
floor sanity no_charge obj not inside tended shop! 60b0007b8050 floor: 2 uncursed +'s {10} #15

Open
elunna opened this issue Jan 1, 2024 · 0 comments


elunna commented Jan 1, 2024

Found while fuzzing, no rr recording.

Suddenly, the dungeon collapses.
floor sanity no_charge obj not inside tended shop! 60b0007b8050 floor: 2 uncursed +'s {10}
  Generating more information you may report:

(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737339570112)
    at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737339570112)
    at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737339570112, signo=signo@entry=6)
    at ./nptl/pthread_kill.c:89
#3  0x00007ffff7282476 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/posix/raise.c:26
#4  0x00007ffff72687f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000555555943e82 in NH_abort (
    why=0x7fffffffd1f0 "floor sanity no_charge obj not inside tended shop! 60b0007b8050 floor: 2 uncursed +'s {10}") at end.c:212
#6  0x0000555555946c31 in panic (str=0x555556031e20 "%s") at end.c:946
#7  0x0000555555bec7c4 in impossible (
    s=0x555555fd0e20 "%s no_charge obj not inside tended shop! %s %s: %s")
    at pline.c:532
#8  0x0000555555a99f7b in insane_object (obj=0x60b0007b8050, 
    fmt=0x555555fd0e20 "%s no_charge obj not inside tended shop! %s %s: %s", 
    mesg=0x555555fd0540 "floor sanity", mon=0x0) at mkobj.c:3162
#9  0x0000555555a9919d in shop_obj_sanity (obj=0x60b0007b8050, 
    mesg=0x555555fd0540 "floor sanity") at mkobj.c:3041
#10 0x0000555555a98489 in objlist_sanity (objlist=0x60b0002a9540, wheretype=1, 
    mesg=0x555555fd0540 "floor sanity") at mkobj.c:2935
#11 0x0000555555a9774f in obj_sanity_check () at mkobj.c:2838
#12 0x00005555558021d8 in sanity_check () at cmd.c:4278
#13 0x0000555555769ad9 in moveloop_core () at allmain.c:184
#14 0x000055555576c478 in moveloop (resuming=0 '\000') at allmain.c:574
#15 0x0000555555e71241 in main (argc=4, argv=0x7fffffffe4a8)
    at ../sys/unix/unixmain.c:310


(gdb) p gt.toplines
$1 = "It's solid stone.", '\000' <repeats 282 times>

(gdb) p *obj
$2 = {nobj = 0x60b000b7e8f0, v = {v_nexthere = 0x0, v_ocontainer = 0x0, 
    v_ocarry = 0x0}, cobj = 0x0, o_id = 5569303, ox = 73, oy = 4, otyp = 285, 
  owt = 10, quan = 2, spe = 90 'Z', oclass = 7 '\a', invlet = 68 'D', 
  oartifact = 0 '\000', where = 1 '\001', timed = 0, cursed = 0, blessed = 0, 
  unpaid = 0, no_charge = 1, known = 1, dknown = 1, bknown = 1, rknown = 1, 
  oeroded = 0, oeroded2 = 0, oerodeproof = 0, olocked = 0, obroken = 0, 
  otrapped = 0, recharged = 0, lamplit = 0, globby = 0, greased = 0, 
  nomerge = 0, how_lost = 2, in_use = 0, bypass = 0, cknown = 0, lknown = 0, 
  pickup_prev = 0, ghostly = 0, corpsenm = -1, usecount = 0, oeaten = 0, 
  age = 5842376, owornmask = 0, lua_ref_cnt = 0, omigr_from_dnum = 0, 
  omigr_from_dlevel = 0, oextra = 0x0}
(gdb) 

Obj appears to be a slime mold

elunna pushed a commit that referenced this issue Dec 23, 2024
If freedynamicdata() gets called twice, for whatever reason, a "double free" can occur.

warning: 44     ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7c8b26e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7c6e8ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7c6f7b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7e148d7 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:132
#6  0x00007ffff7ceefe5 in malloc_printerr (str=str@entry=0x7ffff7e17bf0 "free(): double free detected in tcache 2")
    at ./malloc/malloc.c:5772
#7  0x00007ffff7cf154f in _int_free (av=0x7ffff7e49ac0 <main_arena>, p=<optimized out>, have_lock=0)
    at ./malloc/malloc.c:4541
#8  0x00007ffff7cf3d9e in __GI___libc_free (mem=0x555555ad82a0) at ./malloc/malloc.c:3398
#9  0x00005555557c12e9 in free_rect () at rect.c:48
#10 0x00005555557d77a2 in freedynamicdata () at save.c:1240
#11 0x0000555555682754 in nh_terminate (status=0) at end.c:1671
#12 0x000055555589af15 in opt_terminate () at ../sys/unix/unixmain.c:768
#13 0x000055555589af7a in after_opt_showpaths (dir=0x0) at ../sys/unix/unixmain.c:796
#14 0x0000555555693dd9 in do_deferred_showpaths (code=0) at files.c:4491
#15 0x0000555555778405 in initoptions () at options.c:6948
#16 0x0000555555899cd9 in main (argc=2, argv=0x7fffffffdad8) at ../sys/unix/unixmain.c:151
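The commit message above attributes the crash to freedynamicdata() being entered twice, so the same heap block reaches free() a second time. As an added illustration (not code from the variant's rect.c or save.c), the block below models a hypothetical rectangle pool with an unguarded teardown beside an idempotent one; the names init_rect, free_rect_unsafe, free_rect_safe and free_dynamic_data are assumptions made for this example, and the double-free message in the comment is the glibc tcache check seen in the backtrace.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a dynamically allocated rectangle pool
 * (assumption for this example, not the game's real rect.c). */
struct rect { int lx, ly, hx, hy; };

static struct rect *rects = NULL;   /* heap-allocated pool, or NULL when absent */
static int rects_cap = 0;

/* Allocate the pool. Returns 1 on success, 0 on allocation failure.
 * A second call with the pool already present leaves it untouched. */
int init_rect(int cap)
{
    if (rects != NULL)
        return 1;
    rects = calloc((size_t) cap, sizeof *rects);
    if (rects == NULL)
        return 0;
    rects_cap = cap;
    return 1;
}

/* Unguarded teardown in the style that produces the crash above:
 * the pointer is handed to free() but never cleared, so a second call
 * passes the same address again and glibc aborts with
 * "free(): double free detected in tcache 2". Shown for contrast only. */
void free_rect_unsafe(void)
{
    free(rects);
}

/* Idempotent teardown: release once, then null the pointer so any
 * later call is a no-op (free(NULL) is defined to do nothing).
 * Returns 1 if memory was actually released, 0 if there was nothing to free. */
int free_rect_safe(void)
{
    if (rects == NULL)
        return 0;
    free(rects);
    rects = NULL;
    rects_cap = 0;
    return 1;
}

/* Cleanup driver modelled on a freedynamicdata()-style routine that may
 * be reached twice from the exit path. Because each pool's teardown is
 * idempotent, a repeat call releases nothing instead of double freeing.
 * Returns the number of pools released on this call. */
int free_dynamic_data(void)
{
    int released = 0;
    released += free_rect_safe();
    /* further pools would be released here, each with the same guard */
    return released;
}

int main(void)
{
    if (!init_rect(8))
        return 1;
    int first = free_dynamic_data();    /* 1: pool released */
    int second = free_dynamic_data();   /* 0: nothing left, no double free */
    return (first == 1 && second == 0) ? 0 : 1;
}
```

The fix that matters is clearing the pointer at the point of release, not adding a flag at the caller: a flag in nh_terminate() would protect one path, while a nulled pointer protects every path that reaches the teardown.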