Yello !

I'm fixing some pretty serious bugs in my application, and there's only a single one left. I have literally not a single clue nor anything that remotely looks like a clue about what's happening. It's all very very weird to me.

I'm almost certain that no one can help me and that I'm doomed. I really don't see how this happened, given that valgrind certified that my application is clean. I have a single error, and that's the one that crashes the game:

==16527== Invalid read of size 4
==16527== at 0x4FEED5D: asCContext::Prepare(asIScriptFunction*) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x81263EC: StatController::TraitToggled(std::string const&) (statsheet.cpp:270)
==16527== by 0x81327C3: Observatory::Signal<void (std::string const&)>::Observer<StatController>::operator()(std::string const&) (in /home/plaristote/Work/fallout-equestria/build/game)
==16527== by 0x811F0A2: Observatory::Signal<void (std::string const&)>::Emit(std::string const&) (observatory.hpp:196)
==16527== by 0x812B963: StatViewRocket::TraitClicked(Rocket::Core::Event&) (statsheet.cpp:891)
==16527== by 0x813276F: Observatory::Signal<void (Rocket::Core::Event&)>::Observer<StatViewRocket>::operator()(Rocket::Core::Event&) (in /home/plaristote/Work/fallout-equestria/build/game)
==16527== by 0x811DE0E: Observatory::Signal<void (Rocket::Core::Event&)>::Emit(Rocket::Core::Event&) (observatory.hpp:196)
==16527== by 0x811D2B4: RocketListener::ProcessEvent(Rocket::Core::Event&) (rocket_extension.hpp:10)
==16527== by 0x4E04059: Rocket::Core::EventDispatcher::TriggerEvents(Rocket::Core::Event*) (in /usr/lib/libRocketCore.so.1.2.1)
==16527== by 0x4E0428C: Rocket::Core::EventDispatcher::DispatchEvent(Rocket::Core::Element*, Rocket::Core::StringBase<char> const&, Rocket::Core::Dictionary const&, bool) (in /usr/lib/libRocketCore.so.1.2.1)
==16527== by 0x4E4355A: Rocket::Core::Element::DispatchEvent(Rocket::Core::StringBase<char> const&, Rocket::Core::Dictionary const&, bool) (in /usr/lib/libRocketCore.so.1.2.1)
==16527== by 0x4E35119: Rocket::Core::Context::ProcessMouseButtonUp(int, int) (in /usr/lib/libRocketCore.so.1.2.1)
==16527== Address 0xd3e7560 is 0 bytes inside a block of size 332 free'd
==16527== at 0x402A45C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==16527== by 0x5020EB5: asCScriptFunction::Release() const (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x501431F: asCScriptEngine::CallObjectMethod(void*, asSSystemFunctionInterface*, asCScriptFunction*) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x50143D9: asCScriptEngine::CallObjectMethod(void*, int) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FF2D47: asCGarbageCollector::DestroyOldGarbage() (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FF387F: asCGarbageCollector::AddScriptObjectToGC(void*, asCObjectType*) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x5023291: asCScriptFunction::asCScriptFunction(asCScriptEngine*, asCModule*, asEFuncType) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FF7D30: asCModule::AddScriptFunction(int, int, char const*, asCDataType const&, asCDataType*, asETypeModifiers*, asCString**, int, bool, asCObjectType*, bool, bool, bool, bool, bool, bool, asCString const&) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FA5400: asCBuilder::RegisterScriptFunction(int, asCScriptNode*, asCScriptCode*, asCObjectType*, bool, bool, asCString const&, bool) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FAAC9A: asCBuilder::RegisterNonTypesFromScript(asCScriptNode*, asCScriptCode*, asCString const&) (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FAB1DB: asCBuilder::ParseScripts() (in /usr/lib/libangelscript-2.23.1.so)
==16527== by 0x4FAB639: asCBuilder::Build() (in /usr/lib/libangelscript-2.23.1.so)

Followed by an output that isn't from valgrind:
pure virtual method called
terminate called without an active exception

It could be that the context is incorrect. So in doubt I created the context just before calling.
It could be that the function pointer is incorrect. So in doubt I re-loaded the function just before the calling as well.
I don't understand... what else could it be ?

I don't think this is relevant (I would have to post 30 000 lines of code to make it relevant, since the bug doesn't make sense at all... i guess), but here's the code that crashes:

void StatModel::ToggleTrait(const string& trait)
{
Data dtrait = _statsheet["Traits"][trait];
bool is_active = (!dtrait.Nil()) && dtrait == 1;
if (_scriptActivateTraits)
{
string tmp = trait;
bool updated;
_scriptContext = Script::Engine::Get()->CreateContext();
_scriptActivateTraits = _scriptModule->GetFunctionByDecl("bool ActivateTraits(Data, string, bool)");
_scriptContext->Prepare(_scriptActivateTraits);
_scriptContext->SetArgObject(0, &_statsheet);
_scriptContext->SetArgObject(1, &tmp);
_scriptContext->SetArgByte(2, !is_active);
_scriptContext->Execute();
if (_scriptContext->GetReturnByte())
UpdateAllValues();
_scriptContext->Release();
}
}

I'll take any advice on how to debug this.

It looks a bit odd that you first check if _scriptActivateTraits is true (or not null), then overwrite it with another function pointer. Is that logically correct?

The crash is happening because the asIScriptFunction pointer passed to Prepare() has already been released and destroyed. Is perhaps _scriptActivateTraits a smart pointer that releases the previous asIScriptFunction pointer when the new pointer is assigned? The asIScriptFunction pointer received from GetFunctionByDecl shouldn't be released, unless you manually call AddRef first.

Anyway, I suggest you set a memory breakpoint on the asIScriptFunction pointer that is freed and then accessed by Prepare. That ought to give you a clue where things is going wrong.

Regards,
Andreas