Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#10001 closed defect (fixed)

TITANIC: MaitreD Random Crashes

Reported by: dafioram Owned by: wjp
Priority: high Component: Engine: Titanic
Version: Keywords:
Cc: Game: Starship Titanic

Description

OS: Win7-64
Game: Titanic GOG version c
ScummVM: 1.10.0git-4073-g2005ed7

In the restaurant when you are infront of the MaitreD the game will often crash. Its hard to narrow this down to reproducible steps, since it happens at random times.

Its seems like it happens more often if I am clicking and if I have prod'ed the MaitreD a few times and he is dancing. Several times scummvm has crashed as soon as I reach the MaitreD. It also happens without clicking anything, but that is less likely.

Scummvm closes immediately with no message when it crashes.

Demo: https://streamable.com/a4big

When the video goes blank thats when scummvm exits.

3965-gc55132b no crash
3986-gc3f8f1a crash
4073-g2005ed7 crash

Attachments (1)

titanic-win-1.005 (106.0 KB ) - added by dafioram 7 years ago.
restaurant

Download all attachments as: .zip

Change History (11)

by dafioram, 7 years ago

Attachment: titanic-win-1.005 added

restaurant

comment:1 by wjp, 7 years ago

Can't reproduce a crash here, but valgrind give somewhat randomly reproducible warnings:

