tonioni / WinUAE

WinUAE Amiga emulator
http://www.winuae.net/

segfault when changing chipmemsize #48

Open rofl0r opened 10 years ago

rofl0r commented 10 years ago

Happens in latest PUAE when changing chipmem size to 2048 KB from the first call to gui_display.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7d659cc in free (p=0x7ffff5e9d020) at src/malloc/malloc.c:486
486             if (IS_MMAPPED(self)) {
(gdb) bt
#0  0x00007ffff7d659cc in free (p=0x7ffff5e9d020) at src/malloc/malloc.c:486
#1  0x00000000005659b6 in mapped_free (
    p=0x7ffff5e9d020 <Address 0x7ffff5e9d020 out of bounds>)
    at src/memory.c:1573
#2  0x0000000000565dbb in allocate_memory () at src/memory.c:1871
#3  0x0000000000566c63 in memory_reset () at src/memory.c:2176
#4  0x00000000005611a0 in reset_all_systems () at src/main.c:916
#5  0x0000000000483c2f in custom_reset (hardreset=true, keyboardreset=false)
    at src/custom.c:7798
#6  0x000000000057cb92 in m68k_go (may_quit=1) at src/newcpu.c:4218

1869            if (bogomem_bank.allocated != currprefs.bogomem_size) {
1870                    if (!(bogomem_bank.allocated == 0x200000 && currprefs.bogomem_size == 0x180000)) {
1871                            mapped_free (bogomem_bank.baseaddr);
1872                            bogomem_bank.baseaddr = NULL;
1873                            bogomem_bank.allocated = 0;

memory.cpp around line 1750 does

chipmem_bank.allocated = memsize1 + memsize2;
mapped_malloc (&chipmem_bank);
chipmem_bank.allocated = currprefs.chipmem_size;
bogomem_bank.baseaddr = chipmem_bank.baseaddr + memsize1;

So bogomem gets an offset into the memory allocated for chipmem.

However, other parts of the code malloc the memory for bogomem directly:

1881                            if (bogomem_bank.allocated) {
1882                                    bogomem_bank.baseaddr = mapped_malloc (bogomem_bank.allocated, _T("bogo"));
1883                                    if (bogomem_bank.baseaddr == 0) {

So it seems that the code freeing bogomem can't be sure whether it deals with a pointer into the middle of chipmem or a separate chunk. In the first case, calling free on the bogomem address is UB.
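
The ownership confusion described in the comment above, reduced to a stand-alone C illustration. This is an added example, not WinUAE/PUAE code: `bank_t`, `bank_alloc`, `bank_free`, `bank_points_into`, `allocate_banks`, `simulate_chipmem_change` and the `free_calls` counter are hypothetical names, and `bank_alloc` stands in for `mapped_malloc` with a plain `calloc` (no NATMEM mapping). The hardened `bank_free` records whether a bank's `baseaddr` came from its own allocation or merely aliases the tail of another bank's chunk, and only hands owned pointers to `free()`, which is the check the report says the real `mapped_free` path cannot perform.

```c
/* Added illustration of the bogomem/chipmem ownership bug; not WinUAE/PUAE code.
 * All names below are hypothetical stand-ins for the emulator's memory banks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint8_t *baseaddr;    /* start of the bank's memory */
    size_t   allocated;   /* bytes the emulator exposes at this bank */
    size_t   chunk_bytes; /* bytes actually obtained from calloc (0 if aliased) */
    int      owns_chunk;  /* 1: baseaddr came from calloc; 0: aliases another bank */
} bank_t;

static bank_t chipmem_bank, bogomem_bank;
static int free_calls;    /* instrumentation: how many times free() really ran */

/* Stand-in for mapped_malloc(): plain calloc, records ownership on the bank. */
static uint8_t *bank_alloc(bank_t *b, size_t n)
{
    b->baseaddr = calloc(n, 1);
    b->chunk_bytes = b->baseaddr ? n : 0;
    b->owns_chunk = b->baseaddr != NULL;
    return b->baseaddr;
}

/* Hardened mapped_free(): only a pointer this bank obtained from calloc is
 * passed to free(). Freeing an interior pointer of another chunk is UB. */
static void bank_free(bank_t *b)
{
    if (b->baseaddr && b->owns_chunk) {
        free(b->baseaddr);
        free_calls++;
    }
    b->baseaddr = NULL;
    b->allocated = 0;
    b->chunk_bytes = 0;
    b->owns_chunk = 0;
}

/* 1 if inner->baseaddr lies inside outer's chunk. Compared as integers because
 * relational comparison of pointers into unrelated objects is UB. */
static int bank_points_into(const bank_t *inner, const bank_t *outer)
{
    uintptr_t p = (uintptr_t)inner->baseaddr;
    uintptr_t lo = (uintptr_t)outer->baseaddr;
    if (!inner->baseaddr || !outer->baseaddr)
        return 0;
    return p >= lo && p < lo + outer->chunk_bytes;
}

/* Mirrors the two allocation paths in the report: with 'merged' set, bogomem is
 * carved out of the tail of the chipmem chunk; otherwise it gets its own chunk. */
static int allocate_banks(size_t chipsize, size_t bogosize, int merged)
{
    /* Release the possibly-aliased bank first so its pointer never outlives the chunk. */
    bank_free(&bogomem_bank);
    bank_free(&chipmem_bank);

    if (merged) {
        if (!bank_alloc(&chipmem_bank, chipsize + bogosize))
            return -1;
        chipmem_bank.allocated = chipsize;
        bogomem_bank.baseaddr = chipmem_bank.baseaddr + chipsize;
        bogomem_bank.allocated = bogosize;
        bogomem_bank.chunk_bytes = 0;
        bogomem_bank.owns_chunk = 0;  /* aliased: must never reach free() */
    } else {
        if (!bank_alloc(&chipmem_bank, chipsize))
            return -1;
        chipmem_bank.allocated = chipsize;
        if (!bank_alloc(&bogomem_bank, bogosize))
            return -1;
        bogomem_bank.allocated = bogosize;
    }
    return 0;
}

/* Simulate the GUI changing chip RAM: allocate with one size, then again with
 * another. Returns how many real free() calls the resize caused, or -1 on OOM. */
static int simulate_chipmem_change(size_t first, size_t second, int merged)
{
    free_calls = 0;
    if (allocate_banks(first, 0x80000, merged) != 0)
        return -1;
    if (allocate_banks(second, 0x80000, merged) != 0)
        return -1;
    int n = free_calls;
    bank_free(&bogomem_bank);
    bank_free(&chipmem_bank);
    return n;
}

int main(void)
{
    printf("merged:   %d free() call(s)\n", simulate_chipmem_change(0x100000, 0x200000, 1));
    printf("separate: %d free() call(s)\n", simulate_chipmem_change(0x100000, 0x200000, 0));
    return 0;
}
```

In the merged layout only the chipmem chunk is released on resize, because the bogomem bank knows it does not own its pointer; in the separate layout both banks are freed. Without the ownership flag the merged case would hand `chipmem_bank.baseaddr + chipsize` to `free()`, which is the interior-pointer free the backtrace above shows crashing inside the allocator.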

rofl0r commented 10 years ago

@frodesolheim mentioned that the issue could be related to bitrotted code in NATMEM_OFFSET ifdefs.