DREAMWEB: crash due to failed assertion in DreamWebEngine::deleteExFrame

[huntekye]

Version:
I encountered this issue first on ScummVM 2.8.1, and then built it from git with no change to the outcome.

For me the problem occurs at a specific point in the game, at which point the game crashes.
To reproduce:
I installed DreamWeb on Arch using the package manager yay, and confirmed that the bug occurs using both Sway (Wayland) and i3 (X11). In the game, while trying to leave the DreamWeb after killing General Stirling, Ryan uses the key to be transported back to Spark's bar, but at the moment that it seems the scene should change, instead the game crashes. Below is the full output I get from the dreamweb process:

$ scummvm -v
ScummVM 2.8.1 (Mar 16 2024 08:27:46)
Using SDL backend with SDL 2.30.8
Features compiled in: TAINTED Vorbis FLAC MP3 ALSA SEQ sndio TiMidity RGB zLib MPEG2 FluidSynth Theora AAC A/52 FreeType2 FriBiDi JPEG PNG GIF TTS cloud (servers, local) ENet SDL2 TinyGL OpenGL (with shaders)
$ dreamweb
WARNING: Couldn't initialize text to speech through speech-dispatcher!
User picked target 'dreamweb' (engine ID 'dreamweb', game ID 'dreamweb')...
   Looking for a plugin supporting this target... DreamWeb
Running DreamWeb (CD/DOS/English)
dreamweb.r00: 3b5c87717fc40cc5a5ae19c155662ee3, 152918 bytes.
dreamweb.r02: d6fe5e3590ec1eea42ff65c10b023e0f, 198681 bytes.
WARNING: Unknown scaler; defaulting to 1!
scummvm: engines/dreamweb/object.cpp:448: void DreamWeb::DreamWebEngine::deleteExFrame(uint8): Assertion `frame->ptr() + frame->width*frame->height <= _vars._exFramePos' failed.
/usr/bin/dreamweb: line 3: 37666 Aborted                 (core dumped) scummvm "$@" -f -p /usr/share/dreamweb dreamweb

And again with the git version of ScummVM:

$ scummvm -v
ScummVM 2.9.0git (Oct 24 2024 20:23:21)
Using SDL backend with SDL 2.30.8
Features compiled in: TAINTED Vorbis FLAC MP3 ALSA SEQ sndio TiMidity RGB zLib MPEG2 FluidSynth OpenMPT Theora VPX AAC A/52 FreeType2 FriBiDi JPEG PNG GIF TTS cloud (servers, local) ENet SDL2 TinyGL OpenGL (with shaders) 
$ dreamweb 
WARNING: DebugManager::addDebugChannels(): No debug channels were added, list is empty!
WARNING: DebugManager::addDebugChannels(): No debug channels were added, list is empty!
WARNING: Couldn't initialize text to speech through speech-dispatcher!
User picked target 'dreamweb' (engine ID 'dreamweb', game ID 'dreamweb')...
Running DreamWeb (CD/DOS/English)
dreamweb.r00: 3b5c87717fc40cc5a5ae19c155662ee3, 152918 bytes.
dreamweb.r02: d6fe5e3590ec1eea42ff65c10b023e0f, 198681 bytes.
WARNING: Unknown scaler; defaulting to 1!
scummvm: engines/dreamweb/object.cpp:448: void DreamWeb::DreamWebEngine::deleteExFrame(uint8): Assertion `frame->ptr() + frame->width*frame->height <= _vars._exFramePos' failed.
/usr/bin/dreamweb: line 3: 124674 Aborted                 (core dumped) scummvm "$@" -f -p /usr/share/dreamweb dreamweb

Where the last two lines seem to describe that ​this assertion failed. It's unclear to me exactly what a frame is in this context, but on the chance that this is related to the size of the screen/window, the following information might be helpful: Since I'm running on a MacBook Pro 14,1, the resolution is fairly high, 2560x1600, and although I usually run with Sway with the output scaled to 1.5, I checked that the problem is the same with the nominal scaling as well.
I've attached a save file, DREAMWEB.D01, at the correct point in the game, so one should simply have to load the game, walk to the plinth, use the key on it, and wait a few moments for the game to crash.

Game language:
English.

