libretro / RetroArch

Cross-platform, sophisticated frontend for the libretro API. Licensed GPLv3.
http://www.libretro.com
GNU General Public License v3.0

Segfault in the quick menu #5630

Open kivutar opened 6 years ago

kivutar commented 6 years ago

Description

I get this segfault:

Thread 1 "retroarch" received signal SIGSEGV, Segmentation fault.
menu_event_kb_set (down=false, key=3976642272) at menu/menu_event.c:118
118       menu_event_kb_set_internal(key, ((menu_event_kb_is_set(key) & 1) << 1) | down);
(gdb) bt
#0  menu_event_kb_set (down=false, key=3976642272) at menu/menu_event.c:118
#1  0x00005555555dd334 in input_keyboard_event (down=<optimized out>, code=3976642272, character=0, mod=<optimized out>, device=<optimized out>) at input/input_driver.c:2069
#2  0x00007fffeddad1c8 in ffi_call_unix64 () from /usr/lib/libffi.so.6
#3  0x00007fffeddacc2a in ffi_call () from /usr/lib/libffi.so.6
#4  0x00007ffff6684bad in ?? () from /usr/lib/libwayland-client.so.0
#5  0x00007ffff6681679 in ?? () from /usr/lib/libwayland-client.so.0
#6  0x00007ffff66829b4 in wl_display_dispatch_queue_pending () from /usr/lib/libwayland-client.so.0
#7  0x00005555556dee7e in flush_wayland_fd (data=<optimized out>) at gfx/drivers_context/wayland_ctx.c:609
#8  gfx_ctx_wl_check_window (data=0x5555571d3700, quit=0x7fffffffe306, resize=0x7fffffffe307, width=0x7fffffffe308, height=0x7fffffffe30c, is_shutdown=<optimized out>)
    at gfx/drivers_context/wayland_ctx.c:637
#9  0x00005555555e37b9 in video_context_driver_check_window (size_data=size_data@entry=0x7fffffffe310) at gfx/video_driver.c:2843
#10 0x00005555556edcbd in gl_alive (data=0x555557284fe0) at gfx/drivers/gl.c:2234
#11 0x00005555555e33fb in video_driver_get_status (frame_count=frame_count@entry=0x7fffffffe3a8, is_alive=is_alive@entry=0x7fffffffe3a7, is_focused=is_focused@entry=0x7fffffffe3a6)
    at gfx/video_driver.c:2657
#12 0x000055555559c938 in runloop_check_state (settings=settings@entry=0x7ffff7fc8010, input_nonblock_state=input_nonblock_state@entry=false, sleep_ms=0x7fffffffe52c) at retroarch.c:2410
#13 0x00005555555a0c24 in runloop_iterate (sleep_ms=0x7fffffffe52c) at retroarch.c:3056
#14 0x000055555559a6f0 in rarch_main (argc=<optimized out>, argv=<optimized out>, data=0x0) at frontend/frontend.c:131
#15 0x00007fffef473f6a in __libc_start_main () from /usr/lib/libc.so.6
#16 0x000055555559780a in _start ()

Steps to reproduce the bug

  1. Launch a game from a Playlist
  2. Trigger the quick menu
  3. Hit DOWN quickly

Bisect Results

[Try to bisect and tell us when this started happening]

Version/Commit

You can find this information under Information/System Information

Environment information

kivutar commented 6 years ago

With the sanitizers, I get this:

[INFO] [EGL]: eglSwapInterval(1)
[INFO] [PulseAudio]: Pausing.
gfx/drivers_context/wayland_ctx.c:179:26: runtime error: index 464 out of bounds for type 'retro_key [323]'
gfx/drivers_context/wayland_ctx.c:179:26: runtime error: load of address 0x55a5cf310e40 with insufficient space for an object of type 'retro_key'
0x55a5cf310e40: note: pointer points here
 29 7f 00 00  40 a2 a6 db 29 7f 00 00  80 e1 a7 db 29 7f 00 00  80 63 a7 db 29 7f 00 00  80 58 a7 db
              ^ 
menu/menu_event.c:93:34: runtime error: index 3685130816 out of bounds for type 'unsigned char [323]'
menu/menu_event.c:93:34: runtime error: load of address 0x55a6aa491100 with insufficient space for an object of type 'unsigned char'
0x55a6aa491100: note: pointer points here
<memory cannot be printed>
ASAN:DEADLYSIGNAL
=================================================================
==14077==ERROR: AddressSanitizer: SEGV on unknown address 0x55a6aa491100 (pc 0x55a5cabce7dd bp 0x7ffeb52c3330 sp 0x7ffeb52c3310 T0)
==14077==The signal is caused by a READ memory access.
    #0 0x55a5cabce7dc in menu_event_kb_is_set menu/menu_event.c:93
    #1 0x55a5cabce962 in menu_event_kb_set menu/menu_event.c:118
    #2 0x55a5cabc32f6 in menu_input_key_event menu/menu_driver.c:1486
    #3 0x55a5ca9e6ac0 in input_keyboard_event input/input_driver.c:2069
    #4 0x55a5cad01fe3 in keyboard_handle_key gfx/drivers_context/wayland_ctx.c:178
    #5 0x7f29dc7b11c7 in ffi_call_unix64 (/usr/lib/libffi.so.6+0x61c7)
    #6 0x7f29dc7b0c29 in ffi_call (/usr/lib/libffi.so.6+0x5c29)
    #7 0x7f29e5b7dbac  (/usr/lib/libwayland-client.so.0+0x8bac)
    #8 0x7f29e5b7a678  (/usr/lib/libwayland-client.so.0+0x5678)
    #9 0x7f29e5b7b9b3 in wl_display_dispatch_queue_pending (/usr/lib/libwayland-client.so.0+0x69b3)
    #10 0x55a5cad0494e in flush_wayland_fd gfx/drivers_context/wayland_ctx.c:609
    #11 0x55a5cad04e3b in gfx_ctx_wl_check_window gfx/drivers_context/wayland_ctx.c:637
    #12 0x55a5ca9fc960 in video_context_driver_check_window gfx/video_driver.c:2843
    #13 0x55a5cad622ed in gl_alive gfx/drivers/gl.c:2234
    #14 0x55a5ca9fb7fb in video_driver_get_status gfx/video_driver.c:2657
    #15 0x55a5ca920120 in runloop_check_state /home/kivutar/libretro-super/retroarch/retroarch.c:2410
    #16 0x55a5ca92336d in runloop_iterate /home/kivutar/libretro-super/retroarch/retroarch.c:3056
    #17 0x55a5ca912cbc in rarch_main frontend/frontend.c:131
    #18 0x55a5ca912e23 in main frontend/frontend.c:151
    #19 0x7f29dde77f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
    #20 0x55a5ca906dd9 in _start (/home/kivutar/libretro-super/retroarch/retroarch+0x1cdddd9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV menu/menu_event.c:93 in menu_event_kb_is_set
==14077==ABORTING

orbea commented 6 years ago
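The two sanitizer reports above describe a two-stage lookup that fails at both stages: `keyboard_handle_key` indexes a `retro_key [323]` table with a Wayland keysym of 464 (out of range, so the read returns whatever bytes follow the table), and that garbage value is then used as the index into the `unsigned char [323]` key-state array in `menu_event_kb_is_set`, which is where the process finally faults. The block below is an added example, not RetroArch's code, that models the same two stages with a bounds check at each one; the table contents, function names and the 323 size (assumed to be `RETROK_LAST`, matching the array types in the report) are assumptions. The state update mirrors the `((is_set(key) & 1) << 1) | down` expression shown in the gdb output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Table sizes come from the sanitizer messages: 'retro_key [323]' and
   'unsigned char [323]'. 323 is RETROK_LAST in libretro.h; the assumption
   here is that both arrays in the reporter's build are sized by it. */
#define RETROK_LAST    323u
#define RETROK_UNKNOWN 0u

typedef uint32_t retro_key;

/* Stage one: keysym -> retro_key. Constructed table, not RetroArch's own;
   only a few entries are populated so the example runs stand-alone. */
static retro_key keysym_to_rk[RETROK_LAST];

/* Stage two: per-key state, the 'unsigned char [323]' array in the trace.
   Bit 0 = down now, bit 1 = down at the previous update. */
static unsigned char kb_state[RETROK_LAST];

static void init_tables(void)
{
    keysym_to_rk[27]  = 27;   /* escape (hypothetical mapping) */
    keysym_to_rk[274] = 274;  /* down arrow (hypothetical mapping) */
}

/* Hardened stage one: an out-of-range keysym never indexes past the table.
   Without this check a keysym of 464 (the value in the UBSan report) reads
   141 entries past the end and returns whatever bytes happen to be there. */
retro_key translate_keysym(uint32_t keysym)
{
    if (keysym >= RETROK_LAST)
        return RETROK_UNKNOWN;
    return keysym_to_rk[keysym];
}

/* Hardened stage two: refuse to touch kb_state for a key outside the array.
   Returns false when the key was rejected so the caller can tell. This is
   the defence in depth that turns the reported SEGV into a dropped event
   even if stage one passes garbage through. */
bool menu_kb_set(bool down, retro_key key)
{
    if (key >= RETROK_LAST)
        return false;
    kb_state[key] = (unsigned char)(((kb_state[key] & 1u) << 1) | (down ? 1u : 0u));
    return true;
}

/* Read back the state bits for a key; 0 for anything out of range. */
unsigned kb_get(retro_key key)
{
    return key < RETROK_LAST ? kb_state[key] : 0u;
}

/* Feed a constructed event sequence (including the two out-of-range values
   seen in the gdb and UBSan output) and count how many were rejected. */
unsigned run_demo(void)
{
    static const uint32_t events[] = { 274, 464, 3976642272u, 27 };
    unsigned rejected = 0;

    init_tables();
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        retro_key rk = translate_keysym(events[i]);
        if (rk == RETROK_UNKNOWN || !menu_kb_set(true, rk))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("rejected %u of 4 constructed key events\n", run_demo());
    return 0;
}
```

The check in stage one is the one the trace says is missing at `wayland_ctx.c:179`; the check in stage two is what keeps a bad value from any other input driver from reaching `menu_event.c:93`. Both are cheap compared with the cost of trusting an index that originated in a compositor message.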

Have you tried to bisect this?

orbea commented 6 years ago

For the record I can't reproduce this, but I also don't have wayland.

jeremyvisser commented 6 years ago

I bisected this today, and found that the offending commit is 3d61c7fdfc2d75d6401ffd321982d8e27526d7fe. It was an "MSVC buildfix" by @twinaphex with no other context included, so it's unclear what the impact of reverting this would be.

orbea commented 5 years ago

@jeremyvisser and @kivutar Is this still an issue?

jeremyvisser commented 5 years ago

I just tried to reproduce this. Interestingly enough, I still had the exact same source directory around from when I posted my earlier comment.

After a rebuild (I was forced to rebuild, as the old binary depended on libav*.so that I no longer had), I can no longer reproduce the issue, either on the revision I bisected above, or the current stable release (1.7.5).

My guess is that the bug was in fact in something outside of RetroArch itself that has since been fixed. I still don’t understand how 3d61c7fdfc2d75d6401ffd321982d8e27526d7fe could have been the trigger for such a bug, whether it was inside or outside of RetroArch.

orbea commented 5 years ago

Thanks for the reply, I guess we will consider this fixed, but please let us know if you can reproduce it again in the future.

jeremyvisser commented 5 years ago

Okay, I could reproduce this again after testing on different hardware.

Where I failed to reproduce (either on 'good' or 'bad' revisions) was on Intel hardware.

But on AMD Radeon hardware, with the amdgpu driver, I can reproduce the issue on latest HEAD or the stable release 1.7.5. Just to double-check, I re-bisected this and got 3d61c7fdfc2d75d6401ffd321982d8e27526d7fe as the offending commit.

Here's my video card:

01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Cape Verde XT [Radeon HD 7770/8760 / R7 250X]

Running on Wayland, with GNOME 3.30.2 as the compositor.

And some glxinfo output:

OpenGL renderer string: AMD Radeon HD 7700 Series (VERDE, DRM 3.27.0, 4.20.0-arch1-1-ARCH, LLVM 7.0.0)
OpenGL core profile version string: 4.5 (Core Profile) Mesa 18.3.1
OpenGL core profile shading language version string: 4.50

Operating system is Arch Linux, with Mesa 18.3.1 and Linux 4.20.0-arch1-1-ARCH.

Please let me know what more information I need to provide.

orbea commented 5 years ago

Thanks for testing, I suspect the reason I cannot reproduce this with amdgpu is the lack of gnome3 and/or wayland.

RobLoach commented 5 years ago

Which core/game? Isn't happening here for me.

jeremyvisser commented 5 years ago

Any core/game. For example, I can reproduce this on Genesis Plus GX with Sonic 2, Mupen64plus with Perfect Dark, or ScummVM with Curse of Monkey Island.