Reported directly to devteam, zapping wand of undead turning at a
shopkeeper's corpse would cause a crash.  'Traits' to fully recreate
the shk were attached to the corpse, but the temporary monster
created on the map intended to be relaced by the shk didn't have any
eshk struct, and the sequence replmon() -> replshk() -> inhishop()
attempted to access mtmp->mextra->eshk when trying to reattach the
shk to his/her shop.  No other mextra structs involve pointer fixups,
so pets, priests, vault guards don't need extra handling.

I tested four cases.  #1 and #3 had no shop bill at the time; I'm not
sure about #2.  These all worked.
 1) shk killed inside shop, resurrected there;
 2) killed outside shop on the shop level, resurrected there;
 3) killed inside his shop, corpse carried to different level before
    being resurrected;
 4) killed and resurrected on different level from shop after hero
    stole something (teleported out of shop with unpaid item)--shk
    left shop to chase hero and followed him/her up some stairs.

> [1. perm_invent is kept in flags so persists across save/restore, but
>  perm_invent capability can change if player restores with a different
>  interface--or same one running on a different-sized display--so it
>  ought to be in iflags instead.]

Not addressed here.

> 2. perm_invent window does not get updated when charging a wand (or
> other chargeable item presumably), with a scroll of charging.

Most scrolls rely on useup() -> update_inventory(), but charging uses up
the scroll early so that it will be gone from inventory when choosing an
item to charge.  It needed an explicit update_inventory() after charging.

> 3. update_inventory(), is called from setworn(), which is called from
> dorestore(), when loading a save.  Segfaults have been observed in
> variants based on this code (though not yet in vanilla 3.6.1), so it's
> possible this may be unsafe.  The update_inventory() call in setworn()
> could be protected with "if (!restoring) ..."

tty doesn't support perm_invent, so this might be a win32 issue.
I've made the suggested change, but a better fix would be to turn off
perm_invent as soon as options processing (new game) or options restore
(old game unless/until #1 gets changed) has finished setting things up,
then turn it back on at the end of moveloop()'s prolog when play is
about to start.

 = =

Most of the read.c change is reordering prototypes to match the order
of the corresponding functions.  I did this when adding a new static
routine, then ended up discarding that routine.

Fix "objects[0] class #1 not in order!" panic.  The new check to
make sure that the elements of objects[] were in ascending order
by object class uses a plain 'char' index so -1 to indicate 'no
previous value' didn't work on a system using unsigned chars.

Verfied by temporarily adding '-funsigned-char' to CFLAGS before
and after the revision.  Before: panic, after: no panic.

Fixes #337

Report raises two issues:
1) if you perform magic mapping while engulfed (or underwater) the
map got updated and player could view it with cursor+autodescribe,
but when done viewing it did not switch back to the limited engulfed
(or underwater) display.
2) when picking a teleport destination while engulfed/underwater you
have to pick the spot while seeing only the limited view of the map
that is shown while engulfed/underwater.

This fixes #1.  I'm inclined to classify #2 as traditional behavior
and am not going to try to figure out a fix for it.

Fixes #483

Add a page citation for passage #1 and change the wording of that
passage to match the book:  the second "does not need" should be
"doesn't even need".

Also make the comments about various added passages (for other
books) be more consistent.

Add four new passages to Carpe Jugulum, bringing total to 12.

A couple of fixes for the Fifth Elephant are mixed in:  page reference
and italics for passage #1, correct the spelling of "doublet" in #9.

Add page citations to passages 1 and 2 and missing italics to #1.

Add five new pssages, bringing total to 13.

Add a page citation to passage #1; add six new passages (bringing
total to 14).

Add a page citation to passage #1 of Night Watch, and add five new
passages, briging the total to 12.

Add four new passages to The Wee Free Men, bringing the total to 13.

Report was for curses but issue is in the core so any interface
that supports persistent inventory is affected.  Reading a not-yet-
discovered scroll of blank paper wasn't always updating perm_invent
to show change in formatted description when it became discovered.

Would only happen on turn #1 (so the scroll needed to be acquired
via autopickup at starting location or via wizard mode wish so that
it could be read before any game time elapsed) when the object
discovery routine deliberately avoided updating perm_invent.  Fix
by using a different way than moves==1 to decide whether an object
is being discovered because it is part of hero's initial inventory.

Treat the first kill of any unique monster as a major event (for
inclusion in dumplog).  Revival and repeat kill is not major but
can still be seen during the game via the #chronicle command.

Show the minor event more often:  in addition to death #1 it was
being shown on death 5, 10, 50, 100, 150, 200, and 250.  Add 2, 3,
and 25 to that list.

If you were on a level teleporter, the spoteffects() call after
the hero gets expelled could end up going to a new level and
freeing all the monst chains from the level you were originally
engulfed on.

