ZDoom

It doesn't matter where the overlays are, they are all ticked from TickPSprites, and that was were things went wrong.

A quick note, the overlays are on the player actors themselves, not the weapons. I know specifics weren't specified.

Goddamnit. What's up with the editor? It's not the first time it removed some tildes on its own.

Could [url=https://github.com/coelckers/gzdoom/commit/1767dd6a420ac7a2426e215d84783d375ecf7628#diff-a851ba4ce5a28d702399594105ede64bR2767]this line[/url] actually be a typo? Shouldn't it be "thing->flags &= ~MF_PICKUP;" (missing ~)?

I also think that the morphing logic needs some serious evaluation. Having the pickup function morph the player is inherently unsafe so all it should really do is to queue the transition and let it actually be done in a safe place like PlayerThink or Tick.

It only happens with some weapons. And from the look of it there's some exceptional fuckery going on here, because the item pickup gets called from some overlay! That's a situation the code isn't prepared for. It worked in older versions because it reused the same player pointer that got initially passed in, but the new code re-retrieves it from the passed actor. And with how morphs work that link got broken in here.

Now I got to find the messed up movement in D4D.

EDIT: A_CheckBlock is the perpetrator. This function calls P_CheckPosition which handles item pickups. Not a good idea to allow this in a supposedly pure checking function.

Load any map with D4D, press K to summon the rune and pick it up.

It doesn't have 100% reproduction rate but it somehow depends on moment when the rune has been picked up.
If morphing has been completed (this means that code path from the first callstack was taken) I press L to unmorph and repeat.

Sometimes the rune spawns in front of player and you need to move to grab it.
But sometimes it spawns too close and so will be picked up in the same or maybe in the next frame. This case aborts VM usually.

I don't even get it to abort. What precisely do I have to do to trigger the error?

if (!player) return;

It will crash only if you will add the following check to [b]PlayerPawn.CheckWeaponChange()[/b] and [b]PlayerPawn.CheckWeaponFire()[/b]:[code]if (!player) return;
[/code]
Otherwise it will abort VM with reading NULL address exception. Of course, it will abort if morphing will happen during code path from the second callstack.
For this reason the issue cannot be reproduced with [b]give baronrune[/b] and [b]morphme[/b] CCMDs. The rune must be picked up during [b]P_PlayerThink()[/b] call.

Hard to say because I don't get it to crash.

+bind k "summon baronrune"
+bind l "morphme"

I tried to investigate the problem but would like to ask Graf to take a look.
[spoiler=Callstack for correct morph][code]#0 P_MorphPlayer(player_t*, player_t*, PClassActor*, int, int, PClassActor*, PClassActor*) at src/g_shared/a_morph.cpp:66
#1 AF__PlayerInfo_MorphPlayer(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/g_shared/a_morph.cpp:190
#2 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#3 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#4 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#5 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#6 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#7 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#8 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#9 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#10 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#11 AInventory::CallTryPickup(AActor*, AActor**) at src/g_inventory/a_pickups.cpp:518
#12 DoGiveInventory(AActor*, bool, VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:2317
#13 AF_AActor_A_GiveInventory(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:2333
#14 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#15 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#16 AStateProvider::CallStateChain(AActor*, FState*) at src/p_actionfunctions.cpp:187
#17 AF_ACustomInventory_CallStateChain(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:229
#18 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#19 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#20 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#21 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#22 AActor::CallTouch(AActor*) at src/p_mobj.cpp:1740
#23 P_TouchSpecialThing(AActor*, AActor*) at src/p_interaction.cpp:114
#24 PIT_CheckThing(FMultiBlockThingsIterator&, FMultiBlockThingsIterator::CheckResult&, FBoundingBox const&, FCheckPosition&) at src/p_map.cpp:1658
#25 P_CheckPosition(AActor*, TVector2<double> const&, FCheckPosition&, bool) at src/p_map.cpp:1803
#26 P_TryMove(AActor*, TVector2<double> const&, int, secplane_t const*, FCheckPosition&, bool) at src/p_map.cpp:2242
#27 P_XYMovement(AActor*, TVector2<double>) at src/p_mobj.cpp:2515
#28 AActor::Tick() at src/p_mobj.cpp:4436
#29 APlayerPawn::Tick() at src/p_user.cpp:989
#30 AF_DThinker_Tick(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/dthinker.cpp:557
#31 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#32 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#33 DThinker::CallTick() at src/dthinker.cpp:567
#34 DThinker::TickThinkers(FThinkerList*, FThinkerList*) at src/dthinker.cpp:535
#35 DThinker::RunThinkers() at src/dthinker.cpp:481
#36 P_Ticker() at src/p_tick.cpp:136
#37 G_Ticker() at src/g_game.cpp:1232
#38 TryRunTics() at src/d_net.cpp:1951
#39 D_DoomLoop() at src/d_main.cpp:1038
#40 D_DoomMain() at src/d_main.cpp:2717[/code][/spoiler][spoiler=Difference in callstack for morph that aborts VM][code]...
#27 AF_AActor_CheckBlock(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_actionfunctions.cpp:6497
#28 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#29 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#30 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#31 FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**) at src/info.cpp:152
#32 DPSprite::SetState(FState*, bool) at src/p_pspr.cpp:509
#33 AF_DPSprite_SetState(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_pspr.cpp:541
#34 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#35 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#36 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#37 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#38 P_PlayerThink(player_t*) at src/p_user.cpp:2311
...[/code][/spoiler]
I guess the issue with the latter is changing of PlayerPawn object, unmorphed one will have [b]player[/b] member set to [b]nullptr[/b].
For some reason this works fine when morph happens during [b]APlayerPawn::Tick()[/b] but fails if called from [b]P_PlayerThink()[/b] function.

