Follow-up Comment #2, bug #24171 (project freeciv):
Looking at disassembly, I think this is caused when dereferencing
pc->phs.handlers.
int send_packet_chat_msg_req(struct connection *pc, const struct
packet_chat_msg_req *packet)
{
if(!pc->used) {
log_error("WARNING: trying to send data to the closed connection %s",
conn_description(pc));
return -1;
}
fc_assert_ret_val_msg(pc->phs.handlers->send[PACKET_CHAT_MSG_REQ].packet !=
NULL, -1,
"Handler for PACKET_CHAT_MSG_REQ not installed");
return pc->phs.handlers->send[PACKET_CHAT_MSG_REQ].packet(pc, packet);
}
I think this pointer could be invalid when packet_handlers_free() (which is an
atexit() handler) has been called before the client's at_exit() gets to run.
Since atexit handlers are called in reverse order of registration, and the
client at_exit() is registered at client startup whereas the packets.c
packet_handlers_free() is registered on demand and I think that's on making a
connection to the server for the first time, it looks inevitable to me that
at_exit() will reference freed storage (unless atexit() doesn't call
client_kill_server(), but on quitting a running game I think it always will).
Running the current S2_6 client on Linux under valgrind confirms this
diagnosis.
This packet_handlers hash and atexit handler is new on S2_6 (patch #5565).
It's probably a bad idea to have dependencies between atexit() handlers.
Probably packet_handlers_free() should be called explicitly from somewhere.
Not sure where.
Disassembly of the Windows build:
0056b8dc <_send_packet_chat_msg_req>:
56b8dc: 55 push %ebp
56b8dd: 89 e5 mov %esp,%ebp
56b8df: 53 push %ebx
56b8e0: 83 ec 24 sub $0x24,%esp
56b8e3: 8b 5d 08 mov 0x8(%ebp),%ebx
56b8e6: 8b 55 0c mov 0xc(%ebp),%edx
56b8e9: 80 7b 08 00 cmpb $0x0,0x8(%ebx)
56b8ed: 74 1d je 56b90c
<_send_packet_chat_msg_req # => log_error()
56b8ef: 8b 83 ac 06 00 00 mov 0x6ac(%ebx),%eax
* 56b8f5: 8b 40 68 mov 0x68(%eax),%eax
56b8f8: 85 c0 test %eax,%eax
56b8fa: 74 24 je 56b920
<_send_packet_chat_msg_req # => fc_assert_fail()
Valgrind memcheck output for S2_6 r30795 on Linux amd64:
Invalid read of size 8
at 0x5EC325: send_packet_chat_msg_req (packets_gen.c:4504)
by 0x5EC3F5: dsend_packet_chat_msg_req (packets_gen.c:4515)
by 0x475909: client_kill_server (connectdlg_common.c:150)
by 0x47332D: emergency_exit (client_main.c:223)
by 0x47332D: at_exit (client_main.c:231)
by 0x76F7258: __run_exit_handlers (exit.c:82)
by 0x76F72A4: exit (exit.c:104)
by 0x473A05: client_exit (client_main.c:727)
by 0x473D9C: client_main (client_main.c:670)
by 0x76DCEC4: (below main) (libc-start.c:287)
Address 0x1a13a790 is 208 bytes inside a block of size 4,000 free'd
at 0x4C2BDEC: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x61B4A6: genhash_slot_free (genhash.c:483)
by 0x61B4A6: genhash_clear (genhash.c:595)
by 0x61B531: genhash_destroy (genhash.c:298)
by 0x5642A4: packet_handler_hash_destroy (spechash.h:419)
by 0x5642A4: packet_handlers_free (packets.c:806)
by 0x76F7258: __run_exit_handlers (exit.c:82)
by 0x76F72A4: exit (exit.c:104)
by 0x473A05: client_exit (client_main.c:727)
by 0x473D9C: client_main (client_main.c:670)
by 0x76DCEC4: (below main) (libc-start.c:287)
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?24171>
_______________________________________________
Message sent via/by Gna!
http://gna.org/
_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