Game Version:
DreamWeb was downloaded from ​http://downloads.sourceforge.net/scummvm/dreamweb-cd-uk-1.1.zip, and when run it seems to report its version as Running DreamWeb (CD/DOS/English).

My system:

$ neofetch --off
OS: Arch Linux x86_64 
Host: MacBookPro14,1 1.0 
Kernel: 6.9.7-arch1-1 
Uptime: 4 hours, 30 mins 
Packages: 1552 (pacman) 
Shell: bash 5.2.37 
Resolution: 2560x1600 
WM: sway 
Theme: Arc-Dark [GTK2/3] 
Icons: Arc [GTK2/3] 
Terminal: terminator 
CPU: Intel i5-7360U (4) @ 3.600GHz 
GPU: Intel Iris Plus Graphics 640 
Memory: 6485MiB / 15860MiB 

Save game:
Attached; DREAMWEB.D01

[huntekye]

I've done a bit more digging on this and got debugger output from scummvm and some stacktraces from the coredump! I also noticed that the dreamweb wrapper script that came with the Arch package was forcing fullscreen mode, so I double checked that windowed mode doesn't change anything—it still crashes in exactly the same way.

Debugging output (in this case from the test I did of windowed output):

$ scummvm -d9 --debugflags=Animation,SaveLoad -F -p /usr/share/dreamweb dreamweb
Debuglevel (from command line): 9
WARNING: DebugManager::addDebugChannels(): No debug channels were added, list is empty!
WARNING: DebugManager::addDebugChannels(): No debug channels were added, list is empty!
WARNING: Couldn't initialize text to speech through speech-dispatcher!
Using SDL Video Driver "wayland"
OpenGL: GL context initialized
OpenGL version: 4.6 (Compatibility Profile) Mesa 24.2.4-arch1.1
OpenGL vendor: Intel
OpenGL renderer: Mesa Intel(R) Iris(R) Plus Graphics 640 (Kaby Lake GT3e) (KBL GT3)
OpenGL: version 4.6
OpenGL: GLSL version string: 4.60
OpenGL: GLSL version: 460
OpenGL: Max texture size: 16384
OpenGL: NPOT texture support: 1
OpenGL: Shader support: 1
OpenGL: Shader support for engines: 1
OpenGL: Multitexture support: 1
OpenGL: FBO support: 1
OpenGL: Multisample FBO support: 1
OpenGL: Multisample max number: 16
OpenGL: Packed pixels support: 1
OpenGL: Packed depth stencil support: 1
OpenGL: Unpack subimage support: 1
OpenGL: OpenGL ES depth 24 support: 0
OpenGL: Texture edge clamping support: 1
OpenGL: Texture border clamping support: 1
OpenGL: Texture mirror repeat support: 1
OpenGL: Texture max level support: 1
Invalid joystick: 0
creating SurfaceSDL graphics manager
creating OpenGL graphics manager
creating SurfaceSDL graphics manager
Using SDL Audio Driver "pulseaudio"
Output sample rate: 44100 Hz
Output buffer size: 1024 samples
Output channels: 2
HardwareInput with ID 'JOY_START' not known
HardwareInput with ID 'JOY_LEFT_STICK_Y-' not known
HardwareInput with ID 'JOY_LEFT_STICK_Y+' not known
HardwareInput with ID 'JOY_LEFT_STICK_X-' not known
HardwareInput with ID 'JOY_LEFT_STICK_X+' not known
HardwareInput with ID 'JOY_RIGHT_SHOULDER' not known
CPU extensions:
SSE2(enabled) AVX2(enabled) NEON(not supported)
User picked target 'dreamweb' (engine ID 'dreamweb', game ID 'dreamweb')...
Totally found 1 matches
Running DreamWeb (CD/DOS/English)
dreamweb.r00: 3b5c87717fc40cc5a5ae19c155662ee3, 152918 bytes.
dreamweb.r02: d6fe5e3590ec1eea42ff65c10b023e0f, 198681 bytes.