==31679== Conditional jump or move depends on uninitialised value(s)
==31679==    at 0x6F7978: huffDescCompare (indeo.cpp:119)
==31679==    by 0x6F7978: Image::Indeo::IVIHuffTab::decodeHuffDesc(Image::Indeo::IVI45DecContext*, int, int) (indeo.cpp:155)
==31679==    by 0x6E179A: Image::Indeo4Decoder::decodePictureHeader() (indeo4.cpp:206)
==31679==    by 0x6FB0EC: Image::Indeo::IndeoDecoderBase::decodeIndeoFrame() (indeo.cpp:502)
==31679==    by 0x6E047C: Image::Indeo4Decoder::decodeFrame(Common::SeekableReadStream&) (indeo4.cpp:80)
==31679==    by 0x6C2392: Video::AVIDecoder::AVIVideoTrack::decodeFrame(Common::SeekableReadStream*) (avi_decoder.cpp:889)
==31679==    by 0x6C2921: Video::AVIDecoder::handleNextPacket(Video::AVIDecoder::TrackStatus&) (avi_decoder.cpp:538)
==31679==    by 0x6C29CF: Video::AVIDecoder::readNextPacket() (avi_decoder.cpp:445)
==31679==    by 0x6D11E1: Video::VideoDecoder::decodeNextFrame() (video_decoder.cpp:178)
==31679==    by 0x617185: Titanic::AVISurface::renderFrame() (avi_surface.cpp:377)
==31679==    by 0x5EA8EE: Titanic::OSMovie::handleEvents(Titanic::CMovieEventList&) (movie.cpp:163)
==31679==    by 0x5FEFF3: Titanic::CGameManager::updateMovies() (game_manager.cpp:236)
==31679==    by 0x5FF2F8: Titanic::CGameManager::update() (game_manager.cpp:167)
==31679==  Uninitialised value was created by a heap allocation
==31679==    at 0x4C2A610: operator new(unsigned long) (vg_replace_malloc.c:334)
==31679==    by 0x6D9279: Image::createBitmapCodec(unsigned int, int, int, int) (codec.cpp:216)
==31679==    by 0x6C1430: createCodec (avi_decoder.cpp:962)
==31679==    by 0x6C1430: Video::AVIDecoder::AVIVideoTrack::AVIVideoTrack(int, Video::AVIDecoder::AVIStreamHeader const&, Video::AVIDecoder::BitmapInfoHeader const&, unsigned char*) (avi_decoder.cpp:873)
==31679==    by 0x6C1CEE: Video::AVIDecoder::handleStreamHeader(unsigned int) (avi_decoder.cpp:297)
==31679==    by 0x6C1F44: Video::AVIDecoder::parseNextChunk() (avi_decoder.cpp:169)
==31679==    by 0x6C230F: Video::AVIDecoder::handleList(unsigned int) (avi_decoder.cpp:228)
==31679==    by 0x6C1FB4: Video::AVIDecoder::parseNextChunk() (avi_decoder.cpp:151)
==31679==    by 0x6C230F: Video::AVIDecoder::handleList(unsigned int) (avi_decoder.cpp:228)
==31679==    by 0x6C1FB4: Video::AVIDecoder::parseNextChunk() (avi_decoder.cpp:151)
==31679==    by 0x6C3197: Video::AVIDecoder::loadStream(Common::SeekableReadStream*) (avi_decoder.cpp:368)
==31679==    by 0x61658C: Titanic::AVISurface::AVISurface(Titanic::CResourceKey const&) (avi_surface.cpp:56)
==31679==    by 0x5EA67E: Titanic::OSMovie::OSMovie(Titanic::CResourceKey const&, Titanic::CVideoSurface*) (movie.cpp:85)
==31679==
==31823== Thread 4 SDLAudioDev1:
==31823== Use of uninitialised value of size 8
==31823==    at 0x59B3CCC: III_decode (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x59B5B2A: mad_layer_III (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x59AEBA6: mad_frame_decode (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x7AA960: Audio::BaseMP3Stream::decodeMP3Data(Common::ReadStream&) (mp3.cpp:166)
==31823==    by 0x7AACFA: Audio::BaseMP3Stream::fillBuffer(Common::ReadStream&, short*, int) (mp3.cpp:322)
==31823==    by 0x7C4C26: Audio::CopyRateConverter<false, false>::flow(Audio::AudioStream&, short*, unsigned int, unsigned short, unsigned short) (rate.cpp:315)
==31823==    by 0x7A4EE9: Audio::Channel::mix(short*, unsigned int) (mixer.cpp:621)
==31823==    by 0x7A4FFA: Audio::MixerImpl::mixCallback(unsigned char*, unsigned int) (mixer.cpp:293)
==31823==    by 0x4E4FC61: SDL_RunAudio (in /usr/lib64/libSDL2-2.0.so.0.4.1)
==31823==    by 0x4EAB25B: SDL_RunThread (in /usr/lib64/libSDL2-2.0.so.0.4.1)
==31823==    by 0x4EF5ED8: RunThread (in /usr/lib64/libSDL2-2.0.so.0.4.1)
==31823==    by 0x8FB7443: start_thread (in /lib64/libpthread-2.22.so)
==31823==  Uninitialised value was created by a heap allocation
==31823==    at 0x4C29FA0: malloc (vg_replace_malloc.c:299)
==31823==    by 0x59B5D12: mad_layer_III (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x59AEBA6: mad_frame_decode (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x7AA960: Audio::BaseMP3Stream::decodeMP3Data(Common::ReadStream&) (mp3.cpp:166)
==31823==    by 0x7AB390: Audio::MP3Stream::MP3Stream(Common::SeekableReadStream*, DisposeAfterUse::Flag) (mp3.cpp:359)
==31823==    by 0x7AB908: Audio::makeMP3Stream(Common::SeekableReadStream*, DisposeAfterUse::Flag) (mp3.cpp:534)
==31823==    by 0x7B1589: Audio::makeWAVStream(Common::SeekableReadStream*, DisposeAfterUse::Flag) (wave.cpp:208)
==31823==    by 0x5D9094: Titanic::CWaveFile::audioStream() (wave_file.cpp:183)
==31823==    by 0x612E9F: Titanic::QMixer::qsWaveMixPump() (qmixer.cpp:239)
==31823==    by 0x6132A2: Titanic::QMixer::qsWaveMixPlayEx(int, unsigned int, Titanic::CWaveFile*, int, Titanic::QMIXPLAYPARAMS const&) (qmixer.cpp:166)
==31823==    by 0x5D6F27: Titanic::QSoundManager::playWave(Titanic::CWaveFile*, int, unsigned int, Titanic::CProximity&) (sound_manager.cpp:426)
==31823==    by 0x5F47CA: Titanic::CTrueTalkManager::playSpeech(Titanic::TTtalker*, Titanic::TTroomScript*, Titanic::CViewItem*, bool) (true_talk_manager.cpp:536)
==31823==
==31823== Use of uninitialised value of size 8
==31823==    at 0x59B3D18: III_decode (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x59B5B2A: mad_layer_III (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x59AEBA6: mad_frame_decode (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x7AA960: Audio::BaseMP3Stream::decodeMP3Data(Common::ReadStream&) (mp3.cpp:166)
==31823==    by 0x7AACFA: Audio::BaseMP3Stream::fillBuffer(Common::ReadStream&, short*, int) (mp3.cpp:322)
==31823==    by 0x7C4C26: Audio::CopyRateConverter<false, false>::flow(Audio::AudioStream&, short*, unsigned int, unsigned short, unsigned short) (rate.cpp:315)
==31823==    by 0x7A4EE9: Audio::Channel::mix(short*, unsigned int) (mixer.cpp:621)
==31823==    by 0x7A4FFA: Audio::MixerImpl::mixCallback(unsigned char*, unsigned int) (mixer.cpp:293)
==31823==    by 0x4E4FC61: SDL_RunAudio (in /usr/lib64/libSDL2-2.0.so.0.4.1)
==31823==    by 0x4EAB25B: SDL_RunThread (in /usr/lib64/libSDL2-2.0.so.0.4.1)
==31823==    by 0x4EF5ED8: RunThread (in /usr/lib64/libSDL2-2.0.so.0.4.1)
==31823==    by 0x8FB7443: start_thread (in /lib64/libpthread-2.22.so)
==31823==  Uninitialised value was created by a heap allocation
==31823==    at 0x4C29FA0: malloc (vg_replace_malloc.c:299)
==31823==    by 0x59B5D12: mad_layer_III (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x59AEBA6: mad_frame_decode (in /usr/lib64/libmad.so.0.2.1)
==31823==    by 0x7AA960: Audio::BaseMP3Stream::decodeMP3Data(Common::ReadStream&) (mp3.cpp:166)
==31823==    by 0x7AB390: Audio::MP3Stream::MP3Stream(Common::SeekableReadStream*, DisposeAfterUse::Flag) (mp3.cpp:359)
==31823==    by 0x7AB908: Audio::makeMP3Stream(Common::SeekableReadStream*, DisposeAfterUse::Flag) (mp3.cpp:534)
==31823==    by 0x7B1589: Audio::makeWAVStream(Common::SeekableReadStream*, DisposeAfterUse::Flag) (wave.cpp:208)
==31823==    by 0x5D9094: Titanic::CWaveFile::audioStream() (wave_file.cpp:183)
==31823==    by 0x612E9F: Titanic::QMixer::qsWaveMixPump() (qmixer.cpp:239)
==31823==    by 0x6132A2: Titanic::QMixer::qsWaveMixPlayEx(int, unsigned int, Titanic::CWaveFile*, int, Titanic::QMIXPLAYPARAMS const&) (qmixer.cpp:166)
==31823==    by 0x5D6F27: Titanic::QSoundManager::playWave(Titanic::CWaveFile*, int, unsigned int, Titanic::CProximity&) (sound_manager.cpp:426)
==31823==    by 0x5F47CA: Titanic::CTrueTalkManager::playSpeech(Titanic::TTtalker*, Titanic::TTroomScript*, Titanic::CViewItem*, bool) (true_talk_manager.cpp:536)

