CTD with 20071008 zip

mpmq · Post by **mpmq** » Tue Oct 16, 2007 11:54 pm

I get a CTD anytime I try and click a link to the spell scroll for Speed of Ellowind Rk. II.

It looks like it crashes because it thinks it needs to display a DD dmg component of the spell, which it does not have.

I've re-downloaded the zip and rebuilt everything and it still crashes in the same spot every time. Debug info is attached.

Debug spew output:

The thread 0x4CC has exited with code 0 (0x0).
nonexclusive mode
[MQ2]MQ2Map::OnAddSpawn(Rejection) = 13255
[MQ2]MQ2Map::OnRemoveSpawn(Kias) = 12787
[MQ2]MQ2Map::OnRemoveSpawn(Lebtik's_corpse0) = 12961
[MQ2]MQ2Map::OnRemoveSpawn(Nicknick) = 12959
[MQ2]count = 192

[MQ2]count = 20

[MQ2]Adding WndNotification target 'ItemDisplayWindow'
[MQ2]Adding WndNotification target 'IDW_ItemDescriptionTab'
[MQ2]Adding WndNotification target 'IDW_ItemLoreTab'

Disassembly:

0154CFE0 je __output+22Dh (0154cde3)
0154CFE6 dec eax
0154CFE7 dec eax
0154CFE8 je __output+4E9h (0154d09f)
0154CFEE sub eax,3
0154CFF1 jne __output+60Ah (0154d1c0)
0154CFF7 mov dword ptr [ebp-2Ch],27h
0154CFFE jmp __output+486h (0154d03c)
0154D000 sub eax,ecx
0154D002 sar eax,1
0154D004 jmp __output+607h (0154d1bd)
0154D009 test ecx,ecx
0154D00B jne __output+460h (0154d016)
0154D00D mov ecx,dword ptr [___nullstring (0157eae8)]
0154D013 mov dword ptr [ebp-8],ecx
0154D016 mov eax,ecx
0154D018 mov edx,esi
0154D01A dec esi
0154D01B test edx,edx
0154D01D je __output+471h (0154d027)
crash point------>0154D01F cmp byte ptr [eax],0
0154D022 je __output+471h (0154d027)
0154D024 inc eax
0154D025 jmp __output+462h (0154d018)
0154D027 sub eax,ecx
0154D029 jmp __output+607h (0154d1bd)
0154D02E mov dword ptr [ebp-10h],8
0154D035 mov dword ptr [ebp-2Ch],7
0154D03C test byte ptr [ebp-4],80h
0154D040 mov dword ptr [ebp-0Ch],10h
0154D047 je __output+4F0h (0154d0a6)
0154D049 mov al,byte ptr [ebp-2Ch]
0154D04C mov byte ptr [ebp-16h],30h
0154D050 add al,51h
0154D052

Call Stack:

MQ2MAIN! _output + 1129 bytes
MQ2MAIN! sprintf + 46 bytes
ShowSpellSlotInfo(EQData::_SPELL * 0x07218428, char * 0x00126965) line 2614 + 5 bytes
MQ2ITEMDISPLAY! ItemDisplayHook::ItemSetSpell_Detour(int,bool,int) + 1677 bytes
MQ2ITEMDISPLAY! ItemDisplayHook::SetItem_Detour(class EQClasses::EQ_Item *,bool) + 8477 bytes
EQGAME! 005a4cb5()
EQGAME! 00484e1b()
EQGAME! 00631f70()
e1300d3b()

MQ2Utilities.cpp:

Code: Select all

        sprintf(szTemp, "Increase experience rate by %d percent.",pSpell->Base[i]); 
         strcat(szBuff, szTemp); 
         break; 
      case 339: //Cast DoT as well 
         sprintf(szTemp, "Cast DoT as Well(%d%% Chance, Spell: %s)", pSpell->Base[i], GetSpellNameByID(pSpell->Base2[i])); 
        strcat(szBuff, szTemp); 
         break; 
      case 340: //Cast DD as well 
[b]CRASH HERE ---->[/b]        sprintf(szTemp, "Cast DD as Well(%d%% Chance, Spell: %s)", pSpell->Base[i], GetSpellNameByID(pSpell->Base2[i])); 
         strcat(szBuff, szTemp); 
         break;

dont_know_at_all · Post by **dont_know_at_all** » Wed Oct 17, 2007 4:08 am

Is that spell on an item or were you displaying the scroll?

mpmq · Post by **mpmq** » Wed Oct 17, 2007 4:14 am

dont_know_at_all wrote:Is that spell on an item or were you displaying the scroll?

