-
WoW 1.12.1 Null Pointer Exception on Cthun, tracking down the issue
Hey guys, I've been playing on Lightshope and my guild keeps running into critical errors on Cthun. Right when the Giant Claw spawns, it seems everyone in visual range gets a critical error after it uses Trample.
The crash occurs at 00671D43 with this stack trace:
Code:
00671D43 0019FAAC 0001:00270D43 E:\WoW_Classic\_WoW.exe
006AACA8 0019FB6C 0001:002A9CA8 E:\WoW_Classic\_WoW.exe
006AA911 0019FBBC 0001:002A9911 E:\WoW_Classic\_WoW.exe
0067233E 0019FBDC 0001:0027133E E:\WoW_Classic\_WoW.exe
00633B4B 0019FCD8 0001:00232B4B E:\WoW_Classic\_WoW.exe
00634152 0019FD44 0001:00233152 E:\WoW_Classic\_WoW.exe
00616D1B 0019FD70 0001:00215D1B E:\WoW_Classic\_WoW.exe
00616F3E 0019FDCC 0001:00215F3E E:\WoW_Classic\_WoW.exe
00616707 0019FDF8 0001:00215707 E:\WoW_Classic\_WoW.exe
00615B6F 0019FE18 0001:00214B6F E:\WoW_Classic\_WoW.exe
00616840 0019FE58 0001:00215840 E:\WoW_Classic\_WoW.exe
00420FDA 0019FE7C 0001:0001FFDA E:\WoW_Classic\_WoW.exe
00420D68 0019FED8 0001:0001FD68 E:\WoW_Classic\_WoW.exe
00420BF1 0019FEF0 0001:0001FBF1 E:\WoW_Classic\_WoW.exe
0040411E 0019FF80 0001:0000311E E:\WoW_Classic\_WoW.exe
749A8744 0019FF94 0001:00008744 C:\WINDOWS\System32\KERNEL32.DLL
77CA582D 0019FFDC 0001:0006482D C:\WINDOWS\SYSTEM32\ntdll.dll
77CA57FD 0019FFEC 0001:000647FD C:\WINDOWS\SYSTEM32\ntdll.dll
The cause of the crash seems to be a pointer from ebp+var_4:
Code:
.text:00671D3D mov eax, [ebp+var_4]
.text:00671D40 mov edx, [ebx-16h]
.text:00671D43 movzx eax, word ptr [eax] ; cthun critical
Which I believe is coming from 00671CF3:
Code:
.text:00671CF3 mov ebx, offset unk_C62566
.text:00671CF8
.text:00671CF8 loc_671CF8: ; CODE XREF: cthun_crash_root+204j
.text:00671CF8 cmp [ebx], dx
.text:00671CFB mov ecx, [ebx-0Ah]
.text:00671CFE mov [ebp+var_4], ecx
Which would put our null pointer at unk_C62566 - 0Ah?
At this point I'm unsure where to continue - I need to get a live crash in IDA during Cthun, but I'm not sure if I'll get a chance on a live server. Has anyone experienced this crash, or poked around in this area of WoW's memory and know what's going on? If I had to hazard a guess, I'd say it has to do with the spell animations.
My snooping has led me to this topic https://us.battle.net/forums/en/wow/topic/1648732450#1 about making WoW "large address aware". The error is a null pointer; however, there is a call at 00671D16 before the crash. The sub does not take unk_C62566-0Ah, however, so I'm not certain of the relation.
Code:
.text:00671D01 mov [ebp+var_14], edx
.text:00671D04 jbe loc_671EB2
.text:00671D0A lea ebx, [ebx+0]
.text:00671D10
.text:00671D10 loc_671D10: ; CODE XREF: cthun_crash_root+1EAj
.text:00671D10 push 1
.text:00671D12 push 1
.text:00671D14 mov ecx, esi
.text:00671D16 call fn_AUCFacetTempest
And in this fn_AUCFacetTempest it references "AUCFacet@NTempest@@", which seems to be a keyword for addon memory exceptions.
Last edited by flawblure; 03-12-2018 at 07:15 AM.
