Viewing Issue Advanced Details
ID: 05866
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Mar 5, 2015, 17:45
Last Update: 15 days ago
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Open
OS:
Status: Acknowledged
Driver: taito_f3.cpp
Version: 0.159
Fixed in Version:
Build: Debug
Summary: 05866: pbobble3, pbobble3j, pbobble3u, pbobble4, pbobble4j, pbobble4u, rayforce, rayforcej: [debug] AddressSanitizer: heap-buffer-overflow
Description
==25732==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc576a8f87f at pc 0x00000470bda3 bp 0x7ffffdb78bc0 sp 0x7ffffdb78bb8
READ of size 1 at 0x7fc576a8f87f thread T0
    #0 0x470bda2 in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int) /home/notroot/trunk/src/mame/video/taito_f3.c:1483:35
    #1 0x4705b62 in taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/taito_f3.c:2521:3
    #2 0x4706ca2 in taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/taito_f3.c:3188:2
    #3 0x813ffb0 in delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const /home/notroot/trunk/src/lib/util/delegate.h:652:76
    #4 0x813ffb0 in screen_device::update_partial(int) /home/notroot/trunk/src/emu/screen.c:625
    #5 0x81d8f52 in video_manager::finish_screen_updates() /home/notroot/trunk/src/emu/video.c:649:3
    #6 0x81d853f in video_manager::frame_update(bool) /home/notroot/trunk/src/emu/video.c:202:27
    #7 0x813f362 in screen_device::vblank_begin() /home/notroot/trunk/src/emu/screen.c:822:3
    #8 0x813f029 in screen_device::device_timer(emu_timer&, unsigned int, int, void*) /home/notroot/trunk/src/emu/screen.c:404:4
    #9 0x8136b63 in device_t::timer_expired(emu_timer&, unsigned int, int, void*) /home/notroot/trunk/src/emu/device.h:191:83
    #10 0x8136b63 in device_scheduler::execute_timers() /home/notroot/trunk/src/emu/schedule.c:902
    #11 0x813263b in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:517:2
    #12 0x804fe48 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5
    #13 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #14 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #15 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #16 0x7fc59b076ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #17 0x116cdfc in _start (/home/notroot/trunk/mame64d+0x116cdfc)

0x7fc576a8f87f is located 0 bytes to the right of 262271-byte region [0x7fc576a4f800,0x7fc576a8f87f)
allocated by thread T0 here:
    #0 0x114f78b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8b42538 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:89:9
    #2 0x8419fca in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25
    #3 0x83e3242 in operator new[](unsigned long) /home/notroot/trunk/src/lib/util/corealloc.h:64:97
    #4 0x83e3242 in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:149
    #5 0x81603ae in tilemap_t::init(tilemap_manager&, device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, device_delegate<unsigned int (unsigned int, unsigned int, unsigned int, unsigned int)>, int, int, int, int) /home/notroot/trunk/src/emu/tilemap.c:392:2
    #6 0x8165e98 in tilemap_manager::create(device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, tilemap_standard_mapper, int, int, int, int, tilemap_t*) /home/notroot/trunk/src/emu/tilemap.c:1547:31
    #7 0x46f37a2 in taito_f3_state::video_start_f3() /home/notroot/trunk/src/mame/video/taito_f3.c:627:18
    #8 0x7f23cf5 in delegate_base<void, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()() const /home/notroot/trunk/src/lib/util/delegate.h:649:42
    #9 0x7f23cf5 in driver_device::device_start() /home/notroot/trunk/src/emu/driver.c:229
    #10 0x7e970fc in device_t::start() /home/notroot/trunk/src/emu/device.c:409:2
    #11 0x804f33a in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1105:6
    #12 0x804ca64 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:287:2
    #13 0x804fb73 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3
    #14 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #15 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #16 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #17 0x7fc59b076ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/notroot/trunk/src/mame/video/taito_f3.c:1483 taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)
Shadow bytes around the buggy address:
  0x0ff92ed49eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff92ed49f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0ff92ed49f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  ASan internal: fe
Steps To Reproduce:
Additional Information:
Flags: Debug build specific
Regression Version:
Affected Sets / Systems: pbobble3, pbobble3j, pbobble3u, pbobble4, pbobble4j, pbobble4u, rayforce, rayforcej
Attached Files:
Relationships
There are no relationships linked to this issue.
Notes (2)
No.11506 - B2K24 (Moderator) - Mar 11, 2015, 17:49
-----------------------------------------------------
Exception at EIP=000000000396F5E2 (taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)+0x1d72): ACCESS VIOLATION
While attempting to read memory at 0000000057CE2000
-----------------------------------------------------
RAX=0000000057CE2000 RBX=0000000000000000 RCX=000000004495D528 RDX=0000000000000100
RSI=0000000000000001 RDI=0000000000325BF0 RBP=0000000000227D20 RSP=0000000000227C70
 R8=000000000000002E R9=0000000000227EA0 R10=00000000000000FF R11=00000000000001F8
R12=0000000000000018 R13=0000000000000012 R14=0000000000000000 R15=0000000000000000
-----------------------------------------------------
Stack crawl:
  0000000000227C70: 000000000396F5E2 (taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)+0x1d72)
  0000000000228200: 0000000001A06E32 (taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&)+0x1a20)
  0000000000228290: 0000000001A08100 (taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&)+0x0450)
  00000000002282C0: 0000000003DC6615 (delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const+0x0035)
  0000000000228330: 0000000002D2C7F4 (screen_device::update_partial(int)+0x0206)
  00000000002283A0: 0000000002E5E445 (video_manager::finish_screen_updates()+0x005f)
  0000000000228410: 0000000002E5CFAD (video_manager::frame_update(bool)+0x008d)
  00000000002284A0: 0000000002D2D160 (screen_device::vblank_begin()+0x00fa)
  00000000002284F0: 0000000002D2BB57 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x003d)
  0000000000228530: 0000000003D770E1 (device_t::timer_expired(emu_timer&, unsigned int, int, void*)+0x0041)
  0000000000228580: 0000000003AFA8AC (device_scheduler::execute_timers()+0x00fc)
  0000000000228640: 0000000002D2971E (device_scheduler::timeslice()+0x05ac)
  0000000000228710: 0000000002D9A444 (running_machine::run(bool)+0x02b0)
  000000000022F4F0: 0000000002DA8E5A (machine_manager::execute()+0x01f8)
  000000000022F750: 0000000002E2CD7F (cli_frontend::execute(int, char**)+0x085f)
  000000000022FDF0: 000000000209B0D9 (utf8_main(int, char**)+0x020d)
  000000000022FE50: 0000000003131169 (wmain+0x00b9)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000076A25A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 0000000076EBBA01 (RtlUserThreadStart+0x0021)
No.14592 - Firewave (Senior Tester) - 15 days ago
Still happening in 0.193

