Debian Bug report logs - #863536
doomsday: Segfaults when attempting to start new game

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Hans Joachim Desserud <debian@desserud.org>

To: submit@bugs.debian.org

Subject: doomsday: Segfaults when attempting to start new game

Date: Sun, 28 May 2017 11:35:42 +0200

Package: doomsday
Version: 1.15.8-4
Severity: important

Dear Maintainer,


Thanks for resolving 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847651. I no longer 
get a segfault at
startup, but I do see one when attempting to start a new
game:

^ : Starting music 'intro'
fluidsynth: warning: Failed to pin the sample data to RAM; swapping is 
possible.
fluidsynth: warning: Failed to pin the sample data to RAM; swapping is 
possible.
Game begins...

Episode: Knee-Deep In The Dead (Singleplayer)

S_StartMusic: Starting music 'e1m1'
Loading map "E1M1"...
Segmentation fault

So it looks like there might be more issues. I get similar
segfaults with both doom-shareware wad as well as freedoom.
I can navigate the menu and options fine, but it crashes
when attempting to start a new game.

It should be noted that I'm trying to run this in a VM, so
if I'm the only one who can reproduce this, I can dig
into whether it is related to the 3D graphics somehow.


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages doomsday depends on:
ii  doomsday-common           1.15.8-4
ii  doomsday-data             1.15.8-4
ii  libc6                     2.24-10
ii  libgcc1                   1:6.3.0-18
ii  libgl1-mesa-glx [libgl1]  13.0.6-1+b2
ii  libqt4-network            4:4.8.7+dfsg-11
ii  libqt4-opengl             4:4.8.7+dfsg-11
ii  libqtcore4                4:4.8.7+dfsg-11
ii  libqtgui4                 4:4.8.7+dfsg-11
ii  libsdl2-2.0-0             2.0.5+dfsg1-2
ii  libsdl2-mixer-2.0-0       2.0.1+dfsg1-1
ii  libstdc++6                6.3.0-18

Versions of packages doomsday recommends:
ii  fluid-soundfont-gm  3.1-5.1

doomsday suggests no packages.

-- no debconf information


-- 
mvh / best regards
Hans Joachim Desserud
http://desserud.org

Message #10 received at 863536@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>

To: 863536@bugs.debian.org, Hans Joachim Desserud <debian@desserud.org>

Subject: Re: doomsday: Segfaults when attempting to start new game

Date: Wed, 31 May 2017 20:12:00 +0200

[Message part 1 (text/plain, inline)]

Hello,
tried to reproduce the issue.

I think the problem is that in Cl_IsClientMobj the method maybeAs()
is called on a NULL pointer on mo->thinker.d.

With the attached patch the crash does not happen.

And this time I took the opportunity to play in
doom1-share.wad and doom2.wad (just short) and found
no more crashes.

Kind regards,
Bernhard





# gdb -q --args doomsday
(gdb) run
...
Loading map "E1M1"...

Thread 39 "CallbackThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff873a2700 (LWP 17501)]
0x00007ffff476492d in __dynamic_cast () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6


