How to debug CTD

ctd crash guide

935 replies to this topic

#1
h38fh2mf

This is a short guide on how to debug CTDs yourself.

What it means is you will try to find out as much information about the crash as possible.

First, open Data/SKSE/skse.ini; if it doesn't exist, create it.

Add this:
[Debug]
WriteMinidumps=1
Then wait for the game to crash.

Now you will have a crash dump in Documents/My Games/Skyrim/SKSE/Crashdumps

For example, something like this: 2015-05-08_16.26.42.dmp

This file is not readable by humans; it's for a debugger, but you can do online crash dump analysis. Here is one site that does this:
https://www.osronlin...fm?name=analyze

Once you submit, you will receive a bunch of text. Most of this is useless, but there are a few things that can be helpful to you or someone else.

Scroll down a bit and find the line that says:
EXCEPTION_RECORD:

Below it is the exact address in code where the game crashed. For example:

ExceptionAddress: 00d573a8 (TESV+0x009573a8)
It means that the game was executing code at address 0xD573A8. It also says that the crash occurred in module TESV. If the crash had occurred in any SKSE plugin, it would say that DLL's name as the module instead. It's still possible, though, for a crash to be caused by an SKSE plugin and happen in the TESV module.

Now why is this address helpful?

1. Someone else may have the same crash; you can compare what you both have in common to narrow down the cause.
2. Someone else may have had the same crash and already solved it.
3. I can look it up in game code to see what happens in the function; maybe it helps you narrow down the cause.
4. You can compare if the crashes you are having are the same ones or different.

It could also be helpful to catalogue known crashes in a sticky or somewhere.

If you post your crash here, include at least this information:

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00d573a8 (TESV+0x009573a8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
3684fc20 00bf2fb8 00000000 16a9a770 3684fde0 TESV+0x9573a8
3684fc50 00000000 00000000 3684fcd4 00786b68 TESV+0x7f2fb8
And everything SKSE related from Loaded Module List. Example:
0c490000 0c577000 SKSE_Elys_Uncapper SKSE_Elys_Uncapper.dll
50e00000 50e80000 nioverride nioverride.dll
51110000 51122000 enbhelper enbhelper.dll
51310000 51332000 showRaceMenu_preCacheKiller showRaceMenu_preCacheKiller.dll
51340000 5140d000 StorageUtil StorageUtil.dll
51bf0000 51c76000 chargen chargen.dll
51c80000 51c96000 SpellInvisibilityPlugin SpellInvisibilityPlugin.dll
51ca0000 51ccb000 SexLabUtil SexLabUtil.dll
51cd0000 51d23000 SchlongsOfSkyrim SchlongsOfSkyrim.dll
51d30000 51d6c000 MfgConsole MfgConsole.dll
51d70000 51d86000 ItemSoulgemPlugin ItemSoulgemPlugin.dll
51f50000 51f66000 ItemPoisonPlugin ItemPoisonPlugin.dll
51f70000 5203a000 skse_1_9_32 skse_1_9_32.dll
52290000 522e3000 FirstPersonPlugin FirstPersonPlugin.dll
522f0000 5236a000 hook hook.dll
52530000 52546000 ItemArrowPlugin ItemArrowPlugin.dll
52550000 52566000 ItemChargePlugin ItemChargePlugin.dll
525b0000 525c6000 AutoLockpickPlugin AutoLockpickPlugin.dll
525d0000 525ef000 DoubleJumpPlugin DoubleJumpPlugin.dll
Some reported crashes so far:

Spoiler

  • 21
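
The triage steps from the guide above, as an added example that is not part of the original post: a Python sketch that pulls the exception address, module and offset out of pasted analysis text, rebuilds the module's load base, and checks an address against the Loaded Module List ranges. The function names (`parse_report`, `resolve`, `signature`) are hypothetical, and the sample text is constructed from lines quoted in the post.

```python
import re

# Constructed sample: lines taken from the analysis output quoted in the post above.
SAMPLE = """\
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00d573a8 (TESV+0x009573a8)
ExceptionCode: c0000005 (Access violation)
3684fc20 00bf2fb8 00000000 16a9a770 3684fde0 TESV+0x9573a8
0c490000 0c577000 SKSE_Elys_Uncapper SKSE_Elys_Uncapper.dll
51340000 5140d000 StorageUtil StorageUtil.dll
51f70000 5203a000 skse_1_9_32 skse_1_9_32.dll
"""

ADDR_RE = re.compile(r"ExceptionAddress:\s*([0-9a-f]+)(?:\s*\((\S+?)\+0x([0-9a-f]+)\))?", re.I)
CODE_RE = re.compile(r"ExceptionCode:\s*([0-9a-f]+)", re.I)
# Loaded Module List rows: start, end, short name, file name. Stack rows do not match.
MOD_RE = re.compile(r"^([0-9a-f]{8})[ \t]+([0-9a-f]{8})[ \t]+\S+[ \t]+(\S+\.(?:dll|exe))[ \t]*$", re.I | re.M)

def parse_report(text):
    """Extract the fields the guide asks posters to include (hypothetical helper)."""
    m = ADDR_RE.search(text)
    if m is None:
        raise ValueError("no ExceptionAddress line found")
    addr = int(m.group(1), 16)
    offset = int(m.group(3), 16) if m.group(3) else None
    code = CODE_RE.search(text)
    return {
        "address": addr,
        "module": m.group(2),  # None when the analysis names no module
        "offset": offset,
        # Load base of the faulting module: absolute address minus module offset.
        "base": addr - offset if offset is not None else None,
        "code": int(code.group(1), 16) if code else None,
        "modules": [(int(s, 16), int(e, 16), n) for s, e, n in MOD_RE.findall(text)],
    }

def resolve(addr, modules):
    """Name of the listed module whose [start, end) range holds addr, else None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None

def signature(report):
    """Key that stays the same across runs, for comparing two crashes."""
    if report["module"] is None:
        return "unknown+0x%x" % report["address"]
    return "%s+0x%x" % (report["module"], report["offset"])
```

Two reports with the same `signature` are the same crash site even if the module loaded at a different base; an address that `resolve` cannot place lies outside every module in the pasted list.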

#2
pinky6225

Is there a performance cost (like with having papyrus logging turned on all the time) if you have this

> Add this:
> [Debug]
> WriteMinidumps=1

Since I think one of the frustrations is that the game performs less well with logging turned on (papyrus), but if you crash with it turned off you are often unable to repeat whatever caused the crash to get a log to provide for debugging.


  • 1

#3
h38fh2mf

No performance cost. It only writes once when the game crashes.
  • 0

#4
Blackness blackness is...

Hey, thanks! :) I may try this at some point, if serious CTDs come back.


  • 0

#5
pinky6225

> No performance cost. It only writes once when the game crashes.

Cool, so a standard SKSE.ini should look like spoiler?

Spoiler

  • 0

#6
h38fh2mf

Yes, now on game crash it will write the file. It's about 70 KB.
  • 0

#7
pinky6225

> Yes, now on game crash it will write the file. It's about 70 KB.

Groovy, thanks for help

Okay tried and ran and got the below

Spoiler

was just running through Solitude

  • 0

#8
nooblet123

FAULTING_IP:
+2645f7
d3b3d4e4 0000            add     byte ptr [eax],al

If you can get more instructions from the dump, you can search dlls and exe for that code and find out if it's Skyrim or a mod causing CTDs.

If you have something like SoftIce you can set a breakpoint on that address and debug Bethesda's game for them for free!!! WOOOOOHOOOOOOO!!!!

  • 0

#9
h38fh2mf

I looked at the crash at the address you posted: 0x6645F7

This is a function where the active effect list of an actor is updated by the time delta (for example durations are updated and such).

One of the effects for you caused an invalid virtual table call, not sure why; it would help to see registers, but that website's analysis doesn't show them. Don't know if any of this is helpful to you or someone.
  • 0

#10
b3lisario

I'm interested in this subject.

How do you know 0x6645F7 is a function and what it does?
  • 0

#11
h38fh2mf

All the information comes from reverse engineering.

0x6645F7 is in function 0x664470 where "this" is the MagicTarget class.

I know that because it's called like this in one place:

MagicTarget::unk_664470(&v2->magicTarget, v2, v6, v5);

In that function this happens:

tList<ActiveEffect*> v5 = (*((int (**)(void))a1->vtable + 7))();

Then all entries in the list are iterated and this is what caused the crash:

(*(void (__thiscall **)(ActiveEffect *))((void (__thiscall **)(_DWORD))v8->vtable + 2))(v8);

I don't know why, though; it's possible the entry was a bad pointer.


  • 1

#12
nooblet123

It probably called or jumped to data segment (which is likely all zeroes) because opcode 0000 is really suspicious :) or eax is not a multiple of 4 in "add byte ptr [eax],al"


  • 0

#13
h38fh2mf

It isn't a valid address because under FAULTING_IP: it doesn't show a module.

I looked at the function a bit more and I think it was trying to remove the active effect.


  • 0

#14
b3lisario

Spoiler

Awesome. What program do you use to get this?
  • 0

#15
h38fh2mf

IDA. Alternatively, you can just debug it and see where it was called from.


  • 0

#16
b3lisario

Now I am sad.

I tried IDA some time ago and I just couldn't figure it out.
I can see the assembly code, but it is pretty much indecipherable for me.

Is there any way to turn that into C++ code? Like MagicTarget::unk_664470, v2->magicTarget and so on.
  • 0

#17
nooblet123

Probably a Hex-Rays decompiler plugin for IDA.


  • 0

#18
trongus

I'm getting exactly the same error as you have provided in the example, 00d573a8, with the same stack trace.

Have you identified that particular CTD in the past? Thanks.


  • 0

#19
h38fh2mf

> I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace.
>
> Have you identified that particular ctd in the past? Thanks.

It is caused by skeleton.


  • 0

#20
trongus

> > I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace.
> >
> > Have you identified that particular ctd in the past? Thanks.
>
> It is caused by skeleton.

Thanks for the quick reply. Then is there a way to locate the skeleton file that is problematic?


  • 0


