ID: 05883
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Mar 19, 2015, 11:17
Last Update: 21 days ago
Tester: Firewave
View Status: Public
Platform: MESS (Self-compiled)
Resolution: Fixed
Status: Resolved
Driver: snes.cpp
Version: 0.159
Build: Debug
Summary: MESS-specific 05883: snespal [sgboyj]: [debug] AddressSanitizer: heap-use-after-free saving save state
Description: Doesn't happen with snes.

==31175==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fcc20c01800 at pc 0x000000eb081c bp 0x7fff62f24010 sp 0x7fff62f237c8
READ of size 64074 at 0x7fcc20c01800 thread T0
    #0 0xeb081b in __asan_memcpy /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435:3
    #1 0x6750c5a in read_buf /home/notroot/trunk/3rdparty/zlib/deflate.c:1088:5
    #2 0x6750c5a in fill_window /home/notroot/trunk/3rdparty/zlib/deflate.c:1467
    #3 0x675cba4 in deflate_slow /home/notroot/trunk/3rdparty/zlib/deflate.c:1745:13
    #4 0x6755fb2 in deflate /home/notroot/trunk/3rdparty/zlib/deflate.c:905:48
    #5 0x5fb6879 in osd_or_zlib_write(core_file*, void const*, unsigned long long, unsigned int, unsigned int*) /home/notroot/trunk/src/lib/util/corefile.c:1028:10
    #6 0x5fb6879 in core_fwrite(core_file*, void const*, unsigned int) /home/notroot/trunk/src/lib/util/corefile.c:789
    #7 0x5b19bb9 in emu_file::write(void const*, unsigned int) /home/notroot/trunk/src/emu/fileio.c:609:10
    #8 0x5d08001 in save_manager::write_file(emu_file&) /home/notroot/trunk/src/emu/save.c:317:7
    #9 0x5c2187f in running_machine::handle_saveload() /home/notroot/trunk/src/emu/machine.c:916:84
    #10 0x5c20125 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:405:5
    #11 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #12 0x5a489fc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #13 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9
    #14 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0xe40368 in _start (/home/notroot/trunk/mess64d+0xe40368)

