Viewing Issue Advanced Details
| Field | Value |
|---|---|
| ID | 05866 |
| Category | Misc. |
| Severity | Critical (emulator) |
| Reproducibility | Always |
| Date Submitted | Mar 5, 2015, 17:45 |
| Last Update | Nov 10, 2022, 10:48 |
| Tester | Firewave |
| View Status | Public |
| Platform | MAME (Self-compiled) |
| Assigned To | |
| Resolution | Fixed |
| OS | |
| Status | Resolved |
| Driver | |
| Version | 0.159 |
| Fixed in Version | |
| Build | Debug |
| Fixed in Git Commit | |
| Github Pull Request # | |
| Summary | 05866: pbobble3, pbobble3j, pbobble3u, pbobble4, pbobble4j, pbobble4u, rayforce, rayforcej: [debug] AddressSanitizer: heap-buffer-overflow |
Description

```
==25732==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc576a8f87f at pc 0x00000470bda3 bp 0x7ffffdb78bc0 sp 0x7ffffdb78bb8
READ of size 1 at 0x7fc576a8f87f thread T0
    #0 0x470bda2 in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int) /home/notroot/trunk/src/mame/video/taito_f3.c:1483:35
    #1 0x4705b62 in taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/taito_f3.c:2521:3
    #2 0x4706ca2 in taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/taito_f3.c:3188:2
    #3 0x813ffb0 in delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const /home/notroot/trunk/src/lib/util/delegate.h:652:76
    #4 0x813ffb0 in screen_device::update_partial(int) /home/notroot/trunk/src/emu/screen.c:625
    #5 0x81d8f52 in video_manager::finish_screen_updates() /home/notroot/trunk/src/emu/video.c:649:3
    #6 0x81d853f in video_manager::frame_update(bool) /home/notroot/trunk/src/emu/video.c:202:27
    #7 0x813f362 in screen_device::vblank_begin() /home/notroot/trunk/src/emu/screen.c:822:3
    #8 0x813f029 in screen_device::device_timer(emu_timer&, unsigned int, int, void*) /home/notroot/trunk/src/emu/screen.c:404:4
    #9 0x8136b63 in device_t::timer_expired(emu_timer&, unsigned int, int, void*) /home/notroot/trunk/src/emu/device.h:191:83
    #10 0x8136b63 in device_scheduler::execute_timers() /home/notroot/trunk/src/emu/schedule.c:902
    #11 0x813263b in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:517:2
    #12 0x804fe48 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5
    #13 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #14 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #15 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #16 0x7fc59b076ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #17 0x116cdfc in _start (/home/notroot/trunk/mame64d+0x116cdfc)

0x7fc576a8f87f is located 0 bytes to the right of 262271-byte region [0x7fc576a4f800,0x7fc576a8f87f)
allocated by thread T0 here:
    #0 0x114f78b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8b42538 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:89:9
    #2 0x8419fca in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25
    #3 0x83e3242 in operator new[](unsigned long) /home/notroot/trunk/src/lib/util/corealloc.h:64:97
    #4 0x83e3242 in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:149
    #5 0x81603ae in tilemap_t::init(tilemap_manager&, device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, device_delegate<unsigned int (unsigned int, unsigned int, unsigned int, unsigned int)>, int, int, int, int) /home/notroot/trunk/src/emu/tilemap.c:392:2
    #6 0x8165e98 in tilemap_manager::create(device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, tilemap_standard_mapper, int, int, int, int, tilemap_t*) /home/notroot/trunk/src/emu/tilemap.c:1547:31
    #7 0x46f37a2 in taito_f3_state::video_start_f3() /home/notroot/trunk/src/mame/video/taito_f3.c:627:18
    #8 0x7f23cf5 in delegate_base<void, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()() const /home/notroot/trunk/src/lib/util/delegate.h:649:42
    #9 0x7f23cf5 in driver_device::device_start() /home/notroot/trunk/src/emu/driver.c:229
    #10 0x7e970fc in device_t::start() /home/notroot/trunk/src/emu/device.c:409:2
    #11 0x804f33a in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1105:6
    #12 0x804ca64 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:287:2
    #13 0x804fb73 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3
    #14 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #15 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #16 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #17 0x7fc59b076ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/notroot/trunk/src/mame/video/taito_f3.c:1483 taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)
```
| Field | Value |
|---|---|
| Steps To Reproduce | |
| Additional Information | |
| Github Commit | |
| Flags | Debug build specific |
| Regression Version | |
| Affected Sets / Systems | pbobble3, pbobble3j, pbobble3u, pbobble4, pbobble4j, pbobble4u, rayforce, rayforcej |

