|
Notes |
(0001318)
zesstra
2009-09-27 18:36
|
Just some first comments:
- output on stdout/stderr and maybe the debug.log might help as well.
- additional information about your platform and environment and configuration might help.
- the two backtraces are very different. But it may well be that there is a common memory corruption as root cause. For example, the address give to print_svalue() in the second crash (0xb7) nearly certainly wrong and maybe already the one given to f_write() - but where did it come from? But I guess, we won't find it by stacktraces alone, so...
- please consider disabling the optimization for some time, because it severely limits debugging and think about adding -ggdb3 to your compiler options if you use gcc/gdb.
- If not already active, please enable the following configuration options in your driver and recompile: --enable-malloc-check, --enable-malloc-trace, --enable-malloc-lpc-trace, --enable-trace-code, --enable-debug.
- please enable core files on your system and archive the _exact_ executable that produced the core along with it.
- if the crashes occur regularly: do you recognize any common thing prior to the crashes? Reproducing the issue would of course be best. ;-)
|
|
(0001347)
favoretti
2009-09-29 14:48
|
I have core + executable for you, for the rest I'll need to recompile the driver and then wait for it to crash again (which can take a week or so).
Cores are about 2G, where do you want them upped? |
|
(0001348)
favoretti
2009-09-29 15:48
|
Attached stderr, stdout logs.
Platform: debian lenny 64-bit, 6G RAM.
Configuration is the same as you've seen in that XML bug I've reported earlier. But just in case, in your trunk under settings/bat.
Pasteing here as well:
#!/bin/sh
#
# Settings for the BatMUD
#
# configure will strip this part from the script.
exec ./configure --prefix=/bat --with-setting=bat $*
exit 1
# --- The actual settings ---
#
# mudlib compatibility etc options
#
with_portno=1234
with_max_players=1000
with_master_name=secure/master
with_input_escape="@"
enable_erq=erq
enable_use_mysql=1
enable_malloc_sbrk=no
enable_use_parse_command=yes
enable_compat_mode=no
enable_strict_euids=no
enable_use_deprecated=yes
enable_use_alists=yes
enable_use_pcre=yes
enable_use_xml=xml2
with_time_to_reset=3600
with_time_to_clean_up=7200
enable_use_structs=yes
enable_use_tls=no
with_alarm_time=1
with_heart_beat_interval=3
#
# debug
#
enable_malloc_trace=0
enable_malloc_lpc_trace=0
enable_trace_code=no
enable_debug=no
enable_debug_telnet=no
# /debug
enable_malloc_check=no
with_malloc=smalloc
#
# performance options
#
with_optimize=med
enable_use_pthreads=yes
#no swapping
with_time_to_swap=0
with_time_to_swap_variables=0
# 1/5 of distinct strings
with_htable_size=274566
with_itable_size=16384
# 1/4 of objects
with_otable_size=32768
with_evaluator_stack_size=3000
with_compiler_stack_size=600
with_max_user_trace=120
with_max_trace=125
with_hard_malloc_limit=0
with_max_cost=25000000
with_catch_reserved_cost=150000
with_max_array_size=50000
with_max_mapping_keys=100000
with_max_mapping_size=150000
with_max_bits=20000
with_read_file_max_size=100000
# preallocation
with_min_malloced=671088640
with_min_small_malloced=536870912 |
|
(0001349)
favoretti
2009-09-29 15:49
|
So far, in both cases executables were linked against:
batmud64:/bat/mudlib/crash-20090923-231937# ldd ldmud
linux-vdso.so.1 => (0x00007fff3dbff000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1735710000)
libm.so.6 => /lib/libm.so.6 (0x00007f173548d000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f1735255000)
libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00007f1734fee000)
libmysqlclient.so.15 => /usr/lib/libmysqlclient.so.15 (0x00007f1734be3000)
libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00007f1734887000)
libc.so.6 => /lib/libc.so.6 (0x00007f1734534000)
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00007f1735a36000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f1734318000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007f1734101000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f1733efd000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1735928000) |
|
(0001356)
zesstra
2009-09-30 15:52
|
2 GB? Mhmm, I'm afraid, I don't know where to upload that.
With enabled optimization I am also sceptical, that it will be worth the effort to upload such big cores as long as there are other possibilities.
Is all that memory actually in use? Until now all muds I know with such a memory consumption had a memory leak somewhere. ;-)
Did that crashes started after switching to the x86_64 architecture or after switching to 3.3.719? Or both?
BTW: a non-related comment to your configuration: a string hash table size >65535 is not different than 65535, it just consumes more memory. This has been changed until now only in 3.5.x. Maybe that work will someday be backported, but for now it still has to tested somewhat more. |
|
(0001369)
favoretti
2009-09-30 17:06
|
Well, I suppose I could arrange you an account directly on the box to dig in it with GDB if you want.
Yes, that memory is in use, we are quite some HUGE(tm) MUD out there.
Crashes tarted occuring after both switching to 64 bit and to 3.3.719, it was all in one go, since previous attempts to switch to earlier driver versions were pathetic crash festshows :) This one seems to be stable, apart from these intermittent crashes.
Withregards to leaking memory, I'm not sure we do, it stays stable around 2.2g for most of the day after all objects have been loaded and most players have visited the game.
Thanks for the info about the hashtable size param, will adjust.
What I will do tomorrow is recompile the driver with full debugging options and will run on that hoping that it will crash again. Until that I can provide you access to those cores right on the machine where it runs. |
|
(0001423)
favoretti
2009-10-02 10:10
|
Crashed again this morning, unfortunately I haven't recompiled driver with all the debugging yet. But this one is similar to one of the pervious crashes, might give you an idea on where to look.
(gdb) bt
#0 fatal (fmt=0x4cf720 "(free_svalue) Illegal svalue %p type %d\n") at simulate.c:593
0000001 0x000000000043d564 in int_free_svalue (v=0x7f0e6d9dbb30) at interpret.c:1136
0000002 0x000000000044a504 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:8865
0000003 0x00000000004579e7 in apply_low (fun=0x7f0e6d9dbb50, ob=0x7f0e3648b9f0, num_arg=0, b_ign_prot=false, allowRefs=false,
b_ign_shadows=false) at interpret.c:17442
0000004 0x0000000000447584 in int_apply (fun=0x8, ob=0x0, num_arg=1, b_ign_prot=<value optimized out>, b_use_default=true,
b_ign_shadows=<value optimized out>) at interpret.c:17546
0000005 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
0000006 0x00000000004579e7 in apply_low (fun=0x7f0e6db09ba8, ob=0x7f0e3648b9f0, num_arg=0, b_ign_prot=false, allowRefs=false,
b_ign_shadows=false) at interpret.c:17442
0000007 0x0000000000447584 in int_apply (fun=0x8, ob=0x0, num_arg=1, b_ign_prot=<value optimized out>, b_use_default=true,
b_ign_shadows=<value optimized out>) at interpret.c:17546
0000008 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
0000009 0x0000000000458a0b in int_call_lambda (lsvp=<value optimized out>, num_arg=1, allowRefs=false, external=true) at interpret.c:18447
0000010 0x0000000000458bc3 in v_funcall (sp=0x713100, num_arg=2) at interpret.c:21003
0000011 0x000000000044b621 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:8475
0000012 0x000000000045871c in int_call_lambda (lsvp=0x7e40e0, num_arg=<value optimized out>, allowRefs=false, external=true) at interpret.c:18589
0000013 0x000000000047aa12 in reset_object (ob=0x7f0e3648b9f0, arg=96) at object.c:875
#14 0x00000000004ae1d5 in clone_object (str1=<value optimized out>) at simulate.c:2356
#15 0x00000000004ae421 in f_clone_object (sp=0x7130c0) at simulate.c:4376
#16 0x000000000044ee88 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:8276
#17 0x00000000004ad373 in catch_instruction (flags=0, offset=<value optimized out>, i_sp=0x7e3d50,
i_pc=0x7f0e6dfa9373 "e\b\002\037\001??g?4", i_fp=<value optimized out>, reserve_cost=150000, i_context=0x0) at simulate.c:455
#18 0x000000000044a9a2 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:9730
#19 0x00000000004579e7 in apply_low (fun=0x7f0e6db11110, ob=0x1c860, num_arg=1, b_ign_prot=false, allowRefs=false, b_ign_shadows=false)
at interpret.c:17442#20 0x0000000000447584 in int_apply (fun=0x8, ob=0x0, num_arg=1, b_ign_prot=<value optimized out>, b_use_default=true,
b_ign_shadows=<value optimized out>) at interpret.c:17546
#21 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
#22 0x00000000004579e7 in apply_low (fun=0x7f0e6db09ba8, ob=0x9660, num_arg=0, b_ign_prot=false, allowRefs=false, b_ign_shadows=false)
at interpret.c:17442
#23 0x0000000000447584 in int_apply (fun=0x8, ob=0x0, num_arg=1, b_ign_prot=<value optimized out>, b_use_default=true,
b_ign_shadows=<value optimized out>) at interpret.c:17546
#24 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
#25 0x0000000000458a0b in int_call_lambda (lsvp=<value optimized out>, num_arg=1, allowRefs=false, external=true) at interpret.c:18447
#26 0x0000000000458bc3 in v_funcall (sp=0x712fb0, num_arg=2) at interpret.c:21003
#27 0x000000000044b621 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:8475
#28 0x000000000045871c in int_call_lambda (lsvp=0x7e40d0, num_arg=<value optimized out>, allowRefs=false, external=true) at interpret.c:18589
#29 0x000000000047aa12 in reset_object (ob=0x7f0e27dcdc90, arg=80) at object.c:875
#30 0x00000000004aa17d in load_object (lname=<value optimized out>, create_super=false, depth=0, isMasterObj=false, chain=0x0)
at simulate.c:2144
#31 0x00000000004aa454 in lookfor_object (str=<value optimized out>, bLoad=true) at simulate.c:2412
#32 0x0000000000452cb0 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16618
#33 0x00000000004ad373 in catch_instruction (flags=0, offset=<value optimized out>, i_sp=0x7e3d50,
i_pc=0x7f0e6dfb3bec "e\037\006\n\"?f\003t\200\002*?f)\002\037\002n\020\n#\b\025\037\001??,\n$,\003~\020\030\037\006\003u\200\006+e?\n-eg?5", i_fp=<value optimized out>, reserve_cost=150000, i_context=0x0) at simulate.c:455
#34 0x000000000044a9a2 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:9730
#35 0x00000000004579e7 in apply_low (fun=0x7f0e6d9fd3b8, ob=0x1b960, num_arg=1, b_ign_prot=false, allowRefs=false, b_ign_shadows=false)
at interpret.c:17442
0000036 0x0000000000447584 in int_apply (fun=0x8, ob=0x0, num_arg=1, b_ign_prot=<value optimized out>, b_use_default=true,
b_ign_shadows=<value optimized out>) at interpret.c:17546
0000037 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
0000038 0x00000000004579e7 in apply_low (fun=0x7f0e6da62098, ob=0x7f0e4714efe8, num_arg=0, b_ign_prot=false, allowRefs=false,
b_ign_shadows=false) at interpret.c:17442
0000039 0x0000000000447584 in int_apply (fun=0x8, ob=0x0, num_arg=1, b_ign_prot=<value optimized out>, b_use_default=true,
b_ign_shadows=<value optimized out>) at interpret.c:17546
0000040 0x00000000004480cb in sapply_int (fun=0x7f0e6da62098, ob=0x7f0e4714efe8, num_arg=0, b_find_static=72, b_use_default=true)
at interpret.c:17707
0000041 0x000000000040718c in parse_command (buff=0x7fff9fa06b91 "west", from_efun=false) at actions.c:1162
0000042 0x0000000000408711 in execute_command (str=0x7fff9fa06b91 "west", ob=0x7f0e4714efe8) at actions.c:1333
0000043 0x000000000040f339 in backend () at backend.c:690
0000044 0x0000000000464f36 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:688
Recompiling driver with debugs now... |
|
(0001424)
favoretti
2009-10-02 10:18
(Last edited: 2009-10-02 10:19) |
Starting from boot tomorrow will run debugging driver.
When it crashes will let you know :)
In the meantime, if you have even a slightest idea why it crashes based on the traces we have so far (or if you want core access, let me know) - please let me know. We have 500+ players suffering daily :)
|
|
(0001425)
zesstra
2009-10-02 11:34
|
Phew, the stacks are basically identical. Thats good for a start.
Debugging a memory corruption issue is very hard, therefore we will need access to the cores, yes. (BTW: That should Gnomi as well as me, he has more experience in this and might be needed.) The problem is (as you see), that certain values have been optimized away from the compiler and that makes it harder to analyze the core. Additionally, the debug options from the driver itself which annotate memory blocks with their origin makes life usually again easier. Therefore I am the opinion that you will probably have to suffer at least one more of these crashes.
It would help to know, if this only occurs with 3.3.719 (then it has to be one of the changes there) or if it does only occur on x86_64 architectures. But I see, that this information is not available right now, so there remains only the cores. ;-)
The first and the second backtrace both involve someone going west in some object. During that at least one new object is loaded (probably a room) and some other object is cloned. The crash occurs during the initialization of this clone (create() or whatever you call it). It would help to find out, if that objects were the same in both cases (that means, the same room, where somebody went west). Then we could look at the code and check for unusual thing or try to create a test case.
I don't know if it promises any success, but maybe some of your players remembers going west directly before the crash? |
|
(0001426)
favoretti
2009-10-02 11:38
|
Yeah, went in that way of thinking myself already, will try to dig out if someone remembers that.
Withregards to the cores access, let me quickly clear that out with the rest of game administration and I'll get back to you with login details. Would help if you could tell me how to reach you aside of bugtracker, not feeling very happy about leaving login details here :) |
|
(0001427)
favoretti
2009-10-02 12:18
|
Aha.
We dug in a bit more. On the LPC side, it seems twice the same stuff triggered the crash:
Last crash:
2009.09.27 15:31:14 Command giver: 'players/malar/areas/outpost/mons/guard_capt#169325'
Last command: 'west'
(free_svalue) Illegal svalue 0xffffffff type 1189027840
Command giver: 'players/malar/areas/outpost/mons/guard_capt#169325'
Last command: 'west'
2009.09.27 15:31:14 Current object was players/malar/areas/outpost/mons/guard_capt#169325
Command giver: 'players/malar/areas/outpost/mons/guard_capt#169325'
Last command: 'west'
2009.09.27 15:31:14 Dump of the call chain:
Command giver: 'players/malar/areas/outpost/mons/guard_capt#169325'
Last command: 'west'
' command_hook' in ' obj/player.c' ('obj/race/p/ent-azgaroth') line 1952
' parser' in ' nroom/room.c' ('players/malar/areas/outpost/1floor/kentry') line 346
' CATCH' in ('players/malar/areas/outpost/1floor/kentry')
<lambda 0x7f961d036729> in 'players/malar/areas/outpost/1floor/kentry.c' ('players/malar/areas/outpost/1floor/kentry') offset 7
'_create_object_hook' in ' secure/master.c' (' secure/master') line 2319
' create' in ' nroom/room.c' ('players/malar/areas/outpost/1floor/kwest') line 85
' reset' in ' nroom/room.c' ('players/malar/areas/outpost/1floor/kwest') line 920
' reset_items' in ' nroom/items.c' ('players/malar/areas/outpost/1floor/kwest') line 462
' CATCH' in ('players/malar/areas/outpost/1floor/kwest')
<lambda 0x7f961d036699> in 'players/malar/areas/outpost/1floor/kwest.c' ('players/malar/areas/outpost/1floor/kwest') offset 7
'_create_object_hook' in ' secure/master.c' (' secure/master') line 2319
' create' in ' obj/monster.c' ('players/malar/areas/outpost/mons/guard_capt#169325') line 240
' extra_create' in 'players/malar/areas/outpost/mons/guard_capt.c' ('players/malar/areas/outpost/mons/guard_capt#169325') line 38
Command giver: 'players/malar/areas/outpost/mons/guard_capt#169325'
Last command: 'west'
Previous crash:
2009.10.02 04:00:27 Command giver: 'players/malar/areas/outpost/mons/guard_capt#527582'
Last command: 'west'
(free_svalue) Illegal svalue 0xffffffff type -1752428544
Command giver: 'players/malar/areas/outpost/mons/guard_capt#527582'
Last command: 'west'
2009.10.02 04:00:27 Current object was players/malar/areas/outpost/mons/guard_capt#527582
Command giver: 'players/malar/areas/outpost/mons/guard_capt#527582'
Last command: 'west'
2009.10.02 04:00:27 Dump of the call chain:
Command giver: 'players/malar/areas/outpost/mons/guard_capt#527582'
Last command: 'west'
' command_hook' in ' obj/player.c' ('obj/race/p/barsoomian-kheldor') line 1952
' parser' in ' nroom/room.c' ('players/malar/areas/outpost/1floor/kentry') line 346
' CATCH' in ('players/malar/areas/outpost/1floor/kentry')
<lambda 0x7f0e6db06729> in 'players/malar/areas/outpost/1floor/kentry.c' ('players/malar/areas/outpost/1floor/kentry') offset 7
'_create_object_hook' in ' secure/master.c' (' secure/master') line 2319
' create' in ' nroom/room.c' ('players/malar/areas/outpost/1floor/kwest') line 85
' reset' in ' nroom/room.c' ('players/malar/areas/outpost/1floor/kwest') line 920
' reset_items' in ' nroom/items.c' ('players/malar/areas/outpost/1floor/kwest') line 462
' CATCH' in ('players/malar/areas/outpost/1floor/kwest')
<lambda 0x7f0e6db06699> in 'players/malar/areas/outpost/1floor/kwest.c' ('players/malar/areas/outpost/1floor/kwest') offset 7
'_create_object_hook' in ' secure/master.c' (' secure/master') line 2319
' create' in ' obj/monster.c' ('players/malar/areas/outpost/mons/guard_capt#527582') line 240
' extra_create' in 'players/malar/areas/outpost/mons/guard_capt.c' ('players/malar/areas/outpost/mons/guard_capt#527582') line 38
Command giver: 'players/malar/areas/outpost/mons/guard_capt#527582'
Last command: 'west' |
|
(0001428)
favoretti
2009-10-02 12:40
|
In both cases it crashes in eval_instruction in interpret.c in the piece where it processes default return:
CASE(F_RETURN):
...
