Commit graph

5097 commits

Author SHA1 Message Date
4bce12ac0b travis: Enable OS X
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:39 +01:00
42a3c10fd9 navigate march: Fix abort not to wipe out concurrent updates
When the player aborts the command at the movement prompt, we write
back stale ships or land units, triggering a generation oops.  Any
updates made by other threads meanwhile are wiped out, triggering a
seqno mismatch oops.

Broken in commit 24000b4, v4.3.33.  Fix by restoring the lost
shp_nav_stay_behind() and lnd_mar_stay_behind() calls.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:39 +01:00
354b6aea3d tests/navi-march: Cover abort at movement prompt
This exposes generation oopses.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:39 +01:00
863fde5a2c march: Fix concurrent updates at sector abandon prompt
When the player declines to abandon a sector, we write back stale land
units, triggering a generation oops.  Any updates made by other
threads meanwhile are wiped out, triggering a seqno mismatch oops.

The culprit is lnd_abandon_askyn(): when the player declines, it
returns without calling check_sect_ok(), check_land_ok().  Broken in
commit 7c1b166, v4.3.33.  Fix it.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:38 +01:00
8daeffbd8f recvclient: Track potential yield on input
recvclient() calls ef_make_stale() only when it does actual I/O, via
io_output() and io_input().  Missed in commit 2fa5f652, v4.3.24.  Call
it directly when it doesn't do actual I/O.

This makes navi-march-test expose a bug in march: when the player
declines to abandon a sector, we write back stale land units,
triggering a generation oops.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:38 +01:00
9645caf6ff configure: Use -fstack-protector-strong when available
Testing whether the compiler supports it is a bit tricky.

The obvious AX_APPEND_COMPILE_FLAGS([-fstack-protector-strong])
doesn't suffice, since some ports of the GNU toolchain reportedly pass
this test, then fail to link.  That's because the compiler accepts the
flag, duly emits references to helper code in libc, but libc doesn't
provide it, and linking fails.

Instead, use AX_APPEND_LINK_FLAGS with an input source that makes the
compiler emit the extra stack checking code.  This requires the latest
version from the autoconf-archive, so update m4/ax* to commit e3d948b.
Also update m4/my_append_compile_flags.m4 to keep it in sync with
upstream's ax_append_compile_flags.m4.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:38 +01:00
41263cf8c9 scripts/savecore: Report nicely when there's no core dump
When savecore can't find a core dump, it reports something like

    ls: cannot access core.*: No such file or directory

to stderr, and fails.  If privlog is set, it also mails out a "Could
not save core dump" note.

Suppress the error message, and mail out "Could not find core dump to
save" instead.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:38 +01:00
3f86dd2ecf configure: Use -fno-strict-aliasing -fno-strict-overflow
Contemporary compilers can squeeze out some extra performance by
assuming the program never executes code that has undefined behavior
according to the C standard.  Unfortunately, this can break programs.
Pointing out that these programs are non-conforming is as correct as
it is unhelpful, at least as long as the compiler is unable to
diagnose the non-conformingness.

Since keeping our programs working is a lot more important to us than
running them as fast as possible, forbid some assumptions that are
known to break real-world programs:

* Aliasing: perfectly clean programs don't engage in type-punning, and
  perfectly conforming programs do it only in full accordance with the
  standard's (subtle!) aliasing rules.  Neither kind of perfection is
  realistic for us, therefore -fno-strict-aliasing.

* Signed integer overflow: perfectly clean programs won't ever do
  signed integer arithmetic that overflows.  This is an imperfect
  program, therefore -fno-strict-overflow.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:19:38 +01:00
6e80cf103f tests: Enable GNU libc memory allocation error checking
MALLOC_CHECK_=3 makes glibc check for memory allocation programming
errors.  It's the factory default, but set it anyway just in case
someone disabled it for speed.

Non-zero MALLOC_PERTURB_ makes glibc wipe memory value on allocation
and deallocation.  The actual value determines the bit pattern.  Set
it to the value of environment variable EMPIRE_CHECK_MALLOC_PERTURB or
else a pseudo-random number, and record it in sandbox/malloc-perturb.

See mallopt(3) for more information.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 13:03:08 +01:00
1abd3c5b0b navigate march: Plug memory leaks
When the player aborts the command at the movement prompt, or declines
to abandon a sector, unit_move() returns without freeing the list.
Found with valgrind.  Broken in commit 24000b4 and commit 7c1b166,
both v4.3.33.

Free the list on these returns, too.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:51:07 +01:00
25c7d3798b navigate march retreat lretreat: Fix read beyond buffer
shp_nav_gauntlet() and lnd_mar_gauntlet() read beyond the list head
when the list is empty.  The values read aren't used then.  Could
conceivably crash the server anyway, but it's unlikely.

Empty list happens when shp_nav_dir(), lnd_mar_dir() empty the list
and return zero.  Broken in commit beedf8d, v4.3.33.  Occurs in
navi-march-test (since the last commit) and in retreat-test.

