chocolate-doom
"Use of uninitialised value of size 8" in Freedoom Phase 1
Background
Version of Chocolate Doom: 40e600b
Operating System and version: Ubuntu 19.10
Game: Doom
Any loaded WADs and mods (please include full command line): freedoom1.wad
Bug description
Observed behavior: Start Freedoom Phase 1 and let the demo play out. This memory error will occur:
==13561== Use of uninitialised value of size 8
==13561== at 0x156D13: R_DrawColumn (r_draw.c:139)
==13561== by 0x15951D: R_RenderSegLoop (r_segs.c:336)
==13561== by 0x159B5C: R_StoreWallRange (r_segs.c:711)
==13561== by 0x16509A: R_ClipPassWallSegment (r_bsp.c:218)
==13561== by 0x16548B: R_Subsector (r_bsp.c:538)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
==13561== by 0x165533: R_RenderBSPNode (r_bsp.c:576)
Expected behavior: No memory error.
With origin tracking:
Use of uninitialised value of size 8
at 0x153A73: R_DrawColumn (r_draw.c:139)
by 0x1561DD: R_RenderSegLoop (r_segs.c:336)
by 0x15681C: R_StoreWallRange (r_segs.c:711)
by 0x1617BA: R_ClipPassWallSegment (r_bsp.c:218)
by 0x161B9B: R_Subsector (r_bsp.c:538)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
by 0x161C3F: R_RenderBSPNode (r_bsp.c:576)
Uninitialised value was created by a heap allocation
at 0x483577F: malloc (vg_replace_malloc.c:309)
by 0x11D4E8: AutoAllocMemory (i_system.c:113)
by 0x11D4E8: I_ZoneBase (i_system.c:153)
by 0x1382BD: Z_Init (z_zone.c:106)
by 0x13B6AD: D_DoomMain (d_main.c:1240)
by 0x11D040: main (i_main.c:66)
This is nasty. Something is clearly left uninitialized but it's hard to track because of the memory pooling. It might be possible to narrow this down by cooperating with Valgrind and marking the zone alloc/dealloc function with appropriate Valgrind macros.
It might be possible to narrow this down by cooperating with Valgrind and marking the zone alloc/dealloc function with appropriate Valgrind macros.
Indeed this would be incredibly helpful. Any idea how to do this with Valgrind? It is currently close to impossible to detect invalid writes into Z_Malloc()d memory.
http://valgrind.org/docs/manual/mc-manual.html#mc-manual.mempools
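One way to apply the mempool client requests from that manual page, as an added example and not Chocolate Doom's own code: a hypothetical, simplified zone (one block carved sequentially, freed chunks never reused) wrapped in the memcheck.h macros, with no-op fallbacks so the same file builds without Valgrind's headers.

```c
#include <stdlib.h>

/* Valgrind instrumentation is optional: same code, with or without memcheck.h. */
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define HAVE_VALGRIND 1
#  endif
#endif
#ifndef HAVE_VALGRIND  /* no-op fallbacks */
#  define VALGRIND_CREATE_MEMPOOL(p, rz, z) ((void)0)
#  define VALGRIND_DESTROY_MEMPOOL(p)       ((void)0)
#  define VALGRIND_MEMPOOL_ALLOC(p, a, n)   ((void)0)
#  define VALGRIND_MEMPOOL_FREE(p, a)       ((void)0)
#  define VALGRIND_MAKE_MEM_NOACCESS(a, n)  ((void)0)
#endif

/* Hypothetical simplified zone: one malloc'd block carved sequentially;
   freed blocks are never reused (unlike the real Z_Malloc/Z_Free). */
typedef struct { unsigned char *base; size_t size, used; } zone_t;
#define ZONE_ALIGN   8
#define ZONE_REDZONE 16  /* unallocated gap kept before every block */

zone_t *zone_create(size_t size) {
    zone_t *z = malloc(sizeof *z);
    if (z == NULL) return NULL;
    if ((z->base = malloc(size)) == NULL) { free(z); return NULL; }
    z->size = size; z->used = 0;
    /* Register the pool; all of it is unaddressable until zone_alloc hands it out. */
    VALGRIND_CREATE_MEMPOOL(z->base, 0, 0);
    VALGRIND_MAKE_MEM_NOACCESS(z->base, size);
    return z;
}

void *zone_alloc(zone_t *z, size_t n) {
    size_t start = (z->used + ZONE_REDZONE + ZONE_ALIGN - 1) & ~(size_t)(ZONE_ALIGN - 1);
    if (n == 0 || n > z->size || start > z->size - n) return NULL;
    void *p = z->base + start;
    z->used = start + n;
    /* [p, p+n) becomes addressable but undefined: reading a byte nobody wrote,
       or one past n (the gap stays unaddressable), is now reported. */
    VALGRIND_MEMPOOL_ALLOC(z->base, p, n);
    return p;
}
void zone_free(zone_t *z, void *p) {  /* chunk becomes unaddressable again */
    if (p != NULL) VALGRIND_MEMPOOL_FREE(z->base, p);
}
void zone_destroy(zone_t *z) {
    if (z == NULL) return;
    VALGRIND_DESTROY_MEMPOOL(z->base); free(z->base); free(z);
}
```

With the pool registered this way, an out-of-bounds or uninitialised read inside the zone is attributed to the individual chunk (with its allocation stack under --track-origins=yes) instead of to the single large block from I_ZoneBase.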
Stack trace with memory pool disabled:
Invalid read of size 1
at 0x158B48: R_DrawColumn (r_draw.c:139)
by 0x15B1DD: R_RenderSegLoop (r_segs.c:336)
by 0x15B796: R_StoreWallRange (r_segs.c:711)
by 0x166BBA: R_ClipPassWallSegment (r_bsp.c:218)
by 0x166F8B: R_Subsector (r_bsp.c:538)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
Address 0x16cf0af7 is 15 bytes after a block of size 552 alloc'd
at 0x48407B5: malloc (vg_replace_malloc.c:381)
by 0x13A3C1: Z_Malloc (z_native.c:262)
by 0x157A7A: R_GenerateComposite (r_data.c:242)
by 0x157DE4: R_GetColumn (r_data.c:395)
by 0x15B1D0: R_RenderSegLoop (r_segs.c:334)
by 0x15B796: R_StoreWallRange (r_segs.c:711)
by 0x166F8B: R_Subsector (r_bsp.c:538)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
by 0x16702F: R_RenderBSPNode (r_bsp.c:576)
It's reading entirely outside the buffer. This just keeps getting worse...
Could this be a Medusa?