HardwareInput with ID 'JOY_A' not known
HardwareInput with ID 'JOY_B' not known
HardwareInput with ID 'JOY_LEFT_SHOULDER' not known
HardwareInput with ID 'JOY_Y' not known
HardwareInput with ID 'JOY_X' not known
HardwareInput with ID 'JOY_UP' not known
HardwareInput with ID 'JOY_DOWN' not known
HardwareInput with ID 'JOY_LEFT' not known
HardwareInput with ID 'JOY_RIGHT' not known
Setting 640 x 480 -> 640 x 480 -- 1
FSDirectory::createReadStreamForMember('gui-icons.dat') -> '/usr/share/scummvm/gui-icons.dat'
Opening hashed: gui-icons.dat
FSDirectory::createReadStreamForMember('gui-icons.dat') -> '/usr/share/scummvm/gui-icons.dat'
generateZipSet: Loaded pack file: gui-icons.dat
Opening hashed: THEMERC
Opening hashed: THEMERC
Opening hashed: THEMERC
Opening hashed: THEMERC
Opening hashed: THEMERC
Opening hashed: THEMERC
Opening hashed: THEMERC
Opening hashed: THEMERC
Loading theme scummremastered.zip
Opening hashed: THEMERC
FSDirectory::createReadStreamForMember('fonts.dat') -> '/usr/share/scummvm/fonts.dat'
Opening hashed: FreeSansBold.ttf
FSDirectory::createReadStreamForMember('fonts.dat') -> '/usr/share/scummvm/fonts.dat'
Opening hashed: FreeSans.ttf
FSDirectory::createReadStreamForMember('fonts.dat') -> '/usr/share/scummvm/fonts.dat'
Opening hashed: FreeSans.ttf
FSDirectory::createReadStreamForMember('fonts.dat') -> '/usr/share/scummvm/fonts.dat'
Opening hashed: SourceCodeVariable-Roman.ttf
Finished loading theme scummremastered.zip
WARNING: Unknown scaler; defaulting to 1!
	gettime: 12:14:29
	gettime: 12:14:29
FSDirectory::createReadStreamForMember('DREAMWEB.C00') -> '/usr/share/dreamweb/DREAMWEB.C00'
Opening hashed: DREAMWEB.C00
FSDirectory::createReadStreamForMember('DREAMWEB.G00') -> '/usr/share/dreamweb/DREAMWEB.G00'
Opening hashed: DREAMWEB.G00
FSDirectory::createReadStreamForMember('DREAMWEB.G01') -> '/usr/share/dreamweb/DREAMWEB.G01'
Opening hashed: DREAMWEB.G01
FSDirectory::createReadStreamForMember('DREAMWEB.S00') -> '/usr/share/dreamweb/DREAMWEB.S00'
Opening hashed: DREAMWEB.S00
FSDirectory::createReadStreamForMember('DREAMWEB.T80') -> '/usr/share/dreamweb/DREAMWEB.T80'
Opening hashed: DREAMWEB.T80
FSDirectory::createReadStreamForMember('DREAMWEB.T84') -> '/usr/share/dreamweb/DREAMWEB.T84'
Opening hashed: DREAMWEB.T84
loadSounds(0, DREAMWEB.V99)
FSDirectory::createReadStreamForMember('DREAMWEB.V99') -> '/usr/share/dreamweb/DREAMWEB.V99'
Opening hashed: DREAMWEB.V99
table size = 72
offset: 00000000, size: 18432
offset: 00004800, size: 12288
offset: 00007800, size: 24576
offset: 0000d800, size: 53248
offset: 0001a800, size: 135168
offset: 0003b800, size: 57344
offset: 00049800, size: 92160
offset: 00060000, size: 86016
offset: 00075000, size: 49152
offset: 00081000, size: 163840
offset: 000a9000, size: 4096
offset: 000aa000, size: 6144
FSDirectory::createReadStreamForMember('DREAMWEB.PAL') -> '/usr/share/dreamweb/DREAMWEB.PAL'
Opening hashed: DREAMWEB.PAL
FSDirectory::createReadStreamForMember('DREAMWEB.G08') -> '/usr/share/dreamweb/DREAMWEB.G08'
Opening hashed: DREAMWEB.G08
DreamWebEngine::processEvents() KeyDown keycode:312 ascii:0x00
