root/1.8.3/trunk/src/destroy.c

/**
 * \file destroy.c
 *
 * \brief Destroying objects and consistency checking.
 *
 * This file has two main parts. One part is the functions for destroying
 * objects and getting objects off of the free list. The major public
 * functions here are do_destroy(), free_get(), and purge().
 *
 * The other part is functions for checking the consistency of the
 * database, and repairing any inconsistencies that are found. The
 * major function in this group is dbck().
 * 
 *
 * These lengthy comments are by Ralph Melton, December 1995.
 *
 * First, a discourse on the theory of how we handle destruction.
 *
 * We want to maintain the following invariants:
 * 1. All destroyed objects are on the free list. (linked through the next
 *    fields.)
 * 2. All objects on the free list are destroyed objects.
 * 3. No undestroyed object has its next, contents, location, or home
 *    field pointing to a destroyed object.
 * 4. No object's zone or parent is a destroyed object.
 * 5. No object's owner is a destroyed object.
 * 
 * For the sake of efficiency, we allow indirect locks and other locks to
 * refer to destroyed objects; boolexp.c had better be able to cope with
 * these.
 *
 *
 * There are three logically distinct parts to destroying an object:
 *
 * Part 1: we do all the permissions checks, check for the SAFE flag
 * and the override switch, and decide that yes, we are going to destroy
 * this object.
 *
 * Part 2: we eliminate all the links from other objects in the database
 * to this object. This processing may depend on the object's type.
 *
 * Part 3: (logically concurrent with part 2, and must happen together
 * with part 2) Remove any commands the object may have in the queue,
 * free all the storage associated with the object, set the name to
 * 'Garbage', and set this object to be a destroyed object, and put it
 * on the free list. This process is independent of object type.
 *
 * Note that phases 2 and 3 do not have to happen immediately after Phase 1.
 * To allow some delay, we set the object GOING, and then process it on
 * the check that happens every ten minutes. 
 *
 */

#include "config.h"

#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#include "copyrite.h"
#include "conf.h"
#include "mushdb.h"
#include "match.h"
#include "externs.h"
#include "log.h"
#include "game.h"
#include "extmail.h"
#include "malias.h"
#include "attrib.h"
#include "dbdefs.h"
#include "flags.h"
#include "lock.h"
#include "confmagic.h"



dbref first_free = NOTHING;   /**< Object at top of free list */

static dbref what_to_destroy(dbref player, char *name, int confirm);
static void pre_destroy(dbref player, dbref thing);
static void free_object(dbref thing);
static void empty_contents(dbref thing);
static void clear_thing(dbref thing);
static void clear_player(dbref thing);
static void clear_room(dbref thing);
static void clear_exit(dbref thing);

static void check_fields(void);
static void check_connected_rooms(void);
static void mark_connected(dbref loc);
static void check_connected_marks(void);
static void mark_contents(dbref loc);
static void check_contents(void);
static void check_locations(void);
static void check_zones(void);
static int attribute_owner_helper
  (dbref player, dbref thing, dbref parent, char const *pattern, ATTR *atr,
   void *args);

extern void remove_all_obj_chan(dbref thing);
extern void chan_chownall(dbref old, dbref new);

extern struct db_stat_info current_state;

/** Mark an object */
#define SetMarked(x)    Type(x) |= TYPE_MARKED
/** Unmark an object */
#define ClearMarked(x)  Type(x) &= ~TYPE_MARKED


/* Section I: do_destroy() and related functions. This section is where
 * the human interface of do_destroy() should largely be determined.
 */

