Mind Vision has Aura Effect SPELL_AURA_BIND_SIGHT which adds the target to a special Map container i_objectsToSwitch, used to switch grid containers for target Creatures of this Aura Effect.
When the target is a Creature and the Creature is removed from the world, it's added to i_objectsToSwitch and then to i_objectsToRemove, which are iterated in this order in Map::RemoveAllObjectsInRemoveList(), so the reference in i_objectsToSwitch is valid.
When the target is a Player and the Player logs out, it's added to i_objectsToSwitch, but then Map::RemovePlayerFromMap() deletes the Player, leaving an invalid reference in i_objectsToSwitch.
Since the whole point of i_objectsToSwitch is to store Creatures and since the stored references are used only if the condition "GetTypeId() == TYPEID_UNIT" is verified, it's safe to add only objects of TYPEID_UNIT type to the container.
Valgrind log:
Invalid read of size 4
at 0xC52332: Object::GetTypeId() const (Object.h:140)
by 0xF540D3: Map::RemoveAllObjectsInRemoveList() (Map.cpp:2136)
by 0xF53CD2: Map::DelayedUpdate(unsigned int) (Map.cpp:2087)
by 0xF639B1: MapManager::Update(unsigned int) (MapManager.cpp:292)
by 0x107CB40: World::Update(unsigned int) (World.cpp:2025)
by 0xBEB263: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0x1213792: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x515EA35: ACE_OS_Thread_Adapter::invoke() (in /usr/lib/libACE-6.0.3.so)
by 0x5F19F8D: start_thread (pthread_create.c:311)
by 0x6A46E1C: clone (clone.S:113)
Address 0x401eacac is 12 bytes inside a block of size 11,736 free'd
at 0x4C2B59C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0xD80239: Player::~Player() (Player.cpp:915)
by 0xF4D5A2: void Map::DeleteFromWorld<Player>(Player*) (Map.cpp:319)
by 0xF4EBBB: Map::RemovePlayerFromMap(Player*, bool) (Map.cpp:687)
by 0xFCC18D: WorldSession::LogoutPlayer(bool) (WorldSession.cpp:531)
by 0xF1EDD5: WorldSession::HandleLogoutRequestOpcode(WorldPacket&) (MiscHandler.cpp:403)
by 0xFCAE37: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0x107EBC6: World::UpdateSessions(unsigned int) (World.cpp:2615)
by 0x107C94B: World::Update(unsigned int) (World.cpp:1978)
by 0xBEB263: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0x1213792: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x515EA35: ACE_OS_Thread_Adapter::invoke() (in /usr/lib/libACE-6.0.3.so)
Fix GuildMember flags left uninitialized when creating a new guild.
Valgrind log:
Conditional jump or move depends on uninitialised value(s)
at 0xEE49CE: Guild::Member::WritePacket(WorldPacket&) const (Guild.cpp:714)
by 0xEE721E: Guild::HandleRoster(WorldSession*) (Guild.cpp:1314)
by 0xEE9EBA: Guild::SendLoginInfo(WorldSession*) (Guild.cpp:1920)
by 0xEEB689: Guild::AddMember(unsigned long, unsigned char) (Guild.cpp:2230)
by 0xEE6A09: Guild::Create(Player*, std::string const&) (Guild.cpp:1199)
by 0x12A71F9: guild_commandscript::HandleGuildCreateCommand(ChatHandler*, char const*) (cs_guild.cpp:92)
by 0xC47DBE: ChatHandler::ExecuteCommandInTable(ChatCommand*, char const*, std::string const&) (Chat.cpp:362)
by 0xC47C23: ChatHandler::ExecuteCommandInTable(ChatCommand*, char const*, std::string const&) (Chat.cpp:343)
by 0xC488C4: ChatHandler::ParseCommands(char const*) (Chat.cpp:489)
by 0x1188EE3: WorldSession::HandleMessagechatOpcode(WorldPacket&) (ChatHandler.cpp:217)
by 0xFCAE37: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0x107EBC6: World::UpdateSessions(unsigned int) (World.cpp:2615)
Modify how InstanceSave is deleted so the local mutex can be released before deleting the class itself.
Valgrind log:
Invalid read of size 4
at 0x662662B: __pthread_mutex_unlock_usercnt (pthread_mutex_unlock.c:52)
by 0x55D3C55: ACE_OS::mutex_unlock(pthread_mutex_t*) (OS_NS_Thread.cpp:2335)
by 0xB20057: Player::CleanupsBeforeDelete(bool) (OS_NS_Thread.inl:3519)
by 0xD0E2FA: WorldSession::LogoutPlayer(bool) (WorldSession.cpp:527)
by 0xC66D34: WorldSession::HandleLogoutRequestOpcode(WorldPacket&) (MiscHandler.cpp:403)
by 0xD0EA82: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0xD9AD66: World::UpdateSessions(unsigned int) (World.cpp:2615)
by 0xD9BEC4: World::Update(unsigned int) (World.cpp:1978)
by 0xA035E5: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0xEC8D39: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:183)
by 0x55D7555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
by 0x6622B4F: start_thread (pthread_create.c:304)
Address 0x1884bb08 is 56 bytes inside a block of size 104 free'd
at 0x4C279DC: operator delete(void*) (vg_replace_malloc.c:457)
by 0xC9D533: InstanceSaveManager::RemoveInstanceSave(unsigned int) (InstanceSaveMgr.cpp:159)
by 0xC9E826: InstanceSave::UnloadIfEmpty() (InstanceSaveMgr.cpp:238)
by 0xB2003E: Player::CleanupsBeforeDelete(bool) (InstanceSaveMgr.h:84)
by 0xD0E2FA: WorldSession::LogoutPlayer(bool) (WorldSession.cpp:527)
by 0xC66D34: WorldSession::HandleLogoutRequestOpcode(WorldPacket&) (MiscHandler.cpp:403)
by 0xD0EA82: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0xD9AD66: World::UpdateSessions(unsigned int) (World.cpp:2615)
by 0xD9BEC4: World::Update(unsigned int) (World.cpp:1978)
by 0xA035E5: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0xEC8D39: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:183)
by 0x55D7555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
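As an added example (not TrinityCore's InstanceSave code) of the lock-lifetime bug this commit describes, a hypothetical Save/SaveManager pair where UnloadIfEmpty() lets the guard on its own mutex go out of scope before the manager deletes the object; it assumes callers are serialised by a single update thread, since the check and the delete happen in separate scopes.

```cpp
#include <cstdint>
#include <map>
#include <mutex>
// Hypothetical sketch (not TrinityCore's InstanceSave code) of the lock-lifetime bug:
// an object must not be deleted while a guard on its own mutex is still in scope.
class SaveManager;
class Save
{
public:
    Save(SaveManager& mgr, uint32_t id) : _mgr(mgr), _id(id), _players(0) { }
    void AddPlayer()    { std::lock_guard<std::mutex> g(_lock); ++_players; }
    void RemovePlayer() { std::lock_guard<std::mutex> g(_lock); if (_players) --_players; }
    bool UnloadIfEmpty();   // true when the save was removed; *this is gone afterwards
private:
    SaveManager& _mgr;
    uint32_t _id;
    uint32_t _players;
    std::mutex _lock;
};
class SaveManager
{
public:
    Save* Create(uint32_t id) { Save* s = new Save(*this, id); _saves[id] = s; return s; }
    void RemoveSave(uint32_t id) { auto it = _saves.find(id); if (it != _saves.end()) { delete it->second; _saves.erase(it); } }
    bool Empty() const { return _saves.empty(); }
private:
    std::map<uint32_t, Save*> _saves;
};
bool Save::UnloadIfEmpty()
{
    bool empty;
    {   // Buggy shape: `lock_guard g(_lock); if (!_players) _mgr.RemoveSave(_id);` deletes
        // *this inside the locked scope, so g's destructor unlocks a freed mutex (the
        // "Invalid read ... free'd" above). Fixed: decide under the lock, then delete.
        std::lock_guard<std::mutex> g(_lock);
        empty = (_players == 0);
    }
    if (empty)
        _mgr.RemoveSave(_id);   // no member of *this may be touched after this line
    return empty;
}
// Last player logs out, the save unloads and leaves the manager (single-threaded check).
bool LastLogoutUnloadsSave()
{
    SaveManager mgr;
    Save* s = mgr.Create(1);
    s->AddPlayer(); s->RemovePlayer();
    bool unloaded = s->UnloadIfEmpty();   // s is dangling afterwards and never dereferenced
    return unloaded && mgr.Empty();
}
```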
m_MonthlyQuestChanged was initialized only when loading a Player from DB and left uninitialized when creating a new Player.
Valgrind log:
Conditional jump or move depends on uninitialised value(s)
at 0x1148E2A: Player::_SaveMonthlyQuestStatus(Trinity::AutoPtr<Transaction, ACE_Thread_Mutex>&) (Player.cpp:19694)
by 0x1146510: Player::SaveToDB(bool) (Player.cpp:19191)
by 0x14F5D5C: WorldSession::HandleCharCreateCallback(Trinity::AutoPtr<PreparedResultSet, ACE_Thread_Mutex>, CharacterCreateInfo*) (CharacterHandler.cpp:660)
Closes #10620
Signed-off-by: Nay <dnpd.dd@gmail.com>
Initialized UpdateMask::_bits to NULL in all constructors.
The UpdateMask(UpdateMask const& right) constructor sets the field count with the SetCount() method before any field initialization. This means that SetCount() will call delete[] on the uninitialized _bits pointer field, leading to undefined behavior.
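Added example, not TrinityCore's UpdateMask: a simplified BitMask with the same SetCount()-in-copy-constructor shape, where the initializer list guarantees _bits is nullptr before delete[] ever sees it.

```cpp
#include <cstdint>
#include <cstring>
// Simplified stand-in for UpdateMask (hypothetical, not TrinityCore's class) showing why every
// constructor must initialise _bits before SetCount() runs: SetCount() begins with delete[] _bits.
class BitMask
{
public:
    BitMask() : _fieldCount(0), _blockCount(0), _bits(nullptr) { }
    // Buggy shape from the commit: `BitMask(BitMask const& right) { SetCount(right._fieldCount); ... }`
    // with no initializer list, so delete[] ran on whatever garbage _bits held.
    // Fixed shape: the initializer list runs before the body, so delete[] sees nullptr.
    BitMask(BitMask const& right) : _fieldCount(0), _blockCount(0), _bits(nullptr)
    {
        SetCount(right._fieldCount);
        if (_blockCount)
            std::memcpy(_bits, right._bits, _blockCount * sizeof(uint32_t));
    }
    ~BitMask() { delete[] _bits; }
    BitMask& operator=(BitMask const&) = delete;   // a shallow default copy would double-free _bits
    void SetCount(uint32_t fieldCount)
    {
        delete[] _bits;                            // requires _bits to be nullptr or a live array
        _fieldCount = fieldCount;
        _blockCount = (fieldCount + 31) / 32;
        _bits = new uint32_t[_blockCount]();       // value-initialised: all bits cleared
    }
    void SetBit(uint32_t index)        { _bits[index >> 5] |= 1u << (index & 31); }
    bool GetBit(uint32_t index) const  { return (_bits[index >> 5] & (1u << (index & 31))) != 0; }
    uint32_t GetCount() const          { return _fieldCount; }
    uint32_t GetBlockCount() const     { return _blockCount; }
private:
    uint32_t _fieldCount;
    uint32_t _blockCount;
    uint32_t* _bits;
};
// Copies a populated mask and an empty one; true when both copies carry the source's state.
bool CopyRoundTrip()
{
    BitMask a;
    a.SetCount(40);
    a.SetBit(3); a.SetBit(39);
    BitMask b(a);
    BitMask e;
    BitMask f(e);
    return b.GetCount() == 40 && b.GetBlockCount() == 2 && b.GetBit(3) && b.GetBit(39)
        && !b.GetBit(4) && f.GetCount() == 0 && f.GetBlockCount() == 0;
}
```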
Remove mutex from BigNumber class - it didn't do what it was advertised to do - consider using the "locked" array outside of the function in which it was "locked".
On current clean TDB, there are a total of 106 creatures using SMART_EVENT_FRIENDLY_HEALTH (non-PCT) which has a flat first parameter, but only 8 of these use the event correctly (and therefore only 8 of them actually work).
Closes #10520