DreamWebEngine::processEvents() KeyDown keycode:303 ascii:0x00
DreamWebEngine::processEvents() KeyDown keycode:312 ascii:0x00
DreamWebEngine::processEvents() KeyDown keycode:312 ascii:0x00
DreamWebEngine::processEvents() KeyDown keycode:303 ascii:0x00
DreamWebEngine::processEvents() KeyDown keycode:32 ascii:0x20
key pressed = 0020
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:276 ascii:0x114
DreamWebEngine::processEvents() KeyDown keycode:276 ascii:0x114
DreamWebEngine::processEvents() KeyDown keycode:276 ascii:0x114
DreamWebEngine::processEvents() KeyDown keycode:276 ascii:0x114
DreamWebEngine::processEvents() KeyDown keycode:276 ascii:0x114
DreamWebEngine::processEvents() KeyDown keycode:276 ascii:0x114
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
DreamWebEngine::processEvents() KeyDown keycode:275 ascii:0x113
### This is ~ the point when the key is put in the plinth ###
DreamWebEngine::processEvents() KeyDown keycode:311 ascii:0x00
Setting 640 x 480 -> 640 x 480 -- 1
Loading theme scummremastered.zip
Opening hashed: THEMERC
Finished loading theme scummremastered.zip
HardwareInput with ID 'JOY_A' not known
HardwareInput with ID 'JOY_Y' not known
HardwareInput with ID 'JOY_UP' not known
HardwareInput with ID 'JOY_DOWN' not known
HardwareInput with ID 'JOY_LEFT' not known
HardwareInput with ID 'JOY_RIGHT' not known
	gettime: 12:14:53
loadPosition: slot 1 filename DREAMWEB.D01
FSDirectory::createReadStreamForMember('DREAMWEB.R47') -> '/usr/share/dreamweb/DREAMWEB.R47'
Opening hashed: DREAMWEB.R47
loadRoomsSample(sample:35)
cancelCh1()
stopSound(1)
loadSounds(1, DREAMWEB.V35)
FSDirectory::createReadStreamForMember('DREAMWEB.V35') -> '/usr/share/dreamweb/DREAMWEB.V35'
Opening hashed: DREAMWEB.V35
table size = 60
offset: 00000000, size: 1136640
offset: 00115800, size: 36864
offset: 0011e800, size: 30720
offset: 00126000, size: 53248
offset: 00133000, size: 53248
offset: 00140000, size: 118784
offset: 0015d000, size: 2048
offset: 0015d800, size: 223232
offset: 00194000, size: 133120
offset: 001b4800, size: 20480
playChannel0(index:12, repeat:255)
playSound(channel:0, id:12, loops:255)
playChannel1(index:14)
playSound(channel:1, id:14, loops:1)
playChannel1(index:13)
playSound(channel:1, id:13, loops:1)
playChannel1(index:15)
playSound(channel:1, id:15, loops:1)
playChannel1(index:16)
playSound(channel:1, id:16, loops:1)
FSDirectory::createReadStreamForMember('DREAMWEB.R01') -> '/usr/share/dreamweb/DREAMWEB.R01'
Opening hashed: DREAMWEB.R01
loadRoomsSample(sample:1)
cancelCh0()
stopSound(0)
cancelCh1()
stopSound(1)
loadSounds(1, DREAMWEB.V01)
FSDirectory::createReadStreamForMember('DREAMWEB.V01') -> '/usr/share/dreamweb/DREAMWEB.V01'
Opening hashed: DREAMWEB.V01
table size = 30
offset: 00000000, size: 106496
offset: 0001a000, size: 145408
offset: 0003d800, size: 30720
offset: 00045000, size: 55296
offset: 00052800, size: 4096
scummvm: engines/dreamweb/object.cpp:448: void DreamWeb::DreamWebEngine::deleteExFrame(uint8): Assertion `frame->ptr() + frame->width*frame->height <= _vars._exFramePos' failed.
Aborted (core dumped)

