[fixed][10870] Crash at learning skills


Guest danny1991

Mangos Version: 10870

Custom Patches: AHBot & ScriptDev2

SD2 Version: 1908

Database Name and Version : YTDB_0.14.0_R576

I'm a Night Elf - Warrior - Level 14, and when I go to Darnassus to learn class skills, a crash happens.

Revision: * * 10870 1ab7f02529d01e9729f0e6d6f0f98168b98f5ea7
Date 14:12:2010. Time 0:8 
//=====================================================
*** Hardware ***
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+
Number Of Processors: 2
Physical Memory: 2096504 KB (Available: 122948 KB)
Commit Charge Limit: 4193008 KB

*** Operation System ***
Windows Vista or Windows Server 2008 Professional (Version 6.1, Build 7600)

//=====================================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address:  00789BC2 01:00388BC2 C:\Mangos\Compiled_10870\mangosd.exe

Registers:
EAX:00000000
EBX:E9AF3D80
ECX:6165A214
EDX:00000000
ESI:F37056CC
EDI:0000009D
CS:EIP:0023:00789BC2
SS:ESP:002B:085EFC64  EBP:085EFCEC
DS:002B  ES:002B  FS:0053  GS:002B
Flags:00010246

Call stack:
Address   Frame     Function      SourceFile
00789BC2  00000000  WorldSession::SendTrainerList+212
0078B4FD  00000000  WorldSession::SendTrainerList+7D
0053C8C3  00000000  Player::OnGossipSelect+263
0078A470  00000000  WorldSession::HandleGossipSelectOptionOpcode+370
005EFF81  00000000  WorldSession::ExecuteOpcode+21
005F4919  00000000  WorldSession::Update+C9
00473598  00000000  World::UpdateSessions+98
00474FEF  00000000  World::Update+19F
00445E39  00000000  WorldRunnable::run+E9
004543E0  00000000  ACE_Based::Thread::ThreadTask+10
72F37254  00000000  ACE_OS_Thread_Adapter::invoke+74
7310C6DE  00000000  _endthreadex+3A
7310C788  00000000  _endthreadex+E4
74FA3677  00000000  BaseThreadInitThunk+12
77079D42  00000000  RtlInitializeExceptionChain+63
77079D15  00000000  RtlInitializeExceptionChain+36
========================
Local Variables And Parameters

Call stack:
Address   Frame     Function      SourceFile
00789BC2  00000000  WorldSession::SendTrainerList+212
   Local  <user defined> 'guid'
   Local  <user defined> 'strTitle'
   Local  <user defined> 'unit'
punting on symbol count_pos
   Local  <user defined> 'data'
punting on symbol fDiscountMod
   Local  <user defined> 'cSpells'
punting on symbol can_learn_primary_prof
   Local  <user defined> 'tSpells'
punting on symbol count
   Local  <user defined> 'itr'
   Local  <user defined> 'itr'

0078B4FD  00000000  WorldSession::SendTrainerList+7D
   Local  <user defined> 'guid'
   Local  <user defined> 'str'

0053C8C3  00000000  Player::OnGossipSelect+263
   Local  <user defined> 'pSource'
punting on symbol gossipListId
punting on symbol menuId
   Local  <user defined> 'menu_item'
   Local  <user defined> 'gossipmenu'
   Local  <user defined> 'pMenuData'
punting on symbol moneyTake
punting on symbol gossipOptionId
   Local  <user defined> 'guid'

0078A470  00000000  WorldSession::HandleGossipSelectOptionOpcode+370
   Local  <user defined> 'recv_data'
   Local  <user defined> 'code'
punting on symbol menuId
   Local  <user defined> 'guid'

005EFF81  00000000  WorldSession::ExecuteOpcode+21
   Local  <user defined> 'opHandle'
   Local  <user defined> 'packet'

005F4919  00000000  WorldSession::Update+C9
punting on symbol diff
   Local  <user defined> 'updater'
   Local  <user defined> 'packet'

00473598  00000000  World::UpdateSessions+98
punting on symbol diff
   Local  <user defined> 'sess'
   Local  <user defined> 'next'
   Local  <user defined> 'updater'

00474FEF  00000000  World::Update+19F
punting on symbol diff
punting on symbol maxClientsNum

00445E39  00000000  WorldRunnable::run+E9
punting on symbol prevSleepTime

004543E0  00000000  ACE_Based::Thread::ThreadTask+10
punting on symbol param

72F37254  00000000  ACE_OS_Thread_Adapter::invoke+74
punting on symbol status

7310C6DE  00000000  _endthreadex+3A

7310C788  00000000  _endthreadex+E4

74FA3677  00000000  BaseThreadInitThunk+12

77079D42  00000000  RtlInitializeExceptionChain+63

77079D15  00000000  RtlInitializeExceptionChain+36

========================
Global Variables

Update 1: I tried again, and again a crash. I looked at both files and they have the same values, but look.

Revision: * * 10870 1ab7f02529d01e9729f0e6d6f0f98168b98f5ea7
Date 14:12:2010. Time 0:17 
//=====================================================
*** Hardware ***
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+
Number Of Processors: 2
Physical Memory: 2096504 KB (Available: 180408 KB)
Commit Charge Limit: 4193008 KB

*** Operation System ***
Windows Vista or Windows Server 2008 Professional (Version 6.1, Build 7600)

//=====================================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address:  00789BC2 01:00388BC2 C:\Mangos\Compiled_10870\mangosd.exe

Registers:
EAX:00000000
EBX:E8F73D80
ECX:45FF978E
EDX:00000000
ESI:F37056CC
EDI:0000009D
CS:EIP:0023:00789BC2
SS:ESP:002B:084AFC64  EBP:084AFCEC
DS:002B  ES:002B  FS:0053  GS:002B
Flags:00010246

Link to comment
Share on other sites

Program terminated with signal 11, Segmentation fault.
#0  WorldSession::SendTrainerList (this=0x7f26b5cb57c0, guid=..., strTitle=<value optimized out>) at ../../../src/game/NPCHandler.cpp:171
171         data << uint32(cSpells->trainerType ? cSpells->trainerType : tSpells->trainerType);
(gdb) bt
#0  WorldSession::SendTrainerList (this=0x7f26b5cb57c0, guid=..., strTitle=<value optimized out>) at ../../../src/game/NPCHandler.cpp:171
#1  0x0000000000687271 in WorldSession::SendTrainerList (this=0x7f26b5cb57c0, guid=<value optimized out>) at ../../../src/game/NPCHandler.cpp:111
#2  0x0000000000688290 in WorldSession::HandleGossipSelectOptionOpcode (this=0x7f26b5cb57c0, recv_data=<value optimized out>)
   at ../../../src/game/NPCHandler.cpp:385
#3  0x000000000083e700 in WorldSession::ExecuteOpcode (this=0x7f26b5cb57c0, opHandle=<value optimized out>, packet=0x7f26b5cd4c40)
   at ../../../src/game/WorldSession.cpp:921
#4  0x0000000000840fdb in WorldSession::Update (this=0x7f26b5cb57c0, diff=<value optimized out>, updater=...) at ../../../src/game/WorldSession.cpp:261
#5  0x000000000083a6e0 in World::UpdateSessions (this=0x7f26fd3d7900, diff=<value optimized out>) at ../../../src/game/World.cpp:1977
#6  0x000000000083b170 in World::Update (this=0x7f26fd3d7900, diff=54) at ../../../src/game/World.cpp:1491
#7  0x0000000000518fbd in WorldRunnable::run (this=<value optimized out>) at ../../../src/mangosd/WorldRunnable.cpp:60
#8  0x0000000000913a9a in ACE_Based::Thread::ThreadTask (param=0x86d8008) at ../../../src/shared/Threading.cpp:187
#9  0x00007f26ff1cda04 in start_thread () from /lib/libpthread.so.0
#10 0x00007f26fe78bd4d in clone () from /lib/libc.so.6
#11 0x0000000000000000 in ?? ()
(gdb) bt full
#0  WorldSession::SendTrainerList (this=0x7f26b5cb57c0, guid=..., strTitle=<value optimized out>) at ../../../src/game/NPCHandler.cpp:171
       cSpells = 0x7f26ec51ade8
       maxcount = 261
       fDiscountMod = 0.850000024
       can_learn_primary_prof = <value optimized out>
       tSpells = 0x0
       data = {<ByteBuffer> = {static DEFAULT_SIZE = 4096, _rpos = 0, _wpos = 8,
           _storage = {<std::_Vector_base<unsigned char, std::allocator<unsigned char> >> = {
               _M_impl = {<std::allocator<unsigned char>> = {<__gnu_cxx::new_allocator<unsigned char>> = {<No data fields>}, <No data fields>},
                 _M_start = 0x86d8000 "\\372 ", _M_finish = 0x86d8008 "", _M_end_of_storage = 0x86da6fe ""}}, <No data fields>}}, m_opcode = 433}
       count = 755297396
       unit = 0x7f26a17e4100
       count_pos = 47
#1  0x0000000000687271 in WorldSession::SendTrainerList (this=0x7f26b5cb57c0, guid=<value optimized out>) at ../../../src/game/NPCHandler.cpp:111
       str = {static npos = 18446744073709551615,
         _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>},
           _M_p = 0x7f26a1c768a8 "Привет! Готовы к обучению?"}}
#2  0x0000000000688290 in WorldSession::HandleGossipSelectOptionOpcode (this=0x7f26b5cb57c0, recv_data=<value optimized out>)
   at ../../../src/game/NPCHandler.cpp:385
       pGo = 0x7f26a17e4100
       gossipListId = 0
       menuId = 4685
       guid = {m_guid = 17379390982625173754}
       code = {static npos = 18446744073709551615,
         _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0xcbe6d8 ""}}
#3  0x000000000083e700 in WorldSession::ExecuteOpcode (this=0x7f26b5cb57c0, opHandle=<value optimized out>, packet=0x7f26b5cd4c40)
   at ../../../src/game/WorldSession.cpp:921
No locals.
#4  0x0000000000840fdb in WorldSession::Update (this=0x7f26b5cb57c0, diff=<value optimized out>, updater=...) at ../../../src/game/WorldSession.cpp:261
       opHandle = @0x7f26b6562d20
       packet = 0x7f26b5cd4c40
#5  0x000000000083a6e0 in World::UpdateSessions (this=0x7f26fd3d7900, diff=<value optimized out>) at ../../../src/game/World.cpp:1977
       pSession = 0x7f26b5cb57c0
       updater = {<PacketFilter> = {_vptr.PacketFilter = 0x9ec3b0, m_pSession = 0x7f26b5cb57c0}, <No data fields>}
       itr = {<std::tr1::__detail::_Hashtable_iterator_base<std::pair<unsigned int const, WorldSession*>, false>> = {_M_cur_node = 0x4d06b81c,
           _M_cur_bucket = 0xdba63}, <No data fields>}
       sess = <value optimized out>
#6  0x000000000083b170 in World::Update (this=0x7f26fd3d7900, diff=54) at ../../../src/game/World.cpp:1491
       autobroadcaston = 1
#7  0x0000000000518fbd in WorldRunnable::run (this=<value optimized out>) at ../../../src/mangosd/WorldRunnable.cpp:60
       diff = 54
       realCurrTime = <value optimized out>
       realPrevTime = <value optimized out>
       prevSleepTime = 49
#8  0x0000000000913a9a in ACE_Based::Thread::ThreadTask (param=0x86d8008) at ../../../src/shared/Threading.cpp:187
No locals.
#9  0x00007f26ff1cda04 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#10 0x00007f26fe78bd4d in clone () from /lib/libc.so.6
No symbol table info available.
#11 0x0000000000000000 in ?? ()
No symbol table info available.

crash related to http://github.com/mangos/mangos/commit/605ecf175f19883529bf4c39354d2b06da75a46d

Link to comment
Share on other sites

    TrainerSpellData const* cSpells = unit->GetTrainerSpells();
    TrainerSpellData const* tSpells = unit->GetTrainerTemplateSpells();

    if (!cSpells && !tSpells)
    {
        DEBUG_LOG("WORLD: SendTrainerList - Training spells not found for %s", guid.GetString().c_str());
        return;
    }

    uint32 maxcount = (cSpells ? cSpells->spellList.size() : 0) + (tSpells ? tSpells->spellList.size() : 0);

    WorldPacket data( SMSG_TRAINER_LIST, 8+4+4+maxcount*38 + strTitle.size()+1);
    data << ObjectGuid(guid);
    data << uint32(cSpells->trainerType ? cSpells->trainerType : tSpells->trainerType);

Something is wrong with the last line: we use cSpells->trainerType without being sure it's not NULL.

data << uint32(cSpells && cSpells->trainerType ? cSpells->trainerType : tSpells->trainerType);

might be better?

Link to comment
Share on other sites

Fixed in [10873]. In fact, exactly what Toinan67 suggested, but before looking at the thread content in depth. Anyway, thank you for the report and thank you for the patch :)

The crash is possible only if a trainer has template-only spells, so I'm glad to see the new feature used so quickly ;)

[added] About how to better select the trainer type: currently we use only 2 values, 0 and 2, in this place.

Without a need to support additional values, it is unclear how to better check it. The current way works for the current state: we need to use 2 if specific spells are listed in the full common list.

Link to comment
Share on other sites
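
The trainer-type expression from this thread in its original form, its cSpells-guarded form, and a form that checks both pointers, as an added example that is not code from the thread or from the MaNGOS source. It models which (cSpells, tSpells) pairs make each form dereference a null pointer, including the cSpells non-null / tSpells = 0x0 pair shown in the gdb locals above; TrainerSpellData is a minimal stand-in, and wouldDerefNull and selectTrainerType are hypothetical names.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the server's TrainerSpellData (assumption: only the two
// members the quoted snippet touches are modelled).
struct TrainerSpellData {
    std::vector<uint32_t> spellList;
    uint32_t trainerType = 0;
};

enum class Variant { Original, CSpellsGuard, BothGuarded };

// True if the trainer-type expression of this variant would dereference a
// null pointer for the given pair. The unsafe expressions are modelled
// branch by branch, never executed.
bool wouldDerefNull(Variant v, const TrainerSpellData* c, const TrainerSpellData* t) {
    switch (v) {
    case Variant::Original:      // cSpells->trainerType ? ... : tSpells->trainerType
        return !c || (c->trainerType == 0 && !t);
    case Variant::CSpellsGuard:  // cSpells && cSpells->trainerType ? ... : tSpells->trainerType
        return !(c && c->trainerType != 0) && !t;
    case Variant::BothGuarded:   // selectTrainerType() below
        return false;
    }
    return false;
}

// Guarded selection (hypothetical helper): a non-zero type from cSpells wins,
// then whatever tSpells holds, else 0. Never touches a null pointer.
uint32_t selectTrainerType(const TrainerSpellData* c, const TrainerSpellData* t) {
    if (c && c->trainerType) return c->trainerType;
    return t ? t->trainerType : 0;
}

int main() {
    TrainerSpellData typed;  typed.trainerType = 2;  // constructed sample data
    TrainerSpellData zero;                           // trainerType == 0
    const TrainerSpellData* cases[][2] = {
        {nullptr, &typed}, {&zero, nullptr}, {&zero, &typed}, {&typed, nullptr}};
    for (auto& p : cases)
        std::printf("c=%-4s t=%-4s original=%d cGuard=%d guarded=%d type=%u\n",
                    p[0] ? "set" : "null", p[1] ? "set" : "null",
                    wouldDerefNull(Variant::Original, p[0], p[1]),
                    wouldDerefNull(Variant::CSpellsGuard, p[0], p[1]),
                    wouldDerefNull(Variant::BothGuarded, p[0], p[1]),
                    static_cast<unsigned>(selectTrainerType(p[0], p[1])));
    return 0;
}
```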
