05883: snespal [sgboyj]: [debug] AddressSanitizer: heap-use-after-free saving save state

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
05883	Crash/Freeze	Critical (emulator)	Always	Mar 19, 2015, 11:17	Jul 6, 2017, 13:10

Tester	Firewave	View Status	Public	Platform	MESS (Self-compiled)
Assigned To		Resolution	Fixed	OS
Status [?]	Resolved			Driver	snes.cpp
Version	0.159	Fixed in Version		Build	Debug

Summary	05883: snespal [sgboyj]: [debug] AddressSanitizer: heap-use-after-free saving save state
Description	Doesn't happen with snes. ==31175==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fcc20c01800 at pc 0x000000eb081c bp 0x7fff62f24010 sp 0x7fff62f237c8 READ of size 64074 at 0x7fcc20c01800 thread T0 #0 0xeb081b in __asan_memcpy /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435:3 #1 0x6750c5a in read_buf /home/notroot/trunk/3rdparty/zlib/deflate.c:1088:5 #2 0x6750c5a in fill_window /home/notroot/trunk/3rdparty/zlib/deflate.c:1467 #3 0x675cba4 in deflate_slow /home/notroot/trunk/3rdparty/zlib/deflate.c:1745:13 #4 0x6755fb2 in deflate /home/notroot/trunk/3rdparty/zlib/deflate.c:905:48 #5 0x5fb6879 in osd_or_zlib_write(core_file, void const, unsigned long long, unsigned int, unsigned int) /home/notroot/trunk/src/lib/util/corefile.c:1028:10 #6 0x5fb6879 in core_fwrite(core_file, void const, unsigned int) /home/notroot/trunk/src/lib/util/corefile.c:789 #7 0x5b19bb9 in emu_file::write(void const, unsigned int) /home/notroot/trunk/src/emu/fileio.c:609:10 #8 0x5d08001 in save_manager::write_file(emu_file&) /home/notroot/trunk/src/emu/save.c:317:7 #9 0x5c2187f in running_machine::handle_saveload() /home/notroot/trunk/src/emu/machine.c:916:84 #10 0x5c20125 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:405:5 #11 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11 #12 0x5a489fc in cli_frontend::execute(int, char*) /home/notroot/trunk/src/emu/clifront.c:220:15 #13 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9 #14 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #15 0xe40368 in _start (/home/notroot/trunk/mess64d+0xe40368) 0x7fcc20c01800 is located 0 bytes inside of 239743-byte region [0x7fcc20c01800,0x7fcc20c3c07f) freed by thread T0 here: #0 0xec7042 in free /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3 #1 0x677d108 in osd_free(void) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:103:2 #2 0x5fb2a04 in free_file_line(void, char const, int, bool) /home/notroot/trunk/src/lib/util/corealloc.c:178:2 #3 0x5f77b0f in operator delete[](void) /home/notroot/trunk/src/lib/util/corealloc.h:66:87 #4 0x5f77b0f in bitmap_t::reset() /home/notroot/trunk/src/lib/util/bitmap.c:208 #5 0x5f77b0f in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:134 #6 0x5f79260 in bitmap_t::resize(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:183:3 #7 0x5d1b203 in screen_device::realloc_screen_bitmaps() /home/notroot/trunk/src/emu/screen.c:538:3 #8 0x5d191e6 in screen_device::configure(int, int, rectangle const&, long long) /home/notroot/trunk/src/emu/screen.c:456:2 #9 0x5270365 in snes_ppu_device::dynamic_res_change() /home/notroot/trunk/src/emu/video/snes_ppu.c:2012:3 #10 0x5270365 in snes_ppu_device::write(address_space&, unsigned int, unsigned char) /home/notroot/trunk/src/emu/video/snes_ppu.c:2468 #11 0x2dc5d01 in snes_state::snes_w_io(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mame/machine/snes.c:484:3 #12 0x1f02543 in snes_console_state::snessgb_hi_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mess/drivers/snes.c:905:4 #13 0x1f02543 in snes_console_state::snessgb_lo_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mess/drivers/snes.c:913 #14 0x5c986d0 in delegate_base<void, address_space&, unsigned int, unsigned char, unsigned char, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/lib/util/delegate.h:655:90 #15 0x5c986d0 in handler_entry_write::write8(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/emu/memory.c:420 #16 0x5c986d0 in address_space_specific<unsigned char, (endianness_t)0, true>::write_native(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1141 #17 0x5c977d8 in address_space_specific<unsigned char, (endianness_t)0, true>::write_byte(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1426:70 #18 0x3aa2e7e in g65816_device::g65816i_write_8_normal(unsigned int, unsigned int) /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:244:2 #19 0x3b1f927 in g65816_device::g65816i_9d_M1X1() /home/notroot/trunk/src/emu/cpu/g65816/g65816op.h:1666:1 #20 0x3b2cc71 in g65816_device::g65816i_execute_M1X1(int) /home/notroot/trunk/src/emu/cpu/g65816/g65816op.h:1954:4 #21 0x3aacf66 in g65816_device::execute_run() /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:709:23 #22 0x3aacf66 in non-virtual thunk to g65816_device::execute_run() /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:706 #23 0x5d0e76c in device_execute_interface::run() /home/notroot/trunk/src/emu/diexec.h:191:15 #24 0x5d0e76c in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:476 #25 0x5c20108 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5 #26 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11 #27 0x5a489fc in cli_frontend::execute(int, char) /home/notroot/trunk/src/emu/clifront.c:220:15 #28 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9 #29 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) previously allocated by thread T0 here: #0 0xec7322 in __interceptor_malloc /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3 #1 0x677d0f8 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:89:9 #2 0x5fb218a in malloc_file_line(unsigned long, char const, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25 #3 0x5f77d3b in operator new[](unsigned long) /home/notroot/trunk/src/lib/util/corealloc.h:64:97 #4 0x5f77d3b in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:149 #5 0x5d18fd2 in screen_device::register_screen_bitmap(bitmap_t&) /home/notroot/trunk/src/emu/screen.c:803:2 #6 0x1e90e21 in gb_lcd_device::common_start() /home/notroot/trunk/src/mess/video/gb_lcd.c:217:2 #7 0x1e9421b in sgb_lcd_device::device_start() /home/notroot/trunk/src/mess/video/gb_lcd.c:326:2 #8 0x5a65c8d in device_t::start() /home/notroot/trunk/src/emu/device.c:409:2 #9 0x5c1f63e in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1105:6 #10 0x5c1cd41 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:287:2 #11 0x5c1fe5a in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3 #12 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11 #13 0x5a489fc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15 #14 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9 #15 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) SUMMARY: AddressSanitizer: heap-use-after-free /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435 __asan_memcpy Shadow bytes around the buggy address: 0x0ffa041782b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0ffa04178300:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
Steps To Reproduce
Additional Information