/* The caller might have a yet-unterminated SAVE_ARG_FRAME in
* effect (this can happen in lambda closures, when the subclosure
* to compute an efun argument executes a #'return) - undo them.
*/
while (ap && ap > efp)
{
while (sp > ap)
free_svalue(--sp); <-- this is where we crash
sp = ap-1;
ap = sp->u.lvalue;
}
Crash occurs on attempting to load that guard_capt.c evaluating extra_create() as can be seen from the ldmud.log call trace and on processing the closing bracer, a.k.a. return statement. |
|
(0001429)
fufu
2009-10-02 14:33
|
The line numbers look odd to me for 3.3.719 - do you have any custom patches in your driver? |
|
(0001432)
favoretti
2009-10-02 15:51
|
Yeah, there is a small number, but nothing that would actually break this. If there will be suspicion that it's one of our patches I can disable some of those. Can't disable all of the, however, since it will break the game heavily :) |
|
(0001433)
favoretti
2009-10-02 15:54
|
On a sidenote, tried to load that room this boot again.. No crash, so it could be that it's just a coincidence that it crashed twice there, although in a world with 16000+ inside rooms and hardly countable outside rooms it sounds a bit odd. |
|
(0001434)
zesstra
2009-10-03 05:14
|
Ok... But even if you think, your patches are completely unrelated, please put them in an archive and upload them here, so we speak about the same source and the same line numbers.
Concerning login details: yes, I can understand that. ;-) You can reach us at our our developer address ldmud-dev@UNItopia.rus.Uni-Stuttgart.DE or contact me at zesstra@zesstra.de.
The place where it crashes (that free_svalue()) is not the place of the root cause. Somehow a malformed svalue was pushed onto the stack (or corrupted while already being there is even more probable). Finding that is the challenge here. A test case whould ease that enormously. Knowing the involved code could help us finding one.
It may be a coincidence, but maybe there is something in there (e.g. a rarely used feature/efun) which can cause problems when certain circumstances are met. On the other hand, your second crash was somewhere else. But it looks also like a corrupted svalue on the stack. Here, the debugging feature you enabled now are useful, because then we get the last 4096 instructions before the crash (well, if that is a call to fatal() at least). |
|
(0001435)
favoretti
2009-10-03 06:27
(Last edited: 2009-10-03 06:38) |
Yesterday just to be sure, except adding debug to the driver I hacked the patching out of interpret.c and simulate.c.
We used to have our own code profiler built into the driver. However, it wasn't enabled during crashes, so from what I could see, the code was never evaluated. But just to be sure I disabled it.
Now there's not that much hacking left :) Attached.
EDIT: The line numbers after this patch won't match the crashes 1:1, cuz I hacked profiler code out for the debugging version. So in case it crashes again any time soon, we'll have the perfect match between trace and line numbers.
|
|
(0001439)
favoretti
2009-10-03 13:20
|
Ok, I think I figured a relation to crashes.
Every time we crashed someone fiddled with XML functions (I had xml2 package compiled it). Now I fiddled with those myself and we crashed almost immediately with the following stack trace:
(gdb) bt
#0 0x00000000004ee262 in UNLINK_SMALL_FREE (block=0x7f26f221e158) at smalloc.c:1137
0000001 0x00000000004ee77a in mem_alloc (size=32) at smalloc.c:1545
0000002 0x00000000004f17f1 in xalloc_traced (size=24) at xalloc.c:565
0000003 0x000000000049672a in f_restore_object (sp=0x745bf0) at object.c:8977
0000004 0x0000000000451b3a in eval_instruction (
first_instruction=0x7f271e875b2b "\037\002\003V\200\003*?f)\003\037\003>n\001\031\b", initial_sp=0x745bd0)
at interpret.c:8219
0000005 0x00000000004cdae4 in catch_instruction (flags=0, offset=8, i_sp=0x816360,
i_pc=0x7f271e875b2b "\037\002\003V\200\003*?f)\003\037\003>n\001\031\b", i_fp=0x745b90, reserve_cost=150000, i_context=0x0)
at simulate.c:453
0000006 0x00000000004541c6 in eval_instruction (first_instruction=0x7f271e875aba "d\001\003?>)\026e?g?", initial_sp=0x745bc0)
at interpret.c:9652
0000007 0x0000000000467455 in apply_low (fun=0x7f27051119b0, ob=0x7f26d58bf4a0, num_arg=1, b_ign_prot=false, allowRefs=false,
b_ign_shadows=false) at interpret.c:17207
0000008 0x00000000004675ca in int_apply (fun=0x7f27051119b0, ob=0x7f26d58bf4a0, num_arg=1, b_ign_prot=false, b_use_default=true,
b_ign_shadows=false) at interpret.c:17285
0000009 0x00000000004634f4 in eval_instruction (first_instruction=0x7f271e8792fa "d\001\002e\037", initial_sp=0x745af0)
at interpret.c:16528
0000010 0x0000000000467455 in apply_low (fun=0x7f27051173d8, ob=0x7f271e5a3300, num_arg=1, b_ign_prot=false, allowRefs=false,
b_ign_shadows=false) at interpret.c:17207
0000011 0x00000000004675ca in int_apply (fun=0x7f27051173d8, ob=0x7f271e5a3300, num_arg=1, b_ign_prot=false, b_use_default=true,
b_ign_shadows=false) at interpret.c:17285
0000012 0x00000000004634f4 in eval_instruction (first_instruction=0x7f271f26aa2a "d\002\n\037", initial_sp=0x745a90)
at interpret.c:16528
0000013 0x0000000000467455 in apply_low (fun=0x7f270c2cd200, ob=0x7f271f2628e8, num_arg=2, b_ign_prot=false, allowRefs=false,
b_ign_shadows=false) at interpret.c:17207
#14 0x00000000004675ca in int_apply (fun=0x7f270c2cd200, ob=0x7f271f2628e8, num_arg=2, b_ign_prot=false, b_use_default=true,
b_ign_shadows=false) at interpret.c:17285
#15 0x00000000004634f4 in eval_instruction (first_instruction=0x7f271c4ac199 "e\n\026\037", initial_sp=0x7459a0)
at interpret.c:16528
#16 0x00000000004cdae4 in catch_instruction (flags=0, offset=21, i_sp=0x816360, i_pc=0x7f271c4ac199 "e\n\026\037",
i_fp=0x745970, reserve_cost=150000, i_context=0x0) at simulate.c:453
#17 0x00000000004541c6 in eval_instruction (first_instruction=0x7f271c4abf8a "e\037", initial_sp=0x745810) at interpret.c:9652
#18 0x0000000000468c69 in int_call_lambda (lsvp=0x7cd840, num_arg=3, allowRefs=false, external=true) at interpret.c:18186
#19 0x00000000004696dc in secure_call_lambda (closure=0x7cd840, num_arg=3, external=true) at interpret.c:18560
#20 0x00000000004dd558 in socket_process_events (sock=0x7cd800, events=5) at sockets.c:1128
#21 0x00000000004dce88 in socket_poll () at sockets.c:986
#22 0x000000000040f695 in backend () at backend.c:755
#23 0x00000000004775f6 in main (argc=8, argv=0x7fff4b6dc048) at main.c:688
I recompiled the driver using libiksemel for now... Still running debugging mode in case it's unrelated. |
|
(0001440)
favoretti
2009-10-03 13:38
|
Last call on mudside was:
2009.10.03 19:03:32 Caught error: Bad arg 1 to xml_generate(): tag is not an array with 3 elements.
Command giver: 'obj/race/p/coder-favorit'
Environment: 'city/main/boardroom'
Last command: 'call ./guilds_server_xml update_guild_object find_object("nguild/d/mage")'
' command_hook' in ' obj/player.c' ('obj/race/p/coder-favorit') line 1904
' do_command' in ' cmds/cmd_inherit.c' (' cmds/wiz/call') line 37
' CATCH' in (' cmds/wiz/call')
' command' in ' cmds/wiz/call.c' (' cmds/wiz/call') line 99
' CATCH' in (' cmds/wiz/call')
' call_lpc' in 'players/favorit/TMP.c' (' players/favorit/TMP') line 1
'update_guild_object' in 'lib/gameinfo/guilds_server_xml.c' ('lib/gameinfo/guilds_server_xml') line 61
'update_guild_info' in 'lib/gameinfo/guilds_server_xml.c' ('lib/gameinfo/guilds_server_xml') line 116
Command giver: 'obj/race/p/coder-favorit'
Environment: 'city/main/boardroom'
Last command: 'call ./guilds_server_xml update_guild_object find_object("nguild/d/mage")'
2009.10.03 19:03:32 ... execution continues.
Command giver: 'obj/race/p/coder-favorit'
Environment: 'city/main/boardroom'
Last command: 'call ./guilds_server_xml update_guild_object find_object("nguild/d/mage")'
What I did, I fed a 3-d array to xml_generate, which wasn't formed correctly. |
|
(0001458)
zesstra
2009-10-05 10:14
|
Mhmm, I had a look at your diff. I wouldn't call 144k "not much", even if you deactivated some of it. That differs substantially from the source we have.
May I ask, what exactly you fed into xml_generate() and what the others did?
BTW: I noticed two things you should check in your diff, while having a short glance (although I may have overlooked something, I had only a few minutes to spare):
- the efun random_integer() won't return [INT_MIN .. INT_MAX] on x86_64 platforms, because your random_integer() returns uint32, but an LPC int has 64 bits on x86_64.
- f_recompile_object(). You seem to replace the blueprint of the object, while keeping the variable block. If the new program differs in variables or sequence of variables, this will cause problems, especially if the new program uses more variables, because it will read garbage beyond the variable block or overwrite stuff there. |
|
(0001462)
favoretti
2009-10-05 11:38
|
Basically I fed a huge mapping containing multi-dimensional arrays, while being curious what kinda output it will produce.
What others did - was pretty much twiddling around, generating XML about guild information, etc. I could probably paste some code here, but I don't think it will be largely relevant. There was nothing out of ordinary which, for instance, some code typo won't produce.
([ /* 0000001 */
0: ({ /* 0000002, size: 1 */
({ /* 0000003, size: 2 */
"background",
({ /* 0000004, size: 1 */
"magical"
})
})
}),
2: ({ /* 0000005, size: 7 */
({ /* 0000006, size: 3 */
"skill_min",
"cast_generic",
6
}),
({ /* 0000007, size: 3 */
"skill_min",
"cast_protection",
12
}),
({ /* 0000008, size: 3 */
"skill_min",
"consider",
15
}),
...
This will go on for another page or five :)
Thanks for the notices on the diff, I'll have a look. That diff has also been a long-term hacking effort of a gazillion of people so maybe now would be the time to look at it closely again. |
|
(0001463)
favoretti
2009-10-05 11:39
|
Oh yeah, and as to 144k, if you notice, there's mostly efuns that are added.
The only hacking into the driver self would be adding ability to bypass shadows, which is rather straightforward and otherwise harmless.
The biggest part of the diff is sockets implementation. |
|
(0001465)
zesstra
2009-10-05 12:25
|
It doesn't really matter, if it is only efuns or not. Any efun may corrupt memory (.e.g. your mentioned xml_generate()), they are not separated from the rest of the driver. I wrote some efuns which wrote somewhere they shouldn't the first time I tested them... ;-) But sometimes a memory corruption in an efun takes a long time to be noticed.
Any piece of code changing data may be the root cause of an avalanche of small or big changes leading in the end to a crash.
Concerning your last crash: if you believe, that it is caused by some call to xml_generate(), please try to reproduce it. If that does work, create a minimal test case (just enough code to trigger the problem). Otherwise, we will never make progress finding the real problem. I can't just try random arguments to xml_generate() until I find some problem (especially, because the crash by be platform/architecture-specific). ;-) |
|
(0001518)
favoretti
2009-10-12 07:40
|
Just crashed again:
#0 0x0000000000422bf0 in add_flush_entry (ip=0x7fbc722ad0a8) at comm.c:2118
0000001 0x0000000000422b74 in add_message (fmt=0x421e27 "UH\211?H\201??\r") at comm.c:2060
0000002 0x00000000004d48b7 in print_svalue (arg=0x7453d0) at simulate.c:4322
0000003 0x00000000004d5913 in f_write (sp=0x7453d0) at simulate.c:4955
0000004 0x00000000004517ea in eval_instruction (
first_instruction=0x7fbcb4181aba "d\001\004\n\017\003T_e\n\017\022\005\022<.\a\b\017f_\037", initial_sp=0x7453c0)
at interpret.c:8219
0000005 0x0000000000466d3e in apply_low (fun=0x7fbc9e3bd0e8, ob=0x7fbc7226db08, num_arg=0, b_ign_prot=false,
allowRefs=false, b_ign_shadows=false) at interpret.c:17093
0000006 0x000000000046727a in int_apply (fun=0x7fbc9e3bd0e8, ob=0x7fbc7226db08, num_arg=0, b_ign_prot=false,
b_use_default=true, b_ign_shadows=false) at interpret.c:17285
0000007 0x00000000004631a4 in eval_instruction (first_instruction=0x7fbcb4a7bb92 "\037\001{$+\037\001o\016eeg?",
initial_sp=0x7452e0) at interpret.c:16528
0000008 0x0000000000466d3e in apply_low (fun=0x7fbc9a559590, ob=0x7fbc72c27210, num_arg=2, b_ign_prot=false,
allowRefs=false, b_ign_shadows=false) at interpret.c:17093
0000009 0x000000000046727a in int_apply (fun=0x7fbc9a559590, ob=0x7fbc72c27210, num_arg=2, b_ign_prot=false,
b_use_default=true, b_ign_shadows=false) at interpret.c:17285
0000010 0x00000000004631a4 in eval_instruction (first_instruction=0x7fbcb4181e12 "d\001\005\037", initial_sp=0x745220)
at interpret.c:16528
0000011 0x0000000000466d3e in apply_low (fun=0x7fbc9a5564f8, ob=0x7fbc72c26b60, num_arg=1, b_ign_prot=false,
allowRefs=false, b_ign_shadows=false) at interpret.c:17093
0000012 0x000000000046727a in int_apply (fun=0x7fbc9a5564f8, ob=0x7fbc72c26b60, num_arg=1, b_ign_prot=false,
b_use_default=true, b_ign_shadows=false) at interpret.c:17285
0000013 0x0000000000467673 in sapply_int (fun=0x7fbc9a5564f8, ob=0x7fbc72c26b60, num_arg=1, b_find_static=false,
b_use_default=true) at interpret.c:17446
#14 0x00000000004d43cf in execute_callback (cb=0x73d948, nargs=1, keep=false, toplevel=true) at simulate.c:4075
#15 0x000000000042638f in call_input_to (i=0x7fbc722ad0a8, str=0x7fffe1266540 "use ref at mahogany in dw",
it=0x7fbcc2db05a8) at comm.c:4127
#16 0x000000000042652d in call_function_interactive (i=0x7fbc722ad0a8, str=0x7fffe1266540 "use ref at mahogany in dw")
at comm.c:4212
#17 0x000000000040f1fe in backend () at backend.c:679
#18 0x00000000004772a6 in main (argc=8, argv=0x7fffe1267f58) at main.c:688 |
|
(0001524)
zesstra
2009-10-16 04:35
|
The stack traces alone give not enough information, so we need access to core + binary + source. If you still consider giving us access to your machine for that purpose, the easiest would be to give you Gnomis and my public ssh key which you temporarily add to your authorized_keys.
Otherwise, you need to pack the stuff and put it somewhere for download. Although then we might have problems having the right gdb for your platform+architecture. |
|
(0001525)
zesstra
2009-10-16 05:20
|
BTW: You might want to have a look at your garbage collector. You added some socket stuff. During the early phase of the GC run you call clear_socket_refs() to clear the refcounters, but later you don't call count_socket_refs(), but clear_socket_refs() again. That will lead to uncounted references and later to memory that might be used twice (because the GC will mark memory as free which is not referenced). So, if you ever have a GC run while having socket callbacks, your system will be unstable. |
|
(0001528)
Gnomi
2009-10-18 09:52
|
We found a possible cause in the xml2 functions. I committed a fix in 3.3/trunk as r2770. Maybe you could try it out? |
|
(0001529)
favoretti
2009-10-18 10:42
|
Will do. Although last 2 crashes occured with libiksemel, since I was trying to exclude the possible reason of crashing. |
|
(0001530)
favoretti
2009-10-18 10:49
|
@Zesstra: that's a brilliant find! Thanks. That sounds like something I overlooked/mistyped while manually transferring some failed hunks...
Could might as well be responsible for those crashes of late..
We're gonna try to run test version of mud under valgrind.. Maybe that will give us some pointers.
Withregards to access to cores and source... There's some commotion about accessing internal net here, Would it be enough if I give you some VM off-site where no mudlib will be present, but just those cores, source and logs? |
|
(0001531)
zesstra
2009-10-18 10:55
|
Yes, that will be sufficient. But don't forget the correct binary as well and gdb. ;-) |
|
(0001532)
favoretti
2009-10-18 12:03
|
BTW, something unrelated, but maybe nice to fix just in case.