Change shp_nav_dir() and lnd_mar_dir() to return one then.  For
additional safety, make shp_nav_gauntlet() and lnd_mar_gauntlet() oops
on empty list and recover safely.

I think I originally found this bug with -fsanitize, but I've since
upgraded, and I can't diagnose it that way anymore.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:51:07 +01:00
493dc5f941 tests/navi-march: Cover running out of mobility completely
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:51:07 +01:00
6888337afe bomb drop fly paradrop recon sweep: Fix read before array
The code computing the length of the flight path checks whether the
path ends with 'h'.  When getpath() returns an empty path, it accesses
flightpath[-1].  This could set the length to -1 (unlikely), or crash
(even less likely).  The former could be abused to gain mobility for
sufficiently inefficient or short-ranged planes.  Found with valgrind.

Broken in commit 404a76f7, v4.3.27.

Historically, getpath() could return paths with or without 'h', and
the check was necessary.  It returned an empty path only when the
player gave no input, aborting the command.  When the player entered
the assembly point's coordinates, it returned "h".

Commit 404a76f7 accidentally changed it to return "" then.  Also broke
flying to the assembly point's coordinates.  Commit 0f1e14f (v4.3.31)
fixed that part by changing getpath()'s contract: always return paths
without 'h' ("" simply means empty path), and return NULL on invalid
input, including no input.

The flawed check is superfluous since then.  Drop it.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:51:07 +01:00
b9375b14b1 Avoid shifting into sign bit
It's undefined behavior.  Found with gcc -fsanitize=undefined.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:50:54 +01:00
d58bea5458 Convert run-time to build-time assertion
There's just one, in show_product().

Use new BUILD_ASSERT() there, because its contract is even simpler
than BUILD_ASSERT_ONE()'s.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:43:28 +01:00
80bf4ec34b Provide proper build-time assertions for NSC_SITYPE()
We want to cause a diagnostic when NSC_SITYPE()'s argument isn't
implemented.  Commit aa6ad9d's solution is to have the macro expand
into 1/0 then.  Works with GCC, but Clang always warns "division by
zero is undefined".

The better, portable way to conditionally break the build is an array
type with a size that's negative when the build should fail, else
positive.  Implement that wrapped in a sizeof() to make it an
expression as macro BUILD_ASSERT_ONE(), and use it in NSC_SITYPE().

No more warnings from Clang 3.5.0.  GCC still produces its "may be
used uninitialized" false positives.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:42:40 +01:00
d074d29736 subs: Don't squash telegrams together when time goes backwards
We've always squashed them when the time difference is smaller than
TEL_SECONDS, regardless of sign.  This involves passing the difference
to abs(), implicitly casting from time_t to int, which triggers a
Clang warning.

I could clean this up to get rid of the warning, but time should never
go backwards, and trying to make things prettier when it does isn't
worthwhile.  Simply drop the abs().

While there, drop the function comment.  It's been inaccurate since
Empire 3 dropped mail.c, and bogus since commit 17223e8 (v4.3.29)
added tel_cont.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
feb894cf1e info/Nuke-types: Document show columns avail, res, abilities
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
659957c40c info/Unit-types: Belatedly remove capability xlight
L_XLIGHT was replaced in commit e28c14f, v4.3.0.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
c0b41650c5 info/Plane-types: Belatedly remove stealth and half-stealth
P_X and P_H were removed in commit 61233e4, v4.3.23.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
6787049ae5 info/Ship-types: Belatedly remove capability spy
M_SPY was removed in commit 498d9fb, v4.3.0.  It never did anything.

Reported-by: Harald Katzer
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
5010240995 info: Belatedly update for change of stop prefix to '!'
Commit eb1512d (v4.3.6) added the '=' if stopped before efficiency.
Commit 016249c (v4.3.6) changed it to '!' without updating info ship,
plane, land, nuke.

Reported-by: Harald Katzer
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
b031770040 info/version: Update example to current output
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:16 +01:00
58a6e7270f info: Fix option NOMOBCOST misinformation
The cost of firing naval guns is 15 mobility with option NOMOBCOST
disabled.  Mobility.t is correct.

Fix Options.t not to claim submarines pay half the sector movement
cost when NOMOBCOST is enabled.

Fix fire.t not to claim ships pay half the sector movement cost when
NOMOBCOST is disabled.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:15 +01:00
00abc9616d info/Options: Nicer markup, more consistent format
Don't list options separately for major server versions.  It's only of
historical interest, which "info History" satisfies.

Make it a list (.L) instead of preformatted text (.nf).

Fix up so the option explanations are full sentences, starting with a
capital letter and ending with a period.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:15 +01:00
b1525ef272 info/Options: Belatedly remove SAIL
Missed in commit dc73207.

Reported-by: Harald Katzer
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:15 +01:00
6986ac4778 lwp: Rename LwpSigCatched to LwpSigCaught
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:15 +01:00
6b6708a01b docs/coding: Explain function/struct/union comment conventions
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:41:15 +01:00
eba87789ab Fix and clean up some comments
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:31:08 +01:00
9f25de3dce Change comment style to use @foo rather than FOO
... when referring to a function's parameter or a struct/union's
member.

