random crash when clicking on a destination

[hussam]

I'm getting a random crash (three times in last week). it happens when I am walking somewhere then I click on an area in a different direction. instead of changing direction, the client crashed. it has only happened once in GP, once in Ida and once in MM.

 

 

(gdb) bt full
#0  0x081103af in pf_add_tile_to_open_list (current=0x9dd95968, neighbour=0x9dd95950) at pathfinder.c:136
       idx = 6
       parent_idx = 2
       parent = 0x9dd97d68
#1  0x08110b3d in pf_find_path (x=92, y=215) at pathfinder.c:194
       me = 0x15613350
       i = 147456
       attempts = 4
#2  0x080f6595 in move_to (x=92, y=215, try_pathfinder=1) at multiplayer.c:208
       me = 0x15613350
       str = ">\b\265\327B"
#3  0x080b2980 in click_game_handler (win=0xa686ed8, mx=358, my=158, flags=67108864) at gamewin.c:957
       x = 92
       y = 215
       flag_alt = 0
       flag_ctrl = 0
       flag_right = 0
       force_walk = 0
       range_weapon_equipped = 0
#4  0x080a446d in click_in_window (win_id=1, x=358, y=158, flags=67108864) at elwindows.c:1541
       time = 3120747
       win = 0xa686ed8
       mx = 358
       my = 158
       W = 0x0
       ret_val = 0
       scroll_pos = 0
#5  0x080a0b3b in click_in_windows (mx=358, my=158, flags=67108864) at elwindows.c:211
       done = 0
       id = -2
       next_id = 0
       first_win = -1
---Type <return> to continue, or q <return> to quit---
       i = 1
       cm_try_activate = 0
#6  0x080a98ac in HandleEvent (event=0xbfbd24a0) at events.c:298
       done = 0
       mouse_delta_x = 0
       mouse_delta_y = 0
       key = 0
       flags = 67108864
#7  0x080e8679 in start_rendering () at main.c:165
       event = {type = 5 '\005', active = {type = 5 '\005', gain = 0 '\000', state = 1 '\001'}, key = {
           type = 5 '\005', which = 0 '\000', state = 1 '\001', keysym = {scancode = 102 'f', 
             sym = SDLK_UNKNOWN, mod = KMOD_NONE, unicode = 0}}, motion = {type = 5 '\005', 
           which = 0 '\000', state = 1 '\001', x = 358, y = 158, xrel = 0, yrel = 0}, button = {
           type = 5 '\005', which = 0 '\000', button = 1 '\001', state = 1 '\001', x = 358, y = 158}, 
         jaxis = {type = 5 '\005', which = 0 '\000', axis = 1 '\001', value = 358}, jball = {
           type = 5 '\005', which = 0 '\000', ball = 1 '\001', xrel = 358, yrel = 158}, jhat = {
           type = 5 '\005', which = 0 '\000', hat = 1 '\001', value = 1 '\001'}, jbutton = {
           type = 5 '\005', which = 0 '\000', button = 1 '\001', state = 1 '\001'}, resize = {
           type = 5 '\005', w = 10355046, h = 0}, expose = {type = 5 '\005'}, quit = {type = 5 '\005'}, 
         user = {type = 5 '\005', code = 10355046, data1 = 0x0, data2 = 0x0}, syswm = {type = 5 '\005', 
           msg = 0x9e0166}}
       done = 0
       network_thread_data = {0xae3d6f0, 0x8491d58}
       last_frame_and_command_update = 3133820
       network_thread = 0xadb2898
       message_queue = 0xae3d6f0
#8  0x080e8f7d in main (argc=1, argv=0xbfbd2584) at main.c:446
No locals.

[Grum]

Can't reproduce it, valgrind's not complaining either.

 

It also crashes in a weird spot: line 136 is

PF_TILE *parent = pf_open.tiles[parent_idx];

According to gdb, parent_idx = 2, so it's not accessing outside the pf_open.tiles array. parent is not NULL (in fact it seems to refer to the tile two rows down in the y direction from current, that looks valid), so it's not choking on the next statement either, I think.

 

Just what sort of crash is it? Segmentation fault?

[hussam]

A freeze so I typed gdb -p `pidof el.x86.linux.bin` then bt full and posted the output.

[Alberich]

I think there is a small bug in the pf_open list which could lead on very rare conditions to this bug.

 

--- a/pathfinder.c
+++ b/pathfinder.c
@@ -72,6 +72,7 @@
	{
		int i, j;
		PF_TILE *tmp = pf_open.tiles[0] = pf_open.tiles[pf_open.count];
+		tmp->open_pos = 0;

		i = 0;
		while ( (j = 2*i + 1) < pf_open.count )

[Grum]

I think there is a small bug in the pf_open list which could lead on very rare conditions to this bug.

 

--- a/pathfinder.c
+++ b/pathfinder.c
@@ -72,6 +72,7 @@
	{
		int i, j;
		PF_TILE *tmp = pf_open.tiles[0] = pf_open.tiles[pf_open.count];
+		tmp->open_pos = 0;

		i = 0;
		while ( (j = 2*i + 1) < pf_open.count )

Ouch, you're correct, that's a bug, and it would be very hard to hit. I'm not exactly sure how this would lead to a freeze, though, but let's first fix this.