While waiting on startup of ldmud under valgrind, this popped out:
==19441== Conditional jump or move depends on uninitialised value(s)
==19441== at 0x43BA54: e_sscanf (efuns.c:4134)
==19441== by 0x4539E1: eval_instruction (interpret.c:9516)
==19441== by 0x467104: apply_low (interpret.c:17207)
==19441== by 0x467279: int_apply (interpret.c:17285)
==19441== by 0x4631A3: eval_instruction (interpret.c:16528)
==19441== by 0x467104: apply_low (interpret.c:17207)
==19441== by 0x467279: int_apply (interpret.c:17285)
==19441== by 0x4631A3: eval_instruction (interpret.c:16528)
==19441== by 0x468918: int_call_lambda (interpret.c:18186)
==19441== by 0x46B9ED: v_funcall (interpret.c:20742)
==19441== by 0x451F74: eval_instruction (interpret.c:8418)
==19441== by 0x468CEF: int_call_lambda (interpret.c:18328)
He's generally right, checking for value initialization is a Good Thing(tm) ;-)
I'll set up the VM for you in a few hours and will place those crashcollections there. Our crashchecker autocopies the current binary next to core, so you'll have precise binaries with each crashdump. |
|
(0001535)
favoretti
2009-10-18 17:59
|
Ok, if you could send me your ssh keys, I'll add them to the machine with all you need to have for analyzing crashdumps.
Details of the machine: 89.105.199.206, user bat.
You'll have full sudo rights, that VM is totally yours, feel free to install any tools you might find missing.
It's identical to the machine we're using s/w-wise.
Source is in /home/bat/ldmud-src.
Thanks for looking into it! |
|
(0001537)
Gnomi
2009-10-20 06:07
|
The last two crashes (in add_flush_entry) are unrelated to the previous ones and result from inconsistencies in the list of dirty players. |
|
(0001538)
favoretti
2009-10-21 02:53
|
Yeah, that I got as well, question is, how come it got dirty... |
|
(0001539)
Gnomi
2009-10-21 03:05
|
Players get dirty all the time. And normally when add_message(message_flush); is called they get clean again. And exec() is counting on that. But this time too many messages were sent to a particular player (a login object), so that its socket buffer got full and messages had to be discarded. This interactive object won't get clean until the master object was notified. And that was something exec() didn't expect and so it left some non-interactive object (the former interactive object) in the list of dirty players which lead to the crash.
It can be fixed quite easily and I'll have a fix for that shortly. |
|
(0001540)
Gnomi
2009-10-21 05:33
|
I attached a patch for 3.3 and committed a patch for 3.5 as r2771. |
|
(0001541)
favoretti
2009-10-21 08:45
|
Thanks! Will patch it up right away.
Any thoughts on the previous crashes though? |
|
(0001542)
Gnomi
2009-10-21 10:03
(Last edited: 2009-10-21 10:03) |
The first one (20090927-153151) has the same cause as the last two ones (exec() on dirty players).
The next two crashes (20090927-153151 and 20091002-040121) I don't know. They're hard to debug (optimized and no TRACE_CODE). They both occurred when 'players/malar/areas/outpost/mons/guard_capt' was loaded and the driver was returning from the function extra_create and cleaned up the stack. So somebody put an illegal value on the stack but who or how I cannot see in the core.
The fourth one (20091003-190417) had probably something to do with libxml2 processing, which we already fixed. It shows memory corruption and has the following call trace:
lib/finger/finger_ob#266918->load_character
lib/finger/server->query_web_player_data
lib/webgw/modules/xmlfinger->request
So this one is fixed.
|
|
(0001543)
favoretti
2009-10-21 11:00
|
Thanks! I'd say we mark this as resolved, and wait if something else occures. If so, we keep running in debug mode, so that we can produce usable cores and I'll just log a new one.
Guys, I can't express my thanks for bearing with me and helping us solving it. You made a ton of players very happy :) |
|
(0001572)
favoretti
2009-10-29 15:53
|
Aaaand, we have a winner:
Core was generated by `/bat/bin/ldmud -m /bat/mudlib --pidfile /bat/mudlib/ldmud.pid --debug-file /bat'.
Program terminated with signal 8, Arithmetic exception.
[New process 23645]
#0 0x00000000004cdd27 in dump_core () at simulate.c:591
591 *((char*)0) = 0/a;
(gdb) bt
#0 0x00000000004cdd27 in dump_core () at simulate.c:591
0000001 0x00000000004cdc5e in fatal (fmt=0x4fe1e8 "'illegal' instruction encountered.\n") at simulate.c:653
0000002 0x00000000004513e0 in eval_instruction (first_instruction=0x7f828ab2fef2 "", initial_sp=0x745a40)
at interpret.c:8103
0000003 0x00000000004670d1 in apply_low (fun=0x7f82d7763338, ob=0x7f828ab3fa70, num_arg=0, b_ign_prot=false,
allowRefs=false, b_ign_shadows=false) at interpret.c:17207
0000004 0x0000000000467246 in int_apply (fun=0x7f82d7763338, ob=0x7f828ab3fa70, num_arg=0, b_ign_prot=false,
b_use_default=true, b_ign_shadows=false) at interpret.c:17285
0000005 0x0000000000463170 in eval_instruction (
first_instruction=0x7f82d7bef608 "e?\n??fn\006\020\200\032*m\004\017\200\032*?f>\200\033+\037\032(\002\037\033n\a\017{i+\037", initial_sp=0x745880) at interpret.c:16528
0000006 0x00000000004cd6c8 in catch_instruction (flags=0, offset=19, i_sp=0x815d60,
i_pc=0x7f82d7bef608 "e?\n??fn\006\020\200\032*m\004\017\200\032*?f>\200\033+\037\032(\002\037\033n\a\017{i+\037",
i_fp=0x745680, reserve_cost=150000, i_context=0x0) at simulate.c:453
0000007 0x0000000000453e42 in eval_instruction (first_instruction=0x7f82d7c58a12 "d\004\002e\037", initial_sp=0x745660)
at interpret.c:9652
0000008 0x0000000000466d0a in apply_low (fun=0x7f82d7787898, ob=0x7f828ab3fa70, num_arg=2, b_ign_prot=false,
allowRefs=false, b_ign_shadows=false) at interpret.c:17093
0000009 0x0000000000467246 in int_apply (fun=0x7f82d7787898, ob=0x7f828ab3fa70, num_arg=2, b_ign_prot=false,
b_use_default=true, b_ign_shadows=false) at interpret.c:17285
0000010 0x0000000000463170 in eval_instruction (first_instruction=0x7f82df49a7f2 "d", initial_sp=0x745200)
at interpret.c:16528
0000011 0x0000000000469562 in call_function (progp=0x7f82df49a310, fx=18) at interpret.c:18650
0000012 0x000000000044a660 in call_heart_beat () at heartbeat.c:289
0000013 0x000000000040f2f5 in backend () at backend.c:732
#14 0x0000000000477272 in main (argc=8, argv=0x7fff09864498) at main.c:688
Uploading cores to the same vm again.
This time it's again that Malar's area. All it does it puts some objects into arrays and then removes arrays with
array -= ({ 0 });
Seems it somehow screws something up. If need be I'll upload LPC code of the relevant pieces.
Appreciate a lot if you could have a glance.
Thanks!! |
|
(0001594)
favoretti
2009-11-03 17:44
|
Guys, any luck? Did you have a chance to have a look yet? Thanks! |
|
(0001595)
favoretti
2009-11-03 17:51
|
Actually to elaborate a bit more on what the LPC code does.
That array contains object references. On certain occasions LPC code fires
array -= ({ 0 }) to remove object references to objects that have been destructed.
It also happens in second_life() of monsters, so somewhere just before object gets destructed.
We tried to reproduce it under valgrind, but couldn't find anything even remotely useful. But we thought that maybe explaining this to you will light the bulb somewhere :) |
|
(0001598)
Gnomi
2009-11-04 04:51
|
I had a first look and didn't found anything that could be the cause. But I hadn't enough time to look deeper so far. In the next few days I shall have enough time to do that. |
|
(0001605)
Gnomi
2009-11-05 04:31
|
I had another look yesterday. I'm I right that second_life() in /players/malar/areas/outpost/mons/veteran_guard1.c just contains a return; (or nothing at all)?
It seems to me that 2 bytes of the function were overwritten or wrongly written (the first four bytes consist of 00 19 00 80, but should have been 00 00 19 <whatever>). But at this time I have no idea how this could have happened.
Which LPC code did you refer to in comment 0000683:0001595 (about removing destructed objects from an array)? Could we have a look at the LPC code from Malar's area? |
|
(0001606)
favoretti
2009-11-05 04:37
|
Second life from the mob:
second_life()
{
MSERV->remove(this_object());
}
MSERV:
FILE /players/malar/areas/outpost/monster_server.c 548 bytes, 42 lines.
---------------------------------------------------------------------------
// Monster server for outpost
// Malar
object *guards = ({ });
add(object mons)
{
guards+= ({ mons });
}
get()
{
update();
if (sizeof(guards))
{
object mons = guards[0];
guards= guards[1..];
mons->set_aggressive(1);
return mons;
}
else return 0;
}
remove(object ob)
{
if(member_array(ob, guards) != -1) guards -= ({ ob });
update();
return 1;
}
query_mons()
{
update();
write(guards);
return guards;
}
update()
{
guards-=({ 0 });
return 1;
}
EOF |
|
(0001607)
Gnomi
2009-11-05 06:01
|
Then there's something badly wrong with the program structure. As I read the bytecode, second_life() is the last function in veteran_guard1.c. And there are only 8 bytes left in the bytecode block (afterwards comes the function lookup table, which seems fine), such an call_other needs 12 bytes. |
|
(0001608)
favoretti
2009-11-05 06:24
|
Right... Any ideas on the cause? |
|
(0001614)
Gnomi
2009-11-06 09:06
|
None whatsoever.
The whole program structure is consistent (malloc size, program size, pointers to the several tables of the program) in this regard, that there are only 8 bytes left for this particular function. So if there really should have been a call_other, then either the LPC compiler aborted the compilation at that function (and returned the compiled program nevertheless) or removed some bytes from the program at the end of the compilation. The first possibility I cannot image. And for the second one: The compiler does remove some opcodes during the compilation, but I went over these places and haven't found anything wrong with them. And it should be fairly reproducible. Did you try to call second_life on it again?
Could I have a look on veteran_guard1.c? |
|
(0001615)
favoretti
2009-11-07 10:11
|
FILE /players/malar/areas/outpost/mons/veteran_guard1.c 1246 bytes, 37 lines.
---------------------------------------------------------------------------
#define MSERV "/players/malar/areas/outpost/monster_server"
inherit "obj/monster";
inherit "/players/shardik/monster/renaming_limbs";
extra_create ()
{
set_name ("veteran guard");
set_short ("an old veteran guard");
set_long (line_wrap("This old elf is a typical elven soldier. Proud of"+
" his art and sure in his swordsmanship he stands tall"+
" and secure. You are certain this man knows how to"+
" fight. At least he looks like he knows. He has a fist"+
" insignia on his breastplate."));
set_id (({"elf","guard","elite guard","guard with insignia",
"elven guard","an elven guard",
"guard with a flaming fist insignia"}));
set_hunt_range(5);
set_al(500);
set_defender(1);
set_level(21);
set_wimpy(0);
set_aggressive(0);
set_gender(1);
set_race("elf");
set_skill("cleave",80,"attacker","while_fighting");
set_skill_chance("dodge",70);
set_skill_chance("negate offhand penalty",80);
rename_limbs( ({"right hand", 1, "fist", "left hand", 1, "fist",
"right foot", 0, "kick"}) );
add_random_weapon("random_katana");
if(file_name() != base_name()) MSERV->add(this_object());
}
second_life()
{
MSERV->remove(this_object());
} |
|
(0001618)
Gnomi
2009-11-10 15:37
|
The patch against crashes because of dirty users was committed to 3.3 as r2806. |
|
(0001619)
favoretti
2009-11-10 15:39
|
Cool. Any ideas on the last crash, though? :-P Sorry if I become annoying :) |
|
(0001621)
Gnomi
2009-11-11 05:20
|
I can confirm that the compiler did compile the second_life() function (because there is a string for "remove" in the program's string table). I have searched for the missing bytecodes and found veteran_guard3.c seems to be identical to veteran_guard1.c. Can you confirm that both files are the same? |
|
(0001622)
favoretti
2009-11-11 05:32
|
Pretty much, yeah.
favorit@batmud64:/bat/mudlib/players/malar/areas/outpost/mons$ cat veteran_guard3.c
#define MSERV "/players/malar/areas/outpost/monster_server"
inherit "obj/monster";
inherit "/players/shardik/monster/renaming_limbs";
extra_create ()
{
set_name ("veteran guard");
set_short ("a tall elven guard with a fist insignia");
set_long (line_wrap("This tall guard has seen many battles. He is one of"+
" the veteran guards in the outpost."+
" He is vigilant and alert. He wears a thin armour of"+
" elven chain and a green tunica on top of that with"+
" a fist insignia."));
set_id (({"elf","guard","elite guard","guard with insignia",
"elven guard","an elven guard","guard with a flaming fist"+
" insignia"}));
set_hunt_range(5);
set_al(500);
set_defender(1);
set_level(21);
set_wimpy(0);
set_aggressive(0);
set_gender(1);
set_race("elf");
set_skill("cleave",80,"attacker","while_fighting");
set_skill_chance("dodge",70);
set_skill_chance("negate offhand penalty",80);
rename_limbs( ({"right hand", 1, "fist", "left hand", 1, "fist", "right foot", 0, "kick"}) );
add_random_weapon("random_katana");
if(file_name() != base_name()) MSERV->add(this_object());
}
second_life()
{
MSERV->remove(this_object());
} |
|
(0001623)
Gnomi
2009-11-11 07:46
|
I'm still out of ideas. We have two nearly identical files which give identical programs with identical bytecodes (except the string content which doesn't matter because it's stored in the global string table, not in the program). But one of them is missing 10 bytes before the final and automatic 'return' bytecode in second_life(), while the other is fine. |
|
(0001624)
favoretti
2009-11-11 07:54
|
Heh, indeed. Why that happens is beyond my comprehension. So far it's been 10 days stable, if it will ever crash again I hope a new crash dump will give more ideas. |
|
(0001666)
Gnomi
2009-12-22 10:22
|
And we've found the cause for the last one. Wildcat could reproduce this bug in 0000709, so we finally tracked that one down. The bugfix was committed as r2809. So I'm now closing this bug. |
|
|
Notes |
(0000596)
chaos
2008-02-19 08:28
|
Please disregard in favor of next ticket; the file upload attempted with this one failed. |
|
(0000597)
zesstra
2008-02-19 12:26
|
You may just attach your file to this ticket, no need to open a new one.
Yes, alloca() allocates memory on the stack and that is often limited to 8 MB by default, so its relatively "easy" to hit that limit.
Note that the check after the alloca() doesn't work on my machine as well. alloca() seems to happily allocate memory exceeding the stack limit for the process (without returning NULL) and upon accessing it or calling a function (which implicitly accesses the out-of-bounds stack now) the driver crashes.
According to the manpage its behaviour is machine and compiler dependent. (You can try the behaviour on your system with the very simple test program I will attach.)
One problems is: It is not very straight-forward to determine the already used stack size as there is no libc function for it, otherwise you could check beforehand if there is enough space on the stack + a safety margin. Therefore it is probably indeed a good idea to replace other alloca() as well or introduce a (rather low) limit for all alloca() (which may impair legitimate uses) and will not work if you heavily recursed and use already quite a lot of the available stack space.
Note: For MG we use a stack size limit of 128MB at the moment, because of such potential problems and the PCRE crash reported in 0000524, but that doesn't solve the basic problem. |
|
(0000598)
zesstra
2008-02-19 12:47
|
Hmpf, I forgot: My system here is 32 bit based, it is definitely not a 64 bit issue. A quick search suggests that it is quite common for alloca() implementations not to return NULL upon out-of-stack-memory. From a BSD man page: "if the allocated block is beyond the current stack limit, the resulting behavior is undefined." I assume that on most systems this crash s reproducible.
(BTW: the man page on MacOS is just wrong. :-( ) |
|
(0000599)
chaos
2008-02-19 14:11
|
Additional data: I had suspected a 64-bit issue because the same data being processed by 3.2.15 restore_value() (also uses alloca()) on intel32 FreeBSD 5.4 works fine.
So, yeah, glibc's fault. |
|
(0000600)
zesstra
2008-02-19 14:25
|
How large was that string and stack size limit you used there? alloca() on FreeBSD 5.4 may well behave the same behaviour, maybe the stack size limit was just bigger and you didn't hit the limit. At least FreeBSD 6.2 has the same behaviour according to its manpage. It says:
"The allocation made may exceed the bounds of the stack, or even go further into other objects in memory, and alloca() cannot determine such an error."
So I would check if either the stack limit was higher on your FreeBSD or if the process just didn't get killed and potentially overwrote stuff after/below the stack (on Linux that would be system/shared lib code, but I don't know how FreeBSD organizes the process' address space.
(The latter behaviour would be especially interesting as it may allow to inject code into the drivers process.) |
|
(0000601)
zesstra
2008-02-19 18:11
|
I thought a little bit about my last note and tested the alloca() on 2 systems (MacOS 10.5 and Debian etch). Basically on both systems alloca() gave me any address in the virtual address space of the process I wanted to have. So you can write arbitrary data to arbitrary memory addresses in the driver's address space.
Of course, in practice you are limited by the possible size of the string to restore_value() (AFAIK LPC strings are only limited by the amount of memory available).
If you know the process image layout and where the systems shared libs are mapped and which memory areas are not write-protected, you may really be able to inject code remotely if you know what you do (I don't, that said.).
