Viewing Issue Advanced Details
ID: 08177
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jan 9, 2022, 17:44
Last Update: Nov 15, 2022, 00:25
Tester: Kale
View Status: Public
Platform: MAME (Official Binary)
Assigned To:
Resolution: Open
OS: Windows 10/11 (64-bit)
Status: Confirmed
Driver:
Version: 0.239
Fixed in Version:
Build: 64-bit
Fixed in Git Commit:
Github Pull Request #:
Summary: 08177: wwfroyal: Crashes MAME when entering game test mode
Description: WWF Royal Rumble crashes MAME with a meaningless stack trace when entering game test mode.
It loads for a bit with a black screen, then punts.
Steps To Reproduce: Press F2 when the NAOMI logo appears;
Press '9' until game test mode is highlighted;
Press F2 to enter game test mode, and wait until the game crashes.
Additional Information: It seems to access a bit of the naomi_m2_board::read_callback function before crashing; this isn't consistent (the same NVRAM/.inp doesn't give the same results on different runs) and may not be the culprit.
The stack trace is so meaningless that it may "eat" letters when dumping (e.g. "xptio at P000000010fb9 (ot fo): ACC VAT\nWhi attptig to ra ory at").
Github Commit
Flags
Regression Version
Affected Sets / Systems wwfroyal
Attached Files: 0005.png (3,449 bytes), Jan 9, 2022, 17:45, uploaded by Kale
Relationships
There are no relationships linked to this issue.
Notes (3)
No.19668
Kale
Developer
Jan 9, 2022, 17:44
edited on: Jan 9, 2022, 17:44
Tested back to 0.190, where this still happens.
No.19671
Kale
Developer
Jan 10, 2022, 17:31
edited on: Jan 10, 2022, 17:32
Robbbert managed to find that this crash specifically happens at https://github.com/mamedev/mame/blob/e13b47e557a2c9e7728f6565d6378b623610f414/src/mame/machine/315-5881_crypt.cpp#L961

Specifically, the line_buffer_size check

for(int i=0; i != line_buffer_size;) {

should be a < instead of a !=

We are not sure about how safe it is though ...
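The following is an added example and is not code from MAME or from anyone in this issue: a minimal C model of the loop shape quoted in the note above, with hypothetical names (struct run, line_fill_unsafe, line_fill_safe, run_variant, LINE_BUFFER_SIZE, SLACK) and a constructed input stream. It shows why a `!=` termination test is stepped over when the loop body advances the index by more than one per iteration, and why changing the comparison to `<` on its own is not sufficient when one iteration can write several bytes: the write inside the body also has to be clamped to the space that is left.

```c
/*
 * Added example: a minimal C model of the loop shape quoted in the note
 * above. This is NOT MAME's code; struct run, line_fill_unsafe,
 * line_fill_safe, run_variant, LINE_BUFFER_SIZE and SLACK are hypothetical
 * names, and the input stream is constructed for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUFFER_SIZE 8   /* the buffer the loop is supposed to fill        */
#define SLACK           16   /* bytes placed after it so an overrun is visible */

/* Constructed input: each run emits `len` copies of `value`. */
struct run { uint8_t len; uint8_t value; };

/* Vulnerable shape: the loop ends only when i is *exactly* LINE_BUFFER_SIZE.
 * The body advances i by a whole run, so a run that straddles the end moves
 * i from below the size to above it, the inequality never turns false, and
 * every later byte is written past the buffer. Returns bytes written. */
size_t line_fill_unsafe(uint8_t *lb, const struct run *runs, size_t nruns)
{
    size_t r = 0;
    int i = 0;
    for (; i != LINE_BUFFER_SIZE;) {
        if (r == nruns)
            break;                       /* input exhausted (keeps the demo finite) */
        for (int j = 0; j < runs[r].len; j++)
            lb[i++] = runs[r].value;     /* no bound check: out-of-bounds write here */
        r++;
    }
    return (size_t)i;
}

/* Hardened: `<` instead of `!=`, so an index already past the end stops the
 * loop, AND each run is clamped to the room left. Swapping only the
 * comparison would still let one straddling run write past the end. */
size_t line_fill_safe(uint8_t *lb, const struct run *runs, size_t nruns)
{
    size_t r = 0;
    int i = 0;
    for (; i < LINE_BUFFER_SIZE;) {
        if (r == nruns)
            break;
        int room = LINE_BUFFER_SIZE - i;
        int len = runs[r].len < room ? runs[r].len : room;
        for (int j = 0; j < len; j++)
            lb[i++] = runs[r].value;
        r++;
    }
    return (size_t)i;
}

struct fill_result { size_t written; size_t overflowed; };

/* Run one variant over a constructed stream of 3+3+3+4 = 13 bytes for an
 * 8-byte buffer, then count how many non-zero bytes landed in the slack
 * region (i.e. past LINE_BUFFER_SIZE). */
struct fill_result run_variant(size_t (*fill)(uint8_t *, const struct run *, size_t))
{
    static const struct run input[] = { {3, 0xAA}, {3, 0xBB}, {3, 0xCC}, {4, 0xDD} };
    uint8_t buf[LINE_BUFFER_SIZE + SLACK];
    struct fill_result res = { 0, 0 };

    memset(buf, 0, sizeof buf);
    res.written = fill(buf, input, sizeof input / sizeof input[0]);
    for (size_t k = LINE_BUFFER_SIZE; k < sizeof buf; k++)
        if (buf[k] != 0)
            res.overflowed++;
    return res;
}

int main(void)
{
    struct fill_result u = run_variant(line_fill_unsafe);
    struct fill_result s = run_variant(line_fill_safe);
    printf("!= check: wrote %zu bytes, %zu past the buffer\n", u.written, u.overflowed);
    printf("<  check: wrote %zu bytes, %zu past the buffer\n", s.written, s.overflowed);
    return 0;
}
```

The slack array exists only so the overrun can be counted without undefined behaviour; replace it with a heap allocation of exactly LINE_BUFFER_SIZE bytes and build with -fsanitize=address, and the unsafe variant produces the same kind of heap-buffer-overflow report that Firewave posted below, with the first bad write landing just past the allocated region.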
No.20817
Firewave
Senior Tester
Nov 15, 2022, 00:25
edited on: Nov 16, 2022, 12:21
The set is marked as MNW.

0.249 on Linux reports (the allocation trace is not symbolized since the symbolizer ran out of memory):
==21350==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000645c81 at pc 0x7f1bc0bd635a bp 0x7fffd7025a50 sp 0x7fffd7025a48
WRITE of size 1 at 0x615000645c81 thread T0
    #0 0x7f1bc0bd6359 in sega_315_5881_crypt_device::line_fill() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/sega/315-5881_crypt.cpp:999:18
    #1 0x7f1bc0bd3e6b in sega_315_5881_crypt_device::do_decrypt(unsigned char*&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/sega/315-5881_crypt.cpp:185:4
    #2 0x7f1bc0dc9d5c in naomi_m2_board::board_get_buffer(unsigned char*&, unsigned int&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/sega/naomim2.cpp:149:19
    #3 0x7f1bc0d8092d in naomi_board::rom_data_r() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/mame/sega/naomibd.cpp:155:2
    #4 0x7f1bd4fb8995 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #5 0x7f1bd4fb8995 in std::enable_if<(((std::is_same<emu::device_delegate<unsigned short ()>, emu::device_delegate<unsigned char ()> >::value) || (std::is_same<emu::device_delegate<unsigned short ()>, emu::device_delegate<unsigned short ()> >::value)) || (std::is_same<emu::device_delegate<unsigned short ()>, emu::device_delegate<unsigned int ()> >::value)) || (std::is_same<emu::device_delegate<unsigned short ()>, emu::device_delegate<unsigned long ()> >::value), unsigned short>::type handler_entry_read_delegate<1, -1, emu::device_delegate<unsigned short ()> >::read_impl<emu::device_delegate<unsigned short ()> >(unsigned int, unsigned short) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedp.cpp:65:9
    #6 0x7f1bd4fb88f0 in handler_entry_read_delegate<1, -1, emu::device_delegate<unsigned short ()> >::read(unsigned int, unsigned short) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedp.cpp:70:9
    #7 0x7f1bd9b5b165 in handler_entry_read_units<3, 0>::read(unsigned int, unsigned long) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_heu.cpp:92:74
    #8 0x7f1bd4a10920 in emu::detail::handler_entry_size<3>::uX dispatch_read<0, 3, 0>(unsigned int, unsigned int, emu::detail::handler_entry_size<3>::uX, handler_entry_read<3, 0> const* const*) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1570:47
    #9 0x7f1bd5e9d548 in handler_entry_read_dispatch<14, 3, 0>::read(unsigned int, unsigned long) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedr.ipp:132:9
    #10 0x7f1bd4acd600 in emu::detail::handler_entry_size<3>::uX dispatch_read<1, 3, 0>(unsigned int, unsigned int, emu::detail::handler_entry_size<3>::uX, handler_entry_read<3, 0> const* const*) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1570:47
    #11 0x7f1bd4acd4ad in address_space_specific<1, 3, 0, (util::endianness)0>::read_native(unsigned int, unsigned long) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_aspace.cpp:433:10
    #12 0x7f1bd4a8097f in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_aspace.cpp:454:86
    #13 0x7f1bd4a8097f in memory_read_generic<3, 0, util::endianness::little, 2, true, (lambda at ../../../../../src/emu/emumem_aspace.cpp:454:24)> /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:797:11
    #14 0x7f1bd4a8097f in address_space_specific<1, 3, 0, (util::endianness)0>::read_dword(unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_aspace.cpp:463:125
    #15 0x7f1b73adf515  (/dev/zero+0xe0515)

0x615000645c81 is located 1 bytes to the right of 512-byte region [0x615000645a80,0x615000645c80)
allocated by thread T0 here:
    #0 0x7f1bb439b97d  (/mnt/s/GitHub/mame/mame+0x24e1d97d) (BuildId: 5ea94812d72bae4c)
    #1 0x7f1bc0bd1d7d  (/mnt/s/GitHub/mame/mame+0x31653d7d) (BuildId: 5ea94812d72bae4c)
    #2 0x7f1bd3dc8790  (/mnt/s/GitHub/mame/mame+0x4484a790) (BuildId: 5ea94812d72bae4c)
    #3 0x7f1bda655e5f  (/mnt/s/GitHub/mame/mame+0x4b0d7e5f) (BuildId: 5ea94812d72bae4c)
    #4 0x7f1bda653e34  (/mnt/s/GitHub/mame/mame+0x4b0d5e34) (BuildId: 5ea94812d72bae4c)
    #5 0x7f1bda656c5c  (/mnt/s/GitHub/mame/mame+0x4b0d8c5c) (BuildId: 5ea94812d72bae4c)
    #6 0x7f1bd2766c6f  (/mnt/s/GitHub/mame/mame+0x431e8c6f) (BuildId: 5ea94812d72bae4c)
    #7 0x7f1bd3b1dfe6  (/mnt/s/GitHub/mame/mame+0x4459ffe6) (BuildId: 5ea94812d72bae4c)
    #8 0x7f1bd3b21b2f  (/mnt/s/GitHub/mame/mame+0x445a3b2f) (BuildId: 5ea94812d72bae4c)
    #9 0x7f1bd276ba4f  (/mnt/s/GitHub/mame/mame+0x431eda4f) (BuildId: 5ea94812d72bae4c)
    #10 0x7f1bda94cd0b  (/mnt/s/GitHub/mame/mame+0x4b3ced0b) (BuildId: 5ea94812d72bae4c)
    #11 0x7f1b8d689209  (/lib/x86_64-linux-gnu/libc.so.6+0x29209) (BuildId: 48b7efd5cbf9d6337df8a48de709d1f6f68f368e)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/s/GitHub/mame/mame+0x31658359) (BuildId: 5ea94812d72bae4c)
Shadow bytes around the buggy address:
  0x0c2a800c0b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c0b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a800c0b90:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c0ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a800c0be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb