Viewing Issue Advanced Details
Jump to Notes ]
snes.cpp
ID Category [?] Severity [?] Reproducibility Date Submitted Last Update
07503 Crash/Freeze Critical (emulator) Always Nov 27, 2019, 09:38 16 days ago
Tester Robbbert View Status Public Platform MAME (Self-compiled)
Assigned To Resolution Open OS Windows Vista/7/8 (64-bit)
Status [?] Confirmed Driver snes.cpp
Version 0.216 Fixed in Version Build 64-bit
Fixed in Git Commit Github Pull Request #
Summary MESS-specific 07503: snes, snespal: Assorted titles crash upon launch
Description The following sets crash Mame, with a dump usually consisting of '--------------------------'.

aryol, bluesb, bluesbu, nipachim, ranmagek, tecmonbaj, tecmonbaja, tecmonbau, tecmonbaup, yuyu, yuyua.


Mariopnt, mariopntu produce a black screen and a continual tone at startup.


In 0.209, these games all worked, except for mariopnt(u), which produced a black screen with a tune.
Steps To Reproduce these sets are all in the software list, so

>mame64 snes <item-name>
or
>mame64 snespal <item-name>

will suffice.
Additional Information Some sets show other bugs before the crash occurs.

bluesb, bluesbu - the title screen is squashed into the top half.

ranmagek - (snes) the screen is squashed into the top half, and duplicated in the bottom half. (snespal) crashes at start.

yuyu - the screen bounces slightly up and down before crashing.

This is the only dump I was able to get:
C:\MAME>mame snespal ranmagek

-----------------------------------------------------
Exception at EIP=0000000005981255 (screen_device::create_composited_bitmap()+0x0195): ACCESS VIOLATION
While attempting to write memory at 00000000249d0000
-----------------------------------------------------
RAX=0000000000004000 RBX=000000000000026f RCX=0000000012012e40 RDX=0000000000000000
RSI=00000000000002aa RDI=000000001ce54760 RBP=0000000000000270 RSP=0000000000228f48
 R8=00000000010ec000 R9=0000000000000000 R10=00000000249d0004 R11=0000000001550000
R12=0000000012013538 R13=000000000ddeee30 R14=00000000000000b0 R15=000000000dabdff0
-----------------------------------------------------
Stack crawl:
  0000000000228f80: 0000000005981255 (screen_device::create_composited_bitmap()+0x0195)
  0000000000228fd0: 0000000005981468 (screen_device::update_quads()+0x01d8)
  0000000000229050: 00000000059b7f7a (video_manager::finish_screen_updates()+0x019a)
  00000000002290d0: 00000000059b94e8 (video_manager::frame_update(bool)+0x0158)
  0000000000229130: 0000000005980df7 (screen_device::vblank_begin()+0x01e7)
  00000000002291a0: 0000000005984835 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x0175)
  00000000002291e0: 0000000005978dda (emu_timer::device_timer_expired(emu_timer&, void*, int)+0x002a)
  0000000000229270: 000000000597c5ca (device_scheduler::timeslice()+0x015a)
  00000000002293e0: 0000000005934e38 (running_machine::run(bool)+0x0288)
  000000000022f090: 0000000003cb5710 (mame_machine_manager::execute()+0x01e0)
  000000000022f350: 0000000003d2c8f7 (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::c
har_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > c
onst&)+0x01b7)
  000000000022f640: 0000000003d2ccb6 (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocato
r<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0056)
  000000000022f6a0: 0000000003cb34c7 (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
> > >&)+0x0027)
  000000000022fe50: 000000000a0f3037 (main+0x0187)
  000000000022ff20: 00000000004013a5 (__tmainCRTStartup+0x0225)
  000000000022ff50: 000000000040150b (mainCRTStartup+0x001b)
  000000000022ff80: 0000000076e3556d (BaseThreadInitThunk+0x000d)
  000000000022ffd0: 0000000076f9385d (RtlUserThreadStart+0x001d)
Github Commit
Flags
Regression Version
Affected Sets / Systems snes, snespal
Attached Files
? file icon 07503.diff (543 bytes) Mar 19, 2020, 06:18 Uploaded by AmatCoder
[Show Content]
Relationships
related to 07556Confirmed  snes, snespal [ctrigger and clones]: chrono trigger consistently causes segfault 
Notes
4
User avatar
No.17383
Firewave
Senior Tester
Feb 2, 2020, 10:06
edited on: Feb 2, 2020, 10:35
 snespal -cart ranmagek
==21176==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x46151180 at pc 0x05cb0e44 bp 0x166fb79c sp 0x166fb790

