Viewing Issue Advanced Details
ID: 07503
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Nov 27, 2019, 09:38
Last Update: Oct 31, 2021, 12:42
Tester: Robbbert
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Open
OS: Windows Vista/7/8 (64-bit)
Status: Confirmed
Driver: snes.cpp
Version: 0.216
Fixed in Version:
Build: 64-bit
Fixed in Git Commit:
Github Pull Request #:
Summary: MESS-specific 07503: snes, snespal: Assorted titles crash upon launch
Description: The following sets crash MAME, with a dump usually consisting of '--------------------------'.

aryol, bluesb, bluesbu, nipachim, ranmagek, tecmonbaj, tecmonbaja, tecmonbau, tecmonbaup, yuyu, yuyua.

mariopnt, mariopntu produce a black screen and a continual tone at startup.

In 0.209, these games all worked, except for mariopnt(u), which produced a black screen with a tune.
Steps To Reproduce: These sets are all in the software list, so

>mame64 snes <item-name>
or
>mame64 snespal <item-name>

will suffice.
Additional Information: Some sets show other bugs before the crash occurs.

bluesb, bluesbu - the title screen is squashed into the top half.

ranmagek - (snes) the screen is squashed into the top half, and duplicated in the bottom half. (snespal) crashes at start.

yuyu - the screen bounces slightly up and down before crashing.

This is the only dump I was able to get:
C:\MAME>mame snespal ranmagek

-----------------------------------------------------
Exception at EIP=0000000005981255 (screen_device::create_composited_bitmap()+0x0195): ACCESS VIOLATION
While attempting to write memory at 00000000249d0000
-----------------------------------------------------
RAX=0000000000004000 RBX=000000000000026f RCX=0000000012012e40 RDX=0000000000000000
RSI=00000000000002aa RDI=000000001ce54760 RBP=0000000000000270 RSP=0000000000228f48
 R8=00000000010ec000 R9=0000000000000000 R10=00000000249d0004 R11=0000000001550000
R12=0000000012013538 R13=000000000ddeee30 R14=00000000000000b0 R15=000000000dabdff0
-----------------------------------------------------
Stack crawl:
  0000000000228f80: 0000000005981255 (screen_device::create_composited_bitmap()+0x0195)
  0000000000228fd0: 0000000005981468 (screen_device::update_quads()+0x01d8)
  0000000000229050: 00000000059b7f7a (video_manager::finish_screen_updates()+0x019a)
  00000000002290d0: 00000000059b94e8 (video_manager::frame_update(bool)+0x0158)
  0000000000229130: 0000000005980df7 (screen_device::vblank_begin()+0x01e7)
  00000000002291a0: 0000000005984835 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x0175)
  00000000002291e0: 0000000005978dda (emu_timer::device_timer_expired(emu_timer&, void*, int)+0x002a)
  0000000000229270: 000000000597c5ca (device_scheduler::timeslice()+0x015a)
  00000000002293e0: 0000000005934e38 (running_machine::run(bool)+0x0288)
  000000000022f090: 0000000003cb5710 (mame_machine_manager::execute()+0x01e0)
  000000000022f350: 0000000003d2c8f7 (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x01b7)
  000000000022f640: 0000000003d2ccb6 (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0056)
  000000000022f6a0: 0000000003cb34c7 (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0027)
  000000000022fe50: 000000000a0f3037 (main+0x0187)
  000000000022ff20: 00000000004013a5 (__tmainCRTStartup+0x0225)
  000000000022ff50: 000000000040150b (mainCRTStartup+0x001b)
  000000000022ff80: 0000000076e3556d (BaseThreadInitThunk+0x000d)
  000000000022ffd0: 0000000076f9385d (RtlUserThreadStart+0x001d)
Github Commit:
Flags:
Regression Version:
Affected Sets / Systems: snes, snespal
Attached Files: 07503.diff (543 bytes), Mar 19, 2020, 06:18, uploaded by AmatCoder
Relationships: related to 07556 (Resolved, AmatCoder): snes, snespal [ctrigger and clones]: chrono trigger consistently causes segfault
Notes (6)
Note No.17383 by Firewave (Senior Tester), Feb 2, 2020, 10:06, edited on: Feb 2, 2020, 10:35
snespal -cart ranmagek
==21176==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x46151180 at pc 0x05cb0e44 bp 0x166fb79c sp 0x166fb790
WRITE of size 4 at 0x46151180 thread T0
    #0 0x5cb0e43 in screen_device::create_composited_bitmap s:\dev\mame0217\src\emu\screen.cpp:1741
    #1 0x5cb9441 in screen_device::update_quads s:\dev\mame0217\src\emu\screen.cpp:1768
    #2 0x6146b76 in video_manager::finish_screen_updates s:\dev\mame0217\src\emu\video.cpp:863
    #3 0x614709d in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:217
    #4 0x5cb99d2 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660
    #5 0x5cb1cf5 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959
    #6 0x5fa7a0d in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #7 0x5fa80ac in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #8 0x5fab12e in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #9 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #10 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #11 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #12 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #13 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #14 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #15 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #16 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #17 0x76f17b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #18 0x76f17b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x46151180 is located 0 bytes to the right of 1702272-byte region [0x45fb1800,0x46151180)
allocated by thread T0 here:
    #0 0xc728bd in operator new[] D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:102
    #1 0x1c80fcb in bitmap_t::allocate s:\dev\mame0217\src\lib\util\bitmap.cpp:249
    #2 0x1c819a7 in bitmap_t::resize s:\dev\mame0217\src\lib\util\bitmap.cpp:289
    #3 0x5cb4f3a in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1129
    #4 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024
    #5 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)
    #6 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)
    #7 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)
    #8 0x1b8f70a in snes_console_state::snes20_hi_w+0x38a (s:\dev\mame0217\mame.exe+0x1bcf70a)
    #9 0x1b8feab in snes_console_state::snes20_lo_w+0x9b (s:\dev\mame0217\mame.exe+0x1bcfeab)
    #10 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)
    #11 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140
    #12 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52
    #13 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610
    #14 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630
    #15 0x7bc8c56 in g65816_device::g65816i_write_8_normal+0xe6 (s:\dev\mame0217\mame.exe+0x7c08c56)
    #16 0x8e49cbf in g65816_device::g65816i_8d_E+0xdf (s:\dev\mame0217\mame.exe+0x8e89cbf)
    #17 0x8e53315 in g65816_device::g65816i_execute_M1X1+0x335 (s:\dev\mame0217\mame.exe+0x8e93315)
    #18 0x7bc6063 in g65816_device::execute_run+0x53 (s:\dev\mame0217\mame.exe+0x7c06063)
    #19 0x5faacb7 in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:495
    #20 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #21 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #22 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #23 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #24 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #25 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #26 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #27 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)

SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\emu\screen.cpp:1741 in screen_device::create_composited_bitmap
==21176==ABORTING

snespal -cart aryol
==20324==ERROR: AddressSanitizer: negative-size-param: (size=-4)
    #0 0xc622a8 in __asan_wrap_memmove D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:784
    #1 0x5caf437 in screen_device::allocate_scan_bitmaps s:\dev\mame0217\src\emu\screen.cpp:666
    #2 0x5cb50c2 in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1140
    #3 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024
    #4 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)
    #5 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)
    #6 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)
    #7 0x1b8f70a in snes_console_state::snes20_hi_w+0x38a (s:\dev\mame0217\mame.exe+0x1bcf70a)
    #8 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)
    #9 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140
    #10 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52
    #11 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610
    #12 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630
    #13 0x7bc8c56 in g65816_device::g65816i_write_8_normal+0xe6 (s:\dev\mame0217\mame.exe+0x7c08c56)
    #14 0x8e49cbf in g65816_device::g65816i_8d_E+0xdf (s:\dev\mame0217\mame.exe+0x8e89cbf)
    #15 0x8e53315 in g65816_device::g65816i_execute_M1X1+0x335 (s:\dev\mame0217\mame.exe+0x8e93315)
    #16 0x7bc6063 in g65816_device::execute_run+0x53 (s:\dev\mame0217\mame.exe+0x7c06063)
    #17 0x5faacb7 in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:495
    #18 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #19 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #20 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #21 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #22 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #23 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #24 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #25 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #26 0x76f17b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #27 0x76f17b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x462cf7d4 is located 1876 bytes inside of 2844-byte region [0x462cf080,0x462cfb9c)
allocated by thread T0 here:
    #0 0xc724cd in operator new D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:99
    #1 0xc781f1 in std::_Allocate<8,std::_Default_allocate_traits,0>+0x71 (s:\dev\mame0217\mame.exe+0xcb81f1)
    #2 0x5c15f5b in std::vector<char32_t,std::allocator<char32_t> >::_Emplace_reallocate<char32_t const &> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\vector:745
    #3 0x5caf331 in screen_device::allocate_scan_bitmaps s:\dev\mame0217\src\emu\screen.cpp:651
    #4 0x5cb50c2 in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1140
    #5 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024
    #6 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)
    #7 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)
    #8 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)
    #9 0x1b8f70a in snes_console_state::snes20_hi_w+0x38a (s:\dev\mame0217\mame.exe+0x1bcf70a)
    #10 0x1b8feab in snes_console_state::snes20_lo_w+0x9b (s:\dev\mame0217\mame.exe+0x1bcfeab)
    #11 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)
    #12 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140
    #13 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52
    #14 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610
    #15 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630
    #16 0x7bc8c56 in g65816_device::g65816i_write_8_normal+0xe6 (s:\dev\mame0217\mame.exe+0x7c08c56)
    #17 0x8e4a843 in g65816_device::g65816i_9f_E+0xe3 (s:\dev\mame0217\mame.exe+0x8e8a843)
    #18 0x8e501b5 in g65816_device::g65816i_execute_M1X0+0x335 (s:\dev\mame0217\mame.exe+0x8e901b5)
    #19 0x7bc6063 in g65816_device::execute_run+0x53 (s:\dev\mame0217\mame.exe+0x7c06063)
    #20 0x5faacb7 in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:495
    #21 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #22 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #23 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #24 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #25 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #26 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #27 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

SUMMARY: AddressSanitizer: negative-size-param D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:784 in __asan_wrap_memmove
==20324==ABORTING
Note No.17490 by Robbbert (Developer), Mar 16, 2020, 00:51
Is the failure commit and version known?

If it's related to 7593, can they be joined in a relationship?
Note No.17494 by AmatCoder (Tester), Mar 19, 2020, 06:37
It is not related to 07593.

In the "allocate_scan_bitmaps()" function you are removing elements from the "m_scan_bitmaps" vector, which changes its size. This leads to accessing elements beyond your list.

I have uploaded a diff file just as an example of how to fix it.
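The vector-shrinking pattern this note describes, as an added C++ illustration: this is constructed example code, not MAME's screen.cpp or the attached 07503.diff, and `ScanBitmap`, `ScanList`, the two shrink functions and the 262-to-224 scanline counts are invented stand-ins and sample values.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Constructed stand-in for a per-scanline bitmap; MAME's real type is bitmap_t.
struct ScanBitmap {
    int width;
    explicit ScanBitmap(int w) : width(w) {}
};
using ScanList = std::vector<std::unique_ptr<ScanBitmap>>;

// Build `count` scanline bitmaps of the given width (sample data for the demo).
ScanList make_scanlines(std::size_t count, int width) {
    ScanList scans;
    for (std::size_t y = 0; y < count; y++)
        scans.push_back(std::make_unique<ScanBitmap>(width));
    return scans;
}

// Unsafe pattern: drop the surplus scanlines one erase at a time while the loop
// bound is the height captured BEFORE the first erase. Each erase shifts the
// tail left and shrinks the vector, so later indexes run past the end.
// Instrumented to count those out-of-range indexes instead of dereferencing
// them; un-instrumented code would read past the buffer or crash here.
std::size_t shrink_unsafe(ScanList& scans, std::size_t new_height) {
    std::size_t out_of_range = 0;
    const std::size_t old_height = scans.size();  // stale after the first erase
    for (std::size_t y = new_height; y < old_height; y++) {
        if (y >= scans.size()) {                  // index no longer valid
            out_of_range++;
            continue;
        }
        scans.erase(scans.begin() + static_cast<std::ptrdiff_t>(y));
    }
    return out_of_range;
}

// Safe pattern: erase the whole surplus range in one call (or call resize()),
// so no loop indexes against a size that changed underneath it.
// Returns the number of out-of-range indexes, which is always zero.
std::size_t shrink_safe(ScanList& scans, std::size_t new_height) {
    if (new_height < scans.size())
        scans.erase(scans.begin() + static_cast<std::ptrdiff_t>(new_height), scans.end());
    return 0;
}

// Assumed sample values: a screen switching from 262 to 224 scanlines.
int main() {
    ScanList a = make_scanlines(262, 256);
    std::size_t bad = shrink_unsafe(a, 224);  // 19 out-of-range indexes, 243 entries left
    ScanList b = make_scanlines(262, 256);
    shrink_safe(b, 224);                      // 0 out-of-range indexes, 224 entries left
    return (bad > 0 && a.size() == 243 && b.size() == 224) ? 0 : 1;
}
```

Besides the out-of-range indexes, the unsafe loop stops short of its target (243 entries remain instead of 224), so the vector and the height the caller believes it has no longer agree.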
Note No.19231 by thankyoumame (Tester), Sep 6, 2021, 01:24
Please test smashten too. MAME crashes when I try to launch it.
Note No.19390 by hap (Developer), Oct 29, 2021, 14:14
Amat's crash fix is applied here: https://github.com/mamedev/mame/commit/41a80334ce442a42b4f62d64713534d9ad722145

Are the gfx bugs in "Additional Information" part of this bug report?
If not, this bug can be set to resolved.
Note No.19408 by Robbbert (Developer), Oct 31, 2021, 12:42
Tested all these games. All crashes have been fixed. Some other issues remain though.

bluesb, bluesbu - the title screen is squashed into the top half.

ranmagek - the screen is squashed into the top half, and duplicated in the bottom half.

mariopnt, mariopntu - play a short tune followed by a tone - appears to have hung.

These matters can be put into a new report if you think it would be better.