Opened 3 years ago
Closed 3 years ago
#12739 closed defect (fixed)
AGS: Segfault on Urban Witch Story
Reported by: | Thunderforge | Owned by: | dreammaster |
---|---|---|---|
Priority: | normal | Component: | Engine: AGS |
Version: | | Keywords: | urbanwitchstory |
Cc: | | Game: | |
Description (last modified by )
A segfault happens consistently with Urban Witch Story.
Reproduction Steps
- Start a new game
- Go through the opening sequence by clicking through all the dialogue (fastest resolution is to choose "Is there anything else inside the house?" followed by "I don't want to waste your time")
- After being shown the controls for left-click and right-click, click on the police car
- Jackson will ask if everything is okay and then ScummVM will crash with a segfault
Crash Report
Process: scummvm [98050]
Path: /Applications/ScummVM.app/Contents/MacOS/scummvm
Identifier: org.scummvm.scummvm
Version: 2.3.0git (2.3.0git)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: scummvm [98050]
User ID: 502
Date/Time: 2021-07-15 21:38:30.973 -0500
OS Version: macOS 11.4 (20F71)
Report Version: 12
Anonymous UUID: 0AA5D204-3785-7750-75EA-380129269336
Sleep/Wake UUID: D8B221B7-F5AD-46D6-96A2-67A46005F199
Time Awake Since Boot: 360000 seconds
Time Since Wake: 930 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00007febae774000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [98050]
VM Regions Near 0x7febae774000:
MALLOC_LARGE 7febae729000-7febae774000 [ 300K] rw-/rwx SM=PRV
-->
STACK GUARD 7ffeea573000-7ffeedd73000 [ 56.0M] ---/rwx SM=NUL stack guard for thread 0
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 org.scummvm.scummvm 0x0000000101a3d52e AGS3::BITMAP::getColor(unsigned char const*, unsigned char) const + 110
1 org.scummvm.scummvm 0x0000000101a3d07a 0x10168d000 + 3866746
2 org.scummvm.scummvm 0x0000000101a39ac9 0x10168d000 + 3853001
3 org.scummvm.scummvm 0x0000000101a77979 0x10168d000 + 4106617
4 org.scummvm.scummvm 0x0000000101ac3bcf 0x10168d000 + 4418511
5 org.scummvm.scummvm 0x0000000101ac2a4a 0x10168d000 + 4414026
6 org.scummvm.scummvm 0x0000000101ac0d07 0x10168d000 + 4406535
7 org.scummvm.scummvm 0x0000000101ac4e85 0x10168d000 + 4423301
8 org.scummvm.scummvm 0x0000000101bded30 0x10168d000 + 5578032
9 org.scummvm.scummvm 0x0000000101bde9c7 0x10168d000 + 5577159
10 org.scummvm.scummvm 0x0000000101bde487 0x10168d000 + 5575815
11 org.scummvm.scummvm 0x0000000101bde170 0x10168d000 + 5575024
12 org.scummvm.scummvm 0x0000000101bdeec9 0x10168d000 + 5578441
13 org.scummvm.scummvm 0x0000000101bde9c7 0x10168d000 + 5577159
14 org.scummvm.scummvm 0x0000000101ae1da8 0x10168d000 + 4541864
15 org.scummvm.scummvm 0x0000000101bdbcc0 0x10168d000 + 5565632
16 org.scummvm.scummvm 0x0000000101bde153 0x10168d000 + 5574995
17 org.scummvm.scummvm 0x0000000101bddbd8 0x10168d000 + 5573592
18 org.scummvm.scummvm 0x0000000101ae239f 0x10168d000 + 4543391
19 org.scummvm.scummvm 0x0000000101ae34d5 0x10168d000 + 4547797
20 org.scummvm.scummvm 0x0000000101ae3593 0x10168d000 + 4547987
21 org.scummvm.scummvm 0x0000000101bc06c8 0x10168d000 + 5453512
22 org.scummvm.scummvm 0x0000000101bbfe7e 0x10168d000 + 5451390
23 org.scummvm.scummvm 0x0000000101bc0e2f 0x10168d000 + 5455407
24 org.scummvm.scummvm 0x0000000101bc0d83 0x10168d000 + 5455235
25 org.scummvm.scummvm 0x0000000101bc2282 0x10168d000 + 5460610
26 org.scummvm.scummvm 0x0000000101bb99fa 0x10168d000 + 5425658
27 org.scummvm.scummvm 0x0000000101a1c6b5 0x10168d000 + 3733173
28 org.scummvm.scummvm 0x00000001016c15ef 0x10168d000 + 214511
29 org.scummvm.scummvm 0x00000001016bf594 0x10168d000 + 206228
30 org.scummvm.scummvm 0x00000001016bbb10 0x10168d000 + 191248
31 libdyld.dylib 0x00007fff20331f5d start + 1
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x00007febae774000 rbx: 0x00000000ffffffff rcx: 0x0000000000000003 rdx: 0x0000000000000004
rdi: 0x00007febaa1bce68 rsi: 0x00007febae774000 rbp: 0x00007ffeee56efb0 rsp: 0x00007ffeee56ef90
r8: 0x0000000000000004 r9: 0x00007ffeee56f000 r10: 0x00000000ffffffff r11: 0x0000000000000001
r12: 0xf11ceef51e2f00ad r13: 0x000000000000000c r14: 0x00007febad185000 r15: 0x00000001061a7800
rip: 0x0000000101a3d52e rfl: 0x0000000000210246 cr2: 0x00007febae774000
Logical CPU: 2
Error Code: 0x00000004 (no mapping for user data read)
Trap Number: 14
Thread 0 last branch register state not available.
Versions
ScummVM Mac x64: gacf0b1fbcf 2021-07-13
Operating System: macOS 11.4
Change History (5)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|
comment:2 by , 3 years ago
Description: | modified (diff) |
---|
comment:3 by , 3 years ago
comment:4 by , 3 years ago
Thanks for the report. When rendering talk dialog options, it was requesting to draw from an area outside the source bitmap. The drawing code had guards for attempts to draw outside the destination surface area, but not the source. I've committed a fix.
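As an added illustration of the defect class this comment describes (example code, not ScummVM's own; `Bitmap`, `BlitArgs`, `clipToDest`, `clipToSourceAndDest`, `blit` and `drawDialogOptions` are hypothetical names), a minimal 8-bit blit whose rectangle is clipped once against the destination only and once against both surfaces:

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical 8-bit paletted bitmap, not ScummVM's AGS3::BITMAP.
struct Bitmap {
    int w, h;
    std::vector<unsigned char> pixels;
    Bitmap(int w_, int h_, unsigned char fill = 0) : w(w_), h(h_), pixels(size_t(w_) * h_, fill) {}
};
// Blit request: source origin (sx, sy), destination origin (dx, dy), extent (w, h).
struct BlitArgs { int sx, sy, dx, dy, w, h; };
// Defective logic: clip against the destination surface only, so a source
// rectangle hanging past the source bitmap is left untouched.
static void clipToDest(const Bitmap &dst, BlitArgs &a) {
    if (a.dx < 0) { a.sx -= a.dx; a.w += a.dx; a.dx = 0; }
    if (a.dy < 0) { a.sy -= a.dy; a.h += a.dy; a.dy = 0; }
    a.w = std::min(a.w, dst.w - a.dx);
    a.h = std::min(a.h, dst.h - a.dy);
}
// The fix the comment describes: also intersect with the source bounds.
static void clipToSourceAndDest(const Bitmap &src, const Bitmap &dst, BlitArgs &a) {
    if (a.sx < 0) { a.dx -= a.sx; a.w += a.sx; a.sx = 0; }
    if (a.sy < 0) { a.dy -= a.sy; a.h += a.sy; a.sy = 0; }
    a.w = std::min(a.w, src.w - a.sx);
    a.h = std::min(a.h, src.h - a.sy);
    clipToDest(dst, a);
}
// Copy loop: returns pixels copied, or -1 once a source coordinate leaves src
// (the real engine dereferenced there; the check reports the over-read instead).
static long blit(const Bitmap &src, Bitmap &dst, const BlitArgs &a) {
    long copied = 0;
    for (int y = 0; y < a.h; ++y)
        for (int x = 0; x < a.w; ++x) {
            int px = a.sx + x, py = a.sy + y;
            if (px < 0 || px >= src.w || py < 0 || py >= src.h) return -1;
            dst.pixels[size_t(a.dy + y) * dst.w + (a.dx + x)] = src.pixels[size_t(py) * src.w + px];
            ++copied;
        }
    return copied;
}
// Constructed scenario modelled on the ticket: a 640x480 source (307,200 bytes,
// as in the valgrind trace) and a request for 100 rows starting at row 400.
static long drawDialogOptions(bool clipSource) {
    Bitmap src(640, 480, 7), dst(800, 600);
    BlitArgs a{0, 400, 0, 0, 640, 100};
    if (clipSource) clipToSourceAndDest(src, dst, a); else clipToDest(dst, a);
    return blit(src, dst, a);   // false -> -1 (over-read), true -> 51200
}
```

The destination-only variant passes its bounds check and still runs 20 rows past the end of the source, which is the read the valgrind report below places "0 bytes after a block of size 307,200".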
comment:5 by , 3 years ago
Owner: | set to |
---|---|
Resolution: | → fixed |
Status: | new → closed |
I also fixed the writing of uninitialized palette data in the savegame files.
No crash on x86_64, but there are clear invalid accesses if run with valgrind including one in the getColor function indicated. Trace follows:
==24271== Syscall param write(buf) points to uninitialised byte(s)
==24271== at 0x79EF6CF: write (in /lib64/libc-2.33.so)
==24271== by 0x7981D14: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.33.so)
==24271== by 0x79810A5: new_do_write (in /lib64/libc-2.33.so)
==24271== by 0x798240D: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.33.so)
==24271== by 0x797703C: fwrite (in /lib64/libc-2.33.so)
==24271== by 0x3AF4162: StdioStream::write(void const*, unsigned int) (stdiostream.cpp:111)
==24271== by 0x3A9E4DC: Common::OutSaveFile::write(void const*, unsigned int) (savefile.cpp:52)
==24271== by 0xCA2C02: AGS3::AGS::Shared::FileStream::Close() (file_stream.cpp:52)
==24271== by 0xCA2AF9: AGS3::AGS::Shared::FileStream::~FileStream() (file_stream.cpp:43)
==24271== by 0xCA2B31: AGS3::AGS::Shared::FileStream::~FileStream() (file_stream.cpp:44)
==24271== by 0xCC9069: Common::DefaultDeleter<AGS3::AGS::Shared::Stream>::operator()(AGS3::AGS::Shared::Stream*) (ptr.h:383)
==24271== by 0xCC84AE: Common::ScopedPtr<AGS3::AGS::Shared::Stream, Common::DefaultDeleter<AGS3::AGS::Shared::Stream> >::~ScopedPtr() (ptr.h:406)
==24271== Address 0x1b668439 is 72,857 bytes inside a block of size 1,085,440 alloc'd
==24271== at 0x6DE27E5: malloc (vg_replace_malloc.c:380)
==24271== by 0x995283: Common::MemoryWriteStreamDynamic::ensureCapacity(unsigned int) (memstream.h:196)
==24271== by 0x995450: Common::MemoryWriteStreamDynamic::write(void const*, unsigned int) (memstream.h:216)
==24271== by 0xCA307B: AGS3::AGS::Shared::FileStream::Write(void const*, unsigned long) (file_stream.cpp:135)
==24271== by 0xD65A9F: AGS3::ManagedObjectPool::WriteToDisk(AGS3::AGS::Shared::Stream*) (managed_object_pool.cpp:272)
==24271== by 0xD63EFE: AGS3::ccSerializeAllObjects(AGS3::AGS::Shared::Stream*) (cc_dynamic_object.cpp:86)
==24271== by 0xD78568: AGS3::AGS::Engine::SavegameComponents::WriteManagedPool(AGS3::AGS::Shared::Stream*) (savegame_components.cpp:971)
==24271== by 0xD792FF: AGS3::AGS::Engine::SavegameComponents::WriteComponent(AGS3::AGS::Shared::Stream*, AGS3::AGS::Engine::SavegameComponents::ComponentHandler&) (savegame_components.cpp:1237)
==24271== by 0xD7948F: AGS3::AGS::Engine::SavegameComponents::WriteAllCommon(AGS3::AGS::Shared::Stream*) (savegame_components.cpp:1250)
==24271== by 0xD72B16: AGS3::AGS::Engine::SaveGameState(AGS3::AGS::Shared::Stream*) (savegame.cpp:754)
==24271== by 0xD1341B: AGS3::save_game(int, char const*) (game.cpp:928)
==24271== by 0xD26F58: AGS3::SetRestartPoint() (global_game.cpp:381)
==24271==
==24271== Invalid read of size 4
==24271== at 0xCBC857: AGS3::BITMAP::getColor(unsigned char const*, unsigned char) const (surface.h:271)
==24271== by 0xCBABAD: AGS3::BITMAP::draw(AGS3::BITMAP const*, Common::Rect const&, int, int, bool, bool, bool, int, int, int, int) (surface.cpp:179)
==24271== by 0xCB7A55: AGS3::blit(AGS3::BITMAP const*, AGS3::BITMAP*, int, int, int, int, int, int) (gfx.cpp:107)
==24271== by 0xCE5852: AGS3::AGS::Shared::Bitmap::Blit(AGS3::AGS::Shared::Bitmap*, int, int, int, int, int, int, AGS3::AGS::Shared::BitmapMaskOption) (allegro_bitmap.cpp:192)
==24271== by 0xE23641: AGS3::DialogOptions::Redraw() (dialog.cpp:779)
==24271== by 0xE2240C: AGS3::DialogOptions::Show() (dialog.cpp:596)
==24271== by 0xE2459F: AGS3::show_dialog_options(int, int, bool) (dialog.cpp:1020)
==24271== by 0xE24913: AGS3::do_conversation(int) (dialog.cpp:1101)
==24271== by 0xDAD209: AGS3::post_script_cleanup() (script.cpp:530)
==24271== by 0xDAC919: AGS3::RunScriptFunctionIfExists(AGS3::ccInstance*, char const*, int, AGS3::RuntimeScriptValue const*) (script.cpp:382)
==24271== by 0xDACA9F: AGS3::RunTextScript(AGS3::ccInstance*, char const*) (script.cpp:414)
==24271== by 0xDAC3A6: AGS3::RunScriptFunction(AGS3::ScriptInstType, char const*, unsigned long, AGS3::RuntimeScriptValue const&, AGS3::RuntimeScriptValue const&) (script.cpp:271)
==24271== Address 0x1f783140 is 0 bytes after a block of size 307,200 alloc'd
==24271== at 0x6DE75B1: calloc (vg_replace_malloc.c:1117)
==24271== by 0x3BEBB79: Graphics::Surface::create(short, short, Graphics::PixelFormat const&) (surface.cpp:76)
==24271== by 0x3BDB24D: Graphics::ManagedSurface::create(short, short, Graphics::PixelFormat const&) (managed_surface.cpp:153)
==24271== by 0x3BDAB4A: Graphics::ManagedSurface::ManagedSurface(int, int, Graphics::PixelFormat const&) (managed_surface.cpp:60)
==24271== by 0xCBC89A: AGS3::Surface::Surface(int, int, Graphics::PixelFormat const&) (surface.h:284)
==24271== by 0xCBBE7F: AGS3::create_bitmap_ex(int, int, int) (surface.cpp:450)
==24271== by 0xCE50F0: AGS3::AGS::Shared::Bitmap::Create(int, int, int) (allegro_bitmap.cpp:71)
==24271== by 0xCE652A: AGS3::AGS::Shared::BitmapHelper::CreateBitmap(int, int, int) (bitmap.cpp:35)
==24271== by 0xE21B12: AGS3::DialogOptions::Prepare(int, bool) (dialog.cpp:484)
==24271== by 0xE24593: AGS3::show_dialog_options(int, int, bool) (dialog.cpp:1019)
==24271== by 0xE24913: AGS3::do_conversation(int) (dialog.cpp:1101)
==24271== by 0xDAD209: AGS3::post_script_cleanup() (script.cpp:530)
==24271==
* ENGINE HAS SHUTDOWN
==24271== Mismatched free() / delete / delete []
==24271== at 0x6DE670B: operator delete[](void*) (vg_replace_malloc.c:938)
==24271== by 0xCC2919: AGS3::GameSetupStructBase::Free() (game_setup_struct_base.cpp:77)
==24271== by 0xCBD21B: AGS3::GameSetupStruct::Free() (game_setup_struct.cpp:56)
==24271== by 0xCBD05E: AGS3::GameSetupStruct::~GameSetupStruct() (game_setup_struct.cpp:52)
==24271== by 0xCB0061: AGS3::Globals::~Globals() (globals.cpp:439)
==24271== by 0xCA91D4: AGS::AGSEngine::~AGSEngine() (ags.cpp:97)
==24271== by 0xCA9241: AGS::AGSEngine::~AGSEngine() (ags.cpp:98)
==24271== by 0x967E83: runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) (main.cpp:320)
==24271== by 0x96968D: scummvm_main (main.cpp:604)
==24271== by 0x96535E: main (posix-main.cpp:45)
==24271== Address 0x1b517340 is 0 bytes inside a block of size 16 alloc'd
==24271== at 0x6DE27E5: malloc (vg_replace_malloc.c:380)
==24271== by 0xCA89CD: AGS3::ags_strdup(char const*) (string_compat.cpp:52)
==24271== by 0xCDEB41: AGS3::AGS::Shared::SetDefaultGlmsg(AGS3::GameSetupStruct&, int, char const*) (main_game_file.cpp:631)
==24271== by 0xCDEB7D: AGS3::AGS::Shared::SetDefaultGlobalMessages(AGS3::GameSetupStruct&) (main_game_file.cpp:636)
==24271== by 0xCDFAEB: AGS3::AGS::Shared::UpdateGameData(AGS3::AGS::Shared::LoadedGameEntities&, AGS3::GameDataVersion) (main_game_file.cpp:803)
==24271== by 0xD92ECF: AGS3::load_game_file() (game_file.cpp:191)
==24271== by 0xD8C170: AGS3::engine_load_game_data() (engine.cpp:430)
==24271== by 0xD908A0: AGS3::initialize_engine(AGS3::std::map<AGS3::AGS::Shared::String, AGS3::std::map<AGS3::AGS::Shared::String, AGS3::AGS::Shared::String, Common::Less<AGS3::AGS::Shared::String> >, Common::Less<AGS3::AGS::Shared::String> > const&) (engine.cpp:1199)
==24271== by 0xCA981A: AGS::AGSEngine::run() (ags.cpp:183)
==24271== by 0x967D9D: runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) (main.cpp:307)
==24271== by 0x96968D: scummvm_main (main.cpp:604)
==24271== by 0x96535E: main (posix-main.cpp:45)
==24271==