Viewing Issue Advanced Details
ID: 06268
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jul 1, 2016, 05:08
Last Update: Jul 1, 2016, 06:06
Tester: cuavas
View Status: Public
Platform: MAME (Self-compiled)
Assigned To: cuavas
Resolution: Fixed
OS: Windows Vista/7/8 (64-bit)
Status: Resolved
Driver:
Version: 0.175
Fixed in Version: 0.176
Build:
Summary: 06268: MAME can crash when switching languages
Description:
This is reproducible on Windows and Linux with the latest source from git (mame0171-3623-g507cb50). The easiest way to reproduce the crash is to select a language that has a proper external translation, switch to a language that lacks a proper external translation, and then try to switch language again. Stack trace is from a 64-bit Linux build, but the same thing happens on Windows as well. I don't know if this happens in 0.175 or if it's somehow related to Nathan's refactoring of the menu code.

Program received signal SIGSEGV, Segmentation fault.
0x000000351348636a in strlen () from /lib64/libc.so.6
(gdb) where
#0 0x000000351348636a in strlen () from /lib64/libc.so.6
#1 0x000000000090dabb in render_font::utf8string_width (this=0x1e0c820, height=height@entry=0.0326651819, aspect=aspect@entry=0.746674061, utf8string=utf8string@entry=0x7c00000077 <error: Cannot access memory at address 0x7c00000077>)
    at ../../../../../src/emu/rendfont.cpp:445
#2 0x000000000058ef7c in mame_ui_manager::get_string_width (this=0x1db4590, s=s@entry=0x7c00000077 <error: Cannot access memory at address 0x7c00000077>, text_size=text_size@entry=1) at ../../../../../src/frontend/mame/ui/ui.cpp:508
#3 0x00000000005f9658 in ui::menu::draw (this=this@entry=0x49b7d60, flags=flags@entry=0, origx0=<optimized out>, origy0=<optimized out>) at ../../../../../src/frontend/mame/ui/menu.cpp:731
#4 0x000000000060443a in ui::menu::process (this=this@entry=0x49b7d60, flags=flags@entry=0, x0=x0@entry=0, y0=y0@entry=0) at ../../../../../src/frontend/mame/ui/menu.cpp:401
#5 0x000000000061004c in ui::menu_selector::handle (this=0x49b7d60) at ../../../../../src/frontend/mame/ui/selector.cpp:59
#6 0x000000000060068b in do_handle (this=<optimized out>) at ../../../../../src/frontend/mame/ui/menu.cpp:1236
#7 ui::menu::ui_handler (container=<optimized out>, mui=...) at ../../../../../src/frontend/mame/ui/menu.cpp:1257
#8 0x0000000000599923 in operator() (container=<optimized out>, __closure=<optimized out>) at ../../../../../src/frontend/mame/ui/ui.h:193
#9 std::_Function_handler<unsigned int (render_container*), void mame_ui_manager::set_handler<mame_ui_manager&>(ui_callback_type, unsigned int (*)(render_container*, mame_ui_manager&), mame_ui_manager&)::{lambda(render_container*)#1}>::_M_invoke(std::_Any_data const&, render_container*&&) (__functor=..., __args#0=<optimized out>) at /opt/anteline/gcc51/include/c++/5.1.1/functional:1857
#10 0x0000000000591465 in operator() (__args#0=0x1765c20, this=0x1db45b8) at /opt/anteline/gcc51/include/c++/5.1.1/functional:2271
#11 mame_ui_manager::update_and_render (this=0x1db4590, container=0x1765c20) at ../../../../../src/frontend/mame/ui/ui.cpp:400
#12 0x0000000000549ebf in emulator_info::draw_user_interface (machine=...) at ../../../../../src/frontend/mame/mame.cpp:330
#13 0x00000000009638a8 in video_manager::frame_update (this=0x1db4740, from_debugger=from_debugger@entry=false) at ../../../../../src/emu/video.cpp:225
#14 0x00000000008f908c in running_machine::run (this=this@entry=0x7fffffff6b10, quiet=quiet@entry=true) at ../../../../../src/emu/machine.cpp:346
#15 0x000000000054ac61 in mame_machine_manager::execute (this=this@entry=0x1705610) at ../../../../../src/frontend/mame/mame.cpp:226
#16 0x00000000005b7789 in cli_frontend::execute (this=this@entry=0x7fffffffd800, argc=argc@entry=3, argv=argv@entry=0x7fffffffdc98) at ../../../../../src/frontend/mame/clifront.cpp:282
#17 0x0000000000549e6d in emulator_info::start_frontend (options=..., osd=..., argc=argc@entry=3, argv=argv@entry=0x7fffffffdc98) at ../../../../../src/frontend/mame/mame.cpp:325
#18 0x0000000000437466 in main (argc=3, argv=0x7fffffffdc98) at ../../../../../src/osd/sdl/sdlmain.cpp:214
Steps To Reproduce:
1. Start MAME with a translation loaded with no machine, e.g. ./mametiny64 -language Italian
2. Tab to bottom pane of UI, select "Configura Opzioni" (first item) and press return/enter
3. Select "Personalizza UI" (first item after the separator) and press return/enter
4. Select "Lingua" (third item) and press return/enter
5. If you're lucky, MAME will crash; if not, keep going
6. Select "Ukrainian" and press return/enter
7. Press escape twice to reload the main menu with the new options
8. Tab to bottom pane of UI, select "Configure Options" (first item) and press return/enter
9. Select "Customize UI" (first item after the separator) and press return/enter
10. Select "Language" (third item) and press return/enter
11. MAME should definitely crash this time if it didn't already at step 5
Notes
Note No.12869 by cuavas (Administrator), Jul 1, 2016, 05:11
valgrind output:

==13595== Memcheck, a memory error detector
==13595== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==13595== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==13595== Command: ./mametiny64 -language Italian
==13595==
==13595== Conditional jump or move depends on uninitialised value(s)
==13595== at 0x48F943: sdl_window_info::update_cursor_state() (window.cpp:244)
==13595== by 0x4905A8: sdl_window_info::update() (window.cpp:562)
==13595== by 0x48C22A: sdl_osd_interface::update(bool) (video.cpp:144)
==13595== by 0x963921: video_manager::frame_update(bool) (video.cpp:234)
==13595== by 0x58EA85: mame_ui_manager::set_startup_text(char const*, bool) (ui.cpp:365)
==13595== by 0x548B6A: mame_machine_manager::create_ui(running_machine&) (mame.cpp:277)
==13595== by 0x8F8D86: running_machine::start() (machine.cpp:214)
==13595== by 0x8F8FB4: running_machine::run(bool) (machine.cpp:301)
==13595== by 0x54AC60: mame_machine_manager::execute() (mame.cpp:226)
==13595== by 0x5B7788: cli_frontend::execute(int, char**) (clifront.cpp:282)
==13595== by 0x549E6C: emulator_info::start_frontend(emu_options&, osd_interface&, int, char**) (mame.cpp:325)
==13595== by 0x437465: main (sdlmain.cpp:214)
==13595==
==13595== Conditional jump or move depends on uninitialised value(s)
==13595== at 0x48F970: sdl_window_info::update_cursor_state() (window.cpp:225)
==13595== by 0x4905A8: sdl_window_info::update() (window.cpp:562)
==13595== by 0x48C22A: sdl_osd_interface::update(bool) (video.cpp:144)
==13595== by 0x963921: video_manager::frame_update(bool) (video.cpp:234)
==13595== by 0x58EA85: mame_ui_manager::set_startup_text(char const*, bool) (ui.cpp:365)
==13595== by 0x548B6A: mame_machine_manager::create_ui(running_machine&) (mame.cpp:277)
==13595== by 0x8F8D86: running_machine::start() (machine.cpp:214)
==13595== by 0x8F8FB4: running_machine::run(bool) (machine.cpp:301)
==13595== by 0x54AC60: mame_machine_manager::execute() (mame.cpp:226)
==13595== by 0x5B7788: cli_frontend::execute(int, char**) (clifront.cpp:282)
==13595== by 0x549E6C: emulator_info::start_frontend(emu_options&, osd_interface&, int, char**) (mame.cpp:325)
==13595== by 0x437465: main (sdlmain.cpp:214)
==13595==
==13595== Conditional jump or move depends on uninitialised value(s)
==13595== at 0x5F910D: ui::menu::draw(unsigned int, float, float) (menu.cpp:700)
==13595== by 0x604439: ui::menu::process(unsigned int, float, float) (menu.cpp:401)
==13595== by 0x61004B: ui::menu_selector::handle() (selector.cpp:59)
==13595== by 0x60068A: ui::menu::ui_handler(render_container*, mame_ui_manager&) (menu.cpp:1236)
==13595== by 0x599922: std::_Function_handler<unsigned int (render_container*), void mame_ui_manager::set_handler<mame_ui_manager&>(ui_callback_type, unsigned int (*)(render_container*, mame_ui_manager&), unsigned int (render_container*, mame_ui_manager&))::{lambda(render_container*)#1}>::_M_invoke(std::_Any_data const&, render_container*&&) (ui.h:193)
==13595== by 0x591464: mame_ui_manager::update_and_render(render_container*) (functional:2271)
==13595== by 0x549EBE: emulator_info::draw_user_interface(running_machine&) (mame.cpp:330)
==13595== by 0x9638A7: video_manager::frame_update(bool) (video.cpp:225)
==13595== by 0x8F908B: running_machine::run(bool) (machine.cpp:346)
==13595== by 0x54AC60: mame_machine_manager::execute() (mame.cpp:226)
==13595== by 0x5B7788: cli_frontend::execute(int, char**) (clifront.cpp:282)
==13595== by 0x549E6C: emulator_info::start_frontend(emu_options&, osd_interface&, int, char**) (mame.cpp:325)
==13595==
==13595== Conditional jump or move depends on uninitialised value(s)
==13595== at 0x5F9118: ui::menu::draw(unsigned int, float, float) (menu.cpp:704)
==13595== by 0x604439: ui::menu::process(unsigned int, float, float) (menu.cpp:401)
==13595== by 0x61004B: ui::menu_selector::handle() (selector.cpp:59)
==13595== by 0x60068A: ui::menu::ui_handler(render_container*, mame_ui_manager&) (menu.cpp:1236)
==13595== by 0x599922: std::_Function_handler<unsigned int (render_container*), void mame_ui_manager::set_handler<mame_ui_manager&>(ui_callback_type, unsigned int (*)(render_container*, mame_ui_manager&), unsigned int (render_container*, mame_ui_manager&))::{lambda(render_container*)#1}>::_M_invoke(std::_Any_data const&, render_container*&&) (ui.h:193)
==13595== by 0x591464: mame_ui_manager::update_and_render(render_container*) (functional:2271)
==13595== by 0x549EBE: emulator_info::draw_user_interface(running_machine&) (mame.cpp:330)
==13595== by 0x9638A7: video_manager::frame_update(bool) (video.cpp:225)
==13595== by 0x8F908B: running_machine::run(bool) (machine.cpp:346)
==13595== by 0x54AC60: mame_machine_manager::execute() (mame.cpp:226)
==13595== by 0x5B7788: cli_frontend::execute(int, char**) (clifront.cpp:282)
==13595== by 0x549E6C: emulator_info::start_frontend(emu_options&, osd_interface&, int, char**) (mame.cpp:325)
==13595==
==13595== Use of uninitialised value of size 8
==13595== at 0x4A092F2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13595== by 0x61BAF1: ui::text_layout::add_text(char const*, ui::text_layout::char_style const&) (text.cpp:115)
==13595== by 0x590388: mame_ui_manager::draw_text_full(render_container*, char const*, float, float, float, ui::text_layout::text_justify, ui::text_layout::word_wrapping, mame_ui_manager::draw_mode, rgb_t, rgb_t, float*, float*, float) (text.h:77)
==13595== by 0x5F9626: ui::menu::draw(unsigned int, float, float) (menu.cpp:725)
==13595== by 0x604439: ui::menu::process(unsigned int, float, float) (menu.cpp:401)
==13595== by 0x61004B: ui::menu_selector::handle() (selector.cpp:59)
==13595== by 0x60068A: ui::menu::ui_handler(render_container*, mame_ui_manager&) (menu.cpp:1236)
==13595== by 0x599922: std::_Function_handler<unsigned int (render_container*), void mame_ui_manager::set_handler<mame_ui_manager&>(ui_callback_type, unsigned int (*)(render_container*, mame_ui_manager&), unsigned int (render_container*, mame_ui_manager&))::{lambda(render_container*)#1}>::_M_invoke(std::_Any_data const&, render_container*&&) (ui.h:193)
==13595== by 0x591464: mame_ui_manager::update_and_render(render_container*) (functional:2271)
==13595== by 0x549EBE: emulator_info::draw_user_interface(running_machine&) (mame.cpp:330)
==13595== by 0x9638A7: video_manager::frame_update(bool) (video.cpp:225)
==13595== by 0x8F908B: running_machine::run(bool) (machine.cpp:346)
==13595==
==13595== Invalid read of size 1
==13595== at 0x4A092F2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13595== by 0x61BAF1: ui::text_layout::add_text(char const*, ui::text_layout::char_style const&) (text.cpp:115)
==13595== by 0x590388: mame_ui_manager::draw_text_full(render_container*, char const*, float, float, float, ui::text_layout::text_justify, ui::text_layout::word_wrapping, mame_ui_manager::draw_mode, rgb_t, rgb_t, float*, float*, float) (text.h:77)
==13595== by 0x5F9626: ui::menu::draw(unsigned int, float, float) (menu.cpp:725)
==13595== by 0x604439: ui::menu::process(unsigned int, float, float) (menu.cpp:401)
==13595== by 0x61004B: ui::menu_selector::handle() (selector.cpp:59)
==13595== by 0x60068A: ui::menu::ui_handler(render_container*, mame_ui_manager&) (menu.cpp:1236)
==13595== by 0x599922: std::_Function_handler<unsigned int (render_container*), void mame_ui_manager::set_handler<mame_ui_manager&>(ui_callback_type, unsigned int (*)(render_container*, mame_ui_manager&), unsigned int (render_container*, mame_ui_manager&))::{lambda(render_container*)#1}>::_M_invoke(std::_Any_data const&, render_container*&&) (ui.h:193)
==13595== by 0x591464: mame_ui_manager::update_and_render(render_container*) (functional:2271)
==13595== by 0x549EBE: emulator_info::draw_user_interface(running_machine&) (mame.cpp:330)
==13595== by 0x9638A7: video_manager::frame_update(bool) (video.cpp:225)
==13595== by 0x8F908B: running_machine::run(bool) (machine.cpp:346)
==13595== Address 0xffffffff is not stack'd, malloc'd or (recently) free'd
==13595==
==13595==
==13595== Process terminating with default action of signal 11 (SIGSEGV)
==13595== Access not within mapped region at address 0xFFFFFFFF
==13595== at 0x4A092F2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13595== by 0x61BAF1: ui::text_layout::add_text(char const*, ui::text_layout::char_style const&) (text.cpp:115)
==13595== by 0x590388: mame_ui_manager::draw_text_full(render_container*, char const*, float, float, float, ui::text_layout::text_justify, ui::text_layout::word_wrapping, mame_ui_manager::draw_mode, rgb_t, rgb_t, float*, float*, float) (text.h:77)
==13595== by 0x5F9626: ui::menu::draw(unsigned int, float, float) (menu.cpp:725)
==13595== by 0x604439: ui::menu::process(unsigned int, float, float) (menu.cpp:401)
==13595== by 0x61004B: ui::menu_selector::handle() (selector.cpp:59)
==13595== by 0x60068A: ui::menu::ui_handler(render_container*, mame_ui_manager&) (menu.cpp:1236)
==13595== by 0x599922: std::_Function_handler<unsigned int (render_container*), void mame_ui_manager::set_handler<mame_ui_manager&>(ui_callback_type, unsigned int (*)(render_container*, mame_ui_manager&), unsigned int (render_container*, mame_ui_manager&))::{lambda(render_container*)#1}>::_M_invoke(std::_Any_data const&, render_container*&&) (ui.h:193)
==13595== by 0x591464: mame_ui_manager::update_and_render(render_container*) (functional:2271)
==13595== by 0x549EBE: emulator_info::draw_user_interface(running_machine&) (mame.cpp:330)
==13595== by 0x9638A7: video_manager::frame_update(bool) (video.cpp:225)
==13595== by 0x8F908B: running_machine::run(bool) (machine.cpp:346)
==13595== If you believe this happened as a result of a stack
==13595== overflow in your program's main thread (unlikely but
==13595== possible), you can try to increase the size of the
==13595== main thread stack using the --main-stacksize= flag.
==13595== The main thread stack size used in this run was 8388608.
==13595==
==13595== HEAP SUMMARY:
==13595== in use at exit: 74,513,845 bytes in 58,515 blocks
==13595== total heap usage: 356,591 allocs, 298,076 frees, 227,450,023 bytes allocated
==13595==
==13595== LEAK SUMMARY:
==13595== definitely lost: 20,987 bytes in 474 blocks
==13595== indirectly lost: 0 bytes in 0 blocks
==13595== possibly lost: 8,381,645 bytes in 37,416 blocks
==13595== still reachable: 66,111,213 bytes in 20,625 blocks
==13595== suppressed: 0 bytes in 0 blocks
==13595== Rerun with --leak-check=full to see details of leaked memory
==13595==
==13595== For counts of detected and suppressed errors, rerun with: -v
==13595== Use --track-origins=yes to see where uninitialised values come from
==13595== ERROR SUMMARY: 74 errors from 6 contexts (suppressed: 7 from 3)
Killed
Note No.12870 by cuavas (Administrator), Jul 1, 2016, 05:40
On further investigation, there's something wrong with how it's calculating the number of rows to draw and where the top line should be. It gets into the following state:
this->item.size() = 54
visible_lines = 26
top_line = 37
show_top_arrow = true
show_bottom_arrow = true

So it's clearly confused - if the top line is 37, there's no way it can display 26 items. There simply aren't enough in the list of 54. So it runs off the end of the vector and reads garbage from uninitialised memory.
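The inconsistent state quoted in the note (54 items, visible_lines = 26, top_line = 37) is an added illustration here and not MAME's own menu code: a scroll-window computation that keeps the invariant top_line + visible_lines <= item count when the item list is replaced, plus a bounds-checked draw that refuses such a window instead of indexing past the vector. The struct and function names (scroll_window, window_is_valid, make_window, draw_rows, sample_items) are hypothetical, and the item list is constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Constructed scroll-window state with the same fields the note names.
struct scroll_window {
    std::size_t top_line;
    std::size_t visible_lines;
    bool show_top_arrow;
    bool show_bottom_arrow;
};

// Invariant every draw pass relies on: rows top_line .. top_line+visible_lines-1
// must all index existing items, so top_line + visible_lines <= item_count.
bool window_is_valid(const scroll_window &w, std::size_t item_count)
{
    if (w.visible_lines > item_count)
        return false;
    return w.top_line <= item_count - w.visible_lines;
}

// Recompute the window after the item list changes (e.g. a language switch
// rebuilds the menu), keeping `selected` in view and never letting the window
// run past the end of the list.  `desired_top` is the stale top_line.
scroll_window make_window(std::size_t item_count, std::size_t max_visible,
                          std::size_t selected, std::size_t desired_top)
{
    scroll_window w{};
    w.visible_lines = std::min(max_visible, item_count);
    const std::size_t max_top = item_count - w.visible_lines;

    // Clamp the stale top_line against the new list size first.
    std::size_t top = std::min(desired_top, max_top);

    // Then scroll just enough to keep the selection visible.
    if (selected < top)
        top = selected;
    else if (selected >= top + w.visible_lines)
        top = selected + 1 - w.visible_lines;
    top = std::min(top, max_top);

    w.top_line = top;
    w.show_top_arrow = top > 0;
    w.show_bottom_arrow = (top + w.visible_lines) < item_count;
    return w;
}

// Bounds-checked draw: returns the rows that would be drawn, or nothing if the
// window is inconsistent, instead of reading past the end of the vector.
std::vector<std::string> draw_rows(const std::vector<std::string> &items,
                                   const scroll_window &w)
{
    std::vector<std::string> rows;
    if (!window_is_valid(w, items.size()))
        return rows;
    for (std::size_t i = 0; i < w.visible_lines; ++i)
        rows.push_back(items.at(w.top_line + i)); // at() throws rather than reading garbage
    return rows;
}

// Constructed sample list standing in for the 54 menu items in the report.
std::vector<std::string> sample_items(std::size_t n)
{
    std::vector<std::string> items;
    for (std::size_t i = 0; i < n; ++i)
        items.push_back("item " + std::to_string(i));
    return items;
}
```

With the reported numbers, window_is_valid rejects top_line 37, and make_window clamps it to 28 (54 - 26), the largest top line that still leaves 26 real items to draw; a list shorter than the window shrinks visible_lines instead of scrolling.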
Note No.12871 by cuavas (Administrator), Jul 1, 2016, 06:06
Fixed in mame0175-53-g0630edb