    #0 0xba0507 in free
    #1 0x87feda in dealloc_monst src/mon.c:2369
    #2 0x880a02 in dmonsfree src/mon.c:2194
    #3 0x9a7aa2 in savelev_core src/save.c:507
    #4 0x9a7a21 in savelev src/save.c:466
    #5 0x71eb9d in goto_level src/do.c:1483
    #6 0x71833f in deferred_goto src/do.c:1903
    #7 0xa2533f in level_tele src/teleport.c:1117
    #8 0xa2567b in level_tele_trap src/teleport.c:1198
    #9 0xa5c007 in trapeffect_level_telep src/trap.c:1861
    #10 0xa5f856 in trapeffect_selector src/trap.c:2497
    #11 0xa47497 in dotrap src/trap.c:2586
    #12 0x7d669b in spoteffects src/hack.c:2859
    #13 0x89d495 in xkilled src/mon.c:3187

The latter parts of xkilled() after the spoteffects() call would
then attempt to dereference the free'd monst pointer.

Save a copy of the monst struct prior to spoteffects() if you were
expelled, then point at the reference copy afterwards.

Resolves #938

Try to fix a fuzzer issue.  I wasn't able to reproduce it so am not
sure whether this actually fixes it.  A mimic seemed to be mimicking
object #1 (generic ILLOBJ_CLASS object which shouldn't occur) rather
than #0 (strange object).  Strange object always has dknown==1 and
generic objects should always have dknown==0 but farlook of mystery
object #1 had its dknown flag set.

An earlier fix to force non-Null oc_name when formatting objects in
order to pacify the static analyzer might have been the reason that
the problem couldn't be reproduced.

This includes a few miscellaneous changes made while unsuccessfully
hunting for the problem.

This is a re-creation of a project that was lost years ago while not
quite finished.  The old version included some instrumentation to
measure how many hits it takes to kill things during actual play; that
wasn't ready for prime time and this hasn't attempted to redo it.

Changes:
1) improves martial arts and bare-handed combat:  they now have a
   chance to hit twice when skill is better than 'basic'; 20% chance
   for second hit at skilled, 40% at expert, 60% at master, and 80% at
   grandmaster; when attacking more than once, strength bonus is
   handled as in #2;
2) nerfs two-weapon combat a bit:  hitting twice uses only 3/4 strength
   bonus on each hit, but when both attacks hit that's 3/2 bonus from
   strength which is still more than you get for one hit at a time;
3) beefs up two-handed weapons:  hitting via melee with a two-handed
   weapon uses 3/2 of stength bonus to reflect the increased influence
   of strength; isn't done for applied polearms though.

The reduction in strength bonus for two-weapon has far less impact
than it might sound, due to rounding up with the low values involved.
| full   3/4
|  +1 -> +1
|  +2 -> +2
|  +3 -> +2
|  +4 -> +3
|  +5 -> +4
|  +6 -> +5
The small reduction also doesn't matter if/when current hit happens to
deal a killing blow anyway.

Rings of increase damage apply at full value to every hit, same as
before.

When hitting bare-handed (#1 without gloves), a silver ring on either
hand continues to give a damage bonus against silver haters when you
make an ordinary single attack.  However if you attack twice, a silver
ring only applies on the first hit when it is worn on the right hand
and only applies on the second hit when worn on the left hand.  (Two
hits with a silver ring on each hand will give silver bonus for both.)

We might conceivably need to add support for a count prefix of 1 to
let player explicitly avoid a second bare-handed/martial-arts hit
attempt (similar to how throw and fire accept a count to limit missile
volley amount).

Kicking has been ignored.

On GitHub issue 1090, Rhialto wrote:
Hi! I am currently in the process of adapting the pkgsrc packaging of NetHack 3.6.7 to include the curses window option. A bit late perhaps...

While working on that, I ran into a case of a NULL pointer being used. Apparently when linking with ncurses, this doesn't cause problems, but NetBSD's own curses doesn't like it, and crashes the game.

Here is the stack trace. It happens when #quitting, I think just before the high scores are about to be shown (but I guess it should show in the stack trace if I'm totally correct with that):

