<div dir="ltr"><div>Hi Stephane,</div><div>I first tried with a debug VM on OSX and could not trigger the failure.</div><div>A fast VM though does easily fail, here is where when launched via lldb:<br></div><div><br></div><div>* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x38)<br> frame #0: 0x10df6c75 Squeak3D`b3dAddBackFill(fillList=0x05cff2b8, aFace=0x05cc6b18) at b3dMain.c:994:21 [opt]<br> 991 if(minZ <= (firstFace->minZ + lastFace->minZ) * 0.5) {<br> 992 /* search front to back */<br> 993 face = firstFace->nextFace;<br>-> 994 while(face->minZ < minZ) face = face->nextFace;<br> 995 } else {<br> 996 /* search back to front */<br> 997 face = lastFace->prevFace; /* already checked if lastFace->minZ <= minZ */</div><div><div><div><br></div></div><div>Looking at full code of function, I do not see any logic error in b3dAddBackFill:</div><div>if faces are correctly sorted by increasing minZ, the while loop on line 994 should always exit before reaching NULL</div><div><br></div></div><div>Though, it seems that we exhaust the face chain without encoutering the condition on line 994 and dereference a NULL pointer.</div><div>Why only with fast VM? It might be yet another case of Undefined Behavior (UB)...<div>I have thus recompiled the VM with UB sanitizer, and there is indeed some UB reported:</div></div><div><br></div><div>../../platforms/Cross/plugins/Squeak3D/b3dMain.c:1252:29: runtime error: left shift of negative value -760<br>../../platforms/Cross/plugins/Squeak3D/b3dMain.c:1254:25: runtime error: left shift of negative value -751<br>../../platforms/Cross/plugins/Squeak3D/b3dDraw.c:317:33: runtime error: left shift of negative value -802<br>../../platforms/Cross/plugins/Squeak3D/b3dDraw.c:318:33: runtime error: left shift of negative value -802<br>../../platforms/Cross/plugins/Squeak3D/b3dDraw.c:316:33: runtime error: left shift of negative value -114<br>../../platforms/Cross/plugins/Squeak3D/b3dMain.c:829:61: runtime error: left shift of negative value -2</div><div><br></div><div>Though, the instrumented fast VM does not fail...</div><div>It might be that some aggressive optimizations assuming the absence of UB do not occur with all the instrumentation stuff embedded...</div><div><br></div><div>So it's not going to be easy to debug.</div><div>The only way I see is eliminating UB...</div><div>By protecting those left shift with (unsigned) cast, I also made the crash disappear, which is a good clue.<br></div><div><br></div><div>IMO, declaring a left shift of negative int UB is sort of FOOLISH.</div><div>Yes, some overflow of sign bit by a 0 could happen, EXACTLY like overflow of sign bit by a 1 could happen for positive!!!</div><div>For me, it should be implementation defined eventually for those exotic machines using sign/magnitude rather than 2-complement.<br></div><div>But we cannot easily control what the standard committee decide, we have to cope with...</div><div><br></div><div>We will have to protect each and every left shift in b3d with a cast...<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le mer. 5 févr. 2020 à 16:28, Stéphane Rollandin <<a href="mailto:lecteur@zogotounga.net">lecteur@zogotounga.net</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <br>
Hello,<br>
<br>
I made up a fairly repeatable way to crash the Squeak3D plugin again.<br>
<br>
Just evaluate the doIt proposed in the image at:<br>
<a href="http://www.zogotounga.net/swap/crashlab4.zip" rel="noreferrer" target="_blank">http://www.zogotounga.net/swap/crashlab4.zip</a><br>
<br>
Things go wrong about every other time on my system, sometimes with a <br>
crash dump (one is featured in the archive), sometimes silently.<br>
<br>
You will have to way about 20 seconds for the animation to reach the <br>
critical point (when it stops, but sometimes before).<br>
<br>
BTW this animation also features a number of glitches - it would be nice <br>
to fix that too, but this is another topic.<br>
<br>
Stef<br>
</blockquote></div>