
Found by fuzzer: minvent: 2 uncursed small globs of moldy pudding held by mon #44

Closed elunna closed 1 year ago

elunna commented 1 year ago
migrating minvent sanity obj 60c0010c2f40 minvent: 2 uncursed small globs of moldy pudding held by mon 61100034d180 (an orc shaman called Aizuruk of Ogothog)
Generating more information you may report:

[0] /lib/x86_64-linux-gnu/libasan.so.5(+0x6cd40) [0x7ffff75f8d40]
[1] /home/lunatunez/games/hackemdir/hackem(+0x4f95c6) [0x555555a4d5c6]
[2] /home/lunatunez/games/hackemdir/hackem(+0x4f94b9) [0x555555a4d4b9]
[3] /home/lunatunez/games/hackemdir/hackem(panic+0x6ab) [0x555555a542db]
[4] /home/lunatunez/games/hackemdir/hackem(impossible+0x2c8) [0x555555fac033]
[5] /home/lunatunez/games/hackemdir/hackem(+0x80f79b) [0x555555d6379b]
[6] /home/lunatunez/games/hackemdir/hackem(+0x81079b) [0x555555d6479b]
[7] /home/lunatunez/games/hackemdir/hackem(+0x80f33b) [0x555555d6333b]
[8] /home/lunatunez/games/hackemdir/hackem(obj_sanity_check+0x5ea) [0x555555d6268b]
[9] /home/lunatunez/games/hackemdir/hackem(sanity_check+0xd) [0x555555865440]
[10] /home/lunatunez/games/hackemdir/hackem(moveloop+0x6ebc) [0x555555767ae2]
[11] /home/lunatunez/games/hackemdir/hackem(main+0xdda) [0x5555563d7c54]
[12] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7ffff7365083]
[13] /home/lunatunez/games/hackemdir/hackem(_start+0x2e) [0x55555575eace]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7363859 in __GI_abort () at abort.c:79
#2  0x0000555555a4d4df in NH_abort () at end.c:236
#3  0x0000555555a542db in panic (str=0x5555565429e0 "%s") at end.c:802
#4  0x0000555555fac033 in impossible (
    s=0x7fffffffde10 "%s obj %s %s: %s held by mon %s (%s)") at pline.c:518
#5  0x0000555555d6379b in insane_object (obj=0x60c0010c2f40, 
    fmt=0x5555564f6b60 <ofmt0> "%s obj %s %s: %s", 
    mesg=0x7fffffffe080 "migrating minvent sanity", mon=0x61100034d180) at mkobj.c:2793
#6  0x0000555555d6479b in check_glob (obj=0x60c0010c2f40, 
    mesg=0x7fffffffe080 "migrating minvent sanity") at mkobj.c:2897
#7  0x0000555555d6333b in mon_obj_sanity (monlist=0x61100034da40, 
    mesg=0x5555564f6ea0 "migrating minvent sanity") at mkobj.c:2745
#8  0x0000555555d6268b in obj_sanity_check () at mkobj.c:2634
#9  0x0000555555865440 in sanity_check () at cmd.c:4856
#10 0x0000555555767ae2 in moveloop (resuming=0 '\000') at allmain.c:792
#11 0x00005555563d7c54 in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 0, 0, 140737335783280, 93824997446065, 335544320, 
            140737341046928, 1073741824, 0, 140737342793376, 4294967295, 140737337360384, 
            140737342776480, 9296769676823852032}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff7363859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0xffffffff, sa_sigaction = 0xffffffff}, 
          sa_mask = {__val = {140737337360384, 140737342776480, 9296769676823852032, 
              140737488343696, 140737342793376, 18446744073709547520, 140737327104000, 
              140737345462488, 140737488344768, 140737488344768, 140737344331794, 
              17592186042962, 140737488338944, 140737341046928, 9296769676823852032, 
              140737488344096}}, sa_flags = -1045072896, sa_restorer = 0x7fffffffd5e0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000555555a4d4df in NH_abort () at end.c:236
        gdb_prio = 1
        libc_prio = 2
        aborting = 1 '\001'
#3  0x0000555555a542db in panic (str=0x5555565429e0 "%s") at end.c:802
        the_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd6b0, 
            reg_save_area = 0x7fffffffd5e0}}
