[Scummvm-tracker] [ScummVM] #10814: QFG4: Crash in cave when fighting Pit Horror below the tightrope

Vhati trac at scummvm.org
Fri Nov 23 21:32:37 CET 2018 

#10814: QFG4: Crash in cave when fighting Pit Horror below the tightrope
--------------------------------+-------------------------
  Reporter:  Vhati              |      Owner:  (none)
      Type:  defect             |     Status:  new
  Priority:  normal             |  Component:  Engine: SCI
Resolution:                     |   Keywords:  SCI32
      Game:  Quest for Glory 4  |
--------------------------------+-------------------------

Comment (by Vhati):

 @m-kiewitz:
 > how do you edit comments?

 On the right, where you see a permalink ("comment:27") hover below that,
 and buttons will appear.
 \\
 \\
 > Actually executing it would also work

 Perhaps I shouldn't have redacted my speculation. Relevant now.

 " " "
 * The author may have been acting out of a general sense that the truth
 evaluation of void funcs is erratic.
   * In the specific case of what I disassembled above, SetNowSeen() could
 exist as a pseudo-condition unaided, always non-zero. This is only because
 its stack was pushed, from acc, immediately before the callk, with an
 object arg.
   * Wrapping a void func in a bitwise OR ensures that however it compiles,
 it will evaluate to non-zero.
 " " "
 \\
 \\
 I'll quote the disasm of wipeSpell again, for juxtaposition.
 {{{
 002e:0404: 78             push1
 002e:0405: 72 10 00       lofsa horror[1694]
 002e:0408: 36             push
 002e:0409: 43 0a 02 00    callk SetNowSeen[a],  0002
 002e:040d: 36             push
 002e:040e: 35 01          ldi   01
 002e:0410: 14             or
 }}}
 \\
 \\
 I just stepped through one of those other occurrences that weirdly *was
 not* crashing.
 \\
 \\
 script 870 - attackRight::doit()
 {{{
 002d:049c: 78             push1
 Step #177110
 002d:049d: 89 c3          lsg   c3              ; 195
 Step #177111
 002d:049f: 43 0a 02 00    callk SetNowSeen[a],  0002
  Kernel params: (0060:338f)
 Step #177112
 002d:04a3: 36             push
 Step #177113
 002d:04a4: 35 01          ldi   01
 Step #177114
 002d:04a6: 14             or
 Step #177115
 }}}
 This is time, the void func 'returns' a 1.

 Which makes the OR arithmetic superficially valid. The object arg had been
 loaded directly into the stack from a global (lsg). Looking back farther,
 the last value of acc came from the **count** of arguments.

 In the event that a call's arg count were NOT pushed, the leaked
 accumulator could get weirder still, even causing the void func to
 'return' 0.

--
Ticket URL: <https://bugs.scummvm.org/ticket/10814#comment:30>
ScummVM <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list