
Рандомное срабатывание Mem_Free: not allocated or double freed при переходе между уровнями. #354

Closed ghost closed 3 years ago

ghost commented 3 years ago

При переходе между уровнями, с некоторой долей вероятности может сработать Mem_Free: not allocated or double freed. К сожалению, баг так же «плавающий», и точной последовательности действий для его воспроизведения я не знаю, но похоже, что он порой происходит, если за всю работу игры произошло больше 5-10 переходов между уровнями. Backtrace:

Thread 1 "hl" received signal SIGINT, Interrupt.
0x00007ffff7b24701 in raise () from /lib64/libc.so.6
#0  0x00007ffff7b24701 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff6e7825b in Sys_Error (error=0x7ffff6f3ce08 "Mem_Free: not allocated or double freed (free at %s:%i)\n") at ../engine/common/system.c:409
        argptr = {{gp_offset = 1445197616, fp_offset = 21845, overflow_arg_area = 0x555555f9c620, reg_save_area = 0x7fffffffbc00}}
        text = "\000\000\200?\"¾@D ÆùUUU\000\000\020ºÿÿÿ\177\000\000EÍãöÿ\177\000\000\000PùUUU\000\000\000¼ÿÿÿ\177\000\000\000\000¶B\003\000\000\000Ö§1Ä\003\000\000\000@ºÿÿÿ\177\000\000\060÷#VUU\000\000 ÆùUUU\000\000\000¼ÿÿÿ\177\000\000\000\000\000\000vò4D ÆùUUU\000\000pºÿÿÿ\177\000\000EÍãöÿ\177\000\000\000PùUUU\000\000\000¼ÿÿÿ\177\000\000\200»ÿÿ\003\000\000\000\064\063|C\003\000\000\000 ºÿÿÿ\177\000\000\020ï#VUU\000\000ÐÊùUUU\000\000\000¼ÿÿÿ\177\000\000\210Ù\nXÒmýÃ"...
#2  0x00007ffff6e78ee0 in Mem_FreeBlock (mem=0x55555620bca0, filename=0x7ffff6f36b52 "../engine/common/model.c", fileline=110) at ../engine/common/zone.c:129
        pool = 0x555556325eb0
#3  0x00007ffff6e792a5 in _Mem_FreePool (poolptr=0x7ffff6fa80b0 <mod_known+80>, filename=0x7ffff6f36b52 "../engine/common/model.c", fileline=110) at ../engine/common/zone.c:213
        pool = 0x555556325eb0
        chainaddress = 0x5555560de3f8
#4  0x00007ffff6e49168 in Mod_FreeModel (mod=0x7ffff6fa8060 <mod_known>) at ../engine/common/model.c:110
No locals.
#5  0x00007ffff6e49a26 in Mod_PurgeStudioCache () at ../engine/common/model.c:411
        i = 49
#6  0x00007ffff6e49b5e in Mod_LoadWorld (name=0x7ffff740f5ec <sv+268> "maps/c1a1.bsp", preload=true) at ../engine/common/model.c:444
        pworld = 0x7fffffffdea0
#7  0x00007ffff6e96969 in SV_SpawnServer (mapname=0x7fffffffdc20 "c1a1", startspot=0x7fffffffdca0 "c1a0catoc1a1", background=false) at ../engine/server/sv_init.c:942
        i = 1444737200
        current_skill = 3
        ent = 0x7ffff6e95dd4 <SV_DeactivateServer+185>
#8  0x00007ffff6eac930 in SV_ChangeLevel (loadfromsavedgame=true, mapname=0x7ffff73cc3fc <host+28> "c1a1", start=0x7ffff73cc43c <host+92> "c1a0catoc1a1", background=false) at ../engine/server/sv_save.c:2064
        level = "c1a1\000\177\000\000PÜÿÿÿ\177\000\000ÀPUUUU\000\000 @\001õÿ\177\000\000\000\000\000\000\000\000\000\000#^ëöÿ\177\000\000 @\001õÿ\177\000\000\002¨ñöÿ\177\000"
        oldlevel = "c1a0c\000\000\000Tæ#\000\000\000\000\000\200Üÿÿÿ\177\000\000u8Kõÿ\177\000\000 Üÿÿÿ\177\000\000\227÷ïöÿ\177\000\000 Üÿÿÿ\177\000\000\000oö°\001\000\000"
        _startspot = "c1a0catoc1a1\000\177\000\000àÜÿÿÿ\177\000\000q+º÷ÿ\177\000\000àÜÿÿÿ\177\000\000 Ýÿÿÿ\177\000\000ÀPUUUU\000\000ÅçÙöÿ\177\000"
        startspot = 0x7fffffffdca0 "c1a0catoc1a1"
        pSaveData = 0x555558cbcc90
#9  0x00007ffff6e96d71 in SV_ExecChangeLevel () at ../engine/server/sv_init.c:1063
No locals.
#10 0x00007ffff6e27ebc in COM_Frame (time=0.0203845147) at ../engine/common/host_state.c:190
        oldState = 3
        loopCount = 0
#11 0x00007ffff6e278f7 in Host_Main (argc=4, argv=0x7fffffffdea8, progname=0x5555555560df "valve", bChangeGame=0, func=0x555555555388 <Sys_ChangeGame(char const*)>) at ../engine/common/host.c:1107
        oldtime = 106.58244386200001
        newtime = 106.60282837600001
#12 0x000055555555547d in Sys_Start () at ../game_launch/game.cpp:141
        ret = 0
        changeGame = 0x555555555388 <Sys_ChangeGame(char const*)>
#13 0x00005555555554b2 in main (argc=4, argv=0x7fffffffdea8) at ../game_launch/game.cpp:153
No locals.
a1batross commented 3 years ago

