Opened 16 years ago

Closed 16 years ago

#1017 closed defect (fixed)

0.5.0 RC: INDY3EGA: Script crash in Berlin

Reported by: SF/dfabulich Owned by: fingolfin
Priority: blocker Component: Engine: SCUMM
Keywords: script Cc:
Game: Indiana Jones 3

Description

Go to Berlin to retrieve the Grail Diary. You'll see
the animation with Hitler, and then when we cut away to
the far away scene where you reacquire the book from
Elsa, you get a script crash... the debugger comes up
and the game doesn't continue. You get the following
error: "ERROR: Value 201 is out of bounds (0,1) in
script 5 (Illegal box 201)"

A save game is attached right before this animation.
Select the first conversation option and the guard will
let you through to Berlin. Note that it sometimes
takes a few tries to reproduce the bug using this saved
game, but I can almost always reproduce it within about
three attempts. If Elsa comes on screen, the bug has
not been reproduced; exit ScummVM and try again.

I'm playing on the Spanish EGA version, Win2K, ScummVM
0.5.0pre-cvs, Built on Jul 14 2003 03:24:03.

Ticket imported from: #770690. Ticket imported from: bugs/1017.

Attachments (3)

indy3ega.s01 (53.6 KB ) - added by SF/dfabulich 16 years ago.
Saved game right outside Berlin; choose conversation option 1
indy3ega_speedwalk.txt (6.3 KB ) - added by SF/dfabulich 16 years ago.
Speed walkthrough to Berlin... takes about half an hour
script-6.dmp (21 bytes ) - added by SF/dfabulich 16 years ago.
My Spanish EGA script 6 dump. Got "ERROR: Value 40 is out of bounds (0,1) in script 6 (Illegal box 40)"


Change History (33)

by SF/dfabulich, 16 years ago

Attachment: indy3ega.s01 added

Saved game right outside Berlin; choose conversation option 1

comment:1 by SF/quietust, 16 years ago

I had noticed the exact same thing last night with the
Amiga/English version with the early July 12 snapshot build,
but was unable to reproduce it.
I also noticed some intermittent glitchy behaviour when you
give Hitler something to sign. The first time I gave him the
pass, he just stood there for a moment and then walked
away; subsequent times, it'd show him signing it (as
expected).

comment:2 by fingolfin, 16 years ago

Can't use the attached save game w/o a spanish Indy3EGA

comment:3 by fingolfin, 16 years ago

Summary: INDY3EGA: (RC?) Script crash in Berlin → INDY3EGA: Script crash in Berlin

comment:4 by SF/quietust, 16 years ago

I've uploaded a savegame for the Amiga version, immediately
after arriving at Berlin (at the burning books).
Since I didn't post this bug, it won't let me attach the file, so
I've uploaded it at the following URL instead:

http://qmt.ath.cx/~quietust/scumm/berlin.zip

ScummVM 0.5.0pre-cvs Built on Jul 13 2003 20:50:42

comment:5 by SF/ender, 16 years ago

MEGA PRIORITY BOOOOOOOST POWER! YEAAAAAHAAAHHH!

.. ahem.

comment:6 by SF/ender, 16 years ago

Priority: normal → blocker
Summary: INDY3EGA: Script crash in Berlin → 0.5.0 RC: INDY3EGA: Script crash in Berlin

comment:7 by fingolfin, 16 years ago

Sadly I can't use that savegame either.

comment:8 by fingolfin, 16 years ago

Sadly I can't use that savegame either.

comment:9 by SF/quietust, 16 years ago

I'd offer to let you borrow my Amiga datafiles to resolve this
bug, but somehow I don't think that would be looked upon
favorably by the ScummVM team, LucasArts, and/or
SourceForge.

by SF/dfabulich, 16 years ago

Attachment: indy3ega_speedwalk.txt added

Speed walkthrough to Berlin... takes about half an hour

comment:10 by SF/dfabulich, 16 years ago

Looks like there's only one thing to be done: I've attached
a speed walkthrough to this bug. With liberal use of
Ctrl-F, you should be able to get there pretty quickly,
especially if you've ever beaten the game before and had
simply forgotten details.

Good luck!

comment:11 by fingolfin, 16 years ago

What's the status of this? The "crash" (i.e. call to error) should be
fixed as of a few days ago (or rather, worked around)...

comment:12 by SF/quietust, 16 years ago

ScummVM 0.5.0pre-cvs (Jul 20 2003 00:33:19)
Just tried it with the Amiga version of Indy3 and it's still
happening (but not always):

Value 253 is out of bounds (0,2) in script 6 (Illegal box 253)

comment:13 by fingolfin, 16 years ago

Actually that's a completely different kind of error - the first one
you reported was "normal", it's an "off-by-one" error we've seen
several times. The value here is way off (253, or -3). This would
hint at a script error.

Can you please post the full error? The cryptic numbers at the
start of the error message actually have a meaning and help in
tracking down the problem.
Furthermore, can you attach a dump of your script 6? To get one,
first create a directory called "dumps" in the same dir as
scummvm is in; then run scummvm with the -u option (e.g.:
./scummvm -u indy3ega)

That will put a file called script-6.dmp (besides others) into the
'dumps' directory. Please attach that file to this tracker item.

comment:14 by SF/quietust, 16 years ago

ScummVM 0.5.0pre-cvs (Jul 20 2003 00:33:19), Amiga version
of indy3ega

Took me about 3 tries to get it to work, but this time the
numbers were a bit different:

Value 207 is out of bounds (0,2) in script 6 (Illegal box 207)

Since I didn't post this bug, I can't attach the file; I've
uploaded script-6.dmp (21 bytes, seems a bit small...) at the
following URL:

http://qmt.ath.cx/~quietust/scumm/script6.zip

comment:15 by fingolfin, 16 years ago

You mean that's the complete error message? There is no
"ERROR:" first, and no other numbers?! That's extremely odd.

comment:16 by SF/quietust, 16 years ago

I had pasted the text being printed to my command prompt
(running under Windows 2000); the only difference between
that and the text being printed to the ScummVM error
console was the "ERROR: " at the beginning.

comment:17 by fingolfin, 16 years ago

That's odd. Normally all error messages in ScummVM look like this:

(19:381:0x259C): Invalid actor 46 in o5_getActorFacing

I.e. they start with a triplet of numbers inside parentheses. The
only case this doesn't happen is when the invocation occurs while
_currentScript == 255...

OK, can you please run the game with the "-d7" option, and log
the output. This will output a trace of instructions ScummVM
executes. Only the last couple lines before the crash are of
interest, those could be put into a comment to this tracker item.
Thanks!

comment:18 by SF/quietust, 16 years ago

After having some strange problems with that CVS build
(getting a segfault with debug output on and an assert in
boxes.cpp:375 otherwise), I downloaded the latest build from
the website - ScummVM 0.5.0pre-cvs (Jul 21 2003 02:04:07)

With -d7 output, these are the last 25 (the size of my
command window) lines visible:

Script 113, offset 0x29: [7A] o5_verbOps()
Script 113, offset 0x2d: [A8] o5_notEqualZero()
Script 113, offset 0x52: [A0] o5_stopObjectCode()
Script 6, offset 0x15: [A0] o5_stopObjectCode()
Script 117, offset 0x9a: [32] o5_setCameraAt()
Script 117, offset 0x9d: [5D] o5_setClass()
Script 117, offset 0xa4: [11] o5_animateActor()
Script 117, offset 0xa7: [5D] o5_setClass()
Script 117, offset 0xae: [5D] o5_setClass()
Script 117, offset 0xb5: [13] o5_actorSet()
Script 117, offset 0xbb: [2D] o5_putActorInRoom()
Script 117, offset 0xbe: [1] o5_putActor()
Script 117, offset 0xc4: [2D] o5_putActorInRoom()
Script 117, offset 0xc7: [1] o5_putActor()
loadResource(Costume,2)
Script 117, offset 0xcd: [2D] o5_putActorInRoom()
Script 117, offset 0xd0: [1] o5_putActor()
Script 117, offset 0xd6: [11] o5_animateActor()
Script 117, offset 0xd9: [11] o5_animateActor()
Script 117, offset 0xdc: [11] o5_animateActor()
Script 117, offset 0xdf: [11] o5_animateActor()
Script 117, offset 0xe2: [80] o5_breakHere()
Script 117, offset 0xe3: [1E] o5_walkActorTo()
Script 117, offset 0xe9: [3B] o5_getActorScale()
Value 152 is out of bounds (0,2) (Illegal box 152)

Strangely enough, now it isn't even telling me what the script
number is!

by SF/dfabulich, 16 years ago

Attachment: script-6.dmp added

My Spanish EGA script 6 dump. Got "ERROR: Value 40 is out of bounds (0,1) in script 6 (Illegal box 40)"

comment:19 by fingolfin, 16 years ago

It doesn't show the script number anymore because I removed
that, with good reasons: the error function will output the script
number anyway, *if* there is a current script. The script number
that the boxes check printed was actually a bogus random value,
derived from accessing an invalid location in the scripts array.

Anyway, this looks much better now. Can you again run the game
with the "-u" option. This time I need script 117 (or maybe if it's
not too big, just take all the scripts it dumps, and put them into a
single zip).

comment:20 by SF/quietust, 16 years ago

http://qmt.ath.cx/~quietust/scumm/indydump.zip

comment:21 by fingolfin, 16 years ago

OK, the output matches the scripts. That last o5_getActorScale()
actually corresponds to waitForActor(3) in Indy.
There is nothing in that opcode which directly could cause that
error. The fact that you get seemingly random values for the box
indicates that there is maybe an out-of-bounds access or so going
on (so valgrind might be useful)... a stack trace (to see what led
to that error) would definitely be very useful <sigh>

comment:22 by SF/quietust, 16 years ago

An out-of-bound access would be consistent with the fact
that sometimes the script crash is replaced by a segfault.
Instructions on how to produce a stack trace under win32
would be most useful - I have Visual C++ 6.0 if it is necessary
to recompile.

comment:23 by fingolfin, 16 years ago

I don't know anything about Visual C++ 6.0. Normally, what you
would have to do is to compile ScummVM using it, then set a
breakpoint in function error() (in common/engine.cpp). Dunno how
that is done in VC++, but there probably is some menu for it,
usually you have to open the source file, go to the line you want a
breakpoint in, then use some command to set a breakpoint there.
Next you have to run ScummVM in debug mode; in most IDEs
there is both a "Run" and a "Debug" menu command, but again, I
don't know VC++, so I can only guess...
If that worked, then next time you hit the error(), it should drop
you into the debugger, and there should be a stack trace visible
there - i.e. it should show you which function called error() (and in
which line of it), and which function called *that* etc.

comment:24 by SF/quietust, 16 years ago

Compiled a debug version from the 20030721 source snapshot
(CVS isn't working with pserver right now).

Script execution log (last 25 entries):
Script 113, offset 0x29: [7A] o5_verbOps()
Script 113, offset 0x2d: [A8] o5_notEqualZero()
Script 113, offset 0x52: [A0] o5_stopObjectCode()
Script 6, offset 0x15: [A0] o5_stopObjectCode()
Script 117, offset 0x9a: [32] o5_setCameraAt()
Script 117, offset 0x9d: [5D] o5_setClass()
Script 117, offset 0xa4: [11] o5_animateActor()
Script 117, offset 0xa7: [5D] o5_setClass()
Script 117, offset 0xae: [5D] o5_setClass()
Script 117, offset 0xb5: [13] o5_actorSet()
Script 117, offset 0xbb: [2D] o5_putActorInRoom()
Script 117, offset 0xbe: [1] o5_putActor()
Script 117, offset 0xc4: [2D] o5_putActorInRoom()
Script 117, offset 0xc7: [1] o5_putActor()
loadResource(Costume,2)
Script 117, offset 0xcd: [2D] o5_putActorInRoom()
Script 117, offset 0xd0: [1] o5_putActor()
Script 117, offset 0xd6: [11] o5_animateActor()
Script 117, offset 0xd9: [11] o5_animateActor()
Script 117, offset 0xdc: [11] o5_animateActor()
Script 117, offset 0xdf: [11] o5_animateActor()
Script 117, offset 0xe2: [80] o5_breakHere()
Script 117, offset 0xe3: [1E] o5_walkActorTo()
Script 117, offset 0xe9: [3B] o5_getActorScale()
Value 128 is out of bounds (0,2) (Illegal box 128)

Stack trace (immediately before the above error message was
printed):
error(const char * 0x005fdd74 `string') line 164
checkRange(int 2, int 0, int 128, const char * 0x00611e54
`string') line 2399
Scumm::getBoxBaseAddr(int 128) line 293 + 24 bytes
Scumm::getBoxFlags(int 128) line 123 + 12 bytes
Actor::walkActorOld() line 1420 + 15 bytes
Scumm::walkActors() line 794
Scumm::scummLoop(int 6) line 1307
Scumm::mainRun() line 1098 + 12 bytes
Scumm::go() line 748
main(int 2, char * * 0x00b42dd0) line 230 + 19 bytes
mainCRTStartup() line 206 + 25 bytes
KERNEL32! 7c4e87f5()

comment:25 by SF/quietust, 16 years ago

Savegames for the PC version of indy3ega and indy3[vga] are
attached to defect #774783 - "INDY3EGA - problems in Berlin
with Hitler" - I can only seem to get the crash to happen in
the EGA version.

comment:26 by fingolfin, 16 years ago

Owner: set to fingolfin

comment:27 by fingolfin, 16 years ago

That stacktrace looks promising. If it's correct, that would indicate
that getPathToDestBox() returns a bogus value. To this end it
would be interesting to know what the values of walkbox,
walkdata.destbox were. To find out, you could insert this into
actor.cpp, after line 1411 (which contains the call to
getPathToDestBox):

printf("walkbox = %d, walkdata.destbox = %d, next_box = %d\n", walkbox, walkdata.destbox, next_box);

Then recompile, and tell me what it prints just before the crash.

In the meantime, I'll try your new savegames. Thanks for your
help :-)

comment:28 by fingolfin, 16 years ago

The problem seems to be a bug (?) in the datafiles. In particular,
the boxmatrix is incomplete (I verified that this is a problem in
the datafile itself, not just a case of ScummVM not reading it
completely). In particular, the room (room resource 46) where
you meet Hitler and where the crash occurs contains 2 boxes. One
is the "main" box, and one is small and is the one Hitler walks in.

Now, the boxmatrix only consists of these 4 bytes:
00 00 00 ff
This is a valid matrix for a room with only 1 box. But for a room
with 2 boxes, it's bogus. ScummVM will read *past* it, into
random memory. The reason it seemed to work in the original is
(once more) only due to the fact that the memory following the
box data isn't random there, rather the rest of the data file
follows. Thus no problem occurs.

I'll see what I can do...
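
The following is an added illustration of the defensive check that the diagnosis above calls for; it is not ScummVM code. It assumes the classic row layout for the box matrix (one row per box, each row a list of (from, to, dest) byte triplets ended by 0xFF), under which "00 00 00 ff" is a complete matrix for exactly one box, and shows a lookup that refuses a matrix with fewer rows than the room has boxes instead of reading past the resource.

```cpp
#include <cstddef>
#include <cstdint>

// Assumed layout (not stated in the ticket beyond the 1-box case):
// one row per box, each row = (from, to, dest) triplets, then 0xFF.
static const uint8_t kRowEnd = 0xFF;

// Constructed samples, not taken from any datafile.
static const uint8_t kOneBoxMatrix[] = {0x00, 0x00, 0x00, 0xFF};  // what comment 28 found
static const uint8_t kTwoBoxMatrix[] = {0, 0, 0, 1, 1, 1, 0xFF,   // row for box 0
                                        0, 0, 0, 1, 1, 1, 0xFF};  // row for box 1

// Count complete rows that fit in `len` bytes, never reading past them.
size_t countBoxMatrixRows(const uint8_t *m, size_t len) {
    size_t rows = 0, i = 0;
    while (i < len) {
        if (m[i] == kRowEnd) { rows++; i++; continue; }
        if (i + 3 > len) break;  // truncated triplet: stop, don't overrun
        i += 3;
    }
    return rows;
}

// A matrix is usable only if it has at least one row per box in the room.
bool boxMatrixIsComplete(const uint8_t *m, size_t len, int numBoxes) {
    return numBoxes >= 0 && countBoxMatrixRows(m, len) >= (size_t)numBoxes;
}

// Bounds-checked next-box lookup. Returns -1 for an incomplete matrix,
// out-of-range box numbers, or a missing route; the unchecked walk in the
// stack trace above would instead keep reading into whatever follows.
int getPathToDestBoxChecked(const uint8_t *m, size_t len, int numBoxes,
                            int from, int to) {
    if (!boxMatrixIsComplete(m, len, numBoxes) ||
        from < 0 || from >= numBoxes || to < 0 || to >= numBoxes)
        return -1;
    size_t i = 0;
    for (int row = 0; row < from; row++) {  // skip the rows of earlier boxes
        while (m[i] != kRowEnd) i += 3;     // in bounds: row verified above
        i++;
    }
    while (m[i] != kRowEnd) {
        if (m[i] <= to && m[i + 1] >= to) return m[i + 2];
        i += 3;
    }
    return -1;
}
```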

comment:29 by fingolfin, 16 years ago

Resolution: fixed
Status: new → closed

comment:30 by fingolfin, 16 years ago

Fixed in CVS. Works great for me now. You may have to wait
some time till the public CVS has the changes; but tomorrow's
source tarball or the daily build should have the fix.
