Viewing Issue Advanced Details
ID: 05530
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Apr 18, 2014, 05:15
Last Update: 14 days ago
Tester: Malice
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Open
OS: Windows XP
Status: Confirmed
Driver: model2.cpp
Version: 0.153
Fixed in Version:
Build: Normal
Summary: 05530: daytona: Test Mode crash on TGP test.
Description
mame daytona -w

-----------------------------------------------------
Exception at EIP=00EDB173 (rol_rgd(_t11_state*, unsigned short)+0x0023): ACCESS
VIOLATION
While attempting to read memory at 0B591000
-----------------------------------------------------
EAX=004003F8 EBX=0000D977 ECX=00000000 EDX=004003F8
ESI=0000A086 EDI=00000000 EBP=0A590020 ESP=0023B730
-----------------------------------------------------
Stack crawl:
  0A590020: 00EDB173 (rol_rgd(_t11_state*, unsigned short)+0x0023)
Steps To Reproduce: Go into test mode and try the TGP test.
Additional Information:
Flags:
Regression Version:
Affected Sets / Systems: daytona
Attached Files: 0000.png (2,421 bytes), Apr 18, 2014, 05:15, uploaded by Malice
Relationships:
related to 06148 (Confirmed): All games in model2.cpp: Segmentation Fault
Notes (6)
No.10588
Osso
Developer
Apr 18, 2014, 06:44
Program received signal SIGSEGV, Segmentation fault.
0x0000000001641c9a in geo_test (geo=0x4f4b3bf8, opcode=117440512,
    input=0x4dab3098) at src/mame/video/model2.c:2450
2450 data = geo->polygon_rom[address++];
(gdb) bt 10
#0 0x0000000001641c9a in geo_test (geo=0x4f4b3bf8, opcode=117440512,
    input=0x4dab3098) at src/mame/video/model2.c:2450
#1 0x0000000001642174 in geo_process_command (geo=0x4f4b3bf8,
    opcode=117440512, input=0x4dab3008) at src/mame/video/model2.c:2640
#2 0x0000000001642408 in geo_parse (state=0x409ebf88)
    at src/mame/video/model2.c:2688
#3 0x00000000016427c4 in model2_state::screen_update_model2 (
    this=0x409ebf88, screen=..., bitmap=..., cliprect=...)
    at src/mame/video/model2.c:2737
#4 0x000000000422ba9f in delegate_base<unsigned int, screen_device&, bitmap_rgb
32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _nopara
m, _noparam, _noparam, _noparam>::operator() (this=0x409fc180, p1=...,
    p2=..., p3=...) at src/lib/util/delegate.h:652
#5 0x0000000002d8425c in screen_device::update_partial (this=0x409fbc68,
    scanline=383) at src/emu/screen.c:613
#6 0x0000000000000000 in ?? ()
(gdb) quit
A debugging session is active.

        Inferior 1 [process 6060] will be killed.

Quit anyway? (y or n) y
No.14601
Firewave
Senior Tester
Jan 2, 2018, 18:49
==3108==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbb799fe800 at pc 0x000003f34f66 bp 0x7ffddb659550 sp 0x7ffddb659548
READ of size 4 at 0x7fbb799fe800 thread T0
    #0 0x3f34f65 in geo_test /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/model2.cpp:2338:11
    #1 0x3f34f65 in geo_process_command /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/model2.cpp:2528
    #2 0x3f34f65 in geo_parse /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/model2.cpp:2576
    #3 0x3f34f65 in model2_state::screen_update_model2(screen_device&, bitmap_rgb32&, rectangle const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/model2.cpp:2622
    #4 0xe7ac0e2 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #5 0xe7ac0e2 in screen_device::update_partial(int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1220
    #6 0xe833c67 in video_manager::finish_screen_updates() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:694:10
    #7 0xe8332a0 in video_manager::frame_update(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:208:27
    #8 0xe7a9f66 in vblank_end /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1556:21
    #9 0xe7a9f66 in screen_device::device_timer(emu_timer&, unsigned int, int, void*) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1002
    #10 0xe795168 in timer_expired /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.h:520:83
    #11 0xe795168 in device_scheduler::execute_timers() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:906
    #12 0xe78ea0f in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:530:2
    #13 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17
    #14 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #15 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #16 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #17 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #18 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #19 0x7fbb9e94282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #20 0x1431838 in _start (/mnt/mame/mame64+0x1431838)

0x7fbb799fe800 is located 0 bytes to the right of 16777216-byte region [0x7fbb789fe800,0x7fbb799fe800)
allocated by thread T0 here:
    #0 0x14fd722 in operator new(unsigned long) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0xe227b44 in allocate /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/ext/new_allocator.h:104:27
    #2 0xe227b44 in allocate /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/alloc_traits.h:491
    #3 0xe227b44 in _M_allocate /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:170
    #4 0xe227b44 in _M_create_storage /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:185
    #5 0xe227b44 in _Vector_base /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:136
    #6 0xe227b44 in vector /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:278
    #7 0xe227b44 in memory_region::memory_region(running_machine&, char const*, unsigned int, unsigned char, endianness_t) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:4453
    #8 0xe1f8c6a in make_unique<memory_region, running_machine &, const char *&, unsigned int &, unsigned char &, endianness_t &> /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/unique_ptr.h:765:34
    #9 0xe1f8c6a in memory_manager::region_alloc(char const*, unsigned int, unsigned char, endianness_t) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1882
    #10 0xe7691fd in rom_load_manager::process_region_list() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/romload.cpp:1443:35
    #11 0xe76b8ef in rom_load_manager::rom_load_manager(running_machine&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/romload.cpp:1533:2
    #12 0xe69f947 in make_unique_clear<rom_load_manager, running_machine &> /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corealloc.h:74:38
    #13 0xe69f947 in running_machine::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:238
    #14 0xe6a2a41 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:310:3
    #15 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #16 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #17 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #18 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #19 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #20 0x7fbb9e94282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/model2.cpp:2338:11 in geo_test
Shadow bytes around the buggy address:
  0x0ff7ef337cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7ef337cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7ef337cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7ef337ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7ef337cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff7ef337d00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7ef337d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7ef337d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7ef337d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7ef337d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7ef337d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
No.14763
Robbbert
Developer
Feb 20, 2018, 09:47
In geo_test, invalid parameters are being passed to the loop that tests the polygon rom, causing a buffer overflow.
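The overflow Robbbert describes, with Firewave's ASan report above placing the faulting read 0 bytes past the end of the 16777216-byte polygon ROM region, as an added C++ illustration that is not MAME's code: a toy "test the polygon ROM" loop driven by start/count parameters supplied by the emulated program, first in the unchecked shape of `data = geo->polygon_rom[address++]` and then with the range validated before the loop runs. All names (PolygonRom, TestInput, geo_test_unchecked, geo_test_checked, make_sample_rom) and the sample ROM contents are constructed for this example.

```cpp
// Added example, not MAME's code. Toy model of a ROM self-test loop whose
// bounds are taken from guest-controlled command parameters.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the polygon ROM region. In the ASan report the
// real region is 16777216 bytes; the sample below uses a few words only.
struct PolygonRom {
    std::vector<uint32_t> words;
};

// Hypothetical command parameters handed to the geometry engine: where to
// start reading and how many words to check. They come from memory the
// emulated program controls, so nothing guarantees they lie inside the ROM.
struct TestInput {
    uint32_t start;
    uint32_t count;
};

// Unchecked form: the loop is bounded only by the supplied count, so a
// start+count that reaches the end of the region reads past the vector
// (undefined behaviour; a heap-buffer-overflow under ASan). Shown for
// contrast only; the test below never calls it.
uint32_t geo_test_unchecked(const PolygonRom& rom, TestInput in) {
    uint32_t checksum = 0;
    uint32_t address = in.start;
    for (uint32_t i = 0; i < in.count; ++i) {
        uint32_t data = rom.words[address++];   // no bounds check on address
        checksum += data;
    }
    return checksum;
}

// Checked form: validate the whole range once, in 64-bit arithmetic so the
// sum cannot wrap, and refuse the command if it would read at or beyond
// rom.words.size(). Returns false for a rejected command; on success the
// checksum is written through checksum_out.
bool geo_test_checked(const PolygonRom& rom, TestInput in, uint32_t* checksum_out) {
    const uint64_t end = static_cast<uint64_t>(in.start) + in.count;
    if (end > rom.words.size()) {
        return false;   // last index would be >= size: the "0 bytes to the right" case
    }
    uint32_t checksum = 0;
    for (uint32_t i = 0; i < in.count; ++i) {
        checksum += rom.words[in.start + i];
    }
    *checksum_out = checksum;
    return true;
}

// Constructed sample ROM: word i holds 3*i + 1.
PolygonRom make_sample_rom(size_t n_words) {
    PolygonRom rom;
    rom.words.reserve(n_words);
    for (size_t i = 0; i < n_words; ++i) {
        rom.words.push_back(static_cast<uint32_t>(i * 3 + 1));
    }
    return rom;
}
```

Validating once before the loop rather than on every iteration keeps the check cheap, and doing the sum in 64 bits means a start value near UINT32_MAX cannot wrap into a small end and slip past the comparison; an input whose last read would land exactly at the region size is rejected, which is precisely the access ASan flagged.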
No.14768
Fortuna
Tester
Feb 21, 2018, 01:58
Confirmed too on Windows 10 64-bit, fullscreen and default configs.
No.14927
Osso
Developer
14 days ago
This doesn't seem to happen in current GIT.
No.14930
wuemura
Tester
14 days ago
It doesn't crash like before, but it still freezes at the TGP test.
mame0196-307-gef77d3f1aa-dirty