5642: Option to remove weak hook & bounce r=def- a=Jupeyy
Fixes#5641
server side only
## Checklist
- [x] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Jupeyy <jupjopjap@gmail.com>
5715: Use djb2 for snapshot item hashlist r=def- a=Robyt3
The previous hash function was heavily biased towards the hash buckets 64-79, making those buckets overflow faster, which results in snapshot CRC errors and lags.
Using the djb2 hash yields an almost even distribution over the entire range of values.
Source for djb2: http://www.cse.yorku.ca/~oz/hash.html
(we incidentally use the same implementation for `str_quickhash`)
Sample which compares the usage of hash buckets in the test map from #5454 with the old and new hash function: [SnapshotHash.csv](https://github.com/ddnet/ddnet/files/9285148/SnapshotHash.csv) (this table also differentiates between the source and target of the snapshot delta)
Closes#4379.
## Checklist
- [X] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Robert Müller <robytemueller@gmail.com>
The previous hash function was heavily biased towards the hash buckets 64-79, making those buckets overflow faster, which results in snapshot CRC errors and lags.
Using the djb2 hash yields an almost even distribution over the entire range of values.
http://www.cse.yorku.ca/~oz/hash.html
5706: Fix shift-leftclick-drag with empty selection to delete (fixes#5705) r=C0D3D3V a=def-
<!-- What is the motivation for the changes of this pull request -->
## Checklist
- [x] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Dennis Felsing <dennis@felsin9.de>
1. Open any map, including an empty one.
2. Select a brush, e.g. size 2x2.
3. Shift click to repeat the brush over a larger area, e.g. 10x10.
4. This causes a buffer-overflow / crash with ASAN:
```
=================================================================
==4826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000f5040 at pc 0x55db7d0aa743 bp 0x7fffe4e191f0 sp 0x7fffe4e191e0
READ of size 4 at 0x6060000f5040 thread T0
0 0x55db7d0aa742 in CLayerTiles::GetTile(int, int) src/game/editor/layer_tiles.cpp:50
1 0x55db7d0d23e1 in CLayerTiles::FillSelection(bool, CLayer*, CUIRect) src/game/editor/layer_tiles.cpp:437
2 0x55db7cf196e9 in CEditor::DoMapEditor(CUIRect) src/game/editor/editor.cpp:2641
3 0x55db7cfa7755 in CEditor::Render() src/game/editor/editor.cpp:5747
4 0x55db7cfd2a56 in CEditor::OnRender() src/game/editor/editor.cpp:6437
5 0x55db7c23e02d in CClient::Run() src/engine/client/client.cpp:3374
6 0x55db7c2a9f7b in main src/engine/client/client.cpp:4762
0x6060000f5040 is located 0 bytes to the right of 64-byte region [0x6060000f5000,0x6060000f5040)
allocated by thread T0 here:
0 0x7f9b21db5787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
1 0x55db7d0a9a86 in CLayerTiles::CLayerTiles(int, int) src/game/editor/layer_tiles.cpp:39
2 0x55db7d0cf0ed in CLayerTiles::BrushGrab(CLayerGroup*, CUIRect) src/game/editor/layer_tiles.cpp:387
3 0x55db7cf18191 in CEditor::DoMapEditor(CUIRect) src/game/editor/editor.cpp:2612
4 0x55db7cfa7755 in CEditor::Render() src/game/editor/editor.cpp:5747
5 0x55db7cfd2a56 in CEditor::OnRender() src/game/editor/editor.cpp:6437
6 0x55db7c23e02d in CClient::Run() src/engine/client/client.cpp:3374
SUMMARY: AddressSanitizer: heap-buffer-overflow src/game/editor/layer_tiles.cpp:50 in CLayerTiles::GetTile(int, int)
Shadow bytes around the buggy address:
0x0c0c800169b0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c800169c0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c800169d0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c800169e0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c800169f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c80016a00: 00 00 00 00 00 00 00 00[fa]fa fa fa fd fd fd fd
0x0c0c80016a10: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c80016a20: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c80016a30: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c80016a40: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c80016a50: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4826==ABORTING
```
5692: Refactor `GetClientVersion`, remove many `version.h` includes, fix potential use of undefined value r=def- a=Robyt3
Some refactoring to reduce duplicate code and to remove includes.
## Checklist
- [X] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Robert Müller <robytemueller@gmail.com>
The `CServer::GetClientVersion` method needs the `version.h` include, so it's moved from the header to the source file, so the include can be removed from the header.
The `GetClientVersion` method is often called with the same `Client != SERVER_DEMO_CLIENT ? GetClientVersion(Client) : CLIENT_VERSIONNR` expression, which also needs the `version.h` include. This expression is moved inside the method, so the include can be removed from all the server entities' and player code.
The `CGameContext::GetClientVersion` method is made a delegate to reduce duplicate code.
The includes of the server entities are also organized further.
