I am the first to admit that I do not know what to look for. But, playing around with GDB, I found something that looks interesting.
It looks like the map data is being generated incorrectly.
(gdb) down
#0 0x00147458 in TR_TestBoxInBrush (trace_data=0xbfffa3bc, brush=0x1062e9bc) at src/common/tracing.c:800
800 plane = side->plane;
(gdb) down
Bottom (i.e., innermost) frame selected; you cannot go down.
(gdb) list
795 return;
796
797 for (i = 0; i < brush->numsides; i++) {
798 side = &myTile->brushsides[brush->firstbrushside + i];
799 #ifdef COMPILE_UFO
800 plane = side->plane;
801 #else
802 plane = myTile->planes + side->planenum;
803 #endif
804
(gdb) p i
$15 = 0
(gdb) p side
$16 = (cBspBrushSide_t *) 0x3a8ab02c
(gdb) p *side
Cannot access memory at address 0x3a8ab02c
(gdb) p *brush
$17 = {
contentFlags = 16777216,
numsides = 134217728,
firstbrushside = 571998208,
checkcount = 1
}
(gdb) up
#1 0x00147a30 in TR_TestInLeaf (trace_data=0xbfffa3bc, leafnum=11) at src/common/tracing.c:900
900 TR_TestBoxInBrush(trace_data, b);
(gdb) list
895 continue; /* already checked this brush in another leaf */
896 b->checkcount = checkcount;
897
898 if (!(trace_data->contents && b->contentFlags & trace_data->contents) || (b->contentFlags & trace_data->rejects))
899 continue;
900 TR_TestBoxInBrush(trace_data, b);
901 if (!trace_data->trace.fraction)
902 return;
903 }
904 }
(gdb) p b
$18 = (cBspBrush_t *) 0x1062e9bc
(gdb) p *b
$19 = {
contentFlags = 16777216,
numsides = 134217728,
firstbrushside = 571998208,
checkcount = 1
}
877 static void TR_TestInLeaf (boxtrace_t *trace_data, int leafnum)
878 {
879 int k;
880 const TR_LEAF_TYPE *leaf;
881 TR_TILE_TYPE *myTile = trace_data->tile;
882
883 assert(leafnum > LEAFNODE);
884 assert(leafnum <= myTile->numleafs);
(gdb)
885
886 leaf = &myTile->leafs[leafnum];
887 if (!(leaf->contentFlags & trace_data->contents) || (leaf->contentFlags & trace_data->rejects))
888 return;
889
890 /* trace line against all brushes in the leaf */
891 for (k = 0; k < leaf->numleafbrushes; k++) {
892 const int brushnum = myTile->leafbrushes[leaf->firstleafbrush + k];
893 cBspBrush_t *b = &myTile->brushes[brushnum];
894 if (b->checkcount == checkcount)
(gdb) p brushnum
$20 = 537
(gdb) p leaf
$21 = (const cBspLeaf_t *) 0x29c6f084
(gdb) p *leaf
$22 = {
contentFlags = 1,
firstleafbrush = 2,
numleafbrushes = 1
}
Leaf looks good, but brushnum looks bad. So part of trace_data looks good, and part of it scrambled.
(gdb) p myTile
$23 = (mapTile_t *) 0x5bfbf54
(gdb) p *myTile
$24 = {
name = "wilderness", '\0' <repeats 53 times>,
numbrushsides = 8155,
brushsides = 0x29cab02c,
numtexinfo = 1767,
surfaces = 0x29c4e02c,
numplanes = 9290,
planes = 0x29c7d02c,
numnodes = 6939,
nodes = 0x29cbb02c,
numleafs = 6946,
leafs = 0x29c6f02c,
emptyleaf = 1,
numleafbrushes = 2598,
leafbrushes = 0x1062b22c,
nummodels = 258,
models = 0x2950902c,
numbrushes = 732,
brushes = 0x1062c82c,
box_planes = 0x29caa5f4,
box_headnode = 6939,
box_brush = 0x1062f5ec,
box_leaf = 0x29c7c93c,
tnodes = 0x29cf902c,
numtheads = 6,
thead = {0, 24, 920, 1680, 6412, 6478, 0 <repeats 252 times>},
theadlevel = {0 <repeats 258 times>},
numcheads = 153,
cheads = {{
cnode = 0,
level = 0
}, {
cnode = 17,
level = 0
}, {
cnode = 24,
level = 252
}, {
cnode = 157,
level = 252
}, {
cnode = 331,
level = 252
}, {
cnode = 361,
level = 252
}, {
... snip ...
}, {
cnode = 6922,
level = 257
}, {
cnode = 6928,
level = 257
}, {
cnode = 0,
level = 0
} <repeats 65383 times>},
wpMins = {128, 118, 0},
wpMaxs = {193, 197, 7}
}
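There's enough obviously meaningful information in there that I don't suspect an invalid pointer, but some of the data in there is invalid -- it's crashing in the next subroutine down, where brush->firstbrushside + i is used as an index into brushsides with no range check in the listed lines, and firstbrushside = 571998208 is far beyond numbrushsides = 8155. The bad brush fields also look like small values with their bytes reversed (16777216 is 0x01000000, 134217728 is 0x08000000, 571998208 is 0x22180000), so the brushes may have missed a byte-order conversion when the map was loaded; that is only a guess from the numbers.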
(gdb) p k
$25 = 0
(gdb) p leafnum
$26 = 11
(gdb) p leaf
$27 = (const cBspLeaf_t *) 0x29c6f084
(gdb) p *leaf
$28 = {
contentFlags = 1,
firstleafbrush = 2,
numleafbrushes = 1
}
(gdb) p brushnum
$29 = 537
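Looks a little high, though it is still below numbrushes = 732 in the tile dump above, so the index itself is in range; it is the contents of that brush that look scrambled.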
Some earlier looking around:
(gdb) up
#2 0x00148720 in TR_BoxTrace (tile=0x5bfbf54, start=0xbfffba10, end=0xbfffba10, mins=0xbfffb9f8, maxs=0xbfffba04, headnode=0, brushmask=-1, brushreject=0, fraction=2) at src/common/tracing.c:1106
1106 TR_TestInLeaf(&trace_data, leafs[i]);
(gdb) list
1101 c2[i] += 1;
1102 }
1103
1104 numleafs = TR_BoxLeafnums_headnode(&trace_data, c1, c2, leafs, MAX_LEAFS, headnode, &topnode);
1105 for (i = 0; i < numleafs; i++) {
1106 TR_TestInLeaf(&trace_data, leafs[i]);
1107 if (trace_data.trace.allsolid)
1108 break;
1109 }
1110 VectorCopy(start, trace_data.trace.endpos);
(gdb) p i
$12 = 4
(gdb) p numleafs
$13 = 11
(gdb) p leafs
$14 = {1, 6, 8, 10, 11, 12, 13, 14, 15, 17, 18, 0, 0, 0, 0, -- snip --
Numleafs looks good, and this isn't the first time through the loop. So the data seems to be partially valid, and partially invalid.
As a side note: Do not use "i" as an array subscript. Reason: The notation "[ i ]" in code triggers bbcode ...