Crash while showing hit effect #420

Closed
jakwings opened this issue Jun 19, 2018 · 5 comments

Comments

@jakwings (Member)

The patch for the "on death" crash was applied. I guess hiteffect::DrawStep() doesn't check entity::Exists() at the right time (too late)? I was hitting a skeleton.

==5790==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800070e890 at pc 0x0001068a20be bp 0x7fff59362990 sp 0x7fff59362988
READ of size 8 at 0x61800070e890 thread T0
    #0 0x1068a20bd in entity::Exists() const (ivan:x86_64+0x1000080bd)
    #1 0x1073d0e48 in hiteffect::DrawStep() (ivan:x86_64+0x100b36e48)
    #2 0x1072e5ff8 in lsquare::DrawHitEffect() (ivan:x86_64+0x100a4bff8)
    #3 0x1072e5f0e in level::DrawHitEffects(int, int, int, int) const (ivan:x86_64+0x100a4bf0e)
    #4 0x1072e79d6 in level::Draw(bool) const (ivan:x86_64+0x100a4d9d6)
    #5 0x106c8857e in game::DrawEverythingNoBlit(bool) (ivan:x86_64+0x1003ee57e)
    #6 0x106c874aa in game::DrawEverything() (ivan:x86_64+0x1003ed4aa)
    #7 0x1068fb923 in character::GetPlayerCommand() (ivan:x86_64+0x100061923)
    #8 0x1068f7046 in character::Be() (ivan:x86_64+0x10005d046)
    #9 0x106b74f4a in pool::Be() (ivan:x86_64+0x1002daf4a)
    #10 0x106c855a5 in game::Run() (ivan:x86_64+0x1003eb5a5)
    #11 0x10739d65f in main (ivan:x86_64+0x100b0365f)
    #12 0x7fff891d95ac in start (libdyld.dylib:x86_64+0x35ac)

0x61800070e890 is located 16 bytes inside of 824-byte region [0x61800070e880,0x61800070ebb8)
freed by thread T0 here:
    #0 0x10833376b in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6776b)
    #1 0x106a11601 in werewolfhuman::~werewolfhuman() (ivan:x86_64+0x100177601)
    #2 0x106b75089 in pool::BurnHell() (ivan:x86_64+0x1002db089)
    #3 0x106c855af in game::Run() (ivan:x86_64+0x1003eb5af)
    #4 0x10739d65f in main (ivan:x86_64+0x100b0365f)
    #5 0x7fff891d95ac in start (libdyld.dylib:x86_64+0x35ac)

previously allocated by thread T0 here:
    #0 0x10833310b in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6710b)
    #1 0x1068c18a9 in sysbase<skeleton, humanoid, characterprototype>::Spawn(int, int) (ivan:x86_64+0x1000278a9)
    #2 0x106b04955 in characterprototype::Spawn(int, int) const (ivan:x86_64+0x10026a955)
    #3 0x106b7721e in protosystem::BalancedCreateMonster() (ivan:x86_64+0x1002dd21e)
    #4 0x1072d0d01 in level::GenerateNewMonsters(int, bool) (ivan:x86_64+0x100a36d01)
    #5 0x106c618aa in dungeon::PrepareLevel(int, bool) (ivan:x86_64+0x1003c78aa)
    #6 0x1070a7525 in game::EnterArea(std::__1::vector<character*, std::__1::allocator<character*> >&, int, int) (ivan:x86_64+0x10080d525)
    #7 0x1070a6a1a in game::TryTravel(int, int, int, bool, bool) (ivan:x86_64+0x10080ca1a)
    #8 0x107561abe in owterrain::Enter(bool) const (ivan:x86_64+0x100cc7abe)
    #9 0x106b3e570 in commandsystem::GoDown(character*) (ivan:x86_64+0x1002a4570)
    #10 0x1068fc18a in character::GetPlayerCommand() (ivan:x86_64+0x10006218a)
    #11 0x1068f7046 in character::Be() (ivan:x86_64+0x10005d046)
    #12 0x106b74f4a in pool::Be() (ivan:x86_64+0x1002daf4a)
    #13 0x106c855a5 in game::Run() (ivan:x86_64+0x1003eb5a5)
    #14 0x10739d65f in main (ivan:x86_64+0x100b0365f)
    #15 0x7fff891d95ac in start (libdyld.dylib:x86_64+0x35ac)

SUMMARY: AddressSanitizer: heap-use-after-free (ivan:x86_64+0x1000080bd) in entity::Exists() const
Shadow bytes around the buggy address:
  0x1c30000e1cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1ce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1cf0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x1c30000e1d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c30000e1d10: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1d20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1d30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1d50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c30000e1d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5790==ABORTING
DBGMSG:SIGNAL[6]='Abort trap: 6'
DBGMSG:SIGNAL[6]='Abort trap: 6'
DBGMSG:CurrentStackTrace:Begin >>--->
0   ivan                                0x0000000106c473b0 _ZN6dbgmsg20getCurrentStackTraceEbRi + 208
1   ivan                                0x0000000106c47817 _ZN6dbgmsg22getCurrentStackTraceSSEbb + 423
2   ivan                                0x0000000106c4f565 _ZN6dbgmsg8SigHndlrEi + 5477
3   libsystem_platform.dylib            0x00007fff8897b52a _sigtramp + 26
4   ???                                 0x00007fff593617e0 0x0 + 140734690105312
5   libsystem_c.dylib                   0x00007fff903be6df abort + 129
6   libclang_rt.asan_osx_dynamic.dylib  0x0000000108349736 _ZN11__sanitizer5AbortEv + 70
7   libclang_rt.asan_osx_dynamic.dylib  0x0000000108347d98 _ZN11__sanitizer3DieEv + 120
8   libclang_rt.asan_osx_dynamic.dylib  0x000000010832d376 _ZN6__asan19ScopedInErrorReportD2Ev + 294
9   libclang_rt.asan_osx_dynamic.dylib  0x000000010832cc23 _ZN6__asan18ReportGenericErrorEmmmmbmjb + 355
10  libclang_rt.asan_osx_dynamic.dylib  0x000000010832d936 __asan_report_load8 + 54
11  ivan                                0x00000001068a20be _ZNK6entity6ExistsEv + 62
12  ivan                                0x00000001073d0e49 _ZN9hiteffect8DrawStepEv + 985
13  ivan                                0x00000001072e5ff9 _ZN7lsquare13DrawHitEffectEv + 105
14  ivan                                0x00000001072e5f0f _ZNK5level14DrawHitEffectsEiiii + 303
15  ivan                                0x00000001072e79d7 _ZNK5level4DrawEb + 6519
16  ivan                                0x0000000106c8857f _ZN4game20DrawEverythingNoBlitEb + 4287
17  ivan                                0x0000000106c874ab _ZN4game14DrawEverythingEv + 11
18  ivan                                0x00000001068fb924 _ZN9character16GetPlayerCommandEv + 452
19  ivan                                0x00000001068f7047 _ZN9character2BeEv + 4679
20  ivan                                0x0000000106b74f4b _ZN4pool2BeEv + 155
21  ivan                                0x0000000106c855a6 _ZN4game3RunEv + 3798
22  ivan                                0x000000010739d660 main + 3552
23  libdyld.dylib                       0x00007fff891d95ad start + 1
DBGMSG:CurrentStackTrace:End   <---<<
$ cat ~/.ivan/.Crash.pid5790.dbgmsg.log
 game.cpp:395:PrepareToClearNonVisibleSquaresAround:(ReachedHere)
My config:
DefaultName = "";
FantasyNamePattern = "!ss !sV";
DefaultPetName = "Tofu";
AutoSaveInterval = 100;
AltAdentureInfo = 1;
BeNice = 1;
HoldPosMaxDist = 6;
MemorizeEquipmentMode = 2;
WarnAboutVeryDangerousMonsters = 1;
AutoDropLeftOvers = 0;
SmartOpenCloseApply = 1;
CenterOnPlayerAfterLook = 1;
ShowGodInfo = 1;
ShowMapAtDetectMaterial = 1;
GoOnStopMode = 0;
WaitNeutralsMoveAway = 0;
Contrast = 100;
WindowWidth = 800;
WindowHeight = 600;
GraphicsScale = 1;
FullScreenMode = 0;
ScalingQuality = 0;
LookZoom = 1;
XBRZScale = 0;
XBRZSquaresAroundPlayer = 3;
SilhouetteScale = 1;
AltSilhouette = 1;
AltSilhouettePreventColorGlitch = 1;
AltListItemPos = 2;
AltListItemWidth = 652;
StackListPageLength = 12;
DungeonGfxScale = 3;
OutlinedGfx = 0;
FrameSkip = 0;
ShowItemsAtPlayerSquare = 0;
RotateTimesPerSquare = 0;
HitIndicator = 4;
ShowMap = 2;
PlaySounds = 1;
Volume = 127;
MIDIOutputDevice = 1;
DirectionKeyMap = 2;
SaveGameSortMode = 0;
ShowTurn = 0;
ShowFullDungeonName = 1;
SelectedBkgColor = "8,8,8";
AllowImportOldSavegame = 0;
SavegameSafely = 1;
HideWeirdHitAnimationsThatLookLikeMiss = 1;
GenerateDefinesValidator = 1;
@AquariusPower (Contributor) commented Jun 19, 2018

Will take a look, thanks!

PS: I need to prepare that dbgmsg lib; it will help, I guess, but we need to get a stack trace for Windows too or it will not help that much... :/

@AquariusPower (Contributor)

As the effect is played after things have happened, if you are playing fast like me you will see hit effects from previous hits still playing. That is so that playing the effects does not slow the game down, so they keep showing for at most 3 s after they happened, mostly visible during autoplay in wiz mode, w/o xBRZ for dungeon/aroundPlayer.

I hardened the code; now it validates characters and items using the consistency list at game::Search...().

Fixed at #401.
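The two passages above (the ASan report showing entity::Exists() read through a pointer that pool::BurnHell() had already freed, and the fix that validates characters against the owner's consistency list before using them) describe a classic use-after-free pattern. The following is an added example, not code from IVAN or from either commenter: a hypothetical pool, entity and hit effect that reproduce the shape of the bug, plus a hardened DrawStep() that asks the owner first. The names pool, entity, Search, Kill, BurnHell, hiteffect_unsafe and hiteffect_safe are stand-ins; the generation counter is an extra guard that the issue does not describe.

```cpp
// Added example (not IVAN's code). Shows why checking a member on a
// dangling pointer is itself the use-after-free, and how validating the
// pointer against the owner's live set avoids touching freed memory.
#include <algorithm>
#include <cstdint>
#include <memory>
#include <unordered_set>
#include <vector>

class entity {
 public:
  explicit entity(std::uint64_t gen) : gen_(gen) {}
  // Reading this through a pointer to a freed object is exactly the
  // heap-use-after-free ASan reported in entity::Exists().
  bool Exists() const { return exists_; }
  void MarkDead() { exists_ = false; }
  std::uint64_t Generation() const { return gen_; }
 private:
  bool exists_ = true;
  std::uint64_t gen_;
};

// Hypothetical owner of every live entity and the only place that deletes one.
class pool {
 public:
  entity* Spawn() {
    owned_.push_back(std::make_unique<entity>(++next_gen_));
    entity* e = owned_.back().get();
    live_.insert(e);
    return e;
  }
  // "On death": the character is flagged but stays allocated until BurnHell().
  void Kill(entity* e) {
    e->MarkDead();
    hell_.push_back(e);
  }
  // Frees everything flagged. Any raw pointer still held elsewhere now dangles.
  void BurnHell() {
    for (entity* e : hell_) {
      live_.erase(e);  // unregister BEFORE freeing, so Search() never vouches for dead memory
      owned_.erase(std::remove_if(owned_.begin(), owned_.end(),
                                  [e](const std::unique_ptr<entity>& p) { return p.get() == e; }),
                   owned_.end());
    }
    hell_.clear();
  }
  // Consistency check (stand-in for the game::Search...() the fix mentions):
  // is this address currently a live, registered entity?
  bool Search(const entity* e) const { return live_.count(e) != 0; }
 private:
  std::uint64_t next_gen_ = 0;
  std::unordered_set<const entity*> live_;
  std::vector<std::unique_ptr<entity>> owned_;
  std::vector<entity*> hell_;
};

// Shape of the crashing code: the effect only asks the pointee.
// After BurnHell() this read is a use-after-free no matter what Exists() held.
struct hiteffect_unsafe {
  entity* target;
  bool DrawStep() const { return target->Exists(); }
};

// Hardened shape: ask the owner first, then compare the generation captured
// when the effect was created, so an address the allocator recycled for a
// NEW entity is not mistaken for the original target.
struct hiteffect_safe {
  entity* target;
  std::uint64_t gen;
  explicit hiteffect_safe(entity* t) : target(t), gen(t->Generation()) {}
  bool DrawStep(const pool& p) const {
    if (!p.Search(target)) return false;            // freed or never registered: stop drawing
    if (target->Generation() != gen) return false;  // same address, different entity
    return target->Exists();                        // safe: the owner vouches for the pointer
  }
};

// Walks through hit -> death -> BurnHell -> respawn and records whether the
// hardened effect still tries to draw at each step.
struct demo_result { bool before_kill; bool after_kill; bool after_burn; bool after_reuse; };

demo_result RunDemo() {
  pool p;
  entity* skeleton = p.Spawn();   // constructed sample target, like the skeleton in the report
  hiteffect_safe fx(skeleton);
  demo_result r{};
  r.before_kill = fx.DrawStep(p);  // true: alive and registered
  p.Kill(skeleton);
  r.after_kill = fx.DrawStep(p);   // false: still allocated, but Exists() == false
  p.BurnHell();
  r.after_burn = fx.DrawStep(p);   // false: pointer rejected before any dereference
  p.Spawn();                       // may land on the same address as the freed skeleton
  r.after_reuse = fx.DrawStep(p);  // false: either unregistered or generation mismatch
  return r;
}
```

Two caveats a reviewer would raise against an address-keyed registry on its own: the owner must erase the entry before the object is freed (otherwise Search() can vouch for dead memory), and the allocator can hand the same address to a later Spawn(), which is why the example also compares a generation stamp rather than trusting the address alone. Run under ASan (-fsanitize=address) the unsafe variant would produce the same heap-use-after-free report as the one pasted in this issue; the safe variant never dereferences a rejected pointer.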

@jakwings (Member, Author)

Crashed a few times around material*HitEffect*character*bodypart, so I decided to paste the crash log here (hitting a snake):

DBGMSG:SIGNAL[11]='Segmentation fault: 11'
DBGMSG:SIGNAL[11]='Segmentation fault: 11'
DBGMSG:CurrentStackTrace:Begin >>--->
0   ivan                                0x0000000103d48c90 _ZN6dbgmsg20getCurrentStackTraceEbRi + 208
1   ivan                                0x0000000103d490f7 _ZN6dbgmsg22getCurrentStackTraceSSEbb + 423
2   ivan                                0x0000000103d50e45 _ZN6dbgmsg8SigHndlrEi + 5477
3   libsystem_platform.dylib            0x00007fff8897b52a _sigtramp + 26
4   ???                                 0x00000000004234b0 0x0 + 4338864
5   libclang_rt.asan_osx_dynamic.dylib  0x000000010541d54f __asan_memcpy + 1215
6   ivan                                0x00000001039a899e _ZNK6square6GetPosEv + 254
7   ivan                                0x00000001044a248f _ZN8material6EffectEP9characteril + 3023
8   ivan                                0x00000001044a3fb9 _ZN8material9HitEffectEP9characterP8bodypart + 1065
9   ivan                                0x00000001042e2b15 _ZN11meleeweapon9HitEffectEP9characterS1_2v2iib + 2341
10  ivan                                0x00000001042f4a86 _ZN7slowaxe9HitEffectEP9characterS1_2v2iib + 1046
11  ivan                                0x00000001039f2e35 _ZN9character9HitEffectEPS_P4item2v2iiibbi + 1317
12  ivan                                0x00000001039e7ff7 _ZN9character7TakeHitEPS_P4itemP8bodypart2v2ddiiibb + 20711
13  ivan                                0x00000001042b8377 _ZN3arm3HitEP9character2v2ii + 1911
14  ivan                                0x0000000103b89a79 _ZN8humanoid3HitEP9character2v2ii + 2905
15  ivan                                0x0000000103a0eae5 _ZN9character7TryMoveE2v2bbPb + 6053
16  ivan                                0x00000001039fbde8 _ZN9character16GetPlayerCommandEv + 2168
17  ivan                                0x00000001039f6e57 _ZN9character2BeEv + 4679
18  ivan                                0x0000000103c7682b _ZN4pool2BeEv + 155
19  ivan                                0x0000000103d86de6 _ZN4game3RunEv + 3798
20  ivan                                0x000000010449f1da main + 3914
21  libdyld.dylib                       0x00007fff891d95ad start + 1
DBGMSG:CurrentStackTrace:End   <---<<

$ cat ~/.ivan/.Crash.pid23987.dbgmsg.log
 graphics.cpp:505:PrepareBuffer:{bOk}="0";

@AquariusPower (Contributor) commented Jun 21, 2018

Could you paste here the output of:
cat ~/.ivan/.Crash.pid23987.dbgmsg.log |grep hiteffect |tail -n 100

I spawned 30+ snakes; they hit me, I hit them (with a pickaxe, or hand, or other weapons), all hit effects shown, no crashes, using your cfg file.
EDIT: It is probably a specific condition, and it may be clear in the log; if not I will have to guess or add more log spots :)
I let it autoplay but it didn't crash.

But I am still trying to track based on that stack.

@jakwings (Member, Author)

Hasn't occurred again since merging #401 :^)
