mgr.inz.Player

"Instruction at referenced memory could not be read"

4 posts in this topic

Warning: nerd stuff

So, I loaded my old save (from third playthrough).
Just for screenshots for this guy (you can skip this spoiler):

I couldn't find a way to save Todd without cheating so I noclipped into the room where the zombies were (sorry Mxthe) and killed them. However, once Matthew, Carl, Todd, and Eric got to the door which you close and put the axe between, it glitches out. The doors don't close but Matthew leans up against them as if they were. Then Carl ran out the door and died. After a few tries I was able to fix it but it still was irritating. Maybe this happened because I cheated; if it did, could someone tell me how I can save Todd?



My reply:

You just must keep trying. It is possible (without cheats).

If it is still irritating, there's another way you can cheat. Make your own barricade with:

ent_create item_ammo_crate
Load a save just before you turn off that generator. Do not turn it off. Go back and create your own barricade (between desk and wall, so NPC can't go near that ventilation). Go back, turn off the generator, stick with your group.

S5uLDsZ.gif




And again, 3 minutes later, I encountered "Red Doors of Death".
I reported it earlier in "Bug Reports and Technical Support".

http://forums.wecreatestuff.com/index.php?/topic/1959-bug-reports-and-technical-support/#entry53406
78IG704.jpg


App crash, message: "Instruction at referenced memory could not be read".
yQ4UtIS.png
(under WinXP. If you are using Win7 you will see something different)

Only this specific door. Strange thing is: on my second playthrough I didn't get "Red Doors of Death".
It happened on the first and third playthroughs.

I used a debugger, this is what I got:
DWtBsKQ.png

OK. The real error message is: "Stack overflow".

I analyzed this piece of code:

145D5350     55             PUSH EBP
145D5351     8BEC           MOV EBP,ESP
145D5353  |. 8B91 D4060000  MOV EDX,DWORD PTR DS:[ECX+6D4]
145D5359  |. 56             PUSH ESI
145D535A  |. 83FA FF        CMP EDX,-1
145D535D  |. 74 50          JE SHORT server.145D53AF
145D535F  |. 8B35 18BE9D14  MOV ESI,DWORD PTR DS:[149DBE18]          ;  server.14A5E3E0
145D5365  |. 8BC2           MOV EAX,EDX
145D5367  |. 25 FF0F0000    AND EAX,0FFF
145D536C  |. 03C0           ADD EAX,EAX
145D536E  |. 8D44C6 04      LEA EAX,DWORD PTR DS:[ESI+EAX*8+4]
145D5372  |. C1EA 0C        SHR EDX,0C
145D5375  |. 3950 04        CMP DWORD PTR DS:[EAX+4],EDX
145D5378  |. 75 35          JNZ SHORT server.145D53AF
145D537A  |. 8B30           MOV ESI,DWORD PTR DS:[EAX]
145D537C  |. 85F6           TEST ESI,ESI
145D537E  |. 74 2F          JE SHORT server.145D53AF
145D5380  |. 3950 04        CMP DWORD PTR DS:[EAX+4],EDX
145D5383  |. 75 04          JNZ SHORT server.145D5389
145D5385  |. 8BC6           MOV EAX,ESI
145D5387  |. EB 02          JMP SHORT server.145D538B
145D5389  |> 33C0           XOR EAX,EAX
145D538B  |> D945 14        FLD DWORD PTR SS:[EBP+14]
145D538E  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
145D5390  |. 8B92 74010000  MOV EDX,DWORD PTR DS:[EDX+174]
145D5396  |. 51             PUSH ECX
145D5397  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
145D539A  |. D91C24         FSTP DWORD PTR SS:[ESP]
145D539D  |. 51             PUSH ECX
145D539E  |. 8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
145D53A1  |. 51             PUSH ECX
145D53A2  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
145D53A5  |. 51             PUSH ECX
145D53A6  |. 8BC8           MOV ECX,EAX
145D53A8  |. FFD2           CALL EDX                                 ;  server.145D5350
145D53AA  |. 5E             POP ESI
145D53AB  |. 5D             POP EBP
145D53AC  |. C2 1000        RETN 10
145D53AF  |> D945 14        FLD DWORD PTR SS:[EBP+14]
145D53B2  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
145D53B5  |. 8B55 0C        MOV EDX,DWORD PTR SS:[EBP+C]
145D53B8  |. 51             PUSH ECX                                 ; /Arg4
145D53B9  |. D91C24         FSTP DWORD PTR SS:[ESP]                  ; |
145D53BC  |. 50             PUSH EAX                                 ; |Arg3
145D53BD  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
145D53C0  |. 52             PUSH EDX                                 ; |Arg2
145D53C1  |. 50             PUSH EAX                                 ; |Arg1
145D53C2  |. E8 49F6FFFF    CALL server.145D4A10                     ; \server.14534A10
145D53C7  |. 5E             POP ESI
145D53C8  |. 5D             POP EBP
145D53C9  \. C2 1000        RETN 10


I set a breakpoint at the beginning of the function (at 145D5350).
While opening normal doors, it breaks only once.
While opening double doors, it breaks once or twice (if left wing then once, if right wing then twice. Or vice versa).
While opening the BROKEN double door, this function is called endlessly.

I stepped, line-by-line. This is what I found out:
- normal doors (any, single-door) - code at 145D538B is never reached
- double doors (any, double-door) - code at 145D538B is reached 1 time or never. (depends on which wing I chose)
- BROKEN double door I found - code at 145D538B is always reached. (doesn't depend on wing I chose)

For normal door:
start at 145D5350, up to 145D535D, then from 145D53AF to 145D53C9

For double door, left wing:
start at 145D5350, up to 145D535D, then from 145D53AF to 145D53C9

For double door, right wing:
start at 145D5350, up to 145D53A8,
"CALL EDX" calls function (at 145D5350, this time for left wing), function (recursive count = 1) ends normally
then, function (recursive count = 0) ends normally

So, there is recursion. I think this function is for searching through a list or tree.
(After searching, it probably triggers the parent object... or something)

For the BROKEN double door, whichever wing, there is ENDLESS recursion:
start at 145D5350, up to 145D53A8,
"CALL EDX" - function calls itself
"CALL EDX" (recursive count = 1) - function calls itself
"CALL EDX" (recursive count = 2) - function calls itself
"CALL EDX" (recursive count = 3) - function calls itself
...
"CALL EDX" (recursive count = 901) - function calls itself
...
"CALL EDX" (recursive count = 9001) - function calls itself
...
CRASH, "Stack overflow". I see that the stack is filled with "cyclic data".

The stack, when we are at 145D53A8 while recursive count = 4, BROKEN double door, looks like this:

[esp+00] valueZ
[esp+04] valueZ
[esp+08] 3
[esp+0C] 0
[esp+10] valueB
[esp+14] dummy
[esp+18] dummy
[esp+1C] valueZ
[esp+20] valueZ
[esp+24] 3
[esp+28] 0
[esp+2C] valueA
[esp+30] dummy
[esp+34] dummy
[esp+38] valueZ
[esp+3C] valueZ
[esp+40] 3
[esp+44] 0
[esp+48] valueB
[esp+4C] dummy
[esp+50] dummy
[esp+54] valueZ
[esp+58] valueZ
[esp+5C] 3
[esp+60] 0
[esp+64] valueA

I assume that normally, if recursive count is 4 and the game doesn't crash, it should be like this:

...
[esp+10] valueD
...
[esp+2C] valueC
...
[esp+48] valueB
...
[esp+64] valueA

Also, I figured out that by placing "RETN 10" at the beginning of the function I can basically turn off:
door closing/opening, switches flipping, desk drawer moving, etc.


My patch:


I'm checking if:
[esp+10] is equal to [esp+48]
and
[esp+2C] is equal to [esp+64]

So this

...
[esp+10] valueB
...
[esp+2C] valueA
...
[esp+48] valueB
...
[esp+64] valueA

And this

...
[esp+10] valueA
...
[esp+2C] valueA
...
[esp+48] valueA
...
[esp+64] valueA

will be detected.

If both conditions are true, then an endless recursion loop is detected.
I force-quit the main function and all recursively called functions.

I don't know if it is good enough, because it treats the symptoms not the disease.

Unfortunately, user Stahlin never sent his save (crash when close to the workshop area).
So, for now, I can say this fix treats "Red Doors of Death" only. (doors I found)


I created a modified server.dll (it goes in sourcemods\Underhell\bin) and played for 50 minutes.
No "Stack overflow" crash or other errors caused by my modification.



After loading this save, do you get hl2.exe crash while trying to open this door?
http://www.mediafire.com/?89b1sa9xak4c899

After using this dll, do you still have hl2.exe crash?
http://www.mediafire.com/?ixdfwl5rrwindad
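As an added example (not code from the post or from Underhell's server.dll), here is the patch's stack check modelled in Python over a constructed stack dump using the frame layout described above (0x1C bytes per recursive call, the saved ESI at [esp+10] of each frame holding the object that call works on); the "valueX" handles and dummy words are made-up placeholders. It also generalises the check to report the period of the repetition, not only the period-1 and period-2 cases the patch catches.

```python
# Added example, not code from the post or from Underhell's server.dll.
# Frame layout is taken from the stack dump in the post: each recursive call
# of the function at 145D5350 costs 0x1C bytes, and the saved ESI at [esp+10]
# of every frame is the object that call was working on ("valueA", "valueB").
# Object handles and dummy words below are constructed placeholders.
FRAME_DWORDS = 0x1C // 4   # 7 dwords per recursion level
OBJ_SLOT = 0x10 // 4       # index of the saved-ESI slot inside a frame

def build_stack(objects, float_arg=0x3F800000):
    """Model the stack as seen at 145D53A8, innermost frame first.
    objects[0] belongs to the current call, objects[1] to its caller, ..."""
    dummy = 0xDEADBEEF     # saved EBP / return address: irrelevant to the check
    stack = []
    for obj in objects:
        # 4 pushed args (float, float, 3, 0 as in the dump), saved ESI, 2 dummies
        stack += [float_arg, float_arg, 3, 0, obj, dummy, dummy]
    return stack

def dword(stack, byte_off):
    """Read the dword at [esp+byte_off]."""
    return stack[byte_off // 4]

def patch_check(stack):
    """The post's check: [esp+10]==[esp+48] and [esp+2C]==[esp+64].
    True means the last four frames repeat with period 1 or 2, i.e. the
    function keeps bouncing between the same one or two objects."""
    if len(stack) < 0x68 // 4:      # need four full frames to compare
        return False
    return (dword(stack, 0x10) == dword(stack, 0x48)
            and dword(stack, 0x2C) == dword(stack, 0x64))

def cycle_period(stack, frames=4):
    """Generalisation: the smallest period p such that the object of frame i
    equals that of frame i+p over the frames in view; 0 means no repetition."""
    objs = [stack[i * FRAME_DWORDS + OBJ_SLOT] for i in range(frames)]
    for p in range(1, frames):
        if all(objs[i] == objs[i + p] for i in range(frames - p)):
            return p
    return 0

if __name__ == "__main__":
    broken = build_stack([0xB, 0xA, 0xB, 0xA])   # B, A, B, A: two wings cycling
    normal = build_stack([0xD, 0xC, 0xB, 0xA])   # D, C, B, A: distinct objects
    print(patch_check(broken), cycle_period(broken))   # True 2
    print(patch_check(normal), cycle_period(normal))   # False 0
```

The check only sees four frames, so a cycle longer than two objects would still recurse until the stack is exhausted; that is the "symptoms, not the disease" limitation the post itself points out.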


I barely understood about 95% of that stuff, but after I realised that this is about Todd, I couldn't stop reading. I thought it's impossible to save him.


If you have a crash to desktop* while using some doors, switches, levers or valves:

- WinXP will throw a "memory could not be read" message window, sometimes without any message
- Win7 and newer will throw "APPCRASH"

then you can try the modified file "server.dll".

*caused by a "stack overflow" exception


@Donut, uhm, this whole topic isn't about Todd. :p:
