Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#5335 closed defect (fixed)

SCI Fanmade - Ocean Battle: Crash while playing

Reported by: SF/escarlate Owned by: bluegr
Priority: normal Component: Engine: SCI
Keywords: script Cc:
Game: SCI Fanmade

Description

Game Version: DOS/English
ScummVM Version: 1.2.0svn52559
Operating System: Win32 (XP SP2)

The console log:

Uninitialized read for temp 1 from method RoomScript::doit (script 1, room 488,localCall 1f17)!

Ticket imported from: #3059871. Ticket imported from: bugs/5335.

Change History (5)

comment:1 by bluegr, 9 years ago

Partially fixed in rev #52581

The fix is partial, as the game will crash when losing and attempting to
restart (for a different reason - there's an issue when uninstantiating a script),
thus I'm leaving this one open for now

comment:2 by digitall, 9 years ago

Tried playing Ocean Battle to replicate this on Linux x86_32 with:
ScummVM 1.3.0git3512-gacb9879-dirty (Mar 1 2011 19:15:17)
Features compiled in: Vorbis FLAC MP3 ALSA SEQ TiMidity RGB zLib FluidSynth Theora

This segfaults after you place your last ship ready to start playing.

A valgrind run prevents this happening and shows the cause as:
==19368== Invalid write of size 2
==19368== at 0x81BDFF9: Sci::setChar(Sci::SegmentRef const&, unsigned int, char) (seg_manager.cpp:617)
==19368== by 0x81BE12C: Sci::SegManager::strncpy(Sci::reg_t, char const*, unsigned int) (seg_manager.cpp:647)
==19368== by 0x81BE388: Sci::SegManager::strcpy(Sci::reg_t, char const*) (seg_manager.cpp:706)
==19368== by 0x81ADFEA: Sci::kFormat(Sci::EngineState*, int, Sci::reg_t*) (kstring.cpp:413)
==19368== by 0x81C6024: Sci::callKernelFunc(Sci::EngineState*, int, int) (vm.cpp:718)
==19368== by 0x81C7A9D: Sci::run_vm(Sci::EngineState*) (vm.cpp:1192)
==19368== by 0x8191433: Sci::SciEngine::runGame() (sci.cpp:663)
==19368== by 0x819034E: Sci::SciEngine::run() (sci.cpp:353)
==19368== by 0x804F384: runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) (main.cpp:213)
==19368== by 0x804FF14: scummvm_main (main.cpp:423)
==19368== by 0x804E436: main (posix-main.cpp:48)
==19368== Address 0x65ba5d8 is 0 bytes after a block of size 176 alloc'd
==19368== at 0x4025DCE: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19368== by 0x81B76F6: Common::Array<Sci::reg_t>::reserve(unsigned int) (array.h:246)
==19368== by 0x81B6D51: Common::Array<Sci::reg_t>::resize(unsigned int) (array.h:257)
==19368== by 0x81BD4E5: Sci::SegManager::allocLocalsSegment(Sci::Script*) (seg_manager.cpp:371)
==19368== by 0x81B963C: Sci::Script::initialiseLocals(Sci::SegManager*) (script.cpp:481)
==19368== by 0x81BEDA9: Sci::SegManager::instantiateScript(int) (seg_manager.cpp:1014)
==19368== by 0x81BD303: Sci::SegManager::getScriptSegment(int, Sci::ScriptLoadType) (seg_manager.cpp:342)
==19368== by 0x81AB9DC: Sci::kScriptID(Sci::EngineState*, int, Sci::reg_t*) (kscripts.cpp:216)
==19368== by 0x81C6024: Sci::callKernelFunc(Sci::EngineState*, int, int) (vm.cpp:718)
==19368== by 0x81C7A9D: Sci::run_vm(Sci::EngineState*) (vm.cpp:1192)
==19368== by 0x8191433: Sci::SciEngine::runGame() (sci.cpp:663)
==19368== by 0x819034E: Sci::SciEngine::run() (sci.cpp:353)
==19368==
==19368== Invalid read of size 2
==19368== at 0x81BE049: Sci::setChar(Sci::SegmentRef const&, unsigned int, char) (seg_manager.cpp:626)
==19368== by 0x81BE12C: Sci::SegManager::strncpy(Sci::reg_t, char const*, unsigned int) (seg_manager.cpp:647)
==19368== by 0x81BE388: Sci::SegManager::strcpy(Sci::reg_t, char const*) (seg_manager.cpp:706)
==19368== by 0x81ADFEA: Sci::kFormat(Sci::EngineState*, int, Sci::reg_t*) (kstring.cpp:413)
==19368== by 0x81C6024: Sci::callKernelFunc(Sci::EngineState*, int, int) (vm.cpp:718)
==19368== by 0x81C7A9D: Sci::run_vm(Sci::EngineState*) (vm.cpp:1192)
==19368== by 0x8191433: Sci::SciEngine::runGame() (sci.cpp:663)
==19368== by 0x819034E: Sci::SciEngine::run() (sci.cpp:353)
==19368== by 0x804F384: runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) (main.cpp:213)
==19368== by 0x804FF14: scummvm_main (main.cpp:423)
==19368== by 0x804E436: main (posix-main.cpp:48)
==19368== Address 0x65ba5da is 2 bytes after a block of size 176 alloc'd
==19368== at 0x4025DCE: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19368== by 0x81B76F6: Common::Array<Sci::reg_t>::reserve(unsigned int) (array.h:246)
==19368== by 0x81B6D51: Common::Array<Sci::reg_t>::resize(unsigned int) (array.h:257)
==19368== by 0x81BD4E5: Sci::SegManager::allocLocalsSegment(Sci::Script*) (seg_manager.cpp:371)
==19368== by 0x81B963C: Sci::Script::initialiseLocals(Sci::SegManager*) (script.cpp:481)
==19368== by 0x81BEDA9: Sci::SegManager::instantiateScript(int) (seg_manager.cpp:1014)
==19368== by 0x81BD303: Sci::SegManager::getScriptSegment(int, Sci::ScriptLoadType) (seg_manager.cpp:342)
==19368== by 0x81AB9DC: Sci::kScriptID(Sci::EngineState*, int, Sci::reg_t*) (kscripts.cpp:216)
==19368== by 0x81C6024: Sci::callKernelFunc(Sci::EngineState*, int, int) (vm.cpp:718)
==19368== by 0x81C7A9D: Sci::run_vm(Sci::EngineState*) (vm.cpp:1192)
==19368== by 0x8191433: Sci::SciEngine::runGame() (sci.cpp:663)
==19368== by 0x819034E: Sci::SciEngine::run() (sci.cpp:353)
==19368==

By running with ./scummvm -d 5 --debugflags=Strings, the string errors seem to be associated with string calls of the form:
Formatting "Shots left: %d "

Hopefully this will help someone locate the cause and fix.

comment:3 by bluegr, 9 years ago

It's trying to write the kFormat string to a local which is near the end of the script and smaller than the actual string.
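The valgrind trace in comment 2 shows the result of kFormat being copied with SegManager::strcpy into a script's locals block and running past the end of the 176-byte allocation, and comment 3 identifies the destination local as too small for the string. The following is an added example, not ScummVM's code, that models a locals segment as an array of 16-bit cells holding two characters each (a simplification of reg_t invented for this example) and shows the up-front length check a bounded copy needs so that an oversized format result is rejected instead of written out of bounds. LocalsBlock, cellsNeeded, setCharChecked, strcpyChecked, readString and formatShots are all names made up for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed model of a script's locals segment: a fixed number of 16-bit cells.
// (Hypothetical simplification; real SCI locals are reg_t values.)
struct LocalsBlock {
    std::vector<uint16_t> cells;
    explicit LocalsBlock(size_t n) : cells(n, 0) {}
};

// Cells needed to hold `len` characters plus the terminating NUL, two characters per cell.
static size_t cellsNeeded(size_t len) {
    return (len + 2) / 2;   // (len + NUL) rounded up to a whole cell
}

// Write one character at byte position `pos` relative to `startCell`
// (even positions use the low byte, odd positions the high byte).
// Refuses to touch anything past the end of the block: that refused write is
// exactly the "Invalid write of size 2" valgrind reported.
static bool setCharChecked(LocalsBlock &blk, size_t startCell, size_t pos, char c) {
    size_t cell = startCell + pos / 2;
    if (cell >= blk.cells.size())
        return false;
    uint16_t &w = blk.cells[cell];
    if (pos % 2 == 0)
        w = (uint16_t)((w & 0xFF00) | (unsigned char)c);
    else
        w = (uint16_t)((w & 0x00FF) | ((unsigned char)c << 8));
    return true;
}

// Bounded copy: check the whole length before writing anything, so a string that
// does not fit leaves the block untouched instead of being partially written.
static bool strcpyChecked(LocalsBlock &blk, size_t startCell, const std::string &src) {
    if (startCell > blk.cells.size() ||
        cellsNeeded(src.size()) > blk.cells.size() - startCell)
        return false;
    for (size_t i = 0; i < src.size(); ++i)
        setCharChecked(blk, startCell, i, src[i]);
    setCharChecked(blk, startCell, src.size(), '\0');
    return true;
}

// Read a NUL-terminated string back out of the cells, stopping at the block end.
static std::string readString(const LocalsBlock &blk, size_t startCell) {
    std::string out;
    for (size_t pos = 0;; ++pos) {
        size_t cell = startCell + pos / 2;
        if (cell >= blk.cells.size())
            break;
        uint16_t w = blk.cells[cell];
        char c = (pos % 2 == 0) ? (char)(w & 0xFF) : (char)(w >> 8);
        if (c == '\0')
            break;
        out.push_back(c);
    }
    return out;
}

// The format string from the ticket, rendered the way kFormat would render it.
static std::string formatShots(int n) {
    char buf[64];
    std::snprintf(buf, sizeof buf, "Shots left: %d ", n);
    return buf;
}

int main() {
    std::string s = formatShots(7);           // "Shots left: 7 ", 14 characters, 8 cells with NUL
    LocalsBlock small(40);
    bool ok1 = strcpyChecked(small, 36, s);   // only 4 cells left before the end: rejected
    LocalsBlock big(40);
    bool ok2 = strcpyChecked(big, 30, s);     // 10 cells left: fits
    std::printf("near end: %s, with room: %s -> \"%s\"\n",
                ok1 ? "ok" : "rejected", ok2 ? "ok" : "rejected",
                readString(big, 30).c_str());
    return 0;
}
```

The point of checking cellsNeeded against the remaining cells before the loop is that a copy into a local near the end of the script either succeeds completely or fails cleanly; a per-character check alone would still leave a truncated, possibly unterminated string behind.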

comment:4 by bluegr, 9 years ago

A script bug. Fixed in c3d8f56.

comment:5 by bluegr, 9 years ago

Owner: set to bluegr
Resolution: fixed
Status: new → closed