multitheftauto / mtasa-blue

Multi Theft Auto is a game engine that incorporates an extendable network play element into a proprietary commercial single-player game.
https://multitheftauto.com
GNU General Public License v3.0

Crash when plane explodes #448

Open ArranTuna opened 6 years ago

ArranTuna commented 6 years ago

Describe the bug

The MTA (client) crashes when a nearby plane explodes. Tried with 4 people, all crashed.

To Reproduce

Jayceon said:

onVehicleDamage works fine, but the client side onClientVehicleDamage does not.

  • Run this resource (planecrash.zip).
  • Explode the plane by flying into the wall or explode it using an RPG/Rhino
  • Observe the client crash

The crash disappears when I remove onClientVehicleDamage event.

@StifflersMom said:

This script also does the same:

  • crun addEventHandler("onClientVehicleDamage", root, function() setElementHealth(source,1) end)
  • Take a hydra and blow / crash it.
  • Seems to work only with planes and vortex.

Sounds like a similar problem with peds (mantis 8926)

Here is a crash dump: https://bugs.mtasa.com/file_download.php?file_id=1425&type=bug

Expected behavior

No crash

MTA Client: client_1.5.5-release-13192

Additional context

From https://bugs.mtasa.com/view.php?id=9911

botder commented 5 years ago

To work around the crash you should never use setElementHealth on the vehicle in onClientVehicleDamage, if it's blown.

Stack trace

0   CClientExplosionManager::Create [MTA]
1   CExplosion::AddExplosion
2   CWorld::TriggerExplosion
3   CWorld::TriggerExplosionSectorList
4   [CPlaceable vtable] + 0xE0 (vftable offset of VehicleDamage) => 0x6C6F6F70
    ^ 0x6A7650 - CAutomobile::VehicleDamage
    ^ 0x6B8EC0 - CBike::VehicleDamage
    ^ 0x6CC4B0 - CPlane::VehicleDamage
    ^ 0x6D63E0 - CVehicle::VehicleDamage

What is crashing

If you respawn the blown vehicle with setElementHealth you forcefully invalidate the CVehicle pointer in the hook for vehicle damage, the game code continues with the invalidated pointer and then crashes. See lines 800-802 in the code below. https://github.com/multitheftauto/mtasa-blue/blob/af24918613ff52490a0fe1c63bbb053688726718/Client/mods/deathmatch/logic/CClientVehicle.cpp#L793-L810

What I tried

There was a crash similar to this one with onClientVehicleCollision and I have resolved it by updating the CPU registers with the new CVehicle pointer. https://github.com/multitheftauto/mtasa-blue/blob/af24918613ff52490a0fe1c63bbb053688726718/Client/mods/deathmatch/logic/CClientGame.cpp#L4597-L4598 https://github.com/multitheftauto/mtasa-blue/blob/af24918613ff52490a0fe1c63bbb053688726718/Client/multiplayer_sa/CMultiplayerSA_VehicleCollision.cpp#L70-L80

Why it didn't work

I changed the hooks for VehicleDamage to update the CPU registers according to the hooked position in the game code and it worked, but the game code re-used the already deleted CVehicle in the next world update and crashed in CPlane::ProcessControl.

What you could do

Figure out why the game still uses the deleted CVehicle. You can get the code from my branch: crashfix/issue-448
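The re-entrancy hazard botder describes above (a script hook fired from inside the damage pass destroys the very CVehicle the pass is still using), shown as an added toy model that is not MTA's code: a world that records respawn requests made during the damage pass and only applies them once the pass has returned, so the engine side never continues with a freed object. All names (World, Vehicle, DamageHook, respawn, applyDamage) are hypothetical.

```cpp
// Added illustration (not MTA code): a toy world that fires a script hook in the
// middle of its vehicle-damage pass, the shape of the crash described above.
// Hypothetical names throughout. Respawns requested from inside the hook are
// queued and applied only after the pass, so the pass never touches freed memory.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Vehicle { int id; int health; bool blown; };

class World {
public:
    using DamageHook = std::function<void(World&, Vehicle&)>;
    explicit World(DamageHook hook) : hook_(std::move(hook)) {}

    Vehicle* spawn(int id) {
        vehicles_.push_back(std::make_unique<Vehicle>(Vehicle{id, 1000, false}));
        return vehicles_.back().get();
    }
    Vehicle* find(int id) {
        for (auto& up : vehicles_) if (up->id == id) return up.get();
        return nullptr;
    }
    // What "setElementHealth on a blown vehicle" boils down to: destroy and recreate.
    // Inside the damage pass this is only recorded; outside it happens immediately.
    void respawn(int id) {
        if (inDamagePass_) pending_.push_back(id); else recreate(id);
    }
    // Mirrors CVehicle::VehicleDamage -> hook -> continued use of the same object.
    // Returns the vehicle's blown flag as read *after* the hook ran.
    bool applyDamage(Vehicle* v, int amount) {
        inDamagePass_ = true;
        v->health -= amount;
        if (v->health <= 0) v->blown = true;
        hook_(*this, *v);             // script may call respawn() here
        bool blown = v->blown;        // still valid: recreation was deferred
        inDamagePass_ = false;
        for (int id : pending_) recreate(id);   // old pointers invalid from here on
        pending_.clear();
        return blown;
    }
private:
    void recreate(int id) {
        for (auto& up : vehicles_)
            if (up->id == id) up = std::make_unique<Vehicle>(Vehicle{id, 1000, false});
    }
    DamageHook hook_;
    std::vector<std::unique_ptr<Vehicle>> vehicles_;
    std::vector<int> pending_;
    bool inDamagePass_ = false;
};
```

After applyDamage returns, any pointer obtained before the pass must be re-fetched with find(), which is the contract the deferred recreation imposes on the caller.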