/* Methinks it's time to consider human interfaces criteria for destruction
 * as well as to consider the invariants that need to be maintained.
 *
 * My major criteria are these (with no implied ranking, since I haven't
 * decided how they balance out):
 * 
 * 1) It's easy to destroy things you intend to destroy.
 * 
 * 2) It's easy to correct from destroying things that you don't intend
 * to destroy. This includes both typos and realizing that you didn't mean
 * to destroy that. This principle requires two sub-principles:
 *      a) The player gets notified when something 'important' gets
 *         marked to be destroyed--and gets told .what. is marked.
 *      b) The actual destruction of the important thing is delayed
 *         long enough that you can recover from it.
 *
 * 3) You can't destroy something you don't have the proper privileges to
 * destroy. (Obvious, but still worth writing down.)
 *
 * To try to achieve a reasonable balance between items 1) and 2), we
 * have the following design:
 * Everything is finally destroyed on the second purge after the @destroy
 * command is done, unless it is set !GOING in the meantime.
 * @destroying an object while it is set GOING destroys it immediately.
 *
 * Let me introduce a little jargon for this discussion:
 *      pre-destroying an object == setting it GOING, running the @adestroy.
 *              (Pre-destroying corresponds to phase 1 above.)
 *      purging an object == actually irrevocably making it vanish.
 *              (This corresponds to phases 2 and 3 above.)
 *      undestroying an object == setting it !GOING, etc.
 *
 * We would also like to have an @adestroy attribute that contains
 * code to be executed when the object is destroyed. This is
 * complicated by the fact that the object is going to be
 * destroyed. To work around this, we run the @adestroy when the
 * object is pre-destroyed, not when it's actually purged. This
 * introduces the possibility that the adestroy may be invoked for
 * something that is then undestroyed. To compensate for that, we run
 * the @startup attribute when something is undestroyed.
 *
 * Another issue is how to run the @adestroy for objects that are
 * destroyed as a consequence of other objects being destroyed. For
 * example, when rooms are destroyed, any exits leading from those
 * rooms are also destroyed, and when a player is destroyed, !SAFE
 * objects they own may also be destroyed.
 * 
 * To handle this, we do the following:
 * pre-destroying a room pre-destroys all its exits.
 * pre-destroying a player pre-destroys all the objects that will be purged
 * when that player is purged.
 *
 * This requires the following about undestroys:
 * undestroying an exit undestroys its source room.
 * undestroying any object requires undestroying its owner.
 *
 * But it also seems to require the following in order to make '@destroy
 * foo; @undestroy foo' a no-op for all foo:
 * undestroying a room undestroys all its exits.
 * undestroying a player undestroys all its GOING things.
 * 
 * Now, consider this scenario:
 * Player A owns room #1. Player B owns exit #2, whose source is room #1.
 * Player B owns thing #3. Player A and player B are both pre-destroyed;
 * none of the objects are set SAFE. Thing #3 is then undestroyed.
 * 
 * If you trace through the dependencies, you find that this involves
 * undestroying all the objects, including both players! Is that what
 * we want? It seems to me that it would be very surprising in practice.
 * 
 * To reconcile this, we introduce the following compromise.
 * undestroying a room undestroys all exits in the room that are not owned
 *      by a GOING player or set SAFE..
 * undestroying a player undestroys all objects he owns that are not exits
 *      in a GOING room that he does not own.
 * 
 * In this way, the propagation of previous scenario would die out at exit
 * #2, which would stay GOING. Metaphorically, there are two 'votes' for
 * its destruction: the destruction of room #1, and the destruction of
 * player B. Undestroying player B by undestroying thing #3 removes one
 * of the 'votes' for exit #2's destruction, but there would still be
 * the vote from room #1.  
 */


/** Determine what object to destroy and if we're allowed.
 * Do all matching and permissions checking. Returns the object to be
 * destroyed if all the permissions checks are successful, otherwise
 * return NOTHING.
 */
static dbref
what_to_destroy(dbref player, char *name, int confirm)
{
  dbref thing;

  thing = noisy_match_result(player, name, NOTYPE, MAT_EVERYTHING);
  if (thing == NOTHING)
    return NOTHING;

