Viewing Issue Advanced Details
ID: 05878
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Mar 11, 2015, 17:22
Last Update: Jan 3, 2018, 16:14
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Resolution: No change required
Status: Closed
Version: 0.159
Build: Debug
Summary: 05878: AddressSanitizer: stack-buffer-underflow with -video bgfx
Description
Happened with ubuntu 14.04.2 64-bit and clang 3.6.0 using VirtualBox 4.3.24.

"-video soft" - works fine
"-video opengl" - doesn't give an error and the X cursor is shown, but nothing is being drawn at all

==1721==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f36ed0963e0 at pc 0x000000eafe23 bp 0x7f36ed095c00 sp 0x7f36ed0953b8
READ of size 1024 at 0x7f36ed0963e0 thread T11
    #0 0xeafe22 in memcpy /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:480:3
    #1 0x7f36f7090d6c  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0xf5d6c)
    #2 0x7f36f70966ec  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0xfb6ec)
    #3 0x7f36f70969c1  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0xfb9c1)
    #4 0x7f36f70ede59  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x152e59)
    #5 0x7f36f70ee8e2  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1538e2)
    #6 0x7f36f7084068  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0xe9068)
    #7 0x7f36f70853cf  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0xea3cf)
    #8 0x66fe8de in bgfx::isTextureFormatValid(bgfx::TextureFormat::Enum) /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:896:4
    #9 0x6715ef3 in bgfx::RendererContextGL::init() /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:1247:41
    #10 0x66feace in bgfx::rendererCreateGL() /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:2574:3
    #11 0x66bc62e in bgfx::rendererCreate(bgfx::RendererType::Enum) /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:1490:33
    #12 0x66bc62e in bgfx::Context::rendererExecCommands(bgfx::CommandBuffer&) /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:1526
    #13 0x66b3f36 in bgfx::Context::renderFrame() /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:1219:3
    #14 0x66d4da7 in bgfx::Context::renderThread(void*) /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:1916:12
    #15 0x66eccf2 in bx::Thread::entry() /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:146:11
    #16 0x66eccf2 in bx::Thread::threadFunc(void*) /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:165
    #17 0x7f3704a1a181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #18 0x7f370160a47c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)

Address 0x7f36ed0963e0 is located in stack of thread T11 at offset 0 in frame
    #0 0x66fe69f in bgfx::isTextureFormatValid(bgfx::TextureFormat::Enum) /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:876

  This frame has 1 object(s):
    [32, 36) 'id' <== Memory access at offset 0 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T11 created by T10 here:
    #0 0xead900 in __interceptor_pthread_create /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:222:3
    #1 0x66b48d3 in bx::Thread::init(int (*)(void*), void*, unsigned int) /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:100:13
    #2 0x66b48d3 in bgfx::Context::init(bgfx::RendererType::Enum) /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:964
    #3 0x66c0ada in bgfx::init(bgfx::RendererType::Enum, bgfx::CallbackI*, bx::ReallocatorI*) /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:2023:3
    #4 0x2f97999 in renderer_bgfx::create() /home/notroot/trunk/src/osd/modules/render/drawbgfx.c:168:2
    #5 0x2f2180d in sdl_window_info::complete_create_wt(void*, int) /home/notroot/trunk/src/osd/sdl/window.c:1265:6
    #6 0x676a0ad in worker_thread_process(osd_work_queue*, work_thread_info*) /home/notroot/trunk/src/osd/modules/sync/work_osd.c:744:21
    #7 0x67693da in worker_thread_entry(void*) /home/notroot/trunk/src/osd/modules/sync/work_osd.c:668:4
    #8 0x7f3704a1a181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T10 created by T0 here:
    #0 0xead900 in __interceptor_pthread_create /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:222:3
    #1 0x676767a in osd_thread_create(void* (*)(void*), void*) /home/notroot/trunk/src/osd/modules/sync/sync_tc.c:320:7
    #2 0x6768f27 in osd_work_queue_alloc(int) /home/notroot/trunk/src/osd/modules/sync/work_osd.c:241:20
    #3 0x2f1f16d in sdl_osd_interface::window_init() /home/notroot/trunk/src/osd/sdl/window.c:218:16
    #4 0x2f1c369 in sdl_osd_interface::video_init() /home/notroot/trunk/src/osd/sdl/video.c:103:7
    #5 0x2f28ef5 in osd_common_t::init_subsystems() /home/notroot/trunk/src/osd/modules/lib/osdobj_common.c:511:7
    #6 0x2f12a7d in sdl_osd_interface::init(running_machine&) /home/notroot/trunk/src/osd/sdl/sdlmain.c:611:2
    #7 0x5c060f1 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:231:2
    #8 0x5c09afa in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3
    #9 0x5c02006 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #10 0x5a326ec in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #11 0x2f11e0f in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:290:9
    #12 0x7f3701531ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: stack-buffer-underflow /home/development/llvm/3.6.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:480 memcpy
Shadow bytes around the buggy address:
  0x0fe75da0ac20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75da0ac30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75da0ac40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75da0ac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75da0ac60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe75da0ac70: 00 00 00 00 00 00 00 00 00 00 00 00[f1]f1 f1 f1
  0x0fe75da0ac80: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75da0ac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75da0aca0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 04 f2
  0x0fe75da0acb0: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 04 f2 00 00
  0x0fe75da0acc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Attached Files
virtualbox_bgfx.jpg (52,505 bytes) Mar 12, 2015, 18:22 Uploaded by Firewave
-video bgfx output in VirtualBox with 3D acceleration enabled
Relationships
There are no relationships linked to this issue.
Notes (2)
No.11515 - Firewave (Senior Tester) - Mar 12, 2015, 18:21 (edited on: Mar 12, 2015, 19:04)
"opengl" works with "Enable 3D Acceleration" set in the virtual machine.

Running "bgfx" with UndefinedBehaviorSanitizer gives the errors listed below and weird output (see attachment). Even with "Enable 3D Acceleration" the AddressSanitizer error will still occur.

3rdparty/bgfx/src/bgfx_p.h:930:13: runtime error: index 10 out of bounds for type 'char [8]'
    #0 0x2b96a70 in bgfx::ConstantBuffer::write(void const*, unsigned int) /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:930:5
    #1 0x2b96a70 in bgfx::ConstantBuffer::write(unsigned int) /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:937
    #2 0x2b96a70 in bgfx::ConstantBuffer::finish() /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:972
    #3 0x2b96a70 in bgfx::ProgramGL::init() /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:2960
    #4 0x2b96238 in bgfx::ProgramGL::create(bgfx::ShaderGL const&, bgfx::ShaderGL const&) /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:2754:3
    #5 0x2ba45e5 in bgfx::RendererContextGL::createProgram(bgfx::ProgramHandle, bgfx::ShaderHandle, bgfx::ShaderHandle) /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:1596:4
    #6 0x2b7d6af in bgfx::Context::rendererExecCommands(bgfx::CommandBuffer&) /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:1757:6
    #7 0x2b7b14d in bgfx::Context::renderFrame() /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:1219:3
    #8 0x2b857d7 in bgfx::Context::renderThread(void*) /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:1916:12
    #9 0x2b8f698 in bx::Thread::entry() /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:146:11
    #10 0x2b8f698 in bx::Thread::threadFunc(void*) /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:165
    #11 0x7f53e49f8181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #12 0x7f53e15e847c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)

3rdparty/bgfx/src/bgfx_p.h:943:26: runtime error: index 10 out of bounds for type 'char [8]'
    #0 0x2ba1a37 in bgfx::ConstantBuffer::read(unsigned int) /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:943:25
    #1 0x2ba1a37 in bgfx::ConstantBuffer::read() /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:951
    #2 0x2ba1a37 in bgfx::RendererContextGL::commit(bgfx::ConstantBuffer&) /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:2267
    #3 0x2b9a740 in bgfx::RendererContextGL::submit(bgfx::Frame*, bgfx::ClearQuad&, bgfx::TextVideoMemBlitter&) /home/notroot/trunk/3rdparty/bgfx/src/renderer_gl.cpp:4837:7
    #4 0x2b7b185 in bgfx::Context::renderFrame() /home/notroot/trunk/3rdparty/bgfx/src/bgfx.cpp:1222:4
    #5 0x2b857d7 in bgfx::Context::renderThread(void*) /home/notroot/trunk/3rdparty/bgfx/src/bgfx_p.h:1916:12
    #6 0x2b8f698 in bx::Thread::entry() /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:146:11
    #7 0x2b8f698 in bx::Thread::threadFunc(void*) /home/notroot/trunk/3rdparty/bx/include/bx/thread.h:165
    #8 0x7f53e49f8181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #9 0x7f53e15e847c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)
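As an added illustration (this is the editor's own code, not code from this page or from bgfx), a UBSan report of the form "index 10 out of bounds for type 'char [8]'" is what -fsanitize=bounds produces when a fixed-size trailing array is used as the head of a larger single allocation: the access is inside the malloc'd block but outside the declared array type. The LegacyBuffer layout below is an assumption about that pattern, not a quote of bgfx's ConstantBuffer; VarBuffer shows the same single-allocation design with the payload reached through a pointer past the header and every access bounded by the real capacity, so the sanitizer stays quiet and a genuine overrun is refused rather than written.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

// Assumed cause of the UBSan message above: a fixed 8-byte trailing array
// that is really the start of a larger malloc'd payload. Index 10 is inside
// the allocation but outside the declared type 'char [8]', which is exactly
// what -fsanitize=bounds reports. Shown for reference only; not used below.
struct LegacyBuffer {
    uint32_t m_size;
    uint32_t m_pos;
    char     m_buffer[8];   // allocation is really header + m_size bytes
};

// Same single-allocation layout, but the payload is reached through a pointer
// past the header instead of a fixed array, and every access is bounded by
// the real capacity, so neither UBSan nor a genuine overrun can fire.
class VarBuffer {
public:
    static VarBuffer* create(uint32_t size) {
        void* mem = std::malloc(sizeof(VarBuffer) + size);
        return new (mem) VarBuffer(size);
    }
    static void destroy(VarBuffer* b) { b->~VarBuffer(); std::free(b); }

    // Append n bytes; refuse (and leave the buffer untouched) if they don't fit.
    bool write(const void* data, uint32_t n) {
        if (n > m_size - m_pos) return false;
        std::memcpy(payload() + m_pos, data, n);
        m_pos += n;
        return true;
    }
    // Read n bytes from the cursor with the same capacity check.
    bool read(void* out, uint32_t n) {
        if (n > m_size - m_pos) return false;
        std::memcpy(out, payload() + m_pos, n);
        m_pos += n;
        return true;
    }
    void reset() { m_pos = 0; }   // rewind cursor: write phase -> read phase

private:
    explicit VarBuffer(uint32_t size) : m_size(size), m_pos(0) {}
    char* payload() { return reinterpret_cast<char*>(this + 1); }
    uint32_t m_size;   // capacity of the payload that follows the header
    uint32_t m_pos;    // cursor, shared by write() and read()
};
```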
No.14605 - Firewave (Senior Tester) - Jan 2, 2018, 19:53 (edited on: Jan 2, 2018, 19:58)
The underflow no longer happens with 0.193 on ubuntu 16.04 (although swrast_dri is extremely slow) and I reported the other issue upstream - https://github.com/bkaradzic/bgfx/issues/1307

Also all other video modes work fine. Closing.