Должна быть строка с аллокацией.

ghost commented 3 years ago

@a1batross Немного потестировал и опять поймал этот баг, правда теперь почему-то вместо "not allocated or double freed" ругается на "trashed header sentinel 1": Mem_Free: trashed header sentinel 1 (alloc at ../engine/common/mod_bmodel.c:119928016, free at ../engine/common/model.c:110). Номер строки 119928016 в «alloc at» явно мусорный — судя по всему, заголовок блока уже перезаписан к моменту освобождения, поэтому и текст ошибки «плавает» от запуска к запуску.

mittorn commented 3 years ago

Поймай со включенным asan

ghost commented 3 years ago

@mittorn Проверил с asan: с подключённым asan вылетает сразу же после второго перехода, причём всегда:

==5255==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000066e78 at pc 0x7ff6538b008c bp 0x7ffe145ecab0 sp 0x7ffe145ecaa0
READ of size 8 at 0x610000066e78 thread T0
    #0 0x7ff6538b008b in Cache_Check ../engine/common/common.c:841
    #1 0x7ff65398d8c7 in Mod_CacheCheck ../engine/common/model.c:509
    #2 0x7ff65187ca87 in pfnMod_CacheCheck ../ref_soft/r_studio.c:3668
    #3 0x7ff64e81da37 in CStudioModelRenderer::StudioGetAnim(model_s*, mstudioseqdesc_t*) ../cl_dll/StudioModelRenderer.cpp:391
    #4 0x7ff64e81f3f6 in CStudioModelRenderer::StudioSetupBones() ../cl_dll/StudioModelRenderer.cpp:809
    #5 0x7ff64e81f151 in CStudioModelRenderer::StudioDrawModel(int) ../cl_dll/StudioModelRenderer.cpp:1138
    #6 0x7ff64e81d0d1 in R_StudioDrawModel(int) ../cl_dll/GameStudioModelRenderer.cpp:71
    #7 0x7ff6518ad138 in R_StudioDrawModelInternal ../ref_soft/r_studio.c:3364
    #8 0x7ff6518ad352 in R_DrawStudioModel ../ref_soft/r_studio.c:3400
    #9 0x7ff65183d33d in R_DrawEntitiesOnList ../ref_soft/r_main.c:838
    #10 0x7ff65183e3d1 in R_RenderScene ../ref_soft/r_main.c:1625
    #11 0x7ff65183eabb in R_RenderFrame ../ref_soft/r_main.c:1776
    #12 0x7ff653c68721 in GL_RenderFrame ../engine/client/ref_common.c:60
    #13 0x7ff653c20dcb in V_RenderView ../engine/client/cl_view.c:339
    #14 0x7ff653bf1ae4 in SCR_UpdateScreen ../engine/client/cl_scrn.c:558
    #15 0x7ff653b9854e in Host_ClientFrame ../engine/client/cl_main.c:3029
    #16 0x7ff65390a5bf in Host_Frame ../engine/common/host.c:642
    #17 0x7ff65390cbed in Host_RunFrame ../engine/common/host_state.c:144
    #18 0x7ff65390cee4 in COM_Frame ../engine/common/host_state.c:194
    #19 0x7ff65390bd3e in Host_Main ../engine/common/host.c:1107
    #20 0x56039ca425db in Sys_Start ../game_launch/game.cpp:141
    #21 0x56039ca425db in main ../game_launch/game.cpp:153
    #22 0x7ff6583a6c8a in __libc_start_main (/lib64/libc.so.6+0x23c8a)
    #23 0x56039ca42189 in _start (*secret*/xash+0x2189)

0x610000066e78 is located 56 bytes inside of 188-byte region [0x610000066e40,0x610000066efc)
freed by thread T0 here:
    #0 0x7ff6592ed50f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libasan.so.5+0x10c50f)
    #1 0x7ff653a46b4c in Mem_FreeBlock ../engine/common/zone.c:141

previously allocated by thread T0 here:
    #0 0x7ff6592ed908 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libasan.so.5+0x10c908)
    #1 0x7ff653a47113 in _Mem_Alloc ../engine/common/zone.c:70

SUMMARY: AddressSanitizer: heap-use-after-free ../engine/common/common.c:841 in Cache_Check
glebm commented 3 years ago

This appears to be a duplicate of https://github.com/FWGS/xash3d-fwgs/issues/260

ghost commented 3 years ago

Баг более не проявляется, скорее всего исправили в коммите https://github.com/FWGS/xash3d-fwgs/commit/9313f7e80e0c33bc58298477d8e24b015502a295.