citizenfx / fivem

The source code for the Cfx.re modification frameworks, such as FiveM, RedM and LibertyM, as well as FXServer.
https://cfx.re/

Client crash when drawing emojis #1572

Closed rdelian closed 2 years ago

rdelian commented 2 years ago

Info

Since a lot of my users started to crash recently with 'some gfx errors' and I didn't update the gamemode in a while, I started to investigate it.

The trigger seems to be drawing on screen with natives, especially when I draw emojis + chars, but GetTextScreenLineCount / EndTextCommandGetWidth has to be called too.

-- CitizenFX_log
Exception in unsafe stubbed GFx hooks: c0000005 at 00007ff730943c63.
*client_crash*

If you need crash dumps or any additional information, let me know.

Repro

https://github.com/rdelian/repro_gfx_err/blob/main/client.lua

It takes a few seconds before the crash; sometimes it just fails to draw anything on screen and it will throw a client script error.

Client: b2189 Canary

blattersturm commented 2 years ago

This might be a repro for this report from the forums, yes. Not entirely certain as you didn't mention what crash you got, but it matches the pattern.

rdelian commented 2 years ago

I will provide a few dumps in the next 15 minutes or so

blattersturm commented 2 years ago

I somehow can't currently repro it on debug builds at least when waiting 'a few seconds' (b2699, at ~143 FPS, ran for two minutes now and it doesn't die), but the mention of measuring text (on MainThrd) while drawing similar text (on Render) makes it look like a race condition somewhere.

rdelian commented 2 years ago

CfxCrashDump_2022_08_14_13_41_42.zip CfxCrashDump_2022_08_14_13_45_16.zip

A way to instantly crash (for me at least) is to put GetTextWidth(TEXT, 0.3) in a for loop.

blattersturm commented 2 years ago

It does seem to correctly crash on retail builds, with a crash in the GFx heap allocator (after showing some broken emoji for a frame).

This might be somewhat related to 103e46dc947a4bd3a6276ba418a74c8d639fc60b, or it might be a different way the original issue represents itself (checking Sentry data shows that this is indeed the latter).

Confusing, still, is how debug builds seem to be immune to this one.

blattersturm commented 2 years ago

Peculiar bonus is how a locally-built retail-style build also seems immune to this. Is this another case of having inadvertently fixed it somewhere locally, or a long chain of side effects leading to this being 'fine'?

blattersturm commented 2 years ago

This turned out to be an anticheat hook having a curious side effect. Fixed in fivem-private@0e12b5487213ad821d8d70741fee7bbe0abd5a1b.