MantisBT

View Issue Details

ID: 0001248
Project: VCMI
Category: Mechanics - Battles
View Status: public
Date Submitted: 2013-03-24 13:20
Last Update: 2022-04-12 08:41
Reporter: dev-random
Assigned To: beegee
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 0.92
Target Version: (not specified)
Fixed in Version: 0.94b
Summary: 0001248: std::bad_alloc when opening spellbook in combat

Description: In certain conditions, the game crashes when the user tries to open the spellbook in combat.

Steps To Reproduce:
1. Have 2 heroes, one with a large spellbook (>36 spells) and one with a moderate one (13 to 23 spells, I guess. Bug is not reproducible with a one-page spellbook.)
2. Use the spellbook in combat with the first hero, leaving it on the 3rd+ page
3. Try to use the spellbook in combat with the second hero
4. Game crashes.

Additional Information: Debugging info:

Catchpoint 1 (exception thrown), 0x000003fff4940f20 in __cxa_throw () from /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libstdc++.so.6

(gdb) bt
#0 0x000003fff4940f20 in __cxa_throw () from /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libstdc++.so.6
#1 0x000003fff48d91e2 in std::__throw_bad_alloc() () from /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libstdc++.so.6
#2 0x000002aaaad94e39 in allocate (__n=18446744073709551607, this=0x3ffe1494450)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/include/g++-v4/ext/new_allocator.h:90
#3 _M_allocate (__n=18446744073709551607, this=0x3ffe1494450) at /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/include/g++-v4/bits/stl_vector.h:150
#4 _M_range_initialize<__gnu_cxx::__normal_iterator<SpellID*, std::vector<SpellID> > > (__last=..., __first=..., this=0x3ffe1494450)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/include/g++-v4/bits/stl_vector.h:1111
#5 _M_initialize_dispatch<__gnu_cxx::__normal_iterator<SpellID*, std::vector<SpellID> > > (__last=..., __first=..., this=0x3ffe1494450)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/include/g++-v4/bits/stl_vector.h:1091
#6 std::vector<SpellID, std::allocator<SpellID> >::vector<__gnu_cxx::__normal_iterator<SpellID*, std::vector<SpellID> > > (this=0x3ffe1494450, __first=...,
    __last=..., __a=...) at /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/include/g++-v4/bits/stl_vector.h:340
#7 0x000002aaaad8d31a in CSpellWindow::computeSpellsPerArea (this=0x3ffdd239800)
    at /var/tmp/portage/games-strategy/heroes3-vcmi-0.92/work/0.92/client/CSpellWindow.cpp:408
#8 0x000002aaaad9214b in CSpellWindow::CSpellWindow (this=0x3ffdd239800, _myHero=<optimized out>, _myInt=<optimized out>, openOnBattleSpells=<optimized out>)
    at /var/tmp/portage/games-strategy/heroes3-vcmi-0.92/work/0.92/client/CSpellWindow.cpp:215

[cut]

(gdb) up 7
#7 0x000002aaaad8d31a in CSpellWindow::computeSpellsPerArea (this=0x3ffdd239800)
    at /var/tmp/portage/games-strategy/heroes3-vcmi-0.92/work/0.92/client/CSpellWindow.cpp:408
408 spellsCurSite = std::vector<SpellID>(spellsCurSite.begin() + currentPage*12, spellsCurSite.end());

(gdb) list
403 std::sort(spellsCurSite.begin(), spellsCurSite.end(), spellsorter);
404 if(selectedTab == 4)
405 {
406 if(spellsCurSite.size() > 12)
407 {
408 spellsCurSite = std::vector<SpellID>(spellsCurSite.begin() + currentPage*12, spellsCurSite.end());
409 if(spellsCurSite.size() > 12)
410 {
411 spellsCurSite.erase(spellsCurSite.begin()+12, spellsCurSite.end());
412 }

(gdb) p spellsCurSite
$1 = std::vector of length 15, capacity 16 = {{num = SpellID::MAGIC_ARROW}, {num = SpellID::BLOODLUST}, {num = SpellID::CURSE}, {num = SpellID::CURE}, {
    num = SpellID::DISPEL}, {num = SpellID::PROTECTION_FROM_WATER}, {num = SpellID::SLOW}, {num = SpellID::DISRUPTING_RAY}, {num = SpellID::LIGHTNING_BOLT}, {
    num = SpellID::PRECISION}, {num = SpellID::PROTECTION_FROM_AIR}, {num = SpellID::REMOVE_OBSTACLE}, {num = SpellID::DESTROY_UNDEAD}, {
    num = SpellID::LAND_MINE}, {num = SpellID::MIRTH}}

(gdb) p currentPage
$2 = 2 '\002'

(gdb) down 3
#4 _M_range_initialize<__gnu_cxx::__normal_iterator<SpellID*, std::vector<SpellID> > > (__last=..., __first=..., this=0x3ffe1494450)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/include/g++-v4/bits/stl_vector.h:1111
1111 this->_M_impl._M_start = this->_M_allocate(__n);

(gdb) p __n
$3 = 18446744073709551607

In other words: the length of the original vector is 15 (in my case) and the code tries to copy items from the 24th to the last. That means a negative length (-9), which turns into a huge unsigned number, causing std::bad_alloc.
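The failure traced above, as an added C++ example that is not VCMI code: `pageRangeLength` reproduces the signed distance the unchecked slice at line 408 computes, `asVectorSize` shows how that distance becomes the `__n` seen in gdb, and `sliceChecked` is one possible hardening that clamps the page remembered from the previous spellbook to the last page the current hero actually has. `SpellID` and `kSpellsPerPage` are stand-ins assumed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

using SpellID = int;                         // stand-in for VCMI's SpellID (assumed)
constexpr std::size_t kSpellsPerPage = 12;   // page size used by the slice at CSpellWindow.cpp:408

// What the unchecked expression computes: the signed distance from
// begin() + page*12 to end(). 15 spells on page 2 gives 15 - 24 = -9.
long long pageRangeLength(std::size_t total, std::size_t page)
{
    return static_cast<long long>(total) - static_cast<long long>(page * kSpellsPerPage);
}

// The vector range constructor takes that distance as size_type, so a
// negative length becomes a huge allocation request: this is the __n in the
// backtrace. (Constructing the real vector from such a range is undefined
// behaviour; this only shows the conversion.)
std::uint64_t asVectorSize(long long len)
{
    return static_cast<std::uint64_t>(len);
}

// Hardening: the page index carried over from a previous spellbook is clamped
// to the last page that exists for the current hero before any slicing.
std::size_t clampPage(std::size_t total, std::size_t page)
{
    std::size_t pages = (total + kSpellsPerPage - 1) / kSpellsPerPage;
    return pages == 0 ? 0 : std::min(page, pages - 1);
}

// Bounds-checked equivalent of lines 406-412: returns the spells of the
// requested page (at most 12) and reports back the page actually used.
std::vector<SpellID> sliceChecked(const std::vector<SpellID>& all, std::size_t& page)
{
    page = clampPage(all.size(), page);
    std::size_t first = page * kSpellsPerPage;
    std::size_t last = std::min(first + kSpellsPerPage, all.size());
    return std::vector<SpellID>(all.begin() + first, all.begin() + last);
}
```

The original guard `if(spellsCurSite.size() > 12)` only checks that more than one page exists, not that `currentPage` still fits the vector; the clamp closes that gap.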
Tags: No tags attached.

Notes

(0004110) beegee (developer), 2013-11-03 18:17
Fixed in revision 3604.

Issue History
Date Modified Username Field Change
2013-03-24 13:20 dev-random New Issue
2013-11-03 18:17 beegee Note Added: 0004110
2013-11-03 18:17 beegee Status new => resolved
2013-11-03 18:17 beegee Fixed in Version => 0.94b
2013-11-03 18:17 beegee Resolution open => fixed
2013-11-03 18:17 beegee Assigned To => beegee
2022-04-12 08:41 Povelitel Status resolved => closed
