Version = 1.5.8-release-20704.0.000
Time = Tue Nov 10 13:49:11 2020
Module = F:\steamapps\steamapps\common\Grand Theft Auto San Andreas\gta_sa.exe
Code = 0xC0000005
Offset = 0x00009CFC
EAX=0000003C EBX=00000000 ECX=00000000 EDX=0001A602 ESI=00000003
EDI=00000003 EBP=0177F918 ESP=0177F8EC EIP=00409CFC FLG=00210283
CS=0023 DS=002B SS=002B ES=002B FS=0053 GS=002B
Did not test other versions.
I couldn't reproduce it. There's no crash for me. Tested on my local server.
MTA:SA Server v1.5.8-release-20704
Multi Theft Auto v1.5.8-release-20704
The server I tried on was Prime Freeroam. As well, here's a replication from someone in our help channel.
https://cdn.discordapp.com/attachments/278521065435824128/775838171564081192/crash.mp4
1.5.8-20724 normal flight
I have a crash with some servers. Maybe related to engineRestreamWorld.
Did not test other versions
The crash was first seen in r20704, so it's definitely a recently introduced bug. More than 150 users have crashed on that nightly (let alone what would happen if it exists nightly).
There is something weird though... all of my IDBs claim that offset is CStreaming::SetMissionDoesntRequireModel, but how does it make sense for MTA to use single-player mission-related functions... does it?
Well, if it's correct, then the crash occurs on the line with the red dot below:

Full stack trace:
Dumptrace:
CONTEXT: (.ecxr)
eax=0000003c ebx=00000000 ecx=00000000 edx=0000d002 esi=00000003 edi=00000003
eip=00409cfc esp=0177f8ec ebp=0177f918 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
gta_sa+0x9cfc:
00409cfc 0fbf710a movsx esi,word ptr [ecx+0Ah] ds:002b:0000000a=????
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00409cfc (gta_sa+0x00009cfc)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000000a
Attempt to read from address 0000000a
PROCESS_NAME: gta_sa.exe
READ_ADDRESS: 0000000a
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0000000a
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0177f918 63a70fd9 132424d0 319ff308 00058309 gta_sa!CStreaming::SetMissionDoesntRequireModel (0x9cfc)
0177f9a0 63a6f62b 13242784 319ff308 00000000 client!CClientGame::Event_OnIngame+0x1f9
0177faf4 63a6e64b 13242600 01cb3408 01d26700 client!CClientGame::DoPulses+0xafb
0177fb70 681bbcb3 01cb3408 07abbb40 68174192 client!CClientGame::DoPulsePostFrame+0x6eb
0177fb7c 68174192 3ea1b344 07c61268 07abbb40 core!CModManager::DoPulsePostFrame+0x53
0177fc6c 6821df84 3ea1b398 07c61268 00000000 core!CCore::DoPostFramePulse+0x8b2
0177fcb0 68225170 07abbb40 0517d7f0 007f99b0 core!CDirect3DEvents9::OnPresent+0x164
0177fd14 007f9b12 07c61268 00000000 00000000 core!CProxyDirect3DDevice9::Present+0x30
SYMBOL_NAME: gta_sa+9cfc
FAILURE_BUCKET_ID: NULL_CLASS_PTR_READ_c0000005_gta_sa.exe!Unknown
The first line of the stack trace corresponds with this "mission" crash offset as well.
Maybe we need @saml1er with his reversing skills to tell if all IDBs got it wrong when it comes to that function, or not.
Seems reasonable for GTA to crash there IMHO.
ms_modelInfoPtrs is modified by us, I presume GTA expected a model to be loaded and it wasn't.
But anyway, I'm not sure about this 100%.
> There is something weird though... all of my IDBs claim that offset is CStreaming::SetMissionDoesntRequireModel, but how does it make sense for MTA to use single-player mission-related functions... does it?

By setting the mission-required flag, GTA will not stream out the model no matter how far away the player is from it.

> ms_modelInfoPtrs is modified by us, I presume GTA expected a model to be loaded and it wasn't.
Yes, seems so. Definitely caused by recent changes.
Repro code

```lua
-- skins count is >= 15
for i = 1, 15 do
    engineRequestModel('ped')
end
```
```cpp
// Decompiler pseudocode of the loop around the crash site; v13/v14 are the
// decompiler's own temporaries and are left as they were emitted.
v11 = 300;
do
{
    CStreaming::RemoveModel(v11);
    v12 = CModelInfo::ms_modelInfoPtrs[v11];      // ecx=0 in the dump: this came back NULL
    result = CKeyGen::GetUppercaseKey(v14, v13, gta_empty_string);
    ++v11;
    v12->clump.base.m_nKey = result;              // faults here when v12 is NULL
}
while ( v11 <= 319 );
```
When v11 == 313
0x40E560
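The loop above walks model ids 300..319 and dereferences ms_modelInfoPtrs[v11] without checking for NULL, which is what the ecx=0 read at [ecx+0Ah] in the dump shows. As an added illustration (not code from this thread, MTA or GTA), this C snippet models the pointer table with a constructed minimal struct and shows the pre-check the loop lacks plus a guarded variant; the struct layout, table size and key value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for CModelInfo::ms_modelInfoPtrs: a hypothetical
 * minimal model-info struct; the real class layout is not on the page. */
typedef struct ModelInfo { uint32_t m_nKey; } ModelInfo;

#define MODEL_COUNT 400
static ModelInfo  g_infos[MODEL_COUNT];
static ModelInfo *ms_modelInfoPtrs[MODEL_COUNT];

/* Fill the table, leaving slot null_id empty (pass -1 for a full table).
 * This models a ped model slot that has been unloaded or replaced. */
void setup_table(int null_id) {
    for (int i = 0; i < MODEL_COUNT; i++) {
        g_infos[i].m_nKey = 0;
        ms_modelInfoPtrs[i] = (i == null_id) ? NULL : &g_infos[i];
    }
}

/* The check the decompiled loop lacks: report the first id in [first,last]
 * whose pointer is NULL, i.e. the id that loop would fault on; -1 if none. */
int first_null_model(int first, int last) {
    for (int id = first; id <= last; id++)
        if (ms_modelInfoPtrs[id] == NULL) return id;
    return -1;
}

/* Guarded version of the 300..319 loop: skip empty slots instead of
 * dereferencing them. Returns how many slots were skipped. The key value
 * is a placeholder; CKeyGen::GetUppercaseKey is not reproduced here. */
int reset_keys_guarded(int first, int last) {
    int skipped = 0;
    for (int id = first; id <= last; id++) {
        ModelInfo *info = ms_modelInfoPtrs[id];
        if (info == NULL) { skipped++; continue; }
        info->m_nKey = 0xFFFFFFFFu;   /* placeholder for the empty-string key */
    }
    return skipped;
}
```

With slot 313 empty, first_null_model(300, 319) returns 313, matching the "v11 == 313" observation above.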