Opened 17 years ago

Closed 17 years ago

#1017 closed defect (fixed)

0.5.0 RC: INDY3EGA: Script crash in Berlin

Reported by: SF/dfabulich
Owned by: fingolfin
Priority: blocker
Component: Engine: SCUMM
Keywords: script
Cc:
Game: Indiana Jones 3

Description

Go to Berlin to retrieve the Grail Diary. You'll see the animation with Hitler, and then when we cut away to the far away scene where you reacquire the book from Elsa, you get a script crash... the debugger comes up and the game doesn't continue. You get the following error: "ERROR: Value 201 is out of bounds (0,1) in script 5 (Illegal box 201)"

A save game is attached right before this animation. Select the first conversation option and the guard will let you through to Berlin. Note that it sometimes takes a few tries to reproduce the bug using this saved game, but I can almost always reproduce it within about three attempts. If Elsa comes on screen, the bug has not been reproduced; exit ScummVM and try again.

I'm playing on the Spanish EGA version, Win2K, ScummVM 0.5.0pre-cvs, Built on Jul 14 2003 03:24:03.

Ticket imported from: #770690. Ticket imported from: bugs/1017.

Attachments (3)

indy3ega.s01 (53.6 KB ) - added by SF/dfabulich 17 years ago.
Saved game right outside Berlin; choose conversation option 1
indy3ega_speedwalk.txt (6.3 KB ) - added by SF/dfabulich 17 years ago.
Speed walkthrough to Berlin... takes about half an hour
script-6.dmp (21 bytes ) - added by SF/dfabulich 17 years ago.
My Spanish EGA script 6 dump. Got "ERROR: Value 40 is out of bounds (0,1) in script 6 (Illegal box 40)"


Change History (33)

by SF/dfabulich, 17 years ago

Attachment: indy3ega.s01 added

Saved game right outside Berlin; choose conversation option 1

comment:1 by SF/quietust, 17 years ago

I had noticed the exact same thing last night with the Amiga/English version with the early July 12 snapshot build, but was unable to reproduce it. I also noticed some intermittent glitchy behaviour when you give Hitler something to sign. The first time I gave him the pass, he just stood there for a moment and then walked away; subsequent times, it'd show him signing it (as expected).

comment:2 by fingolfin, 17 years ago

Can't use the attached save game w/o a Spanish Indy3EGA.

comment:3 by fingolfin, 17 years ago

Summary: INDY3EGA: (RC?) Script crash in Berlin → INDY3EGA: Script crash in Berlin

comment:4 by SF/quietust, 17 years ago

I've uploaded a savegame for the Amiga version, immediately after arriving at Berlin (at the burning books). Since I didn't post this bug, it won't let me attach the file, so I've uploaded it at the following URL instead:

http://qmt.ath.cx/~quietust/scumm/berlin.zip

ScummVM 0.5.0pre-cvs Built on Jul 13 2003 20:50:42

comment:5 by SF/ender, 17 years ago

MEGA PRIORITY BOOOOOOOST POWER! YEAAAAAHAAAHHH!

.. ahem.

comment:6 by SF/ender, 17 years ago

Priority: normal → blocker
Summary: INDY3EGA: Script crash in Berlin → 0.5.0 RC: INDY3EGA: Script crash in Berlin

comment:7 by fingolfin, 17 years ago

Sadly I can't use that savegame either.

comment:8 by fingolfin, 17 years ago

Sadly I can't use that savegame either.

comment:9 by SF/quietust, 17 years ago

I'd offer to let you borrow my Amiga datafiles to resolve this bug, but somehow I don't think that would be looked upon favorably by the ScummVM team, LucasArts, and/or SourceForge.

by SF/dfabulich, 17 years ago

Attachment: indy3ega_speedwalk.txt added

Speed walkthrough to Berlin... takes about half an hour

comment:10 by SF/dfabulich, 17 years ago

Looks like there's only one thing to be done: I've attached a speed walkthrough to this bug. With liberal use of Ctrl-F, you should be able to get there pretty quickly, especially if you've ever beaten the game before and had simply forgotten details.

Good luck!

comment:11 by fingolfin, 17 years ago

What's the status of this? The "crash" (i.e. call to error) should be fixed as of a few days ago (or rather, worked around)...

comment:12 by SF/quietust, 17 years ago

ScummVM 0.5.0pre-cvs (Jul 20 2003 00:33:19)

Just tried it with the Amiga version of Indy3 and it's still happening (but not always):

Value 253 is out of bounds (0,2) in script 6 (Illegal box 253)

comment:13 by fingolfin, 17 years ago

Actually that's a completely different kind of error - the first one you reported was "normal", it's an "off-by-one" error we've seen several times. The value here is way off (253, or -3). This would hint at a script error.

Can you please post the full error? The cryptic numbers at the start of the error message actually have a meaning and help in tracking down the problem. Furthermore, can you attach a dump of your script 6? To get one, first create a directory called "dumps" in the same dir as scummvm is in; then run scummvm with the -u option (e.g.: ./scummvm -u indy3ega).

