Viewing Issue Advanced Details
ID: 07556
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Feb 1, 2020, 22:08
Last Update: Oct 30, 2021, 21:57
Tester: kmg
View Status: Public
Platform: MAME (Self-compiled)
Assigned To: AmatCoder
Resolution: Fixed
OS: MacOS X
Status: Resolved
Driver: snes.cpp
Version: 0.217
Fixed in Version: 0.238
Build: 64-bit
Fixed in Git Commit: 41a8033
Github Pull Request #:
Summary: MESS-specific 07556: snes, snespal [ctrigger and clones]: chrono trigger consistently causes segfault
Description: Game always crashes upon entering any battle as the in-game windows with enemy name, etc. are popping up.
Steps To Reproduce: Enter any battle in game. Or can even be seen by waiting 70 seconds or so while watching the opening montage. Game crashes in montage fight with "Flea".
Additional Information:
Github Commit:
Flags:
Regression Version:
Affected Sets / Systems: snes, snespal [ctrigger and clones]
Attached Files:
Relationships
related to 07503 (Confirmed): snes, snespal: Assorted titles crash upon launch
Notes
No.17382
Firewave
Senior Tester
Feb 2, 2020, 10:03
edited on: Feb 2, 2020, 10:35
snespal -cart ctrigger
=================================================================
==21728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x4af51180 at pc 0x05cb0e44 bp 0x166fb3fc sp 0x166fb3f0
WRITE of size 4 at 0x4af51180 thread T0
    #0 0x5cb0e43 in screen_device::create_composited_bitmap s:\dev\mame0217\src\emu\screen.cpp:1741
    #1 0x5cb9441 in screen_device::update_quads s:\dev\mame0217\src\emu\screen.cpp:1768
    #2 0x6146b76 in video_manager::finish_screen_updates s:\dev\mame0217\src\emu\video.cpp:863
    #3 0x614709d in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:217
    #4 0x5cb99d2 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660
    #5 0x5cb1cf5 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959
    #6 0x5fa7a0d in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #7 0x5fa80ac in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #8 0x5fab12e in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #9 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #10 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #11 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #12 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #13 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #14 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #15 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #16 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #17 0x76f17b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #18 0x76f17b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x4af51180 is located 0 bytes to the right of 1702272-byte region [0x4adb1800,0x4af51180)
allocated by thread T0 here:
    #0 0xc728bd in operator new[] D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:102
    #1 0x1c80fcb in bitmap_t::allocate s:\dev\mame0217\src\lib\util\bitmap.cpp:249
    #2 0x1c819a7 in bitmap_t::resize s:\dev\mame0217\src\lib\util\bitmap.cpp:289
    #3 0x5cb4f3a in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1129
    #4 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024
    #5 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)
    #6 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)
    #7 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)
    #8 0x1b90284 in snes_console_state::snes21_hi_w+0x94 (s:\dev\mame0217\mame.exe+0x1bd0284)
    #9 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)
    #10 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140
    #11 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52
    #12 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610
    #13 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630
    #14 0x1bcaeb3 in snes_state::dma_transfer+0x163 (s:\dev\mame0217\mame.exe+0x1c0aeb3)
    #15 0x1bcb252 in snes_state::hdma+0x2d2 (s:\dev\mame0217\mame.exe+0x1c0b252)
    #16 0x1bcd106 in snes_state::snes_hblank_tick+0xb6 (s:\dev\mame0217\mame.exe+0x1c0d106)
    #17 0x1bc9c3a in snes_state::device_timer+0x18a (s:\dev\mame0217\mame.exe+0x1c09c3a)
    #18 0x5fa7a0d in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #19 0x5fa80ac in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #20 0x5fab12e in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #21 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #22 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #23 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #24 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #25 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #26 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #27 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\emu\screen.cpp:1741 in screen_device::create_composited_bitmap
Shadow bytes around the buggy address:
  0x395ea1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x395ea230:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==21728==ABORTING