#1 2014-05-13 06:23:06

thelionroars
Member

segfault occurring

I'm consistently getting a segfault while playing over my LAN against bots. The server is publicly accessible ('Fragaholic'). System is Kubuntu 14.04 64 bit, and as the hardware is pretty good I have everything on max (perhaps this is the cause). I was playing CTF against 3-4 bots, and the game crashed every couple of minutes.

Let me know if there is anything I can do to pin down the error.


#2 2014-05-13 06:51:27

eihrul
Administrator

Re: segfault occurring

If you are able to compile it yourself, you will need -dev versions of the SDL2/image/mixer and zlib packages:

make -C src CXXFLAGS=-g3

That will build a debug version of the client. Run:

gdb src/tess_client

In-game, make sure you do: /fullscreen 0
so that when it crashes you won't get stuck inside.
Then send me a backtrace of where it crashes.


#3 2014-05-13 12:51:59

thelionroars
Member

Re: segfault occurring

No probs, will do


#4 2014-06-09 11:58:34

andrius4669
Member

Re: segfault occurring

I have the same bug, and after some debugging, it seems it's a use-after-free bug somewhere in the model rendering code.

System: ArchLinux x86_64 (kernel: 3.14.6-1-ARCH, testing repos enabled)
gcc version 4.9.0 20140521 (prerelease) (GCC)
Renderer: Mesa DRI Intel(R) Ivybridge Mobile  (Intel Open Source Technology Center)
Driver: 3.3 (Core Profile) Mesa 10.2.1
GLSL: 3.30
All this testing was done with rev 1710 (newest atm).

As in thelionroars's case, I was playing with bots (32 bots) on a server (not his server) (map: Alithia-Tess), and the game crashed quite often.

Here are a few backtraces:
CXXFLAGS= -O0 -g3 -march=native -pipe -fno-inline -fstack-protector

Reading symbols from bin_unix/native_client...done.
[New LWP 23377]
[New LWP 23380]
[New LWP 23382]
[New LWP 23383]
Core was generated by `./bin_unix/native_client -u/home/andrius/.tesseract'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f079c4720e7 in ?? ()
(gdb) backtrace
#0  0x00007f079c4720e7 in ?? ()
#1  0x0000000008ade710 in ?? ()
#2  0x000000000a112360 in ?? ()
#3  0x0000000100000000 in ?? ()
#4  0x000000000050008c in cleanragdoll (d=<error reading variable: Cannot access memory at address 0x44d46cde>) at engine/ragdoll.h:534
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

------------
CXXFLAGS= -O0 -g3 -march=native -pipe -fno-inline -fstack-protector

Reading symbols from bin_unix/native_client...done.
[New LWP 24086]
[New LWP 24091]
[New LWP 24089]
[New LWP 24092]
Core was generated by `./bin_unix/native_client -u/home/andrius/.tesseract'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000498f84 in vec4::setxyz (this=0x99f270 <animmodel::matrixstack+48>, v=...) at shared/geom.h:352
352        void setxyz(const vec &v) { x = v.x; y = v.y; z = v.z; }
(gdb) backtrace
#0  0x0000000000498f84 in vec4::setxyz (this=0x99f270 <animmodel::matrixstack+48>, v=...) at shared/geom.h:352
#1  0x000000000049967f in matrix4::settranslation (this=0x99f240 <animmodel::matrixstack>, v=...) at shared/geom.h:1581
#2  0x0000000000518168 in animmodel::render (this=0x66be180, anim=1361063938, basetime=53083, basetime2=0, o=..., yaw=223, pitch=0, roll=0,
    d=0xaf8e8e0, a=0xc873160, size=0.209999979, color=...) at engine/animmodel.h:1305
#3  0x0000000000507bcb in renderbatchedmodel (m=0x66be180, b=...) at engine/rendermodel.cpp:535
#4  0x000000000050866c in rendershadowmodelbatches (dynmodel=true) at engine/rendermodel.cpp:680
#5  0x00000000004f5240 in rendercsmshadowmaps () at engine/renderlights.cpp:3834
#6  0x00000000004ef310 in collectlights () at engine/renderlights.cpp:3185
#7  0x000000000057673d in rendergeom () at engine/renderva.cpp:1751
#8  0x00000000004f8650 in rendergbuffer (depthclear=true) at engine/renderlights.cpp:4355
#9  0x00000000004d9c38 in gl_drawview () at engine/rendergl.cpp:2432
#10 0x00000000004dba20 in gl_drawframe () at engine/rendergl.cpp:2854
#11 0x0000000000466fbe in main (argc=2, argv=0x7fff3a6f9e88) at engine/main.cpp:1235

-------------
CXXFLAGS= -O0 -g3 -march=native -pipe -fno-inline -fstack-protector -fsanitize=address

you got fragged by bot [132]
=================================================================
==24693==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900062f3d0 at pc 0x66d2b7 bp 0x7fffb5dd1fa0 sp 0x7fffb5dd1f90
READ of size 8 at 0x61900062f3d0 thread T0
    #0 0x66d2b6 in animmodel::render(int, int, int, vec const&, float, float, float, dynent*, modelattach*, float, vec4 const&) engine/animmodel.h:1285
    #1 0x6494ab in renderbatchedmodel engine/rendermodel.cpp:535
    #2 0x64ade0 in rendershadowmodelbatches(bool) engine/rendermodel.cpp:680
    #3 0x61e12c in rendercsmshadowmaps() engine/renderlights.cpp:3834
    #4 0x611e5c in collectlights() engine/renderlights.cpp:3185
    #5 0x74ce1d in rendergeom() engine/renderva.cpp:1751
    #6 0x624ea6 in rendergbuffer(bool) engine/renderlights.cpp:4355
    #7 0x5e2bad in gl_drawview() engine/rendergl.cpp:2432
    #8 0x5e6fb2 in gl_drawframe() engine/rendergl.cpp:2854
    #9 0x4db21c in main engine/main.cpp:1235
    #10 0x7f2dd4a7afff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)
    #11 0x4064a8 (/home/andrius/tesseract/bin_unix/native_client+0x4064a8)

0x61900062f3d0 is located 336 bytes inside of 1080-byte region [0x61900062f280,0x61900062f6b8)
freed by thread T0 here:
    #0 0x7f2dd69ef8ff in __interceptor_free (/usr/lib/libasan.so.1+0x578ff)
    #1 0x428ed8 in operator delete(void*) shared/tools.cpp:19
    #2 0x8b1cf1 in game::moveragdolls() game/render.cpp:42
    #3 0x8aa230 in game::updateworld() game/game.cpp:228
    #4 0x4db167 in main engine/main.cpp:1216
    #5 0x7f2dd4a7afff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

previously allocated by thread T0 here:
    #0 0x7f2dd69efb77 in malloc (/usr/lib/libasan.so.1+0x57b77)
    #1 0x428e6b in operator new(unsigned long) shared/tools.cpp:7
    #2 0x8b1743 in game::saveragdoll(gameent*) game/render.cpp:21
    #3 0x8916c9 in game::parsemessages(int, gameent*, databuf<unsigned char>&) game/client.cpp:1459
    #4 0x895aff in game::parsepacketclient(int, packetbuf&) game/client.cpp:1950
    #5 0x4667d5 in localservertoclient(int, _ENetPacket*) engine/client.cpp:206
    #6 0x466ae8 in gets2c() engine/client.cpp:243
    #7 0x8aa235 in game::updateworld() game/game.cpp:229
    #8 0x4db167 in main engine/main.cpp:1216
    #9 0x7f2dd4a7afff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

SUMMARY: AddressSanitizer: heap-use-after-free engine/animmodel.h:1285 animmodel::render(int, int, int, vec const&, float, float, float, dynent*, modelattach*, float, vec4 const&)
==24693==ABORTING

hope this helps :)

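The ASan report above pins the lifetime problem down: the ragdoll is allocated in game::saveragdoll, deleted in game::moveragdolls during updateworld, and then read again in animmodel::render through a model batch queued for the shadow pass. The following is an added illustration, not Tesseract's code, of one defensive pattern for that class of bug: a slot table with a generation counter, so a handle cached by a batch in an earlier frame resolves to null instead of to freed memory. All names (ragdollstore, saveragdoll, moveragdolls, renderbatch) are hypothetical stand-ins for the functions in the trace.

```cpp
// Added example, not Tesseract's code. Models the lifetime in the ASan trace:
// saveragdoll allocates, moveragdolls frees, a cached batch reads afterwards.
// A versioned handle turns the stale read into a null check. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

struct ragdoll { int millis; };   // stand-in for the engine's ragdoll data
struct ragdollhandle { std::size_t slot; std::uint32_t gen; };

struct ragdollstore {
    struct entry { ragdoll *data = nullptr; std::uint32_t gen = 0; };
    std::vector<entry> slots;
    ~ragdollstore() { for (entry &e : slots) delete e.data; }

    // saveragdoll: allocate into a free slot and hand out a versioned handle
    ragdollhandle saveragdoll(int millis) {
        for (std::size_t i = 0; i < slots.size(); i++)
            if (!slots[i].data) { slots[i].data = new ragdoll{millis}; return {i, slots[i].gen}; }
        slots.push_back({new ragdoll{millis}, 0});
        return {slots.size() - 1, 0};
    }

    // moveragdolls: free expired ragdolls; bumping gen invalidates every
    // handle still cached elsewhere, e.g. in a batch built last frame
    std::size_t moveragdolls(int now, int lifetime) {
        std::size_t freed = 0;
        for (entry &e : slots)
            if (e.data && now - e.data->millis > lifetime) {
                delete e.data; e.data = nullptr; e.gen++; freed++;
            }
        return freed;
    }

    // resolve: the check a renderer must make before dereferencing a cached handle
    ragdoll *resolve(ragdollhandle h) const {
        if (h.slot >= slots.size()) return nullptr;
        const entry &e = slots[h.slot];
        return (e.data && e.gen == h.gen) ? e.data : nullptr;
    }
};

// renderbatch: counts handles that are still live versus ones that would have
// been use-after-free reads had the batch stored raw pointers instead
struct batchresult { int rendered, stale; };
batchresult renderbatch(const ragdollstore &store, const std::vector<ragdollhandle> &batch) {
    batchresult r{0, 0};
    for (ragdollhandle h : batch) { if (store.resolve(h)) r.rendered++; else r.stale++; }
    return r;
}
```

With raw dynent* pointers in the batch, as in the trace, the same sequence reads the freed 1080-byte region; with handles, the stale entry is simply skipped and slot reuse cannot revive it.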