comment:2 by dafioram, 7 years ago

Would it make sense to add asserts to this area of the code so we can see what exactly is getting tripped for me?

comment:3 by wjp, 7 years ago

First valgrind warning is probably caused by an uninitialized IVIHuffTab::_custDesc::_numRows.

comment:4 by dreammaster, 7 years ago

asserts may only be useful if we could first narrow down the crash to a specific point. wjp's work with Valgrind may be helpful. I've added in anitialisation of _numRows.. lets see if it makes any difference for you. Given that I too can't replicate a crash locally.

comment:5 by dafioram, 7 years ago

It still seg faults in the latest (411cc2c).

comment:6 by dafioram, 7 years ago

Thread 1 "scummvm2" received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) backtrace
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000007b6cf1 in Common::String::String (this=0x7ffffffb7950, 
    str=0x6767695720706948 <error: Cannot access memory at address 0x6767695720706948>) at common/str.cpp:43
#2  0x000000000045dd7f in Titanic::CString::CString (this=0x7ffffffb7950, 
    str=0x6767695720706948 <error: Cannot access memory at address 0x6767695720706948>) at ./engines/titanic/support/string.h:44
#3  0x00000000004e463d in Titanic::CMaitreDLegs::AnimateMaitreDMsg (
    this=0x1f5ca30, msg=0x7ffffffb7a30)
    at engines/titanic/game/maitred/maitred_legs.cpp:71
#4  0x0000000000500036 in Titanic::CMessage::perform (this=0x7ffffffb7a30, 
    treeItem=0x1f5ca30) at engines/titanic/messages/messages.cpp:105
#5  0x00000000004ffddb in Titanic::CMessage::execute (this=0x7ffffffb7a30, 
    target=0x1f5b270, classDef=0x0, flags=1)
    at engines/titanic/messages/messages.cpp:58
#6  0x0000000000511be7 in Titanic::CMaitreD::NPCPlayTalkingAnimationMsg (
    this=0x1f5b270, msg=0x7ffffffb7af0)
    at engines/titanic/npcs/maitre_d.cpp:168
#7  0x0000000000500036 in Titanic::CMessage::perform (this=0x7ffffffb7af0, 
    treeItem=0x1f5b270) at engines/titanic/messages/messages.cpp:105
#8  0x00000000004ffddb in Titanic::CMessage::execute (this=0x7ffffffb7af0, 
    target=0x1f5b270, classDef=0x0, flags=3)
    at engines/titanic/messages/messages.cpp:58
Last edited 7 years ago by wjp (previous) (diff)

comment:7 by dafioram, 7 years ago

Starting program: /home/ubuntu/ScummVM/Builds/variable/scummvm2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffebe2f700 (LWP 11260)]
[New Thread 0x7fffeb62e700 (LWP 11261)]
[New Thread 0x7fffd3dc5700 (LWP 11262)]
[New Thread 0x7fffcb5c2700 (LWP 11263)]
[New Thread 0x7fffcadc1700 (LWP 11264)]