  if (IsGarbage(thing)) {
    notify(player, T("Destroying that again is hardly necessary."));
    return NOTHING;
  }
  if (God(thing)) {
    notify(player, T("Destroying God would be blasphemous."));
    return NOTHING;
  }
  /* To destroy, you must either:
   * 1. Control it
   * 2. Control its source or destination if it's an exit
   * 3. Be dealing with a dest-ok thing and pass its lock/destroy
   */
  if (!controls(player, thing) &&
      !(IsExit(thing) &&
        (controls(player, Destination(thing)) ||
         controls(player, Source(thing)))) &&
      !(DestOk(thing) && eval_lock(player, thing, Destroy_Lock))) {
    notify(player, T("Permission denied."));
    return NOTHING;
  }
  if (thing == PLAYER_START || thing == MASTER_ROOM || thing == BASE_ROOM ||
      thing == DEFAULT_HOME || God(thing)) {
    notify(player, T("That is too special to be destroyed."));
    return NOTHING;
  }
  if (REALLY_SAFE) {
    if (Safe(thing) && !DestOk(thing)) {
      notify(player,
             T
             ("That object is set SAFE. You must set it !SAFE before destroying it."));
      return NOTHING;
    }
  } else {                      /* REALLY_SAFE */
    if (Safe(thing) && !DestOk(thing) && !confirm) {
      notify(player, T("That object is marked SAFE. Use @nuke to destroy it."));
      return NOTHING;
    }
  }
  /* check to make sure there's no accidental destruction */
  if (!confirm && !Owns(player, thing) && !DestOk(thing)) {
    notify(player,
           T("That object does not belong to you. Use @nuke to destroy it."));
    return NOTHING;
  }
  /* what kind of thing we are destroying? */
  switch (Typeof(thing)) {
  case TYPE_PLAYER:
    if (!IsPlayer(player)) {
      notify(player, T("Programs don't kill people; people kill people!"));
      return NOTHING;
    }
    /* The only player a player can own() is themselves...
     * If they somehow manage to own() another player, they can't
     * nuke that one either...which seems like a good plan, although
     * the error message is a bit confusing. -DTC
     */
    if (!Wizard(player)) {
      notify(player, T("Sorry, no suicide allowed."));
      return NOTHING;
    }
    /* Already checked for God(thing), so use Wizard() */
    if (Wizard(thing) && !God(player)) {
      notify(player, T("Even you can't do that!"));
      return NOTHING;
    }
    if (Connected(thing)) {
      notify(player,
             T("How gruesome. You may not destroy players who are connected."));
      return NOTHING;
    }
    if (!confirm) {
      notify(player, T("You must use @nuke to destroy a player."));
      return NOTHING;
    }
    break;
  case TYPE_THING:
    if (!confirm && Wizard(thing)) {
      notify(player,
             T("That object is set WIZARD. You must use @nuke to destroy it."));
      return NOTHING;
    }
    break;
  case TYPE_ROOM:
    break;
  case TYPE_EXIT:
    break;
  }
  return thing;

}


/** User interface to destroy an object.
 * \verbatim
 * This is the top-level function for @destroy.
 * \endverbatim
 * \param player the enactor.
 * \param name name of object to destroy.
 * \param confirm if 1, called with /override (or nuke).
 */
void
do_destroy(dbref player, char *name, int confirm)
{
  dbref thing;
  thing = what_to_destroy(player, name, confirm);
  if (!GoodObject(thing))
    return;

