Print a message, send bulletin to owner. Affects ship key 'W', land
unit key 'W', and plane key 'f'. The message is necessary to give the
deity a chance to catch unexpected changes, e.g. a player modifying
retreat conditions right before the deity edits them. Watching out
for such changes is especially important with non-interactive edit.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Teleport planes and land units to carrier on load
Edit lets deities load units onto remote carriers, resulting in a
carriers having cargo in another sector. Not good. Cargo gets
teleported to its carrier belatedly when the carrier moves.
Better let edit take care of the teleport.
Also tell the deity that he just caused a teleport. Necessary to give
the deity a chance to catch unexpected changes, e.g. a player moving a
plane right before the deity edits it. Watching out for such changes
is especially important with non-interactive edit.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Report loading/unloading of planes & land units properly
Print a message, send bulletin to owner. Affects plane keys 's', 'y',
and land unit keys 'S', 'Y'. The message is necessary to give the
deity a chance to catch unexpected changes, e.g. a player loading a
plane right before the deity edits it. Watching out for such changes
is especially important with non-interactive edit.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Report unit loss and gain properly for unit key 'O'
Print a message describing the actual change. Necessary to give the
deity a chance to catch unexpected changes, e.g. a player boarding a
ship right before the deity edits it. Watching out for such changes
is especially important with non-interactive edit.
Code already sends bulletins. Also report news.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Report ship and land unit commodity change properly
Print a message describing the actual change. Necessary to give the
deity a chance to catch unexpected changes, e.g. a player unloading
stuff right before the deity edits it, leaving fewer items than the
deity intends to take. Watching out for such changes is especially
important with non-interactive edit.
Send bulletin to owner and report news exactly like the give command.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Print "unchanged" instead of "changed from X to X". Affects edit,
setresource, setsector. Suppress bulletin and news. Affects only
edit sector key 'L'.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Key 'L' copies the source sector to a destination sector. Bug: it
doesn't copy, it messes up the source sector badly instead, and can
smash the stack on some machines.
Root cause: doland() passes § instead of sect to ef_set_uid().
Impact:
1. ef_setuid() clobbers a few bytes at §.
When the bitfield and uid fit into sizeof(sect) bytes, it clobbers
just sect, which has no effect, because doland() returns without
using it again. This is the case on a typical 64-bit machine: bit
field and uid are both 4 bytes, sizeof(sect) is 8.
When they don't fit, whatever is adjacent to sect gets clobbered.
On a typical 32-bit machine with stack growing down, that's p.
Again, no effect, because doland() returns without using it again.
With stack growing up, it could well be the return address,
crashing the server.
2. ef_setuid() fails to update *sect. Impact (when we survive 1):
sect->sct_uid remains unchanged. putsect() writes to the source
sector instead of the destination sector, clobbering the source's
sct_x, sct_y. Breaks invariant sctoff(sct_x, sct_y) == sct_uid!
Subsequent edits are all applied to the source sector.
sect->sct_seqno remains unchanged. No effect, because we write to
the source sector, and the unchanged sequence number is the right
one there.
edit, setresource and setsector report change in three ways:
* Print a message.
* Send a bulletin to the changed object's owner. This should be done
if and only if the change is visible to the owner, e.g. in census or
xdump.
* Report divine aid in news. This should be done if and only if a
bulletin was sent, except for changes that are neither negative nor
positive, such as changing the distribution sector.
Fix the places that don't get it right for sectors:
cmd key sctstr member before after notes
-------------------------------------------------
edit l O sct_oldown -- B-
edit l F sct_fallout -- BN 1
edit l M sct_mines -- BN 2 3
edit l D sct_dist_x,y -- B- 1
edit l s sct_type -- B- 1
edit l S sct_newtype -- B- 1
setse ow sct_own B- BN
setse ol sct_oldown -- B-
setse e sct_effic -- BN 2
setse mo sct_mobil -- BN 2
setse a sct_avail -- BN 2
setse w sct_work -- BN 2
The two characters in columns before, after show whether the command
sends a bulletin (B) or not (-), and whether it reports news (N) or
not (-).
Notes:
1. Printed message massaged slightly for consistency with other keys.
2. Printed message improved to show the old value, too. Necessary to
give the deity a chance to catch unexpected changes, e.g. a player
laying mines right before the deity edits them. Watching out for
such changes is especially important with non-interactive edit.