My immpression is that there isn't really much useful information here.

Stacktraces from as reported by coredumpctl:

$ coredumpctl dump --output=dreamweb_coredump_20241026
           PID: 14873 (scummvm)
           UID: 1000 (_____)
           GID: 1000 (_____)
        Signal: 6 (ABRT)
     Timestamp: Sat 2024-10-26 _____ (2h 56min ago)
  Command Line: scummvm -d9 --debugflags=Animation,SaveLoad -f -p /usr/share/dreamweb dreamweb
    Executable: /usr/bin/scummvm
 Control Group: /user.slice/user-1000.slice/session-1.scope
          Unit: session-1.scope
         Slice: user-1000.slice
       Session: 1
     Owner UID: 1000 (_____)
       Boot ID: 562a065adc624ba58fd59068d6e91ae8
    Machine ID: 0dbf78d7239e450c8874c026bc0be68e
      Hostname: _____
       Storage: /var/lib/systemd/coredump/core.scummvm.1000.562a065adc624ba58fd59068d6e91ae8.14873.1729959313000000.zst (present)
  Size on Disk: 7.3M
       Message: Process 14873 (scummvm) of user 1000 dumped core.
                
                Stack trace of thread 14873:
                #0  0x00007159bcca53f4 n/a (libc.so.6 + 0x963f4)
                #1  0x00007159bcc4c120 raise (libc.so.6 + 0x3d120)
                #2  0x00007159bcc334c3 abort (libc.so.6 + 0x244c3)
                #3  0x00007159bcc333df n/a (libc.so.6 + 0x243df)
                #4  0x00007159bcc44177 __assert_fail (libc.so.6 + 0x35177)
                #5  0x000062fc858a7a4b _ZN8DreamWeb14DreamWebEngine13deleteExFrameEh (scummvm + 0xf5fa4b)
                #6  0x000062fc858a7aa1 _ZN8DreamWeb14DreamWebEngine14deleteExObjectEh (scummvm + 0xf5faa1)
                #7  0x000062fc858a7e34 _ZN8DreamWeb14DreamWebEngine13resetLocationEh (scummvm + 0xf5fe34)
                #8  0x000062fc858a809a _ZN8DreamWeb14DreamWebEngine10entryAnimsEv (scummvm + 0xf6009a)
                #9  0x000062fc85909b3f _ZN8DreamWeb14DreamWebEngine8dreamwebEv (scummvm + 0xfc1b3f)
                #10 0x000062fc8590d2e0 _ZN8DreamWeb14DreamWebEngine3runEv (scummvm + 0xfc52e0)
                #11 0x000062fc84a4bf24 runGame (scummvm + 0x103f24)
                #12 0x000062fc84a639e3 scummvm_main (scummvm + 0x11b9e3)
                #13 0x000062fc849e4b8a main (scummvm + 0x9cb8a)
                #14 0x00007159bcc34e08 n/a (libc.so.6 + 0x25e08)
                #15 0x00007159bcc34ecc __libc_start_main (libc.so.6 + 0x25ecc)
                #16 0x000062fc849ed085 _start (scummvm + 0xa5085)
                