#4  0x0000555555fac033 in impossible (
    s=0x7fffffffde10 "%s obj %s %s: %s held by mon %s (%s)") at pline.c:518
        pbuf = "migrating minvent sanity obj 60c0010c2f40 minvent: 2 uncursed small globs of moldy pudding held by mon 61100034d180 (an orc shaman called Aizuruk of Ogothog)\000\000\000\020\224i\367\000\000\000\000\000\000\001\000\377\177\000\000\240\217BVUU\000\000\000\200c\366\377\177\000\000\240@~VUU\000\000"...
        the_args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffffffdda8, 
            reg_save_area = 0x7fffffffdcc0}}
#5  0x0000555555d6379b in insane_object (obj=0x60c0010c2f40, 
    fmt=0x5555564f6b60 <ofmt0> "%s obj %s %s: %s", 
    mesg=0x7fffffffe080 "migrating minvent sanity", mon=0x61100034d180) at mkobj.c:2793
        objnm = 0x5555567ea485 <obufs+1605> "2 uncursed small globs of moldy pudding"
        monnm = 0x5555567ea540 <obufs+1792> "an orc shaman called Aizuruk of Ogothog"
        altfmt = "%s obj %s %s: %s held by mon %s (%s)\000a\000\000\002\000\000\000\004", '\000' <repeats 19 times>, "\263\212\265A\000\000\000\000q.WVUU\000\000>\330\vVUU\000\000\000\337\377\377\377\177\000\000\377\377\377\377\377\177\000\000\000t\265\301\303\302\004\201\260\336\377\377\377\177\000\000\370\373\377\377\377\017\000\000\300\337\377\377\377\177\000\000\340\341\377\377\377\177\000\000\300\337\377\377\377\177", '\000' <repeats 11 times>, "\342\377\377\377\177\000\000߫b\367\377\177\000\000\240\337\377\377\377\177\000\000\000\254\b\001\300`\000\000(\000\000\000\060\000\000\000\260"...
#6  0x0000555555d6479b in check_glob (obj=0x60c0010c2f40, 
    mesg=0x7fffffffe080 "migrating minvent sanity") at mkobj.c:2897
        mesgbuf = "migrating minvent sanity\000tOVUU\000\000C>\326UUU\000\000\320\340\377\377\377\177\000\000\020\341\377\377\377\177\000\000\067\325\vVUU\000\000\340\221hVUU\000\000\260\342\377\377\004\000\000\000\360\340\377\377\377\177\000\000\375\322\vVUU\000\000\020\341\377\377\377\177\000\000\340\343\377\377\004\000\000\000\320\342\377\377\377\177\000\000\304\310\vVUU\000\000\004\000\000\000\000\000\000\000\064\374\377\377\004\000\000\000\263\212\265A\000\000\000\000\240+WVUU\000\000W\301\vVUU\000\000\000\226\227\002Pa\000\000\356z\000\000\000\000\000\000\000\211\351\001\020b\000\000H\000\000\000\000\000\000\000"...
        globbuf = " glob 349,quan=2,owt=40 \000\205OVUU\000\000@\342\377\377\377\177\000\000\316-\326UUU\000\000\000\000\000\000\000\000\000\000 nOVUU\000\000\020\341\377\377\a", '\000' <repeats 11 times>, "\200\230\227\002Pa\000\000\000\000\000\000\000\000\000\000\263\212\265A\000\000\000\000 pOVUU\000\000\307(\326UUU\000\000Iui\367\377\177\000"
#7  0x0000555555d6333b in mon_obj_sanity (monlist=0x61100034da40, 
    mesg=0x5555564f6ea0 "migrating minvent sanity") at mkobj.c:2745
        mon = 0x61100034d180
        obj = 0x60c0010c2f40
        mwep = 0x0
#8  0x0000555555d6268b in obj_sanity_check () at mkobj.c:2634
        x = 80
        y = 21
        obj = 0x0
#9  0x0000555555865440 in sanity_check () at cmd.c:4856
No locals.
#10 0x0000555555767ae2 in moveloop (resuming=0 '\000') at allmain.c:792
        moveamt = 9
        wtcap = 1
        change = 0
        monscanmove = 0 '\000'
        timeout_start = 33584
        past_clock = 26890
        elf_regen = 1 '\001'
        orc_regen = 1 '\001'
        vamp_regen = 1 '\001'
#11 0x00005555563d7c54 in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
        fd = -1
        dir = 0x0
        exact_username = 0 '\000'
        resuming = 0 '\000'
        plsel_once = 1 '\001'
elunna commented 1 year ago