3. Bulletin and news suppressed for occupied sectors.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
setsector() reads the first two characters unconditionally. Wrong if
the first character is NUL. The second character read isn't actually
used then. Screwed up in Chainsaw.
When getstarg() returns an empty string, it's always in the buffer
passed as third argument. Thus, reading the second character is
actually safe.
Clean it up anyway.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
setsector: Don't disclose number of landmines to occupier
When the deity sets the number of mines with setsector, the sector
owner (if any) is told the resulting number of mines. Even for
occupied sectors, where mines belong to the old owner, and thus
shouldn't be disclosed. Oops.
Fix setsector not to tell the sector owner anything then.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Option GODNEWS is documented to be about deities giving or taking
things from players. Nevertheless, edit, give, setsector and
setresource report news of deities meddling with things owned by
deities other than POGO. Don't.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
In the beginning, all bulletins came from POGO. Chainsaw changed edit
and give to send them from the deity using the command. Its new
command setresource sent from POGO regardless. Its new command
setsector did both.
Go back to sending them only from POGO.
Some of the affected bulletins don't mention the acting deity. Reword
them so they do.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Empty key arguments work fine when passed as command arguments, but
not interactively. For example, 'edit s 42 R ""' clears the retreat
path, but in an interactive 'edit s 43', 'R ""' sets it to "".
In Empire 1, omitting the argument made it empty. Empire 2 turned
that into an error without providing an alternative.
Switch to the common command parser, so that quoting works, and "" is
parsed as empty argument.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
give: Report number given when less than requested amount
Necessary to give the deity a chance to catch unexpected changes,
e.g. a player moving away stuff right before a give command, leaving
fewer items than the deity intends to take.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
give: Fix integer overflows on silly third arguments
give() silently caps the resulting number of items to 0..ITEM_MAX.
However, its test for "< 0" suffers integer overflow on two's
complement machines (i.e. practically everywhere) when the amount
argument is INT_MIN. give() proceeds as if the result was in range:
it sets the number of items to (short)(n + INT_MIN), telexes the owner
that INT_MIN items were stolen (obviously bogus), and tells the deity
that there are now n + INT_MIN items in X,Y.
On common machines, (short)(n + INT_MIN) == n, i.e. nothing is given.
On an oddball machine with short as wide as int, the cast to short
does nothing, item_prewrite() oopses, and corrects the number of items
to zero.
In both cases, output and telegram lie.
Likewise, its test for "> ITEM_MAX" suffers integer overflow for
sufficiently big amount arguments. Again, give() proceeds as if the
result was in range: it sets the number of items to (short)(n + amt),
telexes the owner that -amt items were stolen (obviously bogus), and
tells the deity that there are now close to INT_MIN items in X,Y.
On common machines, (short)(n + amt) = n + INT_MAX - amt - 1,
i.e. some items are stolen.
On an oddball machine with short as wide as int, the cast to short
does nothing, item_prewrite() oopses, and corrects the number of items
to zero.
Again, output and telegram lie.
Aside: setsector can suffer similar overflows, but it reports the
resulting change correctly. Good enough.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Don't permit putting a land unit or plane on two carriers
Only one of struct lndstr members lnd_ship, lnd_land may be
non-negative. When a deity screws that up, the server oopses. Be
nice: when setting one, zap the other.
Same for struct plnstr members pln_ship, pln_land.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
cmd key struct member wrong correct notes
-------------------------------------------------
edit l m sct_mobil 255 127 1
t sct_ptime 255 32767
edit c b nat_btu 1024 max_btus
edit p m pln_mobil 255 127 1
edit u F lnd_harden 255 127 1
Missing bounds supplied, arguments out of bounds are silently clipped
unless noted otherwise:
cmd key struct member bounds notes
---------------------------------------------------
edit c t nat_tgms 0 USHRT_MAX 2
m nat_reserve 0 INT_MAX
T... nat_level[] 0 infinity
edit s a shp_pstage 0 PLG_EXPOSED 3
b shp_ptime 0 32767
M shp_mobil -127 127
c... shp_item[] 0 load limit 4
edit u Y lnd_land -1 size of table 5
M lnd_mobil -127 127
S lnd_ship -1 size of table 5
Z lnd_retreat 0 100
c... lnd_item[] 0 load limit 4
edit p r pln_range 0 max range
s pln_ship -1 size of table 5
y pln_land -1 size of table 5
Notes:
1. Values between SCHAR_MAX and 255 were cast to signed char, changing
the sign.