(simplified and quick example: in a small test program I expanded the stack into an address range allocated by the heap. That area is not write-protected so you can overwrite the data there or continue program execution (calling functions is possible because the system simply expands the stack happily further into the heap). Although simply overwriting the heap should be detected by the driver's memory allocator later, resulting in calling fatal().)
BTW, there are 69 calls to alloca(), some of them in efuns, probably one has to have a closer look at them, if they may be a problem. They contain checks for NULL pointers, but... *sigh* |
|
(0000604)
chaos
2008-02-20 14:09
|
Re: your question about my FreeBSD environment, I don't know how to find out what stack size gcc sets up (I'm thinking that's the relevant stack size, rather than the LPC interpreter's stack). Google shows me articles which speak of the stack size being "unlimited" unless changed with ulimit, but we seem to be seeing that alloca() interacts with it in a way that doesn't cause it to expand when needed.
http://www.irccrew.org/~cras/security/howto/dynamic.html has commentary on alloca() that pretty much says that it's completely unsafe to use on any arbitrary or user-provided data, and portability-negative too. |
|
(0000605)
zesstra
2008-02-20 15:43
|
I would say, the people on irccrew.org are right with that opinion.
And yes, I did not mean the LPC stack. ;-) It is, how much memory space your system wants to permit the process to use (obviously it does only weakly enforce it). You can find that out by executing 'ulimit -a' in your shell, there should be an entry "stack size", that is the maximum amount of memory the process started in that shell should use for the stack. (You can also change it with ulimit.)
Example:
On my system the memory of the process looks like this (system-dependent!):
-----<stack><stackguard>--------<syslibs>---------<heap><executable>
(all --- may be used for the heap, it grows from right to left here)
The <stackguard> is read and write protected, so any access there gets the process killed, if you extend the stack into to the <stackguard> area. If you manage to "jump" over it at get from alloca() an address where you can write, your process doesn't get killed.
Linux AFAIK even doesn't have this stackguard area, there stack and heap are next to each other, if that neighbouring heap area is allocated by your process, you may not even notice it for some time, if the stack grows into the heap. |
|
(0000606)
chaos
2008-02-20 15:51
|
Okay. ulimit -a shows a stack size of 8192K on the Debian system and 65536K on the FreeBSD system, so that's consistent with observed behavior. |
|
(0000611)
zesstra
2008-05-06 14:22
|
Yesterday Gnomi and me had a discussion about the use of alloca() in the driver.
Basically there seem to be 3 possibilities:
1) use alloca() only for small allocations (<200 byte) and only if it is guaranteed to be not more. Consequently change all other alloca() to xalloc().
2) There is a alloc.c in the driver source, using mempools to allocate memory and it reclaims storage allocated deeper in the stack. We might use this palloca() instead of alloca(). But I am not sure if it is finished yet.
3) continue to use alloca() but always check before if there is enough stack space left. This can be determined by using the initial stack pointer upon start-up, the current stack pointer, the direction in which the stack grows and RLIMIT_STACK from getrlimit().
2) and 3) have the advantage of not having to free the memory manually.
With 3) a function may still use a lot of stack space and potentially crash upon calling other functions.
1) may increase fragmentation of the heap and we have to keep in mind all return paths out of the function for freeing the memory.
Any favorites? |
|
(0000661)
chaos
2008-07-02 10:17
(Last edited: 2008-07-02 10:17) |
3) doesn't seem like a good idea; what will it do when there isn't enough memory on the stack, error out? Then lib code will error at random based on stack conditions, and a new unanticipated failure condition has been introduced into all the functions using alloca; seems very unfriendly. The only alternative I see to erroring out is switching to using xalloc, and then really you may as well have just used xalloc in the first place.
I can't really evaluate 2); if it's not clear that the function is finished, it sounds like it's going to be flaky.
So 1), the painful one, kinda sounds the best.
|
|
(0000665)
zesstra
2008-07-02 19:11
|
I still think, palloca() has some potential, but to have a fix ready for this one I just changed f_restore_value() to use xalloc/xfree for the buffer. I noticed 6 return paths in the function, if somebody reads the diff, please double-check that I did not miss one. ;-) |
|
(0000666)
Gnomi
2008-07-03 03:46
|
restore_svalue might throw errors that abort through a longjmp. Mostly out of memory errors, but also on illegal array sizes (e.g. restore_value("0000001:0\n({" + "0,"*100000 + "})\n")). So I would recommend using the already existing error handler (restore_value_cleanup) to catch these. |
|
(0000667)
fufu
2008-07-03 05:30
|
How about this?
We could cheat and use a global variable, but I'd rather eliminate those than introduce new ones. |
|
(0000668)
Gnomi
2008-07-03 05:40
|
A global variable is not an option, because restore_value/object calls can be quite recursive (e.g. "#e:efun" can raise a privilege violation and the master can then call restore_value/object again). |
|
(0000669)
zesstra
2008-07-03 05:54
|
Ok, had the same in mind after Gnomis comment, but had no time during the day.
I think using the restore_cleanup_t for transfering the address of buff is just fine.
There is IMHO one problem left, which I also missed in my first patch: buff is changed in line 9070: buff = p+1; We have to account for this and use the original address of the allocated memory for xfree and the cleanup structure. |
|
(0000670)
fufu
2008-07-03 06:09
|
good point. I think the easiest solution is to check whether a version is there after setting up the error handler, see latest patch. (restore_value-2a.diff applies on top of restore_value-2.diff) |
|
(0000671)
zesstra
2008-07-03 07:04
|
Looks good for me.
I wrote a small test yesterday, once the testsuite is available in SVN I could commit the test (although it heavily depends on the available stack memory, so it just feeds some 50MB of zeroes into restore_value()...). |
|
(0000672)
Gnomi
2008-07-04 07:47
(Last edited: 2008-07-04 07:47) |
Looks good for me too.
|
|
(0000684)
zesstra
2008-07-08 16:53
|
Fuchur, do you want to apply your patches yourself? |
|
(0000701)
fufu
2008-07-09 09:19
|
(Zesstra) Fuchur, do you want to apply your patches yourself?
Done now, see SVN revision 2377. |
|
|
Notes |
(0000593)
zesstra
2008-01-27 18:20
|
I just had a look at the 64-bit version of the MT and read a note from its author. He states, that the SIMD-oriented Fast Mersenne Twister (SFMT), a variant of the MT, is much faster:
"It is faster than the original MT, even in non-SIMD CPUs, and has better assurance of randomenss."
The SFTM homepage states:
"SFMT is much faster than MT, in most platforms. Not only the speed, but also the dimensions of equidistributions at v-bit precision are improved. In addition, recovery from 0-excess initial state is much faster."
The license of SFMT is the same as for the original MT.
Details can be found at:
http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/SFMT/index.html
The speed comparisons look quite impressive. Has anyone an opinion about this? |
|
(0000617)
zesstra
2008-05-07 15:50
|
If there is nobody speaking against the SFMT, I would like to give it a shot and start working on a patch integrating it into the driver, with 32-bit and 64-bit variants and probably the optimized code for SSE2, Altivec and CPUs without both. Just to let you know. ;-) |
|
(0000621)
zesstra
2008-05-09 18:43
|
OK. First version of a patch which replaces the MT with the SFMT-1.3.3 and make the PRNG usable in 64-bit environments.
random.c and random.h are a wrapper around the functions of the SFMT.
The SFMT is contained in a new sub-directory src/random/, because it contains multiple Files for different period lengths and optimizations.
random.c includes random/SFMT.c, so a number of functions should be inlinable by the compiler.
I removed non-necessary files from the SFMT (like Makefile, most of the documention), but I didn't remove functions from the source, which we don't use. The reasoning behind this is, that it is easier to update the SFMT if we use their source more or less 'as is'. If it really disturbs someone, we may remove some public functions like get_idstring() and 2 functions which generate arrays of random numbers.
I added a --with-random-period-length to autoconf/configure.in and a corresponding define to config.h.in for choosing the period length of the SFMT (default: 19937 -> 2^19937 - 1, supported are several length between 2^607-1 to 2^216091-1).
Additionally the patch includes my changes for seeding the PRNG from /dev/urandom or /dev/random (see 0000515) which make it impossible to guess the seed and removes the problem that the 32-bit integer seed can only make 2^32 kinds of initial state.
However there is something still missing: I did not mange until now to include the necessary autoconf magic to automatically set HAVE_SSE2 and -msse2 (and the corresponding altivec variants). If anybody has a working solution for this I would be delighted. ;-)
If anybody is interested to test the patch, I will be happy about comments. |
|
(0000638)
Gnomi
2008-07-01 04:35
|
The command line option --randominit seems somewhat limiting. Wouldn't it be better to specifiy the random device name itself? (And if it's missing stick to the system clock.)
In random.c random.h should be included before random/SFMT.c, otherwise the definition of MEXP comes too late. I also got the following warning:
random.c: In function 'seed_random':
random.c:82: warning: passing argument 1 of 'init_by_array' from incompatible pointer type
I can't comment on the SFMT itself, so go for it. |
|
(0000648)
zesstra
2008-07-01 18:40
|
Ok, the incompatible pointer type was due to use of uint32 in the driver and uint32_t in the SFMT, and I missed one. I use now in the random wrapper consistently uint32_t (and uint64_t).
Generalizing --random-init is definitely a good idea, it can now be used to specify arbitrary filenames. (We may think about deprecating --random-seed as you could give a constant seed in a file. It would be nice to change the behaviour of -random-seed instead of introducing --random-init, but I don't know, if we can do that... ;-) Or maybe --random-device would also be appropriate.)
Mhmm, what about adding a configure switch to specify the default filename/device to use for seeding the PRNG (defaulting to /dev/urandom?). If that is non-readable, the driver will use the clock as fallback as always, if the given file is non-readable. Setting the filename to an empty string would also cause the driver to use the system clock.
One thing may be interesting as well: we could store the file name for the uptime and enable re-seeding the PRNG, e.g. by efun (specifying files similar to the garbage_collection() efun) or automatically at some point in the backend.
BTW: any autoconf experts there, who know some working magic to enable HAVE_SSE2 and -msse2 (and the corresponding altivec variants)? |
|
(0000821)
zesstra
2008-12-15 07:49
|
Fuchur asked about the difference in performance between SSE2-optimized and non-optimized versions of the SFMT (I don't have any PowerPC available for Altivec). His idea was to skip any automatic detection of SSE stuff during configure and don't use any fancy compiler settings.
Execution time for 300k numbers (including loop overhead):
foreach(int i: 300000) random(__INT_MAX__);
SFMT, i386: 172ms
SFMT, x86_64 85ms
SFMT-sse2, i386: 137ms
SFMT-sse2, x86_64: 82ms
As you see, there is no difference on x86_64 platforms. The reason is AFAIK, that on this platform gcc implicitely uses the SSE stuff, which is good news. On i386 platforms, there is a larger difference. Don't know, if it warrants the effort to find some autoconf magic...
One odd thing:
Old PRNG, i386: 101ms
Old PRNG, x86_64 80ms
As you see, the old PRNG ist actually faster than the new one. This should not be the case if you compare with the speed comparison the authors did:
http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/SFMT/speed.html |
|
(0000846)
zesstra
2009-01-03 16:48
|
Im preparing the latest SFMT patch now and will probably apply it tomorrow.
I added some improvements, e.g. changing the "public" functions of the the SFMT to static ones, because they are only used through the wrapper of the driver. Now the complete stuff of the PRG is inlined into one function (random_number).
Timings for 1000k numbers (foreach(int i: 1000000) random(__INT_MAX__);)
SFMT, 64: 285ms
SFMT, 32: 550ms
SFMT, 32-sse2: 470ms
Alt, 64: 255ms
Alt, 32: 475ms
I am still curious about this unexpected increase in execution time, but I guess, it is not that significant... Most of the time (about 65-75%) is spent in eval_instruction() anyway (according to a statistical sampling while generating random numbers), see below.
SFMT-32:
- 64.4%, eval_instruction, ldmud.random
- 12.7%, random_number, ldmud.random
- 8.1%, check_object_shadow, ldmud.random
- 4.1%, check_all_object_shadows, ldmud.random
- 3.5%, int_free_svalue, ldmud.random
- 3.5%, assert_stack_gap, ldmud.random
- 2.7%, free_svalue, ldmud.random
- 1.0%, f_random, ldmud.random
SFMT-32-sse2:
- 62.8%, eval_instruction, ldmud.random.sse2
- 12.1%, random_number, ldmud.random.sse2
- 9.4%, check_object_shadow, ldmud.random.sse2
- 4.6%, assert_stack_gap, ldmud.random.sse2
- 4.1%, free_svalue, ldmud.random.sse2
- 3.4%, check_all_object_shadows, ldmud.random.sse2
- 3.3%, int_free_svalue, ldmud.random.sse2
- 0.5%, f_random, ldmud.random.sse2
SFMT-64:
- 71.6%, eval_instruction, ldmud64.random
- 11.8%, random_number, ldmud64.random
- 7.5%, assert_stack_gap, ldmud64.random
- 4.3%, free_svalue, ldmud64.random
- 3.8%, int_free_svalue, ldmud64.random
- 1.0%, f_random, ldmud64.random
MT-32:
- 64.9%, eval_instruction, ldmud
- 9.0%, check_object_shadow, ldmud
- 6.6%, random_number, ldmud
- 4.4%, assert_stack_gap, ldmud
- 4.1%, int_free_svalue, ldmud
- 3.8%, check_all_object_shadows, ldmud
- 3.6%, genrand_int32, ldmud
- 3.1%, free_svalue, ldmud
- 0.6%, f_random, ldmud
MT-64
- 75.2%, eval_instruction, ldmud64
- 7.9%, assert_stack_gap, ldmud64
- 4.1%, random_number, ldmud64
- 4.1%, free_svalue, ldmud64
- 3.9%, genrand_int32, ldmud64
- 3.4%, int_free_svalue, ldmud64
- 1.4%, f_random, ldmud64 |
|
(0000847)
zesstra
2009-01-04 14:33
|
Committed as r2470. |
|
|
Notes |
(0001841)
_xtian_
2005-01-11 11:16
|
ah, and it could help MUDs prepare their switch to 3.3 by masking the efuns that are to vanish with an "obsolete" sefun |
|
(0001842)
_xtian_
2005-01-19 06:15
|
come to think about it "deprecated" probably wouldn't sound that harsh. |
|
(0001843)
zesstra
2010-02-12 19:14
|
Oh, BTW: I like that idea (Although it might be difficult to find a bit for that flag in the function header.) We have plenty of old nonsense floating around... I am surprised that I did not comment earlier. |
|
(0001844)
Coogan
2010-03-03 18:00
|
Years ago, I wrapped each obsoleted efun by an sefun of the same name, giving a warning each time it was used. In the second stage, the sefun throws an error, pointing to the particular successor function.
This way it's quite comfortable to switch to a more recent driver version with "vanished" efuns. |
|
(0001845)
zesstra
2010-03-03 18:11
|
Yes, that works good for efuns. But for them we have such a mechanism in the driver source which we also use (e.g. cat(), tail() in 3.3.x).
But in this case (lfuns, sefuns) it does not really work. You might define sefuns for obsolete lfuns, but you will have difficulties to defer from the sefun to private/protected lfuns. And if it triggers a warning on each call you might be flooded with scroll.
Additionally it does not catch call_others. You might define a call_other sefun and check on each call. But that introduces a signifcant slowdown for each call_other...
I think, the driver would be better suited, because it can do a lot things at compile-time and the remaining (call_other) much more efficient. |
|
(0001846)
Bardioc
2010-03-05 14:15
|
I would love to have this modifier! Even though EverLIB is not old, parts of the domains are, and this would help alot! |
|
(0001847)
zesstra
2010-03-07 12:02
|
I worked on this a bit. It is not committed to the driver sources yet, because I would like to have some comments first.
I added a modifier 'deprecated' for functions (in theory it could be extended to variables at some point), which will set TYPE_MOD_DEPRECATED in the function flags. Upon calling such a function (intra-object + sefuns) the compiler will issue a warning at compile-time. Callothers and lfun closure evaluations will cause a warning at runtime (this could trigger a huge number of warnings, be warned).
There are still two caveats to be solved:
1) the warning in case of lfun closures will not include the correct line number + defining program (the correct solution would be to check before pushing a new control stack frame, but therefore I need a possibility to get the function flags indepedent of setup_new_frame1()).
2) If you call a not-defined function and this will be defined later by inheritance/cross-definition the compiler will miss any deprecated modifier, because the call was generated when the flag was unknown.
You can find the changeset at: http://github.com/zesstra/ldmud-dev/compare/deprecated_mod and the deprecated_mod branch is at http://github.com/zesstra/ldmud-dev/tree/deprecated_mod. Comments welcome. |
|
(0001848)
zesstra
2010-03-10 16:29
|
BTW: Should it be possible to 'loose' the deprecated flags by redefining the function in inheritees?
Pro: I deprecate a specific function (e.g core lib) and don't care about redefined function as long as they don't call me.
Contra: Maybe I want to deprecate an interface as a whole, not only the function I define myself... |
|
(0001849)
_xtian_
2010-03-10 17:22
|
We would use "deprecated" if we want to change or eliminate parts of APIs. In that case we don't even want another user to keep on redefining that function - which he surely only did redefine in the first place to extend the inherited API.
In that case redefining the function will not work any more as expected and the user should be notified of this.
So: Pro: "deprecated" should not go away. |
|
(0001850)
_xtian_
2010-03-10 17:29
|
Concerning 2) (external declarations of functions):
In uni-libs, at least if we haven't diverged that much, we use external declarations quite a bit for the core living and player objects (the code is deployed over several inherits), so this limitation might be a bit hindering.
