View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002862 | FSSCP | Pilot data | public | 2013-05-01 23:20 | 2013-05-04 23:23 |
Reporter | FUBAR-BDHR | Assigned To | Echelon9 | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 3.7.0 RC1 | ||||
Summary | 0002862: Crash exiting game from command briefing on newly created pilot | ||||
Description | Trying to test 2859 I ran into this issue. Running the debug exe doesn't seem to give you the error just the windows error sound. Running from the debugger in VS2008 I get the following along with a breakpoint window: HEAP[fs2_open_3_6_19-DEBUG.exe]: Invalid Address specified to RtlValidateHeap( 03DA0000, 09BDE548 ) Windows has triggered a breakpoint in fs2_open_3_6_19-DEBUG.exe. This may be due to a corruption of the heap, which indicates a bug in fs2_open_3_6_19-DEBUG.exe or any of the DLLs it has loaded. This may also be due to the user pressing F12 while fs2_open_3_6_19-DEBUG.exe has focus. The output window may have more diagnostic information. | ||||
Steps To Reproduce | Run the launcher and set to no mod and apply. From inside VS start the FS2_Open debug exe from the debugger (example right click on freespace2->debug-start new instance) Create new pilot Close the help tip window Go straight to the campaign. When the mission is done loading and the briefing text/voice starts hit esc to go back to the main hall. Hit esc again to exit the game. Switch to show output from debug, output tab and wait for the crash | ||||
Additional Information | This only seems to happen with newly created pilots the first time into the campaign. Going back in with an already created pilot even the one that just caused the issue does not result in the issue. Call stack: ntdll.dll!7c90120e() [Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll] ntdll.dll!7c96ee31() ntdll.dll!7c96f26e() ntdll.dll!7c962fe0() kernel32.dll!7c85fa1f() > fs2_open_3_6_19-DEBUG.exe!_CrtIsValidHeapPointer(const void * pUserData=0x09bde568) Line 2103 C++ fs2_open_3_6_19-DEBUG.exe!_free_dbg_nolock(void * pUserData=0x09bde568, int nBlockUse=1) Line 1317 + 0x9 bytes C++ fs2_open_3_6_19-DEBUG.exe!_free_dbg(void * pUserData=0x09bde568, int nBlockUse=1) Line 1258 + 0xd bytes C++ fs2_open_3_6_19-DEBUG.exe!_vm_free(void * ptr=0x09bde568, char * filename=0x0115670c, int line=45) Line 1864 + 0xb bytes C++ fs2_open_3_6_19-DEBUG.exe!cutscene_close() Line 45 + 0x1f bytes C++ fs2_open_3_6_19-DEBUG.exe!doexit(int code=1, int quick=0, int retcaller=0) Line 591 C fs2_open_3_6_19-DEBUG.exe!exit(int code=1) Line 412 + 0xd bytes C fs2_open_3_6_19-DEBUG.exe!__tmainCRTStartup() Line 272 C fs2_open_3_6_19-DEBUG.exe!WinMainCRTStartup() Line 182 C kernel32.dll!7c81776f() Autos: _crtheap 0x03da0000 void * pUserData 0x09bde568 const void * From cutscene_close()in cutscene.cpp - cut {filename=0x043c3e90 "intro.mve" name=0x043c3eb0 "Introduction" description=0x09bde568 "îþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþ " ...} std::_Vector_iterator<cutscene_info,SCP_vm_allocator<cutscene_info> > - ptr {filename=0x043c3e90 "intro.mve" name=0x043c3eb0 "Introduction" description=0x09bde568 "îþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþ " ...} cutscene_info + filename 0x043c3e90 "intro.mve" char [32] + name 0x043c3eb0 "Introduction" char [32] + description 0x09bde568 
"îþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþ " char * cd 2 int viewable true bool | ||||
Tags | No tags attached. | ||||
|
From my testing, you don't need to enter the mission briefing, it occurs if you exit from the mainhall straight after creating a new pilot. This was also reported: *** glibc detected *** ./fs2_open_3.6.19_DEBUG_9664: double free or corruption (!prev): 0x0000000003a05b30 *** I wonder if this is similar to 0002601. |
|
Yup, this is a double free. AddressSanitizer reports it as:

```text
ERROR: AddressSanitizer: attempting double-free on 0x608000074520 in thread T0:
    #0 0x1053d1e7a in wrap_free (in libclang_rt.asan_osx_dynamic.dylib) + 58
    #1 0x1025f5ef0 in _vm_free stubs.cpp:689
    #2 0x1008742c6 in cutscene_close cutscenes.cpp:45
    #3 0x7fff92ccc30a in __cxa_finalize (in libsystem_c.dylib) + 203
    #4 0x7fff92ccdf56 in exit (in libsystem_c.dylib) + 14
    #5 0x1000026e7 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:303
    #6 0x7fff8fc3bed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #7 0x7fff91ce9e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #8 0x7fff8c67e55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #9 0x7fff8c67e295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #10 0x7fff8c67b481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #11 0x7fff8c67b07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #12 0x7fff91d0370a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #13 0x7fff91d0356c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #14 0x7fff90c4b077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #15 0x7fff90c4aed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #16 0x7fff90c4ad98 in aeProcessAppleEvent (in AE) + 317
    #17 0x7fff8ec71708 in AEProcessAppleEvent (in HIToolbox) + 99
    #18 0x7fff8c677865 in _DPSNextEvent (in AppKit) + 1455
    #19 0x7fff8c676e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #20 0x7fff8c66e1d2 in -[NSApplication run] (in AppKit) + 516
    #21 0x1000047d2 in CustomApplicationMain SDLMain.m:227
    #22 0x10000423f in main SDLMain.m:377
    #23 0x100001393 in start (in FS2_Open (debug)) + 51
    #24 0x0 in 0x0

0x608000074520 is located 0 bytes inside of 88-byte region [0x608000074520,0x608000074578)
freed by thread T0 here:
    #0 0x1053d1e7a in wrap_free (in libclang_rt.asan_osx_dynamic.dylib) + 58
    #1 0x1025f5ef0 in _vm_free stubs.cpp:689
    #2 0x1008742c6 in cutscene_close cutscenes.cpp:45
    #3 0x7fff92ccc30a in __cxa_finalize (in libsystem_c.dylib) + 203
    #4 0x7fff92ccdf56 in exit (in libsystem_c.dylib) + 14
    #5 0x1000026e7 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:303
    #6 0x7fff8fc3bed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #7 0x7fff91ce9e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #8 0x7fff8c67e55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #9 0x7fff8c67e295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #10 0x7fff8c67b481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #11 0x7fff8c67b07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #12 0x7fff91d0370a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #13 0x7fff91d0356c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #14 0x7fff90c4b077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #15 0x7fff90c4aed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #16 0x7fff90c4ad98 in aeProcessAppleEvent (in AE) + 317
    #17 0x7fff8ec71708 in AEProcessAppleEvent (in HIToolbox) + 99
    #18 0x7fff8c677865 in _DPSNextEvent (in AppKit) + 1455
    #19 0x7fff8c676e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #20 0x7fff8c66e1d2 in -[NSApplication run] (in AppKit) + 516
    #21 0x1000047d2 in CustomApplicationMain SDLMain.m:227
    #22 0x10000423f in main SDLMain.m:377
    #23 0x100001393 in start (in FS2_Open (debug)) + 51
    #24 0x0 in 0x0

previously allocated by thread T0 here:
    #0 0x1053d1e05 in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 53
    #1 0x1025f3f98 in _vm_malloc stubs.cpp:571
    #2 0x1025f52e5 in _vm_strdup stubs.cpp:640
    #3 0x10087482c in cutscene_init cutscenes.cpp:89
    #4 0x101ea6b22 in init_new_pilot managepilot.cpp:141
    #5 0x1010e095b in player_select_process_input playermenu.cpp:1061
    #6 0x1010de018 in player_select_do playermenu.cpp:416
    #7 0x100305708 in game_do_state freespace.cpp:6655
    #8 0x100900728 in gameseq_process_events gamesequence.cpp:405
    #9 0x10030bc26 in game_main freespace.cpp:7034
    #10 0x10030d2c4 in SDL_main freespace.cpp:7168
    #11 0x100002673 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #12 0x7fff8fc3bed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #13 0x7fff91ce9e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #14 0x7fff8c67e55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #15 0x7fff8c67e295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #16 0x7fff8c67b481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #17 0x7fff8c67b07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #18 0x7fff91d0370a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #19 0x7fff91d0356c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #20 0x7fff90c4b077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #21 0x7fff90c4aed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #22 0x7fff90c4ad98 in aeProcessAppleEvent (in AE) + 317
    #23 0x7fff8ec71708 in AEProcessAppleEvent (in HIToolbox) + 99
    #24 0x7fff8c677865 in _DPSNextEvent (in AppKit) + 1455
    #25 0x7fff8c676e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #26 0x7fff8c66e1d2 in -[NSApplication run] (in AppKit) + 516
    #27 0x1000047d2 in CustomApplicationMain SDLMain.m:227
    #28 0x10000423f in main SDLMain.m:377
    #29 0x100001393 in start (in FS2_Open (debug)) + 51
==46809==ABORTING
```
|
|
fix-mantis-2862.patch (508 bytes)
Index: code/cutscene/cutscenes.cpp =================================================================== --- code/cutscene/cutscenes.cpp (revision 9668) +++ code/cutscene/cutscenes.cpp (working copy) @@ -41,8 +41,10 @@ void cutscene_close() { for(SCP_vector<cutscene_info>::iterator cut = Cutscenes.begin(); cut != Cutscenes.end(); ++cut) - if(cut->description) + if(cut->description != NULL) { vm_free(cut->description); + cut->description = NULL; + } } // initialization stuff for cutscenes |
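Review bot: the `cut->description = NULL;` added inside the loop makes cutscene_close() safe to run a second time, but the hunk leaves the reason it runs twice untouched: the sanitizer trace above shows the second free arriving from __cxa_finalize()/exit(), and the allocation coming from cutscene_init() via init_new_pilot(), so cutscene_close() appears to be registered as an exit handler while cutscene_init() is re-run for each new pilot; the idempotent free hides that rather than fixing it, and a short comment on the function saying it must be idempotent because it is reachable from an exit handler would stop a later cleanup from removing the NULL assignment. Consider also a `Cutscenes.clear();` after the loop so stale entries (with a freed filename/name still attached) do not survive into a later re-init.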
|
This patch will at least fix the crash, but we should consider the broader use of any calls to atexit() and what they are doing. |
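To illustrate the pattern the patch relies on, here is an added example written for this page (not the project's code): descriptions are freed and nulled so a cutscene_close() reached again from an atexit() handler after an explicit shutdown is a no-op, and init registers that handler only once even when it is re-run for a new pilot. The struct layout, the vm_strdup stand-in, the fixed-size table and its two entries are all constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for the engine's cutscene_info (constructed, not the project's). */
typedef struct { char *description; } cutscene_info; /* heap-owned string */
#define MAX_CUTSCENES 8
static cutscene_info Cutscenes[MAX_CUTSCENES];
static int Num_cutscenes = 0;
static int Close_registrations = 0; /* atexit() handlers added so far */
static char *vm_strdup(const char *s) /* stand-in for the engine's helper */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Frees every description and returns how many were actually released.
 * Nulling the pointer after free is the patch's fix: when the atexit()
 * handler runs after an explicit shutdown call, the second pass finds
 * nothing left to free instead of freeing the same block twice. */
int cutscene_free_descriptions(void)
{
    int freed = 0;
    for (int i = 0; i < Num_cutscenes; i++) {
        if (Cutscenes[i].description != NULL) {
            free(Cutscenes[i].description);
            Cutscenes[i].description = NULL;
            freed++;
        }
    }
    return freed;
}

static void cutscene_close(void) { (void)cutscene_free_descriptions(); }
/* Builds a constructed two-entry table and registers cutscene_close() with
 * atexit() only once, so re-running init for a new pilot neither leaks the
 * old strings nor stacks exit handlers. Returns entry count, -1 on OOM. */
int cutscene_init(void)
{
    static const char *const names[] = { "intro.mve", "ending.mve" };
    cutscene_free_descriptions(); /* drop strings from a previous init */
    Num_cutscenes = 0;
    for (int i = 0; i < 2; i++) {
        if ((Cutscenes[i].description = vm_strdup(names[i])) == NULL)
            return -1;
        Num_cutscenes++;
    }
    if (Close_registrations == 0 && atexit(cutscene_close) == 0)
        Close_registrations = 1;
    return Num_cutscenes;
}
```

Calling cutscene_free_descriptions() twice in a row returns the entry count and then 0, which is exactly the behaviour the patched cutscene_close() needs when the exit handler fires after an explicit close.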
|
Interesting, the patch stopped that particular error, but now I get a different crash-on-exit instead (only after creating a new pilot):

```text
#0 malloc_consolidate(av = 0x7ffff5c4c720) at malloc.c:4251
#1 malloc_consolidate(av = 0x7ffff5c4c720) at malloc.c:4226
#2 _int_free(av = 0x7ffff5c4c720, p = <optimised out>, have_lock = 0) at malloc.c:4157
#3 _vm_free(ptr = 0x2ffa260, filename = 0x94afea "parse/parselo.cpp", line = 1991) at windows_stub/stubs.cpp:689
#4 stop_parse() at parse/parselo.cpp:1991
#5 __run_exit_handlers(status = 0, listp = 0x7ffff5c4c688, run_list_atexit = true) at exit.c:78
#6 __GI_exit(status = <optimised out>) at exit.c:100
#7 __libc_start_main(main = 0x416fe5 <main(int, char**)>, argc = 1, ubp_av = 0x7fffffffe2a8, init = <optimised out>, fini = <optimised out>, rtld_fini = <optimised out>, stack_end = 0x7fffffffe298) at libc-start.c:258
#8 _start() at :0
```

Seems to randomly occur when either freeing Mission_text or Mission_text_raw. Both the vm_free's of these vars already check for NULL & set NULL after the vm_free. |
|
Have not been able to reproduce. Perhaps open another report if you can provide steps to reliably trigger it? |
|
Fix committed to trunk@9672. |
Date Modified | Username | Field | Change |
---|---|---|---|
2013-05-01 23:20 | FUBAR-BDHR | New Issue | |
2013-05-02 08:26 | niffiwan | Note Added: 0015017 | |
2013-05-02 08:26 | niffiwan | Assigned To | => niffiwan |
2013-05-02 08:26 | niffiwan | Status | new => confirmed |
2013-05-02 08:28 | niffiwan | Assigned To | niffiwan => |
2013-05-02 08:31 | niffiwan | Note Edited: 0015017 | |
2013-05-02 11:25 | Echelon9 | Note Added: 0015019 | |
2013-05-02 11:48 | Echelon9 | File Added: fix-mantis-2862.patch | |
2013-05-02 11:49 | Echelon9 | Note Added: 0015021 | |
2013-05-02 11:49 | Echelon9 | Assigned To | => FUBAR-BDHR |
2013-05-02 11:49 | Echelon9 | Status | confirmed => code review |
2013-05-04 02:22 | niffiwan | Note Added: 0015026 | |
2013-05-04 06:28 | Echelon9 | Summary | Crash exiting game from command brieifing on newly created pilot => Crash exiting game from command briefing on newly created pilot |
2013-05-04 06:39 | Echelon9 | Note Added: 0015031 | |
2013-05-04 23:23 | Echelon9 | Assigned To | FUBAR-BDHR => Echelon9 |
2013-05-04 23:23 | Echelon9 | Status | code review => assigned |
2013-05-04 23:23 | Echelon9 | Changeset attached | => fs2open trunk r9672 |
2013-05-04 23:23 | Echelon9 | Note Added: 0015033 | |
2013-05-04 23:23 | Echelon9 | Status | assigned => resolved |
2013-05-04 23:23 | Echelon9 | Resolution | open => fixed |