt = 0x80980e0 <PyAction_on_interrupt>,
> where = 1, delay = 0, data = 0x4037d464, arg = 0x82109b8 "ø\017!\by"}
>
> The list looks dodgy, but so does 'arg'. Hmmm.
>
> I've also had crashes when a char quits:
>
> Breakpoint 3, deleteChar (mob=0x825ba60) at character.c:375
> 375 void deleteChar( CHAR_DATA *mob) {
> (gdb) p *mob
> $5 = {loadroom = 0x825cb48 "tavern_entrance@examples", uid = 1,
> body = 0x825ca98, race = 0x825babf "", prototypes = 0x825c860 "",
> class = 0x825c850 "", socket = 0x0, room = 0x0, last_room = 0x81aa8a0,
> furniture = 0x0, desc = 0x825c7e8, look_buf = 0x825c808,
> name = 0x825c828 "Matt", sex = 0, position = 3, inventory = 0x825c838,
> auxiliary_data = 0x825c908, prfs = 0x825c8b0, user_groups = 0x825c8d0,
> rdesc = 0x825caa8 "Matt is here.", multi_name = 0x825c8a0 "",
> multi_rdesc = 0x825c890 "", keywords = 0x825c880 ""}
> (gdb) Quit
> (gdb) n
> 378 if(mob->body) deleteBody(mob->body);
> (gdb)
> 380 deleteList(mob->inventory);
> (gdb)
> 382 if(mob->class) free(mob->class);
> (gdb)
> 383 if(mob->prototypes) free(mob->prototypes);
> (gdb)
> 384 if(mob->name) free(mob->name);
> (gdb)
> 385 if(mob->desc) deleteBuffer(mob->desc);
> (gdb)
> 386 if(mob->look_buf) deleteBuffer(mob->look_buf);
> (gdb)
> 387 if(mob->rdesc) free(mob->rdesc);
> (gdb)
> 388 if(mob->multi_rdesc) free(mob->multi_rdesc);
> (gdb)
> 389 if(mob->multi_name) free(mob->multi_name);
> (gdb)
> 390 if(mob->keywords) free(mob->keywords);
> (gdb)
> 391 if(mob->loadroom) free(mob->loadroom);
> (gdb)
> 392 if(mob->race) free(mob->race);
> (gdb)
> *** glibc detected *** ./NakedMud: free(): invalid pointer: 0x0825babf ***
> ======= Backtrace: =========
> /lib/tls/i686/cmov/libc.so.6[0x4024fa85]
> /lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0x402534f0]
> ./NakedMud(deleteChar+0xc8)[0x8072cc8]
> ./NakedMud(unreference_player+0x64)[0x806d9f4]
> ./NakedMud(update_handler+0x58)[0x80639e8]
> ./NakedMud(game_loop+0xbf)[0x8063b0f]
> ./NakedMud(main+0x417)[0x8064087]
> /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0x401fa450]
> ./NakedMud[0x8063921]
>
> Program received signal SIGABRT, Aborted.
> 0xffffe410 in __kernel_vsyscall ()
>
> It looks like ch->race is getting corrupted somehow. I only seem to
> get this after running actions for a while but I don't know what might
> be causing it.
>
> Does anyone have any ideas?
>
> -Matt
>
>
>  

Re: Re: Crashes and memory corruption

Matt Adcock
An update..

I've reproduced the bug using a modified dsay and isolated it to the
recursive call to start_action.

void do_dsay(CHAR_DATA *ch, void *data, bitvector_t where, char *arg) {
  communicate(ch, arg, COMM_LOCAL);
  start_action(ch, 3 SECOND, 1, do_dsay, dsay_interrupt, NULL, arg);
}

The first valgrind error is thrown when the dsay function executes:

 Invalid read of size 4
==22252==    at 0x80812F7: listIteratorNext (list.c:475)
==22252==    by 0x8071CDB: pulse_actions (action.c:243)
==22252==    by 0x80675F0: update_handler (gameloop.c:339)
==22252==    by 0x80677DA: game_loop (gameloop.c:407)
==22252==    by 0x8067575: main (gameloop.c:313)
==22252==  Address 0x5350134 is 4 bytes inside a block of size 12 free'd
==22252==    at 0x402265C: free (vg_replace_malloc.c:323)
==22252==    by 0x8080834: deleteListNode (list.c:51)
==22252==    by 0x8080A02: deleteList (list.c:142)
==22252==    by 0x8071B28: interrupt_action (action.c:197)
==22252==    by 0x8071B46: start_action (action.c:208)
==22252==    by 0x807171D: do_dsay (action.c:64)
==22252==    by 0x80718CB: run_action (action.c:113)
==22252==    by 0x8071CC5: pulse_actions (action.c:249)
==22252==    by 0x80675F0: update_handler (gameloop.c:339)
==22252==    by 0x80677DA: game_loop (gameloop.c:407)
==22252==    by 0x8067575: main (gameloop.c:313)

I haven't delved into the code too deeply yet, but it looks like
interrupt_action is modifying a list from within pulse_actions where it's
being iterated over.
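
The hazard described in the post above, reduced to a self-contained C sketch. This is an added example, not NakedMud's code: NODE, ACTOR, free_all, on_complete and both pulse functions are hypothetical stand-ins for list.c and action.c. The unsafe walk is kept for contrast and is never called; the fixed version finishes its walk before running any callback.

```c
#include <stdlib.h>

/* Hypothetical miniature of the pattern in the trace; NOT NakedMud's list.c/action.c. */
typedef struct node { int delay; struct node *next; } NODE;
typedef struct { NODE *head; int runs; } ACTOR;
void free_all(NODE *n) { while (n) { NODE *next = n->next; free(n); n = next; } }

/* Like start_action calling interrupt_action: drop the queue, then add one action. */
void start_action(ACTOR *a, int delay) {
  NODE *n = malloc(sizeof *n);
  if (!n) abort();
  free_all(a->head);
  n->delay = delay; n->next = NULL;
  a->head = n;
}

/* Completion callback that re-arms itself, as the modified do_dsay does. */
void on_complete(ACTOR *a) { a->runs++; start_action(a, 3); }

/* BUGGY (for contrast, never called here): the callback frees every node,
 * including n, and the loop then reads n->next out of the freed block. */
void pulse_actions_unsafe(ACTOR *a, int elapsed) {
  for (NODE *n = a->head; n; n = n->next) {
    n->delay -= elapsed;
    if (n->delay <= 0) on_complete(a);
  }
}

/* FIXED: finish walking the list before running any callback. */
void pulse_actions(ACTOR *a, int elapsed) {
  int due = 0;
  NODE **link = &a->head;
  while (*link) {                    /* phase 1: age and unlink due actions */
    NODE *n = *link;
    n->delay -= elapsed;
    if (n->delay <= 0) { *link = n->next; free(n); due++; }
    else link = &n->next;
  }
  while (due-- > 0) on_complete(a);  /* phase 2: no walk in progress */
}

/* Constructed scenario: one self re-arming action, pulsed four times. */
int demo(void) {
  ACTOR a = { NULL, 0 };
  start_action(&a, 1);
  for (int i = 0; i < 4; i++) pulse_actions(&a, 1);
  free_all(a.head);
  return a.runs;
}
```

Building the unsafe variant with -fsanitize=address, or running it under valgrind, reports the same kind of read inside a freed block as the trace above.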