Could a work-around be to issue a warning if the compiler encounters a redefinition where not all declarations are "deprecated"? |
|
(0001851)
Gnomi
2010-03-11 04:55
|
I disagree. I might have a program with a function fun() that is perfectly valid and will stay. And just because some other program had a fun() that is now deprecated, this doesn't make my fun() invalid or deprecated as well, just because both programs were inherited together in another program. And I'd rather not differentiate between redefining a function and cross-defining it to another inherited program (because it's basically the same and moving a function to an inherited program should be a valid refactoring step, so it should behave similarly).
In other words, the deprecated flag should warn whenever the removal of that function declaration with this flag alters the behavior at the point of the warning (might not compile anymore or might call a function that was hidden until now). And when a deprecated function is redefined by a non-deprecated function the removal of the deprecated function changes nothing for the caller (which still calls the non-deprecated one), so no warning there. |
|
(0001852)
zesstra
2010-03-11 05:33
|
Right, so to summarize the two different wishes:
a) Gnomi wishes to deprecate functions
b) Xtian wishes to deprecate interfaces
Unfortunately both are mutually exclusive. Gnomi offered the opinion, that we probably can't do b) consistently. One issue is, that we can't prevent somebody from implementing a deprecated interface himself and not inheriting the original program defining the interface at all. Although that is IMHO very rare (might in theory be excluded by code-style conventions).
Actually I could probably use both a) and b) independently in our lib... ;-) Usually I would deprecate functions. But there are some exceptions. e.g. we have an interface do_wear() which is obsolete and we do things differently now. If a wizard redefined do_wear() and did not call ::do_wear() there would be no warning, but his do_wear() will a) do the wrong things to wear a piece of clothing or b) his object will completely miss when a player wears the object (e.g fail to enforce restrictions).
So far, I guess you would have to use first deprecated, then a deprecated+nomask empty function to deprecate interfaces. |
|
(0001853)
_xtian_
2010-03-11 14:01
|
Yes, my wish (point b) can actually be realized by using "deprecated" (as Gnomi argued) and "nomask", or even the "warn_nomask" (http://mantis.bearnip.com/view.php?id=734) idea.
Please note, that we once proposed a "required" modifier which guaranteed that a inherited function would call ::fun() (http://mantis.bearnip.com/view.php?id=352). All these suggestions come from the frustrating experiences of maintaining an API over decades and inexperienced programmers, btw so all have real used cases. (yes, I remember that "required" still had some difficulties) |
|
(0001854)
zesstra
2010-03-11 14:26
|
Yes, I fully share that frustration, we also have our share of ancient APIs and wizards who just copy a function from the core lib and the copy is never maintained anymore, gets no updates or bugfixes, until some ugly enough bug happens. (BTW: that suggestion about 'required' is still here in Mantis. Although I guess, we can't make it happen until we have a compiler which can analyze the execution flow. :-() |
|
(0001855)
zesstra
2010-03-14 10:54
|
Ah, concerning the issue with the cross-defined functions: IMHO it not so big as it seems.
If you have a (matching) prototype with deprecated, the driver will warn. If you don't have a prototype, AFAIK you can only call the function if the calling function is compiled without type testing (it has no function type, which is not allowed with anything other than weak_types.
If you don't call a function without prototype yourself, that leaves call_other and symbol_function at runtime. And at runtime, the flags from the cross-defined functions are available (and would contain the deprecated flag). |
|
(0001856)
zesstra
2010-03-14 11:40
|
Updated my test branch for this: the flag is now checked upon creation of closures, not at evaluation time (symbol_function, compiler (#'fun, #'::fun)). |
|
(0001857)
zesstra
2010-03-21 12:25
|
I added checks for usages of deprecated global variables and committed my patch series to the trunk of 3.5. for testing. |
|
(0001858)
zesstra
2010-04-29 14:10
|
Cloned the issue to LDMud-3.3. I think, we might backport in due time (so, after some months of maturing in 3.5.x). What do you think?
|
|
(0001997)
zesstra
2011-02-19 18:25
|
I backported the deprecated into 3.3/trunk as of r3004. |
|
|
Notes |
(0000298)
_xtian_
2005-01-11 11:16
|
ah, and it could help MUDs prepare their switch to 3.3 by masking the efuns that are to vanish with an "obsolete" sefun |
|
(0000310)
_xtian_
2005-01-19 06:15
|
come to think about it "deprecated" probably wouldn't sound that harsh. |
|
(0001718)
zesstra
2010-02-12 19:14
|
Oh, BTW: I like that idea (Although it might be difficult to find a bit for that flag in the function header.) We have plenty of old nonsense floating around... I am surprised that I did not comment earlier. |
|
(0001749)
Coogan
2010-03-03 18:00
|
Years ago, I wrapped each obsoleted efun by an sefun of the same name, giving a warning each time it was used. In the second stage, the sefun throws an error, pointing to the particular successor function.
This way it's quite comfortable to switch to a more recent driver version with "vanished" efuns. |
|
(0001750)
zesstra
2010-03-03 18:11
|
Yes, that works good for efuns. But for them we have such a mechanism in the driver source which we also use (e.g. cat(), tail() in 3.3.x).
But in this case (lfuns, sefuns) it does not really work. You might define sefuns for obsolete lfuns, but you will have difficulties to defer from the sefun to private/protected lfuns. And if it triggers a warning on each call you might be flooded with scroll.
Additionally it does not catch call_others. You might define a call_other sefun and check on each call. But that introduces a signifcant slowdown for each call_other...
I think, the driver would be better suited, because it can do a lot things at compile-time and the remaining (call_other) much more efficient. |
|
(0001767)
Bardioc
2010-03-05 14:15
|
I would love to have this modifier! Even though EverLIB is not old, parts of the domains are, and this would help alot! |
|
(0001768)
zesstra
2010-03-07 12:02
|
I worked on this a bit. It is not committed to the driver sources yet, because I would like to have some comments first.
I added a modifier 'deprecated' for functions (in theory it could be extended to variables at some point), which will set TYPE_MOD_DEPRECATED in the function flags. Upon calling such a function (intra-object + sefuns) the compiler will issue a warning at compile-time. Callothers and lfun closure evaluations will cause a warning at runtime (this could trigger a huge number of warnings, be warned).
There are still two caveats to be solved:
1) the warning in case of lfun closures will not include the correct line number + defining program (the correct solution would be to check before pushing a new control stack frame, but therefore I need a possibility to get the function flags indepedent of setup_new_frame1()).
2) If you call a not-defined function and this will be defined later by inheritance/cross-definition the compiler will miss any deprecated modifier, because the call was generated when the flag was unknown.
You can find the changeset at: http://github.com/zesstra/ldmud-dev/compare/deprecated_mod and the deprecated_mod branch is at http://github.com/zesstra/ldmud-dev/tree/deprecated_mod. Comments welcome. |
|
(0001776)
zesstra
2010-03-10 16:29
|
BTW: Should it be possible to 'loose' the deprecated flags by redefining the function in inheritees?
Pro: I deprecate a specific function (e.g core lib) and don't care about redefined function as long as they don't call me.
Contra: Maybe I want to deprecate an interface as a whole, not only the function I define myself... |
|
(0001778)
_xtian_
2010-03-10 17:22
|
We would use "deprecated" if we want to change or eliminate parts of APIs. In that case we don't even want another user to keep on redefining that function - which he surely only did redefine in the first place to extend the inherited API.
In that case redefining the function will not work any more as expected and the user should be notified of this.
So: Pro: "deprecated" should not go away. |
|
(0001779)
_xtian_
2010-03-10 17:29
|
Concerning 2) (external declarations of functions):
In uni-libs, at least if we haven't diverged that much, we use external declarations quite a bit for the core living and player objects (the code is deployed over several inherits), so this limitation might be a bit hindering.
Could a work-around be to issue a warning if the compiler encounters a redefinition where not all declarations are "deprecated"? |
|
(0001784)
Gnomi
2010-03-11 04:55
|
I disagree. I might have a program with a function fun() that is perfectly valid and will stay. And just because some other program had a fun() that is now deprecated, this doesn't make my fun() invalid or deprecated as well, just because both programs were inherited together in another program. And I'd rather not differentiate between redefining a function and cross-defining it to another inherited program (because it's basically the same and moving a function to an inherited program should be a valid refactoring step, so it should behave similarly).
In other words, the deprecated flag should warn whenever the removal of that function declaration with this flag alters the behavior at the point of the warning (might not compile anymore or might call a function that was hidden until now). And when a deprecated function is redefined by a non-deprecated function the removal of the deprecated function changes nothing for the caller (which still calls the non-deprecated one), so no warning there. |
|
(0001785)
zesstra
2010-03-11 05:33
|
Right, so to summarize the two different wishes:
a) Gnomi wishes to deprecate functions
b) Xtian wishes to deprecate interfaces
Unfortunately both are mutually exclusive. Gnomi offered the opinion, that we probably can't do b) consistently. One issue is, that we can't prevent somebody from implementing a deprecated interface himself and not inheriting the original program defining the interface at all. Although that is IMHO very rare (might in theory be excluded by code-style conventions).
Actually I could probably use both a) and b) independently in our lib... ;-) Usually I would deprecate functions. But there are some exceptions. e.g. we have an interface do_wear() which is obsolete and we do things differently now. If a wizard redefined do_wear() and did not call ::do_wear() there would be no warning, but his do_wear() will a) do the wrong things to wear a piece of clothing or b) his object will completely miss when a player wears the object (e.g fail to enforce restrictions).
So far, I guess you would have to use first deprecated, then a deprecated+nomask empty function to deprecate interfaces. |
|
(0001787)
_xtian_
2010-03-11 14:01
|
Yes, my wish (point b) can actually be realized by using "deprecated" (as Gnomi argued) and "nomask", or even the "warn_nomask" (http://mantis.bearnip.com/view.php?id=734) idea.
Please note, that we once proposed a "required" modifier which guaranteed that a inherited function would call ::fun() (http://mantis.bearnip.com/view.php?id=352). All these suggestions come from the frustrating experiences of maintaining an API over decades and inexperienced programmers, btw so all have real used cases. (yes, I remember that "required" still had some difficulties) |
|
(0001788)
zesstra
2010-03-11 14:26
|
Yes, I fully share that frustration, we also have our share of ancient APIs and wizards who just copy a function from the core lib and the copy is never maintained anymore, gets no updates or bugfixes, until some ugly enough bug happens. (BTW: that suggestion about 'required' is still here in Mantis. Although I guess, we can't make it happen until we have a compiler which can analyze the execution flow. :-() |
|
(0001794)
zesstra
2010-03-14 10:54
|
Ah, concerning the issue with the cross-defined functions: IMHO it not so big as it seems.
If you have a (matching) prototype with deprecated, the driver will warn. If you don't have a prototype, AFAIK you can only call the function if the calling function is compiled without type testing (it has no function type, which is not allowed with anything other than weak_types.
If you don't call a function without prototype yourself, that leaves call_other and symbol_function at runtime. And at runtime, the flags from the cross-defined functions are available (and would contain the deprecated flag). |
|
(0001797)
zesstra
2010-03-14 11:40
|
Updated my test branch for this: the flag is now checked upon creation of closures, not at evaluation time (symbol_function, compiler (#'fun, #'::fun)). |
|
(0001811)
zesstra
2010-03-21 12:25
|
I added checks for usages of deprecated global variables and committed my patch series to the trunk of 3.5. for testing. |
|
(0001870)
zesstra
2010-07-13 15:40
|
Ok, no complaints so far. Closing this one for now. |
|
|
Notes |
(0001279)
zesstra
2009-09-19 15:55
|
Just a spontaneous shot in the dark: something like this (segfaults in used libraries) may happen, if our memory allocator does not replace the system allocator reliably, openssl uses (partially) the system allocator and the two interfere. It seems unlikely in this particular case, but it is not much effort: You may just try --enable-malloc-sbrk=no and see if that changes anything. |
|
(0001444)
zesstra
2009-10-03 19:23
|
I just saw that there are references in the net to CRYPTO_malloc_init(), CRYPTO_set_mem_functions(), CRYPTO_set_mem_ex_functions(), CRYPTO_set_locked_mem_functions(), CRYPTO_set_locked_mem_ex_functions(). So there is a way to tell openssl to use a custom memory allocator. Which we use but don't tell openssl. Unfortunately - and quite typical for openssl - documentation seems to be missing. Or better: use the source, luke... *argl* |
|
(0001445)
zesstra
2009-10-04 05:22
|
I had a look at Coogans Coredump. Relevant stacktrace with data:
(gdb) bt full
#0 sk_value (st=0x84e5060, i=4) at stack.c:310
No locals.
0000001 0x00e54888 in ssl3_accept (s=0x84e5060) at s3_srvr.c:393
buf = <value optimized out>
l = <value optimized out>
Time = 1254609144
cb = (void (*)(const SSL *, int, int)) 0
num1 = <value optimized out>
ret = <value optimized out>
state = 8544
skip = <value optimized out>
0000002 0x00e6cd4a in SSL_accept (s=0x84e5060) at ssl_lib.c:850
No locals.
0000003 0x00e5ee40 in ssl23_get_client_hello (s=0x84e5060) at s23_srvr.c:568
buf_space = "\200d\001\003\001\000K\000\000\000\020"
p = (unsigned char *) 0x84e9b91 ""
d = (unsigned char *) 0x84da0cd ""
i = <value optimized out>
csl = 75
cl = <value optimized out>
n = 100
j = <value optimized out>
type = 2
0000004 0x00e5f738 in ssl23_accept (s=0x84e5060) at s23_srvr.c:203
buf = (BUF_MEM *) 0x84d7ae8
Time = 1254609144
cb = (void (*)(const SSL *, int, int)) 0
ret = <value optimized out>
state = 139350112
0000005 0x00e6c6e3 in SSL_do_handshake (s=0x84e5060) at ssl_lib.c:2085
ret = 0
0000005 0x00e6c6e3 in SSL_do_handshake (s=0x84e5060) at ssl_lib.c:2085
ret = 0
0000006 0x080dd7df in tls_continue_handshake (ip=0x84d9400) at pkg-tls.c:774
n = 139350112
ret = 1
0000007 0x080ddd38 in f_tls_init_connection (sp=0x8124e38, num_arg=3) at pkg-tls.c:1012
session = (SSL *) 0x84e5060
argp = (svalue_t *) 0x8124e38
ret = 0
obj = (object_t *) 0x84b3f84
ip = (interactive_t *) 0x84d9400
char *sk_value(const STACK *st, int i)
{
if(!st || (i < 0) || (i >= st->num)) return NULL;
return st->data[i];
}
It crashes upon st->data[i].
st is:
$3 = {num = 769, data = 0x2000, sorted = 15213344, num_alloc = 139295540,
comp = 0x84d7be8}
Clearly, 0x2000 is not mapped into the process memory, and the values for num_alloc and sorted look rather strange, num probably as well. The address 0x84d7be8 should be a function pointer to an openssl function. But as far as I can see, they are mapped somewhere around 0x00e.... and 0x84d7be8 is part of the heap.
Note that the given address for the st is 0x84e5060 which is the address of the SSL context/session. And that is:
(gdb) print *s
$1 = {version = 769, type = 8192, method = 0xe82320, rbio = 0x84d7b34, wbio = 0x84d7be8, bbio = 0x84d7be8, rwstate = 1, in_handshake = 2, ...
line 393 in s3_srvr.c is
ret=ssl3_send_certificate_request(s);
That one actually iterates over a stack in the session and calls sk_value (although it is called differently, these openssl people love playing tricks with defines). But strange enough, I would expect ssl3_send_certificate_request(s) to be in the stacktrace...
The stack is extracted from the SSL context by SSL_get_client_CA_list(). That one should return s->ctx->client_CA which is:
(gdb) print s->ctx->client_CA
$4 = (STACK *) 0x832fc58
(gdb) print *(s->ctx->client_CA)
$5 = {num = 1, data = 0x0, sorted = 0, num_alloc = 1886220131, comp = 0x8007461}
That would make more sense, but it is obviously not the address given to sk_value().
So... I don't know what openssl exactly does here... BTW: I assume, you use 0.9.8g-15+lenny5? |
|
(0001448)
zesstra
2009-10-04 13:01
|
I checked this afternoon with tubmuds settings and tubmuds public mudlib on MacOS 10.6 and Debian Lenny.
Debian Lenny: crash as Coogan described (openssl-0.9.8g-15+lenny5)
MacOS x86_64: driver not working at all
MacOS i386: no crash, TLS works fine. (openssl-0.9.8)
|
|
(0001449)
zesstra
2009-10-04 15:03
|
The stack used by the sk_value() which segfaults is tls_session->ctx->client_CA, which is als context->client_CA in pkg-tls.c, created during tls_global_init() by SSL_CTX_new().
