Cool VL Viewer forum
http://sldev.free.fr/forum/

Crash on teleport
http://sldev.free.fr/forum/viewtopic.php?f=4&t=2311		 Page 1 of 1
Author:  kathrine [ 2022-10-12 23:07:58 ]
Post subject:  Crash on teleport
Hi Henri,

this is the log and dump for the crash on teleport i had today. Seems to be in the viewer code.

Kathrine

Attachments:
crash.zip [59.87 KiB]
Downloaded 201 times
Author:  Henri Beauchamp [ 2022-10-12 23:54:57 ]
Post subject:  Re: Crash on teleport
Yes, it is a very weird (*) crash at the very end of LLSpatialBridge::cleanupReferences(), but I am also seeing some (lame and ineffective/bogus) attempt to work around such a crash in LL's own viewer code. My guess is that the mDrawable pointer (which is not a smart pointer while drawables are ref-counted) ends up pointing on a deleted drawable during the method execution...

If you compile the viewer yourself, you could replace that method (in linden/indra/newview/llspatialpartition.cpp) with the modified version I made for next release:
Code:
void LLSpatialBridge::cleanupReferences()
{
   // Hold a LLPointer on mDrawable (which is a LLDrawable*) to prevent it
   // from getting destroyed during this method execution, should its refcount
   // fall down to 0. HB
   LLPointer<LLDrawable> drawablep = mDrawable;

   LLDrawable::cleanupReferences();

   if (mDrawable)
   {
      drawablep->setGroup(NULL);

      if (drawablep->getVObj())
      {
         LLViewerObject::const_child_list_t& child_list =
            drawablep->getVObj()->getChildren();
         for (LLViewerObject::child_list_t::const_iterator
               iter = child_list.begin(), end = child_list.end();
             iter != end; ++iter)
         {
            LLViewerObject* child = *iter;
            if (!child) continue;

            LLDrawable* drawable = child->mDrawable;
            if (drawable)
            {
               drawable->setGroup(NULL);
            }
         }
      }

      drawablep->setSpatialBridge(NULL);
      mDrawable = NULL;
   }
}


(*) With a totally bogus disassembly showing the destruction of a LLConstPointer<LLInventoryObject> smart pointer that got nothing to do here (no LLInventoryObject dealt with in the renderer code itself) !... Bug in MSVC ?... In the Windows debug DLL ? :shock:
Author:  kathrine [ 2022-11-30 00:49:07 ]
Post subject:  Crash during teleport
Hi Henri,

got another crash for you, some invalid pointer write according to the debugger (windb).

Logs and crash dump attached.

For analysis of this file, run !analyze -v
ntdll!NtGetContextThread+0x14:
00007ffb`e362eef4 c3 ret
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


KEY_VALUES_STRING: 1

Key : AV.Fault
Value: Write

Key : Analysis.CPU.mSec
Value: 608

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 9006

Key : Analysis.IO.Other.Mb
Value: 6

Key : Analysis.IO.Read.Mb
Value: 0

Key : Analysis.IO.Write.Mb
Value: 12

Key : Analysis.Init.CPU.mSec
Value: 140

Key : Analysis.Init.Elapsed.mSec
Value: 19624

Key : Analysis.Memory.CommitPeak.Mb
Value: 102

Key : Timeline.OS.Boot.DeltaSec
Value: 315885

Key : Timeline.Process.Start.DeltaSec
Value: 976

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1

Key : WER.Process.Version
Value: 1.30.0.29


FILE_IN_CAB: CoolVLViewer.dmp

CONTEXT: (.ecxr)
rax=000001b10839eb60 rbx=000001af90e00cb8 rcx=000001af90e00bb0
rdx=000001aee59f0000 rsi=000001b10839eb60 rdi=000001aff58525f0
rip=00007ff642a6ebbd rsp=0000001346fddf00 rbp=0000000000000000
r8=000001aee5be94c0 r9=0000000000000001 r10=000001aee59f0000
r11=0000001346fdde00 r12=0000000000000000 r13=00007ff642380000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
CoolVLViewer+0x6eebbd:
00007ff6`42a6ebbd 4889ae90010000 mov qword ptr [rsi+190h],rbp ds:000001b1`0839ecf0=????????????????
Resetting default scope

