Crash due to string sharing

Issue #179 resolved
RMTEW FULL NAME repo owner created an issue

isTarget is crashing on exit when it frees a local copy of an argument of type EventInfo. Copying an EventInfo instance does direct copies of internal strings, which I interpret to mean that they share the internal character-array typed buffer. In theory, freeing the string in the local instance will corrupt the argument instance's version. If the argument instance is then reused, it will eventually cause a crash.

Callstack:

Incursion.exe!free(void * pUserData)  Line 49 + 0xb bytes   C++
Incursion.exe!String::Empty()  Line 114 + 0xc bytes C++
Incursion.exe!String::~String()  Line 109   C++
Incursion.exe!EventInfo::~EventInfo()  + 0x1ad bytes    C++
>Incursion.exe!Magic::isTarget(EventInfo & _e, Thing * t)  Line 299 + 0x19 bytes    C++
Incursion.exe!Magic::MagicStrike(EventInfo & e)  Line 1032 + 0x2c bytes C++
Incursion.exe!Creature::Event(EventInfo & e)  Line 884 + 0xf bytes  C++
Incursion.exe!ThrowTo(EventInfo & e, Object * t)  Line 284 + 0xc bytes  C++
Incursion.exe!ThrowEvent(EventInfo & e)  Line 243 + 0x2b bytes  C++
Incursion.exe!RealThrow(EventInfo & e)  Line 343 + 0x9 bytes    C++
Incursion.exe!ReThrow(short ev, EventInfo & e)  Line 375 + 0x18 bytes   C++
Incursion.exe!Creature::Strike(EventInfo & e)  Line 4346 + 0xb bytes    C++
Incursion.exe!Creature::Event(EventInfo & e)  Line 761 + 0x16 bytes C++
Incursion.exe!ThrowTo(EventInfo & e, Object * t)  Line 284 + 0xc bytes  C++
Incursion.exe!ThrowEvent(EventInfo & e)  Line 243 + 0x2b bytes  C++
Incursion.exe!RealThrow(EventInfo & e)  Line 343 + 0x9 bytes    C++
Incursion.exe!ReThrow(short ev, EventInfo & e)  Line 375 + 0x18 bytes   C++
Incursion.exe!Magic::MagicStrike(EventInfo & e)  Line 867 + 0xb bytes   C++
Incursion.exe!Creature::Event(EventInfo & e)  Line 884 + 0xf bytes  C++
Incursion.exe!ThrowTo(EventInfo & e, Object * t)  Line 284 + 0xc bytes  C++
Incursion.exe!ThrowEvent(EventInfo & e)  Line 243 + 0x2b bytes  C++
Incursion.exe!RealThrow(EventInfo & e)  Line 343 + 0x9 bytes    C++
Incursion.exe!ReThrow(short ev, EventInfo & e)  Line 375 + 0x18 bytes   C++
Incursion.exe!Magic::ABallBeamBolt(EventInfo & e)  Line 2074 + 0x14 bytes   C++
Incursion.exe!Magic::MagicEvent(EventInfo & e)  Line 781 + 0xc bytes    C++
Incursion.exe!Creature::Event(EventInfo & e)  Line 722 + 0xf bytes  C++
Incursion.exe!ThrowTo(EventInfo & e, Object * t)  Line 284 + 0xc bytes  C++
Incursion.exe!ThrowEvent(EventInfo & e)  Line 243 + 0x2b bytes  C++
Incursion.exe!RealThrow(EventInfo & e)  Line 343 + 0x9 bytes    C++
Incursion.exe!ReThrow(short ev, EventInfo & e)  Line 375 + 0x18 bytes   C++
Incursion.exe!Creature::Invoke(EventInfo & e)  Line 2911 + 0xb bytes    C++
Incursion.exe!Creature::Event(EventInfo & e)  Line 680 + 0x16 bytes C++
Incursion.exe!ThrowTo(EventInfo & e, Object * t)  Line 284 + 0xc bytes  C++
Incursion.exe!ThrowEvent(EventInfo & e)  Line 243 + 0x2b bytes  C++
Incursion.exe!RealThrow(EventInfo & e)  Line 343 + 0x9 bytes    C++
Incursion.exe!ThrowEff(short Ev, unsigned long eID, Object * p1, Object * p2, Object * p3, Object * p4)  Line 492 + 0x18 bytes  C++
Incursion.exe!Monster::ChooseAction()  Line 1315 + 0x47 bytes   C++
Incursion.exe!Game::Play()  Line 293 + 0x12 bytes   C++
Incursion.exe!Game::StartMenu()  Line 2176  C++
Incursion.exe!main(int argc, char * * argv)  Line 388   C++

Comments (2)

  1. RMTEW FULL NAME reporter

    Legacy bug! If you provide an assignment operator overload, then you should provide a matching copy constructor. The reason for this is that you are sometimes likely to assign in a variable declaration, which uses the latter, not the former. Not providing the copy constructor will do a bitwise copy, which will result in this case in EventInfo instances sharing the same string references. The first to get destroyed will destroy the strings it thinks it owns, and either corruption or crashing will then happen. Reported by Felius@Bay12. Fixes #179

    → <<cset 11ac4e3c2b61>>

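The mechanism the report and the comment above describe, reduced to a minimal owning string, as an added example. This is not Incursion's code and not the change in cset 11ac4e3c2b61; BuggyString and FixedString are hypothetical stand-ins for the game's String, local_copy_aliases stands in for isTarget taking a local copy of its by-reference EventInfo argument, and the instrumented namespace is a constructed allocator that counts a second free of the same buffer instead of executing it (executing it is undefined behaviour and, as the report notes, may only surface as a crash later).

```cpp
#include <cstring>
#include <set>

// Added example, not Incursion's own code. The instrumented allocator records a
// free of a buffer that is no longer live instead of calling delete[] twice.
namespace instrumented {
    std::set<char*> live;   // buffers currently owned by exactly one string
    int double_frees = 0;   // frees of a buffer that had already been released

    char* alloc(const char* src) {
        std::size_t n = std::strlen(src);
        char* p = new char[n + 1];
        std::memcpy(p, src, n + 1);
        live.insert(p);
        return p;
    }

    void release(char* p) {
        if (p == nullptr) return;
        if (live.erase(p) == 0) {   // not live: another owner already freed it
            ++double_frees;          // in the real binary this is the crash in free()
            return;
        }
        delete[] p;
    }
}

// The legacy shape from the issue: a deep-copying operator= but no copy
// constructor. The compiler still generates a member-wise copy constructor,
// so `BuggyString local = arg;` copies the pointer, not the characters.
struct BuggyString {
    char* s;
    explicit BuggyString(const char* src = "") : s(instrumented::alloc(src)) {}
    ~BuggyString() { instrumented::release(s); }
    BuggyString& operator=(const BuggyString& o) {
        if (this != &o) {
            instrumented::release(s);
            s = instrumented::alloc(o.s);
        }
        return *this;
    }
};

// The fix: a copy constructor that matches operator= (the rule of three: if a
// class needs a destructor, copy constructor or copy assignment, it needs all three).
struct FixedString {
    char* s;
    explicit FixedString(const char* src = "") : s(instrumented::alloc(src)) {}
    FixedString(const FixedString& o) : s(instrumented::alloc(o.s)) {}
    ~FixedString() { instrumented::release(s); }
    FixedString& operator=(const FixedString& o) {
        if (this != &o) {
            instrumented::release(s);
            s = instrumented::alloc(o.s);
        }
        return *this;
    }
};

// Mirrors a callee that makes a local copy of its by-reference argument. This is
// copy-initialization, which uses the copy constructor and never operator=.
// Returns whether the copy and the argument hold the same buffer.
template <class S>
bool local_copy_aliases(S& arg) {
    S local = arg;
    return local.s == arg.s;
}   // local's destructor runs here and releases local.s

bool buggy_aliases() { BuggyString arg("throw"); return local_copy_aliases(arg); }  // true
bool fixed_aliases() { FixedString arg("throw"); return local_copy_aliases(arg); }  // false

// Count frees of one buffer when the caller's object dies after the callee's
// copy, which is the destruction order in the reported call stack.
int buggy_double_frees() {
    instrumented::double_frees = 0;
    {
        BuggyString arg("strike");
        local_copy_aliases(arg);   // the local copy releases arg.s on return
    }                              // arg's destructor releases the same pointer again
    return instrumented::double_frees;   // 1
}

int fixed_double_frees() {
    instrumented::double_frees = 0;
    {
        FixedString arg("strike");
        local_copy_aliases(arg);   // the local copy releases its own buffer
    }                              // arg releases its own buffer
    return instrumented::double_frees;   // 0
}
```

Without the instrumentation, the same flow built with `-fsanitize=address` is reported by AddressSanitizer as a double free at the second destructor, with the allocation and first free sites in the report, which is the quickest way to confirm this class of bug from a stack like the one above. GCC and Clang also flag the root cause at compile time under `-Wextra` (`-Wdeprecated-copy`) when a class with a user-provided operator= relies on the implicitly generated copy constructor.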