Closed
Description
Describe the bug
This crash is currently the #2 top crash according to our crash stats.
Module = C:\Program Files (x86)\MTA San Andreas 1.6\mods\deathmatch\client.dll
Code = 0xC0000005 (access violation)
Offset = 0x00035328 // (or 0x00035350, 0x00035346)
EAX=0177FA7C EBX=2F34E8B8 ECX=40608000 EDX=40608000 ESI=2FA8AA40
EDI=57375648 EBP=0177FA6C ESP=0177FA60 EIP=5D765328 FLG=00010206
CS=0023 DS=002B SS=002B ES=002B FS=0053 GS=002B
Note: The crash occurs on either line 74 or line 78; these are different instructions in the same function.
Line of crash:
CClientDisplayManager.cpp#L74
OR
CClientDisplayManager.cpp#L78
Full dump analysis of case #1: https://pastebin.com/zBkWNvQp
Stack trace 1 (Line 74 - if (m_bCanRemoveFromList), offset 00035328):
0177fa6c 5d764f31 57375648 05c75bd9 0177fa9c client!CClientDisplayManager::RemoveFromList+0x8
0177fa88 5d7c61ed 05c75bf9 0cfc4eb8 2f34e8b0 client!CClientDisplay::~CClientDisplay+0x31
0177faa8 5d7dca98 00000001 138f5368 138f5368 client!CClientVectorGraphic::`scalar deleting destructor'+0x6d
0177fad0 5d813061 05c75ba5 1a0c78b8 138f5368 client!CElementDeleter::DoDeleteAll+0x28
0177faf4 5d78c812 05c75a49 0cfc4e20 1a0c78b8 client!CResourceManager::~CResourceManager+0x51
0177fb18 5d7722d3 05c75a2d 01a760c0 0cfc4e20 client!CClientManager::~CClientManager+0x62
0177fb7c 5d73c988 01b17dc0 5f111157 01b17dc0 client!CClientGame::~CClientGame+0x6f3
0177fb84 5f111157 01b17dc0 5f1103cf 01a760c0 client!CClient::ClientShutdown+0x58
0177fb8c 5f1103cf 01a760c0 0acd4180 5f0c47ee core!CModManager::Unload+0x97
0177fb98 5f0c47ee d0854654 0cc8dd40 0acd4180 core!CModManager::DoPulsePostFrame+0xf
0177fc70 5f170b79 d0854690 0cc8dd40 00000000 core!CCore::DoPostFramePulse+0x71e
0177fcb4 5f178070 0acd4180 041696e0 007f99b0 core!CDirect3DEvents9::OnPresent+0x1a9
0177fd18 007f9b12 0cc8dd40 00000000 00000000 core!CProxyDirect3DDevice9::Present+0x30
WARNING: Stack unwind information not available. Following frames may be wrong.
0177fd30 041696e0 007f99b0 00000000 007fb1c3 gta_sa+0x3f9b12
00000000 00000000 00000000 00000000 00000000 0x41696e0
Full dump analysis of case #2: https://pastebin.com/k7MJFs2s
Stack trace 2 (Line 78 - m_List.remove(pDisplay), offset 00035350):
0177edbc 6edb4f31 498f2468 eec2f1d8 0177edec client!CClientDisplayManager::RemoveFromList+0x30
0177edd8 6ee161ed eec2f1f8 220678b0 2d8bf580 client!CClientDisplay::~CClientDisplay+0x31
0177edf8 6ee2ca98 00000001 1e76eda8 1e76eda8 client!CClientVectorGraphic::`scalar deleting destructor'+0x6d
0177ee20 6ee63061 eec2f244 1e81b5b8 1e76eda8 client!CElementDeleter::DoDeleteAll+0x28
0177ee44 6eddc812 eec2f268 22067818 1e81b5b8 client!CResourceManager::~CResourceManager+0x51
0177ee68 6edc22d3 eec2f2cc 0177ef40 22067818 client!CClientManager::~CClientManager+0x62
0177eecc 6ed8c988 01a2a6f8 73841157 7399b130 client!CClientGame::~CClientGame+0x6f3
0177eed4 73841157 7399b130 73805691 6a1f5af0 client!CClient::ClientShutdown+0x58
0177eedc 73805691 6a1f5af0 7399b130 00003051 core!CModManager::Unload+0x97
0177ef2c 737db3d0 00000001 737dd5da 0177ef40 core!CCore::Quit+0x221
0177ef34 737dd5da 0177ef40 73997900 737dd4f1 core!CCommandFuncs::Exit+0x10
0177f148 738362cb 7399b130 739979e0 00000000 core!CCommands::Execute+0x15a
0177f164 73835639 14cb38d4 43c98000 44304000 core!CMainMenu::OnMenuClick+0x1cb
0177f194 6f6db4fb 14cb38d4 43c98000 44304000 core!CGUICallbackMethod<CMainMenu,bool,CGUIMouseEventArgs>::operator()+0x29
0177f1f4 6f6eb58b 0177f40c 08c69208 0177f40c cgui!CGUIElement_Impl::Event_OnClick+0x6b
0177f234 6f75d473 0177f40c 6f88cb78 6f88cb78 cgui!CGUI_Impl::Event_MouseClick+0x2b
0177f24c 6f73349c 0177f40c fe2c6929 6f88cb78 cgui!CEGUI::Event::operator()+0x33
0177f3b0 6f72df21 6f88cb78 0177f40c 6f88b4e8 cgui!CEGUI::GlobalEventSet::fireEvent+0xbc
0177f3dc 6f7026f9 6f88cb78 0177f40c 6f88b4e8 cgui!CEGUI::EventSet::fireEvent+0x21
0177f3f0 6f736236 0177f40c fe2c6ec9 089696d8 cgui!CEGUI::Window::onMouseClicked+0x19
0177f450 6f6ec7d0 00000000 0177f694 738212bb cgui!CEGUI::System::injectMouseButtonUp+0x156
0177f45c 738212bb 00000003 00000000 00000000 cgui!CGUI_Impl::ProcessMouseInput+0xd0
0177f694 7383fb23 000e0566 00000202 00000000 core!CLocalGUI::ProcessMessage+0x33b
0177f710 75a87943 000e0566 00000202 00000000 core!CMessageLoopHook::ProcessMessage+0xa43
0177f73c 75a7601d 7383f0e0 000e0566 00000202 user32!_InternalCallWinProc+0x2b
0177f844 75a7578a 7383f0e0 00000000 00000202 user32!UserCallWinProcCheckWow+0x49d
0177f8f4 7750ab9c 81b85661 0177f920 0177fa38 user32!CallWindowProcW+0x10a
0177f9ac 77549a6c 775383fe 000006c0 00000300 ntdll!RtlDeactivateActivationContextUnsafeFast+0x9c
0177f9b0 775383fe 000006c0 00000300 00000078 ntdll!NtTraceEvent+0xc
0177fabc 000e0566 00000020 80000022 00000000 ntdll!EtwpEventWriteFull+0x23e
WARNING: Frame IP not in any known module. Following frames may be wrong.
0177fae4 01e81348 00000000 7eb12a18 00000000 0xe0566
00000000 00000000 00000000 00000000 00000000 0x1e81348
Full dump analysis of case #3: https://pastebin.com/Gmd8tVSe
Stack trace 3 (Line 78 - m_List.remove(pDisplay), offset 00035346):
0177edbc 5b504f31 525f4e50 09285fb2 0177edec client!CClientDisplayManager::RemoveFromList+0x26
0177edd8 5b5661ed 09285f92 169d5de0 2aec7c90 client!CClientDisplay::~CClientDisplay+0x31
0177edf8 5b57ca98 00000001 16db9378 16db9378 client!CClientVectorGraphic::`scalar deleting destructor'+0x6d
0177ee20 5b5b3061 09285c2e 16b46948 16db9378 client!CElementDeleter::DoDeleteAll+0x28
0177ee44 5b52c812 09285c02 169d5d48 16b46948 client!CResourceManager::~CResourceManager+0x51
0177ee68 5b5122d3 09285ca6 0177ef40 169d5d48 client!CClientManager::~CClientManager+0x62
0177eecc 5b4dc988 01993850 67311157 6746b130 client!CClientGame::~CClientGame+0x6f3
0177eed4 67311157 6746b130 672d5691 ba72a08c client!CClient::ClientShutdown+0x58
0177eedc 672d5691 ba72a08c 6746b130 00003051 core!CModManager::Unload+0x97
0177ef2c 672ab3d0 00000001 672ad5da 0177ef40 core!CCore::Quit+0x221
0177ef34 672ad5da 0177ef40 67467900 672ad4f1 core!CCommandFuncs::Exit+0x10
0177f148 673062cb 6746b130 674679e0 00000000 core!CCommands::Execute+0x15a
0177f164 67305639 14292044 43f48000 444e8000 core!CMainMenu::OnMenuClick+0x1cb
0177f194 639ab4fb 14292044 43f48000 444e8000 core!CGUICallbackMethod<CMainMenu,bool,CGUIMouseEventArgs>::operator()+0x29
0177f1f4 639bb58b 0177f40c 0edc74f8 0177f40c cgui!CGUIElement_Impl::Event_OnClick+0x6b
0177f234 63a2d473 0177f40c 63b5cb78 63b5cb78 cgui!CGUI_Impl::Event_MouseClick+0x2b
0177f24c 63a0349c 0177f40c 112e2c4a 63b5cb78 cgui!CEGUI::Event::operator()+0x33
0177f3b0 639fdf21 63b5cb78 0177f40c 63b5b4e8 cgui!CEGUI::GlobalEventSet::fireEvent+0xbc
0177f3dc 639d26f9 63b5cb78 0177f40c 63b5b4e8 cgui!CEGUI::EventSet::fireEvent+0x21
0177f3f0 63a06236 0177f40c 112e2baa 0b56a3a8 cgui!CEGUI::Window::onMouseClicked+0x19
0177f450 639bc7d0 00000000 0177f694 672f12bb cgui!CEGUI::System::injectMouseButtonUp+0x156
0177f45c 672f12bb 00000003 00000000 00000000 cgui!CGUI_Impl::ProcessMouseInput+0xd0
0177f694 6730fb23 000504b4 00000202 00000000 core!CLocalGUI::ProcessMessage+0x33b
0177f710 75fa7463 000504b4 00000202 00000000 core!CMessageLoopHook::ProcessMessage+0xa43
0177f73c 75f95b3d 6730f0e0 000504b4 00000202 user32!_InternalCallWinProc+0x2b
0177f844 75f952aa 6730f0e0 00000000 00000202 user32!UserCallWinProcCheckWow+0x49d
0177f87c 0177fa10 675f35c0 ffff044f 000504b4 user32!CallWindowProcW+0x10a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0177f894 033a01e9 765d81fe 1c530000 00000202 0x177fa10
00000000 00000000 00000000 00000000 00000000 0x33a01e9
Tasks:
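Why is this monitor operation failing, resulting in a crash? What can we do to fix or avert it? In all three traces the access violation occurs inside CClientDisplayManager::RemoveFromList, called from ~CClientDisplay while CElementDeleter::DoDeleteAll runs under ~CResourceManager and ~CClientManager during client shutdown. One thing to check is therefore whether the display manager that the display refers to is still valid at that point (a possible destruction-order or use-after-free issue; not confirmed from these dumps).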
Version
Client: 1.6.0-r22951