That will put a file called script-6.dmp (besides others) into the 'dumps' directory. Please attach that file to this tracker item.

comment:14 by SF/quietust, 17 years ago

ScummVM 0.5.0pre-cvs (Jul 20 2003 00:33:19), Amiga version of indy3ega

Took me about 3 tries to get it to work, but this time the numbers were a bit different:

Value 207 is out of bounds (0,2) in script 6 (Illegal box 207)

Since I didn't post this bug, I can't attach the file; I've uploaded script-6.dmp (21 bytes, seems a bit small...) at the following URL:

http://qmt.ath.cx/~quietust/scumm/script6.zip

comment:15 by fingolfin, 17 years ago

You mean that's the complete error message? There is no "ERROR:" first, and no other numbers?! That's extremely odd.

comment:16 by SF/quietust, 17 years ago

I had pasted the text being printed to my command prompt (running under Windows 2000); the only difference between that and the text being printed to the ScummVM error console was the "ERROR: " at the beginning.

comment:17 by fingolfin, 17 years ago

That's odd. Normally all error messages in ScummVM look like this:

(19:381:0x259C): Invalid actor 46 in o5_getActorFacing

I.e. they start with a triplet of numbers inside parentheses. The only case this doesn't happen is when the invocation occurs while _currentScript == 255...

OK, can you please run the game with the "-d7" option, and log the output. This will output a trace of instructions ScummVM executes. Only the last couple lines before the crash are of interest, those could be put into a comment to this tracker item. Thanks!

comment:18 by SF/quietust, 17 years ago

After having some strange problems with that CVS build (getting a segfault with debug output on and an assert in boxes.cpp:375 otherwise), I downloaded the latest build from the website - ScummVM 0.5.0pre-cvs (Jul 21 2003 02:04:07)

With -d7 output, these are the last 25 (the size of my command window) lines visible:

Script 113, offset 0x29: [7A] o5_verbOps()
Script 113, offset 0x2d: [A8] o5_notEqualZero()
Script 113, offset 0x52: [A0] o5_stopObjectCode()
Script 6, offset 0x15: [A0] o5_stopObjectCode()
Script 117, offset 0x9a: [32] o5_setCameraAt()
Script 117, offset 0x9d: [5D] o5_setClass()
Script 117, offset 0xa4: [11] o5_animateActor()
Script 117, offset 0xa7: [5D] o5_setClass()
Script 117, offset 0xae: [5D] o5_setClass()
Script 117, offset 0xb5: [13] o5_actorSet()
Script 117, offset 0xbb: [2D] o5_putActorInRoom()
Script 117, offset 0xbe: [1] o5_putActor()
Script 117, offset 0xc4: [2D] o5_putActorInRoom()
Script 117, offset 0xc7: [1] o5_putActor()
loadResource(Costume,2)
Script 117, offset 0xcd: [2D] o5_putActorInRoom()
Script 117, offset 0xd0: [1] o5_putActor()
Script 117, offset 0xd6: [11] o5_animateActor()
Script 117, offset 0xd9: [11] o5_animateActor()
Script 117, offset 0xdc: [11] o5_animateActor()
Script 117, offset 0xdf: [11] o5_animateActor()
Script 117, offset 0xe2: [80] o5_breakHere()
Script 117, offset 0xe3: [1E] o5_walkActorTo()
Script 117, offset 0xe9: [3B] o5_getActorScale()
Value 152 is out of bounds (0,2) (Illegal box 152)

Strangely enough, now it isn't even telling me what the script number is!

by SF/dfabulich, 17 years ago

Attachment: script-6.dmp added

My Spanish EGA script 6 dump. Got "ERROR: Value 40 is out of bounds (0,1) in script 6 (Illegal box 40)"

comment:19 by fingolfin, 17 years ago

It doesn't show the script number anymore because I removed that, with good reasons: the error function will output the script number anyway, *if* there is a current script. The script number that the boxes check printed was actually a bogus random value, derived from accessing an invalid location in the scripts array.

Anyway, this looks much better now. Can you again run the game with the "-u" option? This time I need script 117 (or maybe, if it's not too big, just take all the scripts it dumps and put them into a single zip).

comment:20 by SF/quietust, 17 years ago

http://qmt.ath.cx/~quietust/scumm/indydump.zip

comment:21 by fingolfin, 17 years ago

OK, the output matches the scripts. That last o5_getActorScale() actually corresponds to waitForActor(3) in Indy. There is nothing in that opcode which directly could cause that error. The fact that you get seemingly random values for the box indicates that there is maybe an out-of-bounds access or so going on (so valgrind might be useful)... a stack trace (to see what led to that error) would definitely be very useful <sigh>

comment:22 by SF/quietust, 17 years ago

An out-of-bound access would be consistent with the fact that sometimes the script crash is replaced by a segfault. Instructions on how to produce a stack trace under win32 would be most useful - I have Visual C++ 6.0 if it is necessary to recompile.

comment:23 by fingolfin, 17 years ago

I don't know anything about Visual C++ 6.0. Normally, what you would have to do is to compile ScummVM using it, then set a breakpoint in function error() (in common/engine.cpp). Dunno how that is done in VC++, but there probably is some menu for it; usually you have to open the source file, go to the line you want a breakpoint in, then use some command to set a breakpoint there. Next you have to run ScummVM in debug mode; in most IDEs there is both a "Run" and a "Debug" menu command, but again, I don't know VC++, so I can only guess... If that worked, then next time you hit the error(), it should drop you into the debugger, and there should be a stack trace visible there - i.e. it should show you which function called error() (and in which line of it), and which function called *that* etc.

comment:24 by SF/quietust, 17 years ago

Compiled a debug version from the 20030721 source snapshot (CVS isn't working with pserver right now).

