ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[L4D2] AwardTemplate crash #3387

Closed accelerator74 closed 3 years ago

accelerator74 commented 4 years ago

Hello. This is a very old server crash with this error. I am submitting all the data for this crash and hope for an early fix, thanks :) The error is related to all AwardTemplates, but more often of course it is Hindering Escape that drops out.

Stack trace:

0  server_srv.so!CHinderingEscapeAwardTemplate::FireGameEvent(IGameEvent*) + 0x24d
1  engine_srv.so!CGameEventManager::FireEventIntern(IGameEvent*, bool, bool) + 0x587
2  engine_srv.so!CGameEventManager::FireEvent(IGameEvent*, bool) + 0x58
3  server_srv.so!CCSPlayer::FirePlayerHurtEvent(CTakeDamageInfo const&) + 0x1ea
4  server_srv.so!CTerrorPlayer::OnTakeDamage_Alive(CTakeDamageInfo const&) + 0x5b4
5  server_srv.so!CBaseCombatCharacter::OnTakeDamage(CTakeDamageInfo const&) + 0x9f
6  server_srv.so!CCSPlayer::OnTakeDamage(CTakeDamageInfo const&) + 0x6cc
7  server_srv.so!CTerrorPlayer::OnTakeDamage(CTakeDamageInfo const&) + 0x392
8  server_srv.so!CBaseEntity::TakeDamage(CTakeDamageInfo const&) + 0x27e
9  server_srv.so!ApplyMultiDamage() + 0x85
10 server_srv.so!CClaw::OnHit(CGameTrace&, Vector const&, bool) + 0x23d
11 server_srv.so!CTerrorWeapon::TestSwingCollision(Vector const&) + 0x582
12 server_srv.so!CTerrorWeapon::DoSwing() + 0x365
13 server_srv.so!CTerrorWeapon::ItemPostFrame() + 0x45b
14 server_srv.so!CBasePlayer::ItemPostFrame() + 0x47f
15 server_srv.so!CTerrorPlayer::ItemPostFrame() + 0xba
16 server_srv.so!CBasePlayer::PostThink() + 0xe3b
17 server_srv.so!CCSPlayer::PostThink() + 0xc5
18 server_srv.so!CTerrorPlayer::PostThink() + 0x140
19 server_srv.so!CPlayerMove::RunPostThink(CBasePlayer*) + 0xb7
20 server_srv.so!CPlayerMove::RunCommand(CBasePlayer*, CUserCmd*, IMoveHelper*) + 0x6ce
21 server_srv.so!CBasePlayer::PlayerRunCommand(CUserCmd*, IMoveHelper*) + 0x9c
22 server_srv.so!CCSPlayer::PlayerRunCommand(CUserCmd*, IMoveHelper*) + 0x1d9
23 server_srv.so!CTerrorPlayer::PlayerRunCommand(CUserCmd*, IMoveHelper*) + 0x323
24 server_srv.so!CBasePlayer::PhysicsSimulate() + 0x594

Coredump: https://drive.google.com/file/d/1R-7-jpn07Cl_o7QZ8-5GsyQIya7iu1-n/view?usp=sharing
Minidump: https://drive.google.com/file/d/1hPmnvByt_JoiaXbmIDlPoT31KuXPMLMR/view?usp=sharing

accelerator74 commented 3 years ago

Disassemble: https://pastebin.com/CahEP9TN

   0xed67695d <+653>:   je     0xed676708 <_ZN29CHinderingEscapeAwardTemplate13FireGameEventEP10IGameEvent+56>
   0xed676963 <+659>:   movss  %xmm0,-0x1c(%ebp)
   0xed676968 <+664>:   mov    (%ebx),%eax
   0xed67696a <+666>:   lea    0x4(%ebx),%edx
   0xed67696d <+669>:   mov    %ebx,(%esp)
   0xed676970 <+672>:   mov    %edx,0x4(%esp)
=> 0xed676974 <+676>:   call   *0x4(%eax)
   0xed676977 <+679>:   movss  -0x1c(%ebp),%xmm0
   0xed67697c <+684>:   movss  %xmm0,0x4(%ebx)
   0xed676981 <+689>:   jmp    0xed676708 <_ZN29CHinderingEscapeAwardTemplate13FireGameEventEP10IGameEvent+56>
(gdb) info registers
eax            0x15                21
ecx            0x17547e50          391413328
edx            0x17547f64          391413604
ebx            0x17547f60          391413600
esp            0xffb89110          0xffb89110
ebp            0xffb89148          0xffb89148
esi            0x14fe07c0          352192448
edi            0xd528bf0           223513584
eip            0xed676974          0xed676974 <CHinderingEscapeAwardTemplate::FireGameEvent(IGameEvent*)+676>
eflags         0x210203            [ CF IF RF ID ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99
k0             0x0                 0
k1             0x0                 0
k2             0x0                 0
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0
(gdb) info frame
Stack level 0, frame at 0xffb89150:
 eip = 0xed676974 in CHinderingEscapeAwardTemplate::FireGameEvent(IGameEvent*); saved eip = 0xf71a325f
 called by frame at 0xffb891e0
 Arglist at 0xffb89148, args: 
 Locals at 0xffb89148, Previous frame's sp is 0xffb89150
 Saved registers:
  ebx at 0xffb8913c, ebp at 0xffb89148, esi at 0xffb89140, edi at 0xffb89144, eip at 0xffb8914c

shqke commented 3 years ago

Hi! I got here through user @A1mDev.

.text:0083D955 8D 5C C1 10                                   lea     ebx, [ecx+eax*8+10h] ; eax - client index
.text:0083D959 0F 2F 43 04                                   comiss  xmm0, dword ptr [ebx+4]
.text:0083D95D 0F 84 A5 FD FF FF                             jz      loc_83D708
.text:0083D963 F3 0F 11 45 E4                                movss   [ebp+var_1C], xmm0
.text:0083D968 8B 03                                         mov     eax, [ebx] ; eax being overwritten with vtable address
.text:0083D96A 8D 53 04                                      lea     edx, [ebx+4]
.text:0083D96D 89 1C 24                                      mov     [esp], ebx
.text:0083D970 89 54 24 04                                   mov     [esp+4], edx
.text:0083D974 FF 50 04                                      call    dword ptr [eax+4] ; calling a virtual method from IntervalTimer instance

Client index is 32, from ebx = ecx + eax * 8 + 0x10. Given the register values ebx = 0x17547f60 and ecx = 0x17547e50, this means eax = ( ebx - 0x10 - ecx ) / 8 = 32.

Which means you have a plugin that increases player slots on your server and extensive bot spawn rules that don't let a free client index shift towards 0 (eventually running out of indices).

Class CHinderingEscapeAwardTemplate has a member array declared as IntervalTimer[32] (cross-reference the constructor or the allocation size). The crash happens when the game tries to access the 33rd element of an array with 32 total elements.

Don't think Valve will help you out since it involves a third party code.

accelerator74 commented 3 years ago

Thanks for clarifying! I will try to fix my slots extension code in this case.