Marisa-Chan / UA_source

Mod for UrbanAssault (Replace original game engine)
GNU General Public License v2.0
120 stars, 16 forks

Weird segfault when user controlled unit dies the moment it strikes a hit on a enemy unit. #18

Closed KynikossDragonn closed 3 years ago

KynikossDragonn commented 3 years ago

This happened during a livestream, I've clipped what happened: https://www.twitch.tv/videos/758279357

I think the crash might involve your unit getting destroyed the moment it hits or destroys another unit at nearly the same time, race condition perhaps?

UA_source[18558]: segfault at 55 ip 000055ed9b9ba3ae sp 00007fff4c870850 error 4 in UA_source[55ed9b76e000+25e000]
Code: 48 89 7d b8 48 89 75 b0 64 48 8b 04 25 28 00 00 00 48 89 45 f8 31 c0 48 8b 45 b0 48 8b 00 48 85 c0 74 3d 48 8b 45 b0 48 8b 00 <8b> 40 54 83 f8 09 75 2e 48 8b 45 b0 8b 40 08 83 f8 07 74 22 48 8b
Marisa-Chan commented 3 years ago

I need more info, like OS and the binary used.

Marisa-Chan commented 3 years ago

Seems Linux/Unix. I think I found the right place in the code and will try to analyze what can go wrong.

KynikossDragonn commented 3 years ago

> I need more info, like OS and the binary used.

Oh, sorry. I'm using Void Linux with kernel package 5.8.12_2.

I built from cloning the master at around September 21, 2020.

Marisa-Chan commented 3 years ago

Crash conditions are:

  1. enemy unit is a commander (only one in squad?)
  2. your unit is also a commander and the only one in the squad
  3. you shoot multiple missiles targeted at the enemy unit
  4. while your missiles fly to the target, your unit is destroyed
  5. enemy unit is hit by your missile or another missile and changes aggro to flee; some of your missiles are still alive and targeted at this unit.

When your unit dies, all missiles are reattached to your host-station as emitter, because there are no more units in this squad to take the commander role. Then the enemy unit is hit by a missile and changes aggro to flee: it goes to iterate all attackers of this unit. Alive missiles are in this list, and at this point it switches to the parent of the missile emitter (the emitter was switched to the host-station after our unit died).

And for the host-station and other top-level units in the unit tree (or the dead cache unit list), the parent was originally set to the hacky value "(type)1" instead of a real pointer or NULL. This "1" is used as an object in this situation, and everything segfaults.

The original game does not crash because it uses two (!) pointers to the parent: one to the parent object, and one to the internal structure of that object which represents the base unit object. When units are placed directly in the dead cache list or the global units list, this second pointer is NULL. In a situation like the above, this NULL pointer is used and it is correctly handled afterwards.

This bug should be fixed by these two commits: https://github.com/Marisa-Chan/UA_source/commit/0732921361e717aa723a1190eb61270e9f56709e https://github.com/Marisa-Chan/UA_source/commit/9432ecd74d94161e221abf21b931ffeec73994d5
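The failure mode above, a non-null sentinel parent pointer that passes a null check and then gets dereferenced, replayed as a small added example. This is illustrative code written for this page, not UA_source's own classes or the linked commits; `Unit`, `Missile`, `kBogusParent`, `countUnsafeParentDerefs` and the rest are assumed names in a simplified model of the scenario (commander dies, missiles are re-emitted from the host-station, the fleeing enemy iterates its attackers and walks to the emitter's parent).

```cpp
#include <cstdint>
#include <vector>

// Hypothetical, simplified unit model (assumption: not UA_source's real types).
struct Unit;

struct Missile {
    Unit* emitter;   // firing unit; re-parented to the host-station when that unit dies
};

struct Unit {
    Unit* parent;                    // squad commander; top-level units have none
    int agro;                        // aggro state the enemy switches when hit
    std::vector<Missile*> attackers; // everything currently targeting this unit
};

// The hacky "(type)1" sentinel the issue describes for top-level units.
// It is non-null, so a plain null check lets it through, but it is not a valid object.
static Unit* const kBogusParent = reinterpret_cast<Unit*>(1);

// Defensive validity check: a pointer into the first page is never a real object.
// Constructed heuristic for this example; it catches the sentinel before any dereference.
bool isDereferenceable(const Unit* p) {
    return p != nullptr && reinterpret_cast<std::uintptr_t>(p) >= 4096;
}

// Buggy path: "does the emitter have a parent?" is answered with a null check only,
// so the sentinel is returned to the caller, whose next field access faults.
Unit* parentOfEmitterBuggy(const Missile& m) {
    Unit* p = m.emitter->parent;
    return p != nullptr ? p : nullptr;
}

// Fixed path: top-level units carry parent == nullptr, which the caller treats
// as "no commander to switch to" instead of an object to touch.
Unit* parentOfEmitterFixed(const Missile& m) {
    return m.emitter->parent;
}

// Replay the crash scenario and count attackers whose parent lookup would have been
// dereferenced unsafely (each one is a segfault in the real game).
int countUnsafeParentDerefs(bool useFix) {
    // Host-station is top-level: sentinel parent in the buggy build, nullptr in the fixed one.
    Unit hostStation{useFix ? nullptr : kBogusParent, 0, {}};
    // Our commander is already dead, so both surviving missiles were re-emitted from the station.
    Missile m1{&hostStation};
    Missile m2{&hostStation};
    Unit enemy{nullptr, 0, {&m1, &m2}};

    int unsafe = 0;
    for (Missile* m : enemy.attackers) {
        Unit* p = useFix ? parentOfEmitterFixed(*m) : parentOfEmitterBuggy(*m);
        if (p == nullptr) {
            continue;               // correctly handled: nothing to retarget to
        }
        if (!isDereferenceable(p)) {
            ++unsafe;               // the real code would read p->agro here and fault
            continue;
        }
        p->agro = 1;                // a real parent: safe to update
    }
    return unsafe;
}
```

Running `countUnsafeParentDerefs(false)` reports one unsafe dereference per live missile, which matches the report's "more missiles in flight, more chances to crash"; with the fix the host-station's parent is a genuine null and the loop simply skips it. The general lesson is that a sentinel that is distinguishable from null only by its numeric value defeats every `if (p)` check in the codebase, so either use null (and check for it) or keep a separate validity flag, as the original game's second pointer effectively does.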

goldstar611 commented 3 years ago

OH NO! The DEATH CACHE BUG is back!

KynikossDragonn commented 3 years ago

I haven't had this happen since that last commit that fixed the host station destruction segfault, so I think this case can be closed now.