Tried wishing for a glob of moldy pudding, then another, and they just globbed together. Created an orcish shaman, and gave them 2 globs (separately); they globbed together.

elunna commented 1 year ago

Saw it again — is this something to do with the named orcs?


Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7363859 in __GI_abort () at abort.c:79
#2  0x0000555555a4d4df in NH_abort () at end.c:236
#3  0x0000555555a542db in panic (str=0x5555565429e0 "%s") at end.c:802
#4  0x0000555555fac062 in impossible (
    s=0x7fffffffde10 "%s obj %s %s: %s held by mon %s (%s)") at pline.c:518
#5  0x0000555555d6379b in insane_object (obj=0x60c000e4bbc0, 
    fmt=0x5555564f6b60 <ofmt0> "%s obj %s %s: %s", 
    mesg=0x7fffffffe080 "migrating minvent sanity", mon=0x61100021cf40) at mkobj.c:2793
#6  0x0000555555d6479b in check_glob (obj=0x60c000e4bbc0, 
    mesg=0x7fffffffe080 "migrating minvent sanity") at mkobj.c:2897
#7  0x0000555555d6333b in mon_obj_sanity (monlist=0x611000219340, 
    mesg=0x5555564f6ea0 "migrating minvent sanity") at mkobj.c:2745
#8  0x0000555555d6268b in obj_sanity_check () at mkobj.c:2634
#9  0x0000555555865440 in sanity_check () at cmd.c:4856
#10 0x0000555555767ae2 in moveloop (resuming=0 '\000') at allmain.c:792
#11 0x00005555563d7c83 in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 0, 0, 140737335783280, 93824997446065, 335544320, 
            140737341046928, 1073741824, 0, 140737342793376, 4294967295, 140737337360384, 
            140737342776480, 9986303083300662528}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff7363859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0xffffffff, sa_sigaction = 0xffffffff}, 
          sa_mask = {__val = {140737337360384, 140737342776480, 9986303083300662528, 
              140737488343696, 140737342793376, 18446744073709547520, 140737327104000, 
              140737345462488, 140737488344768, 140737488344768, 140737344331794, 
              17592186042962, 140737488338944, 140737341046928, 9986303083300662528, 
              140737488344096}}, sa_flags = -1685705472, sa_restorer = 0x7fffffffd5e0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000555555a4d4df in NH_abort () at end.c:236
        gdb_prio = 1
        libc_prio = 2
        aborting = 1 '\001'
#3  0x0000555555a542db in panic (str=0x5555565429e0 "%s") at end.c:802
        the_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd6b0, 
            reg_save_area = 0x7fffffffd5e0}}
#4  0x0000555555fac062 in impossible (
    s=0x7fffffffde10 "%s obj %s %s: %s held by mon %s (%s)") at pline.c:518
        pbuf = "migrating minvent sanity obj 60c000e4bbc0 minvent: 3 uncursed small globs of blood pudding held by mon 61100021cf40 (an orc called Othaigor of Haiaithos)\000\000\000\002\000\000\000\377\377\377\377\000\000\000\000\000\000\001\000\000\000\000\000\240\216BVUU\000\000\000\000\000\000\000\000\000\000\240D~VUU\000\000"...
        the_args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffffffdda8, 
