Razish / japp

JA++ server and client modification for Jedi Academy
GNU General Public License v2.0

Crash due to global memory assigned before initialized. #452

Closed Charlese2 closed 8 months ago

Charlese2 commented 10 months ago

JA++ crashes on map load because bgAllAnims gets set when registering CVars before BG_InitAnimsets is called to initialize the memory. The crash is elsewhere, but this is the call stack of it setting bgAllAnims before it gets memset to 0.

OJK640B.tmp!BG_ParseAnimationFile(const char * filename, animation_s * animset, unsigned int isHumanoid) Line 2159
OJK640B.tmp!CG_RegisterClientModelname(clientInfo_s * ci, const char * modelName, const char * skinName, const char * teamName, int clientNum) Line 308
OJK640B.tmp!CG_LoadClientInfo(clientInfo_s * ci) Line 641
OJK640B.tmp!CG_SetDeferredClientInfo(clientInfo_s * ci) Line 898
OJK640B.tmp!CG_NewClientInfo(int clientNum, unsigned int entitiesInitialized) Line 1191
OJK640B.tmp!CVU_ForceOwnSaber() Line 350
OJK640B.tmp!CG_RegisterCvars() Line 588
OJK640B.tmp!CG_Init(int serverMessageNum, int serverCommandSequence, int clientNum, unsigned int demoPlayback) Line 1719

Moving trap->GetGameState(&cgs.gameState); in https://github.com/Razish/japp/commit/7df0369e04cb121b4b3a16c1bb34125956108c94 is what made the crash start happening because CG_ConfigString has a valid game state when it is called in CG_NewClientInfo. It no longer skips the rest of the code on the first pass because of the config string being valid.
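The ordering the report describes, as a constructed C model added here (not japp's code; the struct layout, function names and the NULL guard are hypothetical stand-ins): the cvar-registration path hands out an animset slot before the table is zeroed, so the later lookup reads through a NULL pointer, which is consistent with EDX = 0 and the faulting read at [edx+0x4] in the crash log below.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the animation tables; not japp's real types. */
typedef struct { short firstFrame; short numFrames; signed char loopFrames; } anim_t;
typedef struct { anim_t *anims; } animset_t;   /* one slot per parsed animation file */

#define MAX_ANIMSETS 4
static animset_t bgAllAnims[MAX_ANIMSETS];     /* the global from the report */
static anim_t humanoidAnims[8];                /* constructed sample animation table */

/* BG_ParseAnimationFile stand-in: claims a slot and records the table pointer. */
static int parse_animation_file(int slot) {
    bgAllAnims[slot].anims = humanoidAnims;
    return slot;
}

/* BG_InitAnimsets stand-in: zeroes the whole table, discarding earlier assignments. */
static void init_animsets(void) {
    memset(bgAllAnims, 0, sizeof(bgAllAnims));
}

/* CG_PlayerAnimEvents stand-in: returns 1 when the lookup would dereference a
   NULL anims pointer (reading numFrames at offset 4 of a zeroed pointer), else 0. */
static int anim_events_would_crash(int slot, int animIndex) {
    anim_t *a = bgAllAnims[slot].anims;
    if (a == NULL) return 1;                  /* defensive guard; the real code reads here */
    return a[animIndex].numFrames < 0;        /* normal path: a real comparison, no crash */
}

/* Order from the report: CG_RegisterCvars -> ... -> BG_ParseAnimationFile runs
   first, then BG_InitAnimsets wipes the slot it populated. */
static int run_buggy_order(void) {
    int slot = parse_animation_file(0);
    init_animsets();
    return anim_events_would_crash(slot, 0);  /* 1: NULL read */
}

/* Corrected order (hypothetical fix): initialise the table before anything
   that can populate it. */
static int run_fixed_order(void) {
    init_animsets();
    int slot = parse_animation_file(0);
    return anim_events_would_crash(slot, 0);  /* 0: pointer intact */
}
```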

Charlese2 commented 10 months ago

JA++ Crash Log

Version: JA++, 32 bits, Nov 3 2023, 243c728 (Windows)
Side: Client-side
Build Date/Time: Nov 3 2023 12:13:06
Operating system: Microsoft (build 22621), 64-bit
Crash type: Exception


Exception Information

Process: E:\JediAcademy\openjk.x86.exe
Exception in module: OJKA534.tmp
Exception Address: 0x15988177 (OJKA534.tmp+0x68177)
Exception Code: 0xC0000005 (Access Violation)
Attempted to read data at: 0x00000004


Register Dump

General Purpose & Control Registers:
EAX: 0x00000000, EBX: 0x00000000, ECX: 0x00000000, EDX: 0x00000000
EDI: 0x01EE0008, ESI: 0x0F806C2C, ESP: 0x01CFE2EC, EBP: 0x01CFE338
EIP: 0x15988177

Segment Registers:
CS: 0x00000023, DS: 0x0000002B, ES: 0x0000002B
FS: 0x00000053, GS: 0x0000002B, SS: 0x0000002B


Module List



Disassembly/Source code

Crash location located at 0x15988177: OJKA534.tmp::CG_PlayerAnimEvents(+0x107) [Func at 0x15988070]
Source code: E:\japp\cgame\cg_players.cpp:1704(+0x3)

^^^^^^^^^^

--- E:\japp\cgame\cg_players.cpp:1696(+0x3) ---

0x1598814E - cmp edx, [ebp-0x30]
0x15988151 - jz short 0x1598815c (CG_PlayerAnimEvents+0xEC)

--- E:\japp\cgame\cg_players.cpp:1697 ---

0x15988153 - mov dword ptr [ebp-0x20], 0x0
0x1598815A - jmp short 0x159881c3

--- E:\japp\cgame\cg_players.cpp:1702 ---

0x1598815C - mov dword ptr [ebp-0x20], 0x1

--- E:\japp\cgame\cg_players.cpp:1703 ---

0x15988163 - imul eax, [ebp+0x8], 0x44
0x15988167 - imul ecx, [ebp-0x1c], 0x7
0x1598816B - add ecx, [eax+0x168c1020]
0x15988171 - mov [ebp-0x14], ecx

--- E:\japp\cgame\cg_players.cpp:1704 ---

0x15988174 - mov edx, [ebp-0x14]

0x15988177 - movsx eax, word ptr [edx+0x4] <-- Exception

0x1598817B - test eax, eax
0x1598817D - jge short 0x15988188
0x1598817F - mov dword ptr [ebp-0x34], 0x1
0x15988186 - jmp short 0x1598818f
0x15988188 - mov dword ptr [ebp-0x34], 0x0
0x1598818F - mov ecx, [ebp-0x34]
0x15988192 - mov [ebp-0x38], ecx

--- E:\japp\cgame\cg_players.cpp:1705 ---

0x15988195 - mov edx, [ebp-0x14]
0x15988198 - movsx eax, byte ptr [edx+0x6]
0x1598819C - cmp eax, 0xff
vvvvvvvvvv


Backtrace

OJKA534.tmp::CG_PlayerAnimEvents(+0x107) [0x15988177] - (E:\japp\cgame\cg_players.cpp:1704)
OJKA534.tmp::CG_TriggerAnimSounds(+0x1B5) [0x15984465] - (E:\japp\cgame\cg_players.cpp:1848)
OJKA534.tmp::CG_Player(+0x36CE) [0x1597D6EE] - (E:\japp\cgame\cg_players.cpp:7244)
OJKA534.tmp::CG_AddCEntity(+0x185) [0x1594BE25] - (E:\japp\cgame\cg_ents.cpp:2707)
OJKA534.tmp::CG_AddPacketEntities(+0x241) [0x159430B1] - (E:\japp\cgame\cg_ents.cpp:2815)
OJKA534.tmp::CG_DrawActiveFrame(+0x66A) [0x159B03DA] - (E:\japp\cgame\cg_view.cpp:2184)
openjk.x86.exe::CGVM_DrawActiveFrame(+0x8D) [0x002DBA5D] - (E:\OpenJK\codemp\client\cl_cgameapi.cpp:79)
openjk.x86.exe::CL_CGameRendering(+0x4F) [0x002D9FCF] - (E:\OpenJK\codemp\client\cl_cgame.cpp:600)
openjk.x86.exe::SCR_DrawScreenField(+0xC1) [0x002F5581] - (E:\OpenJK\codemp\client\cl_scrn.cpp:464)
openjk.x86.exe::SCR_UpdateScreen(+0x61) [0x002F5D11] - (E:\OpenJK\codemp\client\cl_scrn.cpp:516)
openjk.x86.exe::CL_Frame(+0x1DC) [0x002EE57C] - (E:\OpenJK\codemp\client\cl_main.cpp:2209)
openjk.x86.exe::Com_Frame(+0x229) [0x0028C699] - (E:\OpenJK\codemp\qcommon\common.cpp:1588)
openjk.x86.exe::SDL_main(+0x161) [0x0033AAB1] - (E:\OpenJK\shared\sys\sys_main.cpp:813)
openjk.x86.exe::main_getcmdline(+0xD5) [0x00279385] - (c:\projects\sdl\src\main\windows\sdl_windows_main.c:74)
openjk.x86.exe::WinMain(+0x5) [0x00279445] - (c:\projects\sdl\src\main\windows\sdl_windows_main.c:104)
openjk.x86.exe::__scrt_common_main_seh(+0xF8) [0x00382E74] - (D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288)
KERNEL32.DLL::BaseThreadInitThunk(+0x19) [0x76AC7BA9]
ntdll.dll::RtlInitializeExceptionChain(+0x6B) [0x77C1BD3B]
ntdll.dll::RtlClearBits(+0xBF) [0x77C1BCBF]


Extra Information

Charlese2 commented 9 months ago

I can get it to crash if I start JA++ directly by using +set fs_game japlus. It won't crash if I let the engine switch mods on server connect. The server seems to send a ConfigString command which ends up making bgAllAnims[0] not NULL again.

OJKBD37.tmp!BG_ParseAnimationFile(const char * filename, animation_s * animset, unsigned int isHumanoid) Line 2158
OJKBD37.tmp!CG_RegisterClientModelname(clientInfo_s * ci, const char * modelName, const char * skinName, const char * teamName, int clientNum) Line 308
OJKBD37.tmp!CG_LoadClientInfo(clientInfo_s * ci) Line 641
OJKBD37.tmp!CG_NewClientInfo(int clientNum, unsigned int entitiesInitialized) Line 1189
OJKBD37.tmp!CG_ConfigStringModified() Line 733
OJKBD37.tmp!CG_ServerCommand() Line 1228
OJKBD37.tmp!CG_ExecuteNewServerCommands(int latestSequence) Line 1393
OJKBD37.tmp!CG_SetInitialSnapshot(snapshot_s * snap) Line 82
OJKBD37.tmp!CG_ProcessSnapshots() Line 310
OJKBD37.tmp!CG_DrawActiveFrame(int serverTime, stereoFrame_e stereoView, unsigned int demoPlayback) Line 2053