View Issue Details

IDProjectCategoryView StatusLast Update
0000001LDMud 3.2-devRuntimepublic2004-05-17 09:27
Reportermenaures Assigned Tolars 
PrioritynormalSeveritycrashReproducibilityalways
Status closedResolutionfixed 
Summary0000001: walk_mapping + destruct crashes
DescriptionIn some cases, destructing an object during a walk_mapping can cause the driver to crash (happened in dev540 and in dev585 and dev586). I could not yet reproduce it by using simple code snippets, but it is always reproducible using a group of files used by our extension library.

If you need to reproduce the error, tell me. I'll provide the required code. For now, I only have a backtrace and logfile output.
Additional Information#####################################
last console output:
2003.05.30 03:08:44 Ref count in freed hash mapping: 1
No program to trace.
2003.05.30 03:08:44 LDMud aborting on fatal error.
Floating point exception
#######################################
last log output:
2003.05.30 03:08:44 Object used by walk_mapping destructed2003.05.30 03:08:44 program: p/Apps/Wetter/i/master.c, object: p/Apps/Wetter/beis
piel/wetter line 1138
' f_lade' in 'i/zauberstab/zauberstab.c (/i/zauberstab/zsoul.inc)' (' obj/zauberstab#7') line 268
' touch' in 'secure/simul_efun/simul_efun.c (/secure/simul_efun/map.inc)' (' obj/zauberstab#7') line 229
' create' in 'p/Apps/Wetter/beispiel/wetter.c' ('p/Apps/Wetter/beispiel/wetter') line 181
' create' in 'p/Apps/Wetter/i/master.c' ('p/Apps/Wetter/beispiel/wetter') line 1669
' init_zones' in 'p/Apps/Wetter/beispiel/wetter.c' ('p/Apps/Wetter/beispiel/wetter') line 167
' add_zone' in 'p/Apps/Wetter/i/master.c' ('p/Apps/Wetter/beispiel/wetter') line 601
' activate_zone' in 'p/Apps/Wetter/i/master.c' ('p/Apps/Wetter/beispiel/wetter') line 556
'scenario_control' in 'p/Apps/Wetter/beispiel/wetter.c' ('p/Apps/Wetter/beispiel/wetter') line 189
'scenario_control' in 'p/Apps/Wetter/i/master.c' ('p/Apps/Wetter/beispiel/wetter') line 1138
2003.05.30 03:08:44 Ref count in freed hash mapping: 1
2003.05.30 03:08:44 Dump of the call chain:
No program to trace.
#####################################
backtrace:
#0 0x080d91ee in dump_core () at simulate.c:586
        a = 0
0000001 0x080d117e in fatal (fmt=0x80fd600 "Ref count in freed hash mapping: %ld\n") at simulate.c:648
        va = 0xbfffd994 "\001"
        ts = 0x8110100 "2003.05.30 03:16:45"
        in_fatal = 1
0000002 0x080abc02 in _free_mapping (m=0x140612f8) at mapping.c:519
        mcp = (struct map_chain **) 0x0
        mc = (struct map_chain *) 0x5f22
        next = (struct map_chain *) 0x14122f1c
        next_dirty = (struct mapping_s *) 0x64
        hm = (struct hash_mapping *) 0x14126874
        cm = (struct condensed_mapping *) 0x140612d4
        str = (char **) 0x140612dc
        svp = (struct svalue_s *) 0x140612d4
        num_values = 1
        i = -8
        j = 336736028
0000003 0x08079c70 in free_svalue (v=0x1406116c) at interpret.c:1052
        type = 6
0000004 0x080abc4e in _free_mapping (m=0x14061214) at mapping.c:535
        mcp = (struct map_chain **) 0x141338c4
        mc = (struct map_chain *) 0x14061160
        next = (struct map_chain *) 0x14061160
        next_dirty = (struct mapping_s *) 0x64
        hm = (struct hash_mapping *) 0x141338a4
        cm = (struct condensed_mapping *) 0x140611f0
        str = (char **) 0x140611f8
        svp = (struct svalue_s *) 0x14061174
        num_values = 1
        i = 2
        j = 0
0000005 0x08079c70 in free_svalue (v=0x14060a70) at interpret.c:1052
        type = 6
0000006 0x080abc4e in _free_mapping (m=0x14120b7c) at mapping.c:535
        mcp = (struct map_chain **) 0x140c59cc
        mc = (struct map_chain *) 0x14060a64
        next = (struct map_chain *) 0x14060a64
        next_dirty = (struct mapping_s *) 0x14121e7c
        hm = (struct hash_mapping *) 0x140c59ac
        cm = (struct condensed_mapping *) 0x1411fe00
        str = (char **) 0x1411fe08
        svp = (struct svalue_s *) 0x14060a78
        num_values = 1
        i = 1
        j = 0
0000007 0x08079c70 in free_svalue (v=0x8aa1f04) at interpret.c:1052
        type = 6
0000008 0x080d3ca0 in remove_object (ob=0x8aa1cb8) at simulate.c:2591
        i = 58
        sent = (struct sentence_s *) 0xffffffff
0000009 0x080d3e58 in handle_newly_destructed_objects () at simulate.c:2660
        ob = (struct object_s *) 0x8aa1cb8
0000010 0x08055516 in cleanup_stuff () at backend.c:362
No locals.
0000011 0x08052f91 in backend () at backend.c:441
        buff = "lade wetter\0etter/beispiel\0\0\f\002\027@\203ð\026@\0@\001@à?#\024ä?#\024\0\0\0\0\0@\001@(\202\021\bè\201\021\bè\201\021\bH|\232\b\0\0\0\0\f\002\027@K\0\0\0\0@\001@\030Ýÿ¿va\v@ Ó\026@\0@\001@K", '\0' <repeats 11 times>, " Ó\026@ þ\025@nw\v@\023P\001@\"É\016\b%\0\0\0\f\002\027@\002", '\0' <repeats 11 times>, "\f\002\027@\001\0\0\0\004äÿ¿(äÿ¿1/\t@`> \bIÉ\016\b\003", '\0' <repeats 15 times>, "Æâÿ¿\n\0\0"...
0000012 0x080a917a in main (argc=2, argv=0xbffff684) at main.c:497
        i = 5
        p = 0xbffff60c "\005"
        set = {__val = {8192, 0 <repeats 31 times>}}
0000013 0x4005edb4 in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
TagsNo tags attached.