5686: Fix editor image delete r=def- a=Jupeyy
fixes#5675
## Checklist
- [ ] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Jupeyy <jupjopjap@gmail.com>
5678: Reset selected quads when switching layers (fixes#5673) r=Jupeyy a=def-
<!-- What is the motivation for the changes of this pull request -->
## Checklist
- [x] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: def <dennis@felsin9.de>
5614: Fix clang-tidy 14 mingw issues (fixes#5612) r=heinrich5991 a=def-
Strangely I didn't get all of the errors.
## Checklist
- [ ] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: def <dennis@felsin9.de>
/media/ddnet/src/engine/server.h:135:3: error: Address of stack memory associated with local variable 'aBuf' is still referred to by the stack variable 'tmp' upon returning to the caller. This will be a dangling reference [clang-analyzer-core.StackAddressEscape,-warnings-as-errors]
return SendPackMsgOne(pMsg, Flags, ClientID);
^
/media/ddnet/src/game/server/gamecontext.cpp:4084:5: note: Assuming the condition is false
if(pFilter[0])
^~~~~~~~~~
/media/ddnet/src/game/server/gamecontext.cpp:4084:2: note: Taking false branch
if(pFilter[0])
^
/media/ddnet/src/game/server/gamecontext.cpp:4088:2: note: Calling 'CGameContext::SendChatTarget'
SendChatTarget(ClientID, aBuf);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/media/ddnet/src/game/server/gamecontext.cpp:401:5: note: Assuming field 'm_SvDemoChat' is not equal to 0
if(g_Config.m_SvDemoChat)
^~~~~~~~~~~~~~~~~~~~~
/media/ddnet/src/game/server/gamecontext.cpp:401:2: note: Taking true branch
if(g_Config.m_SvDemoChat)
^
/media/ddnet/src/game/server/gamecontext.cpp:402:3: note: Calling 'IServer::SendPackMsg'
Server()->SendPackMsg(&Msg, MSGFLAG_VITAL | MSGFLAG_NOSEND, -1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:71:3: note: Taking true branch
if(ClientID == -1)
^
/media/ddnet/src/engine/server.h:73:19: note: Assuming the condition is true
for(int i = 0; i < MaxClients(); i++)
^~~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:73:4: note: Loop condition is true. Entering loop body
for(int i = 0; i < MaxClients(); i++)
^
/media/ddnet/src/engine/server.h:74:8: note: Assuming the condition is true
if(ClientIngame(i))
^~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:74:5: note: Taking true branch
if(ClientIngame(i))
^
/media/ddnet/src/engine/server.h:77:15: note: Calling 'IServer::SendPackMsgTranslate'
Result = SendPackMsgTranslate(&tmp, Flags, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:118:6: note: Assuming field 'm_ClientID' is >= 0
if(pMsg->m_ClientID >= 0 && !Translate(pMsg->m_ClientID, ClientID))
^~~~~~~~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:118:6: note: Left side of '&&' is true
/media/ddnet/src/engine/server.h:118:31: note: Assuming the condition is true
if(pMsg->m_ClientID >= 0 && !Translate(pMsg->m_ClientID, ClientID))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:118:3: note: Taking true branch
if(pMsg->m_ClientID >= 0 && !Translate(pMsg->m_ClientID, ClientID))
^
/media/ddnet/src/engine/server.h:125:6: note: Assuming the condition is false
if(IsSixup(ClientID))
^~~~~~~~~~~~~~~~~
/media/ddnet/src/engine/server.h:125:3: note: Taking false branch
if(IsSixup(ClientID))
^
/media/ddnet/src/engine/server.h:135:3: note: Address of stack memory associated with local variable 'aBuf' is still referred to by the stack variable 'tmp' upon returning to the caller. This will be a dangling reference
return SendPackMsgOne(pMsg, Flags, ClientID);
^
5627: Fix shift + left click in editor (fixes#5626) r=heinrich5991 a=def-
<!-- What is the motivation for the changes of this pull request -->
## Checklist
- [x] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [ ] Considered possible null pointers and out of bounds array indexing
- [ ] Changed no physics that affect existing maps
- [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Dennis Felsing <dennis@felsin9.de>
5658: Fix game freezing up on duplicate snapshot r=def- a=Fireball-Teeworlds
If a duplicate snapshot is received (for the same tick), we add both to the SnapshotStorage and end up with the same snapshot as both Cur and Prev. This results in GameInfraTick returning "inf" and results in "NaN" downstream in a few places, getting the CollLine logic stuck.
Some debug info (tcpdump, gdb, perf): https://gist.github.com/Fireball-Teeworlds/ad0016d2551a2e4d4cb5691023493856
Apparently this doesn't really happen in the wild, unless you have a buggy network stack. In which case it happens frequently enough to pinpoint the issue :D
(fixes#5657)
## Checklist
- [X] Tested the change ingame
- [ ] Provided screenshots if it is a visual change
- [ ] Tested in combination with possibly related configuration options
- [ ] Written a unit test (especially base/) or added coverage to integration test
- [X] Considered possible null pointers and out of bounds array indexing
- [X] Changed no physics that affect existing maps
- [X] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--undefinedbehavioursanitizer-or-valgrinds-memcheck) (optional)
Co-authored-by: Fireball <fireball.teeworlds@gmail.com>
If a duplicate snapshot is received (for the same tick), we add both to the SnapshotStorage and end up with the same snapshot as both Cur and Prev. This results in GameInfraTick returning "inf" and results in "NaN" downstream in a few places, getting the CollLine logic stuck.
