Dev Crit hook causing segfault

[mrtizmo]

The Dev Crit hook was added in this commit:

d1b8c89

In my local VM that code seems to work fine. However, when I run nwn on our hosted environment (esxi) I always get a segfault in that code. The NWNX modules are loaded in a different order on the hosted environment too, if that matters.

The symptom is that in a module on the hosted environment, if a PC uses a weapon like a longsword, as soon as the PC attacks any NPC/creature, then nwserver segfaults.

Ubuntu 16.04 32bit VM for both hosted VM and local VM

Here is some output from debugging in GDB:

$ gdb --args ./nwserver -publicserver 0 -servername "tester" -port 5142 -dmpassword dmpass -playerpassword playerpass -oneparty 0 -pvp 2 -difficulty 3 -elc 0 -ilr 0 -reloadwhenempty 0 -module "mymodule" -maxclients 14 -servervault 0 -maxlevel 40 -gametype 0 -autosaveinterval 0
(gdb) set exec-wrapper env 'LD_PRELOAD=./nwnx2.so' 'LD_LIBRARY_PATH=lib/:$LD_LIBRARY_PATH'
(gdb) run

Thread 1 "nwserver" received signal SIGSEGV, Segmentation fault.
0x672f4dec in ?? ()
(gdb) backtrace
#0  0x672f4dec in ?? ()
#1  0xb7a0b0f0 in CNWSCreatureStats__GetEpicWeaponDevastatingCritical_hook(CNWSCreatureStats*, CNWSItem*) ()
   from ./nwnx_events.so
#2  0x080ed086 in CNWSCreature::ResolvePostMeleeDamage(CNWSObject *) ()
#3  0x080e9a28 in CNWSCreature::ResolveMeleeAttack(CNWSObject *, int, int) ()
#4  0x080e6fd9 in CNWSCreature::ResolveAttack(unsigned long, int, int) ()
#5  0x080e687d in CNWSCreature::AIActionAttackObject(CNWSObjectActionNode *) ()
#6  0x081c264e in CNWSObject::RunActions(unsigned long, unsigned long, unsigned long long) ()
#7  0x08119285 in CNWSCreature::AIUpdate(void) ()
#8  0x08096161 in CServerAIMaster::UpdateState(void) ()
#9  0x080a0530 in CServerExoAppInternal::MainLoop(void) ()
#10 0xb7f7a4ea in Hook_MainLoopInner(void*) () from ./nwnx2.so
#11 0x0804bbe7 in main ()

(gdb) i r
eax            0xb7a12320       -1214176480
ecx            0xdc7f8f0        231209200
edx            0xb7a12320       -1214176480
ebx            0x1      1
esp            0xbfffebac       0xbfffebac
ebp            0xbfffebf8       0xbfffebf8
esi            0x11a80910       296225040
edi            0x11a2bba0       295877536
eip            0x672f4dec       0x672f4dec
eflags         0x10296  [ PF AF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

(gdb) x/10i &d_ret_code_dc
 0xb7a12320 <d_ret_code_dc>:  jmp    0x672f4dec
 0xb7a12325 <d_ret_code_dc+5>:        or     %cl,-0x2a97f3bb(%ebx)
 0xb7a1232b <d_ret_code_dc+11>:       insb   (%dx),%es:(%edi)
 0xb7a1232c <d_ret_code_dc+12>:       adc    $0xc308,%eax
 0xb7a12331 <d_ret_code_dc+17>:       add    %al,(%eax)
 0xb7a12333 <d_ret_code_dc+19>:       add    %al,(%eax)
 0xb7a12335 <d_ret_code_dc+21>:       add    %al,(%eax)
 0xb7a12337 <d_ret_code_dc+23>:       add    %al,(%eax)
 0xb7a12339 <d_ret_code_dc+25>:       add    %al,(%eax)
 0xb7a1233b <d_ret_code_dc+27>:       add    %al,(%eax)

(gdb) x/10i 0x08156ccc
 0x8156ccc <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem>: push   $0xb7a0b0bb
 0x8156cd1 <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem+5>:       ret
 0x8156cd2 <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem+6>:       mov    0xc(%ebp),%eax
 0x8156cd5 <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem+9>:       test   %eax,%eax
 0x8156cd7 <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem+11>:      mov    0x8(%ebp),%edx
 0x8156cda <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem+14>:      je
 0x8156f60 <GetEpicWeaponDevastatingCritical__17CNWSCreatureStatsP8CNWSItem+660>

I compared the content of instructions in d_ret_code_dc between running the module on my hosted environment vs my local environment, and it seems that the code being placed into there on the hosted environment is just garbage. As you can see, it wants to jump to a bogus address.

I had to comment out these Dev Crit hook changes to get things working again.

[Christian-Vassallo]

Confirmed.