Activities

menaures

2003-05-29 21:26

reporter   ~0000001

Oh yeah, there seems to be a newline missing in that "Object used by walk_mapping destructed" - message. Note this message in "last log output"

menaures

2003-06-04 13:12

reporter   ~0000005

Here's a code snippet which produces the crash. Have fun!

mapping foo = ([ "bar" : ([ "foo" ]) ]);

void bar(mapping m, mixed * arr) { arr += ({m}); }

void create()
{
    destruct(this_object());
    mixed * bar = ({});
    walk_mapping(foo, #'bar, &bar);
}

lars

2003-07-28 23:04

reporter   ~0000011

When the callback object was destructed before the first call, the VM stack pointer was one too low, so that the error handling did not perform the special walk-mapping cleanup routines.

Corrected in 3.2.10-dev.596.

Issue History

Date Modified Username Field Change
2003-05-29 21:18 menaures New Issue
2003-05-29 21:26 menaures Note Added: 0000001
2003-06-04 13:12 menaures Note Added: 0000005
2003-07-28 22:18 lars Status new => assigned
2003-07-28 22:18 lars Assigned To => lars
2003-07-28 23:04 lars Status assigned => resolved
2003-07-28 23:04 lars Resolution open => fixed
2003-07-28 23:04 lars Note Added: 0000011
2004-05-17 09:27 lars Status resolved => closed