2. The real upper bound is the number of telegrams in the mailbox, but
counting them isn't worth it.
3. This check is particularly important, because values out of bounds
make the server refuse to start without -F, and empdump -x warn
"export has errors, not importable as is".
4. Values outside 0..ITEM_MAX got caught and clipped by
item_prewrite(). This check avoids the oops, and tightens the upper
bound for units.
5. Argument out-of-bounds are rejected. This check is particularly
important, because unit numbers beyond the size of the table trigger
oopses.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Fix and unify handling of invalid country numbers
Negative numbers and numbers greater or equal than MAXNOC are invalid.
edit handles such arguments inconsistently:
cmd key struct member arg < 0 arg >= MAXNOC
---------------------------------------------------
edit l o sct_own reject MAXNOC - 1
O sct_oldown reject MAXNOC - 1
X sct_che_target 0 MAXNOC - 1
edit s O shp_own cast skip
edit u O lnd_own cast skip
edit p O pln_own cast skip
Legend:
0 replace arg by 0
MAXNOC - 1 replace arg by MAXNOC - 1
reject command fails
cast replace arg by (natid)arg
bug: can be >= MAXNOC!
skip ignore this key and arg
bug: telexes the owner he lost the unit, which is a lie
Unify to reject. Matches setsector.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
cname() calls getnatp(), and returns a null pointer when it fails.
Some systems (GNU, Windows) deal gracefully with printing null
strings, others crash.
Because we keep table EF_NATION entirely in memory, getnatp() should
fail only on invalid country number.
Rewrite prnatid() to catch this error and recover.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
edit: Rename some of helpers, and reorder parameters
doland() edits a sector, not a land unit. That one's called dounit().
Lacks taste. Call the helper for editing a FOO edit_FOO(), and make
the FOO * the first parameter instead of the last.
Rename the print helpers to print_FOO(), for consistency. Also frees
up identifier prnat for the next commit.
While there, clean up an unused #define.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
tests/actofgod: New, disabled for now because it oopses
This is a fairly comprehensive test of the deity commands to edit game
state: edit, setresource, setsector, give, swapsector.
The test makes edit screw up game state, triggering oopses. The
server refuses to start without -F then, and empdump -x warns "export
has errors, not importable as is". Until these bugs are fixed, skip
this test in "make check".
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
tests: Capture player output via journal instead of client
Capturing the client's output tests both client and server, which is
nice. However, player input isn't visible in the resulting file,
which makes it more difficult to understand.
Route player output to journal (econfig key "keep_journal 2"), and
ignore client output.
Separate tests for the client would be useful.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
satmap: Separate and align columns in output properly
Land unit coordinates run into efficiency in output of satellite when
the y coordinate is wider than three characters. Broken in Empire 2.
Restore the separating space.
Both ship and land unit table header aren't aligned with the table
body. Affects recon and sweep with spy planes, and satellite. Fix
the header.
Reported-by: William Fittge <ptkei2@gmail.com> Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
doc/coding section "git" is now redundant, except for the note on
avoiding whitespace changes. Move that to section "Code formatting",
and delete section "git".
Fix read beyond end of conditional argument on missing operand
nstr_parse_val() interprets argument "" as (empty) identifier, then
returns a pointer right beyond the end of the string.
The argument points into player->argbuf[]. If another argument
follows the conditional, it gets appended to the conditional. Else,
whatever's left there from previous commands gets appended. If the
argument is at the very end of player->argbuf[], we parse beyond the
buffer, until we run into a syntax error, or a zero byte.
Since player->argbuf[] is followed by a bunch of pointers, a syntax
error is almost certain. If we somehow manage to parse all the
pointers and player->lasttime, the runaway parse will end at
player->btused, because that's definitely zero when conditionals get
parsed.
Consistently require guns for dropping depth charges
The fire command requires at least one gun for depth charging, but
missions and return fire don't. Has always been that way, except
between 4.0.6 and commit a3ad623 (v4.3.12), when depth charging worked
exactly like gun fire, and guns were consistently required.
Change econfig key rollover_avail_max from 0 to 50
So you don't have to micromanage workers to maximize useful work.
