Bug 1380525

Summary: [abrt] flobopuyo: PuyoGame::notifyReductions(): flobopuyo killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Michael Cronenworth <mike>
Component: flobopuyoAssignee: Andrea Musuruane <musuruan>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: musuruan, seb_ott
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/0ceb1e1e3f45393073c6e402cf46fd3c05e27b62
Whiteboard: abrt_hash:c4cf44b169d7231a4161cccdf01e63308d2e9cca;
Fixed In Version: flobopuyo-0.20-19.fc25 flobopuyo-0.20-19.fc24 flobopuyo-0.20-19.fc23 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-19 21:18:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: limits
none
File: maps
none
File: mountinfo
none
File: namespaces
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages
none
proposed fix
none
additional fix none

Description Michael Cronenworth 2016-09-29 20:30:31 UTC 
Description of problem:
Start a game. Allow the first pair of orbs to reach the bottom. As soon as the orbs touch the bottom the game crashes.

Version-Release number of selected component:
flobopuyo-0.20-18.fc24

Additional info:
reporter:       libreport-2.7.2
backtrace_rating: 4
cmdline:        flobopuyo
crash_function: PuyoGame::notifyReductions
executable:     /usr/bin/flobopuyo
global_pid:     13111
kernel:         4.7.4-200.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            1810

Truncated backtrace:
Thread no. 1 (6 frames)
 #0 PuyoGame::notifyReductions at PuyoGame.cpp:640
 #1 PuyoGame::cycle at PuyoGame.cpp:168
 #2 PuyoView::cycleGame at PuyoView.cpp:233
 #3 PuyoStarter::run at PuyoStarter.cpp:559
 #4 PuyoCommander::startSingleGameLoop at PuyoCommander.cpp:1315
 #5 PuyoCommander::run at PuyoCommander.cpp:722
Comment 1 Michael Cronenworth 2016-09-29 20:30:35 UTC 
Created attachment 1206041 [details]
File: backtrace
Comment 2 Michael Cronenworth 2016-09-29 20:30:36 UTC 
Created attachment 1206042 [details]
File: cgroup
Comment 3 Michael Cronenworth 2016-09-29 20:30:37 UTC 
Created attachment 1206043 [details]
File: core_backtrace
Comment 4 Michael Cronenworth 2016-09-29 20:30:38 UTC 
Created attachment 1206044 [details]
File: dso_list
Comment 5 Michael Cronenworth 2016-09-29 20:30:39 UTC 
Created attachment 1206045 [details]
File: environ
Comment 6 Michael Cronenworth 2016-09-29 20:30:40 UTC 
Created attachment 1206046 [details]
File: limits
Comment 7 Michael Cronenworth 2016-09-29 20:30:41 UTC 
Created attachment 1206047 [details]
File: maps
Comment 8 Michael Cronenworth 2016-09-29 20:30:42 UTC 
Created attachment 1206048 [details]
File: mountinfo
Comment 9 Michael Cronenworth 2016-09-29 20:30:43 UTC 
Created attachment 1206049 [details]
File: namespaces
Comment 10 Michael Cronenworth 2016-09-29 20:30:44 UTC 
Created attachment 1206050 [details]
File: open_fds
Comment 11 Michael Cronenworth 2016-09-29 20:30:45 UTC 
Created attachment 1206051 [details]
File: proc_pid_status
Comment 12 Michael Cronenworth 2016-09-29 20:30:46 UTC 
Created attachment 1206052 [details]
File: var_log_messages
Comment 13 Sebastian Ott 2016-11-12 16:24:48 UTC 
Created attachment 1220031 [details]
proposed fix
Comment 14 Sebastian Ott 2016-11-12 16:26:19 UTC 
The problem is in this code:

PuyoPuyo *markedPuyo = getPuyoAt(u, v);
if (markedPuyo->getPuyoState() == PUYO_MARKED) {

getPuyoAt() can return NULL which is dereferenced in the next line

a fix is attached
Comment 15 Andrea Musuruane 2016-11-12 17:47:28 UTC 
Sebastian, thank you very much for the patch. It fixes this particular issue (when the first pair of puyos reach the bottom) but unluckily the game segfaults later when you form a group of four puyos of the same colour that will blow up :-(