I'm using D4D Alpha 5 with these bindings:[code]+bind k "summon baronrune"
+bind l "morphme"[/code]
Picking up summoned rune will end with one of callstacks above and depending on origin of morph it will work fine or abort with error.

Addition of null checks to scripting side won't solve the problem.
This will rather postpone it to a later moment when the game will crash because of [b]nullptr[/b] value of [b]player[/b] argument:[spoiler=Callstack][code]#0 DObject* GC::ReadBarrier<DObject>(DObject*&) at src/dobjgc.h:99
#1 TObjPtr<DBot*>::operator==(DBot*) at src/dobjgc.h:213
#2 P_CheckWeaponButtons(player_t*) at src/p_pspr.cpp:876
#3 AF_APlayerPawn_CheckWeaponButtons(VMValue*, TArray<VMValue, VMValue>&, int, VMReturn*, int) at src/p_pspr.cpp:908
#4 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:686
#5 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) at src/scripting/vm/vmexec.h:705
#6 VMCall(VMFunction*, VMValue*, int, VMReturn*, int) at src/scripting/vm/vmframe.cpp:463
#7 P_PlayerThink(player_t*) at src/p_user.cpp:2311
#8 P_Ticker() at src/p_tick.cpp:130
#9 G_Ticker() at src/g_game.cpp:1232
#10 TryRunTics() at src/d_net.cpp:1951
#11 D_DoomLoop() at src/d_main.cpp:1038
#12 D_DoomMain() at src/d_main.cpp:2717[/code][/spoiler]

[url=https://forum.zdoom.org/viewtopic.php?f=43&t=54843]Download D4D here.[/url]

There is a VM abort with mods like D4D occurring whenever picking up demon runes. One of the things I noticed is the [url=https://github.com/coelckers/gzdoom/commit/b84f7bcadad55a925d5a2226cc3d307b98f1d059#diff-9e2daeb2926e243ec52303e8b3c196f7L991]null pointer check[/url] that was actually doable in the C++ side of things.

[url=https://github.com/coelckers/gzdoom/commit/b84f7bcadad55a925d5a2226cc3d307b98f1d059#diff-c9afa34c1545dcd6104077ed08cf42dbR371]This scriptified counterpart[/url] does not and cannot from the looks of it, since attempting to put a null pointer check for the player causes a crash since the player is a struct.

The abort happens on [url=https://github.com/coelckers/gzdoom/commit/b84f7bcadad55a925d5a2226cc3d307b98f1d059#diff-c9afa34c1545dcd6104077ed08cf42dbR374]this line precisely.[/url]