2019-12-10 13:53 EST


ID: 0002339
Project: FSSCP
Category: SEXPs
View Status: public
Last Update: 2010-11-29 05:28
Reporter: Echelon9
Assigned To: Echelon9
Priority: normal
Severity: crash
Reproducibility: sometimes
Status: resolved
Resolution: fixed
Product Version: 3.6.13
Target Version:
Fixed in Version: 3.6.13
Summary: 0002339: Intermittent crashes in add_sexps
Description: I have intermittently been experiencing crashes on OS X, with a stack trace as below.

Reason: KERN_INVALID_ADDRESS at address: 0x1b34fff8
0x0031ad55 in add_sexps (n=1850) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:3510
3510 if ( Sexp_nodes[CAR(n)].value == SEXP_NAN )

Caused because CAR(1850) resolves to -1, which then crashes when -1 is used as an index into the Sexp_nodes array.

(gdb) print Sexp_nodes[1850]
$1 = {
  text = "10", '\0' <repeats 29 times>,
  op_index = -2,
  type = 1073741826,
  subtype = 2,
  first = -1,
  rest = 1851,
  value = -32765,
  flags = 1
}
(gdb) print Sexp_nodes[1850].first
$2 = -1
(gdb) print Sexp_nodes[-1]
Cannot access memory at address 0x1b34ffc4

Reliably occurs in first mission of Apotheosis from BP:WiH and other missions occasionally.
Additional Information:
(gdb) bt
#0 0x0031ad55 in add_sexps (n=1850) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:3510
#1 0x00301a68 in eval_sexp (cur_node=1849, referenced_node=-1) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:17778
#2 0x002ff998 in eval_sexp (cur_node=1852, referenced_node=-1) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:17761
#3 0x00313159 in sexp_modify_variable (n=1848) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:22719
#4 0x00301ef8 in eval_sexp (cur_node=1847, referenced_node=-1) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:17999
#5 0x0031a0b4 in eval_when (n=1795, use_arguments=0) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:7426
#6 0x0030220c in eval_sexp (cur_node=1791, referenced_node=-1) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/parse/sexp.cpp:18172
#7 0x001e9d80 in mission_process_event (event=49) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/mission/missiongoals.cpp:913
#8 0x001eb512 in mission_eval_goals () at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/mission/missiongoals.cpp:1062
#9 0x00046eb5 in game_simulation_frame () at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/freespace2/freespace.cpp:4226
#10 0x0004897b in game_frame (paused=0) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/freespace2/freespace.cpp:4663
#11 0x0004900a in game_do_frame () at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/freespace2/freespace.cpp:5098
#12 0x000491f6 in game_do_state (state=2) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/freespace2/freespace.cpp:6889
#13 0x000fb52d in gameseq_process_events () at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/gamesequence/gamesequence.cpp:407
#14 0x00045cb6 in game_main (cmdline=0x2514e00 "") at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/freespace2/freespace.cpp:7465
#15 0x00045e52 in SDL_main (argc=1, argv=0x200a3e0) at /Users/*/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode/../../code/freespace2/freespace.cpp:7614
Tags: No tags attached.
Attached Files:
  • mantis2239-add_sexps_fix.patch (1,397 bytes) 2010-11-20 22:40
    Index: code/parse/sexp.cpp
    ===================================================================
    --- code/parse/sexp.cpp	(revision 6759)
    +++ code/parse/sexp.cpp	(working copy)
    @@ -3500,25 +3500,25 @@
     	int	sum = 0, val;
     
     	if (n != -1) {
    -		if ( CAR(n) != -1)
    +		if ( CAR(n) != -1) {
     			sum = eval_sexp( CAR(n) );
    +			// be sure to check for the NAN value when doing arithmetic -- this value should
    +			// get propagated to the next highest function.
    +			if ( Sexp_nodes[CAR(n)].value == SEXP_NAN )
    +				return SEXP_NAN;
    +			else if ( Sexp_nodes[CAR(n)].value == SEXP_NAN_FOREVER )
    +				return SEXP_NAN_FOREVER;
    +		}
     		else
     			sum = atoi( CTEXT(n) );
     
    -		// be sure to check for the NAN value when doing arithmetic -- this value should
    -		// get propagated to the next highest function.
    -		if ( Sexp_nodes[CAR(n)].value == SEXP_NAN )
    -			return SEXP_NAN;
    -		else if ( Sexp_nodes[CAR(n)].value == SEXP_NAN_FOREVER )
    -			return SEXP_NAN_FOREVER;
    -
     		while (CDR(n) != -1) {
     			val = eval_sexp( CDR(n) );
     			// be sure to check for the NAN value when doing arithmetic -- this value should
     			// get propagated to the next highest function.
     			if ( Sexp_nodes[CDR(n)].value == SEXP_NAN )
     				return SEXP_NAN;
    -			else if ( Sexp_nodes[CAR(n)].value == SEXP_NAN_FOREVER )
    +			else if ( Sexp_nodes[CDR(n)].value == SEXP_NAN_FOREVER )
     				return SEXP_NAN_FOREVER;
     			sum += val;
     			n = CDR(n);
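Review bot: the `CAR(n)` to `CDR(n)` change in the loop's `SEXP_NAN_FOREVER` test is a second, independent bug fix and deserves its own line in the commit message: the old test read the wrong node's value, and inside the loop `CAR(n)` is -1 for every leaf argument, so it was another `Sexp_nodes[-1]` read waiting to happen. The moved block is the right fix for the reported crash: the removed lines indexed `Sexp_nodes[CAR(n)]` on the `else` path as well, where `CAR(n)` is -1 and the value comes from `atoi( CTEXT(n) )` rather than from a child node, which is exactly the `Sexp_nodes[-1]` access in the description; inside the `if ( CAR(n) != -1 )` block the index is always a live child, and the leaf path has no child `.value` to check. Since `Sexp_nodes` is indexed with raw `int` handles at several sites in this hunk alone, an assertion that the index is non-negative at those sites would turn any future regression into a clean assertion failure rather than an intermittent invalid-address crash.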
    


Notes

~0012475

Echelon9 (developer)

Last edited: 2010-11-20 15:19

mission_process_event (event=49)
-----
(gdb) print Mission_events[49]
$9 = {
  name = "change to subspace", '\0' <repeats 13 times>,
  formula = 1791,
  result = 0,
  repeat_count = 1,
  trigger_count = 1,
  interval = 1,
  timestamp = 0,
  score = 0,
  chain_delay = -1,
  flags = 0,
  objective_text = 0x0,
  objective_key_text = 0x0,
  count = 0,
  satisfied_time = 0,
  born_on_date = 0,
  team = -1
}

eval_sexp (cur_node=1791, referenced_node=-1)
-----
(gdb) print Sexp_nodes[1791]
$10 = {
  text = "when", '\0' <repeats 27 times>,
  op_index = 146,
  type = 2,
  subtype = 1,
  first = -1,
  rest = 1795,
  value = 0,
  flags = 1
}

eval_when (n=1795, use_arguments=0)
-----
(gdb) print Sexp_nodes[1795]
$8 = {
  text = '\0' <repeats 31 times>,
  op_index = -2,
  type = 1,
  subtype = 0,
  first = 1792,
  rest = 1798,
  value = -32765,
  flags = 1
}

eval_sexp (cur_node=1847, referenced_node=-1)
-----
(gdb) print Sexp_nodes[1847]
$7 = {
  text = "modify-variable", '\0' <repeats 16 times>,
  op_index = 324,
  type = 2,
  subtype = 1,
  first = -1,
  rest = 1848,
  value = -32765,
  flags = 1
}

sexp_modify_variable (n=1848)
-----
(gdb) print Sexp_nodes[1848]
$6 = {
  text = "10", '\0' <repeats 29 times>,
  op_index = -2,
  type = 1073741826,
  subtype = 2,
  first = -1,
  rest = 1852,
  value = -32765,
  flags = 1
}

eval_sexp (cur_node=1852, referenced_node=-1)
-----
(gdb) print Sexp_nodes[1852]
$5 = {
  text = '\0' <repeats 31 times>,
  op_index = -2,
  type = 1,
  subtype = 0,
  first = 1849,
  rest = -1,
  value = -32765,
  flags = 1
}

eval_sexp (cur_node=1849, referenced_node=-1)
-----
(gdb) print Sexp_nodes[1849]
$4 = {
  text = "+", '\0' <repeats 30 times>,
  op_index = 0,
  type = 2,
  subtype = 1,
  first = -1,
  rest = 1850,
  value = -32765,
  flags = 1
}

add_sexps (n=1850)
-----
(gdb) print Sexp_nodes[1850]
$13 = {
  text = "10", '\0' <repeats 29 times>,
  op_index = -2,
  type = 1073741826,
  subtype = 2,
  first = -1,
  rest = 1851,
  value = -32765,
  flags = 1
}

(gdb) print Sexp_variables[10]
$15 = {
  type = 784,
  text = "400", '\0' <repeats 28 times>,
  variable_name = "sunsize", '\0' <repeats 24 times>
}
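As an added illustration (not code from the report or from fs2open), a small C model of the node chain dumped above, with the pre-patch and patched add_sexps shapes side by side; every node read goes through a bounds-checked accessor, so the Sexp_nodes[-1] read from the description is counted instead of faulting. The sentinel values, the "nan" operator and the node layout are constructed assumptions, as is the simplified eval_sexp.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of fs2open's Sexp_nodes with only the fields the crash involves.
 * The sentinel values and the node layout below are constructed for this example. */
#define SEXP_NAN         (-32765)
#define SEXP_NAN_FOREVER (-32764)
#define NUM_SEXP_NODES   6
typedef struct { const char *text; int first, rest, value; } sexp_node;
#define CAR(n)   (Sexp_nodes[n].first)
#define CDR(n)   (Sexp_nodes[n].rest)
#define CTEXT(n) (Sexp_nodes[n].text)
/* Nodes 2,3,4 mirror Sexp_nodes[1849..1851] of the report: "+" with a leaf first argument. */
static sexp_node Sexp_nodes[NUM_SEXP_NODES] = {
    /*0*/ { "nan", -1, -1, 0 },  /* constructed operator that evaluates to SEXP_NAN */
    /*1*/ { "",     0, -1, 0 },  /* list node wrapping node 0 as a sub-expression */
    /*2*/ { "+",   -1,  3, 0 },  /* operator node; its rest is the argument list */
    /*3*/ { "400", -1,  4, 0 },  /* leaf argument (first == -1), like Sexp_nodes[1850] */
    /*4*/ { "5",   -1, -1, 0 },  /* second leaf argument */
    /*5*/ { "7",   -1,  1, 0 },  /* leaf argument followed by the NAN sub-expression */
};
static int Oob_reads;  /* index faults that the real engine turns into a crash */
static int node_value(int i) { if (i < 0 || i >= NUM_SEXP_NODES) { Oob_reads++; return 0; } return Sexp_nodes[i].value; }
/* Sentinel stored at node i, or 0 when the node holds an ordinary number. */
static int nan_at(int i) { int v = node_value(i); return (v == SEXP_NAN || v == SEXP_NAN_FOREVER) ? v : 0; }
static int add_sexps_fixed(int n);
/* Model of eval_sexp: a list node evaluates its CAR, "+" dispatches to add_sexps. */
static int eval_sexp(int cur) {
    int v = (CAR(cur) != -1) ? eval_sexp(CAR(cur))
          : !strcmp(CTEXT(cur), "+") ? add_sexps_fixed(CDR(cur))
          : !strcmp(CTEXT(cur), "nan") ? SEXP_NAN : atoi(CTEXT(cur));
    return Sexp_nodes[cur].value = v;
}
static int add_rest(int n, int sum) {  /* the summation loop from the hunk, shared below */
    for (; CDR(n) != -1; n = CDR(n)) {
        int val = eval_sexp(CDR(n)), nan = nan_at(CDR(n));
        if (nan) return nan;
        sum += val;
    }
    return sum;
}
/* Pre-patch shape: tests Sexp_nodes[CAR(n)] even on the leaf path where CAR(n) == -1. */
static int add_sexps_unpatched(int n) {
    int sum = (CAR(n) != -1) ? eval_sexp(CAR(n)) : atoi(CTEXT(n)), nan = nan_at(CAR(n));
    return nan ? nan : add_rest(n, sum);
}
/* Patched shape: the sentinel test only runs when there is a child node to index. */
static int add_sexps_fixed(int n) {
    int sum, nan = 0;
    if (CAR(n) != -1) { sum = eval_sexp(CAR(n)); nan = nan_at(CAR(n)); }
    else sum = atoi(CTEXT(n));
    return nan ? nan : add_rest(n, sum);
}
```

Calling add_sexps_unpatched(3) sums to 405 but bumps Oob_reads once for the Sexp_nodes[-1] read; add_sexps_fixed(3) gives the same sum with no fault, and add_sexps_fixed(5) still propagates SEXP_NAN from the sub-expression argument.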

~0012476

Echelon9 (developer)

With assistance from The_E, proposed patch attached.

~0012481

Goober5000 (administrator)

Good catch. I believe this patch will do the job.

~0012483

Echelon9 (developer)

I'm going to post this on the SCP internal and get a few more eyes over it.

As we're patching one of the most fundamental SEXPs (the '+' operator) it could do with some comprehensive testing.

~0012491

Echelon9 (developer)

Fixed in r6795

Issue History
Date Modified Username Field Change
2010-11-18 05:46 Echelon9 New Issue
2010-11-18 06:05 Echelon9 Category graphics => scripting
2010-11-18 06:05 Echelon9 Description Updated
2010-11-18 06:11 Echelon9 Description Updated
2010-11-20 15:05 Echelon9 Summary Intermittent crashes around ade_obj<vec3d> / std::vector<light*, SCP_vm_allocator<light*> > => Intermittent crashes around sexp_modify_variable, eval_sexp and add_sexps
2010-11-20 15:05 Echelon9 Description Updated
2010-11-20 15:05 Echelon9 Additional Information Updated
2010-11-20 15:08 Echelon9 Description Updated
2010-11-20 15:08 Echelon9 Additional Information Updated
2010-11-20 15:13 Echelon9 Note Added: 0012475
2010-11-20 15:13 Echelon9 Reproducibility random => sometimes
2010-11-20 15:13 Echelon9 Category scripting => SEXPs
2010-11-20 15:19 Echelon9 Note Edited: 0012475
2010-11-20 15:21 Echelon9 Description Updated
2010-11-20 22:03 Echelon9 Description Updated
2010-11-20 22:40 Echelon9 File Added: mantis2239-add_sexps_fix.patch
2010-11-20 22:41 Echelon9 Note Added: 0012476
2010-11-20 22:42 Echelon9 Status new => assigned
2010-11-20 22:42 Echelon9 Assigned To => Echelon9
2010-11-22 05:04 Goober5000 Note Added: 0012481
2010-11-22 05:23 Echelon9 Note Added: 0012483
2010-11-22 06:27 Echelon9 Summary Intermittent crashes around sexp_modify_variable, eval_sexp and add_sexps => Intermittent crashes in add_sexps
2010-11-22 06:27 Echelon9 Status assigned => confirmed
2010-11-29 05:28 Echelon9 Note Added: 0012491
2010-11-29 05:28 Echelon9 Status confirmed => resolved
2010-11-29 05:28 Echelon9 Fixed in Version => 3.6.13
2010-11-29 05:28 Echelon9 Resolution open => fixed