FWGS / xash3d-fwgs

Xash3D FWGS engine.

Crash in SV_TouchLinks (reproducible on GS too) #1204

Open FreeSlave opened 1 year ago

FreeSlave commented 1 year ago

Encountered a crash on a map. testcrash.bsp.zip

Take a suit and both batteries.

Thread 1 "xash3d" received signal SIGSEGV, Segmentation fault.
0xf6ddc53d in SV_TouchLinks (ent=0xf298d350, node=0xf7731418 <sv_areanodes+760>) at ../engine/server/sv_world.c:514
514                     next = l->next;
(gdb) bt
#0  0xf6ddc53d in SV_TouchLinks (ent=0xf298d350, node=0xf7731418 <sv_areanodes+760>) at ../engine/server/sv_world.c:514
#1  0xf6ddc72a in SV_TouchLinks (ent=0xf298d350, node=0xf77313f0 <sv_areanodes+720>) at ../engine/server/sv_world.c:579
#2  0xf6ddc72a in SV_TouchLinks (ent=0xf298d350, node=0xf77313c8 <sv_areanodes+680>) at ../engine/server/sv_world.c:579
#3  0xf6ddc72a in SV_TouchLinks (ent=0xf298d350, node=0xf77313a0 <sv_areanodes+640>) at ../engine/server/sv_world.c:579
#4  0xf6ddc710 in SV_TouchLinks (ent=0xf298d350, node=0xf7731120 <sv_areanodes>) at ../engine/server/sv_world.c:581
#5  0xf6ddca5d in SV_LinkEdict (ent=<optimized out>, touch_triggers=<optimized out>) at ../engine/server/sv_world.c:695
#6  0xf6dd624b in SV_RunCmd (cl=0xbce7102c, ucmd=0xffffbf4c, random_seed=113) at ../engine/server/sv_pmove.c:1116
#7  0xf6dad62d in SV_ParseClientMove (cl=cl@entry=0xbce7102c, msg=msg@entry=0xf750437c <net_message>) at ../engine/server/sv_client.c:3229
#8  0xf6daf7ae in SV_ExecuteClientMessage (cl=0xbce7102c, msg=0xf750437c <net_message>) at ../engine/server/sv_client.c:3489
#9  0xf6dc7b2d in SV_ReadPackets () at ../engine/server/sv_main.c:432
#10 0xf6dc8090 in Host_ServerFrame () at ../engine/server/sv_main.c:645
#11 0xf6d471e7 in Host_Frame (time=0.0166010968) at ../engine/common/host.c:709
#12 0xf6d48755 in Host_RunFrame (time=0.0166010968) at ../engine/common/host_state.c:144
#13 0xf6d488e4 in COM_Frame (time=0.0166010968) at ../engine/common/host_state.c:194
#14 0xf6d4806a in Host_Main (argc=<optimized out>, argv=0xffffcf44, progname=<optimized out>, bChangeGame=<optimized out>, func=0x565564b0 <Sys_ChangeGame(char const*)>)
    at ../engine/common/host.c:1249
#15 0x5655626c in Sys_Start () at ../game_launch/game.cpp:166
#16 main (argc=2, argv=0xffffcf44) at ../game_launch/game.cpp:179
(gdb) print l
$1 = (link_t *) 0x0

The crash is reproducible on GoldSource too.

FreeSlave commented 1 year ago

I've put a trigger_relay with a small delay before triggering trigger_hurt and it doesn't crash anymore. It seems like the problem is related to the fact that the trigger_hurt changes its solid state at the same time as the battery is removed.
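As an added illustration of the failure pattern this comment points at (example code written for this thread, not the engine's own sv_world.c, and no claim about how the project fixed it): a Quake-style area-node walk that caches `next` before calling game code, beside a form that tolerates entities being unlinked mid-walk. The list layout, the `Touch` stand-in and the pointer-poisoning `RemoveLink` are constructed assumptions.

```c
#include <stddef.h>
/* Constructed Quake-style circular doubly-linked list mirroring the shape of link_t. */
typedef struct link_s { struct link_s *prev, *next; } link_t;
typedef struct { link_t area; int id; } edict_t;               /* constructed edict */
#define EDICT_FROM_AREA(l) ((edict_t *)((char *)(l) - offsetof(edict_t, area)))
static void InsertLinkBefore(link_t *l, link_t *b) {
    l->next = b; l->prev = b->prev; l->prev->next = l; l->next->prev = l;
}
/* Assumption: unlinking poisons the pointers, which is how a cached 'next' becomes NULL. */
static void RemoveLink(link_t *l) {
    l->next->prev = l->prev; l->prev->next = l->next; l->prev = l->next = NULL;
}
/* One area node holding three trigger-linked edicts: 0 = trigger, 1 and 2 = batteries. */
static link_t trigger_edicts;
static edict_t ents[3];
static int touches;
static void BuildNode(void) {
    trigger_edicts.prev = trigger_edicts.next = &trigger_edicts; touches = 0;
    for (int i = 0; i < 3; i++) { ents[i].id = i; InsertLinkBefore(&ents[i].area, &trigger_edicts); }
}
/* Stand-in for game code: touching the trigger unlinks battery 1 within the same call. */
static void Touch(edict_t *e) {
    touches++;
    if (e->id == 0 && ents[1].area.next != NULL) RemoveLink(&ents[1].area);  /* still linked? */
}
/* Crash-site pattern: 'next' is cached before game code runs, so it can name a link that
   code just unlinked. Returns -1 at the point where the engine dereferences NULL. */
int UnsafeTouchLinks(void) {
    BuildNode();
    for (link_t *l = trigger_edicts.next, *next; l != &trigger_edicts; l = next) {
        if (l == NULL) return -1;   /* the engine has no such check: this is the SIGSEGV */
        next = l->next;
        Touch(EDICT_FROM_AREA(l));
    }
    return touches;
}
/* Hardened form: stamp visited edicts and re-walk from the head after every callback. */
int SafeTouchLinks(void) {
    int visited[3] = {0};
    BuildNode();
restart:
    for (link_t *l = trigger_edicts.next; l != &trigger_edicts; l = l->next) {
        edict_t *e = EDICT_FROM_AREA(l);
        if (visited[e->id]) continue;
        visited[e->id] = 1; Touch(e);
        goto restart;   /* the list may have changed under us: start over */
    }
    return touches;
}
```

The unsafe walk visits the already-unlinked battery and then lands on a NULL link, matching `print l` giving `0x0` in the backtrace above; the restart-based walk touches each entity once and never follows a stale pointer.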

huigrunt commented 1 year ago

I checked it myself and this is what I noticed: if you pick them up when entering the room, the crash occurs, and if you bypass the batteries and pick them up when leaving the room (that is, in a different sequence), the crash does not occur.