[L4D2] Chainsaw server crash (again) #3607

Open
accelerator74 opened this issue Jul 2, 2021 · 5 comments

@accelerator74

In continuation of the issue #2526.

After the update (2.2.1.3) from June 15, 2021, the function on which the crash occurs has changed. Now the crash happens in CSoundControllerImp::SoundChangePitch(CSoundPatch *, float, float). The cause is the same as before, as described by @ProdigySim in the previous issue: the CSoundPatch* argument passed in from CChainsaw::ItemPostFrame() is NULL and is dereferenced without a check. The function (or its caller) needs to verify that the CSoundPatch* is not NULL before using it.

@accelerator74

accelerator74 commented Jul 9, 2021

(gdb) bt
#0  0xed380b40 in CSoundControllerImp::SoundChangePitch(CSoundPatch*, float, float) () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#1  0xed3f6c2f in CChainsaw::ItemPostFrame() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#2  0xed2dbb8f in CBasePlayer::ItemPostFrame() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#3  0xed3b98c5 in CTerrorPlayer::ItemPostFrame() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#4  0xed6787e9 in CBasePlayer::PostThink() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#5  0xed5217cb in CCSPlayer::PostThink() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#6  0xed8a26b6 in CTerrorPlayer::PostThink() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#7  0xed68aefe in CPlayerMove::RunPostThink(CBasePlayer*) () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#8  0xed68b6e0 in CPlayerMove::RunCommand(CBasePlayer*, CUserCmd*, IMoveHelper*) () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#9  0xed669eb3 in CBasePlayer::PlayerRunCommand(CUserCmd*, IMoveHelper*) () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#10 0xed520537 in CCSPlayer::PlayerRunCommand(CUserCmd*, IMoveHelper*) () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
#11 0xed891300 in CTerrorPlayer::PlayerRunCommand(CUserCmd*, IMoveHelper*) () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
[...]

CSoundControllerImp::SoundChangePitch(CSoundPatch*, float, float)

(gdb) info registers
eax            0x0                 0
ecx            0x0                 0
edx            0xedadc048          -307380152
ebx            0xfffeeca0          -70496
esp            0xfffeebd8          0xfffeebd8
ebp            0xfffeebd8          0xfffeebd8
esi            0x16355de0          372596192
edi            0xdd46a20           232024608
eip            0xed380b40          0xed380b40 <CSoundControllerImp::SoundChangePitch(CSoundPatch*, float, float)+16>
eflags         0x210202            [ IF RF ID ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99
k0             0x0                 0
k1             0x0                 0
k2             0x0                 0
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0
(gdb) disassemble
Dump of assembler code for function _ZN19CSoundControllerImp16SoundChangePitchEP11CSoundPatchff:
   0xed380b30 <+0>:	push   %ebp
   0xed380b31 <+1>:	mov    %esp,%ebp
   0xed380b33 <+3>:	mov    0xc(%ebp),%eax
   0xed380b36 <+6>:	movss  0x10(%ebp),%xmm1
   0xed380b3b <+11>:	movss  0x14(%ebp),%xmm0
=> 0xed380b40 <+16>:	orl    $0x2,0x50(%eax)
   0xed380b44 <+20>:	movss  %xmm0,0x10(%ebp)
   0xed380b49 <+25>:	movss  %xmm1,0xc(%ebp)
   0xed380b4e <+30>:	mov    %eax,0x8(%ebp)
   0xed380b51 <+33>:	pop    %ebp
   0xed380b52 <+34>:	jmp    0xed380aa0 <_ZN14CSoundEnvelope9SetTargetEff>
End of assembler dump.

CChainsaw::ItemPostFrame()

(gdb) frame 1
#1  0xed3f6c2f in CChainsaw::ItemPostFrame() () from /home/user/l4d2_coop/left4dead2/bin/server_srv.so
  0xed3f6bb2 <+2578>:	call   0xed38aea0 <_Z16ClearMultiDamagev>
   0xed3f6bb7 <+2583>:	lea    -0xcc(%ebp),%eax
   0xed3f6bbd <+2589>:	mov    %esi,(%esp)
   0xed3f6bc0 <+2592>:	mov    %eax,0xc(%esp)
   0xed3f6bc4 <+2596>:	lea    -0x158(%ebp),%eax
   0xed3f6bca <+2602>:	mov    %eax,0x8(%esp)
   0xed3f6bce <+2606>:	lea    -0x78(%ebp),%eax
   0xed3f6bd1 <+2609>:	mov    %eax,0x4(%esp)
   0xed3f6bd5 <+2613>:	call   0xed2d18f0 <_ZN11CBaseEntity19DispatchTraceAttackERK15CTakeDamageInfoRK6VectorP10CGameTrace>
   0xed3f6bda <+2618>:	call   0xed38af10 <_Z16ApplyMultiDamagev>
   0xed3f6bdf <+2623>:	mov    0x180c(%edi),%eax
   0xed3f6be5 <+2629>:	cmp    $0x64,%eax
   0xed3f6be8 <+2632>:	je     0xed3f7115 <_ZN9CChainsaw13ItemPostFrameEv+3957>
   0xed3f6bee <+2638>:	sub    $0xa,%eax
   0xed3f6bf1 <+2641>:	mov    $0x32,%edx
   0xed3f6bf6 <+2646>:	cmp    $0x31,%eax
   0xed3f6bf9 <+2649>:	cmovg  %eax,%edx
   0xed3f6bfc <+2652>:	mov    %edx,0x180c(%edi)
   0xed3f6c02 <+2658>:	call   0xed381370 <_ZN24CSoundEnvelopeController13GetControllerEv>
   0xed3f6c07 <+2663>:	mov    (%eax),%edx
   0xed3f6c09 <+2665>:	movl   $0x3e4ccccd,0xc(%esp)
   0xed3f6c11 <+2673>:	cvtsi2ssl 0x180c(%edi),%xmm0
   0xed3f6c19 <+2681>:	movss  %xmm0,0x8(%esp)
   0xed3f6c1f <+2687>:	mov    0x17fc(%edi),%ecx
   0xed3f6c25 <+2693>:	mov    %eax,(%esp)
   0xed3f6c28 <+2696>:	mov    %ecx,0x4(%esp)
   0xed3f6c2c <+2700>:	call   *0x30(%edx)
=> 0xed3f6c2f <+2703>:	mov    -0x180(%ebp),%eax
   0xed3f6c35 <+2709>:	mov    %eax,(%esp)
   0xed3f6c38 <+2712>:	call   0xed444bf0 <_ZNK14CountdownTimer3NowEv>
   0xed3f6c3d <+2717>:	fstps  -0x17c(%ebp)
   0xed3f6c43 <+2723>:	movss  -0x17c(%ebp),%xmm6
   0xed3f6c4b <+2731>:	addss  0xedac83d8,%xmm6
   0xed3f6c53 <+2739>:	comiss 0x1818(%edi),%xmm6
   0xed3f6c5a <+2746>:	movss  %xmm6,-0x17c(%ebp)
   0xed3f6c62 <+2754>:	jne    0xed3f703e <_ZN9CChainsaw13ItemPostFrameEv+3742>
   0xed3f6c68 <+2760>:	movss  0x1814(%edi),%xmm0
   0xed3f6c70 <+2768>:	comiss 0xedac83d8,%xmm0
   0xed3f6c77 <+2775>:	jne    0xed3f7013 <_ZN9CChainsaw13ItemPostFrameEv+3699>
   0xed3f6c7d <+2781>:	mov    (%esi),%eax
   0xed3f6c7f <+2783>:	mov    %esi,(%esp)
   0xed3f6c82 <+2786>:	call   *0x144(%eax)
   0xed3f6c88 <+2792>:	test   %eax,%eax
   0xed3f6c8a <+2794>:	je     0xed3f6814 <_ZN9CChainsaw13ItemPostFrameEv+1652>
   0xed3f6c90 <+2800>:	mov    0xede9ecac,%eax
   0xed3f6c95 <+2805>:	movss  0xc(%eax),%xmm0
   0xed3f6c9a <+2810>:	comiss 0x181c(%edi),%xmm0
   0xed3f6ca1 <+2817>:	jbe    0xed3f6d07 <_ZN9CChainsaw13ItemPostFrameEv+2919>
(gdb) info registers
eax            0x0                 0
ecx            0x0                 0
edx            0xedadc048          -307380152
ebx            0xfffeeca0          -70496
esp            0xfffeebe0          0xfffeebe0
ebp            0xfffeed98          0xfffeed98
esi            0x16355de0          372596192
edi            0xdd46a20           232024608
eip            0xed3f6c2f          0xed3f6c2f <CChainsaw::ItemPostFrame()+2703>
eflags         0x210202            [ IF RF ID ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99
k0             0x0                 0
k1             0x0                 0
k2             0x0                 0
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0

@lunatixxx

I never ever saw my server crash because of that. Maybe it only happens on some version of linux?

@fbef0102

fbef0102 commented Nov 30, 2023

l4d2 linux only

Crash ID:
W7GA-MVNC-CSPA
EPVU-4FYP-FIG5

@Hawkins93

Hawkins93 commented Nov 30, 2023

This code here is for the current function:

#pragma semicolon 1
#pragma newdecls required

#include <sourcemod>
#include <dhooks>

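public void OnPluginStart()
{
	// This plugin owns gamedata/chainsaw_fix.txt and regenerates it on every
	// start, so the function definition (argument list, return type) can never
	// drift from what the detour callback below expects. A stale copy written by
	// an older build of this plugin had no "arguments" section, which would make
	// DHookGetParam() in the callback fail with an invalid parameter number.
	char sPath[PLATFORM_MAX_PATH];
	BuildPath(Path_SM, sPath, sizeof(sPath), "gamedata/chainsaw_fix.txt");

	File hFile = OpenFile(sPath, "w+");
	if( hFile == null )
		SetFailState("Error: Couldn't create gamedata/chainsaw_fix.txt file.");

	hFile.WriteLine("\"Games\"");
	hFile.WriteLine("{");
	hFile.WriteLine("	\"left4dead2\"");
	hFile.WriteLine("	{");
	hFile.WriteLine("		\"Functions\"");
	hFile.WriteLine("		{");
	hFile.WriteLine("			/* void CSoundControllerImp::SoundChangePitch(CSoundPatch *pSound, float pitchTarget, float deltaTime) */");
	hFile.WriteLine("			\"CSoundControllerImp::SoundChangePitch\"");
	hFile.WriteLine("			{");
	hFile.WriteLine("				\"signature\"		\"CSoundControllerImp::SoundChangePitch\"");
	hFile.WriteLine("				\"callconv\"		\"thiscall\"");
	// The SDK declares this method as returning void (it tail-calls
	// CSoundEnvelope::SetTarget in the disassembly above, and the caller in
	// CChainsaw::ItemPostFrame never reads eax), so no return value is set
	// when the call is superceded.
	hFile.WriteLine("				\"return\"		\"void\"");
	hFile.WriteLine("				\"this\"			\"address\"");
	// The argument list is what lets the callback inspect the CSoundPatch*
	// (parameter 1) — that pointer, not "this", is what is NULL in the crash.
	hFile.WriteLine("				\"arguments\"");
	hFile.WriteLine("				{");
	hFile.WriteLine("					\"pSound\"");
	hFile.WriteLine("					{");
	hFile.WriteLine("						\"type\"	\"int\"");
	hFile.WriteLine("					}");
	hFile.WriteLine("					\"pitchTarget\"");
	hFile.WriteLine("					{");
	hFile.WriteLine("						\"type\"	\"float\"");
	hFile.WriteLine("					}");
	hFile.WriteLine("					\"deltaTime\"");
	hFile.WriteLine("					{");
	hFile.WriteLine("						\"type\"	\"float\"");
	hFile.WriteLine("					}");
	hFile.WriteLine("				}");
	hFile.WriteLine("			}");
	hFile.WriteLine("		}");
	hFile.WriteLine("		\"Signatures\"");
	hFile.WriteLine("		{");
	hFile.WriteLine("			/* CSoundControllerImp::SoundChangePitch(CSoundPatch*, float, float) */");
	hFile.WriteLine("			\"CSoundControllerImp::SoundChangePitch\"");
	hFile.WriteLine("			{");
	hFile.WriteLine("				\"library\"		\"server\"");
	// Linux only: the crash is reported on Linux servers and only the exported
	// symbol name is known; a Windows signature would have to be added by hand.
	hFile.WriteLine("				\"linux\"			\"@_ZN19CSoundControllerImp16SoundChangePitchEP11CSoundPatchff\"");
	hFile.WriteLine("			}");
	hFile.WriteLine("		}");
	hFile.WriteLine("	}");
	hFile.WriteLine("}");

	delete hFile;

	Handle hGameConf = LoadGameConfigFile("chainsaw_fix");
	if( hGameConf == null ) SetFailState("Failed to load gamedata/chainsaw_fix.");
	Handle hDetour = DHookCreateFromConf(hGameConf, "CSoundControllerImp::SoundChangePitch");
	if( !hDetour )
		SetFailState("Failed to find \"CSoundControllerImp::SoundChangePitch\" signature.");
	// Pre-hook: we must run before the engine touches the sound patch.
	if( !DHookEnableDetour(hDetour, false, SoundChangePitch) )
		SetFailState("Failed to detour \"CSoundControllerImp::SoundChangePitch\".");
	delete hDetour;
	delete hGameConf;
}

// CChainsaw::ItemPostFrame() crash fix.
//
// Pre-hook on CSoundControllerImp::SoundChangePitch(CSoundPatch *pSound, float, float).
// In the backtrace above the fault is at "orl $0x2,0x50(%eax)" with eax loaded
// from 0xc(%ebp) — the first argument after "this" — and eax/ecx are 0, while
// "this" (the controller from GetController()) is valid. So the NULL that has
// to be caught is parameter 1, the CSoundPatch*, not pThis.
public MRESReturn SoundChangePitch(int pThis, Handle hReturn, Handle hParams)
{
	// Defensive: a NULL controller would fault just the same, so skip that too.
	if( !pThis )
		return MRES_Supercede;

	// Parameter 1 is the CSoundPatch* the engine is about to dereference.
	// When it is NULL the chainsaw's sound patch was never created (or was
	// already freed); dropping this pitch change is harmless, crashing is not.
	if( DHookGetParam(hParams, 1) == 0 )
		return MRES_Supercede;

	return MRES_Ignored;
}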

@fbef0102

fbef0102 commented Nov 30, 2023

This code here is for the current function:

Nice, Thanks
