Opened 8 years ago
Closed 4 years ago
#19 closed defect (fixed)
Selectbox destroys stack when given more than 11 name,func pairs
|Reported by:||finticemo||Owned by:||yrizoud|
I've just encountered a reliably reproducible major crash with DBToolbox scripts (downloadable from http://www.pixeljoint.com/forum/forum_posts.asp?TID=12854&PN=1).
How to reproduce:
- Have the DBToolbox scripts accessible somewhere.
- Grab a brush with the normal brush grab tool -- the used 20x18 area in the attached image.
- Activate the _DBTOOLBOX.lua to bring up DBTOOLBOX's main menu
- Select 'ABSOLUTE'
- Enter '28' in the X-Size entry, and '32' in the Y-Size entry. Click OK
- A message box will come up saying 'SIMPLE'. This is normal.
- As soon as you click to close that message box, GraFX2 core-dumps.
It is worth noting that you *must* access the function through _DBTOOLBOX.lua to invoke this crash.
Accessing it directly as bru_db_AdvancedScaling.lua does not cause a crash, it works fine!
So I've concluded it is a side effect of something that _DBTOOLBOX.lua does.
(what _DBTOOLBOX.lua does is really just : Define some functions which call selectbox(), concatenate a bit of text, and in one case, call messagebox(). The only unusual aspect AFAICS is how many options are in the selectbox()es -- up to 12.)
Crash log and sample image to apply the above steps with are attached.
Change History (15)
by , 8 years ago
by , 8 years ago
sample image to reproduce crash with
comment:1 by , 8 years ago
Some details I should have mentioned:
- grafx2 SVN r2116 ("Layer preview: add a 1px border..")
- DBToolbox 1.3 (the current one available in the linked forum thread)
- Lua 5.2.3
- GCC 4.9.2
- Arch Linux, x86_64 platform
I can dig up the version of SDL etc if needed. I haven't bothered yet because as far as I can see, the problem is fairly clearly related to interaction with Lua.
EDIT: Sorry, I just realized I left some steps out of the 'how to reproduce' list as well...
After step 3, you need to click on SPRITE, then on Scale Advanced. Then proceed with step 4.
I have also confirmed this behaviour with 'Smart outline WIP'.
If you immediately click 'Quit' instead of selecting any other item after step 3, no crash occurs. However, if you click BRUSH and then click 'Back' followed by 'Quit', the crash occurs. So this is the simplest way to reproduce the crash:
- Open the brush factory and run _DBTOOLBOX.lua
- click BRUSH
- click Back
- click Quit
To me, this indicates that the crash condition occurs most likely as a result of step 2.
So I'll post the definition of sf_brush here, but as far as I can see it's perfectly ordinary:
"Brush Info (t)", function () dofile("inf_db_BrushInfo.lua"); end,
"Crop margins (b)", function () dofile("bru_db_CropMargins.lua"); end,
"Brush 2 Image (i)", function () dofile("pic_db_Brush2Picture.lua"); end,
--"(UberRotScale) (b)", function () dofile("bru_db_uberRotScale.lua"); end,
"Scale Simple (b)", function () dofile("bru_db_BrushScaleSimple.lua"); end,
"Scale Advanced (b)", function () dofile("bru_db_AdvancedScaling.lua"); end,
--"Scale Matrix (b)", function () dofile("bru_db_ScaleBrush3.lua"); end,
"Extract PenColor (b)", function () dofile("bru_db_ExtractPenColor.lua"); end,
"Apply PenColor (b)", function () dofile("bru_db_ApplyColor.lua");end,
"Smart Outline WIP (b)", function () dofile("bru_db_smartOutline.lua");end,
--"Waves Distortion (b)", function () dofile("bru_db_Waves.lua"); end,
comment:2 by , 8 years ago
|Summary:||Coredump on DBToolbox 'Scale Sprite ->ABSOLUTE' → Selectbox destroys stack when given more than 11 name,func pairs|
comment:3 by , 8 years ago
Okay, I've narrowed this down by making an edited version of _DBTOOLBOX.lua.
I'll attach it as _DEBUGTOOLBOX.lua . Place it in the same directory as _DBTOOLBOX.lua, and follow the procedure:
- Open the brush factory and run _DEBUGTOOLBOX.lua
- Click BRUSH
- Click Back
- Click Quit
This should cause the coredump.
This edited file is very simple, and has one line marked with 'if you comment this line, the crash will not occur'.
However, I've tested with other lines too. The crash condition is simply 'provide >= 11 name, function pairs to selectbox()', so any change that reduces the number of name,function pairs to 10 or less will prevent the crash from occurring.
by , 8 years ago
minimalized version of _DBTOOLBOX.lua that triggers the crash
comment:4 by , 8 years ago
Ok :/ well, since v1.3 of the Toolbox I've already limited all selectbox entries to max 10 (more is just messy anyways)...good to know that is safe at least!
comment:5 by , 8 years ago
|Priority:||major → critical|
|Status:||new → accepted|
comment:6 by , 5 years ago
|Milestone:||2.5 → 2.6|
comment:7 by , 5 years ago
Can someone reproduce this with GrafX2 2.5 or 2.6?
I've failed to reproduce the problem, but I only have DawnBringer toolbox v1.4.
comment:8 by , 5 years ago
I just found the toolbox v1.3
and I can't reproduce the bug either.
I'm using Lua 5.3.5, FreeBSD.
comment:9 by , 5 years ago
However, I get a crash when displaying the long select box when I'm in a 320x200 resolution.
The Select box is too big to fit the screen...
(gdb) bt
#0  0x0000000801976916 in memcpy () from /lib/libc.so.7
#1  0x00000000004512cf in Read_line_screen_simple (x_pos=<optimized out>, y_pos=<optimized out>, width=196, line=0x803249b40 "") at pxsimple.c:292
#2  0x000000000043be25 in Save_background (buffer=0x711c20 <Window_background>, x_pos=<optimized out>, y_pos=65525, width=width@entry=196, height=height@entry=230) at engine.c:86
#3  0x000000000043cca5 in Open_window (width=width@entry=196, height=<optimized out>, title=title@entry=0x8028f73d8 "Brush") at engine.c:1627
#4  0x0000000000472a71 in L_SelectBox (L=0x8029f0008) at factory.c:1324
#5  0x0000000800fb3d7b in ?? () from /usr/local/lib/liblua-5.3.so
#6  0x0000000800fc262c in ?? () from /usr/local/lib/liblua-5.3.so
#7  0x0000000800fb3fe9 in ?? () from /usr/local/lib/liblua-5.3.so
#8  0x0000000800faebca in lua_callk () from /usr/local/lib/liblua-5.3.so
#9  0x0000000000472bcb in L_SelectBox (L=0x8029f0008) at factory.c:1351
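Added example, not part of the ticket and not GrafX2's code: a sketch of how a window taller than the screen can end up with a coordinate like the y_pos=65525 in the backtrace above (65536 - 11), and of a bounds check that rejects the rectangle before any row is copied. The function names, the centring arithmetic and the unsigned 16-bit coordinate type are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; an added illustration, not GrafX2's code. */

/* Centre a window vertically, keeping the result in an unsigned 16-bit
 * coordinate (assumed type). A window taller than the screen gives a
 * negative value that wraps to just below 65536. */
uint16_t centre_unchecked(int screen_h, int window_h)
{
    return (uint16_t)((screen_h - window_h) / 2);
}

/* 1 only if the rectangle lies entirely inside the screen. */
int rect_on_screen(int x, int y, int w, int h, int sw, int sh)
{
    return x >= 0 && y >= 0 && w > 0 && h > 0 && w <= sw - x && h <= sh - y;
}

/* Copy the w*h pixels under a window into backup, row by row. Returns -1
 * instead of reading outside screen when the rectangle does not fit. */
int save_background_checked(uint8_t *backup, const uint8_t *screen,
                            int sw, int sh, int x, int y, int w, int h)
{
    if (!rect_on_screen(x, y, w, h, sw, sh))
        return -1;
    for (int row = 0; row < h; row++)
        memcpy(backup + (size_t)row * w,
               screen + (size_t)(y + row) * sw + x, (size_t)w);
    return 0;
}

/* Constructed case: 320x200 screen, window 196 wide as in the backtrace. */
int try_window(int window_h)
{
    static uint8_t screen[320 * 200], backup[196 * 230];
    int y = centre_unchecked(200, window_h);
    return save_background_checked(backup, screen, 320, 200, 62, y, 196, window_h);
}

int main(void)
{
    printf("y for 230-high window: %u\n", (unsigned)centre_unchecked(200, 230));
    printf("230 high: %d, 100 high: %d\n", try_window(230), try_window(100));
    return 0;
}
```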
comment:11 by , 5 years ago
If no-one is able to reproduce, I propose to close this issue.
comment:12 by , 4 years ago
|Status:||accepted → closed|
I think we can assume this bug is fixed.
Do not hesitate to re-open if that is not the case.