The idea of using FOO comes from the GNU coding standards:

    The comment on a function is much clearer if you use the argument
    names to speak about the argument values.  The variable name
    itself should be lower case, but write it in upper case when you
    are speaking about the value rather than the variable itself.
    Thus, "the inode number NODE_NUM" rather than "an inode".

Upcasing names is problematic for a case-sensitive language like C,
because it can create ambiguity.  Moreover, it's too much shouting for
my taste.

GTK-Doc's convention to prefix the identifier with @ makes references
to variables stand out nicely.  The rest of the GTK-Doc conventions
make no sense for us, however.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:13:17 +01:00
5cff5022a9 configure: Suppress Clang warning on carg()
Renaming carg() would be smarter, but I'd rather do that as part of a
consistent renaming of all command functions, and I'm not up to that
right now.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:11:37 +01:00
b824134240 configure: Enable -Wformat-security
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:11:37 +01:00
b34cbad683 pr: Make prdate() more obviously correct
Using ctime() as pr()'s first argument is safe, because its value
never contains '%'.  Clean it up anyway, so we can enable
-Wformat-security.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:11:37 +01:00
d9837728c2 configure: Enable more gcc warnings
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:11:37 +01:00
23373d01d9 configure: Test compiler flags
When AC_PROG_CC detects GCC, Make.mk adds a bunch of flags to CFLAGS.
Works only for flags that any version of gcc in use accepts.

Instead, make configure add the flags that actually work to CFLAGS.
This will let us add flags that work only for some compilers.

The new autoconf macros are from autoconf-archive v2015.02.24.

Unfortunately, AX_APPEND_COMPILE_FLAGS doesn't work reliably for
-Wno-*: gcc complains about unknown -Wno-foo only when other
diagnostics are being produced.  Test -Wfoo instead of -Wno-foo, and
rename to MY_APPEND_COMPILE_FLAGS.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-11-22 10:23:54 +01:00
35f34581be configure: Drop unused AC_C_CHAR_UNSIGNED test
Unused since commit 0c8c169, v4.3.3.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-06-06 15:49:28 +02:00
87d08a4584 Bump version to 4.3.34
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-06-04 10:52:11 +02:00
00985535de Update change log timestamp for 4.3.33
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-20 20:20:40 +02:00
fff177be2f Revert "commands: Always put ship or land unit before retreating it"
This reverts commit f4d8d64bb3.

Breaks retreat after ship got sunk by bombs or missile.

ship_bomb() and launch_missile() pass .shp_own to retreat_ship().
Wrong after putship(), because putship() resets the owner when the
ship got sunk.  retreat_ship() then oopses and fails to retreat the
surviving members of the group.

Other callers save the owner before putting the ship, and pass that.
We could change these two to do the same.  But since we're trying to
get a release out, simply revert the broken commit instead.
2015-05-17 18:11:20 +02:00
1c9fb831ed Tidy up some comments
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-17 18:08:45 +02:00
5b9b4c3c89 Update change log again for 4.3.33
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-14 09:49:12 +02:00
341b1b4d15 Improve portability to really outmoded compilers
A few modernisms have crept in:

* Trailing comma in enum definition (commit 71320ed, v4.3.10)

* // comment (commit 265e71e, v4.3.11)

* <stdint.h> (commit 9102ecc, v4.3.31)

  MSC actually chokes on this one.

Avoid them.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-14 09:48:57 +02:00
7f68f37433 xundump: Pass unsigned * for scanf directive %3o, not int *
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-14 09:48:57 +02:00
a96c43c723 rdsched: Pass unsigned * for scanf directive %u, not int *
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-14 09:48:57 +02:00
05fe8b771c info/History: Cover removal of Autonav, SAIL and TREATIES
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-14 09:48:35 +02:00
a455169edd w32/strptime: Fix for 64 bit pointers
The __UNCONST() stolen from NetBSD assumes unsigned long can hold a
pointer.  Not true with Win64's LLP64 data model.  There, we cast the
64 bit pointer to 32 bits and back.  Works only because Windows puts
the stack at a very low address, and the casts don't actually change
the pointer.

Dumb it down to a straight cast to void * for safety.

Thanks to Harald Katzer and Ron Koenderink for their help figuring out
the bug's impact.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-05-14 09:39:19 +02:00
953ff83fb1 Update change log again for 4.3.33
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-03-13 07:07:03 +01:00
884dd4d532 INSTALL: Refresh from automake 1.13
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-03-08 18:23:33 +01:00
64f32cde53 man: Get rid of unwanted space in SYNOPSIS
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-03-08 17:48:17 +01:00
Marisa Giancarla
0a6eb70b28 client: New option -r for restricted mode
Redirections and the execute command let the user read and write files
and run programs on the local system.

Restricted mode prevents such access.  This is useful when you want to
grant somebody access to just Empire, but not to the host system's
user account that runs the client.

Signed-off-by: Marisa Giancarla <fstltna@me.com>
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-03-08 17:30:46 +01:00