This is a short guide on how to debug CTDs yourself.

What it means is you will try to find out as much information about the crash as possible.

First, open Data/SKSE/skse.ini, if it doesn't exist then create it.

Add this:

[Debug]
WriteMinidumps=1

Then wait for the game to crash.

Now you will have a crash dump in Documents/My Games/Skyrim/SKSE/Crashdumps

For example something like this 2015-05-08_16.26.42.dmp

This file is not readable by humans, it's for a debugger, but you can do online crashdump analysis. Here is one site that does this:

https://www.osronline.com/page.cfm?name=analyze

Once you submit you will receive a bunch of text, most of this is useless but there are a few things that can be helpful to you or someone else.

Scroll down a bit and find the line that says:

EXCEPTION_RECORD:

Below it is the address in code where game crashed exactly. For example:

ExceptionAddress: 00d573a8 (TESV+0x009573a8)

It means that game was executing code on address 0xD573A8. It also says that the crash occurred in module TESV. If the crash had occurred in any SKSE plugin it would say that DLL name as module instead. Although it's still possible for a crash to be caused by SKSE plugin and happen in TESV module.

Now why is this address helpful?

1. Someone else may have the same crash, you can compare what you both have in common to narrow down cause.

2. Someone else may have had the same crash and already solved it.

3. I can look it up in game code to see what happens in the function, maybe it helps you narrow down cause.

4. You can compare if the crashes you are having are the same ones or different.

It could also be helpful to catalogue known crashes in a sticky or somewhere.

If you post your crash here include at least this information:

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00d573a8 (TESV+0x009573a8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
3684fc20 00bf2fb8 00000000 16a9a770 3684fde0 TESV+0x9573a8
3684fc50 00000000 00000000 3684fcd4 00786b68 TESV+0x7f2fb8

And everything SKSE related from Loaded Module List. Example:

0c490000 0c577000 SKSE_Elys_Uncapper SKSE_Elys_Uncapper.dll
50e00000 50e80000 nioverride nioverride.dll
51110000 51122000 enbhelper enbhelper.dll
51310000 51332000 showRaceMenu_preCacheKiller showRaceMenu_preCacheKiller.dll
51340000 5140d000 StorageUtil StorageUtil.dll
51bf0000 51c76000 chargen chargen.dll
51c80000 51c96000 SpellInvisibilityPlugin SpellInvisibilityPlugin.dll
51ca0000 51ccb000 SexLabUtil SexLabUtil.dll
51cd0000 51d23000 SchlongsOfSkyrim SchlongsOfSkyrim.dll
51d30000 51d6c000 MfgConsole MfgConsole.dll
51d70000 51d86000 ItemSoulgemPlugin ItemSoulgemPlugin.dll
51f50000 51f66000 ItemPoisonPlugin ItemPoisonPlugin.dll
51f70000 5203a000 skse_1_9_32 skse_1_9_32.dll
52290000 522e3000 FirstPersonPlugin FirstPersonPlugin.dll
522f0000 5236a000 hook hook.dll
52530000 52546000 ItemArrowPlugin ItemArrowPlugin.dll
52550000 52566000 ItemChargePlugin ItemChargePlugin.dll
525b0000 525c6000 AutoLockpickPlugin AutoLockpickPlugin.dll
525d0000 525ef000 DoubleJumpPlugin DoubleJumpPlugin.dll

Some reported crashes so far:

Offset: 00d573a8 (TESV+0x009573a8)
When: loading finished
Cause: unknown
Result: skeleton is used in one thread while it was just deleted in another
Fix: unknown (may help to have less animations installed - guess only), make sure XPMS or XPMSE is not overridden by anything, run FNIS again
Related: animation binding, skeleton, string cache

Offset: 00a50a3d (TESV+0x00650a3d) [a512a1 in stack]
When: unknown
Cause: unknown
Result: BSFixedString is set to invalid string cache entry which causes a crash when trying to increment its reference count
Fix: unknown
Related: string cache

Offset: xxxxxxxx [nioverride+0xf96b in stack]
When: unknown - happens in nioverride module which is a DLL included with RaceMenu mod
Cause: unknown, possibly loaded into a cell with decapitated body
Result: unknown
Fix: unknown, possibly disable decapitations or stop using all mods that require this (racemenu, xpmse etc)
Related:

Offset: 0068701d (TESV+0x0028701d)
When: saving game
Cause: mod conflict
Result: multiple mods modify same record, in one instance of this crash it was leveled lists
Fix: unknown (Azzazzx traced it to Requiem, may vary)
Related: saving, BGSSaveLoadManager, mod conflict

Offset: 006bac9a (TESV+0x002bac9a)
When: unknown
Cause: unknown
Result: actor has base form set to NULL, reading flags from it causes a crash
Fix: unknown
Related: Actor, ActorBase

Offset: 00abeab4 (TESV+0x006beab4)
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: NiNode

Offset: 0046edf0 (TESV+0x0006edf0)
When: unknown
Cause: unknown
Result: comparing name of NiNode while the name pointer is invalid, possibly searching NiNode by name
Fix: unknown
Related: NiNode

Offset: 008b437c (TESV+0x004b437c) [nioverride+0x838c0 in stack]
When: loading save
Cause: unknown
Result: unknown
Fix: unknown
Related: script, nioverride, RaceMenu

Offset: 00cec5ec (TESV+0x008ec5ec)
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: rendering, particles

Offset: 00bdc33b (TESV+0x007dc33b)
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: animations

Offset: 0046ecf5 (TESV+0x0006ecf5)
When: removing clothes, other?
Cause: unknown (possibly incompatible skeleton)
Result: unknown
Fix: unknown (try installing different skeleton and re-running FNIS)
Related: skeleton, NiNode

Offset: 00d5c69f (TESV+0x0095c69f) [00d6305e in last control transfer]
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: unknown

 


Is there a performance cost (like with having papyrus logging turned on all the time) if you have this

Add this:
[Debug]
WriteMinidumps=1

Since I think one of the frustrations is that the game performs less well with logging turned on (papyrus) but if you crash with it turned off you are often unable to repeat whatever caused the crash to get a log to provide for debugging


No performance cost. It only writes once when the game crashes.

 

cool so a standard SKSE.ini should look like spoiler?

 

 

 

[Display]
iTintTextureResolution=2048

[General]
ClearInvalidRegistrations=1

[Memory]
DefaultHeapInitialAllocMB=768
ScrapHeapSizeMB=256

[Debug]
WriteMinidumps=1

 

 

 


Yes, now on game crash it will write the file. It's about 70 KB.

 

groovy, thanks for help

 

Okay tried and ran and got the below

 

 

 

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18798 (win7sp1_gdr.150316-1654)
Machine Name:
Debug session time: Sun May 10 09:09:44.000 2015 (UTC - 4:00)
System Uptime: not available
Process Uptime: 0 days 0:34:33.000
  Kernel time: 0 days 0:04:38.000
  User time: 0 days 0:49:45.000
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\oca.ini, error 2
TRIAGER: Could not open triage file : e:\dump_analysis\program\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\user.ini, error 2
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\guids.ini, error 2
*** WARNING: Unable to verify timestamp for d3d9.dll
*** ERROR: Module load completed but symbols could not be loaded for d3d9.dll
*** WARNING: Unable to verify timestamp for hdtHighHeelNative.dll
*** ERROR: Module load completed but symbols could not be loaded for hdtHighHeelNative.dll
*** WARNING: Unable to verify timestamp for hdtPhysicsExtensions.dll
*** ERROR: Module load completed but symbols could not be loaded for hdtPhysicsExtensions.dll
*** WARNING: Unable to verify timestamp for XAudio2_6.dll
*** WARNING: Unable to verify timestamp for atiumdag.dll
*** ERROR: Module load completed but symbols could not be loaded for atiumdag.dll
*** WARNING: Unable to verify timestamp for hdtSkyrimMemPatch.dll
*** ERROR: Module load completed but symbols could not be loaded for hdtSkyrimMemPatch.dll
*** WARNING: Unable to verify timestamp for JContainers.dll
*** ERROR: Module load completed but symbols could not be loaded for JContainers.dll
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

FAULTING_IP:
+2645f7
d3b3d4e4 0000            add     byte ptr [eax],al

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: d3b3d4e4
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00003d20
Attempt to write to address 00003d20

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  TESV.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00003d20

WRITE_ADDRESS:  00003d20

FOLLOWUP_IP:
TESV+2645f7
006645f7 ??              ???

FAULTING_THREAD:  000018e4

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 006645f7 to d3b3d4e4

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
12f8fefc 006645f7 ce88c640 01b2ecc0 3cdd0000 0xd3b3d4e4
12f8ff88 7672336a cbf28900 12f8ffd4 770892b2 TESV+0x2645f7
12f8ff94 770892b2 cbf28900 65dd8925 00000000 kernel32!BaseThreadInitThunk+0xe
12f8ffd4 77089285 00a4b4a0 cbf28900 00000000 ntdll!__RtlUserThreadStart+0x70
12f8ffec 00000000 00a4b4a0 cbf28900 00000000 ntdll!_RtlUserThreadStart+0x1b

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  tesv+2645f7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: TESV

IMAGE_NAME:  TESV.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  51437ce5

STACK_COMMAND:  ~27s; .ecxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_TESV.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_tesv+2645f7

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/TESV_exe/1_9_32_0/51437ce5/unknown/0_0_0_0/bbbbbbb4/c0000005/d3b3d4e4.htm?Retriage=1

Followup: MachineOwner

 

 

 

was just running through solitude

 

 


 

 

FAULTING_IP:
+2645f7
d3b3d4e4 0000            add     byte ptr [eax],al

If you can get more instructions from the dump, you can search dlls and exe for that code and find out if it's skyrim or a mod causing CTDs.

 

If you have something like SoftIce you can set a breakpoint on that address and debug Bethesda's game for them for free!!! WOOOOOHOOOOOOO!!!!

 


I looked at the crash at the address you posted: 0x6645F7

 

This is a function where active effect list of an actor is updated by time delta (for example durations are updated and such).

 

One of the effects for you caused invalid virtual table call, not sure why, it would help to see registers but that website analysis doesn't show it. Don't know if any of this is helpful to you or someone.


I'm interested in this subject.

 

How do you know 0x6645F7 is a function and what it does?


All the information comes from reverse engineering.

 

0x6645F7 is in function 0x664470 where "this" is MagicTarget class.

I know that because it's called like this in one place:

MagicTarget::unk_664470(&v2->magicTarget, v2, v6, v5);

In that function happens this:

tList<ActiveEffect*> v5 = (*((int (**)(void))a1->vtable + 7))();

Then all entries in the list are iterated and this is what caused crash:

(*(void (__thiscall **)(ActiveEffect *))((void (__thiscall **)(_DWORD))v8->vtable + 2))(v8);

I don't know why though, it's possible the entry was a bad pointer.


It probably called or jumped to data segment (which is likely all zeroes) because opcode 0000 is really suspicious :) or eax is not a multiple of 4 in "add byte ptr [eax],al"


It isn't a valid address because under FAULTING_IP: it doesn't show module.

 

I looked at the function a bit more and I think it was trying to remove the active effect.

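The triage this thread walks through, as an added example (not code from any poster; `crash_signature` and `group_crashes` are hypothetical names): it reduces a report to the module+offset key the opening guide asks people to compare, and when the faulting address shows no module, as in the second dump, it keys on the first stack frame that does resolve to one. The sample lines are copied from the two reports quoted above; treating a target below 64 KB as a null-pointer access is an assumption about Windows process layout.

```python
import re
from collections import Counter
# Sample inputs: lines copied from the two analysis reports quoted in this thread.
IN_MODULE = """ExceptionAddress: 00d573a8 (TESV+0x009573a8)
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 00000000
3684fc20 00bf2fb8 00000000 16a9a770 3684fde0 TESV+0x9573a8
"""
NO_MODULE = """ExceptionAddress: d3b3d4e4
   ExceptionCode: c0000005 (Access violation)
Attempt to write to address 00003d20
12f8fefc 006645f7 ce88c640 01b2ecc0 3cdd0000 0xd3b3d4e4
12f8ff88 7672336a cbf28900 12f8ffd4 770892b2 TESV+0x2645f7
12f8ff94 770892b2 cbf28900 65dd8925 00000000 kernel32!BaseThreadInitThunk+0xe
"""

ADDR = re.compile(r"ExceptionAddress:[ \t]*([0-9a-f]{8})(?:[ \t]+\((\w+)\+0x([0-9a-f]+)\))?", re.I)
CODE = re.compile(r"ExceptionCode:[ \t]*([0-9a-f]{8})", re.I)
ACCESS = re.compile(r"Attempt to (read|write) (?:from|to) address ([0-9a-f]{8})", re.I)
FRAME = re.compile(r"^(?:[0-9a-f]{8}[ \t]+){5}(\S+)[ \t]*$", re.I | re.M)

def crash_signature(report):
    """Reduce one analysis report to the fields worth comparing between users."""
    m = ADDR.search(report)
    if m is None:
        return None
    addr, module, offset = m.groups()
    if module:
        # Normalise "TESV+0x009573a8" and "TESV+0x9573a8" to the same key.
        key = f"{module}+0x{int(offset, 16):x}"
    else:
        # Faulting IP is outside every module (a jump through a bad pointer):
        # key on the first stack frame that does resolve, i.e. the caller.
        frames = FRAME.findall(report)
        caller = next((f for f in frames if not f.lower().startswith("0x")), None)
        key = f"via {caller}" if caller else f"0x{addr}"
    code, acc = CODE.search(report), ACCESS.search(report)
    target = int(acc.group(2), 16) if acc else None
    return {
        "key": key, "in_module": module is not None,
        "code": code.group(1).lower() if code else None,
        "access": acc.group(1).lower() if acc else None,
        # Assumption: the lowest 64 KB of a Windows process is never mapped.
        "near_null": target is not None and target < 0x10000,
    }

def group_crashes(reports):
    # Count reports per key to see which crashes recur across users.
    return Counter(s["key"] for s in map(crash_signature, reports) if s)
```
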

 

 

All the information comes from reverse engineering.

 

0x6645F7 is in function 0x664470 where "this" is MagicTarget class.

 

I know that because it's called like this in one place:

MagicTarget::unk_664470(&v2->magicTarget, v2, v6, v5);

In that function happens this:

tList<ActiveEffect*> v5 = (*((int (**)(void))a1->vtable + 7))();

Then all entries in the list are iterated and this is what caused crash:

(*(void (__thiscall **)(ActiveEffect *))((void (__thiscall **)(_DWORD))v8->vtable + 2))(v8);

I don't know why though, it's possible the entry was a bad pointer.

 

 

Awesome. What program do you use to get this?


Now I am sad.

 

I tried IDA some time ago and I just couldn't figure it out.

I can see the assembly code, but it is pretty much indecipherable for me.

 

Is there any way to turn that into C++ code? like MagicTarget::unk_664470, v2->magicTarget and so


I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace.

 

Have you identified that particular ctd in the past? Thanks.


I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace.

 

Have you identified that particular ctd in the past? Thanks.

 

It is caused by skeleton.


 

I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace.

 

Have you identified that particular ctd in the past? Thanks.

 

It is caused by skeleton.

 

 

Thanks for quick reply. Then is there a way to locate the skeleton file that is problematic?


Not easily, it's most likely the main character skeleton.

Hmm.. Since turning off the mods that modify skeleton.hkx does nothing, I'd probably need to turn off every mod that messes with *.hkx. Thanks for the clue!


Yea, I have the crash too; I didn't find a good solution. If you need more information it happens when game deletes skeleton while it is being used in another thread, then the game does something like this:

strcmp(skeleton->objName, animationBinding->name)

But skeleton's objName is bad pointer or null because it was deleted already.

 

If I block skeleton's deletion then it doesn't help either, the crash just happens elsewhere. Something is handled very badly with the skeleton, I don't know why. Reading the forums a bit some people say to use 2.5 or earlier version of skeleton because 2.7+ caused crash. Don't know if that's true or not.


This should become a sticky, because this method is way better than the Papyrus to find why a game keeps on crashing

 


Yes, then more people may post their crash logs and we can start to have a list of addresses and what they are related to + what may cause them or how to fix.