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff642a6ebbd (CoolVLViewer+0x00000000006eebbd)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000001b10839ecf0
Attempt to write to address 000001b10839ecf0

PROCESS_NAME: CoolVLViewer.exe

WRITE_ADDRESS: 000001b10839ecf0

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgef hrt werden.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000001

EXCEPTION_PARAMETER2: 000001b10839ecf0

STACK_TEXT:
00000013`46fddf00 00007ff6`42493e50 : 000001af`90e00bb0 000001b1`0839ec68 00000013`46fde2b0 00000000`00000000 : CoolVLViewer+0x6eebbd
00000013`46fddf30 00007ff6`42493e11 : 000001b0`00000000 000001af`90e00cb8 00000000`00000000 00000000`00000000 : CoolVLViewer+0x113e50
00000013`46fde070 00007ff6`42c4b623 : 000001af`00000000 000001af`1b8c2ef0 00000000`00000000 000001af`1b8c2ef0 : CoolVLViewer+0x113e11
00000013`46fde1b0 00007ff6`42dc7d30 : 000001ae`00000000 00000000`00000000 00000000`00000000 00007ff6`43c2d884 : CoolVLViewer+0x8cb623
00000013`46fde330 00007ff6`42c7fd8f : 00000000`00000000 00000000`00000000 00000000`00000001 000001af`1b8c2ef0 : CoolVLViewer+0xa47d30
00000013`46fde360 00007ff6`42c2b45a : 00000000`00000001 000001af`1b8c2ef0 00000000`00000000 00000000`0000002f : CoolVLViewer+0x8ffd8f
00000013`46fde390 00007ff6`42f9a8c6 : 000001ae`bbf4c5a0 00007ff6`42380000 000001b0`00000001 000001ae`bc0e9001 : CoolVLViewer+0x8ab45a
00000013`46fde580 00007ff6`42efc537 : 000001ae`bc0782b0 000001ae`bbf50800 00000013`46fde7c8 00000000`00000000 : CoolVLViewer+0xc1a8c6
00000013`46fde780 00007ff6`42efb3a7 : 00000002`00000001 00000000`00000000 00000000`00000028 00007ff6`00000018 : CoolVLViewer+0xb7c537
00000013`46fdeae0 00007ff6`424494f9 : 000002df`7f1c7b77 00000000`0000a2c2 000001ae`e7df2040 00007ff6`42380000 : CoolVLViewer+0xb7b3a7
00000013`46fdeb10 00007ff6`42447cb0 : 00000000`00000000 00000000`00000000 00000000`00000000 000001b0`c93b0410 : CoolVLViewer+0xc94f9
00000013`46fdecf0 00007ff6`42441ffa : 000001ae`bbf21d00 00000013`46fdf000 00007ff6`00000000 00007ff6`00000000 : CoolVLViewer+0xc7cb0
00000013`46fdefc0 00007ff6`424570dc : 000001ae`bbf21df0 000001ae`bbf21df0 00000013`46fdf200 000001ae`e7df2040 : CoolVLViewer+0xc1ffa
00000013`46fdf190 00007ff6`42e09da6 : 00007ff6`43687248 000001ae`00000001 000001ae`ba24b650 00007ff6`43cd8e30 : CoolVLViewer+0xd70dc
00000013`46fdf340 00007ff6`43557cc2 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : CoolVLViewer+0xa89da6
00000013`46fdf8e0 00007ffb`e34a74b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CoolVLViewer+0x11d7cc2
00000013`46fdf920 00007ffb`e35e26a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000013`46fdf950 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_NAME: CoolVLViewer+6eebbd

MODULE_NAME: CoolVLViewer

IMAGE_NAME: CoolVLViewer.exe

FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CoolVLViewer.exe!Unknown

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

IMAGE_VERSION: 1.30.0.29

FAILURE_ID_HASH: {f66af9c6-28be-d913-9442-c9c0ccef16e3}

Attachments:
File comment: Log
CoolVLViewer_27940.zip [18.75 KiB]
Downloaded 182 times
File comment: Crashdump
dmp.zip [30.16 KiB]
Downloaded 191 times
Author:  Henri Beauchamp [ 2022-11-30 11:23:42 ]
Post subject:  Re: Crash on teleport
I merged your new topic here, since it is exactly the same bug... I thought I had it plugged, but apparently not.

