id: 10884
summary: SCI: ECO1: Mosaic puzzle crash (CD version)
reporter: sluicebox
owner: sluicebox
type: defect
status: closed
priority: normal
component: Engine: SCI
version:
resolution: fixed
keywords: original has-pull-request
cc:
game: EcoQuest 1

description:

The temple (room 140) has a complex script bug in the CD version which can crash the interpreter when solving the mosaic puzzle after loading a game that was saved during the puzzle. The bug causes invalid memory access which locks up Sierra's interpreter and can cause ScummVM to fail an assertion.

This is a script bug that puts the game in a state that's unsafe to save. When restoring and solving the puzzle the interpreter will attempt to use a stale hunk address from before the restore. For this bug to occur, the conch shell must still be on the pedestal in the center of the room.

To reproduce in Sierra's interpreter with attached save game:
1. Click Do on the mosaic to bring up the puzzle
2. Save the game
3. Load the new saved game
4. Solve the puzzle (manually or by clicking Help a lot)
5. The game will freeze

To reproduce in ScummVM with attached save game:
1. Enter temple
2. Click Do on the mosaic to bring up the puzzle
3. In the debugger type "send shell underBits" and record the result
4. Save the game
5. Load the new saved game
6. In the debugger type "send shell underBits" to see that the value hasn't changed
7. In the debugger type "segtable" and record the hunk segment
8. Solve the puzzle (manually or by clicking Help a lot)
9. If the hunk segment equals shell:underBits' segment then an assertion will fail, otherwise there will be a console warning such as "Attempt to free Hunk from address 002c:051e: Invalid segment type 9!"

To quickly test the script patch with attached save game:
1. Enter temple
2. Click Do on the mosaic to bring up the puzzle
3. In the debugger type "send shell underBits" to see that it is zero

The script patch fully disposes of shell's resources when the puzzle is displayed so that it's safe to save the game.
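
The stale-handle behaviour described in this ticket, as an added example that is not ScummVM or Sierra code: a simplified model of a typed segment table showing both outcomes from step 9 and the effect of disposing of the handle before a save is possible. The type names, the two segment ids and the offset are constructed, and the model assumes hunk allocations do not survive a restore while object properties do.

```cpp
#include <cstdint>
#include <map>
#include <set>

// Simplified model (not ScummVM code). Assumption: hunk allocations are not
// carried across a restore, while object properties are restored verbatim.
enum SegType { SEG_HUNK, SEG_OTHER };
enum Result { FREED, NOTHING_TO_FREE, INVALID_SEGMENT_TYPE, STALE_HUNK_ENTRY };

struct Handle {
    uint16_t seg = 0, off = 0;
    bool isNull() const { return seg == 0 && off == 0; }
};

struct Interp {
    std::map<uint16_t, SegType> segs;  // segment id -> type
    uint16_t hunkSeg = 0;
    std::set<uint16_t> liveHunks;      // offsets currently allocated
    Handle shellUnderBits;             // stand-in for shell:underBits

    // Constructed segment ids 0x2c and 0x2d; one of them is the hunk segment.
    explicit Interp(uint16_t hunkSegId) : hunkSeg(hunkSegId) {
        segs[0x2c] = segs[0x2d] = SEG_OTHER;
        segs[hunkSegId] = SEG_HUNK;
    }
    Handle allocHunk() {
        Handle h; h.seg = hunkSeg; h.off = 0x051e;  // constructed offset
        liveHunks.insert(h.off);
        return h;
    }
    Result freeHunk(Handle h) {
        auto it = segs.find(h.seg);
        if (it == segs.end() || it->second != SEG_HUNK) return INVALID_SEGMENT_TYPE;
        if (!liveHunks.erase(h.off)) return STALE_HUNK_ENTRY;  // assertion case
        return FREED;
    }
};

// Open the puzzle, save, restore into a fresh interpreter, then solve.
Result solveAfterRestore(bool patched, uint16_t hunkSegAfterRestore) {
    Interp before(0x2c);
    before.shellUnderBits = before.allocHunk();
    if (patched) {  // the patch's effect: dispose before a save can happen
        before.freeHunk(before.shellUnderBits);
        before.shellUnderBits = Handle();
    }
    Handle saved = before.shellUnderBits;   // what the save game records
    Interp after(hunkSegAfterRestore);      // hunk table starts empty
    after.shellUnderBits = saved;
    if (after.shellUnderBits.isNull()) return NOTHING_TO_FREE;
    return after.freeHunk(after.shellUnderBits);  // puzzle solved
}
```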