The spell scroll. Sorry, I should have been clearer about that.

Here is a link to the Allakazam entry for the item I'm trying to click:

http://everquest.allakhazam.com/db/item.html?item=53591

dont_know_at_all · Post by **dont_know_at_all** » Wed Oct 17, 2007 4:27 am

Cool. That's enough data to fix it. I'll crash it tomorrow with this item and have a look at the spell info calcs. According to lucy, there should be no attribute with a value of 340...

dont_know_at_all · Post by **dont_know_at_all** » Wed Oct 17, 2007 1:34 pm

Doesn't crash for me. It even displays the correct data. Do you have the latest build?

SemaJynot · Post by **SemaJynot** » Wed Oct 17, 2007 6:32 pm

Not just the OP. I just downloaded to make sure latest source, recompiled, did a /link Ellowind and clicked the rk2 scroll, and boom to desktop.

I've had this occur when inspecting some buffs as well, I'll keep an eye out for which do it and keep a list.

mpmq · Post by **mpmq** » Wed Oct 17, 2007 7:04 pm

dont_know_at_all wrote:Doesn't crash for me. It even displays the correct data. Do you have the latest build?

Yes. as I stated above I've re-downloaded the latest zip several times and rebuilt and it still crashes on me.

And like Sema, I've had it crash a few times while inspecting some buffs. I'll try and get a list of those too.

dont_know_at_all · Post by **dont_know_at_all** » Wed Oct 17, 2007 7:34 pm

I have some bazaar search macros that I use that display a large number items (you have to display them to get access to the DisplayItem TLO) and I haven't seen any of these crashes.

Are you sure that MQ2ItemDisplay was built from the same tree as MQ2Main?

One other piece of data: when it crashes and there is this line:
ShowSpellSlotInfo(EQData::_SPELL * 0x07218428, char * 0x00126965) line 2614 + 5 bytes

Can you do a "dt -r3 XXX EQData::_SPELL", where XXX is the address of the _SPELL in that line?

dont_know_at_all · Post by **dont_know_at_all** » Thu Oct 18, 2007 1:08 am

ieatacid suggested this fix:
line 2246 of MQ2Utilities.cpp

Code: Select all

sprintf(szTemp, "Chance to Critical Hit for %s by %d%%", [color=red]szSkills[pSpell->Base2[i]][/color],pSpell->Base[i]);

to

Code: Select all

sprintf(szTemp, "Chance to Critical Hit for %s by %d%%", [color=green]pSpell->Base2[i]>=0?szSkills[pSpell->Base2[i]]:"All Skills"[/color],pSpell->Base[i]);

SemaJynot · Post by **SemaJynot** » Thu Oct 18, 2007 5:51 pm

That fixed it.

mpmq · Post by **mpmq** » Thu Oct 18, 2007 6:30 pm

That fixed it for me also. Thanks!

mpmq · Post by **mpmq** » Sat Oct 20, 2007 2:00 am

Just wondering...

I was seeing it the problem with MQ compiled with Visual Studio 6 (with all service packs). How about you Sema?

Downloaded the VS 2008 beta on a different computer and it didn't see the problem with fresh zip download/compile (different OS also, XP vs Vista). I'm guessing dkaa was using something more current than VS6.

dont_know_at_all · Post by **dont_know_at_all** » Sat Oct 20, 2007 3:18 am

Yes, I can repro the problem with vc6.

With vc6, only two bytes are reserved before szSkills:

Code: Select all

        ORG $+2
_szSkills DD    FLAT:??_C@_08BHNM@1H?5Blunt?$AA@

With vc7+, six bytes are reserved before szSkills:

Code: Select all

        ORG $+6
_szSkills DD    FLAT:??_C@_08FONAOEFJ@1H?5Blunt?$AA@

When Base2 was -1, the pointer would be grabbed from szSkill-4. Since there were only 2 bytes of zeros with vc6, the pointer would likely be non-NULL and also not valid. sprintf is smart enough to handle a NULL pointer.

mpmq · Post by **mpmq** » Sat Oct 20, 2007 5:11 am

Nice debugging there....

I have to ask, who is the chick with the orange hair? I know I've seen that before, but can't quite place it....

TMS · Post by **TMS** » Sat Oct 20, 2007 5:31 am

mpmq wrote:Nice debugging there....

I have to ask, who is the chick with the orange hair? I know I've seen that before, but can't quite place it....

The 5th Element, Name is Milla Jovovich.

I really dislike this movie, but it's very popular :-)