TFS 0.X OTX error - crash [segmentation fault]

[leo123456]

Hi people, I have this bug.

Segmentation Fault.

Log gdb:

0x00000000004e8465 in Game::changeSpeed (this=<optimized out>, creature=creature@entry=0x227ca00, varSpeed=<optimized out>) at game.cpp:4577
4577                    spectator->getPlayer()->sendChangeSpeed(creature, creature->getStepSpeed());
(gdb) bt
#0  0x00000000004e8465 in Game::changeSpeed (this=<optimized out>, creature=creature@entry=0x227ca00, varSpeed=<optimized out>) at game.cpp:4577
#1  0x000000000051ce2c in ConditionSpeed::endCondition (this=0x14f598a0, creature=0x227ca00, reason=<optimized out>) at condition.cpp:1451
#2  0x000000000059ca4a in removeConditions (reason=CONDITIONEND_CLEANUP, onlyPersistent=false, this=0x227ca00) at creature.cpp:1568
#3  Creature::~Creature (this=0x227ca00, __vtt_parm=<optimized out>, __in_chrg=<optimized out>) at creature.cpp:93
#4  0x00000000005c1954 in Player::~Player (this=this@entry=0x227ca00, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at player.cpp:137
#5  0x00000000005c1999 in Player::~Player (this=0x227ca00, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at player.cpp:161
#6  0x000000000042a1d7 in unRef (this=<optimized out>) at thing.h:110
#7  Monster::onCreatureLeave (this=0x10626d80, creature=0x227ca00) at monster.cpp:373
#8  0x000000000042d107 in Monster::onCreatureMove (this=0x10626d80, creature=0x227ca00, newTile=<optimized out>, newPos=..., oldTile=<optimized out>, oldPos=..., teleport=false)
    at monster.cpp:202
#9  0x00000000004d6eb1 in Tile::moveCreature (this=0x2c09e5c0, actor=actor@entry=0x0, creature=creature@entry=0x227ca00, toCylinder=toCylinder@entry=0x2c0a5720,
    forceTeleport=forceTeleport@entry=false) at tile.cpp:487
#10 0x00000000004e7f8f in Game::internalMoveCreature (this=0x88bb40 <g_game>, actor=actor@entry=0x0, creature=0x227ca00, fromCylinder=fromCylinder@entry=0x2c09e5c0,
    toCylinder=toCylinder@entry=0x2c0a5720, flags=flags@entry=1, forceTeleport=forceTeleport@entry=false) at game.cpp:1331
#11 0x000000000057e7e5 in LuaInterface::luaDoRelocate (L=0x228b700) at luascript.cpp:4275
#12 0x00007ffff7bb8f78 in ?? () from /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
#13 0x00007ffff7bc36af in ?? () from /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
#14 0x00007ffff7bb93cd in ?? () from /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
#15 0x00007ffff7bb86eb in ?? () from /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
#16 0x00007ffff7bb955a in ?? () from /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
#17 0x00007ffff7bb534d in lua_pcall () from /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
#18 0x000000000055b0b6 in LuaInterface::callFunction (this=0x13f4690, params=params@entry=7) at luascript.cpp:980
#19 0x000000000048149a in MoveEvent::executeStep (this=0xd7c6370, actor=0x0, creature=0x1c7de00, item=<optimized out>, pos=..., fromPos=..., toPos=...) at movement.cpp:1235
#20 0x0000000000483f60 in MoveEvents::onCreatureMove (this=0x13f4680, actor=actor@entry=0x0, creature=creature@entry=0x1c7de00, fromTile=fromTile@entry=0x2c09e5c0, toTile=<optimized out>,
    isStepping=isStepping@entry=false) at movement.cpp:607
#21 0x00000000004d5dc5 in Tile::postRemoveNotification (this=0x2c09e5c0, actor=0x0, thing=0x1c7e7d8, newParent=0x2c0a5720, index=2, isCompleteRemoval=<optimized out>) at tile.cpp:1566
#22 0x00000000004d6f00 in Tile::moveCreature (this=0x2c09e5c0, actor=actor@entry=0x0, creature=creature@entry=0x1c7de00, toCylinder=toCylinder@entry=0x2c0a5720,
    forceTeleport=forceTeleport@entry=false) at tile.cpp:489
#23 0x00000000004e7f8f in Game::internalMoveCreature (this=this@entry=0x88bb40 <g_game>, actor=actor@entry=0x0, creature=creature@entry=0x1c7de00,
    fromCylinder=fromCylinder@entry=0x2c09e5c0, toCylinder=0x2c0a5720, flags=flags@entry=32, forceTeleport=forceTeleport@entry=false) at game.cpp:1331
#24 0x00000000004e814d in Game::internalMoveCreature (this=0x88bb40 <g_game>, creature=creature@entry=0x1c7de00, direction=<optimized out>, flags=32) at game.cpp:1309
#25 0x000000000059e254 in Creature::onWalk (this=0x1c7de00) at creature.cpp:265
#26 0x00000000004e6bf2 in Game::checkCreatureWalk (this=0x88bb40 <g_game>, creatureId=<optimized out>) at game.cpp:4478
#27 0x000000000059dfa8 in Creature::addEventWalk (this=this@entry=0x1c7de00, firstStep=<optimized out>) at creature.cpp:350
Python Exception <class 'IndexError'> list index out of range:
#28 0x000000000059e2b6 in Creature::startAutoWalk (this=this@entry=0x1c7de00, listDir=std::list) at creature.cpp:335
#29 0x00000000004e13e6 in Game::playerMove (this=<optimized out>, playerId=<optimized out>, dir=EAST) at game.cpp:2314
#30 0x000000000048b740 in operator() (this=0x330955e0) at /usr/include/boost/function/function_template.hpp:767
#31 operator() (this=0x330955d0) at dispatcher.h:34
#32 Dispatcher::dispatcherThread (this=0x889780 <Dispatcher::getInstance()::dispatcher>) at dispatcher.cpp:64
#33 0x00007ffff79a2a4a in ?? () from /usr/lib/x86_64-linux-gnu/libboost_thread.so.1.54.0
#34 0x00007ffff597a184 in start_thread (arg=0x7ffff2d74700) at pthread_create.c:312
#35 0x00007ffff56a703d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

