[Issue Report]: Unexpected Crash Report #7691

Open
D1-Constantine opened this issue Feb 1, 2025 · 23 comments
Labels
bug Something isn't working

Comments

@D1-Constantine

D1-Constantine commented Feb 1, 2025

Operating System

Windows x64

DevilutionX version

1.5.3

Describe

We were playing with Curses on a TCP connection when the game suddenly crashed; according to him, he did nothing specific like item-swapping, etc.
Luckily I was streaming, so I managed to get a clip out of it that you can check here: https://www.twitch.tv/d1_constantine/clip/TentativeCredulousAnacondaTBCheesePull-MoRygAJrCKSxulpz

EDIT: on further notice I saw that I was highlighting the Town Portal Curses made beforehand when the game crashed, maybe it has something to do with it.

To Reproduce

No idea

Expected Behavior

Game should not crash

Additional context

No response

@kphoenix137
Collaborator

Can you reproduce it with similar circumstances? You and the other player in a TCP game, and you highlight his Town Portal. Ideally same join order as well.

@D1-Constantine
Author

> Can you reproduce it with similar circumstances? You and the other player in a TCP game, and you highlight his Town Portal. Ideally same join order as well.

Don't think so, it's not as simple as playing TCP and highlighting a portal, it 100% has other things going on there

@kphoenix137 kphoenix137 added the bug Something isn't working label Feb 4, 2025
@Firnblut

Firnblut commented Feb 11, 2025

Crashes in TCP are not connected to townportals. I can't tell you how to reproduce it. It happens frequently and I haven't been able to recognise a pattern so far, but it happened multiple times with no portal involved.

I'm sorry, I should've watched the video before posting. When the game crashed for us, it didn't show devX not working but just disappeared completely, so it's probably a separate issue. Still leaving the comment just in case it's useful to anybody.

@StephenCWills
Member

@Firnblut How frequently does it happen (as in, how long would I have to play in order to encounter it)? Who were you playing with (was it over the internet or LAN)? We only need it to happen once while debugging to learn more.

Also, I'm not sure if there's any real difference between "devilutionx.exe has stopped working" and just outright crashing to desktop. Windows OS is a bit of a black box in this regard, and any Google search is going to flood you with generic articles on "how to fix the problem" as an end user.

@Firnblut

Firnblut commented Feb 11, 2025

@StephenCWills
It was over internet, we had 3 to 4 players in the game. Time until it happens varied a lot. Sometimes we weren't even able to enter the dungeon, sometimes we were able to clear multiple floors (in an IM run, so floors can take some time).

How do I run it in debugging? I might try to set up some TCP games and hope for it to crash.

@StephenCWills
Member

Okay, that doesn't sound very promising then. Technically, to run the game in a debugger, you only need to configure your debugger to launch the executable. But to get anything useful out of it, you'll probably need to follow the build instructions, but create a Debug build of 1.5 instead of a Release build of master. Then attach the debugger to your Debug build and place a breakpoint on line 52 of appfat.cpp. It's not really something I'd expect users to be able/willing to do.

If you're running the game on Windows, then perhaps you can find some logs in Event Viewer for me? Navigate to Windows Logs > Application and look for anything with something like "appcrash" or "Application Error" or "faulting module" in the description around the time that the crashes occurred.

@Firnblut

Firnblut commented Feb 11, 2025

@StephenCWills
Here it is:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>100</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2025-02-09T18:09:34.0135238Z" />
    <EventRecordID>126908</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>**removed**-Desktop</Computer>
    <Security />
  </System>
  <EventData>
    <Data>devilutionx.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>devilutionx.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000000048e15</Data>
    <Data>1b54</Data>
    <Data>01db7b11e1d572b8</Data>
    <Data>F:\Spiele\Diablo\Devilution1.4.1\devilutionx.exe</Data>
    <Data>F:\Spiele\Diablo\Devilution1.4.1\devilutionx.exe</Data>
    <Data>3579a8ad-0d51-43eb-b79a-3bcf4e34f14b</Data>
    <Data />
    <Data />
  </EventData>
</Event>

Note that while the folder says 1.4.1, that's actually 1.5.3, I just didn't bother renaming the folder.

@StephenCWills
Member

@Firnblut I don't suppose you can share the information under the General tab instead of the Details tab? It's unintuitive, I know, but the XML view doesn't label the fields under the EventData section.

@Firnblut

Firnblut commented Feb 11, 2025

@StephenCWills Sure thing, sorry, I didn't know what we were looking for:

Name der fehlerhaften Anwendung: devilutionx.exe, Version: 0.0.0.0, Zeitstempel: 0x00000000
Name des fehlerhaften Moduls: devilutionx.exe, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000048e15
ID des fehlerhaften Prozesses: 0x1b54
Startzeit der fehlerhaften Anwendung: 0x01db7b11e1d572b8
Pfad der fehlerhaften Anwendung: F:\Spiele\Diablo\Devilution1.4.1\devilutionx.exe
Pfad des fehlerhaften Moduls: F:\Spiele\Diablo\Devilution1.4.1\devilutionx.exe
Berichtskennung: 3579a8ad-0d51-43eb-b79a-3bcf4e34f14b
Vollständiger Name des fehlerhaften Pakets: 
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: 

Additional information: This is not an issue on a single computer, it happened to different players on different machines, so it's unlikely to be a hardware issue.

On another note: I'm not running DevX as admin, idk if it might be significant. Or maybe this can be fixed by turning off DEP for devX?

@StephenCWills
Member

Please do not run as admin or turn off DEP. DevilutionX should run fine without privilege escalation and with DEP on. We just need to figure out where offset 0x48e15 is and go from there.

To be clear, you are using devilutionx-windows-x86_64.zip, not devilutionx-windows-i386.zip, correct?

@Firnblut

Yep, that's correct.

@StephenCWills
Member

I found the line of code based on the "fehleroffset" in the crash report, with high confidence.

sprites = player.AnimationData[static_cast<size_t>(graphic)].spritesForDirection(player._pdir);

The error occurs in PlayerAnimationData::spritesForDirection() because there is no sprite list for the direction that was passed in.

No telling whether this is the same error @D1-Constantine encountered, but it could be. Rather, there's no way to tell at this point, so we should probably just assume that it is.

@AJenbo
Member

AJenbo commented Feb 11, 2025

Can you also please get an MD5 sum of your diabdat.mpq

@StephenCWills
Member

Actually, rather than a buffer overrun due to the sprite list being too short, it may be more likely that sprites is std::nullopt...

devilutionX/Source/player.h

Lines 204 to 207 in d92bdd2

[[nodiscard]] ClxSpriteList spritesForDirection(Direction direction) const
{
	return (*sprites)[static_cast<size_t>(direction)];
}

I was able to reproduce a similar error with the following change.

diff --git a/Source/player.cpp b/Source/player.cpp
index e5c3dcc12..84e4a098e 100644
--- a/Source/player.cpp
+++ b/Source/player.cpp
@@ -2049,6 +2049,9 @@ void LoadPlrGFX(Player &player, player_graphic graphic)
 	if (animationData.sprites)
 		return;
 
+	if (DebugToggle)
+		return;
+
 	const HeroClass cls = GetPlayerSpriteClass(player._pClass);
 	const PlayerWeaponGraphic animWeaponId = GetPlayerWeaponGraphic(graphic, static_cast<PlayerWeaponGraphic>(player._pgfxnum & 0xF));
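
Review bot: the added `if (DebugToggle) return;` in LoadPlrGFX() sits directly after the `animationData.sprites` check, so it always exits with `sprites` still empty and gives the caller no signal that nothing was loaded. That is fine as a local reproduction aid but should not be merged as is. If the real early-return paths behave the same way, consider having the function report the failure (a bool return or a log line) so callers can skip the sprite lookup instead of dereferencing an empty value.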

There are a handful of possibilities that could cause LoadPlrGFX() to return early like this.

  • Attack animation in town
  • Hit recovery animation in town
  • Death animation with weapon
  • Block animation in town
  • Block animation when not equipped for blocking

However, I don't know how to trigger any of these possibilities during normal play.

@Firnblut

Firnblut commented Feb 11, 2025

I can safely say the crash I provided the log for didn't occur while anybody was in town. It might have been somebody dying at that time though.

We had crashes with nobody dying though and I'm pretty sure we had crashes with nobody dying nor anybody in town.

We also only experienced crashes when playing over TCP. We play fairly frequently and only switched to tcp a while back. Never experienced anything like that while playing via ZeroTier.

I will provide the MD5 sum tomorrow.

@StephenCWills
Member

> We had crashes with nobody dying though and I'm pretty sure we had crashes with nobody dying nor anybody in town.

I don't suppose you have any crash logs where Fehleroffset is something other than 0x0000000000048e15?

@Firnblut

Firnblut commented Feb 12, 2025

@StephenCWills I looked through the other crash logs and yes, the others have another offset.
The one I posted first involved a death (can't really say if it was at exactly that time), the others didn't. Seems to be the same offset for all other crashes.

Name der fehlerhaften Anwendung: devilutionx.exe, Version: 0.0.0.0, Zeitstempel: 0x00000000
Name des fehlerhaften Moduls: devilutionx.exe, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0x40000015
Fehleroffset: 0x00000000001084cb
ID des fehlerhaften Prozesses: 0x1b58
Startzeit der fehlerhaften Anwendung: 0x01db7593f0d4f5b8
Pfad der fehlerhaften Anwendung: F:\Spiele\Diablo\Devilution1.4.1\devilutionx.exe
Pfad des fehlerhaften Moduls: F:\Spiele\Diablo\Devilution1.4.1\devilutionx.exe
Berichtskennung: 1905d073-a417-452a-9ee6-a7dcaa885794
Vollständiger Name des fehlerhaften Pakets: 
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: 

@AJenbo
I used https://emn178.github.io/online-tools/md5_checksum.html and it gave me this checksum: 68f049866b44688a7af65ba766bef75a

@AJenbo
Member

AJenbo commented Feb 12, 2025

md5 looks good

@StephenCWills
Member

0x00000000001084cb is the one in HandleDisconnect().

ABORT(); // we were dropped by the owner?!?

Somehow, I almost forgot about this. Maybe because we have proper exception handling in 1.6.0.

if (*newPlayer == plr_self)
	return tl::make_unexpected("We were dropped by the owner?");

@Firnblut

I will have the other players look through their crash logs. I probably wasn't the host of those games, so maybe the host's game crashing was the reason for the disconnect?

@StephenCWills
Member

StephenCWills commented Feb 12, 2025

Well, in order for the host to send a PT_DISCONNECT packet, their game client must still be running. They are created by the function SNetDropPlayer(), which gets called if a client sends a bad (out of range/unrecognized) command or times out due to the hourglass.

@Firnblut

Okay, so I have the crash reports from another player who was host for our games.

This one happened shortly after my crash that I posted the first log about.

Name der fehlerhaften Anwendung: devilutionx.exe, Version: 0.0.0.0, Zeitstempel: 0x00000000
Name des fehlerhaften Moduls: devilutionx.exe, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00000000001257f3
ID des fehlerhaften Prozesses: 0x2278
Startzeit der fehlerhaften Anwendung: 0x01db7b11a78e9e5d
Pfad der fehlerhaften Anwendung: C:\Diablo\Diablo-Mods\DevilutionX\devilutionx.exe
Pfad des fehlerhaften Moduls: C:\Diablo\Diablo-Mods\DevilutionX\devilutionx.exe
Berichtskennung: f285a0b7-ac26-41c8-94fd-8c288fe50196
Vollständiger Name des fehlerhaften Pakets: 
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: 

The logs from other crashes show 0x00000000001084cb as well.

Idk if it's of any help, but the crash logs on his system come with two additional information logs:

Fehlerbucket , Typ 0
Ereignisname: APPCRASH
Antwort: Nicht verfügbar
CAB-Datei-ID: 0

Problemsignatur:
P1: devilutionx.exe
P2: 0.0.0.0
P3: 00000000
P4: devilutionx.exe
P5: 0.0.0.0
P6: 00000000
P7: c0000005
P8: 00000000001257f3
P9: 
P10: 

Angefügte Dateien:

Diese Dateien befinden sich möglicherweise hier:
\?\C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_devilutionx.exe_32b4dcf7b233ac3e03ee53feb4cabe6179e9823_debdf4a2_dad24779-e349-4389-bea4-ee820e865f96

Analysesymbol: 
Es wird erneut nach einer Lösung gesucht: 0
Berichts-ID: f285a0b7-ac26-41c8-94fd-8c288fe50196
Berichtstatus: 4
Bucket mit Hash: 
CAB-Datei-Guid: 0

Fehlerbucket 2191094626890227333, Typ 4
Ereignisname: APPCRASH
Antwort: Nicht verfügbar
CAB-Datei-ID: 0

Problemsignatur:
P1: devilutionx.exe
P2: 0.0.0.0
P3: 00000000
P4: devilutionx.exe
P5: 0.0.0.0
P6: 00000000
P7: c0000005
P8: 00000000001257f3
P9: 
P10: 

Angefügte Dateien:
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER18F6.tmp.WERInternalMetadata.xml

Diese Dateien befinden sich möglicherweise hier:
\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_devilutionx.exe_32b4dcf7b233ac3e03ee53feb4cabe6179e9823_debdf4a2_dad24779-e349-4389-bea4-ee820e865f96

Analysesymbol: 
Es wird erneut nach einer Lösung gesucht: 0
Berichts-ID: f285a0b7-ac26-41c8-94fd-8c288fe50196
Berichtstatus: 268435456
Bucket mit Hash: 45c2dc88208bd0995e6854f4490f1e85
CAB-Datei-Guid: 0

@StephenCWills
Member

StephenCWills commented Feb 12, 2025

0x00000000001257f3 is in DrawPlayer(), specifically the call to AnimationInfo::currentSprite().

const ClxSprite sprite = player.previewCelSprite ? *player.previewCelSprite : player.AnimInfo.currentSprite();

Seems similar to the issue with CalcPlrItemVals(). Either sprites has no value or getFrameToUseForRendering() is reading out of bounds. Maybe if I was a little better at reading assembly, I could figure out which.

return (*sprites)[getFrameToUseForRendering()];

EDIT: Actually, while trying to make sense of this, I forgot there was another line of code involved here.

return LoadLE32(&data_[4 + spriteIndex * 4]);

This suggests sprites does have a value, but 4 * spriteIndex + 4 is out of bounds, so that implicates getFrameToUseForRendering() in this case.
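
The two failure modes weighed in this thread (an empty `sprites` value versus a frame index past the offset table), shown as an added example that is not DevilutionX code: a simplified model whose checked lookup reports which of the two occurred instead of reading invalid memory. `SpriteListModel`, `AnimationDataModel`, `spriteOffset`, `makeList` and the buffer layout are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Added model (not DevilutionX code; names hypothetical). Assumed layout: 4-byte
// little-endian sprite count, then one 4-byte offset per sprite.
struct SpriteListModel {
	std::vector<uint8_t> data;
	uint32_t loadLE32(size_t pos) const
	{
		return uint32_t(data[pos]) | uint32_t(data[pos + 1]) << 8
		    | uint32_t(data[pos + 2]) << 16 | uint32_t(data[pos + 3]) << 24;
	}
	uint32_t count() const { return data.size() >= 4 ? loadLE32(0) : 0; }
};
struct AnimationDataModel {
	std::optional<SpriteListModel> sprites; // stays empty if the loader returned early
};
enum class Lookup { Ok, NotLoaded, IndexOutOfRange };

// Checked equivalent of `(*sprites)[frame]` plus the `data_[4 + spriteIndex * 4]` read.
Lookup spriteOffset(const AnimationDataModel &anim, size_t frame, uint32_t &out)
{
	if (!anim.sprites)
		return Lookup::NotLoaded; // an unchecked `*sprites` here is undefined behaviour
	const SpriteListModel &list = *anim.sprites;
	if (frame >= list.count() || 4 + frame * 4 + 4 > list.data.size())
		return Lookup::IndexOutOfRange; // an unchecked read would leave the buffer
	out = list.loadLE32(4 + frame * 4);
	return Lookup::Ok;
}
// Builds a constructed list: entry 0 is the count `n`, then offsets 100, 101, ...
SpriteListModel makeList(uint32_t n)
{
	SpriteListModel list;
	for (uint32_t k = 0; k <= n; k++)
		for (int i = 0; i < 4; i++)
			list.data.push_back(uint8_t((k == 0 ? n : 99 + k) >> (8 * i)));
	return list;
}
int main()
{
	AnimationDataModel anim;
	uint32_t out = 0;
	const bool empty = spriteOffset(anim, 0, out) == Lookup::NotLoaded;
	anim.sprites = makeList(8);
	return empty && spriteOffset(anim, 8, out) == Lookup::IndexOutOfRange ? 0 : 1;
}
```

Logging the `Lookup` result at the call site would separate the two cases in a crash report without reading the disassembly.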