After creation it is
(gdb) print *context->client_CA
$20 = {num = 0, data = 0x931abf8, sorted = 0, num_alloc = 4, comp = 0}
When we get a new ssl session in f_tls_init_connection(), that context contains already the wrong data:
SSL * session = SSL_new(context); // line 978
(gdb) print *session->ctx->client_CA
$13 = {num = 30, data = 0x20003, sorted = 170242664, num_alloc = 2, comp = 0x28}
So somewhere between tls_global_init() and f_tls_init_connection this context gets somehow changed. I tried to find out more by using gdb's watchpoints, but that seems to slow it down far to much. :-( |
|
(0001450)
zesstra
2009-10-04 16:21
|
Mhmm:
Hardware watchpoint 9: ((struct stack_st *) 154250276)->num
Old value = 150
New value = 978082211
0xb7db5032 in BN_lshift (r=0x9322a78, a=0x9322a78, n=320) at bn_shift.c:151
1: *(struct stack_st *) 154250276 = {num = 978082211, data = 0x35b5d4c7,
sorted = -557861449, num_alloc = 1591931666, comp = 0}
(gdb) list
146 f=a->d;
147 t=r->d;
148 t[a->top+nw]=0;
149 if (lb == 0)
150 for (i=a->top-1; i>=0; i--)
151 t[nw+i]=f[i];
152 else
153 for (i=a->top-1; i>=0; i--)
154 {
155 l=f[i];
(gdb) bt
#0 0xb7db5032 in BN_lshift (r=0x9322a78, a=0x9322a78, n=320) at bn_shift.c:151
0000001 0xb7dd5dc8 in DSA_generate_parameters_ex (ret=0x931a1cc, bits=1024, seed_in=0x0,
seed_len=<value optimized out>, counter_ret=0x0, h_ret=0x0, cb=0xbf9685f4)
at dsa_gen.c:236
0000002 0xb7dd7b43 in DSA_generate_parameters (bits=1024,
seed_in=0xbf968644 ";-) :-( :-) :-( $\223\021\b$\223\021\b9\223\021\b$\223\021\bN\223\021\b\003", seed_len=20, counter_ret=0x0, h_ret=0x0, callback=0, cb_arg=0x0)
at dsa_depr.c:99
0000003 0x080df54b in set_dhe1024 () at pkg-tls.c:130
0000004 0x080dfcec in tls_global_init () at pkg-tls.c:500
0000005 0x080b6a62 in main (argc=9, argv=0xbf9699d4) at main.c:390
(gdb) print *a
$39 = {d = 0x931abf8, top = 5, dmax = 16, neg = 0, flags = 0}
And then another:
Hardware watchpoint 9: ((struct stack_st *) 154250276)->num
Old value = 978082211
New value = 0
0x0804f4fa in _allocate_array (n=6, file=0x8107020 "interpret.c::allocate_uninit_array",
line=12370) at array.c:271
271 *svp++ = const0;
1: *(struct stack_st *) 154250276 = {num = 0, data = 0x35b5d4c7, sorted = -557861449,
num_alloc = 1591931666, comp = 0x931abdc}
(gdb) bt
#0 0x0804f4fa in _allocate_array (n=6,
file=0x8107020 "interpret.c::allocate_uninit_array", line=12370) at array.c:271
0000001 0x080948a0 in eval_instruction (first_instruction=0x94618cf "R\001\001\033",
initial_sp=0x8129a50) at interpret.c:12370
0000002 0x080a8cbf in apply_low (fun=0x92aa750 "inaugurate_master", ob=0x932afec, num_arg=1,
b_ign_prot=1) at interpret.c:21684
0000003 0x080a8f15 in sapply_int (fun=0x92aa750 "inaugurate_master", ob=0x932afec,
num_arg=1, b_find_static=1) at interpret.c:21796
0000004 0x080a94bd in apply_master_ob (fun=0x92aa750 "inaugurate_master", num_arg=1,
external=1) at interpret.c:22084
0000005 0x080b6e12 in main (argc=9, argv=0xbf9699d4) at main.c:483
And then it goes on and on and on with changing st->num, before finally transfer_svalue_no_free_spc() writes the 'final' data into it.
So somehow that memory range gets just used twice, because openssl gets it from a different allocator than our own. That is confirmed by undefining SBRK_OK in machine.h before make.
Sooooo.... Workaround for Coogan: disable SBRK_OK. Unfortunately, in 3.2 that does not work with --enable-malloc-sbrk=no which I mentioned earlier, because that does not exist anymore. Und obviously, our detection whether it is safe to use SBRK_OK and replace the system allocator is again not working.
I guess, the more libraries we optionally use, the more severe our problems with sbrk and replacing the system allocator get. I suggest to change our defaults in 3.3. and 3.5 (but that is a different issue). |
|
(0001451)
zesstra
2009-10-04 16:41
|
Coogan: please apply the attached patch and try on your system. I believe it will solve the immediate problem. At least it does on my test system.
BTW: Even the OpenSSL developers are sceptical, that all memory allocation and deallocation in openssl takes place by using the functions supplied by the user with CRYPTO_set_mem_functions(). (The function is even undocumented.) So I believe, there may be more issues like this.
The only proper and robust fix would be
a) not to use SBRK_OK and replace the memory allocators or
b) use mmap() for allocating memory.
b) is only possibly in 3.3 and 3.5 and a) increases memory allocator overhead because our allocator then uses the system allocator for getting memory. It is also not that easy, because it can't be configured by configure in 3.2 (but in 3.3 and 3.5). |
|
(0001469)
zesstra
2009-10-05 16:27
|
OK. For some reason, my idea yesterday was just plain wrong. Don't know why my test didn't crash, maybe I used the wrong binary. :-(
So, next gdb session today:
The client_CA stack is at 0x94594b4. I checked now all allocations and deallocations and finally found:
Breakpoint 18, sfree (ptr=0x94594b4) at smalloc.c:1147
1147 if (bsize > SMALL_BLOCK_MAX)
(gdb) print context->client_CA
$27 = (STACK *) 0x94594b4
(gdb) bt
#0 sfree (ptr=0x94594b4) at smalloc.c:1147
0000001 0x080f73d4 in xfree (ptr=0x94594b4) at smalloc.c:1245
0000002 0x080f88cd in pfree (p=0x94594b4) at smalloc.c:2891
0000003 0x080f89e2 in afree (p=0x94594b4) at smalloc.c:2987
0000004 0x080f988f in free (ptr=0x94594b4) at smalloc.c:3441
0000005 0xb7dc1cca in CRYPTO_free (str=0x94594b4) at mem.c:378
0000006 0xb7e2d925 in sk_free (st=0x94594b4) at stack.c:298
0000007 0xb7e2d979 in sk_pop_free (st=0x94594b4, func=0xb7e48880 <X509_NAME_free>)
at stack.c:291
0000008 0xb7f01006 in SSL_CTX_set_client_CA_list (ctx=0x944febc, name_list=0x94594b4)
at ssl_cert.c:549
0000009 0x080dd216 in tls_verify_init () at pkg-tls.c:395
0000010 0x080dd4c7 in tls_global_init () at pkg-tls.c:498
0000011 0x080b47ce in main (argc=9, argv=0xbf8a8914) at main.c:390
Ok... OpenSSL deliberately frees that stack.
static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
{
if (*ca_list != NULL)
sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
*ca_list=name_list;
}
Yeah, it frees the old content before storing the new pointer.
Now the problem:
We do in tls_verify_init():
stack = SSL_CTX_get_client_CA_list(context);
if (trustdirectory != NULL) {
SSL_add_dir_cert_subjects_to_stack(stack, trustdirectory);
}
if (stack != NULL) {
SSL_CTX_set_client_CA_list(context, stack);
}
So we set the old stack again. Now openssl frees the stack and stores the pointer to the stack it just free'd. No wonder that that stack is overwritten all the time. ;-)
|
|
(0001470)
zesstra
2009-10-05 17:01
|
I duplicated the fix for this issue in 3.3.x. This should now be fixed in r2755. |
|
(0001484)
Coogan
2009-10-06 03:10
|
Please be aware, that this is a report against LDMud-3.2. A fix for 3.5 and/or 3.3 is nice but does not help me here.
As this seems to be a regression since 3.2.14, it should also get fixed in the 3.2 trunk. |
|
(0001485)
Gnomi
2009-10-06 03:32
|
The last note was a little ambiguous. Zesstra took a fix for 3.3 and applied it to 3.2. So this bug is now fixed in the 3.2 trunk. |
|
|
Notes |
(0001025)
wedsall
2009-04-13 23:43
|
Some extra debugging:
slaballoc: no reorder: this 00002b8f445428e8 free 22, no next
slaballoc: alloc (80 + 16) 96 bytes -> [3]
slaballoc: block 00002b8f44568ed0 from freelist (next 00002b8f44568f30), slab 00002b8f44567d60 free 15
slaballoc: alloc (120 + 16) 136 bytes -> [8]
slaballoc: freshmem 00002b8f444fd8d8 from 00002b8f444fc310..00002b8f44500688
slaballoc: free 00002b8f43552858, offset 861, small 1
slaballoc: -> slab 00002b8f43550d70 [6], freelist 00002b8f43552d80, 22 free
slaballoc: no reorder: this 00002b8f43550d70 free 23, no next
slaballoc: alloc (80 + 16) 96 bytes -> [3]
slaballoc: block 00002b8f44568f30 from freelist (next 00002b8f44568f90), slab 00002b8f44567d60 free 14
2009.04.13 23:41:57 [xerq] select() returns 1, time() 1239680517
2009.04.13 23:41:57 [xerq] New command from driver.
[xerq] read: Success
2009.04.13 23:41:57 [xerq] Demon exiting. |
|
(0001026)
zesstra
2009-04-14 04:54
|
Well, thanks for the report. Unfortunately, this doesn't tell too much so far. We need at least a stack trace when the driver segfaults or a core dump. You could start the driver in a gdb session and list the stack trace after the segfault with 'bt full' or issue a 'ulimit -c unlimited' in the shell before you start the driver. Then a core dump will be written upon crashes in the / of the mudlib (which you can load into gdb and get the stack trace).
Some additional comments:
- The compiler settings from the INSTALL are an example from _my_ machine. The compiler settings you need for generating 64bit executables with your gcc may be different. Especially if you don't have any Intel Core-Duo processor, you should NOT use -mtune=core2.
- Are you using a plain 3.3.718 (without any patches/modifications)?
- Could you add the output of 'file' for the crashing ldmud executable and the ouput of 'gcc -v'?
- if you change compiler settings altering the architecture of the executable, please issue a 'make distclean' before calling 'configure'. Not doing this may create all sorts of problems leading to crashes.
- You may add a -ggdb3 for maximum debug information to the DEBUG variable in the Makefile.
- If the problem is completely reproducable, you could attempt to make a minimal test case (including minimal needed mudlib) so that we can try to reproduce it as well. |
|
(0001027)
wedsall
2009-04-14 09:22
|
Hello!
- Compiler settings. I'm not sure what to use, this is beyond me right now.
- Version. I've used both a vanilla version and my own version with two patches. I am seeing the same crash on a vanilla 3.3.718 as my patched version. I will include results from both versions just in case.
- ldmud: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), not stripped
Using built-in specs.
Target: x86_64-suse-linux
Configured with: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.2.1 --enable-ssp --disable-libssp --disable-libgcj --with-slibdir=/lib64 --with-system-zlib --enable-shared --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --program-suffix=-4.2 --enable-version-specific-runtime-libs --without-system-libunwind --with-cpu=generic --host=x86_64-suse-linux
Thread model: posix
gcc version 4.2.1 (SUSE Linux)
- Distclean - i will try this but i've used a brand new download of ldmud and recieved the same result.
- I will try the -ggdb3 next. |
|
(0001028)
wedsall
2009-04-14 09:23
|
Here is the gdb output from the current crash, without the ggdb3 flag.
df:/home/dragonfire/bin # gdb -c ../lib/core ldmud
GNU gdb 6.6.50.20070726-cvs
Copyright (C) 2007 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...
Using host libthread_db library "/lib64/libthread_db.so.1".
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /usr/lib64/libidn.so.11...done.
Loaded symbols for /usr/lib64/libidn.so.11
Reading symbols from /usr/lib64/libpcre.so.0...done.
Loaded symbols for /usr/lib64/libpcre.so.0
Reading symbols from /lib64/libz.so.1...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `/home/dragonfire/bin/ldmud --debug-file DF.debug.log'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004930d0 in f_functionlist (sp=0x76a120) at object.c:1883
1883 flags = fun[j];
(gdb) |
|
(0001029)
wedsall
2009-04-14 09:27
|
As I mentioned yesterday I have a development mudlib. I'm getting a different gdb result from this. Here it is:
df:/home/dragonfiredev/bin # gdb -c ../dev-lib/core ldmud
GNU gdb 6.6.50.20070726-cvs
Copyright (C) 2007 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: core file may not match specified executable file.
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /usr/lib64/libidn.so.11...done.
Loaded symbols for /usr/lib64/libidn.so.11
Reading symbols from /usr/lib64/libpcre.so.0...done.
Loaded symbols for /usr/lib64/libpcre.so.0
Reading symbols from /usr/lib64/libmysqlclient.so.15...done.
Loaded symbols for /usr/lib64/libmysqlclient.so.15
Reading symbols from /lib64/libz.so.1...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/lib64/libssl.so.0.9.8...done.
Loaded symbols for /usr/lib64/libssl.so.0.9.8
Reading symbols from /usr/lib64/libcrypto.so.0.9.8...done.
Loaded symbols for /usr/lib64/libcrypto.so.0.9.8
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Core was generated by `/home/dragonfiredev/bin/dev-ldmud -d --debug-file /home/dragonfiredev/DF.debug.'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004c6570 in crypt (buf=0x2b881f1eb061 "",
salt=0x2b881f11a3fa "2wSDC4Eu8m3YM") at hosts/crypt.c:543
543 ll = out[0]; l2c(ll,b); |
|
(0001030)
zesstra
2009-04-14 09:35
|
Ok, 'gcc -v' tells, that your gcc creates executables for the x86_64 architecture by default, without any special compiler settings/options. You can leave them just as they are and don't change anything. In fact, you have to change them if you want executables for the (32bit) i386 architecture, in many cases it will be -m32.
-ggdb3 won't change anything concerning the crash itself, but it adds information used in a debugger session (live or post-mortem by using a core dump). You may have to install 'gdb' for getting a stack trace then.
|
|
(0001031)
zesstra
2009-04-14 09:56
|
The crash in Note 0000624:0001028 seems to be the same one I described in bug 0000559. That one was fixed in revision 2492 in the trunk of the driver.
The other one in crypt() is unknown to me so far.
hosts/crypt.c implements crypt() in a portable way (e.g. for systems which don't have its own crypt()). But: most modern systems, and certainly your Suse-Linux include a crypt() implementation in its glibc. I suggest to use it by NOT using --enable-use-system-crypt=no. So either make it a --enable-use-system-crypt=yes or just delete the configure option from your settings. I guess, that crash was probably not noticed for a long time, because nearly nobody used the crypt()-implementation we include in the driver. (That said, it doesn't crash on my system.)
BTW: If you get a core dump, please keep exactly the same executable around which generated it (see gdb warning 'warning: core file may not match specified executable file.'). Otherwise a core dump looses much of its usefulness. (I usually archive the core dump and the corresponding executable in one directory or tar archive.) |
|
(0001032)
wedsall
2009-04-14 09:56
|
(gdb) bt
#0 0x00000000004937e8 in f_functionlist (sp=0x76a3c0) at object.c:1883
0000001 0x0000000000455d88 in eval_instruction (
first_instruction=0x2b2fa18c7baa "b\037", initial_sp=0x76a360)
at interpret.c:8148
0000002 0x000000000046d1c5 in apply_low (fun=0x2b2fa1853ac0, ob=0x2b2fa18a6968,
num_arg=0, b_ign_prot=false, allowRefs=false) at interpret.c:16949
0000003 0x000000000046d350 in int_apply (fun=0x2b2fa1853ac0, ob=0x2b2fa18a6968,
num_arg=0, b_ign_prot=false, b_use_default=true) at interpret.c:17027
0000004 0x0000000000468c95 in eval_instruction (
first_instruction=0x2b2fa18589db "bÂ", initial_sp=0x76a320)
at interpret.c:16297
0000005 0x000000000046efb7 in int_call_lambda (lsvp=0x76a320, num_arg=0,
allowRefs=false) at interpret.c:18030
0000006 0x0000000000473435 in v_funcall (sp=0x76a320, num_arg=1)
at interpret.c:20451
0000007 0x00000000004563db in eval_instruction (
first_instruction=0x2b2fa187702a "a\003\001\037", initial_sp=0x76a300)
at interpret.c:8297
0000008 0x000000000046eb96 in int_call_lambda (lsvp=0x76a2b0, num_arg=3,
allowRefs=false) at interpret.c:17913
0000009 0x0000000000473435 in v_funcall (sp=0x76a2e0, num_arg=4)
at interpret.c:20451
0000010 0x00000000004563db in eval_instruction (
---Type <return> to continue, or q <return> to quit---
first_instruction=0x2b2f9fb06bd3 "bÂ", initial_sp=0x76a290)
at interpret.c:8297
0000011 0x000000000046efb7 in int_call_lambda (lsvp=0x8784e0, num_arg=0,
allowRefs=false) at interpret.c:18030
0000012 0x0000000000492053 in reset_object (ob=0x2b2fa18a6968, arg=4)
at object.c:880
0000013 0x00000000004ce529 in load_object (lname=0x7fff0b095f10 "std/room",
create_super=true, depth=1, isMasterObj=false, chain=0x7fff0b095f70)
at simulate.c:2158
#14 0x00000000004ce0f6 in load_object (lname=0x832640 "std/room/objects",
create_super=false, depth=0, isMasterObj=false, chain=0x0)
at simulate.c:2045
#15 0x00000000004cedc7 in lookfor_object (str=0x2b2f9fb04e90, bLoad=true)
at simulate.c:2426
#16 0x00000000004d2c84 in f_load_object (sp=0x76a260) at simulate.c:4499
#17 0x0000000000455b86 in eval_instruction (
first_instruction=0x2b2fa18774fa "a\001\001\037", initial_sp=0x76a250)
at interpret.c:8098
#18 0x000000000046cdac in apply_low (fun=0x2b2f9faf9d38, ob=0x2b2f9fb21d20,
num_arg=1, b_ign_prot=true, allowRefs=false) at interpret.c:16836
#19 0x000000000046d350 in int_apply (fun=0x2b2f9faf9d38, ob=0x2b2f9fb21d20,
num_arg=1, b_ign_prot=true, b_use_default=false) at interpret.c:17027
#20 0x000000000046d7a0 in sapply_int (fun=0x2b2f9faf9d38, ob=0x2b2f9fb21d20,
---Type <return> to continue, or q <return> to quit---
num_arg=1, b_find_static=true, b_use_default=false) at interpret.c:17188
#21 0x000000000046e015 in apply_master_ob (fun=0x2b2f9faf9d38, num_arg=1,
external=false) at interpret.c:17491
#22 0x0000000000411254 in preload_objects (eflag=0) at backend.c:1288
#23 0x000000000047f1e6 in main (argc=3, argv=0x7fff0b098338) at main.c:620
(gdb) |
|
(0001033)
wedsall
2009-04-14 10:11
|
uploaded a full backtrace from my production lib and from my dev lib since they are producing slightly different output. |
|
(0001034)
zesstra
2009-04-14 10:15
|
Ok, I can reproduce the crash in the crypt() from hosts/crypt.c after all (did start the wrong executable in my first test *gna*), which is a NULL pointer dereference and doesn't seem to happen on the i386 platform. I will investigate it this evening.
