05883: snespal [sgboyj]: [debug] AddressSanitizer: heap-use-after-free saving save state

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
05883	Crash/Freeze	Critical (emulator)	Always	Mar 19, 2015, 11:17	Dec 31, 2017, 23:45

Tester	Firewave	View Status	Public	Platform
Assigned To		Resolution	Open	OS
Status [?]	Acknowledged			Driver	snes.cpp
Version	0.159	Fixed in Version		Build	Debug

Summary	05883: snespal [sgboyj]: [debug] AddressSanitizer: heap-use-after-free saving save state
Description	Doesn't happen with snes. ==31175==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fcc20c01800 at pc 0x000000eb081c bp 0x7fff62f24010 sp 0x7fff62f237c8 READ of size 64074 at 0x7fcc20c01800 thread T0 #0 0xeb081b in __asan_memcpy /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435:3 #1 0x6750c5a in read_buf /home/notroot/trunk/3rdparty/zlib/deflate.c:1088:5 #2 0x6750c5a in fill_window /home/notroot/trunk/3rdparty/zlib/deflate.c:1467 #3 0x675cba4 in deflate_slow /home/notroot/trunk/3rdparty/zlib/deflate.c:1745:13 #4 0x6755fb2 in deflate /home/notroot/trunk/3rdparty/zlib/deflate.c:905:48 #5 0x5fb6879 in osd_or_zlib_write(core_file, void const, unsigned long long, unsigned int, unsigned int) /home/notroot/trunk/src/lib/util/corefile.c:1028:10 #6 0x5fb6879 in core_fwrite(core_file, void const, unsigned int) /home/notroot/trunk/src/lib/util/corefile.c:789 #7 0x5b19bb9 in emu_file::write(void const, unsigned int) /home/notroot/trunk/src/emu/fileio.c:609:10 #8 0x5d08001 in save_manager::write_file(emu_file&) /home/notroot/trunk/src/emu/save.c:317:7 #9 0x5c2187f in running_machine::handle_saveload() /home/notroot/trunk/src/emu/machine.c:916:84 #10 0x5c20125 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:405:5 #11 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11 #12 0x5a489fc in cli_frontend::execute(int, char*) /home/notroot/trunk/src/emu/clifront.c:220:15 #13 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9 #14 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #15 0xe40368 in _start (/home/notroot/trunk/mess64d+0xe40368) 0x7fcc20c01800 is located 0 bytes inside of 239743-byte region [0x7fcc20c01800,0x7fcc20c3c07f) freed by thread T0 here: #0 0xec7042 in free /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3 #1 0x677d108 in osd_free(void) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:103:2 #2 0x5fb2a04 in free_file_line(void, char const, int, bool) /home/notroot/trunk/src/lib/util/corealloc.c:178:2 #3 0x5f77b0f in operator delete[](void) /home/notroot/trunk/src/lib/util/corealloc.h:66:87 #4 0x5f77b0f in bitmap_t::reset() /home/notroot/trunk/src/lib/util/bitmap.c:208 #5 0x5f77b0f in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:134 #6 0x5f79260 in bitmap_t::resize(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:183:3 #7 0x5d1b203 in screen_device::realloc_screen_bitmaps() /home/notroot/trunk/src/emu/screen.c:538:3 #8 0x5d191e6 in screen_device::configure(int, int, rectangle const&, long long) /home/notroot/trunk/src/emu/screen.c:456:2 #9 0x5270365 in snes_ppu_device::dynamic_res_change() /home/notroot/trunk/src/emu/video/snes_ppu.c:2012:3 #10 0x5270365 in snes_ppu_device::write(address_space&, unsigned int, unsigned char) /home/notroot/trunk/src/emu/video/snes_ppu.c:2468 #11 0x2dc5d01 in snes_state::snes_w_io(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mame/machine/snes.c:484:3 #12 0x1f02543 in snes_console_state::snessgb_hi_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mess/drivers/snes.c:905:4 #13 0x1f02543 in