WRITE of size 4 at 0x46151180 thread T0

    #0 0x5cb0e43 in screen_device::create_composited_bitmap s:\dev\mame0217\src\emu\screen.cpp:1741

    #1 0x5cb9441 in screen_device::update_quads s:\dev\mame0217\src\emu\screen.cpp:1768

    #2 0x6146b76 in video_manager::finish_screen_updates s:\dev\mame0217\src\emu\video.cpp:863

    #3 0x614709d in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:217

    #4 0x5cb99d2 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660

    #5 0x5cb1cf5 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959

    #6 0x5fa7a0d in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317

    #7 0x5fa80ac in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907

    #8 0x5fab12e in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544

    #9 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372

    #10 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261

    #11 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267

    #12 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283

    #13 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392

    #14 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323

    #15 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

    #16 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)

    #17 0x76f17b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)

    #18 0x76f17b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)



0x46151180 is located 0 bytes to the right of 1702272-byte region [0x45fb1800,0x46151180)

allocated by thread T0 here:

    #0 0xc728bd in operator new[] D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:102

    #1 0x1c80fcb in bitmap_t::allocate s:\dev\mame0217\src\lib\util\bitmap.cpp:249

    #2 0x1c819a7 in bitmap_t::resize s:\dev\mame0217\src\lib\util\bitmap.cpp:289

    #3 0x5cb4f3a in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1129

    #4 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024

    #5 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)

    #6 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)

    #7 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)

    #8 0x1b8f70a in snes_console_state::snes20_hi_w+0x38a (s:\dev\mame0217\mame.exe+0x1bcf70a)

    #9 0x1b8feab in snes_console_state::snes20_lo_w+0x9b (s:\dev\mame0217\mame.exe+0x1bcfeab)

    #10 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)

    #11 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140

    #12 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52

    #13 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610

    #14 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630

    #15 0x7bc8c56 in g65816_device::g65816i_write_8_normal+0xe6 (s:\dev\mame0217\mame.exe+0x7c08c56)

    #16 0x8e49cbf in g65816_device::g65816i_8d_E+0xdf (s:\dev\mame0217\mame.exe+0x8e89cbf)

    #17 0x8e53315 in g65816_device::g65816i_execute_M1X1+0x335 (s:\dev\mame0217\mame.exe+0x8e93315)

    #18 0x7bc6063 in g65816_device::execute_run+0x53 (s:\dev\mame0217\mame.exe+0x7c06063)

    #19 0x5faacb7 in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:495

    #20 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372

    #21 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261

    #22 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267

    #23 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283

    #24 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392

    #25 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323

    #26 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

    #27 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)



SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\emu\screen.cpp:1741 in screen_device::create_composited_bitmap

Shadow bytes around the buggy address:

  0x38c2a1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x38c2a1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x38c2a200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x38c2a210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x38c2a220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x38c2a230:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x38c2a240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x38c2a250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x38c2a260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x38c2a270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x38c2a280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==21176==ABORTING

snespal -cart aryol
==20324==ERROR: AddressSanitizer: negative-size-param: (size=-4)

    #0 0xc622a8 in __asan_wrap_memmove D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:784

    #1 0x5caf437 in screen_device::allocate_scan_bitmaps s:\dev\mame0217\src\emu\screen.cpp:666

