#12739 closed defect (fixed)

AGS: Segfault on Urban Witch Story

Reported by: Thunderforge
Owned by: dreammaster
Priority: normal
Component: Engine: AGS
Version:
Keywords: urbanwitchstory
Cc:
Game:

Description (last modified by Thunderforge)

A segfault happens consistently with Urban Witch Story.

Reproduction Steps

  1. Start a new game
  2. Go through the opening sequence by clicking through all the dialogue (fastest resolution is to choose "Is there anything else inside the house?" followed by "I don't want to waste your time")
  3. After being shown the controls for left-click and right-click, click on the police car
  4. Jackson will ask if everything is okay and then ScummVM will crash with a segfault

Crash Report

Process:               scummvm [98050]
Path:                  /Applications/ScummVM.app/Contents/MacOS/scummvm
Identifier:            org.scummvm.scummvm
Version:               2.3.0git (2.3.0git)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           scummvm [98050]
User ID:               502

Date/Time:             2021-07-15 21:38:30.973 -0500
OS Version:            macOS 11.4 (20F71)
Report Version:        12
Anonymous UUID:        0AA5D204-3785-7750-75EA-380129269336

Sleep/Wake UUID:       D8B221B7-F5AD-46D6-96A2-67A46005F199

Time Awake Since Boot: 360000 seconds
Time Since Wake:       930 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00007febae774000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [98050]

VM Regions Near 0x7febae774000:
    MALLOC_LARGE             7febae729000-7febae774000 [  300K] rw-/rwx SM=PRV  
--> 
    STACK GUARD              7ffeea573000-7ffeedd73000 [ 56.0M] ---/rwx SM=NUL  stack guard for thread 0

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   org.scummvm.scummvm           	0x0000000101a3d52e AGS3::BITMAP::getColor(unsigned char const*, unsigned char) const + 110
1   org.scummvm.scummvm           	0x0000000101a3d07a 0x10168d000 + 3866746
2   org.scummvm.scummvm           	0x0000000101a39ac9 0x10168d000 + 3853001
3   org.scummvm.scummvm           	0x0000000101a77979 0x10168d000 + 4106617
4   org.scummvm.scummvm           	0x0000000101ac3bcf 0x10168d000 + 4418511
5   org.scummvm.scummvm           	0x0000000101ac2a4a 0x10168d000 + 4414026
6   org.scummvm.scummvm           	0x0000000101ac0d07 0x10168d000 + 4406535
7   org.scummvm.scummvm           	0x0000000101ac4e85 0x10168d000 + 4423301
8   org.scummvm.scummvm           	0x0000000101bded30 0x10168d000 + 5578032
9   org.scummvm.scummvm           	0x0000000101bde9c7 0x10168d000 + 5577159
10  org.scummvm.scummvm           	0x0000000101bde487 0x10168d000 + 5575815
11  org.scummvm.scummvm           	0x0000000101bde170 0x10168d000 + 5575024
12  org.scummvm.scummvm           	0x0000000101bdeec9 0x10168d000 + 5578441
13  org.scummvm.scummvm           	0x0000000101bde9c7 0x10168d000 + 5577159
14  org.scummvm.scummvm           	0x0000000101ae1da8 0x10168d000 + 4541864
15  org.scummvm.scummvm           	0x0000000101bdbcc0 0x10168d000 + 5565632
16  org.scummvm.scummvm           	0x0000000101bde153 0x10168d000 + 5574995
17  org.scummvm.scummvm           	0x0000000101bddbd8 0x10168d000 + 5573592
18  org.scummvm.scummvm           	0x0000000101ae239f 0x10168d000 + 4543391
19  org.scummvm.scummvm           	0x0000000101ae34d5 0x10168d000 + 4547797
20  org.scummvm.scummvm           	0x0000000101ae3593 0x10168d000 + 4547987
21  org.scummvm.scummvm           	0x0000000101bc06c8 0x10168d000 + 5453512
22  org.scummvm.scummvm           	0x0000000101bbfe7e 0x10168d000 + 5451390
23  org.scummvm.scummvm           	0x0000000101bc0e2f 0x10168d000 + 5455407
24  org.scummvm.scummvm           	0x0000000101bc0d83 0x10168d000 + 5455235
25  org.scummvm.scummvm           	0x0000000101bc2282 0x10168d000 + 5460610
26  org.scummvm.scummvm           	0x0000000101bb99fa 0x10168d000 + 5425658
27  org.scummvm.scummvm           	0x0000000101a1c6b5 0x10168d000 + 3733173
28  org.scummvm.scummvm           	0x00000001016c15ef 0x10168d000 + 214511
29  org.scummvm.scummvm           	0x00000001016bf594 0x10168d000 + 206228
30  org.scummvm.scummvm           	0x00000001016bbb10 0x10168d000 + 191248
31  libdyld.dylib                 	0x00007fff20331f5d start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x00007febae774000  rbx: 0x00000000ffffffff  rcx: 0x0000000000000003  rdx: 0x0000000000000004
  rdi: 0x00007febaa1bce68  rsi: 0x00007febae774000  rbp: 0x00007ffeee56efb0  rsp: 0x00007ffeee56ef90
   r8: 0x0000000000000004   r9: 0x00007ffeee56f000  r10: 0x00000000ffffffff  r11: 0x0000000000000001
  r12: 0xf11ceef51e2f00ad  r13: 0x000000000000000c  r14: 0x00007febad185000  r15: 0x00000001061a7800
  rip: 0x0000000101a3d52e  rfl: 0x0000000000210246  cr2: 0x00007febae774000
  
Logical CPU:     2
Error Code:      0x00000004 (no mapping for user data read)
Trap Number:     14

Thread 0 instruction stream:
  
Thread 0 last branch register state not available.

Versions

ScummVM Mac x64: gacf0b1fbcf 2021-07-13
Operating System: macOS 11.4

Change History (5)

comment:1 by Thunderforge, 10 months ago

Description: modified (diff)

comment:2 by Thunderforge, 10 months ago

Description: modified (diff)

comment:3 by digitall, 10 months ago

No crash on x86_64, but there are clear invalid accesses if run with valgrind including one in the getColor function indicated. Trace follows:

==24271== Syscall param write(buf) points to uninitialised byte(s)
==24271== at 0x79EF6CF: write (in /lib64/libc-2.33.so)
==24271== by 0x7981D14: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.33.so)
==24271== by 0x79810A5: new_do_write (in /lib64/libc-2.33.so)
==24271== by 0x798240D: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.33.so)
==24271== by 0x797703C: fwrite (in /lib64/libc-2.33.so)
==24271== by 0x3AF4162: StdioStream::write(void const*, unsigned int) (stdiostream.cpp:111)
==24271== by 0x3A9E4DC: Common::OutSaveFile::write(void const*, unsigned int) (savefile.cpp:52)
==24271== by 0xCA2C02: AGS3::AGS::Shared::FileStream::Close() (file_stream.cpp:52)
==24271== by 0xCA2AF9: AGS3::AGS::Shared::FileStream::~FileStream() (file_stream.cpp:43)
==24271== by 0xCA2B31: AGS3::AGS::Shared::FileStream::~FileStream() (file_stream.cpp:44)
==24271== by 0xCC9069: Common::DefaultDeleter<AGS3::AGS::Shared::Stream>::operator()(AGS3::AGS::Shared::Stream*) (ptr.h:383)
==24271== by 0xCC84AE: Common::ScopedPtr<AGS3::AGS::Shared::Stream, Common::DefaultDeleter<AGS3::AGS::Shared::Stream> >::~ScopedPtr() (ptr.h:406)
==24271== Address 0x1b668439 is 72,857 bytes inside a block of size 1,085,440 alloc'd
==24271== at 0x6DE27E5: malloc (vg_replace_malloc.c:380)
==24271== by 0x995283: Common::MemoryWriteStreamDynamic::ensureCapacity(unsigned int) (memstream.h:196)
==24271== by 0x995450: Common::MemoryWriteStreamDynamic::write(void const*, unsigned int) (memstream.h:216)
==24271== by 0xCA307B: AGS3::AGS::Shared::FileStream::Write(void const*, unsigned long) (file_stream.cpp:135)
==24271== by 0xD65A9F: AGS3::ManagedObjectPool::WriteToDisk(AGS3::AGS::Shared::Stream*) (managed_object_pool.cpp:272)
==24271== by 0xD63EFE: AGS3::ccSerializeAllObjects(AGS3::AGS::Shared::Stream*) (cc_dynamic_object.cpp:86)
==24271== by 0xD78568: AGS3::AGS::Engine::SavegameComponents::WriteManagedPool(AGS3::AGS::Shared::Stream*) (savegame_components.cpp:971)
==24271== by 0xD792FF: AGS3::AGS::Engine::SavegameComponents::WriteComponent(AGS3::AGS::Shared::Stream*, AGS3::AGS::Engine::SavegameComponents::ComponentHandler&) (savegame_components.cpp:1237)
==24271== by 0xD7948F: AGS3::AGS::Engine::SavegameComponents::WriteAllCommon(AGS3::AGS::Shared::Stream*) (savegame_components.cpp:1250)
==24271== by 0xD72B16: AGS3::AGS::Engine::SaveGameState(AGS3::AGS::Shared::Stream*) (savegame.cpp:754)
==24271== by 0xD1341B: AGS3::save_game(int, char const*) (game.cpp:928)
==24271== by 0xD26F58: AGS3::SetRestartPoint() (global_game.cpp:381)
==24271==
==24271== Invalid read of size 4
==24271== at 0xCBC857: AGS3::BITMAP::getColor(unsigned char const*, unsigned char) const (surface.h:271)
==24271== by 0xCBABAD: AGS3::BITMAP::draw(AGS3::BITMAP const*, Common::Rect const&, int, int, bool, bool, bool, int, int, int, int) (surface.cpp:179)
==24271== by 0xCB7A55: AGS3::blit(AGS3::BITMAP const*, AGS3::BITMAP*, int, int, int, int, int, int) (gfx.cpp:107)
==24271== by 0xCE5852: AGS3::AGS::Shared::Bitmap::Blit(AGS3::AGS::Shared::Bitmap*, int, int, int, int, int, int, AGS3::AGS::Shared::BitmapMaskOption) (allegro_bitmap.cpp:192)
==24271== by 0xE23641: AGS3::DialogOptions::Redraw() (dialog.cpp:779)
==24271== by 0xE2240C: AGS3::DialogOptions::Show() (dialog.cpp:596)
==24271== by 0xE2459F: AGS3::show_dialog_options(int, int, bool) (dialog.cpp:1020)
==24271== by 0xE24913: AGS3::do_conversation(int) (dialog.cpp:1101)
==24271== by 0xDAD209: AGS3::post_script_cleanup() (script.cpp:530)
==24271== by 0xDAC919: AGS3::RunScriptFunctionIfExists(AGS3::ccInstance*, char const*, int, AGS3::RuntimeScriptValue const*) (script.cpp:382)
==24271== by 0xDACA9F: AGS3::RunTextScript(AGS3::ccInstance*, char const*) (script.cpp:414)
==24271== by 0xDAC3A6: AGS3::RunScriptFunction(AGS3::ScriptInstType, char const*, unsigned long, AGS3::RuntimeScriptValue const&, AGS3::RuntimeScriptValue const&) (script.cpp:271)
==24271== Address 0x1f783140 is 0 bytes after a block of size 307,200 alloc'd
==24271== at 0x6DE75B1: calloc (vg_replace_malloc.c:1117)
==24271== by 0x3BEBB79: Graphics::Surface::create(short, short, Graphics::PixelFormat const&) (surface.cpp:76)
==24271== by 0x3BDB24D: Graphics::ManagedSurface::create(short, short, Graphics::PixelFormat const&) (managed_surface.cpp:153)
==24271== by 0x3BDAB4A: Graphics::ManagedSurface::ManagedSurface(int, int, Graphics::PixelFormat const&) (managed_surface.cpp:60)
==24271== by 0xCBC89A: AGS3::Surface::Surface(int, int, Graphics::PixelFormat const&) (surface.h:284)
==24271== by 0xCBBE7F: AGS3::create_bitmap_ex(int, int, int) (surface.cpp:450)
==24271== by 0xCE50F0: AGS3::AGS::Shared::Bitmap::Create(int, int, int) (allegro_bitmap.cpp:71)
==24271== by 0xCE652A: AGS3::AGS::Shared::BitmapHelper::CreateBitmap(int, int, int) (bitmap.cpp:35)
==24271== by 0xE21B12: AGS3::DialogOptions::Prepare(int, bool) (dialog.cpp:484)
==24271== by 0xE24593: AGS3::show_dialog_options(int, int, bool) (dialog.cpp:1019)
==24271== by 0xE24913: AGS3::do_conversation(int) (dialog.cpp:1101)
==24271== by 0xDAD209: AGS3::post_script_cleanup() (script.cpp:530)
==24271==
* ENGINE HAS SHUTDOWN
==24271== Mismatched free() / delete / delete []
==24271== at 0x6DE670B: operator delete[](void*) (vg_replace_malloc.c:938)
==24271== by 0xCC2919: AGS3::GameSetupStructBase::Free() (game_setup_struct_base.cpp:77)
==24271== by 0xCBD21B: AGS3::GameSetupStruct::Free() (game_setup_struct.cpp:56)
==24271== by 0xCBD05E: AGS3::GameSetupStruct::~GameSetupStruct() (game_setup_struct.cpp:52)
==24271== by 0xCB0061: AGS3::Globals::~Globals() (globals.cpp:439)
==24271== by 0xCA91D4: AGS::AGSEngine::~AGSEngine() (ags.cpp:97)
==24271== by 0xCA9241: AGS::AGSEngine::~AGSEngine() (ags.cpp:98)
==24271== by 0x967E83: runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) (main.cpp:320)
==24271== by 0x96968D: scummvm_main (main.cpp:604)
==24271== by 0x96535E: main (posix-main.cpp:45)
==24271== Address 0x1b517340 is 0 bytes inside a block of size 16 alloc'd
==24271== at 0x6DE27E5: malloc (vg_replace_malloc.c:380)
==24271== by 0xCA89CD: AGS3::ags_strdup(char const*) (string_compat.cpp:52)
==24271== by 0xCDEB41: AGS3::AGS::Shared::SetDefaultGlmsg(AGS3::GameSetupStruct&, int, char const*) (main_game_file.cpp:631)
==24271== by 0xCDEB7D: AGS3::AGS::Shared::SetDefaultGlobalMessages(AGS3::GameSetupStruct&) (main_game_file.cpp:636)
==24271== by 0xCDFAEB: AGS3::AGS::Shared::UpdateGameData(AGS3::AGS::Shared::LoadedGameEntities&, AGS3::GameDataVersion) (main_game_file.cpp:803)
==24271== by 0xD92ECF: AGS3::load_game_file() (game_file.cpp:191)
==24271== by 0xD8C170: AGS3::engine_load_game_data() (engine.cpp:430)
==24271== by 0xD908A0: AGS3::initialize_engine(AGS3::std::map<AGS3::AGS::Shared::String, AGS3::std::map<AGS3::AGS::Shared::String, AGS3::AGS::Shared::String, Common::Less<AGS3::AGS::Shared::String> >, Common::Less<AGS3::AGS::Shared::String> > const&) (engine.cpp:1199)
==24271== by 0xCA981A: AGS::AGSEngine::run() (ags.cpp:183)
==24271== by 0x967D9D: runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) (main.cpp:307)
==24271== by 0x96968D: scummvm_main (main.cpp:604)
==24271== by 0x96535E: main (posix-main.cpp:45)
==24271==

comment:4 by dreammaster, 10 months ago

Thanks for the report. When rendering talk dialog options, it was requesting to draw from an area outside the source bitmap. The drawing code had guards for attempts to draw outside the destination surface area, but not the source. I've committed a fix.
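
The missing guard described in comment:4, as an added example that is not part of the ticket and is not ScummVM's actual fix: a blit that clips the requested rectangle against the source bitmap as well as the destination before any pixel is read. `Surface`, `Rect`, `clipBlit` and `blit` are hypothetical names, and the 32-bit pixel layout is an assumption.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Hypothetical minimal 32-bit surface; not ScummVM's Graphics::Surface.
struct Surface {
    int w, h;
    std::vector<uint32_t> px;
    Surface(int w_, int h_, uint32_t fill = 0) : w(w_), h(h_), px(size_t(w_) * h_, fill) {}
};

struct Rect { int left, top, right, bottom; };  // right/bottom are exclusive

// Clips the requested copy against BOTH surfaces. Returns false if nothing is left.
// On success, src is the clipped source rect and (dx, dy) the adjusted destination origin.
bool clipBlit(const Surface &s, const Surface &d, Rect &src, int &dx, int &dy) {
    // Source guard: the kind of check the ticket says was missing.
    // Clipping the left/top edge must shift the destination origin by the same amount.
    if (src.left < 0) { dx -= src.left; src.left = 0; }
    if (src.top < 0)  { dy -= src.top;  src.top = 0; }
    src.right = std::min(src.right, s.w);
    src.bottom = std::min(src.bottom, s.h);
    // Destination guard: the kind of check that was already present.
    if (dx < 0) { src.left -= dx; dx = 0; }
    if (dy < 0) { src.top -= dy; dy = 0; }
    src.right = std::min(src.right, src.left + (d.w - dx));
    src.bottom = std::min(src.bottom, src.top + (d.h - dy));
    return src.left < src.right && src.top < src.bottom;
}

// Copies the clipped region row by row and returns the number of pixels written.
int blit(const Surface &s, Surface &d, Rect src, int dx, int dy) {
    if (!clipBlit(s, d, src, dx, dy)) return 0;
    const int rowLen = src.right - src.left;
    for (int y = src.top; y < src.bottom; ++y)
        std::copy_n(&s.px[size_t(y) * s.w + src.left], rowLen,
                    &d.px[size_t(dy + y - src.top) * d.w + dx]);
    return rowLen * (src.bottom - src.top);
}
```

Without the source guard, a request such as `{2, 2, 6, 6}` on a 4x4 source reads past the end of the pixel buffer, which is the "0 bytes after a block" read valgrind reports in comment:3.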

comment:5 by dreammaster, 10 months ago

Owner: set to dreammaster
Resolution: fixed
Status: new → closed

I also fixed the writing of uninitialized palette data in the savegame files.