snes_console_state::snessgb_lo_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mess/drivers/snes.c:913 #14 0x5c986d0 in delegate_base<void, address_space&, unsigned int, unsigned char, unsigned char, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/lib/util/delegate.h:655:90 #15 0x5c986d0 in handler_entry_write::write8(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/emu/memory.c:420 #16 0x5c986d0 in address_space_specific<unsigned char, (endianness_t)0, true>::write_native(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1141 #17 0x5c977d8 in address_space_specific<unsigned char, (endianness_t)0, true>::write_byte(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1426:70 #18 0x3aa2e7e in g65816_device::g65816i_write_8_normal(unsigned int, unsigned int) /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:244:2 #19 0x3b1f927 in g65816_device::g65816i_9d_M1X1() /home/notroot/trunk/src/emu/cpu/g65816/g65816op.h:1666:1 #20 0x3b2cc71 in g65816_device::g65816i_execute_M1X1(int) /home/notroot/trunk/src/emu/cpu/g65816/g65816op.h:1954:4 #21 0x3aacf66 in g65816_device::execute_run() /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:709:23 #22 0x3aacf66 in non-virtual thunk to g65816_device::execute_run() /home/notroot/trunk/src/emu/cpu/g65816/g65816.c:706 #23 0x5d0e76c in device_execute_interface::run() /home/notroot/trunk/src/emu/diexec.h:191:15 #24 0x5d0e76c in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:476 #25 0x5c20108 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5 #26 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11 #27 0x5a489fc in cli_frontend::execute(int, char) /home/notroot/trunk/src/emu/clifront.c:220:15 #28 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9 #29 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) previously allocated by thread T0 here: #0 0xec7322 in __interceptor_malloc /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3 #1 0x677d0f8 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:89:9 #2 0x5fb218a in malloc_file_line(unsigned long, char const, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25 #3 0x5f77d3b in operator new[](unsigned long) /home/notroot/trunk/src/lib/util/corealloc.h:64:97 #4 0x5f77d3b in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:149 #5 0x5d18fd2 in screen_device::register_screen_bitmap(bitmap_t&) /home/notroot/trunk/src/emu/screen.c:803:2 #6 0x1e90e21 in gb_lcd_device::common_start() /home/notroot/trunk/src/mess/video/gb_lcd.c:217:2 #7 0x1e9421b in sgb_lcd_device::device_start() /home/notroot/trunk/src/mess/video/gb_lcd.c:326:2 #8 0x5a65c8d in device_t::start() /home/notroot/trunk/src/emu/device.c:409:2 #9 0x5c1f63e in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1105:6 #10 0x5c1cd41 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:287:2 #11 0x5c1fe5a in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3 #12 0x5c18316 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11 #13 0x5a489fc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15 #14 0x2f2588f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9 #15 0x7fcc2e480ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) SUMMARY: AddressSanitizer: heap-use-after-free /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435 __asan_memcpy Shadow bytes around the buggy address: 0x0ffa041782b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffa041782f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0ffa04178300:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ffa04178350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
Steps To Reproduce
Additional Information

