MantisBT - Zandronum
View Issue Details
ID: 0002275
Project: Zandronum
Category: [All Projects] Bug
View Status: public
Date Submitted: 2015-05-30 06:23
Last Update: 2024-01-29 15:39
Reporter: President People
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Apple
OS: Mac OS X
OS Version: 10.4-10.7
Product Version: 2.0
Target Version: 3.1
Fixed in Version: 3.1
0002275: Crash when selecting Random class after enabling Multiplayer
Seems to happen with any class mod. Example provided.

*** Fatal Error ***
Address not mapped to object (signal 11)
Address: 0x635b6370
1. Enable multiplayer either by typing "Multiplayer" in console, or adding and then removing a bot.
2. Leave the game either by typing "Spectate" in console, or using Spectate in the Multiplayer menu.
3. Rejoin the game either by pressing fire and selecting the Random class, or choosing Random class in the Player preferences, and typing "Join" in console.
4. Reward yourself either by eating a Whopper, or eating a Big Mac.
No tags attached.
Attached file: RandomClassCrash.pk3 (309) 2015-05-30 06:23
https://zandronum.com/tracker/file_download.php?file_id=1516&type=bug
Issue History
2015-05-30 06:23 | President People | New Issue
2015-05-30 06:23 | President People | File Added: RandomClassCrash.pk3
2015-05-30 07:20 | Edward-san | Note Added: 0012459
2015-05-30 07:43 | Edward-san | Note Edited: 0012459 (bug_revision_view_page.php?bugnote_id=12459#r7219)
2015-05-30 07:44 | Edward-san | Status: new => confirmed
2015-05-30 12:12 | Edward-san | Note Added: 0012465
2015-05-30 12:12 | Edward-san | Note Edited: 0012465 (bug_revision_view_page.php?bugnote_id=12465#r7221)
2024-01-29 15:39 | Ru5tK1ng | Note Added: 0023032
2024-01-29 15:39 | Ru5tK1ng | Status: confirmed => resolved
2024-01-29 15:39 | Ru5tK1ng | Resolution: open => fixed
2024-01-29 15:39 | Ru5tK1ng | Fixed in Version: => 3.1
2024-01-29 15:39 | Ru5tK1ng | Target Version: => 3.1

Notes
(0012459) Edward-san, 2015-05-30 07:20 (edited on: 2015-05-30 07:43)
I can reproduce the crash in 3.0, not in 2.0.

Anyways, valgrind reported some issues before crashing:


==2778== Invalid read of size 8
==2778== at 0x7623F3: P_SpawnPlayer(FPlayerStart*, int, int) (p_mobj.cpp:5342)
==2778== by 0x67701F: G_CooperativeSpawnPlayer(unsigned long, bool, bool) (g_game.cpp:2559)
==2778== by 0x694BBE: GAMEMODE_SpawnPlayer(unsigned long, bool) (gamemode.cpp:662)
==2778== by 0x677570: G_DoReborn(int, bool) (g_game.cpp:2704)
==2778== by 0x6741A4: G_Ticker() (g_game.cpp:1332)
==2778== by 0x652B42: TryRunTics() (d_net.cpp:1922)
==2778== by 0x648DDB: D_DoomLoop() (d_main.cpp:1353)
==2778== by 0x64CCA2: D_DoomMain() (d_main.cpp:3198)
==2778== by 0x5D0004: main (i_main.cpp:366)
==2778== Address 0x15fefb80 is 7,584 bytes inside a block of size 16,384 free'd
==2778== at 0x4C2C83C: operator delete[](void*) (vg_replace_malloc.c:538)
==2778== by 0xA1765E: FPatchTexture::Unload() (patchtexture.cpp:184)
==2778== by 0x7C3493: FSoftwareRenderer::PrecacheTexture(FTexture*, int) (r_swrenderer.cpp:104)
==2778== by 0xA2091D: FTextureManager::PrecacheLevel() (texturemanager.cpp:1247)
==2778== by 0x783429: P_SetupLevel(char*, int) (p_setup.cpp:4565)
==2778== by 0x6830C0: G_DoLoadLevel(int, bool) (g_level.cpp:1442)
==2778== by 0x681192: G_InitNew(char const*, bool) (g_level.cpp:566)
==2778== by 0x680BC9: G_DoNewGame() (g_level.cpp:332)
==2778== by 0x674251: G_Ticker() (g_game.cpp:1366)
==2778== by 0x652B42: TryRunTics() (d_net.cpp:1922)
==2778== by 0x648DDB: D_DoomLoop() (d_main.cpp:1353)
==2778== by 0x64CCA2: D_DoomMain() (d_main.cpp:3198)
==2778==
==2778== Invalid read of size 8
==2778== at 0x61BB9A: GetDefaultByType(PClass const*) (actor.h:611)
==2778== by 0x7625C4: P_SpawnPlayer(FPlayerStart*, int, int) (p_mobj.cpp:5378)
==2778== by 0x67701F: G_CooperativeSpawnPlayer(unsigned long, bool, bool) (g_game.cpp:2559)
==2778== by 0x694BBE: GAMEMODE_SpawnPlayer(unsigned long, bool) (gamemode.cpp:662)
==2778== by 0x677570: G_DoReborn(int, bool) (g_game.cpp:2704)
==2778== by 0x6741A4: G_Ticker() (g_game.cpp:1332)
==2778== by 0x652B42: TryRunTics() (d_net.cpp:1922)
==2778== by 0x648DDB: D_DoomLoop() (d_main.cpp:1353)
==2778== by 0x64CCA2: D_DoomMain() (d_main.cpp:3198)
==2778== by 0x5D0004: main (i_main.cpp:366)
==2778== Address 0x919291869167679f is not stack'd, malloc'd or (recently) free'd
==2778==


Analyzing that, I found out that in p_mobj.cpp, line 5322, 'type' becomes -1, leading to 'p->CurrentPlayerClass' = -1 in line 5336, and hence 'PlayerClasses' is accessed with index -1 at line 5342, giving 'p->cls' a very random value, leading to the crash later in line 5378 while trying to access 'p->cls' inside the GetDefaultByType call.

[edit] 'SinglePlayerClass[consoleplayer]' is -1 in the function PLAYER_JoinGameFromSpectators in p_user.cpp, line 3060+:


    // [BB] In single player, allow the player to switch its class when changing from spectator to player.
    if ( ( NETWORK_GetState( ) == NETSTATE_SINGLE ) || ( NETWORK_GetState( ) == NETSTATE_SINGLE_MULTIPLAYER ) )
        SinglePlayerClass[consoleplayer] = players[consoleplayer].userinfo.GetPlayerClassNum();

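The note above traces the crash to a class index of -1 (the menu's "Random class" sentinel) being stored in the per-player class slot and later used to index PlayerClasses, so 'p->cls' receives whatever bytes sit before the array. The C below is an added illustration written for this page, not Zandronum's code: the class table, the PLAYERCLASS_RANDOM sentinel, the resolve_player_class / get_player_class / join_game_with_class functions and the rng_state argument are all constructed stand-ins for the engine's PlayerClasses, SinglePlayerClass and GetPlayerClassNum. It shows the defensive pattern that prevents this class of out-of-bounds read: resolve the sentinel into a real index at the point where the value is consumed, and reject anything outside the table instead of indexing with it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the engine's player-class table (not Zandronum code). */
typedef struct {
    const char *name;
} PlayerClassInfo;

static const PlayerClassInfo PlayerClasses[] = {
    { "Fighter" }, { "Cleric" }, { "Mage" }
};
static const size_t NumPlayerClasses = sizeof PlayerClasses / sizeof PlayerClasses[0];

/* Assumed sentinel for "Random class", mirroring the -1 observed in the note.
 * It is a request, not a table index, and must never be stored as one. */
#define PLAYERCLASS_RANDOM (-1)

/* Turn the requested class into a valid table index.
 * Returns 0 and writes *out on success; returns -1 and leaves *out untouched
 * for any value that is neither the random sentinel nor a real class index.
 * rng_state is a constructed stand-in for the engine's random source. */
int resolve_player_class(int requested, unsigned rng_state, size_t *out)
{
    if (requested == PLAYERCLASS_RANDOM) {
        /* Random selection happens here, so the stored value is always in range. */
        *out = (size_t)(rng_state % NumPlayerClasses);
        return 0;
    }
    if (requested < 0 || (size_t)requested >= NumPlayerClasses)
        return -1;                     /* reject instead of indexing out of bounds */
    *out = (size_t)requested;
    return 0;
}

/* Bounds-checked table access: the consumer side of the same invariant.
 * With the unchecked &PlayerClasses[-1] from the note, this is where the
 * garbage pointer would have been produced. */
const PlayerClassInfo *get_player_class(size_t index)
{
    return index < NumPlayerClasses ? &PlayerClasses[index] : NULL;
}

/* Models the join-from-spectators path: the class number taken from the
 * player's userinfo is resolved before it is stored in the per-player slot.
 * Returns the stored index, or -1 if the request was invalid. */
int join_game_with_class(int userinfo_class, unsigned rng_state)
{
    size_t idx;
    if (resolve_player_class(userinfo_class, rng_state, &idx) != 0)
        return -1;
    return (int)idx;
}

int main(void)
{
    int requests[] = { 1, PLAYERCLASS_RANDOM, 3, -2 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int stored = join_game_with_class(requests[i], 7u);
        const PlayerClassInfo *cls = stored >= 0 ? get_player_class((size_t)stored) : NULL;
        printf("request %2d -> stored %2d -> %s\n", requests[i], stored,
               cls ? cls->name : "(rejected)");
    }
    return 0;
}
```

The point of the split is that the random sentinel is consumed in exactly one place (resolve_player_class), so every later reader of the stored index, including the table lookup, only ever sees a value that has already been range-checked. The lookup still checks its argument, because a second check at the consumer is what turns a logic slip elsewhere into a clean NULL rather than a read from an arbitrary address.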

(0012465) Edward-san, 2015-05-30 12:12
Never mind, it happens also in 2.0, same thing.

(0023032) Ru5tK1ng, 2024-01-29 15:39
This was fixed in 3.1.