On Mon, Sep 24, 2007 at 08:34:44AM +0200, Gerfried Fuchs wrote:
> I finally managed to get a crash from hex-a-hop again, with my debug
> built version:
...
> Hope this is helpful, if you need something more please let me know.
I think it is. I looked at the code and found the following:

class RenderObject has a member numStages, which holds a number. The allocated array member time has numStages elements. There are maxStages elements allocated. maxStages is always >= numStages. That's the theory.

However, there seems to be a bug there: time is allocated in Reserve(). This function increases maxStages if needed and allocates the new amount of elements. In other words, Reserve makes sure that time has enough memory allocated to hold the elements that are supposed to be stored in there.

A logical conclusion is that Reserve() must be called whenever numStages is increased. There is only one place where that happens, and that's in

void Add(RenderStage* s, double t);

However, the order is wrong: first Reserve() is called, and after that numStages is incremented. This can lead to referencing the last element of time which isn't allocated. I think this is the cause of the problem: the memmove from your backtrace moves the last element of time.

All the above is also true for "stage", but that doesn't make the problem any better or worse. If it would crash on that, it always crashed on "time" just before. :-)

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html
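An added illustration of the ordering bug described in the reply above: a minimal reconstruction of the Reserve()/Add() pattern, not hex-a-hop's actual code. The initial capacity of 2, the doubling growth policy, the no-argument Reserve() and the bounds check that stands in for the real heap overrun are all assumptions.

```cpp
#include <algorithm>
#include <cstring>

// Illustrative reconstruction of the Reserve()/Add() pattern from the mail.
// Member names mirror the mail; everything else is assumed.
class RenderObject {
public:
    explicit RenderObject(bool fixed) : fixedOrder(fixed) {
        maxStages = 2;                  // assumed initial capacity
        time = new double[maxStages];
    }
    ~RenderObject() { delete[] time; }

    // Returns false instead of writing when the target slot lies outside the
    // allocation, i.e. exactly where the real code would overrun the heap.
    bool Add(double t) {
        if (fixedOrder) {
            numStages++;
            Reserve();                  // grows for the NEW count
        } else {
            Reserve();                  // bug: only checks the OLD count
            numStages++;
        }
        int idx = numStages - 1;
        if (idx >= maxStages) return false;
        time[idx] = t;
        return true;
    }

private:
    // Ensures time[] can hold numStages elements, as the mail describes.
    void Reserve() {
        if (numStages <= maxStages) return;
        int newMax = std::max(numStages, maxStages * 2);
        double* grown = new double[newMax];
        std::memcpy(grown, time, sizeof(double) * maxStages);
        delete[] time;
        time = grown;
        maxStages = newMax;
    }

    bool fixedOrder;
    int numStages = 0;
    int maxStages = 0;
    double* time = nullptr;
};

// Adds n stages; returns the 1-based number of the first Add() that would
// have written past the allocation, or 0 if every element fit.
int firstOverflowingAdd(bool fixedOrder, int n) {
    RenderObject obj(fixedOrder);
    for (int i = 1; i <= n; i++)
        if (!obj.Add(i * 0.5)) return i;
    return 0;
}
```

With the original order the third Add() already targets time[2] of a 2-element array; with Reserve() moved after the increment every element fits.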