Flags	Debug build specific
Regression Version
Affected Sets / Systems	snespal [sgboyj]

Attached Files

No.11527 Tafoid Administrator Mar 19, 2015, 11:38	Windows 0.159 Debug MESS (Official) shows: ----------------------------------------------------- Exception at EIP=762A9D8C (register_frame_ctor+0x7314fbdc): ACCESS VIOLATION While attempting to read memory at 185A2000 ----------------------------------------------------- EAX=00000000 EBX=05C3CE0E ECX=00003C93 EDX=00000000 ESI=185A1FFE EDI=05C3D60C EBP=0028BA78 ESP=0028BA70 ----------------------------------------------------- Stack crawl: 0028BA78: 762A9D8C (malloc+0x009e) 0028BAC8: 01F17582 (deflate_slow+0x03e2) 0028BB18: 01F194F9 (deflate+0x00f9) 0028BB78: 01CCD01B (core_fwrite(core_file, void const, unsigned int)+0x00fb) 0028BB98: 01B57B88 (emu_file::write(void const, unsigned int)+0x0028) 0028BBF8: 01B0DCC0 (save_manager::write_file(emu_file&)+0x0160) 0028BDF8: 01AF06CE (running_machine::handle_saveload()+0x023e) 0028BE98: 01AF16C3 (running_machine::run(bool)+0x0293) 0028F898: 01ADE655 (machine_manager::execute()+0x03d5) 0028FA78: 01BB0DDF (cli_frontend::execute(int, char)+0x156f) 0028FE98: 00C7753F (utf8_main(int, char*)+0x029f) 0028FEC8: 01F1F9C1 (wmain+0x0071) 0028FF88: 004013F0 (__tmainCRTStartup+0x0270) 0028FF94: 76DD338A (BaseThreadInitThunk+0x0012) 0028FFD4: 777A9F72 (RtlInitializeExceptionChain+0x0063) 0028FFEC: 777A9F45 (RtlInitializeExceptionChain+0x0036)
No.13964 Osso Developer Jul 6, 2017, 13:10	Fixed in 0.170 or 0.171. Don't have a debug 0.170, but in 0.169 it crashes, in 0.171 it doesn't.
No.14594 Firewave Senior Tester Dec 31, 2017, 23:45	Still happening in 0.193 READ of size 40608 at 0x7f594fd5a800 thread T0 #0 0x14bc561 in __asan_memcpy /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:466:3 #1 0xf4a45d0 in read_buf /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1176:5 #2 0xf4a45d0 in fill_window /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1534 #3 0xf4b1e7a in deflate_slow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1941:13 #4 0xf4aa468 in deflate /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1003:18 #5 0xf18c9ca in compress /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corefile.cpp:110:46 #6 0xf18c9ca in osd_or_zlib_write /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corefile.cpp:1050 #7 0xf18c9ca in util::(anonymous namespace)::core_osd_file::write(void const, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corefile.cpp:920 #8 0xe479c28 in emu_file::write(void const, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/fileio.cpp:584:18 #9 0xe77804f in save_manager::write_file(emu_file&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/save.cpp:326:12 #10 0xe6a5d0b in running_machine::handle_saveload() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:923:108 #11 0xe6a3210 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:364:5 #12 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19 #13 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22 #14 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3 #15 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18 #16 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9 #17 0x7f596ebdb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #18 0x1431838 in _start (/mnt/mame/mame64+0x1431838) 0x7f594fd5a800 is located 0 bytes inside of 212784-byte region [0x7f594fd5a800,0x7f594fd8e730) freed by thread T0 here: #0 0x14fe4c2 in operator delete[](void) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:141:3 #1 0xf13f5fb in operator() /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/unique_ptr.h:119:2 #2 0xf13f5fb in reset /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/unique_ptr.h:581 #3 0xf13f5fb in reset /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:277 #4 0xf13f5fb in bitmap_t::allocate(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:196 #5 0xf140c3e in bitmap_t::resize(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:250:3 #6 0xe7a992d in screen_device::realloc_screen_bitmaps() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1131:18 #7 0xe7a61fa in screen_device::configure(int, int, rectangle const&, long) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1049:2 #8 0xd6197bf in dynamic_res_change /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/snes_ppu.cpp #9 0xd6197bf in snes_ppu_device::write(address_space&, unsigned int, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/snes_ppu.cpp:2476 #10 0x76f45aa in snes_state::snes_w_io(address_space&, unsigned int, unsigned char, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/machine/snes.cpp:484:10 #11 0x7694f33 in snessgb_hi_w /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/drivers/snes.cpp:909:4 #12 0x7694f33 in snes_console_state::snessgb_lo_w(address_space&, unsigned int, unsigned char, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/drivers/snes.cpp:917 #13 0xe24e059 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11 #14 0xe24e059 in write8 /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:468 #15 0xe24e059 in write_native /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1192 #16 0xe24e059 in address_space_specific<unsigned char, (endianness_t)0, 0, true>::write_byte(unsigned int, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1477 #17 0xa68a047 in g65816_device::g65816i_write_8_normal(unsigned int, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816.cpp:253:2 #18 0xa6f3e8c in g65816_device::g65816i_9d_M1X1() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816op.h:1668:1 #19 0xa6fe7a5 in g65816_device::g65816i_execute_M1X1(int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816op.h:1956:4 #20 0xa693e47 in execute_run /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816.cpp:718:22 #21 0xa693e47 in non-virtual thunk to g65816_device::execute_run() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816.cpp #22 0xe78e272 in run /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:188:15 #23 0xe78e272 in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:481 #24 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17 #25 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19 #26 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22 #27 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3 #28 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18 #29 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9 #30 0x7f596ebdb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) previously allocated by thread T0 here: #0 0x14fd8a2 in operator new[](unsigned long) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:95:3 #1 0xf13f7e6 in bitmap_t::allocate(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:210:16 #2 0xe7a5f50 in screen_device::register_screen_bitmap(bitmap_t&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1505:9 #3 0xd3f060d in dmg_ppu_device::common_start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/gb_lcd.cpp:362:12 #4 0xd3f5538 in sgb_ppu_device::device_start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/gb_lcd.cpp:515:2 #5 0xe0e345d in device_t::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.cpp:489:2 #6 0xe6a1f65 in running_machine::start_all_devices() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:1040:13 #7 0xe6a005d in running_machine::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:265:2 #8 0xe6a2a41 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:310:3 #9 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19 #10 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22 #11 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3 #12 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18 #13 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9 #14 0x7f596ebdb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-use-after-free /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:466:3 in __asan_memcpy Shadow bytes around the buggy address: 0x0feba9fa34b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feba9fa34c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feba9fa34d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feba9fa34e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feba9fa34f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0feba9fa3500:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0feba9fa3510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0feba9fa3520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0feba9fa3530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0feba9fa3540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0feba9fa3550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

