Polymer: crash in polymer_updatesprite
I stumbled upon a set of crashes, the most common of which is in polymer_updatesprite.
GRP is for "Duke Nukem 3D: Atomic Edition (WT)".
Build info:
$ make -j14 RELEASE=0 CUSTOMOPT=-g OPTLEVEL=0
0,2436s INFO| EDuke32 r10355-2e2d5f20
0,2436s INFO| Built Aug 24 2023 10:35:10, GCC 11.4.0, 64-bit
Logs don't show any errors except for:
Thread 1 "eduke32" received signal SIGSEGV, Segmentation fault.
Most common stack trace:
#0 __memmove_avx_unaligned_erms ()
at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:429
#1 0x00005555559d3abc in polymer_updatesprite(int32_t) (snum=25)
at source/build/src/polymer.cpp:4105
#2 0x00005555559c62f7 in polymer_drawsprite(int32_t) (snum=25)
at source/build/src/polymer.cpp:1568
#3 0x000055555592265b in renderDrawSprite(int32_t) (snum=25)
at source/build/src/engine.cpp:7053
#4 0x000055555592ee3e in renderDrawMasks() () at source/build/src/engine.cpp:10279
#5 0x0000555555715064 in G_DrawRooms(int32_t, int32_t)
(playerNum=0, smoothRatio=32794) at source/duke3d/src/game.cpp:1155
#6 0x000055555573b7f7 in drawframe_entry(mco_coro*) (co=0x20002000100)
at source/duke3d/src/game.cpp:6485
#7 0x00005555558b7c46 in _mco_main(mco_coro*) (co=0x20002000100)
at source/build/include/minicoro.h:533
snum and smoothRatio values are different each time (e.g. 0, 15, 8, 4 and 16402, 16410, 32792, 32787 respectively) and the rest seems to be the same.
This crash is a bit difficult to reproduce; the most reliable way I found so far is:
- Load attached save file.
- Equip RPG and start frantically running around the room and shooting at everything.
- At some point, usually around the 10th shot, the game crashes.
It also seems that the crash does not happen if the "Dynamic Lights" option is set to "Map only" or "Off".
Other crashes that I encountered but don't have a way to reproduce:
#0 0x00005555559dd2a9 in polymer_planeinlight(_prplane const&, _prlight const&)
(plane=..., light=...) at source/build/src/polymer.cpp:5921
#1 0x00005555559de5d3 in polymer_culllight(int16_t) (lighti=0)
at source/build/src/polymer.cpp:6161
#2 0x00005555559dccde in polymer_updatelights() ()
at source/build/src/polymer.cpp:5801
#3 0x00005555559c40e3 in polymer_drawrooms(int32_t, int32_t, int32_t, fix16_t, fix16_t, int16_t)
(daposx=30218, daposy=9008, daposz=-18059, daang=34443264, dahoriz=5478153, dacursectnum=170)
at source/build/src/polymer.cpp:1122
#4 0x000055555592c3d5 in renderDrawRoomsQ16(int32_t, int32_t, int32_t, fix16_t, fix16_t, int16_t)
(daposx=30218, daposy=9008, daposz=-18059, daang=34443264, dahoriz=5478153, dacursectnum=170)
at source/build/src/engine.cpp:9449
#5 0x0000555555714f9c in G_DrawRooms(int32_t, int32_t) (playerNum=0, smoothRatio=32794)
at source/duke3d/src/game.cpp:1145
#6 0x000055555573b7f7 in drawframe_entry(mco_coro*) (co=0x20002000100)
at source/duke3d/src/game.cpp:6485
#7 0x00005555558b7c46 in _mco_main(mco_coro*) (co=0x20002000100)
at source/build/include/minicoro.h:533
21,5355s MEM| mimalloc: error:
21,5355s MEM| buffer overflow in heap block 0x20000137fc0 of size 440: write after 440 bytes
Thread 1 "eduke32" received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737331984896) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737331984896)
at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737331984896)
at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737331984896, signo=signo@entry=6)
at ./nptl/pthread_kill.c:89
#3 0x00007ffff74a3476 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/posix/raise.c:26
#4 0x00007ffff74897f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x0000555555ae221c in mi_error_default(int) (err=14)
at source/mimalloc/src/options.c:400
#6 0x0000555555ae235f in _mi_error_message(int, char const*, ...)
(err=14, fmt=0x555555caf798 "buffer overflow in heap block %p of size %zu: write after %zu bytes\n")
at source/mimalloc/src/options.c:431
#7 0x0000555555ad61cf in mi_check_padding(mi_page_t const*, mi_block_t const*)
(page=0x20000000678, block=0x20000137fc0) at source/mimalloc/src/alloc.c:333
#8 0x0000555555ad6a7a in mi_free(void*) (p=0x20000137fc0)
at source/mimalloc/src/alloc.c:568
#9 0x0000555555a2eb7a in sm::GenericAllocator::Free(void*, void*)
(instance=0x0, p=0x20000137fc0) at source/build/src/smmalloc_generic.cpp:81
#10 0x0000555555700617 in sm::Allocator::Free(void*)
(this=0x20000040000, p=0x20000137fc0) at source/build/include/smmalloc.h:478
#11 0x0000555555700865 in _sm_free(sm_allocator, void*)
(allocator=0x20000040000, p=0x20000137fc0)
at source/build/include/smmalloc.h:857
#12 0x00005555559c496c in xfree (ptr=0x20000137fc0)
at source/build/include/compat.h:1442
#13 polymer_drawmasks() () at source/build/src/polymer.cpp:1299
#14 0x000055555592eea1 in renderDrawMasks() () at source/build/src/engine.cpp:10293
#15 0x0000555555715064 in G_DrawRooms(int32_t, int32_t)
(playerNum=0, smoothRatio=32787) at source/duke3d/src/game.cpp:1155
#16 0x000055555573b7f7 in drawframe_entry(mco_coro*) (co=0x20002000100)
at source/duke3d/src/game.cpp:6485
#17 0x00005555558b7c46 in _mco_main(mco_coro*) (co=0x20002000100)
at source/build/include/minicoro.h:533