                Stack trace of thread 14897:
                #0  0x00007159bcd1a63d __poll (libc.so.6 + 0x10b63d)
                #1  0x00007159bc3049b7 n/a (libpulse.so.0 + 0x339b7)
                #2  0x00007159bc2ee45c pa_mainloop_poll (libpulse.so.0 + 0x1d45c)
                #3  0x00007159bc2f861c pa_mainloop_iterate (libpulse.so.0 + 0x2761c)
                #4  0x00007159bc2f86d1 pa_mainloop_run (libpulse.so.0 + 0x276d1)
                #5  0x00007159bc308bf2 n/a (libpulse.so.0 + 0x37bf2)
                #6  0x00007159babd52b7 n/a (libpulsecommon-17.0.so + 0x5c2b7)
                #7  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #8  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14905:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bcca2479 pthread_cond_wait (libc.so.6 + 0x93479)
                #2  0x00007159a44cecae n/a (libgallium-24.2.4-arch1.1.so + 0xcecae)
                #3  0x00007159a44ab6bc n/a (libgallium-24.2.4-arch1.1.so + 0xab6bc)
                #4  0x00007159a44cebdd n/a (libgallium-24.2.4-arch1.1.so + 0xcebdd)
                #5  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #6  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14902:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bccab63b n/a (libc.so.6 + 0x9c63b)
                #2  0x00007159be786a29 n/a (libSDL2-2.0.so.0 + 0x140a29)
                #3  0x00007159be6c084e n/a (libSDL2-2.0.so.0 + 0x7a84e)
                #4  0x00007159be7862ea n/a (libSDL2-2.0.so.0 + 0x1402ea)
                #5  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #6  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14904:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bcca2479 pthread_cond_wait (libc.so.6 + 0x93479)
                #2  0x00007159a44cecae n/a (libgallium-24.2.4-arch1.1.so + 0xcecae)
                #3  0x00007159a44ab6bc n/a (libgallium-24.2.4-arch1.1.so + 0xab6bc)
                #4  0x00007159a44cebdd n/a (libgallium-24.2.4-arch1.1.so + 0xcebdd)
                #5  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #6  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14898:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bcca2479 pthread_cond_wait (libc.so.6 + 0x93479)
                #2  0x00007159bc305aad pa_threaded_mainloop_wait (libpulse.so.0 + 0x34aad)
                #3  0x00007159be73626d n/a (libSDL2-2.0.so.0 + 0xf026d)
                #4  0x00007159be7862ea n/a (libSDL2-2.0.so.0 + 0x1402ea)
                #5  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #6  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14910:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bcca2479 pthread_cond_wait (libc.so.6 + 0x93479)
                #2  0x00007159a44cecae n/a (libgallium-24.2.4-arch1.1.so + 0xcecae)
                #3  0x00007159a44ab6bc n/a (libgallium-24.2.4-arch1.1.so + 0xab6bc)
                #4  0x00007159a44cebdd n/a (libgallium-24.2.4-arch1.1.so + 0xcebdd)
                #5  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #6  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14899:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bcca2479 pthread_cond_wait (libc.so.6 + 0x93479)
                #2  0x00007159bc305aad pa_threaded_mainloop_wait (libpulse.so.0 + 0x34aad)
                #3  0x00007159be73563d n/a (libSDL2-2.0.so.0 + 0xef63d)
                #4  0x00007159be662836 n/a (libSDL2-2.0.so.0 + 0x1c836)
                #5  0x00007159be7862ea n/a (libSDL2-2.0.so.0 + 0x1402ea)
                #6  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #7  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                
                Stack trace of thread 14911:
                #0  0x00007159bcc9fa19 n/a (libc.so.6 + 0x90a19)
                #1  0x00007159bcca2479 pthread_cond_wait (libc.so.6 + 0x93479)
                #2  0x00007159a44cecae n/a (libgallium-24.2.4-arch1.1.so + 0xcecae)
                #3  0x00007159a44ab6bc n/a (libgallium-24.2.4-arch1.1.so + 0xab6bc)
                #4  0x00007159a44cebdd n/a (libgallium-24.2.4-arch1.1.so + 0xcebdd)
                #5  0x00007159bcca339d n/a (libc.so.6 + 0x9439d)
                #6  0x00007159bcd2849c n/a (libc.so.6 + 0x11949c)
                ELF object binary architecture: AMD x86-64
More than one entry matches, ignoring rest.

It seems like the first thread is the interesting one here.

Let me know if adding the entire core file would be helpful!

[sluicebox]

Thanks for reporting this. I don't know what a dreamweb is, but this bug sounded bad so I took a look. Fix pending: ​https://github.com/scummvm/scummvm/pull/6209

This crash has been occurring since release 1.6.0 in 2013.

[sluicebox <22204938+sluicebox@…>]

In 77151b61:

DREAMWEB: Fix index overflow and crash in deleteExFrame

Fixes bug #15420

[bluegr]

Nice work @sluicebox! :)
Dreamweb is a game that contains many objects, most of which are red herrings. This would explain why this bug went undetected: people that followed a walkthrough didn't pick up unused objects.

Since @huntekye verified that this fixes the issue, I'm closing this bug.

[huntekye]

It looks like this patch might have caused a new problem:

scummvm: engines/dreamweb/backdrop.cpp:270: void DreamWeb::DreamWebEngine::showAllEx(): Assertion `currentFrame < 256' failed.

I feel like that error sort of speaks for itself, but the specific issue here was that with the patched version of ScummVM, the sprite for the "passcard" object now appears corrupted. Upon trying to drop the passcard, the game crashes with the error above.

It's true, I've picked up a lot of the useless objects because I enjoy their often-interesting descriptions.

I'll attached a new save file for this one: DREAMWEB.D06.
To reproduce this error from it: Load the saved game "game1.5_passcard", open the inventory (click on the dude's face), click on the passcard (10th position on page 3 of the inventory), drop it by moving it to the trash can, and then (try to) exit the inventory.

[sluicebox]

Thanks! I've created a new ticket: #15436