For the moment as immediate bugfixes: use the system crypt() for this issue. For the other crash in f_functionlist() you may either use the current trunk in our svn or extract patch for r2492 from it. (If you don't know how to do this, I could send you the patch after work, but knowing our subversion repository may be advantagous anyway. *g*)
|
|
(0001035)
wedsall
2009-04-14 13:26
|
Im trying to use the latest trunk but it freaks out immediately on make.
It seems to not like lines like this "@cdef_use_gcrypt@ USE_GCRYPT" in config.h
df:/home/dragonfire/ldmud-3.3.718-latest/src # make
./mk-patchlevel.sh
gcc -std=gnu99 -I/usr/include/pgsql -I/usr/include/mysql -g -Wall -Wparentheses -Wshadow -DMUD_LIB='"/home/dragonfire/lib"' -DBINDIR='"/home/dragonfire/bin"' -DERQ_DIR='"/home/dragonfire/libexec"' -c -o access_check.o access_check.c
In file included from driver.h:15,
from access_check.c:92:
config.h:348: error: stray â@â in program
Am I missing a step in preparing the trunk version before compiling? |
|
(0001036)
Gnomi
2009-04-14 13:35
|
There is a script called autogen.sh, that should be executed to regenerate the configure script. |
|
(0001037)
zesstra
2009-04-14 14:08
|
des_set_key() assumes that longs are 4 byte long. If the longs are 8 bytes long, the function overwrites 128 bytes following one of its buffers. Unfortunately, a pointer is located after that buffer and overwritten. This leads to a crash upon dereferencing it.
des_set_key() is designed to work in 4-byte long blocks (Shifts, Ands) and uses 16 iterations to write a 128 char long buffer in two 4-char long writes per iteration. The immediate solution would be to use a datatype with a length of 4 instead of longs.
But as we think of removing hosts/ altogether for some time, I suggest not to fix this code, but remove it. POSIX requires a crypt(), so there should be no negative consequences to always use the system crypt().
|
|
(0001038)
wedsall
2009-04-14 14:39
|
Thanks for the responses.
After running autogen.sh my production lib will compile well but still crashes on crypt.
Zesstra I'm gathering that your solution is to use the system crypt but I'm not sure how to do this. Do I need to modify the crypt.c or modify my mudlib? |
|
(0001039)
zesstra
2009-04-14 15:07
|
No, just delete the --enable-use-system-crypt=no from your configure call in the script you use to call configure. |
|
(0001040)
wedsall
2009-04-15 00:40
|
This appears to have resolved my problems! The mud has been running error free for about 4 hours -- migrated the sql databases and tested those.
Thank you very much for your help and consulting. |
|
(0001046)
zesstra
2009-04-16 14:21
|
I attached two patches, which removes hosts/. |
|
(0001084)
zesstra
2009-05-06 16:25
|
The possibility for not using the system supplied crypt() (that means: our own from hosts/) was removed in r2565 along with the whole hosts/ directory. |
|
|
View Issue Details |
|
|
ID: |
Category: |
Severity: |
Reproducibility: |
Date Submitted: |
Last Update: |
|
611 |
[LDMud 3.3] Runtime |
crash |
always |
2009-03-10 16:03 |
2009-03-12 18:08 |
|
|
Reporter: |
zesstra |
Platform: |
x86_64 |
|
|
Assigned To: |
zesstra |
OS: |
MacOS X |
|
|
Priority: |
normal |
OS Version: |
10.5.x |
|
|
Status: |
resolved |
Product Version: |
3.3.718 |
|
|
Product Build: |
r2524 |
Resolution: |
fixed |
|
|
Projection: |
none |
|
|
|
|
ETA: |
none |
Fixed in Version: |
3.3.719 |
|
|
|
|
Target Version: |
3.3.719 |
|
|
|
Summary: |
Crash in remove_from_free_list() during restore_object() |
|
Description: |
When compiled for x86_64 (-m64 -mtune=core2), the driver crashes upon loading a specific savefile on my system. On a i386 platform or with a different savefile there is no problem.
It seems to be some kind of memory problem/corruption.
2009.03.10 20:44:37 Seeding PRNG from /dev/urandom.
2009.03.10 20:44:37 LDMud 3.3.718 (Build $Revision$) (stable)
2009.03.10 20:44:37 Hostname 'phoenix' address '192.168.178.28'
2009.03.10 20:44:37 UDP port 4246 already bound!
2009.03.10 20:44:37 No simul_efun
2009.03.10 20:45:00 remove_from_free_list: block 0x101be2100, magic match failed: expected 3752850158, found 0
2009.03.10 20:45:00 Current object was secure/errord
2009.03.10 20:46:51 LDMud aborting on fatal error.
I have prepared a stripped mudlib and the savefile as test case, but I would not like to publish the savefile at this point as there may be some private data in it.
The problem occurs also in older versions (tested 100 revisions back) of the driver but not with standard configure settings, therefore I will attach my machine.h and config.h as well for the record.
|
|
Tags: |
|
|
Steps To Reproduce: |
export CFLAGS="-m64 -mtune=core2 -ggdb3 -O0"
export LDFLAGS="-m64 -mtune=core2 -ggdb3 -O0"
export EXTRA_CFLAGS=$CFLAGS
(use attached machine.h and config.h)
make
./ldmud -m /path/to/test/case 4713
|
|
Additional Information: |
(gdb) bt full
#0 fatal (fmt=0x10011a950 "remove_from_free_list: block %p, magic match failed: expected %lu, found %lu\n") at simulate.c:651
va = {{
gp_offset = 48,
fp_offset = 48,
overflow_arg_area = 0x7fff5fbfb4a8,
reg_save_area = 0x7fff5fbfb3d0
}}
ts = 0x1001406a0 "2009.03.10 20:46:51"
0000001 0x00000001000f9770 in remove_from_free_list (ptr=0x101be2100) at slaballoc.c:2309
p = (struct free_block *) 0x101ba2000
q = (struct free_block *) 0x7fff5fbfb560
r = (struct free_block *) 0x40100
s = (struct free_block *) 0x101ba1ff8
t = (struct free_block *) 0x101be20c8
0000002 0x00000001000faa39 in add_large_free (ptr=0x101ba2000, block_size=32800) at slaballoc.c:3037
No locals.
0000003 0x00000001000fae4a in large_malloc (size=1749, force_more=false) at slaballoc.c:3293
chunk_size = 262400
block_size = 32800
extra = 64
real_size = 4323311736
ptr = (word_t *) 0x101ba2000
orig_size = 13968
mess = "HARD_MALLOC_LIMIT reached.\n"
0000004 0x00000001000f89b2 in mem_alloc (size=96) at slaballoc.c:1719
numObjects = 145
slabSize = 13968
slab = (mslab_t *) 0x7fff5fbfb7a0
block = (word_t *) 0x0
ix = 3
0000005 0x00000001000fc795 in xalloc_traced (size=80, malloc_trace_file=0x100111b30 "mapping.c", malloc_trace_line=335) at xalloc.c:565
p = (word_t *) 0x101b5d8a0
0000006 0x0000000100086d09 in new_map_chain (m=0x101b48f60) at mapping.c:335
rc = (map_chain_t *) 0xb
0000007 0x00000001000868c1 in _get_map_lvalue (m=0x101b48f60, map_index=0x7fff5fbfb7a0, need_lvalue=true, check_size=false) at mapping.c:1007
mc = (map_chain_t *) 0x0
hm = (mapping_hash_t *) 0x101b0dbb8
entry = (svalue_t *) 0x0
idx = -1
local_const0 = {
type = 0,
x = {
exponent = 0,
closure_type = 0,
quotes = 0,
num_arg = 0,
extern_args = 0,
generic = 0
},
u = {
str = 0x0,
charp = 0x0,
number = 0,
ob = 0x0,
vec = 0x0,
strct = 0x0,
map = 0x0,
lambda = 0x0,
mantissa = 0,
cb = 0x0,
generic = 0x0,
lvalue = 0x0,
protected_lvalue = 0x0,
protected_char_lvalue = 0x0,
protected_range_lvalue = 0x0,
error_handler = 0
}
}
0000008 0x00000001000a27e5 in restore_mapping (svp=0x101b41e40, str=0x7fff5fbfbc68) at object.c:7416
z = (mapping_t *) 0x101b48f60
key = {
type = 3,
x = {
exponent = 32352,
closure_type = 32352,
quotes = 32352,
num_arg = 32352,
extern_args = 32352,
generic = 32352
},
u = {
str = 0x101023f30,
charp = 0x101023f30 "?",
number = 4311891760,
ob = 0x101023f30,
vec = 0x101023f30,
strct = 0x101023f30,
map = 0x101023f30,
lambda = 0x101023f30,
mantissa = 4311891760,
cb = 0x101023f30,
generic = 0x101023f30,
lvalue = 0x101023f30,
protected_lvalue = 0x101023f30,
protected_char_lvalue = 0x101023f30,
protected_range_lvalue = 0x101023f30,
error_handler = 0x101023f30
}
}
data = (svalue_t *) 0x101b41970
i = 1
tmp_par = {
str = 0x101b5d957 ",]),\"GUILD.magie_sp\":([\"2ab8fcc56cf505567837f5a565c51760\":([\"F_UID\":\"GUILD.magie_sp\",\"F_CLI\":\"konzentriere\",\"F_MSG\":\"Numeric overflow: 1235742139 + 1235742515\\n\",\"F_OBJ\":\"spellbooks/magie_sp\",\"F_TYPE\""...,
num_values = 1
}
siz = 4
0000009 0x00000001000a15b4 in restore_svalue (svp=0x101b41e40, pt=0x7fff5fbfbc68, delimiter=44 ',') at object.c:8330
cp = 0x101b5d507 "([F_UID"
0000010 0x00000001000a2868 in restore_mapping (svp=0x101b41ea0, str=0x7fff5fbfbc68) at object.c:7430
z = (mapping_t *) 0x101b49040
key = {
type = 0,
x = {
exponent = -26192,
closure_type = -26192,
quotes = -26192,
num_arg = -26192,
extern_args = -26192,
generic = -26192
},
u = {
str = 0x10101ccd8,
charp = 0x10101ccd8 "\003",
number = 4311862488,
ob = 0x10101ccd8,
vec = 0x10101ccd8,
strct = 0x10101ccd8,
map = 0x10101ccd8,
lambda = 0x10101ccd8,
mantissa = 4311862488,
cb = 0x10101ccd8,
generic = 0x10101ccd8,
lvalue = 0x10101ccd8,
protected_lvalue = 0x10101ccd8,
protected_char_lvalue = 0x10101ccd8,
protected_range_lvalue = 0x10101ccd8,
error_handler = 0x10101ccd8
}
}
data = (svalue_t *) 0x101b41e50
i = 0
tmp_par = {
str = 0x101b5d95a ",\"GUILD.magie_sp\":([\"2ab8fcc56cf505567837f5a565c51760\":([\"F_UID\":\"GUILD.magie_sp\",\"F_CLI\":\"konzentriere\",\"F_MSG\":\"Numeric overflow: 1235742139 + 1235742515\\n\",\"F_OBJ\":\"spellbooks/magie_sp\",\"F_TYPE\":1,"...,
num_values = 1
}
siz = 0
0000011 0x00000001000a15b4 in restore_svalue (svp=0x101b41ea0, pt=0x7fff5fbfbc68, delimiter=44 ',') at object.c:8330
cp = 0x101b5d4e2 "([8d0dafe4d88b33055fe33bf6444d2cb5"
0000012 0x00000001000a2868 in restore_mapping (svp=0x101028000, str=0x7fff5fbfbc68) at object.c:7430
z = (mapping_t *) 0x101018aa0
key = {
type = 0,
x = {
exponent = 21232,
closure_type = 21232,
quotes = 21232,
num_arg = 21232,
extern_args = 21232,
generic = 21232
},
u = {
str = 0x101ae2978,
charp = 0x101ae2978 "\005",
number = 4323158392,
ob = 0x101ae2978,
vec = 0x101ae2978,
strct = 0x101ae2978,
map = 0x101ae2978,
lambda = 0x101ae2978,
mantissa = 4323158392,
cb = 0x101ae2978,
generic = 0x101ae2978,
lvalue = 0x101ae2978,
protected_lvalue = 0x101ae2978,
protected_char_lvalue = 0x101ae2978,
protected_range_lvalue = 0x101ae2978,
error_handler = 0x101ae2978
}
}
data = (svalue_t *) 0x101b41eb0
i = 0
tmp_par = {
str = 0x101b6064a ",2:([\"wurzel\":([\"c0241c77a1f505027d6d323292ad0e4f\":([\"F_UID\":\"wurzel\",\"F_MSG\":\"Call from destructed object 'players/wurzel/obj/aids#4828017' ignored.\\n\",\"F_OBJ\":\"/players/wurzel/obj/aids#4828017\",\"F_T"...,
num_values = 1
}
siz = 6
0000013 0x00000001000a15b4 in restore_svalue (svp=0x101028000, pt=0x7fff5fbfbc68, delimiter=44 ',') at object.c:8330
cp = 0x101b5104b "([rimus"
#14 0x00000001000a2868 in restore_mapping (svp=0x1010240d0, str=0x7fff5fbfbc68) at object.c:7430
z = (mapping_t *) 0x101018b10
key = {
type = 0,
x = {
exponent = 2,
closure_type = 2,
quotes = 2,
num_arg = 2,
extern_args = 2,
generic = 2
},
u = {
str = 0x1,
charp = 0x1 <Address 0x1 out of bounds>,
number = 1,
ob = 0x1,
vec = 0x1,
strct = 0x1,
map = 0x1,
lambda = 0x1,
mantissa = 1,
cb = 0x1,
generic = 0x1,
lvalue = 0x1,
protected_lvalue = 0x1,
protected_char_lvalue = 0x1,
protected_range_lvalue = 0x1,
error_handler = 0x1
}
}
data = (svalue_t *) 0x101028010
i = 0
tmp_par = {
str = 0x101ba1eb3 "\n",
num_values = 1
}
siz = 3
#15 0x00000001000a15b4 in restore_svalue (svp=0x1010240d0, pt=0x7fff5fbfbc68, delimiter=10 '\n') at object.c:8330
cp = 0x101b51047 "([1:([rimus"
#16 0x00000001000a3b38 in f_restore_object (sp=0x100171000) at object.c:9004
v = (svalue_t *) 0x1010240d0
pt = 0x101b5d8ac "\"8d0dafe4d88b33055fe33bf6444d2cb5\",\"F_MODSTAMP\":1234487099,\"F_LOADNAME\":\"/d/wald/seleven/nelfen/npc/bewohner/fuerst\",\"F_READSTAMP\":1236199850,\"F_CREATESTAMP\":1234487099,]),]),\"GUILD.magie_sp\":([\"2ab8f"...
restored_version = 1
name = 0x101031ad8 "secure/ARCH/errord.o"
file = 0x101018c7a "/secure/ARCH/errord"
lineno = 2
var = (string_t *) 0x101028108
buff = 0x101b51040 "errors"
cur = 0x101b51040 "errors"
space = 0x101b51046 ""
ob = (object_t *) 0x101b0ee88
len = 18
f = (FILE *) 0x7fff700754d8
st = {
st_dev = 234881029,
st_ino = 13515213,
st_mode = 33184,
st_nlink = 1,
st_uid = 1000,
st_gid = 1000,
st_rdev = 0,
st_atimespec = {
tv_sec = 1236713868,
tv_nsec = 0
},
st_mtimespec = {
tv_sec = 1236681948,
tv_nsec = 0
},
st_ctimespec = {
tv_sec = 1236708856,
tv_nsec = 0
},
st_size = 331399,
st_blocks = 648,
st_blksize = 4096,
st_flags = 0,
st_gen = 0,
st_lspare = 0,
st_qspare = {0, 0}
}
arg = (svalue_t *) 0x100170ff0
var_rest = 3
num_var = 3
rover = (variable_t *) 0x101b0eda0
rcp = (restore_cleanup_t *) 0x101018bf0
ctx = (struct restore_context_s *) 0x101027f88
nesting = 1
#17 0x0000000100055d9d in eval_instruction (first_instruction=0x101b0ed2a "?\003\034\003Q\\\n", initial_sp=0x100170fe0) at interpret.c:8103
code = 68
pc = (bytecode_p) 0x101b0ed34 "k\037\020?"
fp = (svalue_t *) 0x100170ff0
sp = (svalue_t *) 0x100170ff0
num_arg = -1
instruction = 296
full_instr = 296
expected_stack = (svalue_t *) 0x0
ap = (svalue_t *) 0x100170ff0
use_ap = false
off_tab = {0, 8, 24, 56, 120, 248, 504, 1016, 2040, 4088, 8184, 16376, 32760, 65528, 131064, 262136, 524280, 1048568, 2097144, 4194296}
#18 0x000000010006e28f in apply_low (fun=0x101027088, ob=0x101b0ee88, num_arg=1, b_ign_prot=true, allowRefs=false) at interpret.c:16954
flags = 24
funstart = (fun_hdr_p) 0x101b0ed28 ""
fx = 0
progp = (program_t *) 0x101b0ec60
save_csp = (struct control_stack *) 0x1001905c0
ix = 29065
#19 0x000000010006e449 in int_apply (fun=0x101027088, ob=0x101b0ee88, num_arg=1, b_ign_prot=true, b_use_default=true) at interpret.c:17032
No locals.