For next releases, I went into "super-safe" mode for that touchy part of the code, and came up with the following (feel free to test to try and break it, if you compile the viewer by yourself):
Code:
//virtual
void LLSpatialBridge::cleanupReferences()
{
   // Hold a LLPointer on mDrawable (which is a LLDrawable*) to prevent it
   // from getting destroyed during this method execution, should its refcount
   // fall down to 0. HB
   LLPointer<LLDrawable> drawablep = mDrawable;

   LLDrawable::cleanupReferences();

   if (drawablep.notNull())
   {
      LLViewerObject* vobjp = drawablep->getVObj().get();
      if (vobjp)
      {
         // In order to guard against modifications to the children list
         // that would result from setGroup(NULL) on them, build a vector
         // of LLPointer's on the drawables to operate upon, and then use
         // that vector's pointers to setGroup(NULL). HB
         LLViewerObject::const_child_list_t& child_list =
            vobjp->getChildren();
         std::vector<LLPointer<LLDrawable> > drawvec;
         drawvec.reserve(child_list.size());
         for (LLViewerObject::child_list_t::const_iterator
               iter = child_list.begin(), end = child_list.end();
             iter != end; ++iter)
         {
            LLViewerObject* childp = iter->get();
            if (childp)
            {
               LLDrawable* drawp = childp->mDrawable.get();
               if (drawp)
               {
                  drawvec.emplace_back(drawp);
               }
            }
         }
         // Now we can safely operate on children's drawables. HB
         for (U32 i = 0, count = drawvec.size(); i < count; ++i)
         {
            drawvec[i]->setGroup(NULL);
         }
      }
      // Do this *after* it got done on children. HB
      drawablep->setGroup(NULL);
      drawablep->setSpatialBridge(NULL);
      mDrawable = NULL;
   }
}


Many thanks for the bug report !
Author:  kathrine [ 2022-12-11 12:58:12 ]
Post subject:  Another TP crash (or maybe the same?)
Hi Henri,

tried the new viewer version from yesterday and had another crash on tp. Not sure if it is the same as before.

Logs attached.

Kathrine

Attachments:
crash_logs.zip [46.93 KiB]
Downloaded 180 times
Author:  Henri Beauchamp [ 2022-12-11 14:34:16 ]
Post subject:  Re: Another TP crash (or maybe the same?)
kathrine wrote:
tried the new viewer version from yesterday and had another crash on tp. Not sure if it is the same as before.
Yes, exactly the same crash !... I'm totally puzzled !

Apparently, an LLConstPointer<LLInventoryObject> gets destroyed (why LLInventoryObject while only LLViewerObject and children are normally affected, this is a total mystery ?!), and causes a re-referencing of that LLConstPointer from within its destructor (the crash probably happens in the unref() call following the invocation of warnUnreferenceDidAssignment() in llpointer.h)...

It leads me to think that this crash you get is specific to what your avatar is wearing (even though, I still fail to understand how this could lead to an LLInventoryObject de-referencing, which is *not* a rezzed entity, neither a child or parent class for a viewer object, even if it corresponds to to a rezzed object)...

Are you experiencing this crash while your avatar is wearing a specific outfit ?... Or perhaps do you have "Ignore bogus kill-attachment messages" disabled in the "Advanced" -> "Network" menu (it defaults to enabled and should be kept on: I might remove this option from the menu in the future) ?

For next release (and you could experiment it if you compile the viewer yourself), I commented out the "unref()" calls in both LLPointer::unref() and LLConstPointer::unref() (lines 184 and 311): at worst, this change would cause a memory leak, but might prevent the crash you are seeing. Since I never, ever saw the corresponding warning myself in my logs, this would be an acceptable "poor man fix" for your crash, at least until I understand what kind of spaghetti code can lead to this total mess !!! :shock:
Page 1 of 1 All times are UTC
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/