No.11527

Tafoid

Administrator

Mar 19, 2015, 11:38

Windows 0.159 Debug MESS (Official) shows:

-----------------------------------------------------
Exception at EIP=762A9D8C (register_frame_ctor+0x7314fbdc): ACCESS VIOLATION
While attempting to read memory at 185A2000
-----------------------------------------------------
EAX=00000000 EBX=05C3CE0E ECX=00003C93 EDX=00000000
ESI=185A1FFE EDI=05C3D60C EBP=0028BA78 ESP=0028BA70
-----------------------------------------------------
Stack crawl:
  0028BA78: 762A9D8C (malloc+0x009e)
  0028BAC8: 01F17582 (deflate_slow+0x03e2)
  0028BB18: 01F194F9 (deflate+0x00f9)
  0028BB78: 01CCD01B (core_fwrite(core_file*, void const*, unsigned int)+0x00fb)

  0028BB98: 01B57B88 (emu_file::write(void const*, unsigned int)+0x0028)
  0028BBF8: 01B0DCC0 (save_manager::write_file(emu_file&)+0x0160)
  0028BDF8: 01AF06CE (running_machine::handle_saveload()+0x023e)
  0028BE98: 01AF16C3 (running_machine::run(bool)+0x0293)
  0028F898: 01ADE655 (machine_manager::execute()+0x03d5)
  0028FA78: 01BB0DDF (cli_frontend::execute(int, char**)+0x156f)
  0028FE98: 00C7753F (utf8_main(int, char**)+0x029f)
  0028FEC8: 01F1F9C1 (wmain+0x0071)
  0028FF88: 004013F0 (__tmainCRTStartup+0x0270)
  0028FF94: 76DD338A (BaseThreadInitThunk+0x0012)
  0028FFD4: 777A9F72 (RtlInitializeExceptionChain+0x0063)
  0028FFEC: 777A9F45 (RtlInitializeExceptionChain+0x0036)

No.13964

Osso

Developer

Jul 6, 2017, 13:10

Fixed in 0.170 or 0.171. Don't have a debug 0.170, but in 0.169 it crashes, in 0.171 it doesn't.

No.14594

Firewave

Senior Tester

Dec 31, 2017, 23:45

Still happening in 0.193

READ of size 40608 at 0x7f594fd5a800 thread T0

    #0 0x14bc561 in __asan_memcpy /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:466:3

    #1 0xf4a45d0 in read_buf /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1176:5

    #2 0xf4a45d0 in fill_window /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1534

    #3 0xf4b1e7a in deflate_slow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1941:13

    #4 0xf4aa468 in deflate /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../3rdparty/zlib/deflate.c:1003:18

    #5 0xf18c9ca in compress /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corefile.cpp:110:46

    #6 0xf18c9ca in osd_or_zlib_write /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corefile.cpp:1050

    #7 0xf18c9ca in util::(anonymous namespace)::core_osd_file::write(void const*, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/corefile.cpp:920

