Closed ghost closed 5 years ago
This might be related. https://github.com/libretro/RetroArch/issues/7822
Updated stacktrace.
$ ./retroarch
=================================================================
==23205==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe39456a7f at pc 0x00000058e7ca bp 0x7ffe39456160 sp 0x7ffe39456158
READ of size 1 at 0x7ffe39456a7f thread T0
#0 0x58e7c9 in font_driver_reshape_msg gfx/font_driver.c:884
#1 0x58f2ee in font_driver_render_msg gfx/font_driver.c:967
#2 0x90e499 in gl_set_osd_msg gfx/drivers/gl.c:833
#3 0x505568 in video_driver_set_osd_msg gfx/video_driver.c:1184
#4 0x7ba897 in menu_display_draw_text menu/menu_driver.c:1607
#5 0x76e9c0 in xmb_draw_text menu/drivers/xmb.c:847
#6 0x77bdda in xmb_draw_item menu/drivers/xmb.c:2942
#7 0x77d956 in xmb_draw_items menu/drivers/xmb.c:3109
#8 0x786a1e in xmb_frame menu/drivers/xmb.c:4080
#9 0x7bb914 in menu_driver_frame menu/menu_driver.c:1894
#10 0x911b14 in gl_frame gfx/drivers/gl.c:1121
#11 0x50b99a in video_driver_frame gfx/video_driver.c:2639
#12 0x506401 in video_driver_cached_frame gfx/video_driver.c:1428
#13 0x7ae486 in menu_display_libretro menu/menu_driver.c:548
#14 0x7bbc94 in menu_driver_render menu/menu_driver.c:1935
#15 0x425042 in runloop_check_state /home/orbea/gittings/forks/RetroArch/retroarch.c:2867
#16 0x42737f in runloop_iterate /home/orbea/gittings/forks/RetroArch/retroarch.c:3562
#17 0x41a5fd in rarch_main frontend/frontend.c:141
#18 0x41a733 in main frontend/frontend.c:169
#19 0x7fec5e9eac66 in __libc_start_main (/lib64/libc.so.6+0x22c66)
#20 0x40fd59 in _start (/media/gittings/forks/RetroArch/retroarch+0x40fd59)
Address 0x7ffe39456a7f is located in stack of thread T0 at offset 287 in frame
#0 0x77a5fe in xmb_draw_item menu/drivers/xmb.c:2793
This frame has 6 object(s):
[32, 64) 'rotate_draw'
[96, 136) 'ticker'
[192, 256) 'mymat_tmp'
[288, 543) 'tmp' <== Memory access at offset 287 underflows this variable
[576, 1088) 'entry_sublabel'
[1120, 5216) 'entry_path'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow gfx/font_driver.c:884 in font_driver_reshape_msg
Shadow bytes around the buggy address:
0x100047282cf0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f2 f2 f2
0x100047282d00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100047282d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100047282d20: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100047282d30: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2
=>0x100047282d40: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2[f2]
0x100047282d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100047282d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
0x100047282d70: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x100047282d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100047282d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23205==ABORTING
I tried to bisect this and got this commit.
a8ee5f6c44a6253bb4cfd6a8085ef46505cada6e is the first bad commit
commit a8ee5f6c44a6253bb4cfd6a8085ef46505cada6e
Author: aliaspider <aliaspider@gmail.com>
Date: Fri Feb 9 16:59:48 2018 +0100
restore some changes made in 9dc597cf6c629fae4962031956261d2429395063.
:040000 040000 86e4387e140fc22f16933461682fd26ff26862d7 ce4856621da8de86166908706aa5cd24677cb509 M menu
a8ee5f6c44a6253bb4cfd6a8085ef46505cada6e
With the bad commit it stops crashing with this change. (Not a fix)
diff --git a/menu/menu_setting.c b/menu/menu_setting.c
index ff952fec2d..e323ff140e 100644
--- a/menu/menu_setting.c
+++ b/menu/menu_setting.c
@@ -605,7 +605,6 @@ static void setting_get_string_representation_uint_user_language(void *data,
modes[RETRO_LANGUAGE_ESPERANTO] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_ESPERANTO);
modes[RETRO_LANGUAGE_POLISH] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_POLISH);
modes[RETRO_LANGUAGE_VIETNAMESE] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_VIETNAMESE);
- modes[RETRO_LANGUAGE_ARABIC] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_ARABIC);
strlcpy(s, modes[*msg_hash_get_uint(MSG_HASH_USER_LANGUAGE)], len);
}
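Review bot: dropping this assignment leaves `modes[RETRO_LANGUAGE_ARABIC]` holding whatever the array contained before this function filled it, while the `strlcpy(s, modes[*msg_hash_get_uint(MSG_HASH_USER_LANGUAGE)], len)` two lines down still indexes `modes` with the user's language and no range check, so selecting Arabic now copies from an unassigned slot instead of reaching the renderer. The report above places the one-byte read below `tmp` in font_driver_reshape_msg (gfx/font_driver.c:884), not in this table, so this hunk only removes the input that feeds that path, as the "(Not a fix)" remark already says; the reshaping code is where the bound needs checking.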
This however doesn't seem to work with master.
I bisected again while removing RETRO_LANGUAGE_ARABIC from menu/menu_setting.c before each build and found this commit where it started to crash again.
6338039ac0c469420ed9a25cc3cc980501cc2b22 is the first bad commit
commit 6338039ac0c469420ed9a25cc3cc980501cc2b22
Author: Alfrix <alfredomonclus@gmail.com>
Date: Mon Oct 15 22:32:03 2018 -0300
Move Privacy settings to User
:040000 040000 bd104f80cbc6f41c0c2059acb9f9d40268ebe9a9 96ff48dd3674ac00c35f7bd8b892f92a719673cc M menu
6338039ac0c469420ed9a25cc3cc980501cc2b22
sed -i '/RETRO_LANGUAGE_ARABIC/d' menu/menu_setting.c
This hack prevents the crashes with the master.
@alfrix and @aliaspider Any help you can provide would be appreciated!
diff --git a/menu/menu_displaylist.c b/menu/menu_displaylist.c
index a891d68701..9f14e76157 100644
--- a/menu/menu_displaylist.c
+++ b/menu/menu_displaylist.c
@@ -6451,9 +6451,6 @@ bool menu_displaylist_ctl(enum menu_displaylist_ctl_state type, menu_displaylist
break;
case DISPLAYLIST_USER_SETTINGS_LIST:
menu_entries_ctl(MENU_ENTRIES_CTL_CLEAR, info->list);
- menu_displaylist_parse_settings_enum(menu, info,
- MENU_ENUM_LABEL_PRIVACY_SETTINGS,
- PARSE_ACTION, false);
if (menu_displaylist_parse_settings_enum(menu, info,
MENU_ENUM_LABEL_ACCOUNTS_LIST,
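Review bot: this hunk removes the PRIVACY_SETTINGS entry from DISPLAYLIST_USER_SETTINGS_LIST and the next one re-adds it after DIRECTORY_SETTINGS, which is the reverse of the "Move Privacy settings to User" commit the bisect landed on; neither touches anything on the crashing path in the trace (xmb_draw_item → font_driver_reshape_msg), so if this is posted as a workaround it should be labelled as such, and the menu_setting.c hunk below is the only part that changes what gets drawn.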
@@ -7086,6 +7083,8 @@ bool menu_displaylist_ctl(enum menu_displaylist_ctl_state type, menu_displaylist
MENU_ENUM_LABEL_USER_SETTINGS, PARSE_ACTION, false);
ret = menu_displaylist_parse_settings_enum(menu, info,
MENU_ENUM_LABEL_DIRECTORY_SETTINGS, PARSE_ACTION, false);
+ ret = menu_displaylist_parse_settings_enum(menu, info,
+ MENU_ENUM_LABEL_PRIVACY_SETTINGS, PARSE_ACTION, false);
info->need_push = true;
break;
case DISPLAYLIST_HORIZONTAL:
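Review bot: the added `ret = menu_displaylist_parse_settings_enum(menu, info, MENU_ENUM_LABEL_PRIVACY_SETTINGS, PARSE_ACTION, false);` overwrites the `ret` from the DIRECTORY_SETTINGS call on the line above before anything reads it, so a failure there is lost; either check each return (`if (!ret) break;` style) or combine them (`ret = ret && ...`), and if the return value is not meant to be checked here, the assignment to `ret` is dead and the preceding one should match.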
diff --git a/menu/menu_setting.c b/menu/menu_setting.c
index 592008b136..4f9ac396f0 100644
--- a/menu/menu_setting.c
+++ b/menu/menu_setting.c
@@ -1928,7 +1928,6 @@ static void setting_get_string_representation_uint_user_language(
modes[RETRO_LANGUAGE_ESPERANTO] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_ESPERANTO);
modes[RETRO_LANGUAGE_POLISH] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_POLISH);
modes[RETRO_LANGUAGE_VIETNAMESE] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_VIETNAMESE);
- modes[RETRO_LANGUAGE_ARABIC] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_ARABIC);
modes[RETRO_LANGUAGE_GREEK] = msg_hash_to_str(MENU_ENUM_LABEL_VALUE_LANG_GREEK);
strlcpy(s, modes[*msg_hash_get_uint(MSG_HASH_USER_LANGUAGE)], len);
}
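Review bot: same hazard as the earlier menu_setting.c hunk: with this line gone, `modes[RETRO_LANGUAGE_ARABIC]` is never assigned in this function, but `strlcpy(s, modes[*msg_hash_get_uint(MSG_HASH_USER_LANGUAGE)], len)` still dereferences that slot when the user's language is Arabic. If the removal is kept as a workaround, map that value to a fallback string before the copy or guard the index, otherwise the renderer crash is traded for a copy from an unassigned pointer; the newly visible GREEK entry shows the table still grows, so a bounds check on the index would also catch future additions.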
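The error class in the ASan report above, as an added example that is not RetroArch's code: a look-back at s[i - 1] that starts at i == 0 reads one byte below a stack buffer, which is the "offset 287 underflows 'tmp' [288, 543)" shape in the report. The joining rule, the buffer contents and the function names are constructed for the illustration (they are not the project's shaping logic); the bounds-checked version sits beside the buggy one, and a small helper reads an ASan frame line the way the report does.

```c
/* Added example, not RetroArch code: one-byte underflow from a look-back at
 * s[i - 1] that starts at i == 0, beside the bounds-checked form.
 * Build with: cc -g -fsanitize=address underflow.c && ./a.out
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed rule (not the project's): two consecutive non-ASCII bytes
 * "join". Any rule that consults the previous byte exposes the same bug. */
static int joins_prev(unsigned char prev, unsigned char cur)
{
    return prev >= 0x80 && cur >= 0x80;
}

/* BUGGY: at i == 0, i - 1 wraps to SIZE_MAX and s[i - 1] is the byte before
 * the buffer. ASan reports it as a stack-buffer-overflow READ of size 1 that
 * "underflows" the caller's array. */
size_t count_joins_unchecked(const char *s, size_t len)
{
    size_t joins = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char prev = (unsigned char)s[i - 1];  /* out of bounds when i == 0 */
        if (joins_prev(prev, (unsigned char)s[i]))
            joins++;
    }
    return joins;
}

/* FIXED: the first byte has no predecessor, so the look-back starts at
 * i == 1 (equivalently: guard with `i > 0` before touching s[i - 1]). */
size_t count_joins_checked(const char *s, size_t len)
{
    size_t joins = 0;
    for (size_t i = 1; i < len; i++) {
        if (joins_prev((unsigned char)s[i - 1], (unsigned char)s[i]))
            joins++;
    }
    return joins;
}

/* Reading an ASan frame line: where does a byte at frame offset `off` sit
 * relative to an object occupying [start, end)? Negative: that many bytes
 * below the object (the report's 287 vs [288, 543) gives -1); 0: inside;
 * positive: that many bytes past its end. */
long frame_access_position(long off, long start, long end)
{
    if (off < start)
        return off - start;
    if (off >= end)
        return off - end + 1;
    return 0;
}

int main(void)
{
    /* Constructed input: "ab" followed by two non-ASCII bytes, in a stack
     * buffer like 'tmp' in the report's xmb_draw_item frame. */
    char tmp[8];
    memcpy(tmp, "ab\xC3\xA9", 4);
    printf("checked:   %zu joins\n", count_joins_checked(tmp, 4));
    printf("report: access at 287 is %ld byte(s) below tmp\n",
           -frame_access_position(287, 288, 543));
    /* Under ASan the next call aborts with a report naming this file and the
     * s[i - 1] line; without ASan it silently reads a byte below tmp. */
    printf("unchecked: %zu joins\n", count_joins_unchecked(tmp, 4));
    return 0;
}
```

Compiled with -fsanitize=address -g, the unchecked call produces a report of the same shape as the one above (READ of size 1, "underflows this variable"). Note how ASan splits the two halves of the story: the read is reported at frame #0 inside the function that does the look-back, while the array belongs to a caller's frame, which is why the report above names font_driver_reshape_msg for the access and xmb_draw_item for 'tmp'.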
Description
When running under ASAN on Linux, trying to change the language in certain circumstances produces a stack overflow:
Happens at least with both xmb and ozone.
Expected behavior
No stack overflow.
Actual behavior
Stack overflow.
Steps to reproduce the bug
It can be triggered a few different ways:
(assuming XMB)
Bisect Results
Issue is somewhere between 1.7.0 (good) and 1.7.1 (bad), but too many commits had to be skipped during the bisect because they all crashed on startup.
Version/Commit
Environment information