SetPlayerModel Crash when you have too much .ymts assigned to a freemode ped model

FumaPraQue · December 24, 2020, 10:56pm

Client (production/canary) and FXServer version

Client: Both | Server: Any?

What you expected to happen

To not crash when i use SetPlayerModel on a freemode ped model with extra 5/7/15 [B2372/B2189/B1604] ymts assigned to it.

What actually happens

It crashes when you assign 5/7/15 [B2372/B2189/B1604] extra ymts to a freemode ped model and uses the SetPlayerModel native.

Category of bug (eg. client, server, weapons, peds, native)

Client/Peds

Reproducible steps, preferably with example script(s)
Start the repro resource according to your game build, and use the SetPlayerModel native with any GTA:O freemode ped (mp_m_freemode_01 or mp_f_freemode_01) to see the crash ocurring.

Repro resource (B2372 only): CrashClothes2372.rar (7.8 KB)
Repro resource (B2189 only): CrashClothes.rar (12.2 KB)
Repro resource (B1604 only): CrashClothes1604.rar (22.5 KB)

Crash image on B2372:

Crash image on B2189:

Crash image on B1604:

B1604: Limit of extra .ymts assigned to a freemode ped: 14 (15+ will crash)
B2189: Limit of extra .ymts assigned to a freemode ped: 6 (7+ will crash)
B2372: Limit of extra .ymts assigned to a freemode ped: 4 (5+ will crash)

Crash hashes for each game build:
B1604: oven-happy-sad || GTA5.exe!sub_1406B14FC (0xf)
B2189: earth-august-saturn || FiveM_b2189_GTAProcess.exe!sub_1406D21B0 (0xf)
B2372: yellow-stairway-december || FiveM_b2372_GTAProcess.exe!sub_14070E7A8 (0xf)

Even mp_creaturesmetadata ymts will count on this crash, thats why on B2189 the limit has decreased in 8 units, due to the addition of mpvinewood, mpheist3, mpsummer & mpheist4 (each one adding 2 ymts).
And in the B2372, the limit has decreased in 2 units (in comparison to the B2189) due to the mptuner addition.

vasconcego · January 5, 2021, 11:33pm

Did you manage to solve it somehow? I also noticed that this is happening

FumaPraQue · February 7, 2021, 9:01pm

B1604 has that limit too, but it’s pretty higher than B2189. Today i hit the crash with 15 addon clothes packs, while B2189 it’s occur when i hit 7 or more. So it’s not related only to B2189.

Log on B1604:

InvokeNative: execution failed: Error executing native 0x00a1cadd00108836 at address 0x1407a0b54.
SCRIPT ERROR: Execution of native 00a1cadd00108836 in script host failed: Error executing native 0x00a1cadd00108836 at address 0x1407a0b54.^7
SetPlayerModel^7 (^5SetPlayerModel.lua^7:7)

Marius_Neuronis · February 7, 2021, 9:42pm

The same thing is happening to me, every time I try to put on men’s addon clothes it crashes me but the women’s doesn’t

[    243609] [b2060_GTAProce]             MainThrd/ InvokeNative: execution failed: Error executing native 0x00a1cadd00108836 at address 0x1407baccc.
[    243609] [b2060_GTAProce]             MainThrd/ ^1SCRIPT ERROR: Execution of native 00a1cadd00108836 in script host failed: Error executing native 0x00a1cadd00108836 at address 0x1407baccc.^7
[    243609] [b2060_GTAProce]             MainThrd/ ^3> SetPlayerModel^7 (^5SetPlayerModel.lua^7:7)
[    243625] [b2060_GTAProce]             MainThrd/ ^3> fn^7 (^5@spawnmanager/spawnmanager.lua^7:263)
[    243625] [b2060_GTAProce]             MainThrd/ InvokeNative: execution failed: Error executing native 0xe0a7d1e497ffcd6f at address 0x14060d1e5.
[    243640] [b2060_GTAProce]             MainThrd/ ^1SCRIPT ERROR: Execution of native e0a7d1e497ffcd6f in script host failed: Error executing native 0xe0a7d1e497ffcd6f at address 0x14060d1e5.^7
[    243640] [b2060_GTAProce]                23440/ ResourceCache::AddEntry: Saved cache:v1:7296d8241e68bfa46f5c17c01e32044bbc12e264 to the index cache.
[    243640] [b2060_GTAProce]             MainThrd/ ^3> SetPlayerWantedLevelNow^7 (^5SetPlayerWantedLevelNow.lua^7:5)
[    243640] [b2060_GTAProce]             MainThrd/ ^3> fn^7 (^5@av_D-Dispatch/client.lua^7:92)