(gdb) bt
 #0  redrawwin (win=0x0) at /usr/src/lib/libcurses/touchwin.c:149
 #1  0x0000000017e104b4 in curses_refresh_nethack_windows () at ../win/curses/curswins.c:176
 #2  0x0000000017e1054a in curses_destroy_win (win=win@entry=0x7ad219520540) at ../win/curses/curswins.c:155
 #3  0x0000000017e1512c in curses_display_nhmenu (wid=<optimized out>, how=<optimized out>, _selected=0x7f7fff65d850) at ../win/curses/cursdial.c:771
 #4  0x0000000017e0ff81 in curses_select_menu (wid=wid@entry=21, how=how@entry=0, selected=selected@entry=0x7f7fff65d850) at ../win/curses/cursmain.c:607
 #5  0x0000000017e10257 in curses_display_nhwindow (wid=21, block=1) at ../win/curses/cursmain.c:385
 #6  0x0000000017ca8075 in really_done (how=<optimized out>, how@entry=13) at end.c:1609
 #7  0x0000000017ca993f in done (how=how@entry=13) at end.c:1201
 #8  0x0000000017ca9c85 in done2 () at end.c:381
 #9  done2 () at end.c:337
 #10 0x0000000017c489da in doextcmd () at cmd.c:363
 #11 0x0000000017c57e94 in rhack (cmd=<optimized out>, cmd@entry=0x0) at cmd.c:4909
 #12 0x0000000017c265da in moveloop (resuming=<optimized out>) at allmain.c:435
 #13 0x0000000017e1b862 in main (argc=<optimized out>, argv=<optimized out>) at ../sys/unix/unixmain.c:351
status_window is NULL here. Simply checking for NULL avoids the problem. I added checks for the other windows as well, while I was there.

If tutorial is entered, we get following leak on exit:

=================================================================
==81358==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 3 object(s) allocated from:
    #0 0x7f6996edefdf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
        NetHack#1 0x5601c255bcbb in alloc /home/miku/src/NetHack/src/alloc.c:71

Indirect leak of 5064 byte(s) in 3 object(s) allocated from:
    #0 0x7f6996edefdf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
        NetHack#1 0x5601c255be1e in alloc /home/miku/src/NetHack/src/alloc.c:71
	    NetHack#2 0x5601c255be1e in dupstr /home/miku/src/NetHack/src/alloc.c:236

SUMMARY: AddressSanitizer: 5160 byte(s) leaked in 6 allocation(s).

Fix this by freeing the cloned selection before returning.

If tutorial is entered, we get following leak on exit:

=================================================================
==81358==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 3 object(s) allocated from:
    #0 0x7f6996edefdf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
        #1 0x5601c255bcbb in alloc /home/miku/src/NetHack/src/alloc.c:71

Indirect leak of 5064 byte(s) in 3 object(s) allocated from:
    #0 0x7f6996edefdf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
        #1 0x5601c255be1e in alloc /home/miku/src/NetHack/src/alloc.c:71
	    #2 0x5601c255be1e in dupstr /home/miku/src/NetHack/src/alloc.c:236

SUMMARY: AddressSanitizer: 5160 byte(s) leaked in 6 allocation(s).

Fix this by freeing the cloned selection before returning.

Updates to NetHack 3.7 CMakeLists.txt

Add artefact tripe ration Liver of Ahriman

If freedynamicdata() gets called twice, for whatever reason, a "double free" can occur.

warning: 44     ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7c8b26e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7c6e8ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7c6f7b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7e148d7 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:132
#6  0x00007ffff7ceefe5 in malloc_printerr (str=str@entry=0x7ffff7e17bf0 "free(): double free detected in tcache 2")
    at ./malloc/malloc.c:5772
#7  0x00007ffff7cf154f in _int_free (av=0x7ffff7e49ac0 <main_arena>, p=<optimized out>, have_lock=0)
    at ./malloc/malloc.c:4541
#8  0x00007ffff7cf3d9e in __GI___libc_free (mem=0x555555ad82a0) at ./malloc/malloc.c:3398
#9  0x00005555557c12e9 in free_rect () at rect.c:48
#10 0x00005555557d77a2 in freedynamicdata () at save.c:1240
#11 0x0000555555682754 in nh_terminate (status=0) at end.c:1671
#12 0x000055555589af15 in opt_terminate () at ../sys/unix/unixmain.c:768
#13 0x000055555589af7a in after_opt_showpaths (dir=0x0) at ../sys/unix/unixmain.c:796
#14 0x0000555555693dd9 in do_deferred_showpaths (code=0) at files.c:4491
#15 0x0000555555778405 in initoptions () at options.c:6948
#16 0x0000555555899cd9 in main (argc=2, argv=0x7fffffffdad8) at ../sys/unix/unixmain.c:151

The two options are very similar but probably mutually exclusive
except when using look-here and look-into-container (both via ':')
with the default setting for 'sortloot', or with inventory when
'sortpack' has been toggled off.

This removes 'use_menu_glyphs' and changes 'menu_objsyms' from a
boolean to a compound taking six possible values:
| 0: no object symbols in menus,
| 1: append object class symbol to object header lines (same as old
|menu_objsyms boolean),
| 2: include object symbol in menu entry lines for objects (same as
|recently added use_menu_glyphs),
| 3: both 1 and 2,
| 4: display as #2 but only if the menu lacks class header lines,
| 5: if header lines are present, display as #1; if headers are not
|present, then display as #4 (which will implicitly be #2).
Default is #4.

Effectively replaces the options portion of pull request #1406 and
retains the functionality, but not as default for normal menus.

Guidebook.tex is only partially updated.  Someone else will need to
finish that.