  /* If thing has already been marked for destruction, go ahead and
   * destroy immediately.
   */
  if (Going(thing)) {
    free_object(thing);
    notify(player, T("Destroyed."));
    return;
  }
  /* Present informative messages. */
  if (!REALLY_SAFE && Safe(thing))
    notify(player,
           T
           ("Warning: Target is set SAFE, but scheduling for destruction anyway."));
  switch (Typeof(thing)) {
  case TYPE_ROOM:
    /* wait until dbck */
    notify_except(Contents(thing), NOTHING,
                  T("The room shakes and begins to crumble."), 0);
    if (Owns(player, thing))
      notify_format(player,
                    T("You will be rewarded shortly for %s."),
                    object_header(player, thing));
    else {
      notify_format(player,
                    T
                    ("The wrecking ball is on its way for %s's %s and its exits."),
                    Name(Owner(thing)), object_header(player, thing));
      notify_format(Owner(thing),
                    T("%s has scheduled your room %s to be destroyed."),
                    Name(player), object_header(Owner(thing), thing));
    }
    break;
  case TYPE_PLAYER:
    /* wait until dbck */
    notify_format(player,
                  (DESTROY_POSSESSIONS ?
                   (REALLY_SAFE ?
                    T
                    ("%s and all their (non-SAFE) objects are scheduled to be destroyed.")
                    :
                    T
                    ("%s and all their objects are scheduled to be destroyed."))
                   : T("%s is scheduled to be destroyed.")),
                  object_header(player, thing));
    break;
  case TYPE_THING:
    if (!Owns(player, thing)) {
      notify_format(player, T("%s's %s is scheduled to be destroyed."),
                    Name(Owner(thing)), object_header(player, thing));
      if (!DestOk(thing))
        notify_format(Owner(thing),
                      T("%s has scheduled your %s for destruction."),
                      Name(player), object_header(Owner(thing), thing));
    } else {
      notify_format(player, T("%s is scheduled to be destroyed."),
                    object_header(player, thing));
    }
    break;
  case TYPE_EXIT:
    if (!Owns(player, thing)) {
      notify_format(Owner(thing),
                    T("%s has scheduled your %s for destruction."),
                    Name(player), object_header(Owner(thing), thing));
      notify_format(player,
                    T("%s's %s is scheduled to be destroyed."),
                    Name(Owner(thing)), object_header(player, thing));
    } else
      notify_format(player,
                    T("%s is scheduled to be destroyed."),
                    object_header(player, thing));
    break;
  default:
    do_log(LT_ERR, NOTHING, NOTHING, T("Surprising type in do_destroy."));
    return;
  }

  pre_destroy(player, thing);
  return;
}


/** Spare an object from slated destruction.
 * \verbatim
 * This is the top-level function for @undestroy.
 * Not undestroy, quite--it's actually 'remove it from its status as about
 * to be destroyed.'
 * \endverbatim
 * \param player the enactor.
 * \param name name of object to be spared.
 */
void
do_undestroy(dbref player, char *name)
{
  dbref thing;
  thing = noisy_match_result(player, name, NOTYPE, MAT_EVERYTHING);
  if (!GoodObject(thing)) {
    return;
  }
  if (!controls(player, thing)) {
    notify(player, T("Alas, your efforts of mercy are in vain."));
    return;
  }
  if (undestroy(player, thing)) {
    notify_format(Owner(thing),
                  T("Your %s has been spared from destruction."),
                  object_header(Owner(thing), thing));
    if (player != Owner(thing)) {
      notify_format(player,
                    T("%s's %s has been spared from destruction."),
                    Name(Owner(thing)), object_header(player, thing));
    }
  } else {
    notify(player, T("That can't be undestroyed."));
  }
}



/* Section II: Functions that manage the actual work of destroying
 * Objects.
 */

/* Schedule something to be destroyed, run @adestroy, etc. */
static void
pre_destroy(dbref player, dbref thing)
{
  dbref tmp;
  if (Going(thing) || IsGarbage(thing)) {
    /* we've already covered this thing. No need to do so again. */
    return;
  }
  set_flag_internal(thing, "GOING");
  clear_flag_internal(thing, "GOING_TWICE");