Attached Files

Relationships
There are no relationships linked to this issue.
Notes (3)
No.11506
B2K24 Senior Tester
Mar 11, 2015, 17:49
```
-----------------------------------------------------
Exception at EIP=000000000396F5E2 (taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)+0x1d72): ACCESS VIOLATION
While attempting to read memory at 0000000057CE2000
-----------------------------------------------------
RAX=0000000057CE2000 RBX=0000000000000000 RCX=000000004495D528 RDX=0000000000000100
RSI=0000000000000001 RDI=0000000000325BF0 RBP=0000000000227D20 RSP=0000000000227C70
 R8=000000000000002E  R9=0000000000227EA0 R10=00000000000000FF R11=00000000000001F8
R12=0000000000000018 R13=0000000000000012 R14=0000000000000000 R15=0000000000000000
-----------------------------------------------------
Stack crawl:
  0000000000227C70: 000000000396F5E2 (taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)+0x1d72)
  0000000000228200: 0000000001A06E32 (taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&)+0x1a20)
  0000000000228290: 0000000001A08100 (taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&)+0x0450)
  00000000002282C0: 0000000003DC6615 (delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const+0x0035)
  0000000000228330: 0000000002D2C7F4 (screen_device::update_partial(int)+0x0206)
  00000000002283A0: 0000000002E5E445 (video_manager::finish_screen_updates()+0x005f)
  0000000000228410: 0000000002E5CFAD (video_manager::frame_update(bool)+0x008d)
  00000000002284A0: 0000000002D2D160 (screen_device::vblank_begin()+0x00fa)
  00000000002284F0: 0000000002D2BB57 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x003d)
  0000000000228530: 0000000003D770E1 (device_t::timer_expired(emu_timer&, unsigned int, int, void*)+0x0041)
  0000000000228580: 0000000003AFA8AC (device_scheduler::execute_timers()+0x00fc)
  0000000000228640: 0000000002D2971E (device_scheduler::timeslice()+0x05ac)
  0000000000228710: 0000000002D9A444 (running_machine::run(bool)+0x02b0)
  000000000022F4F0: 0000000002DA8E5A (machine_manager::execute()+0x01f8)
  000000000022F750: 0000000002E2CD7F (cli_frontend::execute(int, char**)+0x085f)
  000000000022FDF0: 000000000209B0D9 (utf8_main(int, char**)+0x020d)
  000000000022FE50: 0000000003131169 (wmain+0x00b9)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000076A25A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 0000000076EBBA01 (RtlUserThreadStart+0x0021)
```
No.14592
Firewave Senior Tester
Dec 31, 2017, 23:42
Still happening in 0.193

```
==118824==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f47f703d800 at pc 0x000004a6ffd0 bp 0x7ffffdfbfce0 sp 0x7ffffdfbfcd8
READ of size 1 at 0x7f47f703d800 thread T0
    #0 0x4a6ffcf in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:1499:35
    #1 0x4a67c74 in taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:2537:3
    #2 0x4a6a61f in taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:3204:2
    #3 0xe7ac0e2 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #4 0xe7ac0e2 in screen_device::update_partial(int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1220
    #5 0xe833c67 in video_manager::finish_screen_updates() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:694:10
    #6 0xe8332a0 in video_manager::frame_update(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:208:27
    #7 0xe7aa719 in screen_device::vblank_begin() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1524:21
    #8 0xe7a9c7c in screen_device::device_timer(emu_timer&, unsigned int, int, void*) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:997:4
    #9 0xe795168 in timer_expired /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.h:520:83
    #10 0xe795168 in device_scheduler::execute_timers() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:906
    #11 0xe78ea0f in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:530:2
    #12 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17
    #13 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #14 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #15 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #16 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #17 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #18 0x7f481d3e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x1431838 in _start (/mnt/mame/mame64+0x1431838)

0x7f47f703d800 is located 0 bytes to the right of 262144-byte region [0x7f47f6ffd800,0x7f47f703d800)
allocated by thread T0 here:
    #0 0x14fd8a2 in operator new[](unsigned long) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:95:3
    #1 0xf13f7e6 in bitmap_t::allocate(int, int, int, int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/bitmap.cpp:210:16
    #2 0xe7ebb97 in tilemap_t::init(tilemap_manager&, device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, device_delegate<unsigned int (unsigned int, unsigned int, unsigned int, unsigned int)>, unsigned short, unsigned short, unsigned int, unsigned int) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/tilemap.cpp:395:13
    #3 0xe7f204a in tilemap_manager::create(device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, tilemap_standard_mapper, unsigned short, unsigned short, unsigned int, unsigned int, tilemap_t*) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/tilemap.cpp:1564:67
    #4 0x4a56aad in taito_f3_state::video_start_f3() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:636:38
    #5 0xe1f1018 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #6 0xe1f1018 in driver_device::device_start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/driver.cpp:223
    #7 0xe0e345d in device_t::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.cpp:489:2
    #8 0xe6a1f65 in running_machine::start_all_devices() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:1040:13
    #9 0xe6a005d in running_machine::start() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:265:2
    #10 0xe6a2a41 in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:310:3
    #11 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #12 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #13 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #14 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #15 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #16 0x7f481d3e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/video/taito_f3.cpp:1499:35 in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)
```
No.20776
Firewave Senior Tester
Nov 5, 2022, 18:02
edited on: Nov 10, 2022, 10:47

This appears to trigger a different issue now by default (i.e. -video bgfx) - filed https://mametesters.org/view.php?id=8512 about it. No ASAN error using 0.249 on Linux with non-bgfx "-video none", "-video soft" or "-video opengl" backends.