(gdb) bt
#0  PuyoPuyo::getPuyoState (this=0x0) at PuyoGame.cpp:63
#1  0x0000000000415159 in PuyoGame::getFallingState (this=<optimized out>)
    at PuyoGame.h:113
#2  AnimatedPuyo::render (this=this@entry=0x1eda040) at AnimatedPuyo.cpp:99
#3  0x0000000000413ceb in PuyoView::render (this=0x1e81570) at PuyoView.cpp:294
#4  0x0000000000420f77 in PuyoStarter::draw (this=0x7ffd856e5b00)
    at PuyoStarter.cpp:86
#5  0x000000000040edaf in PuyoCommander::updateAll (this=0x7ffd856e5e20, 
    starter=starter@entry=0x7ffd856e5b00, extra_surf=extra_surf@entry=0x0)
    at PuyoCommander.cpp:1390
#6  0x00000000004226a7 in PuyoStarter::run (this=this@entry=0x7ffd856e5b00, 
    _score1=_score1@entry=0, _score2=_score2@entry=0, lives=lives@entry=3, 
    point1=point1@entry=0, point2=point2@entry=0) at PuyoStarter.cpp:752
#7  0x0000000000410648 in PuyoCommander::startSingleGameLoop (
    this=this@entry=0x7ffd856e5e20) at PuyoCommander.cpp:1315
#8  0x0000000000410a68 in PuyoCommander::run (this=this@entry=0x7ffd856e5e20)
    at PuyoCommander.cpp:722
#9  0x0000000000402f2a in main (argc=<optimized out>, argv=<optimized out>)
    at main.cpp:96
Comment 16 Sebastian Ott 2016-11-12 19:15:58 UTC 
I can't reproduce these bugs in my own build from source. Could you post the compiler options you set in the rpmbuild so that I can reproduce this.

I fear that scanning all of that code for even the most obvious bugs would be a huge effort.

If I could reproduce these bugs in my own builds, I could fix one bug after an other.

..I'll look into this tomorrow.
Comment 17 Andrea Musuruane 2016-11-12 20:26:19 UTC 
(In reply to Sebastian Ott from comment #16)
> I can't reproduce these bugs in my own build from source. Could you post the
> compiler options you set in the rpmbuild so that I can reproduce this.

On my system:

$ rpm --eval %optflags
-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic

> I fear that scanning all of that code for even the most obvious bugs would
> be a huge effort.
> 
> If I could reproduce these bugs in my own builds, I could fix one bug after
> an other.
> 
> ..I'll look into this tomorrow.

Thanks!
Comment 18 Sebastian Ott 2016-11-13 13:00:27 UTC 
(In reply to Andrea Musuruane from comment #17)
> (In reply to Sebastian Ott from comment #16)
> > I can't reproduce these bugs in my own build from source. Could you post the
> > compiler options you set in the rpmbuild so that I can reproduce this.
> $ rpm --eval %optflags
> -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
> -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
> -mtune=generic
> 

Thanks. With that I can reproduce the segfault with the self build binary..
Comment 19 Sebastian Ott 2016-11-13 14:59:26 UTC 
Created attachment 1220153 [details]
additional fix
Comment 20 Sebastian Ott 2016-11-13 15:07:02 UTC 
Fixed another couple of bugs. With the attached fixes (you'll need both) that game no longer segfaults (it was tested for half an hour).
Comment 21 Andrea Musuruane 2016-11-13 18:33:52 UTC 
I also tested it for about half an hour and it seems fine to me too! Thanks!!!

I'll try to release a new version in the next hours.
Comment 22 Fedora Update System 2016-11-13 20:49:25 UTC 
flobopuyo-0.20-19.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-536eb6a746
Comment 23 Fedora Update System 2016-11-13 20:49:32 UTC 
flobopuyo-0.20-19.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-4ef8b64c96
Comment 24 Fedora Update System 2016-11-13 20:49:37 UTC 
flobopuyo-0.20-19.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f843ac739e
Comment 25 Fedora Update System 2016-11-15 02:25:55 UTC 
flobopuyo-0.20-19.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4ef8b64c96
Comment 26 Fedora Update System 2016-11-15 02:29:53 UTC 
flobopuyo-0.20-19.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-536eb6a746
Comment 27 Fedora Update System 2016-11-15 13:26:21 UTC 
flobopuyo-0.20-19.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f843ac739e
Comment 28 Fedora Update System 2016-11-19 21:18:27 UTC 
flobopuyo-0.20-19.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2016-11-23 03:53:47 UTC 
flobopuyo-0.20-19.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2016-11-24 08:24:42 UTC 
flobopuyo-0.20-19.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.