  /* Present informative messages, and do recursive destruction. */
  switch (Typeof(thing)) {
  case TYPE_ROOM:
    DOLIST(tmp, Exits(thing)) {
      pre_destroy(player, tmp);
    }
    break;
  case TYPE_PLAYER:
    if (DESTROY_POSSESSIONS) {
      for (tmp = 0; tmp < db_top; tmp++) {
        if (Owner(tmp) == thing &&
            (tmp != thing) && (!REALLY_SAFE || !Safe(thing))) {
          pre_destroy(player, tmp);
        }
      }
    }
    break;
  case TYPE_THING:
    break;
  case TYPE_EXIT:
    /* This is the only case in which we might end up destroying something
     * whose owner hasn't already been notified. */
    if ((Owner(thing) != Owner(Source(thing))) && Going(Source(thing))) {
      if (!Owns(player, thing)) {
        notify_format(Owner(thing),
                      T("%s has scheduled your %s for destruction."),
                      Name(player), object_header(Owner(thing), thing));
      }
    }
    break;
  default:
    do_log(LT_ERR, NOTHING, NOTHING, T("Surprising type in pre_destroy."));
    return;
  }

  if (ADESTROY_ATTR)
    did_it(player, thing, NULL, NULL, NULL, NULL, "ADESTROY", NOTHING);

  return;

}


/** Spare an object from destruction.
 * Not undestroy, quite--it's actually 'remove it from its status as about
 * to be destroyed.' This is the internal function used in hardcode.
 * \param player the enactor.
 * \param thing dbref of object to be spared.
 * \return 1 successful undestruction.
 * \return 0 thing is not a valid object to undestroy.
 */
int
undestroy(dbref player, dbref thing)
{
  dbref tmp;
  if (!Going(thing) || IsGarbage(thing)) {
    return 0;
  }
  clear_flag_internal(thing, "GOING");
  clear_flag_internal(thing, "GOING_TWICE");
  if (!Halted(thing))
    (void) queue_attribute_noparent(thing, "STARTUP", thing);
  /* undestroy owner, if need be. */
  if (Going(Owner(thing))) {
    if (Owner(thing) != player) {
      notify_format(player,
                    T("%s has been spared from destruction."),
                    object_header(player, Owner(thing)));
      notify_format(Owner(thing),
                    T("You have been spared from destruction by %s."),
                    Name(player));
    } else {
      notify(player, T("You have been spared from destruction."));
    }
    (void) undestroy(player, Owner(thing));
  }
  switch (Typeof(thing)) {
  case TYPE_PLAYER:
    if (DESTROY_POSSESSIONS)
      /* Undestroy all objects owned by players, except exits that are in
       * rooms owned by other players that are set GOING, since those will
       * be purged when the room is purged.
       */
      for (tmp = 0; tmp < db_top; tmp++) {
        if (Owns(thing, tmp) &&
            (tmp != thing) &&
            !(IsExit(tmp) && !Owns(thing, Source(tmp)) && Going(Source(tmp)))) {
          (void) undestroy(player, tmp);
        }
      }
    break;
  case TYPE_THING:
    break;
  case TYPE_EXIT:
    /* undestroy containing room. */
    if (Going(Source(thing))) {
      (void) undestroy(player, Source(thing));
      notify_format(player,
                    T("The room %s has been spared from destruction."),
                    object_header(player, Source(thing)));
      if (Owner(Source(thing)) != player) {
        notify_format(Owner(Source(thing)),
                      T("The room %s has been spared from destruction by %s."),
                      object_header(Owner(Source(thing)), Source(thing)),
                      Name(player));
      }
    }
    break;
  case TYPE_ROOM:
    /* undestroy exits in this room, except exits that are going to be
     * destroyed anyway due to a GOING player.
     */
    DOLIST(tmp, Exits(thing)) {
      if (DESTROY_POSSESSIONS ? (!Going(Owner(tmp)) || Safe(tmp)) : 1) {
        (void) undestroy(player, tmp);
      }
    }
    break;
  default:
    do_log(LT_ERR, NOTHING, NOTHING, T("Surprising type in un_destroy."));
    return 0;
  }
  return 1;
}


/* Does the real work of freeing all the memory and unlinking an object.
 * This is going to have to be very tightly coupled with the implementation;
 * if the database format changes, this will likely have to change too.
 */
static void
free_object(dbref thing)
{
  dbref i, loc;
  if (!GoodObject(thing))