(gdb) bt
#0  0x00007ffff476492d in __dynamic_cast () at /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData>() (this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
#2  0x00005555555dc9bd in Cl_IsClientMobj(mobj_s const*) (mo=mo@entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
#3  0x00005555558828e0 in de::Thinkers::add(thinker_s&, bool) (this=0x7fff39c58690, th=..., makePublic=makePublic@entry=true) at src/world/thinkers.cpp:230
#4  0x0000555555861020 in P_MobjCreate(void (*)(void*), de::Vector3<double> const&, unsigned int, double, double, int) (function=0x7fffe1fc3940 <P_MobjThinker>, origin=..., angle=<optimized out>, radius=16, height=128, ddflags=536870912) at src/world/p_mobj.cpp:119
#5  0x000055555580555b in Mobj_CreateXYZ(thinkfunc_t, coord_t, coord_t, coord_t, angle_t, coord_t, coord_t, int) (function=<optimized out>, x=<optimized out>, y=<optimized out>, z=<optimized out>, angle=<optimized out>, radius=<optimized out>, height=<optimized out>, ddflags=<optimized out>) at src/world/api_map.cpp:1788
#6  0x00007fffe1fc3458 in P_SpawnMobjXYZ (type=type@entry=MT_MISC48, x=288, y=-3104, z=0, angle=1073741824, spawnFlags=536870919) at src/p_mobj.c:709
#7  0x00007fffe1fc385a in P_SpawnMobj (type=type@entry=MT_MISC48, pos=pos@entry=0x7fffe26625c0, angle=<optimized out>, spawnFlags=<optimized out>) at src/p_mobj.c:796
#8  0x00007fffe1f6b972 in spawnMapObjects () at ../common/src/p_mapsetup.cpp:593
#9  0x00007fffe1f6b972 in P_FinalizeMapChange(uri_s const*) (mapUri_=0x7fff873a1900) at ../common/src/p_mapsetup.cpp:894
#10 0x00005555558871c6 in de::WorldSystem::Instance::makeCurrent(de::Map*) (this=this@entry=0x555556e16b60, newMap=newMap@entry=0x7fff38423e50) at src/world/worldsystem.cpp:521
#11 0x0000555555889022 in de::WorldSystem::Instance::changeMap(MapDef*) (this=0x555556e16b60, mapDef=0x7fff383a08f0) at src/world/worldsystem.cpp:724
#12 0x000055555588965d in de::WorldSystem::Instance::changeMapWorker(void*) (context=<optimized out>) at src/world/worldsystem.cpp:744
#13 0x00007ffff7243f83 in CallbackThread::run() (this=0x555558ae1330) at src/concurrency.cpp:76
#14 0x00007ffff4d45daa in QThreadPrivate::start(void*) (arg=0x555558ae1330) at thread/qthread_unix.cpp:352
#15 0x00007ffff6509494 in start_thread (arg=0x7fff873a2700) at pthread_create.c:333
#16 0x00007ffff3f0693f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97


(gdb) up
#1  0x00005555555dc9bd in Thinker::IData::maybeAs<ClientMobjThinkerData> (this=<optimized out>) at ../libdoomsday/include/doomsday/world/thinker.h:135
135             DENG2_AS_IS_METHODS()
(gdb) 
#2  Cl_IsClientMobj (mo=mo@entry=0x7fffe2663cc0) at src/client/cl_mobj.cpp:214
214         if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, ClientMobjThinkerData))


(gdb) print mo
$3 = (const mobj_t *) 0x7fffe2663cc0
(gdb) print mo->thinker
$4 = {prev = 0x0, next = 0x0, function = 0x7fffe1fc3940 <P_MobjThinker>, _flags = 0, id = 0, d = 0x0}


#define THINKER_DATA_MAYBE(thinker, T)  (reinterpret_cast<Thinker::IData *>((thinker).d)->maybeAs<T>())


(gdb) print mo->thinker.d
$5 = (void *) 0x0


dd_bool Cl_IsClientMobj(mobj_t const *mo)
{
    if(ClientMobjThinkerData *data = THINKER_DATA_MAYBE(mo->thinker, ClientMobjThinkerData))
    {
        return data->hasRemoteSync();
    }
    return false;
}

[0001-Avoid-crash-when-mo-thinker.d-is-a-NULL-pointer.patch (text/x-patch, attachment)]

Message #15 received at 863536@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: Bernhard Übelacker <bernhardu@mailbox.org>

Cc: 863536@bugs.debian.org, Hans Joachim Desserud <debian@desserud.org>

Subject: Re: Bug#863536: doomsday: Segfaults when attempting to start new game

Date: Fri, 2 Jun 2017 00:45:01 +0200

[Message part 1 (text/plain, inline)]

Control: tags -1 pending

Am 31.05.2017 um 20:12 schrieb Bernhard Übelacker:
> Hello,
> tried to reproduce the issue.
> 
> I think the problem is that in Cl_IsClientMobj the method maybeAs()
> is called on a NULL pointer on mo->thinker.d.
> 
> With the attached patch the crash does not happen.
> 
> And this time I took the opportunity to play in
> doom1-share.wad and doom2.wad (just short) and found
> no more crashes.
> 
> Kind regards,
> Bernhard

Hi Bernhard,

thanks again for your patch! I have just uploaded a new revision.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Message #22 received at 863536-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 863536-close@bugs.debian.org