FumaPraQue · February 26, 2021, 3:22am

New informations i got after doing some research:

The crash is not related to the amount of Clothes packs loaded. It’s related to the amount of .ymts assigned to a ped model. Even mp_creaturesmetadata ymts will cause that crash.
It’s not related only to B2189, it’s can happen too on B1604. The difference is: On newer builds, the amount of ymts already assigned to MP Peds are higher than in older builds. For example: Cayo Perico Build has 8 more ymts assigned to every MP Ped than B1604 (4 CPedVariationInfo & 4 CCreatureMetaData) due to the last 4 DLCs added into the game (Diamond Casino, Casino Heist, Summer & Cayo Perico). So, i added a new repro resource to B1604 too.

Hope those infos can help in order to trace that.

nta · February 26, 2021, 7:35am

Appears to be a case of rage::fwMetaDataStore (.#mt streaming module) not having loaded some specific requested metadata file, but the game assuming it would have.

Might just be a maximum size in some request list.

nta · February 26, 2021, 7:42am

… oh, no, don’t say this is fwArchetypeStreamingModule::GetDependencies (overridden as CModelInfoStreamingModule) ending up with a maximum amount? This metadata store entry is also used from the resource-paged-in callback in CPedModelInfo, so that’d imply this metadata has to be loaded before the MI is loaded…

nta · February 26, 2021, 7:45am

Correct. A CPedModelInfo gets some long list of .#mt files added as dependency before streaming in, and despite Rockstar’s best efforts to pass a limit of 80 (direct and indirect?) dependencies to this fetch in rage::strRequestMgr::RequestObject, I guess that’s… not enough.

nta · February 26, 2021, 8:01am

Not sure if this is trivial to fix, stack-allocated bits and I’m really not feeling like having a function with this many downstream dependencies change its stack frame size leading to exception handling getting really confused.

nta · February 26, 2021, 11:15am

Done.

FumaPraQue · February 26, 2021, 12:38pm

Thanks. I tested it on B1604 and it’s working nicely.

One question: Is this fix supposed to be working on B2189 too? I tested both builds, and the game still crashing on B2189, but now with a different crash than the previous reported one:

Dump file generated: 57abf15e-67a7-41f7-8398-7e0ebc98b8e4.dmp (5.1 MB)

nta · February 26, 2021, 12:38pm

Might be hitting another limit there, maybe.

FumaPraQue · February 26, 2021, 12:46pm

Yeah, really seems. I tested the previous repro resource to B2189 and it is not causing that new crash. I’m looking into it to know what is causing it to provide a new repro resource for that.

FumaPraQue · February 26, 2021, 12:53pm

This repro resource to B1604 is now triggering that new crash on B2189. (Difference between those repro resources: The B1604 one has more .ymts & .metas than the B2189).

nta · February 26, 2021, 1:52pm

Right, seems there’s way more places with the 80 item limit, many of which not trivial to patch.

nta · February 26, 2021, 1:56pm

Might’ve found another workaround here.

FumaPraQue · February 26, 2021, 3:03pm

Both builds are working properly now. Thanks!

nta · March 1, 2021, 8:06am

This fix and the other one have been backed out since a number of servers were having new, unreproducible crashes with remarkably high prevalence.

Honza147_Vu · March 1, 2021, 9:56am

Hi, could you make this FIX again? Since we are also having this issue, and now when we join our server, we get instant crash. I dont think this one issue could be the one that making other crash? We tested it on canary version of FiveM and did not have any issues. Thank you.

FumaPraQue · March 1, 2021, 2:17pm

Oh, it’s sad but i understand. If you want to test another fix approach someday, i will be here to help testing it!