    #8 0xe479c28 in emu_file::write(void const*, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/fileio.cpp:584:18

    #9 0xe77804f in save_manager::write_file(emu_file&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/save.cpp:326:12

    #10 0xe6a5d0b in running_machine::handle_saveload() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:923:108

    #11 0xe6a3210 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:364:5

    #12 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19

    #13 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22

    #14 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3

    #15 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18

    #16 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9

    #17 0x7f596ebdb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    #18 0x1431838 in _start (/mnt/mame/mame64+0x1431838)



0x7f594fd5a800 is located 0 bytes inside of 212784-byte region [0x7f594fd5a800,0x7f594fd8e730)

freed by thread T0 here:

    #0 0x14fe4c2 in operator delete[](void*) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:141:3

    #1 0xf13f5fb in operator() /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/unique_ptr.h:119:2

    #2 0xf13f5fb in reset /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/unique_ptr.h:581

    #3 0xf13f5fb in reset /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:277

    #4 0xf13f5fb in bitmap_t::allocate(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:196

    #5 0xf140c3e in bitmap_t::resize(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:250:3

    #6 0xe7a992d in screen_device::realloc_screen_bitmaps() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1131:18

    #7 0xe7a61fa in screen_device::configure(int, int, rectangle const&, long) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1049:2

    #8 0xd6197bf in dynamic_res_change /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/snes_ppu.cpp

    #9 0xd6197bf in snes_ppu_device::write(address_space&, unsigned int, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/snes_ppu.cpp:2476

    #10 0x76f45aa in snes_state::snes_w_io(address_space&, unsigned int, unsigned char, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/machine/snes.cpp:484:10

    #11 0x7694f33 in snessgb_hi_w /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/drivers/snes.cpp:909:4

    #12 0x7694f33 in snes_console_state::snessgb_lo_w(address_space&, unsigned int, unsigned char, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/drivers/snes.cpp:917

    #13 0xe24e059 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11

    #14 0xe24e059 in write8 /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:468

    #15 0xe24e059 in write_native /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1192

    #16 0xe24e059 in address_space_specific<unsigned char, (endianness_t)0, 0, true>::write_byte(unsigned int, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1477

    #17 0xa68a047 in g65816_device::g65816i_write_8_normal(unsigned int, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816.cpp:253:2

    #18 0xa6f3e8c in g65816_device::g65816i_9d_M1X1() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816op.h:1668:1

    #19 0xa6fe7a5 in g65816_device::g65816i_execute_M1X1(int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816op.h:1956:4

    #20 0xa693e47 in execute_run /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816.cpp:718:22

    #21 0xa693e47 in non-virtual thunk to g65816_device::execute_run() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/g65816/g65816.cpp

    #22 0xe78e272 in run /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:188:15

    #23 0xe78e272 in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:481

    #24 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17

    #25 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19

    #26 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22

    #27 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3

    #28 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18

    #29 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9

    #30 0x7f596ebdb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)



previously allocated by thread T0 here:

    #0 0x14fd8a2 in operator new[](unsigned long) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:95:3

    #1 0xf13f7e6 in bitmap_t::allocate(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:210:16

    #2 0xe7a5f50 in screen_device::register_screen_bitmap(bitmap_t&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1505:9

    #3 0xd3f060d in dmg_ppu_device::common_start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/gb_lcd.cpp:362:12

    #4 0xd3f5538 in sgb_ppu_device::device_start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/video/gb_lcd.cpp:515:2

    #5 0xe0e345d in device_t::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.cpp:489:2

    #6 0xe6a1f65 in running_machine::start_all_devices() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:1040:13

    #7 0xe6a005d in running_machine::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:265:2

    #8 0xe6a2a41 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:310:3

    #9 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19

    #10 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22

    #11 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3

    #12 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18

    #13 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9

    #14 0x7f596ebdb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)



SUMMARY: AddressSanitizer: heap-use-after-free /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:466:3 in __asan_memcpy

Shadow bytes around the buggy address:

  0x0feba9fa34b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0feba9fa34c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0feba9fa34d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0feba9fa34e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0feba9fa34f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0feba9fa3500:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0feba9fa3510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0feba9fa3520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0feba9fa3530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0feba9fa3540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0feba9fa3550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb