Haru - May 25, 2013 14:57
[b]Summary:[/b]
run_script_main appears to try accessing map[-1], causing a segmentation fault.
This appears to happen on a clean Hercules setup, on mapserver startup, with no custom NPCs.
[b]Steps to reproduce:[/b]
[code=auto:0]
*[g:master !] haru@serenity ~/test $ git log --oneline -1
ada0f13 Merge pull request #28 from jaBote/master
*[g:master !] haru@serenity ~/test $ gcc --version | head -n 1
gcc (Gentoo 4.6.3 p1.11, pie-0.5.2) 4.6.3
*[g:master !] haru@serenity ~/test $ git diff
diff --git a/configure b/configure
index 6268092..aa490b2 100755
--- a/configure
+++ b/configure
@@ -5355,6 +5355,7 @@ case $enable_debug in
CFLAGS="$CFLAGS -g -DDEBUG"
;;
"gdb")
+ LDFLAGS="$LDFLAGS -ggdb"
CFLAGS="$CFLAGS -ggdb -DDEBUG"
;;
esac
diff --git a/configure.in b/configure.in
index f52fcf0..5809da8 100644
--- a/configure.in
+++ b/configure.in
@@ -714,6 +714,7 @@ case $enable_debug in
CFLAGS="$CFLAGS -g -DDEBUG"
;;
"gdb")
+ LDFLAGS="$LDFLAGS -ggdb"
CFLAGS="$CFLAGS -ggdb -DDEBUG"
;;
esac
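Review bot: the LDFLAGS change is applied only in the "gdb" case, while the plain "-g -DDEBUG" case two lines above it still sets debug flags in CFLAGS only; if the reason for passing -ggdb at link time is that the final code generation happens in the link step under -flto (which this configure run reports gcc as supporting), the "-g" branch would need the matching `LDFLAGS="$LDFLAGS -g"` for the same debug info to survive. The identical edit is also made by hand to the generated configure in the hunk above; that keeps the two in sync for this test, but regenerating configure from configure.in is the safer way to avoid the files drifting apart.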
*[g:master !] haru@serenity ~/test $ ./configure --enable-debug=gdb
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking whether make sets $(MAKE)... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking how to run the C preprocessor... gcc -E
checking for ar... /usr/bin/ar
checking whether byte ordering is bigendian... no
checking whether gcc produces 32bit code... yes
checking whether gcc supports __thread specifier (TLS)... yes
checking whether gcc supports -Wno-unused-parameter... yes
checking whether gcc supports -flto... yes
checking whether gcc supports -Wno-pointer-sign... yes
checking whether gcc can actually use -Wno-pointer-sign... yes
checking whether gcc supports -Wno-switch... yes
checking whether gcc supports -fPIC... yes
checking how to make shared objects... -shared
checking whether gcc needs -fPIC for shared objects... no
checking whether gcc supports -fno-strict-aliasing... yes
checking for setrlimit... yes
checking for strnlen... yes
checking for uselocale... yes
checking for newlocale... yes
checking for freelocale... yes
checking xlocale.h usability... yes
checking xlocale.h presence... yes
checking for xlocale.h... yes
checking for inflateEnd in -lz... yes
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
checking for library containing sqrt... -lm
checking for library containing clock_gettime... -lrt
checking whether CLOCK_MONOTONIC is supported and works... yes
checking for pthread_create in -lpthread... yes
checking for pthread_sigmask in -lpthread... yes
checking for pthread_attr_init in -lpthread... yes
checking for pthread_attr_setstacksize in -lpthread... yes
checking for pthread_attr_destroy in -lpthread... yes
checking for pthread_cancel in -lpthread... yes
checking for pthread_join in -lpthread... yes
checking for mysql_config... /usr/bin/mysql_config
checking for mysql_init in -lmysqlclient... yes
checking mysql.h usability... yes
checking mysql.h presence... yes
checking for mysql.h... yes
checking MySQL library (required)... yes (5.1.67)
checking for pcre_study in -lpcre... yes
checking PCRE library (optional)... yes
checking host OS... Linux
checking for MinGW... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/common/Makefile
config.status: creating 3rdparty/mt19937ar/Makefile
config.status: creating 3rdparty/libconfig/Makefile
config.status: creating src/char/Makefile
config.status: creating src/login/Makefile
config.status: creating src/plugins/Makefile
config.status: creating src/map/Makefile
config.status: creating src/tool/Makefile
config.status: creating src/test/Makefile
*[g:master !] haru@serenity ~/test $ make clean && make sql
{snip}
*[g:master !] haru@serenity ~/test $ gdb ./map-server
GNU gdb (Gentoo 7.5.1 p2) 7.5.1
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /home/haru/test/map-server...done.
(gdb) r
Starting program: /home/haru/test/map-server
{snip}
[Info]: Done loading '13929' NPCs:
-'3188' Warps
-'215' Shops
-'10526' Scripts
-'3118' Spawn sets
-'45761' Mobs Cached
-'0' Mobs Not Cached
Program received signal SIGSEGV, Segmentation fault.
0x080fecd5 in run_script_main (st=0xaafa0cf4) at script.c:3465
3465 if( nd && map[nd->bl.m].instance_id > 0 )
(gdb) bt
#0 0x080fecd5 in run_script_main (st=0xaafa0cf4) at script.c:3465
#1 0x080fe9eb in run_script.part.62 (oid=110009257, rid=0, pos=0, rootscript=0xaaa6a6ec) at script.c:3315
#2 run_script (rootscript=0xaaa6a6ec, pos=0, rid=0, oid=110009257) at script.c:3304
#3 0x08248659 in npc_event_doall_sub (key=..., data=0xacfedd4, ap=0xbffff0f8 "\\\361\377\277\034\361\377\277") at npc.c:367
#4 0x08162d0d in db_obj_vforeach.149278 (self=0xadda6e04, func=0x8248514 <npc_event_doall_sub>, args=0xbffff0f8 "\\\361\377\277\034\361\377\277") at db.c:1937
#5 0x08232e23 in db_obj_foreach.149218 (self=0xadda6e04, func=0x8248514 <npc_event_doall_sub>) at db.c:1983
#6 0x081e35ec in npc_event_doall_id (name=0x8294316 "OnInit", rid=0) at npc.c:422
#7 0x081e3587 in npc_event_doall (name=0x8294316 "OnInit") at npc.c:413
#8 0x081c15b9 in npc_event_do_oninit () at npc.c:484
#9 0x08201562 in do_init (argc=1, argv=0xbffff2f4) at map.c:5412
#10 0x082009fa in main (argc=1, argv=0xbffff2f4) at core.c:342
(gdb) bt full
#0 0x080fecd5 in run_script_main (st=0xaafa0cf4) at script.c:3465
cmdcount = 655360
gotocount = 2048
sd = 0xafb
stack = 0xa9ad1ea4
nd = 0xaaa677b4
#1 0x080fe9eb in run_script.part.62 (oid=110009257, rid=0, pos=0, rootscript=0xaaa6a6ec) at script.c:3315
st = 0xaafa0cf4
#2 run_script (rootscript=0xaaa6a6ec, pos=0, rid=0, oid=110009257) at script.c:3304
No locals.
#3 0x08248659 in npc_event_doall_sub (key=..., data=0xacfedd4, ap=0xbffff0f8 "\\\361\377\277\034\361\377\277") at npc.c:367
p = 0xaaa6a693 "::OnInit"
ev = 0xaaa6a62c
c = 0xbffff15c
name = 0xbffff11c "::OnInit"
rid = 0
__FUNCTION__ = "npc_event_doall_sub"
__FUNCTION__ = "npc_event_doall_sub"
#4 0x08162d0d in db_obj_vforeach.149278 (self=0xadda6e04, func=0x8248514 <npc_event_doall_sub>, args=0xbffff0f8 "\\\361\377\277\034\361\377\277") at db.c:1937
argscopy = 0xbffff0f8 "\\\361\377\277\034\361\377\277"
i = 2
sum = 0
node = 0xacfedc4
parent = 0xac62624
#5 0x08232e23 in db_obj_foreach.149218 (self=0xadda6e04, func=0x8248514 <npc_event_doall_sub>) at db.c:1983
args = 0xbffff0f8 "\\\361\377\277\034\361\377\277"
ret = 8
#6 0x081e35ec in npc_event_doall_id (name=0x8294316 "OnInit", rid=0) at npc.c:422
c = 7
buf = "::OnInit\000\037*\b\234\033*\bj\001\000\000\024\002\000\000\000\000\000\000\210\361\377\277\004\000\025\b\023\000\000\000\000\000db_alloc:nodes:init:ve"
#7 0x081e3587 in npc_event_doall (name=0x8294316 "OnInit") at npc.c:413
No locals.
#8 0x081c15b9 in npc_event_do_oninit () at npc.c:484
No locals.
#9 0x08201562 in do_init (argc=1, argv=0xbffff2f4) at map.c:5412
i = 1
__FUNCTION__ = "do_init"
__FUNCTION__ = "do_init"
#10 0x082009fa in main (argc=1, argv=0xbffff2f4) at core.c:342
No locals.
(gdb) print nd->bl.m
$1 = -1
(gdb) print nd->name
$2 = "Knight1", '\000' <repeats 17 times>
(gdb) print *nd
$3 = {bl = {next = 0x0, prev = 0x0, id = 110009257, m = -1, x = 0, y = 0, type = BL_NPC}, ud = {bl = 0x0, walkpath = {path_len = 0 '\000', path_pos = 0 '\000',
path = '\000' <repeats 31 times>}, skilltimerskill = {0x0 <repeats 15 times>}, skillunit = {0x0 <repeats 25 times>}, skillunittick = {{tick = 0,
id = 0} <repeats 25 times>}, attacktarget_lv = 0, to_x = 0, to_y = 0, skillx = 0, skilly = 0, skill_id = 0, skill_lv = 0, skilltarget = 0, skilltimer = 0,
target = 0, target_to = 0, attacktimer = 0, walktimer = 0, chaserange = 0, attackabletime = 0, canact_tick = 0, canmove_tick = 0, dir = 0 '\000', walk_count = 0 '\000',
target_count = 0 '\000', state = {change_walk_target = 0, skillcastcancel = 0, attack_continue = 0, walk_easy = 0, running = 0, speed_changed = 0}}, vd = 0x0, sc = {
option = 0, opt3 = 0, opt1 = 0, opt2 = 0, count = 0 '\000', jb_flag = 0 '\000', comet_x = 0, comet_y = 0, bs_counter = 0 '\000', data = {0x0 <repeats 555 times>}},
master_nd = 0x0, class_ = -1, speed = 200, name = "Knight1", '\000' <repeats 17 times>, exname = "Knight1", '\000' <repeats 17 times>, chat_id = 0, touching_id = 0,
next_walktime = 0, size = 0, status = {hp = 0, sp = 0, max_hp = 0, max_sp = 0, str = 0, agi = 0, vit = 0, int_ = 0, dex = 0, luk = 0, batk = 0, matk_min = 0,
matk_max = 0, speed = 0, amotion = 0, adelay = 0, dmotion = 0, mode = 0, hit = 0, flee = 0, cri = 0, flee2 = 0, def2 = 0, mdef2 = 0, aspd_rate2 = 0, aspd_rate = 0,
def = 0, mdef = 0, def_ele = 0 '\000', ele_lv = 0 '\000', size = 0 '\000', race = 0 '\000', rhw = {atk = 0, atk2 = 0, range = 0, ele = 0 '\000', matk = 0,
wlv = 0 '\000'}, lhw = {atk = 0, atk2 = 0, range = 0, ele = 0 '\000', matk = 0, wlv = 0 '\000'}}, level = 0, stat_point = 0, chatdb = 0x0,
path = 0xaad16eec "npc/jobs/2-1/knight.txt", subtype = SCRIPT, src_id = 0, u = {scr = {script = 0xaaa6a6ec, xs = -1, ys = -1, guild_id = 0, timer = 0, timerid = -1,
timeramount = 3, rid = 0, timertick = 0, timer_event = 0xaad1709c, label_list_num = 7, label_list = 0xb1939c84}, shop = {shop_item = 0xaaa6a6ec, count = -1}, warp = {
xs = -22804, ys = -21850, x = -1, y = -1, mapindex = 0}, tomb = {md = 0xaaa6a6ec, kill_time = -1,
killer_name = "\000\000\000\000\000\000\000\000\377\377\377\377\003\000\000\000\000\000\000\000\000\000\000"}}}
[/code]
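As an added example (not Hercules code), here is a minimal C model of the failing line at script.c:3465: a floating NPC such as Knight1 has bl.m == -1, so indexing the map array with it reads before the array. The struct and array names mirror the backtrace but are simplified, the map table and the placed NPC are constructed, and the bounds check is the guard the original line lacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the Hercules structures seen in the backtrace
 * (added example, not Hercules code). */
struct block_list { int id; short m; short x, y; };       /* m == -1: floating, on no map */
struct map_data   { const char *name; int instance_id; };
struct npc_data   { struct block_list bl; const char *name; const char *path; };

/* Constructed map table: index 0 belongs to instance 7, the others to none. */
#define MAP_MAX 3
static struct map_data map[MAP_MAX] = {
    { "1@tower",  7 },
    { "prontera", 0 },
    { "izlude",   0 },
};
static const int map_num = MAP_MAX;

/* Guard that the original `if( nd && map[nd->bl.m].instance_id > 0 )` lacks:
 * a floating NPC (bl.m == -1) or a stale index must never be used to index map[]. */
bool npc_on_valid_map(const struct npc_data *nd)
{
    return nd != NULL && nd->bl.m >= 0 && nd->bl.m < map_num;
}

/* Instance the NPC's map belongs to, or 0 when the NPC is not on any map.
 * This is the bounds-checked form of the failing line. */
int npc_instance_id(const struct npc_data *nd)
{
    if (!npc_on_valid_map(nd))
        return 0;
    return map[nd->bl.m].instance_id;
}

int main(void)
{
    /* Constructed NPCs: one placed on the instance map, one floating like Knight1
     * in the gdb dump above (id and script path taken from that dump). */
    struct npc_data placed   = { { 110009001, 0, 10, 20 }, "Guide",   "npc/constructed.txt" };
    struct npc_data floating = { { 110009257, -1, 0, 0 }, "Knight1", "npc/jobs/2-1/knight.txt" };

    printf("%s: valid map=%d instance=%d\n", placed.name,
           npc_on_valid_map(&placed), npc_instance_id(&placed));     /* 1, 7 */
    printf("%s: valid map=%d instance=%d\n", floating.name,
           npc_on_valid_map(&floating), npc_instance_id(&floating)); /* 0, 0 */
    return 0;
}
```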