My game.cpp
hastebin
Help-me please.

 

[Frikx]

Did you modify the sources?

 

[leo123456]

@Frikx

No, i dont.

 

[leo123456]

BUMP

 

[Frikx]

That's strange.

When does it happen? Are you able to replicate the error?

 

[Webtimize]

Did you walk on a specific tile or change walkspeed the moment it dropped segfault? It seems to be something related to creature/player speed. Seems like something after a lua function is crashing, so it might be an action/movement.

 

[leo123456]

@Frikx

I can not reproduce the error because I do not know where it occurs.

@webtimize

It has no floor that changes the speed. But you have 1 item that changes speed. However I use it several times and the server does not give the error.

 

[Webtimize]

I can see that something is being teleported (stack 10, 0x88bb40 -> 0x227ca00), and then the speed was changed for the creature (+ all spectators?) (stack 1).

 

[leo123456]

@webtimize @Gesior.pl


What could this be? Because the server does not have it. Would you protect this function in game.cpp?

 

[Gesior.pl]

Looks like bugged LUA script or serious engine bug.

From GDB:
1. some player did step (walk on some 'quest' tile probably)
2. some LUA script tried to move tile items&creatures from tile X to Y (player walks on tile Z and it teleports other player)
3. there was some monster that saw player teleporting out from his screen (23x23 tiles area around monster)
4. monster remove player from 'players on screen' list
5. for some reason that player was removed more times then it was added (there is 'reference' counter in OTSes), now server 'state' is unstable, some serious bug!
5. that player has 'haste' spell, remove it from RAM
6. server sent to people around player 'he changed speed'
7. one of spectators was probably player who was removed from RAM already (player that teleports and whos speed is changing)
8. ====== send 'network packet' to player that does not exist in RAM = CRASH


REPRODUCE:
Search for 'relocate' in all files inside 'data/movements'. There must be some bugged script with function containing 'relocate'/'Relocate' in name.
Go that place in game (where one player can teleport other player by walking on tile).
Summon some monster (as GM, spawn monster) near player and use haste on player that will be teleported.
Walk on tile to make other player teleport.
CRASH

You can try to modify that script to do not use 'relocate' function - use 'doTeleportThing' instead. Maybe 'relocate' is bugged in C++.

I HAD REPORT ABOUT SIMILAR 'unRef' PROBLEM IN TFS 0.4 (with createItemEx and movement of that item).
Removing compilator flag '-O2' fixed it! I could not find a reason of crash, but on Windows server worked fine and on Linux it did crash.
I told owner to compare compiler flags and it was only change, so he removed it from Makefile.am, but I don't see '-O2' flag in 'otxserver' options.

@leo123456 What operating system do you use for server? What OTX version do you use (version 2 or version 3?, protocol 7.7 or 8.6 or 10.x?)?