Opened 7 years ago

Closed 7 years ago

#9605 closed defect (fixed)

SCI: QFG3 (GOG): Uninitialized read on stats screen in Simbani bridge room

Reported by: wjp
Owned by: wjp
Priority: normal
Component: Engine: SCI
Version:
Keywords:
Cc:
Game: Quest for Glory 3

Description

Reported in #6806:

Opening and then closing the stats screen in the Simbani bridge room causes a crash with an uninitialized read:

Uninitialized read for temp 0 from method <invalid name>::notify (room 470, script 470, localCall ffffffff)!
Debugger entered, please switch to this console for input.
debug> bt
Call stack (current base: 0x0):
 0: script 994 - Glory::replay()
     obj@0001:34d2 pc=0004:04e5 sp=ST:0001 fp=ST:0000 argp:ST:0001
 1: script 0 - Glory::doit()
     by 0 obj@0001:34d2 pc=0001:0324 sp=ST:0006 fp=ST:0003 argp:ST:0002
 2: script 994 - Game::doit()
     by 1 obj@0001:34d2 pc=0004:067c sp=ST:000b fp=ST:0008 argp:ST:0007
 3: script 996 - User::doit()
     by 2 obj@001e:043c pc=001e:00a6 sp=ST:000d fp=ST:000d argp:ST:000c
 4: script 996 - User::handleEvent(001e:041c)
     by 3 obj@001e:043c pc=001e:0293 sp=ST:0015 fp=ST:0010 argp:ST:000e
 5: script 0 - mainIconBar::handleEvent(001e:041c)
     by 4 obj@0001:368e pc=0001:2772 sp=ST:0018 fp=ST:0018 argp:ST:0016
 6: script 937 - IconBar::handleEvent(001e:041c)
     by 5 obj@0001:368e pc=000a:05a8 sp=ST:0022 fp=ST:001b argp:ST:0019
 7: script 937 - mainIconBar::doit()
     by 6 obj@0001:368e pc=000a:0b42 sp=ST:0028 fp=ST:0024 argp:ST:0023
 8: script 937 - mainIconBar::dispatchEvent(001e:041c)
     by 7 obj@0001:368e pc=000a:0c43 sp=ST:0068 fp=ST:002b argp:ST:0029
 9: script 937 - mainIconBar::select(0001:382c, 0000:0001)
     by 8 obj@0001:368e pc=000a:0e91 sp=ST:006c fp=ST:006c argp:ST:0069
 a: script 0 - iconActions::select(0000:0001)
     by 9 obj@0001:382c pc=0001:2815 sp=ST:006f fp=ST:006f argp:ST:006d
 b: script 20 - actionBar::show()
     by a obj@0027:02aa pc=0027:011f sp=ST:0073 fp=ST:0073 argp:ST:0072
 c: script 15 - charSheet::doit()
     by b obj@0082:086f pc=0082:070c sp=ST:007f fp=ST:0075 argp:ST:0074
 d: script 470 - <invalid name>::notify(0000:fff1)
     by c obj@0085:1ae2 pc=0085:04b9 sp=ST:0083 fp=ST:0082 argp:ST:0080

Attachments (1)

qfg3-3.010 (49.8 KB) - added by wjp 7 years ago: savegame

Change History (4)

by wjp, 7 years ago

Attachment: qfg3-3.010 added

savegame

comment:1 by OmerMor, 7 years ago

Here's the decompiled rm470::notify() method (using SCI Companion):

(method (notify param1 param2 &tmp temp0)	; temp0 is declared but never initialized
	(switch param1
		(1
			(if (> argc 1) (= local6 param2))
			(= temp0 local6)	; temp0 is assigned only here ...
		)
		(3
			(if (> argc 1)
				(= local0 param2)
				(switch param2
					(3
						(= [local61 0] @local48)
						(uhuraTeller init: (ScriptID 34 1) @local48 local61)
					)
					(4
						(= [local61 0] @local53)
						(uhuraTeller init: (ScriptID 34 1) @local53 local61)
					)
					(10 ((ScriptID 34 1) dispose:))
				)
			)
			(= temp0 local0)	; ... and here
		)
		; no default case: any other param1 leaves temp0 unwritten
	)
	(return temp0)	; temp0 is read on every path, including the unwritten one
)

So it seems like when param1 != {1,3}, temp0 won't be assigned before the function returns it, which would explain the crash.

In charSheet::doit(), there's only one call to notify:

(global2 notify: -15)

Where global2 holds the current room, which would be rm470 - the Simbani bridge room.

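As an added illustration (not ScummVM code or the game's script), a Python model of this control flow with the kind of uninitialized-temp check the interpreter performs; the locals dictionary, the argument list and the value 0 substituted by the workaround are assumptions:

```python
from typing import Any, Dict, List

UNINIT = object()  # sentinel: this temp slot has never been written


class UninitializedRead(Exception):
    """Raised where a real interpreter would report the 'Uninitialized read'."""


class TempFrame:
    """Temp variables of one method call; every slot starts out unwritten."""

    def __init__(self, count: int, method: str) -> None:
        self.slots: List[Any] = [UNINIT] * count
        self.method = method

    def write(self, index: int, value: Any) -> None:
        self.slots[index] = value

    def read(self, index: int) -> Any:
        if self.slots[index] is UNINIT:
            raise UninitializedRead(
                f"Uninitialized read for temp {index} from method {self.method}")
        return self.slots[index]


def rm470_notify(locals_: Dict[int, int], args: List[int],
                 workaround: bool = False) -> int:
    """Control flow of the decompiled method: temp0 is assigned only in the
    cases param1 == 1 and param1 == 3, yet returned on every path.
    The uhuraTeller side effects of case 3 are omitted (assumed irrelevant)."""
    temps = TempFrame(1, "rm470::notify")
    if workaround:
        temps.write(0, 0)  # assumed workaround: pre-seed temp0 with a defined value
    param1 = args[0]
    if param1 == 1:
        if len(args) > 1:           # (if (> argc 1) (= local6 param2))
            locals_[6] = args[1]
        temps.write(0, locals_[6])  # (= temp0 local6)
    elif param1 == 3:
        if len(args) > 1:           # (if (> argc 1) (= local0 param2) ...)
            locals_[0] = args[1]
        temps.write(0, locals_[0])  # (= temp0 local0)
    return temps.read(0)            # (return temp0): unwritten for any other param1


def reads_uninitialized(args: List[int], workaround: bool = False) -> bool:
    """True if calling notify with these args trips the interpreter check."""
    try:
        rm470_notify({0: 0, 6: 0}, args, workaround)
    except UninitializedRead:
        return True
    return False
```

The (global2 notify: -15) call from charSheet::doit() corresponds to args [-15], which takes neither switch case.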

comment:2 by OmerMor, 7 years ago

The only place where a value of -15 is handled by the notify function is in Rm740 (the waterfall where you cross with the monkeys). There it is used to redraw the rope bridge after the stat screen closes.

Every other room (besides Rm740 and Rm470) does not override this function (defined in Rgn, and inherited by Rm and its many instances).

comment:3 by wjp, 7 years ago

Owner: set to wjp
Resolution: fixed
Status: new → closed

A fan patch shipped by GOG broke our existing workaround for this uninitialized read. Added a duplicate that works in this version.
