Bug 197604 - games/cube: crashes when built with clang 3.6 + -O1 or higher
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-13 22:38 UTC by Jan Beich
Modified: 2015-02-20 07:41 UTC
CC: 2 users

See Also:


Attachments
Fix invalid dereferencing of null reference (4.93 KB, patch)
2015-02-14 00:49 UTC, Dimitry Andric

Description Jan Beich 2015-02-13 22:38:05 UTC
/projects/clang360-import@278313 during build shows

physics.cpp:50:14: warning: reference cannot be bound to dereferenced null pointer in well-defined C++
      code; pointer may be assumed to always convert to true [-Wundefined-bool-conversion]
        if(!&mmi || !mmi.h) continue;
           ~ ^~~

which leads to

(lldb) target create "/usr/local/libexec/cube_client" --core "/var/tmp/cube_client.1001.core"
Core file '/var/tmp/cube_client.1001.core' (x86_64) was loaded.
Process 0 stopped
* thread #1: tid = 0, 0x0000000000411297 cube_client`mmcollide(d=0x0000000807c88300, hi=0x00007fffffffb664, lo=0x00007fffffffb660) + 87 at physics.cpp:50, name = 'cube_client', stop reason = signal SIGSEGV
    frame #0: 0x0000000000411297 cube_client`mmcollide(d=0x0000000807c88300, hi=0x00007fffffffb664, lo=0x00007fffffffb660) + 87 at physics.cpp:50
   47           entity &e = ents[i];
   48           if(e.type!=MAPMODEL) continue;
   49           mapmodelinfo &mmi = getmminfo(e.attr2);
-> 50           if(!&mmi || !mmi.h) continue;
   51           const float r = mmi.rad+d->radius;
   52           if(fabs(e.x-d->o.x)<r && fabs(e.y-d->o.y)<r)
   53           {
(lldb) fr v
(dynent *) d = 0x0000000807c88300
(float &) hi = 0x00007fffffffb664: {
  &hi = 4
}
(float &) lo = 0x00007fffffffb660: {
  &lo = -4.5
}
(int) i = 0
(entity &) e = 0x0000000808e7b112: {
  persistent_entity = (x = 37, y = 51, z = 0, attr1 = 134, type = '\x0e', attr2 = '\t', attr3 = '\0', attr4 = '\0')
  spawned = false
}
(mapmodelinfo &) mmi = 0x0000000000000000
(const float) r = <variable not available>
(lldb) bt
* thread #1: tid = 0, 0x0000000000411297 cube_client`mmcollide(d=0x0000000807c88300, hi=0x00007fffffffb664, lo=0x00007fffffffb660) + 87 at physics.cpp:50, name = 'cube_client', stop reason = signal SIGSEGV
  * frame #0: 0x0000000000411297 cube_client`mmcollide(d=0x0000000807c88300, hi=0x00007fffffffb664, lo=0x00007fffffffb660) + 87 at physics.cpp:50
    frame #1: 0x0000000000411ae4 cube_client`collide(d=0x0000000807c88300, spawn=true, drop=0, rise=0) + 1892 at physics.cpp:129
    frame #2: 0x00000000004075c7 cube_client`entinmap(d=0x0000000807c88300) + 215 at clientgame.cpp:265
    frame #3: 0x0000000000406fc1 cube_client`spawnplayer(d=0x0000000807c88300) + 305 at clientgame.cpp:294
    frame #4: 0x0000000000407e3d cube_client`startmap(name=0x00007fffffffba40) + 93 at clientgame.cpp:440
    frame #5: 0x0000000000422244 cube_client`load_world(mname=0x00007fffffffba40) + 2084 at worldio.cpp:316
    frame #6: 0x0000000000408460 cube_client`localservertoclient(buf=<unavailable>, len=<unavailable>) + 576 at clients2c.cpp:130
    frame #7: 0x000000000041abcf cube_client`multicast(packet=0x0000000807e4beb0, sender=-1) + 47 at server.cpp:293
    frame #8: 0x000000000041aa91 cube_client`process(packet=0x0000000807e4beb0, sender=<unavailable>) + 1217 at server.cpp:260
    frame #9: 0x000000000041b0b0 cube_client`localclienttoserver(packet=0x0000000807e4beb0) + 16 at server.cpp:299
    frame #10: 0x0000000000405911 cube_client`c2sinfo(d=<unavailable>) + 1009 at client.cpp:273
    frame #11: 0x00000000004074e3 cube_client`updateworld(millis=135) + 323 at clientgame.cpp:251
    frame #12: 0x000000000040f1e0 cube_client`main(argc=<unavailable>, argv=<unavailable>) + 1456 at main.cpp:188
    frame #13: 0x0000000000404aaf cube_client`_start(ap=<unavailable>, cleanup=<unavailable>) + 367 at crt1.c:78

Can you reproduce?
Comment 1 Dimitry Andric 2015-02-14 00:49:00 UTC
Created attachment 152952
Fix invalid dereferencing of null reference

Yes, I can reproduce. This code is crazy; here is a patch to fix it.
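The warning at physics.cpp:50 describes the whole bug: `getmminfo()` returns a reference, and the caller then tests `!&mmi`. In well-defined C++ a reference is never null, so once the reference has been bound the compiler may assume the address is non-null and delete the check; that is exactly what clang 3.6 does at -O1 and above, which is why the core shows `mmi = 0x0` one line after the test that was supposed to skip it. This is the same mechanism by which optimizers drop a null check that follows a dereference, and it is why a check that only works at -O0 is not a check. The block below is an added example, not code from the Cube source tree or from the attached patch. It assumes (assumption, not taken from the page) that the reference-returning getter produced its "null reference" by dereferencing a null pointer for an out-of-range index, and shows the pointer-returning shape that makes the caller's test well-defined; the `mapmodelinfo` fields, the `mapmodels` table, `count_collidable()` and `demo()` are constructed for illustration. The constructed entity list uses index 9 to mirror `attr2 = '\t'` in the posted core.

```cpp
// Added example, not code from the Cube source or the attached patch.
#include <cstddef>
#include <vector>

// Constructed stand-in for the model record; only `h` matters here.
struct mapmodelinfo { float rad; int h; int zoff; int snap; const char *name; };

// Constructed model table (assumption about how the real one is indexed).
static std::vector<mapmodelinfo *> mapmodels;

// Broken shape, shown only as a comment because calling it is undefined
// behaviour.  Returning *(mapmodelinfo *)0 binds a reference to a
// dereferenced null pointer; a later `if(!&mmi)` is then dead code to
// the optimizer, so the check vanishes at -O1 and the caller faults.
//
//   mapmodelinfo &getmminfo(int i)
//   {
//       return i < (int)mapmodels.size() ? *mapmodels[i] : *(mapmodelinfo *)0;
//   }
//   ...
//   mapmodelinfo &mmi = getmminfo(e.attr2);
//   if(!&mmi || !mmi.h) continue;   // `!&mmi` assumed false, removed

// Fixed shape: a pointer may be null, so the caller's test is well-defined
// and the optimizer has to keep it.
mapmodelinfo *getmminfo(int i)
{
    if (i < 0 || static_cast<std::size_t>(i) >= mapmodels.size()) return nullptr;
    return mapmodels[i];
}

// Caller in the style of mmcollide(): skip entities whose model index is
// out of range or whose model has no height.  Returns how many survive.
int count_collidable(const std::vector<int> &attr2s)
{
    int n = 0;
    for (int idx : attr2s) {
        mapmodelinfo *mmi = getmminfo(idx);
        if (!mmi || !mmi->h) continue;   // now a real null check
        ++n;
    }
    return n;
}

// Populates the constructed table and runs the caller over a constructed
// entity list: index 0 is valid with height, 1 is valid but h == 0, and
// 9 is out of range (the attr2 value seen in the core).  Returns 2.
int demo()
{
    static mapmodelinfo tree{1.5f, 4, 0, 0, "tree"};
    static mapmodelinfo flat{1.0f, 0, 0, 0, "flat"};
    mapmodels.clear();
    mapmodels.push_back(&tree);
    mapmodels.push_back(&flat);
    return count_collidable({0, 1, 9, 0});
}
```

The same reasoning applies to any "is this reference null" test: if a function can fail to find something, return a pointer (or an optional/index) and let the caller check that, rather than manufacturing a reference the language says cannot exist.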
Comment 2 Jan Beich 2015-02-20 06:31:20 UTC
Comment on attachment 152952
Fix invalid dereferencing of null reference

Works fine *with* the patch. Also tested no runtime regressions with gcc49 or within a jail of:
- 10.1R i386
- 10.0R amd64
- 9.3R i386
- 8.4R amd64
Comment 3 commit-hook 2015-02-20 06:54:11 UTC
A commit references this bug:

Author: jbeich
Date: Fri Feb 20 06:53:39 UTC 2015
New revision: 379412
URL: https://svnweb.freebsd.org/changeset/ports/379412

Log:
  - Fix invalid dereferencing of null reference which causes startup
    crash for cube_client when built with clang 3.6 + -O1 or higher [1]
  - Properly track libenet dependency [2]

  PR:		197604 [1]
  PR:		197605 [2]
  Submitted by:	dim [1]

Changes:
  head/games/cube/Makefile
  head/games/cube/files/patch-entities.cpp
  head/games/cube/files/patch-physics.cpp
  head/games/cube/files/patch-protos.h
  head/games/cube/files/patch-rendermd2.cpp
Comment 4 Jan Beich 2015-02-20 07:41:56 UTC
Tentatively closing unless other Cube ports may crash in similar way. For one, games/assaultcube has the warning (see bug 197582 comment 9) but doesn't crash.