Apparently this doesn't really happen in the wild, unless you have a buggy network stack. In which case it happens frequently enough to pinpoint the issue :D
Add `CSnapshot::IsValid` to check if a snapshot unpacked from a snapshot delta or demo is valid:
- ensure number of items and data size are not negative
- ensure that the actual size of the snapshot matches the size derived from its member variables
- ensure item offsets are within the valid range
- ensure item sizes are not negative
Add `CSnapshot::TotalSize` and `CSnapshot::OffsetSize` utility functions.
Minor improvements to related error messages.
Fixes buffer overflow:
```
==47744==ERROR: AddressSanitizer: global-buffer-overflow on address 0x558618e3767f at pc 0x558614b9bdfb bp 0x7ffe58a32cd0 sp 0x7ffe58a32cc0
READ of size 4 at 0x558618e3767f thread T0
0x558614b9bdfa in CSnapshotItem::Type() const src/engine/shared/snapshot.h:16
0x558615c3c911 in CSnapshot::GetItemType(int) const src/engine/shared/snapshot.cpp:29
0x558614aebaba in CClient::UnpackAndValidateSnapshot(CSnapshot*, CSnapshot*) src/engine/client/client.cpp:2264
0x558614af87cb in CClient::OnDemoPlayerSnapshot(void*, int) src/engine/client/client.cpp:2598
0x558615b9db1a in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:659
0x558615babd3f in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
0x558614afb08b in CClient::Update() src/engine/client/client.cpp:2686
0x558614b1d9eb in CClient::Run() src/engine/client/client.cpp:3296
0x558614b8e64f in main src/engine/client/client.cpp:4761
```
And fixes a buffer overflow that manifests itself as an internal ASan error:
```
=================================================================
==4755==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cc:79 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
0x7f0bf5f368be in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:72
0x7f0bf5f54eee in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
0x7f0bf5e4cb6f in GetShadowKind ../../../../src/libsanitizer/asan/asan_descriptions.cc:79
0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:95
0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:92
0x7f0bf5e4e386 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cc:440
0x7f0bf5e50e94 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cc:380
0x7f0bf5f35f4d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cc:460
0x7f0bf5e86f5e in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
0x558234873f1d in mem_zero src/base/system.cpp:213
0x55823481fc27 in CSnapshotBuilder::NewItem(int, int, int) src/engine/shared/snapshot.cpp:675
0x55823481be65 in CSnapshotDelta::UnpackDelta(CSnapshot*, CSnapshot*, void const*, int) src/engine/shared/snapshot.cpp:380
0x558234776641 in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:631
0x5582347861a9 in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
0x5582336d4c7d in CClient::Update() src/engine/client/client.cpp:2695
0x5582336f75dd in CClient::Run() src/engine/client/client.cpp:3305
0x558233768241 in main src/engine/client/client.cpp:4770
```
```
src/game/server/teams.cpp:484:35: runtime error: shift exponent -1 is negative
0x55d065b241c4 in CGameTeams::TeamMask(int, int, int) src/game/server/teams.cpp:484
0x55d0657f92ed in CCharacter::TickDefered() src/game/server/entities/character.cpp:821
0x55d065a5d04c in CGameWorld::Tick() src/game/server/gameworld.cpp:283
0x55d0659327e6 in CGameContext::OnTick() src/game/server/gamecontext.cpp:852
0x55d0656e6a88 in CServer::Run() src/engine/server/server.cpp:2807
0x55d0657164f1 in main src/engine/server/server.cpp:3904
```
```
src/game/client/components/chat.cpp:795:89: runtime error: index -1 out of bounds for type 'CClientData [64]'
#0 0x55c133fd047a in CChat::AddLine(int, int, char const*) src/game/client/components/chat.cpp:795
#1 0x55c133fc80b5 in CChat::OnMessage(int, void*) src/game/client/components/chat.cpp:570
#2 0x55c134677688 in CGameClient::OnMessage(int, CUnpacker*, int, bool) src/game/client/gameclient.cpp:770
#3 0x55c133c282d2 in CClient::OnDemoPlayerMessage(void*, int) src/engine/client/client.cpp:2627
#4 0x55c134ccdcba in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:679
#5 0x55c134cdac81 in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
#6 0x55c133c2a08b in CClient::Update() src/engine/client/client.cpp:2686
#7 0x55c133c4c9eb in CClient::Run() src/engine/client/client.cpp:3296
#8 0x55c133cbd64f in main src/engine/client/client.cpp:4761
```