#20 0x000000010006e901 in sapply_int (fun=0x101027088, ob=0x101b0ee88, num_arg=1, b_find_static=true, b_use_default=true) at interpret.c:17193
expected_sp = (svalue_t *) 0x100170fe0
#21 0x000000010009606a in reset_object (ob=0x101b0ee88, arg=5) at object.c:899
No locals.
#22 0x00000001000dcef9 in load_object (lname=0x10042a980 "secure/errord", create_super=false, depth=0, isMasterObj=false, chain=0x0) at simulate.c:2152
svp = (svalue_t *) 0x101024100
j = -1
save_current = (object_t *) 0x101ae4878
fd = 5
ob = (object_t *) 0x101b0ee88
save_command_giver = (object_t *) 0x0
i = 12
c_st = {
st_dev = 234881029,
st_ino = 13515208,
st_mode = 33188,
st_nlink = 1,
st_uid = 1000,
st_gid = 1000,
st_rdev = 0,
st_atimespec = {
tv_sec = 1236713853,
tv_nsec = 0
},
st_mtimespec = {
tv_sec = 1236710176,
tv_nsec = 0
},
st_ctimespec = {
tv_sec = 1236710176,
tv_nsec = 0
},
st_size = 831,
st_blocks = 8,
st_blksize = 4096,
st_flags = 0,
st_gen = 0,
st_lspare = 0,
st_qspare = {0, 0}
}
name_length = 13
name = 0x10100dee8 "/secure/errord"
fname = 0x10100def8 "secure/errord.c"
prog = (program_t *) 0x101b0ec60
nlink = {
prev = 0x0,
name = 0x10100dee9 "secure/errord"
}
#23 0x00000001000dd7fc in lookfor_object (str=0x101ae0c38, bLoad=true) at simulate.c:2420
ob = (object_t *) 0x0
pName = 0x10042a980 "secure/errord"
isMasterObj = false
#24 0x00000001000e1a0e in f_load_object (sp=0x100170fd0) at simulate.c:4493
ob = (object_t *) 0x200000000
#25 0x0000000100055d9d in eval_instruction (first_instruction=0x101b0c5c6 "\036", initial_sp=0x100170fc0) at interpret.c:8103
code = 36
pc = (bytecode_p) 0x101b0c5ca "?b\\\031"
fp = (svalue_t *) 0x100170fb0
sp = (svalue_t *) 0x100170fd0
num_arg = -1
instruction = 264
full_instr = 264
expected_stack = (svalue_t *) 0x0
ap = (svalue_t *) 0x100170fb0
use_ap = false
off_tab = {0, 8, 24, 56, 120, 248, 504, 1016, 2040, 4088, 8184, 16376, 32760, 65528, 131064, 262136, 524280, 1048568, 2097144, 4194296}
#26 0x00000001000d9484 in catch_instruction (flags=0, offset=5, i_sp=0x10046f350, i_pc=0x101b0c5c6 "\036", i_fp=0x100170fb0, reserve_cost=4000, i_context=0x0) at simulate.c:449
rc = false
old_out_of_memory = false
new_pc = (bytecode_p) 0x101b0c5cb "b\\\031"
#27 0x00000001000582f1 in eval_instruction (first_instruction=0x101b0c5c2 "a\037", initial_sp=0x100170fb0) at interpret.c:9511
offset = 5
flags = 0
reserve_cost = 4000
pc = (bytecode_p) 0x101b0c5c6 "\036"
fp = (svalue_t *) 0x100170fb0
sp = (svalue_t *) 0x100170fc0
num_arg = -1
instruction = 31
full_instr = 31
expected_stack = (svalue_t *) 0x0
ap = (svalue_t *) 0x100170fd0
use_ap = false
off_tab = {0, 8, 24, 56, 120, 248, 504, 1016, 2040, 4088, 8184, 16376, 32760, 65528, 131064, 262136, 524280, 1048568, 2097144, 4194296}
#28 0x000000010006e28f in apply_low (fun=0x101004898, ob=0x101ae4878, num_arg=1, b_ign_prot=true, allowRefs=false) at interpret.c:16954
flags = 16777392
funstart = (fun_hdr_p) 0x101b0c5c0 "\001"
fx = 8
progp = (program_t *) 0x101b0c460
save_csp = (struct control_stack *) 0x1001904c0
ix = 18842
#29 0x000000010006e449 in int_apply (fun=0x101004898, ob=0x101ae4878, num_arg=1, b_ign_prot=true, b_use_default=false) at interpret.c:17032
No locals.
#30 0x000000010006e901 in sapply_int (fun=0x101004898, ob=0x101ae4878, num_arg=1, b_find_static=true, b_use_default=false) at interpret.c:17193
expected_sp = (svalue_t *) 0x100170fa0
#31 0x000000010006f326 in apply_master_ob (fun=0x101004898, num_arg=1, external=false) at interpret.c:17503
reserve_used = false
error_recovery_info = {
rt = {
last = 0x100140700,
type = 2
},
flags = 1606413488,
con = {
text = {1511344, 1, 1606413664, 32767, 1606413424, 32767, 0, 0, 0, 0, 0, 0, 0, 0, 455262, 1, 530, 0, 8112, 1606353791, 0, 32767, 1, 1572864, 1, 0, 0, 28199032, 1, 1606413712, 32767, 28199032, 1, 16904192, 1, 1606413632, 32767}
}
}
save_sp = (svalue_t *) 0x100170fb0
save_csp = (struct control_stack *) 0x100190440
result = (svalue_t *) 0x10000e6fb
eval_cost_reserve = 1024
#32 0x000000010000e65e in preload_objects (eflag=0) at backend.c:1293
prefiles = (vector_t *) 0x1010249c0
ret = (svalue_t *) 0x100136e00
ix = 0
ix0 = 0
num_prefiles = 1
#33 0x0000000100082333 in main (argc=4, argv=0x7fff5fbff250) at main.c:630
i = 5
p = 0x7fff5fbff1f4 "\005"
set = 8192
rc = 0
Trace dump:
secure/master secure/master.c line 144
0x101b0c87a: 10 0 cstring0 (0: -1) line 144
0x101b0c87c: 24 return (1: 0)
0x101b0c52a: 10 0 cstring0 (0: 0) line 8
0x101b0c52c: 309 81 seteuid (1: 1)
0x101b0c52e: 92 pop_value (1: 1)
0x101b0c52f: 18 19 clit (0: 0) line 9
0x101b0c531: 10 1 cstring0 (1: 1)
0x101b0c533: 366 36 set_driver_hook (2: 2) line 16
0x101b0c535: 18 12 clit (0: 0) line 17
0x101b0c537: 10 2 cstring0 (1: 1)
0x101b0c539: 10 3 cstring0 (2: 2)
0x101b0c53b: 10 4 cstring0 (3: 3)
0x101b0c53d: 166 3 aggregate (4: 4)
0x101b0c540: 366 36 set_driver_hook (2: 2)
0x101b0c542: 18 6 clit (0: 0) line 18
0x101b0c544: 10 5 cstring0 (1: 1)
0x101b0c546: 366 36 set_driver_hook (2: 2)
0x101b0c548: 18 5 clit (0: 0) line 19
0x101b0c54a: 10 5 cstring0 (1: 1)
0x101b0c54c: 366 36 set_driver_hook (2: 2)
0x101b0c54e: 18 4 clit (0: 0) line 20
0x101b0c550: 10 6 cstring0 (1: 1)
0x101b0c552: 366 36 set_driver_hook (2: 2)
0x101b0c554: 18 2 clit (0: 0) line 21
0x101b0c556: 184 no_warn_deprecated (1: 1)
0x101b0c557: 22 2 closure (1: 1)
0x101b0c55c: 366 36 set_driver_hook (2: 2)
0x101b0c55e: 97 save_arg_frame (0: 0) line 23
0x101b0c55f: 10 7 cstring0 (1: 1)
0x101b0c561: 292 64 quote (2: 2)
0x101b0c563: 15 const0 (2: 2)
0x101b0c564: 374 44 symbol_function (3: 3)
0x101b0c566: 10 8 cstring0 (2: 2)
0x101b0c568: 411 21 funcall (3: 3)
0x101b0c56a: 98 restore_arg_frame (2: 2)
0x101b0c56b: 106 branch_when_zero (1: 1)
0x101b0c57e: 25 return0 (0: 0) line 24
secure/master program deallocated line 0
0x7fff5fbfecf0: 392 0 allocate (1: 0) line 0
0x7fff5fbfecf2: 24 return (1: 0)
secure/master secure/master.c line 29
0x101b0c59a: 10 0 cstring0 (0: 0) line 29
0x101b0c59c: 309 81 seteuid (1: 1)
0x101b0c59e: 92 pop_value (1: 1)
0x101b0c59f: 10 10 cstring0 (0: 0) line 31
0x101b0c5a1: 166 1 aggregate (1: 1)
0x101b0c5a4: 24 return (1: 1)
0x101b0c5c2: 97 save_arg_frame (0: 0) line 35
0x101b0c5c3: 31 1280 catch (1: 1)
0x101b0c5c6: 30 0 local (1: 1)
0x101b0c5c8: 264 load_object (2: 2)
0x101b0c8e2: 97 save_arg_frame (0: 5) line 150
0x101b0c8e3: 30 0 local (1: 6)
0x101b0c8e5: 171 previous_object0 (2: 7)
0x101b0c8e6: 110 call_function (3: 8)
0x101b0c7e2: 96 514 clear_locals (0: 10) line 114
0x101b0c7e5: 30 0 local (0: 10) line 117
0x101b0c7e7: 201 stringp (1: 11)
0x101b0c7e8: 60 ! (1: 11)
0x101b0c7e9: 39 4 || (1: 11)
0x101b0c7eb: 30 1 local (0: 10)
0x101b0c7ed: 196 objectp (1: 11)
0x101b0c7ee: 60 ! (1: 11)
0x101b0c7ef: 106 branch_when_zero (1: 11)
0x101b0c7f3: 97 save_arg_frame (0: 10) line 120
0x101b0c7f4: 30 0 local (1: 11)
0x101b0c7f6: 110 call_function (2: 12)
0x101b0c5ea: 96 769 clear_locals (0: 16) line 39
0x101b0c5ed: 30 0 local (0: 16) line 42
0x101b0c5ef: 196 objectp (1: 17)
0x101b0c5f0: 106 branch_when_zero (1: 17)
0x101b0c601: 30 0 local (0: 16) line 44
0x101b0c603: 201 stringp (1: 17)
0x101b0c604: 106 13 branch_when_zero (1: 17)
0x101b0c606: 97 save_arg_frame (0: 16) line 45
0x101b0c607: 30 0 local (1: 17)
0x101b0c609: 15 const0 (2: 18)
0x101b0c60a: 110 call_function (3: 19)
secure/master secure/master/file_access.c line 6
0x10103f9f2: 96 514 clear_locals (0: 22) line 6
0x10103f9f5: 30 0 local (0: 22) line 9
0x10103f9f7: 107 branch_when_non_zero (1: 23)
0x10103f9fe: 30 0 local (0: 22) line 11
0x10103fa00: 15 const0 (1: 23)
0x10103fa01: 184 no_warn_deprecated (2: 24)
0x10103fa02: 61 index (2: 24)
0x10103fa03: 28 switch (1: 23)
0x10103faaa: 30 1 local (0: 22) line 29
0x10103faac: 38 -12543 && (1: 23)
0x10103faaf: 38 && (1: 23)
0x10103fab7: 38 && (1: 23)
0x10103fac1: 106 branch_when_zero (1: 23)
0x10103fae2: 30 0 local (0: 22) line 32
0x10103fae4: 10 0 cstring0 (1: 23)
0x10103fae6: 341 11 explode (2: 24)
0x10103fae8: 10 1 cstring0 (1: 23)
0x10103faea: 10 2 cstring0 (2: 24)
0x10103faec: 166 2 aggregate (3: 25)
0x10103faef: 43 - (2: 24)
0x10103faf0: 123 2 push_local_variable_lvalue (1: 23)
0x10103faf2: 41 (void)= (2: 24) line 33
0x10103faf3: 27 break (0: 22)
0x10103fb1a: 105 branch (0: 22) line 34
0x10103fb30: 97 save_arg_frame (0: 22)
0x10103fb31: 30 2 local (1: 23)
0x10103fb33: 10 7 cstring0 (2: 24)
0x10103fb35: 427 37 member (3: 25)
0x10103fb37: 98 restore_arg_frame (2: 24)
0x10103fb38: 123 3 push_local_variable_lvalue (1: 23)
0x10103fb3a: 40 = (2: 24)
0x10103fb3b: 17 nconst1 (1: 23)
0x10103fb3c: 52 != (2: 24)
0x10103fb3d: 109 34 bbranch_when_non_zero (1: 23)
0x10103fb3f: 30 2 local (0: 22) line 36
0x10103fb41: 24 return (1: 23)
secure/master secure/master.c line 45
0x101b0c60d: 98 restore_arg_frame (2: 18) line 45
0x101b0c60e: 123 1 push_local_variable_lvalue (1: 17)
0x101b0c610: 41 (void)= (2: 18)
0x101b0c611: 105 403376643 branch (0: 16) line 46
0x101b0c616: 30 1 local (0: 16) line 48
0x101b0c618: 200 sizeof (1: 17)
0x101b0c619: 123 3 push_local_variable_lvalue (1: 17)
0x101b0c61b: 41 (void)= (2: 18)
0x101b0c61c: 30 3 local (0: 16) line 49
0x101b0c61e: 18 2 clit (1: 17)
0x101b0c620: 49 < (2: 18)
0x101b0c621: 106 403376643 branch_when_zero (1: 17)
0x101b0c626: 30 1 local (0: 16) line 51
0x101b0c628: 15 const0 (1: 17)
0x101b0c629: 184 no_warn_deprecated (2: 18)
0x101b0c62a: 61 index (2: 18)
0x101b0c62b: 28 switch (1: 17)
0x101b0c6ed: 10 0 cstring0 (0: 16) line 78
0x101b0c6ef: 24 return (1: 17) line 82
0x101b0c7f9: 98 restore_arg_frame (2: 12) line 120
0x101b0c7fa: 123 2 push_local_variable_lvalue (1: 11)
0x101b0c7fc: 40 = (2: 12)
0x101b0c7fd: 107 branch_when_non_zero (1: 11)
0x101b0c801: 30 0 local (0: 10) line 123
0x101b0c803: 15 const0 (1: 11)
0x101b0c804: 18 2 clit (2: 12)
0x101b0c806: 66 .. (3: 13)
0x101b0c807: 10 39 cstring0 (1: 11)
0x101b0c809: 51 == (2: 12)
0x101b0c80a: 39 9 || (1: 11)
0x101b0c80c: 30 0 local (0: 10)
0x101b0c80e: 15 const0 (1: 11)
0x101b0c80f: 18 3 clit (2: 12)
0x101b0c811: 66 .. (3: 13)
0x101b0c812: 10 40 cstring0 (1: 11)
0x101b0c814: 51 == (2: 12)
0x101b0c815: 106 branch_when_zero (1: 11)
0x101b0c819: 30 2 local (0: 10) line 126
0x101b0c81b: 10 0 cstring0 (1: 11)
0x101b0c81d: 51 == (2: 12)
0x101b0c81e: 38 4 && (1: 11)
0x101b0c820: 30 1 local (0: 10)
0x101b0c822: 206 this_object (1: 11)
0x101b0c823: 51 == (2: 12)
0x101b0c824: 106 3 branch_when_zero (1: 11)
0x101b0c826: 10 0 cstring0 (0: 10)
0x101b0c828: 24 return (1: 11)
0x101b0c8e9: 98 restore_arg_frame (2: 7) line 150
0x101b0c8ea: 24 return (1: 6)
secure/errord secure/errord.c line 23
0x101b0ed2a: 206 this_object (0: 3) line 23
0x101b0ed2b: 256 28 getuid (1: 4)
0x101b0ed2d: 309 81 seteuid (1: 4)
0x101b0ed2f: 92 pop_value (1: 4)
0x101b0ed30: 10 0 cstring0 (0: 3) line 24
0x101b0ed32: 296 restore_object (1: 4)
secure/master secure/master/file_access.c line 41
0x10103fb62: 30 0 local (0: 9) line 41
0x10103fb64: 24 return (1: 10)
0x101b0ed34: 107 31 16 168 0 1 18 2
3 ' preload' in ' secure/master.c' (' secure/master') line 35
4120 ' CATCH' in (' secure/master')
4129 ' create' in ' secure/errord.c' (' secure/errord') line 24
|
|
System Description |
Homemud / Entwicklungssystem (64 bit)
|
|
Attached Files: |
config.h (20,629 bytes) 2009-03-10 16:05
http://ldmud.eu/file_download.php?file_id=199&type=bug
machine.h (13,611 bytes) 2009-03-10 16:06
http://ldmud.eu/file_download.php?file_id=200&type=bug |
|