==118824==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f47f703d800 at pc 0x000004a6ffd0 bp 0x7ffffdfbfce0 sp 0x7ffffdfbfcd8
READ of size 1 at 0x7f47f703d800 thread T0
    #0 0x4a6ffcf in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:1499:35
    #1 0x4a67c74 in taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:2537:3
    #2 0x4a6a61f in taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:3204:2
    #3 0xe7ac0e2 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #4 0xe7ac0e2 in screen_device::update_partial(int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1220
    #5 0xe833c67 in video_manager::finish_screen_updates() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:694:10
    #6 0xe8332a0 in video_manager::frame_update(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:208:27
    #7 0xe7aa719 in screen_device::vblank_begin() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1524:21
    #8 0xe7a9c7c in screen_device::device_timer(emu_timer&, unsigned int, int, void*) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:997:4
    #9 0xe795168 in timer_expired /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.h:520:83
    #10 0xe795168 in device_scheduler::execute_timers() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:906
    #11 0xe78ea0f in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:530:2
    #12 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17
    #13 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #14 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #15 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #16 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #17 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #18 0x7f481d3e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x1431838 in _start (/mnt/mame/mame64+0x1431838)

0x7f47f703d800 is located 0 bytes to the right of 262144-byte region [0x7f47f6ffd800,0x7f47f703d800)
allocated by thread T0 here:
    #0 0x14fd8a2 in operator new[](unsigned long) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:95:3
    #1 0xf13f7e6 in bitmap_t::allocate(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:210:16
    #2 0xe7ebb97 in tilemap_t::init(tilemap_manager&, device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, device_delegate<unsigned int (unsigned int, unsigned int, unsigned int, unsigned int)>, unsigned short, unsigned short, unsigned int, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/tilemap.cpp:395:13
    #3 0xe7f204a in tilemap_manager::create(device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, tilemap_standard_mapper, unsigned short, unsigned short, unsigned int, unsigned int, tilemap_t*) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/tilemap.cpp:1564:67
    #4 0x4a56aad in taito_f3_state::video_start_f3() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:636:38
    #5 0xe1f1018 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #6 0xe1f1018 in driver_device::device_start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/driver.cpp:223
    #7 0xe0e345d in device_t::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.cpp:489:2
    #8 0xe6a1f65 in running_machine::start_all_devices() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:1040:13
    #9 0xe6a005d in running_machine::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:265:2
    #10 0xe6a2a41 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:310:3
    #11 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #12 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #13 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #14 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #15 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #16 0x7f481d3e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:1499:35 in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)
Shadow bytes around the buggy address:
  0x0fe97edffab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe97edffac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe97edffad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe97edffae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe97edffaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe97edffb00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe97edffb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe97edffb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe97edffb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe97edffb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe97edffb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb