libretro / RetroArch

Cross-platform, sophisticated frontend for the libretro API. Licensed GPLv3.
http://www.libretro.com
GNU General Public License v3.0

Core options manager crash #6371

Open andres-asm opened 6 years ago

andres-asm commented 6 years ago

Description

Some cores change the core options depending on context. For instance sameboy shows different core options depending if you're running in single mode or dual mode.

This improves the user experience by showing only relevant options.

So on sameboy in single mode we have 4 options, in dual mode we have 10.

If you change the mode from single to dual and restart, all works well. If you change the mode from dual to single, reload and then go back to the menu, it crashes with the following stacktrace:

(gdb) bt
#0  0x0000000000470d6e in core_option_manager_get_val (opt=0x18460ca0, idx=4)
    at managers/core_option_manager.c:320
#1  0x000000000055d3cd in menu_action_setting_disp_set_label_core_options (
    list=0xc467820, w=0x5acec6c, type=65540, i=5,
    label=0xc33ba90 "deferred_rpl_entry_actions", s=0x5ace990 "", len=255,
    entry_label=0x0, path=0x184c9f20 "Emulated model for Game Boy #1",
    s2=0x5aceab0 "", len2=255) at menu/cbs/menu_cbs_get_value.c:1640
#2  0x0000000000541b93 in menu_entry_get (entry=0x5acec60, stack_idx=0, i=5,
    userdata=0xc467820, use_representation=true)
    at menu/widgets/menu_entry.c:334
#3  0x0000000000519606 in xmb_draw_items (video_info=0x5acf860,
    xmb=0xc33c190, list=0xc467820, current=1, cat_selection_ptr=3,
    color=0x940740 <item_color>, width=1920, height=1080)
    at menu/drivers/xmb.c:2677
#4  0x000000000051b48c in xmb_frame (data=0xc33c190, video_info=0x5acf860)
    at menu/drivers/xmb.c:3217
#5  0x0000000000523772 in menu_driver_frame (video_info=0x5acf860)
    at menu/menu_driver.c:1596
#6  0x00000000005a9b3a in gl_frame (data=0xb3070a0, frame=0xb317cf0,
    frame_width=160, frame_height=144, frame_count=75, pitch=640,
    msg=0xc70580 <video_driver_msg> "", video_info=0x5acf860)
    at gfx/drivers/gl.c:1142
#7  0x000000000044cad5 in video_driver_frame (data=0xb317cf0, width=160,
    height=144, pitch=640) at gfx/video_driver.c:2499
#8  0x000000006cf4d241 in sameboy_libretro!retro_run ()
   from D:\GameData\Emulators\RetroArch\libretro\sameboy_libretro.dll
#9  0x0000000000402efd in core_run () at core_impl.c:415
#10 0x000000000051f5ed in menu_display_libretro (is_idle=false,
    rarch_is_inited=true, rarch_is_dummy_core=false) at menu/menu_driver.c:416
#11 0x0000000000523911 in menu_driver_render (is_idle=false,
    rarch_is_inited=true, rarch_is_dummy_core=false)
    at menu/menu_driver.c:1637
#12 0x0000000000407641 in runloop_check_state (settings=0xb2a4770,
    input_nonblock_state=false, sleep_ms=0x5acfdc0) at retroarch.c:2589
#13 0x000000000040856c in runloop_iterate (sleep_ms=0x5acfdc0)
    at retroarch.c:3137
#14 0x000000000040170f in rarch_main (argc=5, argv=0x9a4ee80, data=0x0)
    at frontend/frontend.c:131
#15 0x000000000040176f in SDL_main (argc=5, argv=0x9a4ee80)
    at frontend/frontend.c:154
#16 0x00000000007efe18 in main_getcmdline ()
#17 0x00000000004013c7 in __tmainCRTStartup ()
    at C:/repo/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:337
#18 0x00000000004014cb in WinMainCRTStartup ()
    at C:/repo/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:187

Expected behavior

It shouldn't crash

Steps to reproduce the bug

  1. Load sameboy in single mode
  2. Change core option to dual mode, close content
  3. Load the same game from history
  4. Change core option to single mode, close content
  5. Load the same game from history
  6. Press F1 to go back to menu
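The report above boils down to a stale menu index being handed to the option manager after the option count shrank (the trace shows idx=4 against a set that now has only 4 entries, i.e. indices 0..3). As an added illustration, not code from RetroArch or from the reporter, here is a constructed option manager with a bounds-checked accessor and a replay of the dual-to-single sequence; the names `option_manager_new`, `get_val_checked` and `replay_stale_index` are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for a core option manager (not RetroArch's code): an
 * array of option values whose count depends on the core's mode (4 vs 10). */
struct option_manager { const char **vals; size_t size; };

/* Hypothetical builder: n placeholder option values. */
static struct option_manager *option_manager_new(size_t n)
{
   struct option_manager *m = calloc(1, sizeof(*m));
   if (!m) return NULL;
   m->vals = calloc(n, sizeof(*m->vals));
   if (!m->vals) { free(m); return NULL; }
   for (size_t i = 0; i < n; i++)
      m->vals[i] = "value";
   m->size = n;
   return m;
}

static void option_manager_free(struct option_manager *m)
{
   if (m) free(m->vals);
   free(m);
}

/* The bug pattern in the report is an accessor that trusts the caller's index
 * (`return m->vals[idx];`): a menu entry built while 10 options existed still
 * asks for idx 4 after the manager was rebuilt with 4, reading past the heap
 * array. Bounds-checking against the current count makes a stale index NULL. */
const char *get_val_checked(const struct option_manager *m, size_t idx)
{
   if (!m || !m->vals || idx >= m->size)
      return NULL;
   return m->vals[idx];
}

/* Replays the report's steps: dual mode (10 options), then single mode (4)
 * with the menu still holding index 4. Returns 1 if the accessor accepted
 * the index while valid and rejected it once stale. */
int replay_stale_index(void)
{
   size_t cached_menu_idx = 4;
   struct option_manager *m = option_manager_new(10);   /* dual mode */
   int ok = m && get_val_checked(m, cached_menu_idx) != NULL;
   option_manager_free(m);
   m = option_manager_new(4);                            /* back to single */
   ok = ok && m && get_val_checked(m, cached_menu_idx) == NULL;
   option_manager_free(m);
   return ok;
}
```

Under ASan the unchecked form of the accessor reports exactly the heap-buffer-overflow seen later in this thread; the checked form makes the menu show an empty label instead.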

inactive123 commented 6 years ago

Is this issue still ongoing or has it since been fixed?

orbea commented 5 years ago

It crashes here so I think it's ongoing.

orbea commented 5 years ago

Thread 1 "retroarch" received signal SIGSEGV, Segmentation fault.
0x000000000053978a in strlcpy_retro__ (dest=0x7fffffffc931 "ame Boy Color", 
    source=0x64656c62616e66 <error: Cannot access memory at address 0x64656c62616e66>, size=255) at libretro-common/compat/compat_strl.c:38
38        while (--n && (*dest++ = *source++)) src_size++;
(gdb) bt
#0  0x000000000053978a in strlcpy_retro__ (dest=0x7fffffffc931 "ame Boy Color", 
    source=0x64656c62616e66 <error: Cannot access memory at address 0x64656c62616e66>, size=255) at libretro-common/compat/compat_strl.c:38
#1  0x000000000061b86d in menu_action_setting_disp_set_label_core_options (
    list=0x11d7f00, w=0x7fffffffcccc, type=65540, i=4, 
    label=0x170b2d0 "deferred_rpl_entry_actions", s=0x7fffffffc930 "", len=255, 
    entry_label=0x0, path=0x14e0580 "Emulated model for Game Boy #1", 
    s2=0x7fffffffcb50 "", len2=255) at menu/cbs/menu_cbs_get_value.c:1185
#2  0x00000000005fe731 in menu_entry_get (entry=0x7fffffffccc0, stack_idx=0, 
    i=4, userdata=0x11d7f00, use_representation=true)
    at menu/widgets/menu_entry.c:337
#3  0x00000000005c3f79 in xmb_draw_items (video_info=0x7fffffffd8d0, 
    xmb=0x13373a0, list=0x11d7f00, current=0, cat_selection_ptr=3, 
    color=0xa38020 <item_color>, width=1680, height=1050)
    at menu/drivers/xmb.c:3097
#4  0x00000000005c7bbb in xmb_frame (data=0x13373a0, video_info=0x7fffffffd8d0)
    at menu/drivers/xmb.c:4054
#5  0x00000000005dae60 in menu_driver_frame (video_info=0x7fffffffd8d0)
    at menu/menu_driver.c:1894
#6  0x0000000000674831 in gl_frame (data=0x1336b50, frame=0x1142fa0, 
    frame_width=160, frame_height=144, frame_count=31, pitch=640, 
    msg=0xa98540 <video_driver_msg> "100%: Sony PLAYSTATION(R)3 Controller configured in port #0.", video_info=0x7fffffffd8d0) at gfx/drivers/gl.c:1125
#7  0x0000000000479e99 in video_driver_frame (data=0x1142fa0, width=160, 
    height=144, pitch=640) at gfx/video_driver.c:2644
#8  0x0000000000477c0b in video_driver_cached_frame () at gfx/video_driver.c:1431
#9  0x00000000005d6428 in menu_display_libretro (is_idle=false, 
    rarch_is_inited=true, rarch_is_dummy_core=false) at menu/menu_driver.c:548
#10 0x00000000005db00d in menu_driver_render (is_idle=false, 
    rarch_is_inited=true, rarch_is_dummy_core=false) at menu/menu_driver.c:1935
#11 0x00000000004184df in runloop_check_state (settings=0x7fffefe3d010, 
    input_nonblock_state=false, sleep_ms=0x7fffffffe0f0) at retroarch.c:2845
#12 0x00000000004195b1 in runloop_iterate (sleep_ms=0x7fffffffe0f0)
    at retroarch.c:3508
#13 0x0000000000412717 in rarch_main (argc=1, argv=0x7fffffffe208, data=0x0)
    at frontend/frontend.c:141
#14 0x0000000000412774 in main (argc=1, argv=0x7fffffffe208)
    at frontend/frontend.c:170

Full GDB log - https://paste.ee/p/P4leL

orbea commented 5 years ago

asan

$ ./retroarch
Connecting device 1 into port 0
Connecting device 1 into port 1
Connecting device 1 into port 0
Connecting device 1 into port 1
Saving battery for Game Boy 2 to: /media/data/home/games/roms/.saves/retroarch/SameBoy/Legend of Zelda, The - Link's Awakening DX (USA, Europe).srm.2
Connecting device 1 into port 0
Connecting device 1 into port 1
=================================================================
==25005==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00006a5d0 at pc 0x00000055dcbb bp 0x7ffeed2e6b10 sp 0x7ffeed2e6b08
READ of size 8 at 0x60c00006a5d0 thread T0
    #0 0x55dcba in core_option_manager_get_val managers/core_option_manager.c:331
    #1 0x840ecf in menu_action_setting_disp_set_label_core_options menu/cbs/menu_cbs_get_value.c:1179
    #2 0x800e5a in menu_entry_get menu/widgets/menu_entry.c:337
    #3 0x77d85b in xmb_draw_items menu/drivers/xmb.c:3108
    #4 0x786921 in xmb_frame menu/drivers/xmb.c:4065
    #5 0x7bb8a1 in menu_driver_frame menu/menu_driver.c:1894
    #6 0x911aa1 in gl_frame gfx/drivers/gl.c:1125
    #7 0x50b941 in video_driver_frame gfx/video_driver.c:2644
    #8 0x5063a8 in video_driver_cached_frame gfx/video_driver.c:1431
    #9 0x7ae413 in menu_display_libretro menu/menu_driver.c:548
    #10 0x7bbc21 in menu_driver_render menu/menu_driver.c:1935
    #11 0x425042 in runloop_check_state /home/orbea/gittings/forks/RetroArch/retroarch.c:2868
    #12 0x42737f in runloop_iterate /home/orbea/gittings/forks/RetroArch/retroarch.c:3564
    #13 0x41a5fd in rarch_main frontend/frontend.c:141
    #14 0x41a733 in main frontend/frontend.c:170
    #15 0x7f27225bac66 in __libc_start_main (/lib64/libc.so.6+0x22c66)
    #16 0x40fd59 in _start (/media/gittings/forks/RetroArch/retroarch+0x40fd59)

0x60c00006a5d0 is located 16 bytes to the right of 128-byte region [0x60c00006a540,0x60c00006a5c0)
allocated by thread T0 here:
    #0 0x7f2725fb1118 in calloc (/usr/lib64/libasan.so.5+0xe9118)
    #1 0x55d6ee in core_option_manager_new managers/core_option_manager.c:197
    #2 0x4225e2 in rarch_ctl /home/orbea/gittings/forks/RetroArch/retroarch.c:1989
    #3 0x54c9ca in rarch_environment_cb /home/orbea/gittings/forks/RetroArch/dynamic.c:1236
    #4 0x7f271ad60c31 in retro_load_game (/usr/lib64/libretro/sameboy_libretro.so+0x10c31)
    #5 0x44a6a2 in content_file_load tasks/task_content.c:631
    #6 0x44b6ff in content_file_init tasks/task_content.c:815
    #7 0x451762 in content_init tasks/task_content.c:1945
    #8 0x42fbfa in event_init_content /home/orbea/gittings/forks/RetroArch/command.c:1298
    #9 0x42ffc2 in command_event_init_core /home/orbea/gittings/forks/RetroArch/command.c:1367
    #10 0x4333f4 in command_event /home/orbea/gittings/forks/RetroArch/command.c:2380
    #11 0x421057 in retroarch_main_init /home/orbea/gittings/forks/RetroArch/retroarch.c:1400
    #12 0x448e7b in content_load tasks/task_content.c:282
    #13 0x44bdf7 in task_load_content tasks/task_content.c:884
    #14 0x44c518 in command_event_cmd_exec tasks/task_content.c:1001
    #15 0x44dddd in task_push_load_content_from_playlist_from_menu tasks/task_content.c:1219
    #16 0x80a4aa in default_action_ok_load_content_from_playlist_from_menu menu/cbs/menu_cbs_ok.c:1545
    #17 0x80b8bd in action_ok_playlist_entry_collection menu/cbs/menu_cbs_ok.c:1759
    #18 0x801dd0 in menu_entry_action menu/widgets/menu_entry.c:455
    #19 0x89cae1 in generic_menu_iterate menu/drivers/menu_generic.c:232
    #20 0x7bbebf in menu_driver_iterate menu/menu_driver.c:2011
    #21 0x424fc7 in runloop_check_state /home/orbea/gittings/forks/RetroArch/retroarch.c:2859
    #22 0x42737f in runloop_iterate /home/orbea/gittings/forks/RetroArch/retroarch.c:3564
    #23 0x41a5fd in rarch_main frontend/frontend.c:141
    #24 0x41a733 in main frontend/frontend.c:170
    #25 0x7f27225bac66 in __libc_start_main (/lib64/libc.so.6+0x22c66)

SUMMARY: AddressSanitizer: heap-buffer-overflow managers/core_option_manager.c:331 in core_option_manager_get_val
==25005==ABORTING