Subject: Bug#863536: fixed in doomsday 1.15.8-5

Date: Thu, 01 Jun 2017 23:04:33 +0000

Source: doomsday
Source-Version: 1.15.8-5

We believe that the bug you reported is fixed in the latest version of
doomsday, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863536@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated doomsday package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Jun 2017 23:42:23 +0200
Source: doomsday
Binary: doomsday doomsday-server doomsday-common doomsday-data
Architecture: source
Version: 1.15.8-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 doomsday   - enhanced version of the legendary DOOM game
 doomsday-common - enhanced version of the legendary DOOM game - common files
 doomsday-data - enhanced version of the legendary DOOM game - data files
 doomsday-server - enhanced version of the legendary DOOM game - server
Closes: 858333 863536
Changes:
 doomsday (1.15.8-5) unstable; urgency=medium
 .
   * Team upload.
   * Add mo-thinker-NULL-pointer.patch and fix another segfault.
     Thanks to Hans Joachim Desserud for the report and Bernhard Übelacker for
     the patch. (Closes: #863536)
   * Make the build reproducible. Thanks to Chris Lamb for the report and patch.
     (Closes: #858333)
Checksums-Sha1:
 69eede20c95c6531d8eff7401d715a700eab4dcd 3050 doomsday_1.15.8-5.dsc
 0fd41245503260051fa743d64794fe5c038484f6 17076 doomsday_1.15.8-5.debian.tar.xz
 28e46fa08ecac1d6080dc312c5f70167d572bc64 7440 doomsday_1.15.8-5_source.buildinfo
Checksums-Sha256:
 438c4c6f372d01f37f8703c7e319091779a61ba0cefd91fe4975d78848fb516b 3050 doomsday_1.15.8-5.dsc
 7b6ebc40a99c8a819247220c3e8296f825fc140d4c29aa16804883c3a4120322 17076 doomsday_1.15.8-5.debian.tar.xz
 cf11562dbd7829a2db3ee0cdd978e4fe14f10360bc498303b274fcb5d20a0416 7440 doomsday_1.15.8-5_source.buildinfo
Files:
 a941009ed7134e410133be88418b93df 3050 games optional doomsday_1.15.8-5.dsc
 e0e1866f83effc29b8c2f3b249067833 17076 games optional doomsday_1.15.8-5.debian.tar.xz
 af0a53d6e759c11f4ab6ed2fc4de9b65 7440 games optional doomsday_1.15.8-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlkwmHNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkrvgQAI8xdEwsan+38uc3EZ2efIRo1r9q6MFHeVkO
31bALe+O3fBhK1vdqwW/Ykx7Pq+3HAzanV07zZr0gbF+hS9M2O2cXo7UmzdzILkP
8xackaYiwFzUOSbFxzMd2kfgHyYBkuuQsPGc7hxNmZMfOo4wPkLbEuIXZCChom+L
pwNL+eqcaw200UmfMzcKm2zDYvat4PWLIwpgp71BiA/kqSlMN5oGhY/YiwsVNI/v
O+LQI7ob6W+z+r43t9GMDTYuTnzrakVa076n8B6PTuCg8Jl3vu2N8uAGNUastsez
hJ0oX9WvSzatBh0INdSj1GUcmjOLvTt58KXq7qXoghZpNqkGqeKN/R665KtUejTc
MNYDkzwPqIXUAjn0Z5n2lohOKM2LH/vUBtyFYOM1iJ3opKjjryZ6elLFuxb1ahbn
71Vr/7y3qLCXikcUFiCHoxue+R/kD+CFDxXgBDv60SkNaiMhMFhUKmB2Jim/792K
Cx2JQm8K5CU5Jidqd5uYSyxsRJH9/frN4uRg6aly5i0iYyeW2jil8Z0aBAIEOvUS
xOAhr3++lvvxadVS0LNs0Lya8YWu/wpUgkBNB+XE/HVZT6qa1TsboBOxLrdEU/hj
S729h2i04ufMOQ5g77c/Xq+a+DRGK9Jf3QEsF3i4jTXME4iW1l3YCDLifM9Ou+2i
PpGIXPqG
=UCii
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.