            reg_save_area = 0x7fffffffdcc0}}
#5  0x0000555555d6379b in insane_object (obj=0x60c000e4bbc0, 
    fmt=0x5555564f6b60 <ofmt0> "%s obj %s %s: %s", 
    mesg=0x7fffffffe080 "migrating minvent sanity", mon=0x61100021cf40) at mkobj.c:2793
        objnm = 0x5555567ea085 <obufs+581> "3 uncursed small globs of blood pudding"
        monnm = 0x5555567ea140 <obufs+768> "an orc called Othaigor of Haiaithos"
        altfmt = "%s obj %s %s: %s held by mon %s (%s)", '\000' <repeats 69 times>, "-\206\233\276y\226\212\000\000\000\000\000\000\000\000\370\373\377\377\377\017\000\000\300\337\377\377\377\177\000\000\340\341\377\377\377\177\000\000\300\337\377\377\377\177", '\000' <repeats 11 times>, "\342\377\377\377\177\000\000߫b\367\377\177", '\000' <repeats 11 times>, "\355\270\000\300`\000\000(\000\000\000\060\000\000\000\260"...
#6  0x0000555555d6479b in check_glob (obj=0x60c000e4bbc0, 
    mesg=0x7fffffffe080 "migrating minvent sanity") at mkobj.c:2897
        mesgbuf = "migrating minvent sanity\000tOVUU\000\000C>\326UUU", '\000' <repeats 217 times>
        globbuf = " glob 347,quan=3,owt=60 \000\340\377\377\377\177\000\000@\342\377\377\377\177\000\000\316-\326UUU\000\000\000\000\000\000\000\000\000\000 nOVUU\000\000\000\000\000\000\a", '\000' <repeats 27 times>, "\263\212\265A\000\000\000\000 pOVUU\000\000\307(\326UUU\000\000\000\000\000\000\000\000\000"
#7  0x0000555555d6333b in mon_obj_sanity (monlist=0x611000219340, 
    mesg=0x5555564f6ea0 "migrating minvent sanity") at mkobj.c:2745
        mon = 0x61100021cf40
        obj = 0x60c000e4bbc0
        mwep = 0x0
#8  0x0000555555d6268b in obj_sanity_check () at mkobj.c:2634
        x = 80
        y = 21
        obj = 0x0
#9  0x0000555555865440 in sanity_check () at cmd.c:4856
No locals.
#10 0x0000555555767ae2 in moveloop (resuming=0 '\000') at allmain.c:792
        moveamt = 12
        wtcap = 0
        change = 0
        monscanmove = 0 '\000'
        timeout_start = 25760
        past_clock = 365670
        elf_regen = 1 '\001'
        orc_regen = 1 '\001'
        vamp_regen = 1 '\001'
#11 0x00005555563d7c83 in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
        fd = -1
        dir = 0x0
        exact_username = 0 '\000'
        resuming = 0 '\000'
        plsel_once = 1 '\001'
elunna commented 1 year ago

In dokick.c, there is this function: deliver_obj_to_mon(mtmp, cnt, deliverflags)

Is this somehow delivering multiple globs to orcs? I double-checked the order of the puddings and globs; it seems fine.

elunna commented 1 year ago

Got another hit on this. Now seeing a pattern: a new glob type held by a named orc.

elunna commented 1 year ago

So far the globs involved have only been moldy, blood, and gel — not black or brown yet.

elunna commented 1 year ago

Commit 68353c691: Fix for issue #44. stolen_booty was not checking for the new globs of pudding before giving them to the orcish raiders in Orctown, so a multi-quantity stack of globs could be handed to a monster instead of being merged into a single glob.