Script execution log (last 25 entries):

Script 113, offset 0x29: [7A] o5_verbOps()
Script 113, offset 0x2d: [A8] o5_notEqualZero()
Script 113, offset 0x52: [A0] o5_stopObjectCode()
Script 6, offset 0x15: [A0] o5_stopObjectCode()
Script 117, offset 0x9a: [32] o5_setCameraAt()
Script 117, offset 0x9d: [5D] o5_setClass()
Script 117, offset 0xa4: [11] o5_animateActor()
Script 117, offset 0xa7: [5D] o5_setClass()
Script 117, offset 0xae: [5D] o5_setClass()
Script 117, offset 0xb5: [13] o5_actorSet()
Script 117, offset 0xbb: [2D] o5_putActorInRoom()
Script 117, offset 0xbe: [1] o5_putActor()
Script 117, offset 0xc4: [2D] o5_putActorInRoom()
Script 117, offset 0xc7: [1] o5_putActor()
loadResource(Costume,2)
Script 117, offset 0xcd: [2D] o5_putActorInRoom()
Script 117, offset 0xd0: [1] o5_putActor()
Script 117, offset 0xd6: [11] o5_animateActor()
Script 117, offset 0xd9: [11] o5_animateActor()
Script 117, offset 0xdc: [11] o5_animateActor()
Script 117, offset 0xdf: [11] o5_animateActor()
Script 117, offset 0xe2: [80] o5_breakHere()
Script 117, offset 0xe3: [1E] o5_walkActorTo()
Script 117, offset 0xe9: [3B] o5_getActorScale()
Value 128 is out of bounds (0,2) (Illegal box 128)

Stack trace (immediately before the above error message was printed):

error(const char * 0x005fdd74 `string') line 164
checkRange(int 2, int 0, int 128, const char * 0x00611e54 `string') line 2399
Scumm::getBoxBaseAddr(int 128) line 293 + 24 bytes
Scumm::getBoxFlags(int 128) line 123 + 12 bytes
Actor::walkActorOld() line 1420 + 15 bytes
Scumm::walkActors() line 794
Scumm::scummLoop(int 6) line 1307
Scumm::mainRun() line 1098 + 12 bytes
Scumm::go() line 748
main(int 2, char * * 0x00b42dd0) line 230 + 19 bytes
mainCRTStartup() line 206 + 25 bytes
KERNEL32! 7c4e87f5()

comment:25 by SF/quietust, 17 years ago

Savegames for the PC version of indy3ega and indy3[vga] are attached to defect #774783 - "INDY3EGA - problems in Berlin with Hitler" - I can only seem to get the crash to happen in the EGA version.

comment:26 by fingolfin, 17 years ago

Owner: set to fingolfin

comment:27 by fingolfin, 17 years ago

That stacktrace looks promising. If it's correct, that would indicate that getPathToDestBox() returns a bogus value. To this end it would be interesting to know what the values of walkbox, walkdata.destbox were. To find out, you could insert this into actor.cpp, after line 1411 (which contains the call to getPathToDestBox):

printf("walkbox = %d, walkdata.destbox = %d, next_box = %d\n", walkbox, walkdata.destbox, next_box);

Then recompile, and tell me what it prints just before the crash.

In the meantime, I'll try your new savegames. Thanks for your help :-)

comment:28 by fingolfin, 17 years ago

The problem seems to be a bug (?) in the datafiles. In particular, the boxmatrix is incomplete (I verified that this is a problem in the datafile itself, not just a case of ScummVM not reading it completely). In particular, the room (room resource 46) where you meet Hitler and where the crash occurs contains 2 boxes. One is the "main" box, and one is small and is the one Hitler walks in.

Now, the boxmatrix only consists of these 4 bytes: 00 00 00 ff. This is a valid matrix for a room with only 1 box. But for a room with 2 boxes, it's bogus. ScummVM will read *past* it, into random memory. The reason it seemed to work in the original is (once more) only due to the fact that the memory following the box data isn't random there; rather, the rest of the data file follows. Thus no problem occurs.

I'll see what I can do...

comment:29 by fingolfin, 17 years ago

Resolution: fixed
Status: new → closed

comment:30 by fingolfin, 17 years ago

Fixed in CVS. Works great for me now. You may have to wait some time till the public CVS has the changes; but tomorrow's source tarball or the daily build should have the fix.
