[code][bug]King Welmar bug

From: Mike Breuer (mbreuer@new.rr.com)
Date: 10/07/01

After some recent code changes, I began seeing periodic crashes in the
king_welmar SPECIAL in castle.c.  At first I thought I had a buffer
overflow somewhere, but after careful checking, I could find nothing in
my recent changes to cause the crash.  I checked the archives, and a
similar complaint was posted in January, but no solutions.  I believe I
have tracked down the problem.  In my case, the crash was occurring in
perform_act() in comm.c, due to an invalid string being passed from the
king_welmar proc.  Here's a summary of what I believe was causing this.

king_welmar uses three different path variables, declared as const char
arrays.  Welmar will follow one of these three paths depending on time
of day.  The current path is pointed to by static const char *path.  Two
other statics hold other state information.

The problem, I believe, is that this code makes the assumption that the
three path arrays will always exist at the same address in memory.  Many
compilers will take const strings and place them in global memory as a
way to trim duplicates and save allocation time.  If your compiler is
doing this for you, then no bug manifests itself.  It seems that even
under normal circumstances, the arrays do have the same address almost
every time the function is called.

What I think happens is that occasionally, one of the paths begins while
Welmar is fighting, and that when the function is called from a
different place (from perform_violence() in fight.c), the char arrays
end up having different addresses.  I'm not positive on this; it is only
a working theory.  I've put quite a bit of effort into tracking the
problem, which I won't go into here, but will be happy to explain to
anyone who is curious.  All of my data supports this theory.

The fix is to either declare the three path arrays as static, or to
declare the "path" variable as an array of 15 instead of a simple
pointer, and then use strcpy() to populate the path instead of pointing.
I used the first solution and have not had a crash since.
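As an added illustration (not the castle.c code, and with made-up patrol routes), here is a stripped-down walker that shows the shape of the problem and both fixes. The three route arrays have static storage, so their addresses are fixed for the life of the program and a static pointer into them stays valid regardless of which caller runs the SPECIAL; the route is also copied into a static buffer of 15, which is the second fix described above. Everything here, including the route strings and the hour boundaries, is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: three patrol routes and a walker that steps through the
 * route chosen by the hour of day.  Route strings are made up for this demo. */
#define PATH_LEN 15          /* 14 movement characters plus the terminator */

/* Fix 1 (the one adopted in the post): static storage gives each route a fixed
 * address for the whole run.  With automatic (stack) arrays, a static pointer
 * retained across calls would refer to whatever happened to be at that stack
 * slot on the next call, which may differ when the SPECIAL is entered from a
 * different caller, such as perform_violence() instead of the mobile loop. */
static const char morning_path[PATH_LEN] = "nnssee";
static const char day_path[PATH_LEN]     = "wwnn";
static const char night_path[PATH_LEN]   = "ss";

static const char *path = NULL;   /* current route; persists across calls */
static int path_index = 0;        /* position within the current route */

/* Fix 2: keep a private copy of the route in a static buffer, so the walker
 * never reads through a pointer to storage it does not own. */
static char path_copy[PATH_LEN];

static const char *route_for_hour(int hour)
{
    if (hour >= 6 && hour < 12)  return morning_path;
    if (hour >= 12 && hour < 20) return day_path;
    return night_path;
}

/* Returns the next movement command for the given hour, or '\0' once the
 * current route has been walked to its end. */
char welmar_step(int hour)
{
    const char *wanted = route_for_hour(hour);

    /* Pointer comparison is only meaningful because the routes are static:
     * the same route always has the same address. */
    if (path != wanted) {
        path = wanted;
        path_index = 0;
        /* Bounded copy; every route fits PATH_LEN, so strcpy() as in the post
         * would also work, but the bound makes that assumption explicit. */
        strncpy(path_copy, wanted, PATH_LEN - 1);
        path_copy[PATH_LEN - 1] = '\0';
    }
    if (path_copy[path_index] == '\0')
        return '\0';
    return path_copy[path_index++];
}

int main(void)
{
    char c;
    printf("morning walk:");
    while ((c = welmar_step(7)) != '\0')
        printf(" %c", c);
    printf("\nday walk:");
    while ((c = welmar_step(13)) != '\0')
        printf(" %c", c);
    printf("\n");
    return 0;
}
```

The walker's state (`path`, `path_index`, `path_copy`) is shared across every caller, which is why the storage it points into must outlive any single call.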


   | FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
   | Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |

This archive was generated by hypermail 2b30 : 12/06/01 PST