The previous commit made the problem a bit worse. If you had a few
workers too many before, you perhaps produced an extra unit. Now, you
get to keep the extra work instead. Useless, unless it rolls over.
produce() limits production to how many units the workers can produce,
rounding randomly. It charges work for the units actually produced,
discarding fractions.
If you get lucky with the random rounding, you may get a bit of extra
work done for free. Else, you get to keep the unused work, and may
even be undercharged a tiny bit of work. Has always been that way.
The production command assumes the random rounding rounds up if and
only if the probability to do so is at least 50%. Thus, it's
frequently off by one for sectors producing at their worker limit.
The budget command runs the update code, and is therefore also off by
one, only differently.
Rather annoying for tech and research centers, where a single unit
matters. A tech center with full civilian population can produce 37.5
units in 60 etus. Given enough materials, it'll fluctuate between 37
and 38. Production consistently predicts 38, and budget randomly
predicts either 37 or 38. Both are off by one half the time.
Fix this as follows: limit production to the amount the workers can
produce (no rounding). Work becomes a hard limit, not subject to
random fluctuations. Randomly round the work charged for actual
production. On average, this charges exactly the work that's used.
More importantly, production and budget now predict how much gets
produced more accurately. They're still not exact, as the amount of
work available for production remains slightly random.
This also "fixes" the smoke test on a i686 Debian 6 box for me. The
root problem is that floating-point subexpressions may either be
computed in double precision or extended precision. Different
machines (or different compilers, or even different compiler flags)
may use different precision, and get different results.
Example: producing 108 units at one work per unit, sector p.e. 0.4
needs to charge 108 / 0.4 work. Computed in double precision, this
gets rounded to 270.0, then truncated to 270. In 80 bit extended
precision, it gets rounded to 269.999999999, then truncated to 269.
With random rounding instead of truncation, the probability for a
different result is vanishingly small. However, this commit
introduces truncation in another place. It just happens not to mess
up the smoke test there. I doubt this is the last time this kind of
problem upsets the smoke test.
Fix xdump nat column ip for connections from "long" IPv6 addresses
Broken in commit 3a7d7fa, which enlarged struct natstr member
nat_hostaddr[] from 32 to 46 characters, but neglected to update the
ca_len in nat_ca[]. Consequently, the address is truncated in xdump.
Can also break country * ?ip=... and such, but that's exotic.
Fix five year old show stopper bugs on big endian hosts
emp_server and empdump refuse to start on most big endian hosts,
because ef_verify_config() chokes on mdchr_ca[]:
Config meta uid 0 field type: value 0 is not in symbol table meta-type
Config meta uid 1 field type: value 0 is not in symbol table meta-type
Config meta uid 2 field type: value 0 is not in symbol table meta-type
Config meta uid 3 field type: value 0 is not in symbol table meta-type
Config meta uid 4 field type: value 0 is not in symbol table meta-type
Broken in commit 06a0036 (v4.3.12), which changed struct castr member
ca_type from packed_nsc_type (typedef'ed to char) to enum nsc_type,
but neglected to update the ca_type in mdchr_ca[].
On little endian hosts, the selector reads the least significant byte,
with sign extension. Happens to work, because the type values are all
sufficiently small integers.
On big endian hosts, the selector reads the most signiciant byte.
which is always zero (NSC_NOTYPE). Makes ef_verify_config() fail.
Except when sizeof(enum nsc_notype) == 1. Then selector type works
fine, and ef_verify_config() succeeds, but we run into the next
problem: the same commit also changed member ca_flags from nsc_flags
(typedef'ed to unsigned char) to int without updating the ca_type in
mdchr_ca[]. This breaks "only" xdump meta column flags.
v4.3.12 was released in April 2008. Either nobody has tried to run a
game on a big endian host since, or all who did gave up quietly,
without reporting the problem.
We clearly need to test on a wider range of machines.
Broken in commit 14ea670 (v4.3.8), which changed struct trdstr member
trd_type from char to short, but neglected to update the ca_type in
trade_ca[].
On little endian hosts, the selector reads the least significant byte,
with sign extension. Happens to work, because the type values are all
sufficiently small integers.
On big endian hosts, the selector reads the most signiciant byte,
which is always zero (EF_SECTOR). Messes up xdump trade badly.