-
I can't explain the crash, but I can explain a bit what is going on here in this stack trace. This is a copy/paste of your stack trace with function names inserted:
Code:
00671D43 0019FAAC 0001:00270D43 E:\WoW_Classic\_WoW.exe
006AACA8 0019FB6C 0001:002A9CA8 E:\WoW_Classic\_WoW.exe
006AA911 0019FBBC 0001:002A9911 E:\WoW_Classic\_WoW.exe
0067233E 0019FBDC 0001:0027133E E:\WoW_Classic\_WoW.exe
00633B4B 0019FCD8 0001:00232B4B E:\WoW_Classic\_WoW.exe
00634152 0019FD44 0001:00233152 E:\WoW_Classic\_WoW.exe
00616D1B 0019FD70 0001:00215D1B E:\WoW_Classic\_WoW.exe CMovement::SimpleRequestMove
00616F3E 0019FDCC 0001:00215F3E E:\WoW_Classic\_WoW.exe CMovement::ApplyMovement
00616707 0019FDF8 0001:00215707 E:\WoW_Classic\_WoW.exe CMovement::ExecuteMovement
00615B6F 0019FE18 0001:00214B6F E:\WoW_Classic\_WoW.exe CMovement::MoveUnits
00616840 0019FE58 0001:00215840 E:\WoW_Classic\_WoW.exe MovementIdleMoveUnits
00420FDA 0019FE7C 0001:0001FFDA E:\WoW_Classic\_WoW.exe SynthesizeIdle
00420D68 0019FED8 0001:0001FD68 E:\WoW_Classic\_WoW.exe SchedulerThreadProc
00420BF1 0019FEF0 0001:0001FBF1 E:\WoW_Classic\_WoW.exe IEvtSchedulerProcess
0040411E 0019FF80 0001:0000311E E:\WoW_Classic\_WoW.exe WinMain
The client reads movement into a buffer for later processing. This is that delayed processing. Basically, you are receiving a bad movement packet for a unit, possibly the Giant Claw.
-
-
Originally Posted by namreeb
...
Code:
00671D43 0019FAAC 0001:00270D43 E:\WoW_Classic\_WoW.exe
006AACA8 0019FB6C 0001:002A9CA8 E:\WoW_Classic\_WoW.exe
006AA911 0019FBBC 0001:002A9911 E:\WoW_Classic\_WoW.exe
0067233E 0019FBDC 0001:0027133E E:\WoW_Classic\_WoW.exe
00633B4B 0019FCD8 0001:00232B4B E:\WoW_Classic\_WoW.exe
00634152 0019FD44 0001:00233152 E:\WoW_Classic\_WoW.exe
00616D1B 0019FD70 0001:00215D1B E:\WoW_Classic\_WoW.exe CMovement::SimpleRequestMove
00616F3E 0019FDCC 0001:00215F3E E:\WoW_Classic\_WoW.exe CMovement::ApplyMovement
00616707 0019FDF8 0001:00215707 E:\WoW_Classic\_WoW.exe CMovement::ExecuteMovement
00615B6F 0019FE18 0001:00214B6F E:\WoW_Classic\_WoW.exe CMovement::MoveUnits
00616840 0019FE58 0001:00215840 E:\WoW_Classic\_WoW.exe MovementIdleMoveUnits
00420FDA 0019FE7C 0001:0001FFDA E:\WoW_Classic\_WoW.exe SynthesizeIdle
00420D68 0019FED8 0001:0001FD68 E:\WoW_Classic\_WoW.exe SchedulerThreadProc
00420BF1 0019FEF0 0001:0001FBF1 E:\WoW_Classic\_WoW.exe IEvtSchedulerProcess
0040411E 0019FF80 0001:0000311E E:\WoW_Classic\_WoW.exe WinMain
...
Code:
00671D43 0019FAAC 0001:00270D43 E:\WoW_Classic\_WoW.exe CWorld::TriDataToFacetData
006AACA8 0019FB6C 0001:002A9CA8 E:\WoW_Classic\_WoW.exe CMap::GetFacetsMapObjs
006AA911 0019FBBC 0001:002A9911 E:\WoW_Classic\_WoW.exe CMap::GetFacets
0067233E 0019FBDC 0001:0027133E E:\WoW_Classic\_WoW.exe CWorld::GetFacets
00633B4B 0019FCD8 0001:00232B4B E:\WoW_Classic\_WoW.exe CMovement::GetMoveFacets
00634152 0019FD44 0001:00233152 E:\WoW_Classic\_WoW.exe CMovement_C::CollideRequestMove
...
-
Saridormi (1 members gave Thanks to tutrakan for this useful post)