Crash in R_ClipVisSprite portal floorclip code
Encountered a crash in master while playing the Autumn 2021 ULDC v1.3 lobby map. Looks like that function hasn't changed in next, so this hasn't been fixed yet?
Various details from gdb: (I had the debugger attached while playing)
```
R_ClipVisSprite (spr=<optimized out>, spr@entry=0x1bbabc64,
x1=<optimized out>, x1@entry=0, x2=1920, dsstart=0x225a0848,
portal=0x1c2005a0) at r_things.c:2987
2987 if (spr->clipbot[x] > portal->floorclip[x - portal->start])
(gdb) bt
#0 R_ClipVisSprite (spr=<optimized out>, spr@entry=0x1bbabc64,
x1=<optimized out>, x1@entry=0, x2=1920, dsstart=0x225a0848,
portal=0x1c2005a0) at r_things.c:2987
#1 0x005a2d61 in R_ClipSprites (dsstart=0x225a0848,
portal=portal@entry=0x1c2005a0) at r_things.c:3002
#2 0x0058e6b1 in R_RenderPlayerView (player=0x19d9680 <players>)
at r_main.c:1558
#3 0x00436c0d in D_Display () at d_main.c:427
#4 0x00436fca in D_Display () at d_main.c:271
#5 D_SRB2Loop () at d_main.c:745
#6 0x00404f3f in SDL_main (argc=argc@entry=4, argv=argv@entry=0x2f0000)
at sdl/i_main.c:258
#7 0x0061fb1a in main_getcmdline ()
at ../src/main/windows/SDL_windows_main.c:175
#8 0x0061fc15 in WinMain@16 (hInst=0x400000, hPrev=0x0,
szCmdLine=0x6604ab4 "-software -skipintro -console", sw=10)
at ../src/main/windows/SDL_windows_main.c:204
#9 0x00661d1d in main (flags=4, cmdline=0x6821878, inst=0x6821ae0)
at C:/_/M/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crt0_c.c:18
(gdb) p spr
$1 = <optimized out>
(gdb) p portal
$2 = (portal_t *) 0x1c2005a0
(gdb) p spr.clipbot
value has been optimized out
(gdb) p spr.clipbot[x]
value has been optimized out
(gdb) p portal.floorclip
$3 = (int16_t *) 0x1c75e4e8
(gdb) p portal.start
$4 = 1920
(gdb) p x
$5 = 0
(gdb) p portal.floorclip[x - portal.start]
Cannot access memory at address 0x1c75d5e8
(gdb) list
2982
2983 if (portal)
2984 {
2985 for (x = x1; x <= x2; x++)
2986 {
2987 if (spr->clipbot[x] > portal->floorclip[x - portal->start])
2988 spr->clipbot[x] = portal->floorclip[x - portal->start];
2989 if (spr->cliptop[x] < portal->ceilingclip[x - portal->start])
2990 spr->cliptop[x] = portal->ceilingclip[x - portal->start];
2991 }
(gdb) p spr
$6 = <optimized out>
(gdb) p spr@entry
$7 = (vissprite_t *) 0x1bbabc64
(gdb) p spr@entry.mo
There is no member named mo.
(gdb) p spr@entry.mobj
$8 = (mobj_t *) 0x1a99ab20
(gdb) p spr@entry.mobj.type
$9 = MT_THOK
(gdb) p portal.end
$10 = 1920
```
If I understood correctly, the code is trying to access portal->floorclip[-1920].
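The index arithmetic from the gdb session and a clamped form of the loop, as an added example that is not part of the report and is not the project's own fix. The `demo_` types and functions are hypothetical reduced stand-ins, and the example assumes the portal's clip arrays cover the half-open column range [start, end).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, reduced stand-ins for portal_t and vissprite_t. */
typedef struct {
    int start, end;            /* assumption: clip arrays cover columns [start, end) */
    const int16_t *floorclip;  /* end - start entries */
    const int16_t *ceilingclip;
} demo_portal_t;

typedef struct {
    int16_t *clipbot, *cliptop; /* indexed by absolute screen column */
} demo_sprite_t;

/* Byte offset from floorclip that the unclamped index x - start would touch. */
ptrdiff_t demo_unclamped_offset(int x, int start)
{
    return (ptrdiff_t)(x - start) * (ptrdiff_t)sizeof(int16_t);
}

/* Clip only the columns the sprite and the portal share; returns how many. */
int demo_clip_to_portal(demo_sprite_t *spr, int x1, int x2, const demo_portal_t *portal)
{
    int x, n = 0;
    if (!portal)
        return 0;
    if (x1 < portal->start) x1 = portal->start;
    if (x2 > portal->end - 1) x2 = portal->end - 1;
    for (x = x1; x <= x2; x++, n++) {
        int i = x - portal->start;   /* now 0 <= i < end - start */
        if (spr->clipbot[x] > portal->floorclip[i])
            spr->clipbot[x] = portal->floorclip[i];
        if (spr->cliptop[x] < portal->ceilingclip[i])
            spr->cliptop[x] = portal->ceilingclip[i];
    }
    return n;
}

/* Constructed replay of the reported values: x1=0, x2=1920, start=end=1920. */
int demo_reported_case(void)
{
    static int16_t bot[1921], top[1921];
    static const int16_t none[1] = {0};
    demo_sprite_t spr = { bot, top };
    demo_portal_t portal = { 1920, 1920, none, none };
    return demo_clip_to_portal(&spr, 0, 1920, &portal);
}

int main(void) { return demo_reported_case() == 0 ? 0 : 1; }
```

The unclamped offset for x = 0 and start = 1920 is -3840 bytes (0xF00), which is exactly the distance between `portal.floorclip` (0x1c75e4e8) and the faulting address 0x1c75d5e8 in the session above.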