    #2 0x5cb50c2 in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1140

    #3 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024

    #4 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)

    #5 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)

    #6 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)

    #7 0x1b8f70a in snes_console_state::snes20_hi_w+0x38a (s:\dev\mame0217\mame.exe+0x1bcf70a)

    #8 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)

    #9 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140

    #10 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52

    #11 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610

    #12 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630

    #13 0x7bc8c56 in g65816_device::g65816i_write_8_normal+0xe6 (s:\dev\mame0217\mame.exe+0x7c08c56)

    #14 0x8e49cbf in g65816_device::g65816i_8d_E+0xdf (s:\dev\mame0217\mame.exe+0x8e89cbf)

    #15 0x8e53315 in g65816_device::g65816i_execute_M1X1+0x335 (s:\dev\mame0217\mame.exe+0x8e93315)

    #16 0x7bc6063 in g65816_device::execute_run+0x53 (s:\dev\mame0217\mame.exe+0x7c06063)

    #17 0x5faacb7 in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:495

    #18 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372

    #19 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261

    #20 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267

    #21 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283

    #22 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392

    #23 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323

    #24 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

    #25 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)

    #26 0x76f17b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)

    #27 0x76f17b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)



0x462cf7d4 is located 1876 bytes inside of 2844-byte region [0x462cf080,0x462cfb9c)

allocated by thread T0 here:

    #0 0xc724cd in operator new D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:99

    #1 0xc781f1 in std::_Allocate<8,std::_Default_allocate_traits,0>+0x71 (s:\dev\mame0217\mame.exe+0xcb81f1)

    #2 0x5c15f5b in std::vector<char32_t,std::allocator<char32_t> >::_Emplace_reallocate<char32_t const &> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\vector:745

    #3 0x5caf331 in screen_device::allocate_scan_bitmaps s:\dev\mame0217\src\emu\screen.cpp:651

    #4 0x5cb50c2 in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1140

    #5 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024

    #6 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)

    #7 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)

    #8 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)

    #9 0x1b8f70a in snes_console_state::snes20_hi_w+0x38a (s:\dev\mame0217\mame.exe+0x1bcf70a)

    #10 0x1b8feab in snes_console_state::snes20_lo_w+0x9b (s:\dev\mame0217\mame.exe+0x1bcfeab)

    #11 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)

    #12 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140

    #13 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52

    #14 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610

    #15 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630

    #16 0x7bc8c56 in g65816_device::g65816i_write_8_normal+0xe6 (s:\dev\mame0217\mame.exe+0x7c08c56)

    #17 0x8e4a843 in g65816_device::g65816i_9f_E+0xe3 (s:\dev\mame0217\mame.exe+0x8e8a843)

    #18 0x8e501b5 in g65816_device::g65816i_execute_M1X0+0x335 (s:\dev\mame0217\mame.exe+0x8e901b5)

    #19 0x7bc6063 in g65816_device::execute_run+0x53 (s:\dev\mame0217\mame.exe+0x7c06063)

    #20 0x5faacb7 in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:495

    #21 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372

    #22 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261

    #23 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267

    #24 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283

    #25 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392

    #26 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323

    #27 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288



SUMMARY: AddressSanitizer: negative-size-param D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:784 in __asan_wrap_memmove

==20324==ABORTING
User avatar
No.17490
Robbbert
Developer
Mar 16, 2020, 00:51
 Is the failure commit and version known?

If it's related to 7593, can they be joined in a relationship?
User avatar
No.17494
AmatCoder
Tester
Mar 19, 2020, 06:37
 It is not related to 07593.

Into "allocate_scan_bitmaps()" function you are removing elements from "m_scan_bitmaps" vector which changes the size. This lead to accessing elements beyond your list.

I have uploaded a diff file just as an example of how to fix it.
User avatar
No.19231
thankyoumame
Tester
16 days ago
 Please test smashten too. MAME crashes when I try to launch it.