fix(gta-core-five): guard vertex pool pop against stale head pointer …#3821
Open
st860923 wants to merge 1 commit intocitizenfx:masterfrom
Open
fix(gta-core-five): guard vertex pool pop against stale head pointer …#3821st860923 wants to merge 1 commit intocitizenfx:masterfrom
st860923 wants to merge 1 commit intocitizenfx:masterfrom
Conversation
github-actions
Bot
added
the
invalid
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal of this PR
Fix a crash that occurs on servers with many players when multiple peds are being rendered simultaneously.
This is a widely reported crash across many servers and has been the # 1 crash on my server.
How is this PR achieving the goal
The vertex pool uses a lock-free pop with
CMPXCHG16B. A TOCTOU race allows another thread to pop and reuse a slot before the first thread dereferences the head pointer, causing it to read vertex data instead of a valid next pointer. This results in a non-canonical address dereference.So I validate the head pointer before the dereference (bit 47 check). If stale, we jump back to the top of the existing CAS retry loop which is matching the original retry-on-failure semantics instead of crashing.
And I try to pattern scanning with no hardcoded offsets in case future build have another match.
This PR applies to the following area(s)
FiveM
Successfully tested on
Game builds: v3095, v3258, v3717
Platforms: Windows
Checklist
Fixes issues
GTA5_b3258.exe!sub_1416BEE88 (0x5e), GTA5_b3095.exe!sub_1416A8D60 (0x5e)
3258 user report in discord
3095 user report in discord