penguin-command dies randomly

tags 184437 help

I can reproduce this bug under Mac OS X only (at least I think it is
this bug...), but I am unable to locate the problem.

Here's the backtrace (line numbers might slightly differ, because I'm
using my current dev version):

Thread 0 Crashed:
0 SDL 0x30008fec SDL_SoftBlit + 0xcc
1 SDL 0x3001f5c0 SDL_LowerBlit + 0x11c
2 SDL 0x3001f7a8 SDL_UpperBlit + 0x1d4
3 ??? 0x0001c540 BlitToBB + 0xe8 (gfx.c:393)
4 ??? 0x00020550 DestroyTarget + 0xa4
(missile.c:104)
5 ??? 0x0001d66c HandleBomb + 0x8f0 (bomb.c:84)
6 ??? 0x0000c680 ProcessEvents + 0xe0
(game.c:316)
7 ??? 0x0000cef8 StartGame + 0x1d4 (game.c:429)
8 ??? 0x0001fd90 SDL_main + 0x138 (main.c:460)

So the critical line seems to be line 104 in missile.c:
BlitPart(rect.x,rect.y,BackBuffer,rect);

I really can't see any problem with it. And to make the whole problem
even more strange, the bug seems to only occur when playing the game
with sound.

Any help with this is appreciated,
Karl

submitter 182669 !
submitter 184437 !
submitter 210814 !
submitter 230301 !
submitter 267014 !

I think I'm running into the same bug. Debian Etch (testing), on an
x86 (Celeron D). It typically takes about 15 minutes to segfault.
I don't think the bug is where you think it is. It is a different
operation every time. That usually means memory corruption. Also, in my
debug core dump, argc is a ridiculously high value, 136100536. Memory
corruption all right.

It does not occur with sound off. That may be because it is a sound
issue, or it could be because the corrupted memory is never used. It
took me 24 minutes to segfault my debug build. The unusually high
playtime is probably a result of the fact that most of the information
in a debug executable is not used during play time, so it took longer
to corrupt an important part.

I'm working on this bug (probably the same one.) Give me a few days. I
think I should have it by then. I am good at this sort of thing.

-Brandon

tags 184437 + patch

I don't think this bug is actually in penguin-command. I think it is in
sdl-mixer. Or maybe it is in libpng. The conditions that make
penguin-command crash are really weird. It seems that a .mod file has
to be playing in the background while a png file is blitted to the
screen. Like I said, weird.

I have a simple patch that fixes this segfault for me. Here it is:

----- Patch begin -------
diff -r src-orig/sound.c src/sound.c
8c8
< {"ramagard.s3m","icefront.s3m","pennight.mod","datajack.s3m"};
---
> {"ramagard.s3m","icefront.s3m","datajack.s3m"};

diff -r src-orig/sound.h src/sound.h
3c3
< #define MUSICNUM 4
---
> #define MUSICNUM 3
------- Patch end -------

Yep. Not asking sdl-mixer to play a mod file fixes it, at least it does
for me. I've narrowed down where I think the segfault occurs, and I
think the problem is genuinely with sdl-mixer playing mod files. If I
am right, this patch will work for everybody.

While debugging, I tried replacing that line in sound.c with 4
pennights. I thought it would crash more. It didn't crash at all. I
also tried moving it to the front, back, and second position. It didn't
crash under those seemingly identical situations. Like I said, weird.

Also worthy of note, is that every time I got penguin-command to crash
, it was playing song #2 (starting from 0). Here is a log I have been
keeping. I only added to this log sometimes when penguin-command would
crash. I am not including the core dumps. If someone wants them, email
me.

Matches core penguin-command1.core
I was using libsdl1.2debian-oss here.

~$ penguin-command
** Starting SDL init **
** Init video **
** Set video mode **
** Create buffers **
** Finding Joysticks **
** Init joystick **
** Loading Title Screen **
** Opening Audio Mixer **
   8 channels allocated
** Loading Music **
** Loading Sounds **

Warning: I could not open the options file for read:
/home/wk/.penguin-command
The error that occured was:
No such file or directory

** Playing Music **
** Ready to enter Menu **
Now playing song #1
** Fade in Music **
** Showing Title Screen **
** Blit Background **
** Background image drawn **
** Loading Font **
** Init Font **
** Loading Images **
Now playing song #1
FPS 74.932544
Now playing song #0
** Fade in Music **
** Showing Title Screen **
** Blit Background **
** Background image drawn **
Now playing song #2
FPS 74.029192
** Fade in Music **
** Showing Title Screen **
** Blit Background **
** Background image drawn **
Segmentation fault (core dumped)

Matches core penguin-command2.core
I was using libsdl1.2debian-alsa here.

** Starting SDL init **
** Init video **
** Set video mode **
** Create buffers **
** Finding Joysticks **
** Init joystick **
** Loading Title Screen **
** Opening Audio Mixer **
   8 channels allocated
** Loading Music **
** Loading Sounds **
** Playing Music **
** Ready to enter Menu **
Now playing song #1
** Fade in Music **
** Showing Title Screen **
** Blit Background **
** Background image drawn **
** Loading Font **
** Init Font **
** Loading Images **
Now playing song #1
Now playing song #0
FPS 73.957016
** Fade in Music **
** Showing Title Screen **
** Blit Background **
** Back...

tags 184437 + patch

Hi Brandon,

> I have a simple patch that fixes this segfault for me. Here it is:

This seems to work well. It's a pity not to use this nice music, but
since it is clearly better than an occasional crash.

