The initial parts of struct loststr and struct empobj must match.
Commit 49780e2c screwed that up for members lost_uid/uid, which also
broke the equivalence of lost_owner/own. Since lost_uid is not used,
the former had no effect. But the latter broke xdvisible(). Could
make xdump lost leak information.
Commit a680c811 reordered struct loststr members to make lost_timestamp
equivalent to new struct empobj member timestamp, but failed due to
the bug in commit 49780e2c. Commit f33b96b1 then set the timestamp
through empobj, which screwed up timestamps in lostitems, i.e. it
broke incremental xdump lost.
Output often arrives in chunks other than lines. Hard to read in the
journal. Delay journalling until we got a full line or our buffer is
exhausted. This is less precise, but it'll do for now.
Use country number as journal thread ID when possible
Before, we used the value of empth_thread(). That can be mapped to
countries by tracking login and logout. Easy for machines (except
when the journal is rotated while players are logged in), but tedious
for humans.
Quick version for Hvy Metal II. Needs further work for the stock
code.
Commit 79407e68 (v4.3.11) changed recvclient() to keep failing after
receiving EOF from player. This was bad, because some places getting
input check player->aborted instead of recvclient() failure, and
player->aborted wasn't set on EOF. Bugs caused by this:
* comm_bomb(), ship_bomb(), plane_bomb(), land_bomb() went into an
  infinite loop that eventually ate all memory.
* deli(), desi(), dist(), fly(), morale(), zdon(), att_prompt(),
  ask_move_in() interpreted EOF as empty input instead of no more
  input.
Change status() to check player->eof instead of io_error() and
io_eof(). Ignore value of command().
(cherry picked from commit 9c5854c8c93979c1744c97c90df672070e080a99)
Oops when player thread keeps reading input unsuccessfully
Reading input fails after EOF and while the current command is
aborted. Commands should detect that and fail. If a command neglects
to do that in a loop, the loop can become infinite. This is
especially bad after EOF, because then the client might not read
output anymore. Output gets buffered until memory runs out.
Mitigate such bugs by counting how many calls have failed in a row,
oopsing on the 256th, and sleeping one minute from the 256th on.
(cherry picked from commit 49c24d7b78d728f84ab4932572914aab71ddbc1e)
fly() reads the carrier, then passes it to pln_dropoff(), which writes
it back. fly() also calls pln_oneway_to_carrier_ok(), which updates
the carrier when its plane summary information is incorrect.
The old code called it between reading the carrier and passing it to
pln_dropoff(). This made pln_dropoff() wipe out the plane summary
update, and triggered a seqno mismatch oops. Broken by introduction
of pln_oneway_to_carrier_ok() in commit 1127762c, v4.2.17.
Missile interdiction leaves behind used up missiles with the
PLN_LAUNCHED flag set. This can lead to a bogus warning from
pln_zap_transient_flags() on server restart.
Fix flying commands not to let planes do double duty as escorts
Commit 7ca4f412 (v4.3.12) marked planes flying a sortie with
PLN_LAUNCHED, and made pln_arm() reject planes with that flag set.
This was designed to reject escorts that were already flying as
bombers. It didn't work, because the test for PLN_LAUNCHED used a
stale copy of the plane created by pln_sel(). Fix by getting a fresh
copy.
The bug always existed, but the botched fix in commit 7ca4f412 made it
worse. Before, ac_encounter() dropped escorts that were also bombers,
so the bug merely wasted plane fuel. After, such planes were
effectively duplicated, and damage to one of them, usually the bomber,
was wiped out. Abusable.
(cherry picked from commit 801780043fd2629b0859013d12caada2e8060688)
Fix seqno mismatch and use-after-free in shp_sweep()
The code wrote the swept sector after calling shp_check_one_mines().
This failed to use up the mine that hit the minesweeper, and triggered
a seqno mismatch oops.
The code wrote the minesweeper after calling shp_check_one_mines().
This used freed memory when the minesweeper got sunk there.
Don't unlimber when guns unsuccessfully try to fire
This happened when fire command failed because the gun lacked shells,
and when other ways to fire failed because the gun was inefficient,
embarked, lacked mil, guns or shells.
Don't let non-light units board ships that can't carry them
ask_olist() let non-light land units board ships that can carry only
light units. If the board succeeds, the non-light units move onto the
ship and then are stuck there.
(cherry picked from commit 6d38a0493032b3b13adbbcbd07b65663e7368be3)
perform_mission() needs to know whether it is targeting ships or
something else, because the rules differ: submarines interdict only
ships, land units get their damage reduced when interdicting ships,
and different news are generated.
The old code assumed it was targeting ships when the target sector was
sea. Wrong when interdicting ships in harbors, bridges and such.
This has always been broken. Except when checking a submarine's
target: there it tested argument s, which is gross, but at least it
works. That code was added in v4.0.8.
Replace the broken test by the gross hack everywhere. This fixes news
and damage from land units when ships get interdicted in non-sea
sectors.
(cherry picked from commit 3e251b474fb90089c15ea8b5ece4c4f74962d0c0)
Commit 092a52f2 (v4.3.4) removed the code to estimate defense, because
the use of the estimate had been disabled since v4.0.0. This
accidentally removed the reporting of defending units, because
get_dlist() reported them when called for an estimate, and not when
called for real.
Fix by removing the unused estimate capability from get_dlist(). It
now reports defending units always.
(cherry picked from commit 64f44e99044a8b28b8631a27fc882a959f737f84)
Avoid seqno mismatch oops in recursive land unit supply
Before s_commod() attempts to recursively supply a supply unit it
wants to use as supply source, it zaps the unit's load. When
actually_doit is false, it later restores the old load by overwriting
the change with a saved copy of the unit. That triggers a seqno
mismatch oops.
The value of diffx() had the wrong sign when the arguments differed by
WORLD_X / 2. Same for diffy() and WORLD_Y / 2. satmap() used them to
find the vector from map center to ship or land unit to put on the
map, and got incorrect values for ships and land units directly
opposite to the center in x or y. The bug made satmap() read a
pointer out of bounds of its malloced radbuf[], and then write through
that with unpredictable consequences.
Broken in 4.2.12. The original bug was in Empire 1.1: it
miscalculated where to put ships on the map (no crash). An incomplete
fix for radmap() and satmap() appeared in Chainsaw 2 (still no crash).
radmap() got fixed correctly in Chainsaw 3, but satmap() was
forgotten. That one got "fixed" in 4.2.7, and again in 4.2.12, but
both "fixes" were flawed and could crash.
Broken in commit 5f764285 (v4.3.12) for negative multiples of WORLD_X
and WORLD_Y, respectively.
This could theoretically lead to buffer overruns and other
unpleasantness. None have been reproduced, though.
(cherry picked from commit 7680acc39fd63684c6854f27e99a2a5e18712473)
Disable incorrect use of resupply_all() in load and lload
load_land_ship() and load_land_land() automatically resupply the land
units they load. This can draw supplies from the sector where the
land units are. When load() and lload() later update the sector, they
wipe out the update made for drawing supplies, and we get a seqno
mismatch oops. Highly abusable.
navi() reads the ships into a list. When the ships get interdicted,
and lack flak shells, ac_shipflak() tries to get one and updates the
ship. When the ship in the list is later written back, e.g. to apply
interdiction damage, the flak shell is wiped out, and we get a seqno
mismatch oops.
Disable automatic flak shell supply in ac_ship_flak() for now. This
is related to commit f7d61817, which disabled automatic supply of
shells in ac_doflak() and shp_missile_defense().
Thu Apr 24 12:20:52 2008 Oops: bug in ../src/lib/subs/plnsub.c:1146
#3 0x080e64f4 in oops (msg=0x0, file=0x80ff1ca "../src/lib/subs/plnsub.c",
line=1146) at ../src/lib/gen/log.c:141
#4 0x080bce6c in pln_damage (pp=0x8415b60, x=82, y=20, type=115 's',
nukedamp=0x84158bc, noisy=1) at ../src/lib/subs/plnsub.c:1146
#5 0x080684f2 in launch_missile (pp=0x8415b60, sublaunch=0)
at ../src/lib/commands/laun.c:281
#6 0x08067c79 in laun () at ../src/lib/commands/laun.c:111
Because supply_commod() updates supply sources it used, the caller
must not cache objects that could be supply sources across a supply
call. This is very easy to get wrong.
ac_doflak() supplies flak shells if the sector hasn't enough for its
guns. It caches the sector that receives them. If the sector has
some shells, but not enough, it supplies them to itself, causing it to
be updated from within supply_commod(). ac_doflak() then adds the
supplied shells to its cached sector, then writes that back. This
doubles shells already there, and triggers a seqno mismatch oops.
shp_missile_defense() has similar problems, only for ships.
Disable ac_doflak() and shp_missile_defense() for now, to at least
reduce the oopsing to manageable levels.
Most likely other calls of supply_commod() are also wrong. Many of
them can't be just disabled, because supply is too relevant to
gameplay there.
Storing track in sectors is problematic, because we need to update
adjacent sectors when updating a sector in a way that changes its
capability to extend railway into its neighbors. This invalidates
cached adjacent sectors, and calling code may not be prepared for
that. Specifically, bridge building caches the bridge head, and
writes it back later, wiping out the track update.
Replace struct sctstr member sct_track by new sct_rail_track(). Make
selector track virtual. Remove the code to keep sct_track up-to-date:
set_railway(), update_railway().
Unfortunately, this causes cyclic dependencies between link libraries:
the virtual selector needs to be referenced from src/lib/global/nsc.c,
and it needs to reference stuff from src/lib/common/file.c. Hack
around it in Make.mk for now.
We don't want to starve tiny populations, because that would require
players to move trivial amounts of food after explore and such.
growfood() used to simply grow at least 1f when a sector was about to
starve. That food is almost never eaten by a tiny population, so we
effectively got some production without work. Fix by taking away that
free food after people ate, in do_feed().
This catches output dependency violations, e.g. two threads doing a
read-modify-write without synchronization.
New struct emptypedstr member seqno. Make sure all members of unit
empobj_storage share it. Set it in ef_blank() and ef_set_uid(), step
it in ef_write(). fairland and files don't use ef_set_uid(); need to
set it manually in files.c's main() and file_sct_init().
Factor do_read() out of fillcache() to make it available for
new get_seqno().
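
The seqno check described in the commit message above, as an added sketch that is not code from the Empire sources: struct rec, rec_read(), rec_write(), resupply() and fire() are hypothetical names. It shows a cached copy being written back after a helper updated the same record (the update is lost and the mismatch is reported), next to the fix of fetching a fresh copy.

```c
#include <stdio.h>

/* Hypothetical record; all names here are assumptions for this sketch. */
struct rec { unsigned seqno; int shells; };

static struct rec store[2];   /* stands in for the backing file */

static void rec_read(int id, struct rec *out) { *out = store[id]; }

/* Returns 1 if the copy is stale, i.e. another write happened after it
 * was read.  The write still goes through, so that update is lost. */
static int rec_write(int id, struct rec *in)
{
    int stale = in->seqno != store[id].seqno;

    in->seqno = store[id].seqno + 1;   /* step seqno on every write */
    store[id] = *in;
    return stale;
}

/* Helper that updates the record behind its caller's back. */
static void resupply(int id, int n)
{
    struct rec r;
    rec_read(id, &r);
    r.shells += n;
    rec_write(id, &r);
}

/* Uses one shell.  With cache_across_call set, the record is read
 * before resupply() and written back after it (the buggy order). */
static int fire(int id, int cache_across_call)
{
    struct rec r;
    rec_read(id, &r);
    resupply(id, 5);
    if (!cache_across_call)
        rec_read(id, &r);              /* the fix: fetch a fresh copy */
    r.shells -= 1;
    return rec_write(id, &r);
}

int main(void)
{
    int stale;
    store[0].shells = store[1].shells = 10;
    stale = fire(0, 1);
    printf("buggy: stale=%d shells=%d\n", stale, store[0].shells);
    stale = fire(1, 0);
    printf("fixed: stale=%d shells=%d\n", stale, store[1].shells);
    return 0;
}
```
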
A sector type's terrain (struct dchrstr member d_terrain) is the
sector type of its underlying terrain. Sector types occurring in
d_terrain are terrain types, and must have their own type in
d_terrain. Players can change sector types only to those with the
same terrain.
The builtin configuration defines terrain types sea, mountain,
wasteland, wilderness and plains. It gives bridge span and tower
terrain sea, and everything else terrain wilderness. Hence, the stock
game remains unchanged.
Deities can use terrain to create sector types that can be developed
only in limited ways.
Change fire to always fire guns when the target is beyond range
multifire() drops depth charges if the target is a submarine, else it
fires guns. It fails if the target is out of range. But players
could still find out whether the target is a sub then, because depth
charge shell use differs from gun fire shell use. This loophole
existed before 4.0.6, and was reopened by commit a3ad623b (v4.3.12).
Change multifire() to always use guns if the target is out of range.
While there, treat failure from shp_dchrg() and shp_fire() the same,
so that the player can't distinguish the two cases. Failure there
should not happen.
Commit a3ad623b (v4.3.12) made depth charging fail when there's just
one shell. This let players find all submarine uids. It basically
reopened the loophole closed in commit aa26c53e (v4.2.20).
Fix by making shp_dchrg() with just one shell succeed and return
damage like fire from one gun.
Fix fire command to detect when the firing object changes
multifire() failed to take into account that the firing sector,
ship or land unit can change while it is getting the target argument.
It thus clobbered any updates made to the firing object while it was
sleeping for the target argument. Abusable. Broken when Chainsaw
introduced MULTIFIRE.
Journal input of special cookies "ctld" and "aborted"
The latter is necessary to interpret the journal correctly. The
former isn't, as it should always lead to a logout straight away, but
treating it just the same is simple and doesn't hurt.
Behavior differs for the following scenario: if, while the thread
sleeps in io_input() called from recvclient(), at least one line of
input arrives and the thread gets awakened by the update aborting
commands, then the old code throws away the first line of input, but
the new code doesn't.
Commit 7ca4f412 fixed tracking of planes flying a sortie by marking
them with flag PLN_LAUNCHED. It failed to write SAMs and planes
flying missions back to the plane file, in sam_intercept() and
mission_pln_arm(). The only known problem with that is fairly
harmless: when the mission damages planes on the ground, the planes
flying it get damaged as if they were still sitting in their bases,
but the damage gets wiped out when they land.
The same issue applies to missiles. So they need to be tracked as
well. Do that in msl_hit().
While there, remove a few redundant PLN_LAUNCHED sanity checks.
When fixing planes stuck in the air, we fixed them only in memory, so
when a fixed plane wasn't written to disk for other reasons before the
next game start, it had to be fixed again.
Change pln_zap_transient_flags() to write them out.
These *are* called while player->aborted. Could be avoided, but: the
reason for not wanting to prompt then is to have each prompt consume a
line of input. That's actually not feasible, because when we wait for
an argument (after prompting for it) when the update aborts commands,
we can't consume the argument we prompted for.
Checking l_ammo before lnd_dam() oopses when something attempts to
fire from a land unit type that can't fire (l_dam == 0) and uses no
ammo. Such usage is perfectly fine. Move the check to the correct
place.
Change oops() to call the new oops_handler function pointer instead of
offering a fixed set of actions. Change server's main() to install a
handler for the action requested by -E.
Some losing implementations of strptime() such as FreeBSD's happily
succeed when they fully consumed the first argument, regardless of
whether they matched the full second argument or not. This causes
lines without directives to be interpreted as "next Sunday".