Viewing Issue Advanced Details

| Field | Value |
|---|---|
| ID | 07556 |
| Category | Crash/Freeze |
| Severity | Critical (emulator) |
| Reproducibility | Always |
| Date Submitted | Feb 1, 2020, 22:08 |
| Last Update | Oct 30, 2021, 21:57 |
| Tester | kmg |
| View Status | Public |
| Platform | MAME (Self-compiled) |
| Assigned To | AmatCoder |
| Resolution | Fixed |
| OS | MacOS X |
| Status | Resolved |
| Driver | |
| Version | 0.217 |
| Fixed in Version | 0.238 |
| Build | 64-bit |
| Fixed in Git Commit | 41a8033 |
| Github Pull Request # | |
| Summary | 07556: snes, snespal [ctrigger and clones]: chrono trigger consistently causes segfault |
| Description | Game always crashes upon entering any battle as the in-game windows with enemy name, etc. are popping up. |
| Steps To Reproduce | Enter any battle in game. Or can even be seen by waiting 70 seconds or so while watching the opening montage. Game crashes in montage fight with "Flea". |
| Additional Information | |
| Github Commit | |
| Flags | |
| Regression Version | |
| Affected Sets / Systems | snes, snespal [ctrigger and clones] |
| Attached Files | |
| Relationships | |

Notes (1)

No.17382
Firewave (Senior Tester)
Feb 2, 2020, 10:03 (edited on: Feb 2, 2020, 10:35)
```text
snespal -cart ctrigger
=================================================================
==21728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x4af51180 at pc 0x05cb0e44 bp 0x166fb3fc sp 0x166fb3f0
WRITE of size 4 at 0x4af51180 thread T0
    #0 0x5cb0e43 in screen_device::create_composited_bitmap s:\dev\mame0217\src\emu\screen.cpp:1741
    #1 0x5cb9441 in screen_device::update_quads s:\dev\mame0217\src\emu\screen.cpp:1768
    #2 0x6146b76 in video_manager::finish_screen_updates s:\dev\mame0217\src\emu\video.cpp:863
    #3 0x614709d in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:217
    #4 0x5cb99d2 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660
    #5 0x5cb1cf5 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959
    #6 0x5fa7a0d in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #7 0x5fa80ac in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #8 0x5fab12e in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #9 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #10 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #11 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #12 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #13 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #14 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #15 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #16 0x75d06358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #17 0x76f17b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #18 0x76f17b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x4af51180 is located 0 bytes to the right of 1702272-byte region [0x4adb1800,0x4af51180)
allocated by thread T0 here:
    #0 0xc728bd in operator new[] D:\agent\_work\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:102
    #1 0x1c80fcb in bitmap_t::allocate s:\dev\mame0217\src\lib\util\bitmap.cpp:249
    #2 0x1c819a7 in bitmap_t::resize s:\dev\mame0217\src\lib\util\bitmap.cpp:289
    #3 0x5cb4f3a in screen_device::realloc_screen_bitmaps s:\dev\mame0217\src\emu\screen.cpp:1129
    #4 0x5cb082a in screen_device::configure s:\dev\mame0217\src\emu\screen.cpp:1024
    #5 0x7fb6a2f in snes_ppu_device::dynamic_res_change+0x24f (s:\dev\mame0217\mame.exe+0x7ff6a2f)
    #6 0x7fbcd60 in snes_ppu_device::write+0xd60 (s:\dev\mame0217\mame.exe+0x7ffcd60)
    #7 0x1bcfa98 in snes_state::snes_w_io+0x48 (s:\dev\mame0217\mame.exe+0x1c0fa98)
    #8 0x1b90284 in snes_console_state::snes21_hi_w+0x94 (s:\dev\mame0217\mame.exe+0x1bd0284)
    #9 0xc7b99b in delegate_mfp::method_stub<brazehs<tpp2_noalu_state>,void,address_space &,unsigned int,unsigned char,unsigned char>+0x1b (s:\dev\mame0217\mame.exe+0xcbb99b)
    #10 0x6158390 in handler_entry_write_delegate<0,0,0,emu::device_delegate<void __cdecl(address_space &,unsigned int,unsigned char,unsigned char)> >::write s:\dev\mame0217\src\emu\emumem_hedp.cpp:140
    #11 0x699e170 in handler_entry_write_dispatch<24,0,0,0>::write s:\dev\mame0217\src\emu\emumem_hedw.ipp:52
    #12 0x5f810b4 in address_space_specific<0,0,0>::write_native s:\dev\mame0217\src\emu\emumem.cpp:610
    #13 0x5f7bdd4 in address_space_specific<0,0,1>::write_byte s:\dev\mame0217\src\emu\emumem.cpp:630
    #14 0x1bcaeb3 in snes_state::dma_transfer+0x163 (s:\dev\mame0217\mame.exe+0x1c0aeb3)
    #15 0x1bcb252 in snes_state::hdma+0x2d2 (s:\dev\mame0217\mame.exe+0x1c0b252)
    #16 0x1bcd106 in snes_state::snes_hblank_tick+0xb6 (s:\dev\mame0217\mame.exe+0x1c0d106)
    #17 0x1bc9c3a in snes_state::device_timer+0x18a (s:\dev\mame0217\mame.exe+0x1c09c3a)
    #18 0x5fa7a0d in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #19 0x5fa80ac in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #20 0x5fab12e in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #21 0x5fb9530 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #22 0x6e59e64 in mame_machine_manager::execute S:\dev\mame0217\src\frontend\mame\mame.cpp:261
    #23 0x6e79b2a in cli_frontend::start_execution S:\dev\mame0217\src\frontend\mame\clifront.cpp:267
    #24 0x6e71754 in cli_frontend::execute S:\dev\mame0217\src\frontend\mame\clifront.cpp:283
    #25 0x6e5ad79 in emulator_info::start_frontend S:\dev\mame0217\src\frontend\mame\mame.cpp:392
    #26 0xa0f24ae in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #27 0x9e96df8 in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\emu\screen.cpp:1741 in screen_device::create_composited_bitmap
Shadow bytes around the buggy address:
  0x395ea1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x395ea220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x395ea230:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x395ea280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==21728==ABORTING
```