New crash related to textures

[Dutchman101]

Describe the bug
There is a newly introduced, way too popular crash on offset 0x00014a86, which was first seen on build r20579.

Dumptrace

CONTEXT:  (.ecxr)
eax=2dca1a78 ebx=00000002 ecx=0000001c edx=00000549 esi=2dca1a78 edi=2d99ad18
eip=5dfd4a86 esp=0177fa10 ebp=0177fa10 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
multiplayer_sa!OnMY_RwTextureDestroy+0x6:
5dfd4a86 83785401        cmp     dword ptr [eax+54h],1 ds:002b:2dca1acc=????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 5dfd4a86 (multiplayer_sa!OnMY_RwTextureDestroy+0x00000006)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 2dca1acc
Attempt to read from address 2dca1acc

PROCESS_NAME:  gta_sa.exe

READ_ADDRESS:  2dca1acc 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  2dca1acc

STACK_TEXT:  
0177fa10 5dfd4860     2dca1a78 0074da49 2d99ad18 multiplayer_sa!OnMY_RwTextureDestroy+0x6
0177fa40 0074da49     2dca1a78 00000001 0074e171 multiplayer_sa!HOOK_RwTextureDestroy+0x10
WARNING: Stack unwind information not available. Following frames may be wrong.
0177fa4c 0074e171     2d9a4b50 240412d0 2db629e8 gta_sa!RpMaterialDestroy (0x34da49)
0177fa64 0074cd3e     240412f0 2dc2dcc0 0074a366 gta_sa!rpMaterialListDeinitialize (0x34e171)
00000000 00000000     00000000 00000000 00000000 gta_sa!RpGeometryDestroy (0x34cd3e)


FAULTING_SOURCE_LINE:  C:\TeamCity\buildAgent\work\675e5b8e8f135823\Client\multiplayer_sa\CMultiplayerSA_RwResources.cpp @ 77

FAULTING_SOURCE_LINE_NUMBER:  77

SYMBOL_NAME:  multiplayer_sa!OnMY_RwTextureDestroy+6

MODULE_NAME: multiplayer_sa.dll

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_multiplayer_sa.dll!OnMY_RwTextureDestroy

See below crash stats:

As we know, each count is a victim, it remains 1 even if they get the crash multiple times. So i think this isssue should block 1.5.8 release.

The build where it started (r20579) introduced the following changes:

I used offset variance and filtered from 1.5.6 on, so it's for sure that one of these changes caused the crash. It actually makes sense, because DX related changes fit the stack trace at the beginning of this issue.

To reproduce
Unknown - used crash stats after it happened to myself, which was a crash on disconnect

Version
r20579 and later

[Dutchman101]

The crash happens on this line:

mtasa-blue/Client/multiplayer_sa/CMultiplayerSA_RwResources.cpp

Line 77 in e11685c

if (pTexture->refs == 1)

But obviously it comes (gets called) from elsewhere, as that file hasn't changed recently.

Am i right to say these 2 commits in the "crash first seen" build are suspect: 19f2c95, b86d6c9 ?

It remains possible that builds below r20579 weren't circulated sufficiently to happen to someone that will cause it to enter crash stats. So, the culprit can be a change that's only a little older.

[Dutchman101]

New suspect cause: 767a41c (correct me if i'm wrong - guess that's the "changes to tea functions" @botder referred to?)
cc @Pirulax

Reason:

Since no one protested my suggestion for it to block 1.5.8, and too many people are crashing, there we go.

[Dutchman101]

I just noticed that the teaEncode change was in r20595, so it's not possibly related as this crash was first seen in r20579.. so it wasn't what botder felt it was, this is an unrelated bug and we still need to fix it asap nonetheless.

[sbx320]

The only commit from the list that I'd consider likely to cause this issue is the VS upgrade. The argparser changes do not impact any rendering code (as none of that is using the new argparser afaik). The remaining commits are either server only or CI/debug build things.

[Dutchman101]

The only commit from the list that I'd consider likely to cause this issue

well, as i indicated:

It remains possible that builds below r20579 weren't circulated sufficiently to happen to someone that will cause it to enter crash stats. So, the culprit can be a change that's only a little older.

there's no well-circulated build close to r20579 (older), so if you're right about that list i included then it must be an earlier change that caused it. We really just need someone better than me, to debug and dig deeper based on crash dumps..

[Dutchman101]

The crashing didn't stop, it only shifted to offset 0x00014b76

But the new dump at https://upload.mtasa.com/u/550305806/client_1.5.7-release-20627.0.000_multiplayersa_00014b76_5_CPxMb_CB7A459E_5657_0AF_DFF27_20200817_2122.dmp_ contains a more complete stacktrace:

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 6ee14b76 (multiplayer_sa!OnMY_RwTextureDestroy+0x00000006)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 37ad0f84
Attempt to read from address 37ad0f84

PROCESS_NAME:  gta_sa.exe

READ_ADDRESS:  37ad0f84 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  37ad0f84

STACK_TEXT:  
0177fa20 6ee14950     37ad0f30 0074da49 2fd4bd40 multiplayer_sa!OnMY_RwTextureDestroy+0x6
0177fa98 6e440391     1ede53b0 0177facc 6687f377 multiplayer_sa!HOOK_RwTextureDestroy+0x10
37ab8608 00000000     00000005 37abaed4 00000000 game_sa!CRenderWareSA::DestroyDFF+0x11

So now it's DFF unloading related?

Also, i might have been wrong about when it started:

Those builds are old enough for the symbols to be purged, so i can't make sure it's the same crash. But besides the offset similarity, it also has in common that it became a Top 3 MTA crash (on MTA modules) for example on r20447 so it's probably just the same thing, as it pulled that off again.

Note that, again, r20447 was a widely circulated build, so it can again be a change that came a little earlier.

Suspects (changes shortly before that mark): dfa9b50, d5722d5, 46dbbe7, 629f974, 5138de0

All of these changes are texture & model related, and so is the crash. I guess we gotta assign this issue to @saml1er

Merging PR #1623 should fix this issue.