Hi,
That thing gets more and more interesting: I was misled by the belief that 'next' would behave as 'nexti' at the end of the known C code. But obviously it doesn't.
Well, Empire Earth doesn't crash on return from Main_DirectDraw_Release, but quite a bit later in its own code. It tries to call Main_DirectDrawSurfaceRelease for an already freed surface. From the crash dump:
First chance exception: page fault on read access to 0xaaaaaaaa in 32-bit code (0xaaaaaaaa).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033
 EIP:aaaaaaaa ESP:7fc1fc58 EBP:7f2703e0 EFLAGS:00210293( - 00 RISA1C)
 EAX:7fe049f0 EBX:00000001 ECX:7fe01b38 EDX:7803a11c
 ESI:7f288aa0 EDI:7f288acc
Stack dump:
0x7fc1fc58: 7dbbd6d7 7fe049f0 7f288aa0 7f2703e0
0x7fc1fc68: 00000001 7dbb1c20 7dbc59b4 00000000
0x7fc1fc78: 7f9f24fc 00000001 7fa24015 7dbc5998
0x7fc1fc88: 7fa23451 7dbc5998 7f270838 00000000
0x7fc1fc98: 00000002 7dbb9a14 7fa6bda1 00000000
0x7fc1fca8: 7fc1fd04 00000000 0052ba8b 5c575f20
Backtrace:
=>1 0xaaaaaaaa (0x7f2703e0)
  2 0x00000000 (0x00000000)
0xaaaaaaaa: addb %al,0x0(%eax)

The surface to release is in %eax and is the 2nd element on the stack: 7fe049f0.
From the log, a few lines before the crash:
warn:ddraw:Main_DirectDrawSurface_ForceDestroy destroying surface 0x7fe049f0 with refcnt 1

The address of the function is taken from the surface structure and now points to 0xaaaaaaaa.
(I do not expect a reply to this mail. I write it for a few reasons:
* Someone might have seen something like this already.
* Someone (maybe I) might search the archives sometime and find this information useful.
If I shouldn't do so, just tell me.)
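To illustrate the failure mode described in the mail, here is a small added example in C. It is not code from the mail or from Wine's ddraw: it models a COM-style surface with a hypothetical vtable, a force-destroy that poisons the freed block with the 0xaa fill byte (so the stale vtable pointer reads as 0xaaaaaaaa on 32-bit, as in the dump), and a guarded Release that refuses to jump through a poisoned vtable pointer instead of crashing at 0xaaaaaaaa. All names (Surface, Surface_ForceDestroy, safe_release, FREE_FILLER) are assumptions made for the example.

```c
/* Added example (not from the mail or from Wine). Models a use-after-free of a
 * COM-style object whose freed memory was filled with 0xaa. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FREE_FILLER 0xAA   /* fill byte; a poisoned 32-bit pointer reads as 0xaaaaaaaa */

typedef struct Surface Surface;
typedef struct { uint32_t (*Release)(Surface *); } SurfaceVtbl;
struct Surface { const SurfaceVtbl *lpVtbl; uint32_t ref; };

static uint32_t Surface_Release(Surface *s);
static const SurfaceVtbl surface_vtbl = { Surface_Release };

/* Debug-style free: fill the block rather than handing it back to the allocator,
 * so the stale bytes can be inspected safely in this demo (caller frees it later). */
static void poison_free(void *p, size_t n) { memset(p, FREE_FILLER, n); }

static Surface *Surface_Create(void) {
    Surface *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->lpVtbl = &surface_vtbl;
    s->ref = 1;
    return s;
}

static uint32_t Surface_Release(Surface *s) {
    uint32_t ref = --s->ref;
    if (ref == 0) poison_free(s, sizeof *s);   /* last reference: tear down */
    return ref;
}

/* Force-destroy, in the spirit of the ForceDestroy warning in the log: tear the
 * surface down regardless of outstanding references. Any later call through the
 * object is a use-after-free. */
static void Surface_ForceDestroy(Surface *s) {
    if (s->ref != 1)
        fprintf(stderr, "warn: destroying surface %p with refcnt %u\n", (void *)s, s->ref);
    poison_free(s, sizeof *s);
}

/* What the game did: read the vtable pointer from the (now poisoned) object. */
static uintptr_t stale_vtable_value(const Surface *s) {
    return (uintptr_t)s->lpVtbl;   /* every byte is FREE_FILLER after teardown */
}

/* True if every byte of the value is the fill pattern (0xaaaaaaaa on 32-bit). */
static int pointer_is_fill_pattern(uintptr_t v) {
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xff) != FREE_FILLER) return 0;
    return 1;
}

/* Defensive check: the vtable pointer must still point at the known vtable. */
static int surface_looks_freed(const Surface *s) {
    return s->lpVtbl != &surface_vtbl;
}

/* Guarded Release: -1 if the object looks freed, else the new refcount. */
static int safe_release(Surface *s) {
    if (surface_looks_freed(s)) return -1;
    return (int)s->lpVtbl->Release(s);
}

/* Scenario 1: force-destroy, then a late Release as in the crash. Returns 1 if caught. */
static int scenario_force_destroy(void) {
    Surface *s = Surface_Create();
    if (!s) return 0;
    Surface_ForceDestroy(s);
    int caught = surface_looks_freed(s)
              && pointer_is_fill_pattern(stale_vtable_value(s))
              && safe_release(s) == -1;
    free(s);
    return caught;
}

/* Scenario 2: normal refcount path followed by a double Release. Returns 1 if caught. */
static int scenario_double_release(void) {
    Surface *s = Surface_Create();
    if (!s) return 0;
    int first = safe_release(s);    /* 0: last reference dropped, block poisoned */
    int second = safe_release(s);   /* -1: guard refuses to jump through 0xaa... */
    free(s);
    return first == 0 && second == -1;
}

int main(void) {
    printf("force-destroy then Release caught: %d\n", scenario_force_destroy());
    printf("double Release caught: %d\n", scenario_double_release());
    return 0;
}
```

The vtable check is a demo of why a poison fill turns a silent use-after-free into a recognisable 0xaaaaaaaa fault; in practice an address sanitizer or Valgrind reports the first stale read directly, with the allocation and free stacks.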