0x7fcc20c01800 is located 0 bytes inside of 239743-byte region [0x7fcc20c01800,0x7fcc20c3c07f)
freed by thread T0 here:
    #0 0xec7042 in free /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x677d108 in osd_free(void*) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:103:2
    #2 0x5fb2a04 in free_file_line(void*, char const*, int, bool) /home/notroot/trunk/src/lib/util/corealloc.c:178:2
    #3 0x5f77b0f in operator delete[](void*) /home/notroot/trunk/src/lib/util/corealloc.h:66:87
    #4 0x5f77b0f in bitmap_t::reset() /home/notroot/trunk/src/lib/util/bitmap.c:208
    #5 0x5f77b0f in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:134
    #6 0x5f79260 in bitmap_t::resize(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:183:3
    #7 0x5d1b203 in screen_device::realloc_screen_bitmaps() /home/notroot/trunk/src/emu/screen.c:538:3
    #8 0x5d191e6 in screen_device::configure(int, int, rectangle const&, long long) /home/notroot/trunk/src/emu/screen.c:456:2
    #9 0x5270365 in snes_ppu_device::dynamic_res_change() /home/notroot/trunk/src/emu/video/snes_ppu.c:2012:3
    #10 0x5270365 in snes_ppu_device::write(address_space&, unsigned int, unsigned char) /home/notroot/trunk/src/emu/video/snes_ppu.c:2468
    #11 0x2dc5d01 in snes_state::snes_w_io(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mame/machine/snes.c:484:3
    #12 0x1f02543 in snes_console_state::snessgb_hi_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mess/drivers/snes.c:905:4
    #13 0x1f02543 in snes_console_state::snessgb_lo_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mess/drivers/snes.c:913
    #14 0x5c986d0 in delegate_base<void, address_space&, unsigned int, unsigned char, unsigned char, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/lib/util/delegate.h:655:90
    #15 0x5c986d0 in handler_entry_write::write8(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/emu/memory.c:420
    #16 0x5c986d0 in address_space_specific<unsigned char, (endianness_t)0, true>::write_native(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1141
    #17 0x5c977d8 in address_space_specific<unsigned char, (endianness_t)0, true>::write_byte(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1426:70
    #18 0x3aa2e7e in g65816_device::g65816i_write_8_normal(unsigned int, unsigned int) /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:244:2
    #19 0x3b1f927 in g65816_device::g65816i_9d_M1X1() /home/notroot/trunk/src/emu/cpu/g65816/g65816op.h:1666:1
    #20 0x3b2cc71 in g65816_device::g65816i_execute_M1X1(int) /home/notroot/trunk/src/emu/cpu/g65816/g65816op.h:1954:4
    #21 0x3aacf66 in g65816_device::execute_run() /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:709:23
    #22 0x3aacf66 in non-virtual thunk to g65816_device::execute_run() /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:706
    #23 0x5d0e76c in device_execute_interface::run() /home/notroot/trunk/src/emu/diexec.h:191:15
    #24 0x5d0e76c in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:476
    #25 0x5c20108 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5
    #26 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #27 0x5a489fc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #28 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9
    #29 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 here:
    #0 0xec7322 in __interceptor_malloc /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x677d0f8 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:89:9
    #2 0x5fb218a in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25
    #3 0x5f77d3b in operator new[](unsigned long) /home/notroot/trunk/src/lib/util/corealloc.h:64:97
    #4 0x5f77d3b in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:149
    #5 0x5d18fd2 in screen_device::register_screen_bitmap(bitmap_t&) /home/notroot/trunk/src/emu/screen.c:803:2
    #6 0x1e90e21 in gb_lcd_device::common_start() /home/notroot/trunk/src/mess/video/gb_lcd.c:217:2
    #7 0x1e9421b in sgb_lcd_device::device_start() /home/notroot/trunk/src/mess/video/gb_lcd.c:326:2
    #8 0x5a65c8d in device_t::start() /home/notroot/trunk/src/emu/device.c:409:2
    #9 0x5c1f63e in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1105:6
    #10 0x5c1cd41 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:287:2
    #11 0x5c1fe5a in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3
    #12 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #13 0x5a489fc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #14 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9
    #15 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435 __asan_memcpy
Shadow bytes around the buggy address:
  0x0ffa041782b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffa041782c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffa041782d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffa041782e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffa041782f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ffa04178300:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ffa04178310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ffa04178320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ffa04178330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ffa04178340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ffa04178350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Flags: Debug build specific
Affected Sets / Systems: snespal [sgboyj]

Notes

No.11527 - Tafoid (Administrator) - Mar 19, 2015, 11:38
Windows 0.159 Debug MESS (Official) shows:

-----------------------------------------------------
Exception at EIP=762A9D8C (register_frame_ctor+0x7314fbdc): ACCESS VIOLATION
While attempting to read memory at 185A2000
-----------------------------------------------------
EAX=00000000 EBX=05C3CE0E ECX=00003C93 EDX=00000000
ESI=185A1FFE EDI=05C3D60C EBP=0028BA78 ESP=0028BA70
-----------------------------------------------------
Stack crawl:
  0028BA78: 762A9D8C (malloc+0x009e)
  0028BAC8: 01F17582 (deflate_slow+0x03e2)
  0028BB18: 01F194F9 (deflate+0x00f9)
  0028BB78: 01CCD01B (core_fwrite(core_file*, void const*, unsigned int)+0x00fb)
  0028BB98: 01B57B88 (emu_file::write(void const*, unsigned int)+0x0028)
  0028BBF8: 01B0DCC0 (save_manager::write_file(emu_file&)+0x0160)
  0028BDF8: 01AF06CE (running_machine::handle_saveload()+0x023e)
  0028BE98: 01AF16C3 (running_machine::run(bool)+0x0293)
  0028F898: 01ADE655 (machine_manager::execute()+0x03d5)
  0028FA78: 01BB0DDF (cli_frontend::execute(int, char**)+0x156f)
  0028FE98: 00C7753F (utf8_main(int, char**)+0x029f)
  0028FEC8: 01F1F9C1 (wmain+0x0071)
  0028FF88: 004013F0 (__tmainCRTStartup+0x0270)
  0028FF94: 76DD338A (BaseThreadInitThunk+0x0012)
  0028FFD4: 777A9F72 (RtlInitializeExceptionChain+0x0063)
  0028FFEC: 777A9F45 (RtlInitializeExceptionChain+0x0036)

No.13964 - Osso (Developer) - 21 days ago
Fixed in 0.170 or 0.171. Don't have a debug 0.170, but in 0.169 it crashes, in 0.171 it doesn't.