Thread 1 "scummvm2" received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00000000007b6cf1 in Common::String::String (this=0x7ffffffb7c80,

str=0x6767695720706948 <error: Cannot access memory at address 0x6767695720706948>) at common/str.cpp:43

#2 0x000000000045dd7f in Titanic::CString::CString (this=0x7ffffffb7c80,

str=0x6767695720706948 <error: Cannot access memory at address 0x6767695720706948>) at ./engines/titanic/support/string.h:44

#3 0x00000000004e463d in Titanic::CMaitreDLegs::AnimateMaitreDMsg (this=0x1f5d7c0, msg=0x7ffffffb7d60)

at engines/titanic/game/maitred/maitred_legs.cpp:71

#4 0x0000000000500036 in Titanic::CMessage::perform (this=0x7ffffffb7d60, treeItem=0x1f5d7c0)

at engines/titanic/messages/messages.cpp:105

#5 0x00000000004ffddb in Titanic::CMessage::execute (this=0x7ffffffb7d60, target=0x1f5c000, classDef=0x0, flags=1)

at engines/titanic/messages/messages.cpp:58

#6 0x0000000000511be7 in Titanic::CMaitreD::NPCPlayTalkingAnimationMsg (this=0x1f5c000, msg=0x7ffffffb7e30)

at engines/titanic/npcs/maitre_d.cpp:168

#7 0x0000000000500036 in Titanic::CMessage::perform (this=0x7ffffffb7e30, treeItem=0x1f5c000)

at engines/titanic/messages/messages.cpp:105

#8 0x00000000004ffddb in Titanic::CMessage::execute (this=0x7ffffffb7e30, target=0x1f5c000, classDef=0x0, flags=3)

at engines/titanic/messages/messages.cpp:58

#9 0x000000000051c4cd in Titanic::CTrueTalkNPC::MovieEndMsg (this=0x1f5c000, msg=0x7ffffffb7f50)

at engines/titanic/npcs/true_talk_npc.cpp:160

#10 0x0000000000500036 in Titanic::CMessage::perform (this=0x7ffffffb7f50, treeItem=0x1f5c000)

at engines/titanic/messages/messages.cpp:105

#11 0x00000000004ffddb in Titanic::CMessage::execute (this=0x7ffffffb7f50, target=0x1f5c000, classDef=0x0, flags=3)

at engines/titanic/messages/messages.cpp:58

#12 0x0000000000583a64 in Titanic::CGameManager::updateMovies (this=0x1a8e280) at engines/titanic/game_manager.cpp:245
#13 0x000000000058362b in Titanic::CGameManager::update (this=0x1a8e280) at engines/titanic/game_manager.cpp:167
#14 0x0000000000587ded in Titanic::CMainGameWindow::mouseChanged (this=0x151af30) at engines/titanic/main_game_window.cpp:229
#15 0x0000000000587eef in Titanic::CMainGameWindow::mouseMove (this=0x151af30, mousePos=...) at engines/titanic/main_game_window.cpp:263
#16 0x0000000000582117 in Titanic::Events::pollEvents (this=0x1518d50) at engines/titanic/events.cpp:102
#17 0x0000000000582146 in Titanic::Events::pollEventsAndWait (this=0x1518d50) at engines/titanic/events.cpp:108
#18 0x000000000045d465 in Titanic::TitanicEngine::run (this=0x14d0f40) at engines/titanic/titanic.cpp:144
#19 0x000000000040e00e in runGame (plugin=0xce3e80, system=..., edebuglevels=...) at base/main.cpp:263
#20 0x000000000040f1d1 in scummvm_main (argc=1, argv=0x7fffffffdf38) at base/main.cpp:529
#21 0x000000000040c17e in main (argc=1, argv=0x7fffffffdf38) at backends/platform/sdl/posix/posix-main.cpp:45

Version 0, edited 7 years ago by dafioram (next)

comment:8 by wjp, 7 years ago

Thanks, that backtrace is very useful. This might now be fixed by 4c27396aaae3ee31849a2934ca932149414f1290.

comment:9 by dafioram, 7 years ago

Owner: set to wjp
Resolution: fixed
Status: newclosed

That did the trick.

comment:10 by dreammaster, 7 years ago

Excellent collaboration tracking down the bug guys. Well done :)

Note: See TracTickets for help on using tickets.