Flags	Debug build specific
Regression Version
Affected Sets / Systems	snespal [sgboyj]

Attached Files

No.11527 Tafoid Administrator Mar 19, 2015, 11:38	Windows 0.159 Debug MESS (Official) shows: ----------------------------------------------------- Exception at EIP=762A9D8C (register_frame_ctor+0x7314fbdc): ACCESS VIOLATION While attempting to read memory at 185A2000 ----------------------------------------------------- EAX=00000000 EBX=05C3CE0E ECX=00003C93 EDX=00000000 ESI=185A1FFE EDI=05C3D60C EBP=0028BA78 ESP=0028BA70 ----------------------------------------------------- Stack crawl: 0028BA78: 762A9D8C (malloc+0x009e) 0028BAC8: 01F17582 (deflate_slow+0x03e2) 0028BB18: 01F194F9 (deflate+0x00f9) 0028BB78: 01CCD01B (core_fwrite(core_file, void const, unsigned int)+0x00fb) 0028BB98: 01B57B88 (emu_file::write(void const, unsigned int)+0x0028) 0028BBF8: 01B0DCC0 (save_manager::write_file(emu_file&)+0x0160) 0028BDF8: 01AF06CE (running_machine::handle_saveload()+0x023e) 0028BE98: 01AF16C3 (running_machine::run(bool)+0x0293) 0028F898: 01ADE655 (machine_manager::execute()+0x03d5) 0028FA78: 01BB0DDF (cli_frontend::execute(int, char)+0x156f) 0028FE98: 00C7753F (utf8_main(int, char*)+0x029f) 0028FEC8: 01F1F9C1 (wmain+0x0071) 0028FF88: 004013F0 (__tmainCRTStartup+0x0270) 0028FF94: 76DD338A (BaseThreadInitThunk+0x0012) 0028FFD4: 777A9F72 (RtlInitializeExceptionChain+0x0063) 0028FFEC: 777A9F45 (RtlInitializeExceptionChain+0x0036)
No.13964 Osso Developer Jul 6, 2017, 13:10	Fixed in 0.170 or 0.171. Don't have a debug 0.170, but in 0.169 it crashes, in 0.171 it doesn't.

No.11527

Tafoid

Administrator

Mar 19, 2015, 11:38

Windows 0.159 Debug MESS (Official) shows:

-----------------------------------------------------
Exception at EIP=762A9D8C (register_frame_ctor+0x7314fbdc): ACCESS VIOLATION
While attempting to read memory at 185A2000
-----------------------------------------------------
EAX=00000000 EBX=05C3CE0E ECX=00003C93 EDX=00000000
ESI=185A1FFE EDI=05C3D60C EBP=0028BA78 ESP=0028BA70
-----------------------------------------------------
Stack crawl:
  0028BA78: 762A9D8C (malloc+0x009e)
  0028BAC8: 01F17582 (deflate_slow+0x03e2)
  0028BB18: 01F194F9 (deflate+0x00f9)
  0028BB78: 01CCD01B (core_fwrite(core_file*, void const*, unsigned int)+0x00fb)

  0028BB98: 01B57B88 (emu_file::write(void const*, unsigned int)+0x0028)
  0028BBF8: 01B0DCC0 (save_manager::write_file(emu_file&)+0x0160)
  0028BDF8: 01AF06CE (running_machine::handle_saveload()+0x023e)
  0028BE98: 01AF16C3 (running_machine::run(bool)+0x0293)
  0028F898: 01ADE655 (machine_manager::execute()+0x03d5)
  0028FA78: 01BB0DDF (cli_frontend::execute(int, char**)+0x156f)
  0028FE98: 00C7753F (utf8_main(int, char**)+0x029f)
  0028FEC8: 01F1F9C1 (wmain+0x0071)
  0028FF88: 004013F0 (__tmainCRTStartup+0x0270)
  0028FF94: 76DD338A (BaseThreadInitThunk+0x0012)
  0028FFD4: 777A9F72 (RtlInitializeExceptionChain+0x0063)
  0028FFEC: 777A9F45 (RtlInitializeExceptionChain+0x0036)

No.13964

Osso

Developer

Jul 6, 2017, 13:10

Fixed in 0.170 or 0.171. Don't have a debug 0.170, but in 0.169 it crashes, in 0.171 it doesn't.