> While debugging, I tried replacing that line in sound.c with 4
> pennights. I thought it would crash more. It didn't crash at all. I
> also tried moving it to the front, back, and second position. It
> didn't
> crash under those seemingly identical situations. Like I said, weird.

I guess this is the reason why I didn't succeed in identifying the
mod file, which causes the crash.

> Also worthy of note, is that every time I got penguin-command to crash
> , it was playing song #2 (starting from 0). Here is a log I have been
> keeping. I only added to this log sometimes when penguin-command would
> crash. I am not including the core dumps. If someone wants them, email
> me.

Interesting. I will think a bit more about this (and test a bit more
myself). It might be a good clue.

> Core was generated by `penguin-command'.
> Program terminated with signal 11, Segmentation fault.
> #0 0xb7eb1413 in SDL_LowerBlit () from /usr/lib/libSDL-1.2.so.0
> (gdb) backtrace
> #0 0xb7eb1413 in SDL_LowerBlit () from /usr/lib/libSDL-1.2.so.0
> #1 0xb7eb16b4 in SDL_UpperBlit () from /usr/lib/libSDL-1.2.so.0
> #2 0x0804ceea in Blit (Xpos=136111496, Ypos=510, image=0x805a750) at
> gfx.c:331 #3 0x0804bdab in DrawCannon (x=20, y=0) at game.c:160
> #4 0x0804c0ad in ProcessEvents () at game.c:322
> #5 0x0804c314 in StartGame () at game.c:429
> #6 0x0804b1df in main (argc=136100536, argv=0x0) at main.c:460
> (gdb)
>
> Notice that this has some things in common with the trace that Karl
> provided a few years ago, but some things are distinctly different.

It probably crashes in Blit, because the function is the most memory
intensive one. This really looks like memory corruption.

Thanks for your hard work. I'd like to do some more testing before
applying the patch, to get sure it really works around this bug (and
hopefully get some more details). The crash doesn't occur very
frequently, so It'll probably take some time. I'll write again within
the next week.

Thanks again,
Karl

This patch really seems to work around the problem. I applied it
upstream and I'll update the debian package soon. Better solutions
than the one in this patch are still welcome, of course.

-- Karl

Source: penguin-command
Source-Version: 1.6.11-1

We believe that the bug you reported is fixed in the latest version of
penguin-command, which is due to be installed in the Debian FTP archive:

penguin-command_1.6.11-1.diff.gz
  to pool/main/p/penguin-command/penguin-command_1.6.11-1.diff.gz
penguin-command_1.6.11-1.dsc
  to pool/main/p/penguin-command/penguin-command_1.6.11-1.dsc
penguin-command_1.6.11-1_i386.deb
  to pool/main/p/penguin-command/penguin-command_1.6.11-1_i386.deb
penguin-command_1.6.11.orig.tar.gz
  to pool/main/p/penguin-command/penguin-command_1.6.11.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karl Bartel <email address hidden> (supplier of updated penguin-command package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 27 Mar 2007 14:12:45 +0200
Source: penguin-command
Binary: penguin-command
Architecture: source i386
Version: 1.6.11-1
Distribution: unstable
Urgency: low
Maintainer: Karl Bartel <email address hidden>
Changed-By: Karl Bartel <email address hidden>
Description:
 penguin-command - a missile command clone
Closes: 184437 292264 381610
Changes:
 penguin-command (1.6.11-1) unstable; urgency=low
 .
   * New upstream release
   * Fixed in upstream: Segfault in SDL (Closes: #184437)
   * Fixed in upstream: buffer overflow causes crash from env-var HOME (Closes: #292264)
   * Automake and autoconf should not be required anymore (Closes: #381610)
   * Switched to cdbs for package creation
Files:
 c476231fe205ac8ea351ed97e4f30d6f 695 games optional penguin-command_1.6.11-1.dsc
 4dcf0073d62f28e47af18a922a1badc3 1123574 games optional penguin-command_1.6.11.orig.tar.gz
 a4c1c2c404b00b9aa8929e28947a71f6 2084 games optional penguin-command_1.6.11-1.diff.gz
 bd33270e05c8d8c7c84559781700b19d 955594 games optional penguin-command_1.6.11-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGCRdefMEUy5xtXlkRAvxnAJ9oioELy8yrRh4J383KcFVrbqwINgCbBc0O
Ae6XIaY8O5z5ixnkwvOFHJg=
=3Z8E
-----END PGP SIGNATURE-----

This bug is indeed a fault of SDL-mixer. It has to do with a variable,
md_sndchn, which is either not properly updated, or used
inappropriately. I'm going to notify SDL-mixer upstream, as well as the
debian team, and give them a patch.

The workaround, for penguin-command, and any other program that uses
an affected version of SDL-mixer (all of them), is to not load music
files of varying channels. ramagard.s3m, icefront.s3m, and datajack.s3m
all have 8 channels. pennight.mod has 4 channels. You can bring
pennight.mod back, if you remaster it to have 8 channels.
Alternatively, you could choose to not load more than one music file at
a time. The problem occurs when the last music file loaded has a
different number of channels than the one you want to play. If you load
and play every time, I don't think you'll have a problem, except for
memory and/or lag between songs.

In penguin-command, the last file loaded is datajack.s3m, with 8
channels. That is why it crashed when it tried to play pennight.mod,
which has only has 4 channels.

Please use the word debian somewhere in the body or subject of the
message if you want to email me with any questions.