libsdl-org / SDL

Simple Directmedia Layer
https://libsdl.org
zlib License

SDL2 crash on macOS when using cheap controller #10193

Open kamfretoz opened 3 months ago

kamfretoz commented 3 months ago

Backstory

A little bit of backstory on how I got here. First of all, do note that I'm running Hackintosh on macOS Ventura 13.6.1 (I hope it's still acceptable). I've been using this system to test PCSX2 stuff (I'm part of the PCSX2 testers), and noticed that PCSX2 would often crash on startup. Someone from the team and I nailed it down to PCSX2 crashing only when the controller I use is connected to the system. We determined it to be an SDL bug with these specific cheap controllers; I'll post more details of it below.

More details

SDL2 version built from the latest commit https://github.com/libsdl-org/SDL/commit/58e179c8b50feff2a321003886f218a7b006c4d0 (as of the time of testing)

CMake Flag:

-DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_SHARED_LINKER_FLAGS=-fsanitize=address -DSDL_TESTS=ON

The crash was reproduced by running ./build/test/testgamecontroller built with ASAN

Crash log was taken with the address sanitizer build:

kamfretoz@HeckinBeast SDL % ./build/test/testgamecontroller
testgamecontroller(31638,0x7ff85ca44700) malloc: nano zone abandoned due to inability to reserve vm space.
2024-07-07 16:56:05.595 testgamecontroller[31638:139284] INFO: There are 0 game controller(s) attached (0 joystick(s))
2024-07-07 16:56:06.042 testgamecontroller[31638:139284] INFO: Game controller device 0 added.
2024-07-07 16:56:06.042 testgamecontroller[31638:139284] INFO: Opened game controller Generic USB Joystick
2024-07-07 16:56:06.042 testgamecontroller[31638:139284] INFO: Mapping: 05004f02ac05000004000000d0c06d04,Generic USB Joystick,a:b0,b:b1,x:b4,y:b5,guide:b2,start:b3,leftstick:b11,rightstick:b14,leftshoulder:b10,rightshoulder:b13,dpup:b9,dpdown:b6,dpleft:b7,dpright:b8,leftx:a0,lefty:a1~,rightx:a2,righty:a3~,lefttrigger:b12,righttrigger:b15,crc:024f,platform:Mac OS X
=================================================================
==31638==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000013b30 at pc 0x000100dddce1 bp 0x7ff7bfea04a0 sp 0x7ff7bfe9fc58
WRITE of size 8 at 0x602000013b30 thread T0
    #0 0x100dddce0 in wrap_memcpy+0xfc0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x28ce0)
    #1 0x102faeda5  (IOHIDLib:x86_64+0x10da5)
    #2 0x7ff819470d9b in __CFMachPortPerform+0x119 (CoreFoundation:x86_64h+0xaad9b)
    #3 0x7ff8194433f2 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__+0x28 (CoreFoundation:x86_64h+0x7d3f2)
    #4 0x7ff819443332 in __CFRunLoopDoSource1+0x21b (CoreFoundation:x86_64h+0x7d332)
    #5 0x7ff819441fb0 in __CFRunLoopRun+0xa85 (CoreFoundation:x86_64h+0x7bfb0)
    #6 0x7ff819440ec0 in CFRunLoopRunSpecific+0x22f (CoreFoundation:x86_64h+0x7aec0)
    #7 0x7ff822ec2f3c in RunCurrentEventLoopInMode+0x123 (HIToolbox:x86_64+0x2ef3c)
    #8 0x7ff822ec2b83 in ReceiveNextEventCommon+0xc6 (HIToolbox:x86_64+0x2eb83)
    #9 0x7ff822ec2aa7 in _BlockUntilNextEventMatchingListInModeWithFilter+0x3f (HIToolbox:x86_64+0x2eaa7)
    #10 0x7ff81c4dd25b in _DPSNextEvent+0x359 (AppKit:x86_64+0x3e25b)
    #11 0x7ff81c4dc105 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x4bd (AppKit:x86_64+0x3d105)
    #12 0x1006e8479 in Cocoa_PumpEventsUntilDate SDL_cocoaevents.m:526
    #13 0x1006e8b44 in Cocoa_PumpEvents SDL_cocoaevents.m:562
    #14 0x1000f8a2c in SDL_PumpEventsInternal SDL_events.c:921
    #15 0x1000f88fa in SDL_PumpEvents_REAL SDL_events.c:956
    #16 0x1000d9a39 in SDL_PumpEvents SDL_dynapi_procs.h:150
    #17 0x10006453b in loop testgamecontroller.c:572
    #18 0x10006869e in main testgamecontroller.c:957
    #19 0x7ff81900d41e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)

0x602000013b30 is located 0 bytes inside of 8-byte region [0x602000013b30,0x602000013b38)
freed by thread T0 here:
    #0 0x100e92f89 in wrap_free+0xa9 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xddf89)
    #1 0x10012dafc in PLATFORM_free_hid_device hid.c:181
    #2 0x10012f7f7 in PLATFORM_hid_close hid.c:1177
    #3 0x100131d98 in SDL_hid_close_REAL SDL_hidapi.c:1573
    #4 0x1006a4219 in HIDAPI_SetupDeviceDriver SDL_hidapijoystick.c:534
    #5 0x1006a334c in HIDAPI_AddDevice SDL_hidapijoystick.c:951
    #6 0x10069d44d in HIDAPI_UpdateDeviceList SDL_hidapijoystick.c:1117
    #7 0x10069d0de in HIDAPI_JoystickInit SDL_hidapijoystick.c:617
    #8 0x10014f6d4 in SDL_JoystickInit SDL_joystick.c:645
    #9 0x10006b4cb in SDL_InitSubSystem_REAL SDL.c:300
    #10 0x10006bdc2 in SDL_Init_REAL SDL.c:375
    #11 0x1000d9276 in SDL_Init SDL_dynapi_procs.h:88
    #12 0x1000679fd in main testgamecontroller.c:815
    #13 0x7ff81900d41e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)

previously allocated by thread T0 here:
    #0 0x100e93225 in wrap_calloc+0xa5 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xde225)
    #1 0x10012c4bb in PLATFORM_hid_open_path hid.c:854
    #2 0x100130f41 in SDL_hid_open_path_REAL SDL_hidapi.c:1463
    #3 0x1006a3f00 in HIDAPI_SetupDeviceDriver SDL_hidapijoystick.c:511
    #4 0x1006a334c in HIDAPI_AddDevice SDL_hidapijoystick.c:951
    #5 0x10069d44d in HIDAPI_UpdateDeviceList SDL_hidapijoystick.c:1117
    #6 0x10069d0de in HIDAPI_JoystickInit SDL_hidapijoystick.c:617
    #7 0x10014f6d4 in SDL_JoystickInit SDL_joystick.c:645
    #8 0x10006b4cb in SDL_InitSubSystem_REAL SDL.c:300
    #9 0x10006bdc2 in SDL_Init_REAL SDL.c:375
    #10 0x1000d9276 in SDL_Init SDL_dynapi_procs.h:88
    #11 0x1000679fd in main testgamecontroller.c:815
    #12 0x7ff81900d41e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x28ce0) in wrap_memcpy+0xfc0
Shadow bytes around the buggy address:
  0x602000013880: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x602000013900: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
  0x602000013980: fa fa fd fd fa fa fd fa fa fa 00 00 fa fa fd fa
  0x602000013a00: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x602000013a80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x602000013b00: fa fa fd fa fa fa[fd]fa fa fa fd fa fa fa fd fd
  0x602000013b80: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 00 00
  0x602000013c00: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
  0x602000013c80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x602000013d00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x602000013d80: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31638==ABORTING
zsh: abort      ./build/test/testgamecontroller

More details on the controller:

The controller itself is nothing more than a cheap Chinese DualShock knockoff controller.

Pictured below: [image]

Product & Vendor ID:

Generic USB Joystick:

  Product ID:    0x0006
  Vendor ID:    0x0079
  Version:    1.07
  Speed:    Up to 1.5 Mb/s
  Manufacturer:    DragonRise Inc.  
  Location ID:    0x00a00000 / 10
  Current Available (mA):    500
  Current Required (mA):    500
  Extra Operating Current (mA):    0
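The ASAN report above shows an IOHIDLib report callback writing into the 8-byte device record that SDL_hid_close had already freed. As an added example (not SDL's code and not its fix), this C model shows one defensive pattern for that close-vs-pending-callback race: the callback receives a generation-checked handle rather than a raw device pointer, so a report that lands after close is rejected instead of written into freed memory. The slot table and every name here are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define MAX_DEVICES 4
/* Hypothetical device record; the 8-byte report buffer stands in for the
 * 8-byte region ASAN reported as freed and then written by memcpy. */
typedef struct {
    uint8_t  report[8];
    uint32_t generation;   /* bumped on close so stale handles stop matching */
    int      open;
} hid_dev;

/* Callbacks get a handle (slot + generation), never a raw device pointer. */
typedef struct { int slot; uint32_t generation; } hid_handle;

static hid_dev g_devs[MAX_DEVICES];

hid_handle hid_open_slot(int slot) {
    g_devs[slot].open = 1;
    memset(g_devs[slot].report, 0, sizeof g_devs[slot].report);
    return (hid_handle){ slot, g_devs[slot].generation };
}

/* Close invalidates every outstanding handle instead of leaving a pointer
 * that a still-scheduled run-loop callback could dereference. */
void hid_close_slot(hid_handle h) {
    g_devs[h.slot].open = 0;
    g_devs[h.slot].generation++;
}

/* Models the input-report callback. Returns 1 if the report was stored,
 * 0 if it was dropped because the handle no longer names an open device. */
int hid_report_callback(hid_handle h, const uint8_t *data, size_t len) {
    if (h.slot < 0 || h.slot >= MAX_DEVICES) return 0;
    hid_dev *d = &g_devs[h.slot];
    if (!d->open || d->generation != h.generation) return 0;
    if (len > sizeof d->report) len = sizeof d->report;
    memcpy(d->report, data, len);
    return 1;
}

/* Replays the sequence in the ASAN trace: open, report, close, late report.
 * Returns 1 only if the report arriving after close was dropped. */
int late_report_is_dropped(void) {
    const uint8_t rep[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed input */
    hid_handle h = hid_open_slot(0);
    int first = hid_report_callback(h, rep, sizeof rep);
    hid_close_slot(h);
    return first == 1 && hid_report_callback(h, rep, sizeof rep) == 0;
}
```

Built with -fsanitize=address as in the report, the same scenario with a raw pointer handed to the callback would trip the heap-use-after-free check; with the handle check it completes cleanly.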

mattbeghin commented 3 days ago

I have the same issue on macOS Monterey 12.6.1 / libSDL2-2.0.0.dylib installed with brew

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libSDL2-2.0.0.dylib             0x1054fdd6c hid_report_callback + 104
1   libSDL2-2.0.0.dylib             0x1054fdd5c hid_report_callback + 88
2   IOKit                           0x1954ff718 IOHIDDeviceInputReportApplier + 72
3   CoreFoundation                  0x192a93860 CFSetApplyFunction_block_invoke + 28
4   CoreFoundation                  0x192a93688 CFBasicHashApply + 148
5   CoreFoundation                  0x192a935cc CFSetApplyFunction + 328
6   IOKit                           0x1954ff608 IOHIDDeviceInputReportWithTimeStampCallback + 140
7   IOHIDLib                        0x106d8cec0 0x106d7c000 + 69312
8   CoreFoundation                  0x192afd7f4 CFMachPortPerform + 308
9   CoreFoundation                  0x192acd818 CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION + 60
10  CoreFoundation                  0x192acd6d4 CFRunLoopDoSource1 + 604
11  CoreFoundation                  0x192acbb68 CFRunLoopRun + 2372
12  CoreFoundation                  0x192acaa84 CFRunLoopRunSpecific + 600
13  libSDL2-2.0.0.dylib             0x1054fd2a8 PLATFORM_hid_enumerate + 124
14  libSDL2-2.0.0.dylib             0x1054fea1c SDL_hid_enumerate_REAL + 52
15  libSDL2-2.0.0.dylib             0x1055c612c HIDAPI_UpdateDeviceList + 748
16  libSDL2-2.0.0.dylib             0x1055c662c HIDAPI_IsDevicePresent + 248
17  libSDL2-2.0.0.dylib             0x1055ca728 JoystickDeviceWasAddedCallback + 556
18  IOKit                           0x195501b0c IOHIDManagerDeviceApplier + 564
19  CoreFoundation                  0x192a93860 CFSetApplyFunction_block_invoke + 28
20  CoreFoundation                  0x192a93688 CFBasicHashApply + 148
21  CoreFoundation                  0x192a935cc CFSetApplyFunction + 328
22  IOKit                           0x1955002f0 ApplyToDevices + 124
23  IOKit                           0x195501e8c IOHIDManagerInitialEnumCallback + 48
24  CoreFoundation                  0x192accf94 CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION + 28
25  CoreFoundation                  0x192accee0 CFRunLoopDoSource0 + 208
26  CoreFoundation                  0x192accbe0 CFRunLoopDoSources0 + 268
27  CoreFoundation                  0x192acb560 __CFRunLoopRun + 828
28  CoreFoundation                  0x192acaa84 CFRunLoopRunSpecific + 600
29  libSDL2-2.0.0.dylib             0x1055c9c48 DARWIN_JoystickInit + 444
30  libSDL2-2.0.0.dylib             0x10550517c SDL_JoystickInit + 196
31  libSDL2-2.0.0.dylib             0x1054d3dcc SDL_InitSubSystem_REAL + 400
32  joystick.cpython-313-darwin.so  0x104d5e4f0 init + 52
33  Python                          0x1050002fc cfunction_vectorcall_NOARGS + 100
34  Python                          0x104f97e48 _PyObject_CallNoArgsTstate + 72
35  base.cpython-313-darwin.so      0x1048f49c0 pg_mod_autoinit + 88
36  base.cpython-313-darwin.so      0x1048f6704 pg_init + 208
37  Python                          0x1050002fc cfunction_vectorcall_NOARGS + 100
38  Python                          0x104f976ec PyObject_Vectorcall + 92
39  Python                          0x1050e3a1c _PyEval_EvalFrameDefault + 10036
40  Python                          0x1050e104c PyEval_EvalCode + 296
41  Python                          0x10515c8f8 run_eval_code_obj + 104
42  Python                          0x10515c2e0 run_mod + 172
43  Python                          0x10515a4c8 pyrun_file + 164
44  Python                          0x10515955c _PyRun_SimpleFileObject + 256
45  Python                          0x1051590c0 _PyRun_AnyFileObject + 80
46  Python                          0x10518696c pymain_run_file_obj + 164
47  Python                          0x105186624 pymain_run_file + 72
48  Python                          0x10518578c Py_RunMain + 768
49  Python                          0x105185de8 pymain_main + 352
50  Python                          0x105185efc Py_BytesMain + 40
51  dyld                            0x10492d08c start + 520

slouken commented 3 days ago

Are you also getting this with the SDL3 preview release?