Ticket #13908: asan-indy3-vga-ring-bell.txt

File asan-indy3-vga-ring-bell.txt, 9.0 KB (added by dwatteau, 18 months ago)

Different ASAN issue in Indy3 DOS VGA, after hitting the boxing bell with the mallet

==4807==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600048bc12 at pc 0x0001023a918a bp 0x700007ba3110 sp 0x700007ba3108
READ of size 1 at 0x60600048bc12 thread T6
    #0 0x1023a9189 in Scumm::Player_AD::updateSlot(Scumm::Player_AD::Channel*) player_ad.cpp:946
    #1 0x1023a85fb in Scumm::Player_AD::updateChannel(Scumm::Player_AD::Channel*) player_ad.cpp:888
    #2 0x1023a4ff6 in Scumm::Player_AD::updateSfx() player_ad.cpp:868
    #3 0x10239f87e in Scumm::Player_AD::onTimer() player_ad.cpp:252
    #4 0x1022add70 in Common::Functor0Mem<void, Scumm::ScummEngine_v70he>::operator()() const func.h:397
    #5 0x102ded411 in OPL::EmulatedOPL::readBuffer(short*, int) fmopl.cpp:358
    #6 0x102e1ff93 in Audio::CopyRateConverter<false, false>::flow(Audio::AudioStream&, short*, unsigned int, unsigned short, unsigned short) rate.cpp:314
    #7 0x102e0f6f3 in Audio::Channel::mix(short*, unsigned int) mixer.cpp:648
    #8 0x102e0ef7f in Audio::MixerImpl::mixCallback(unsigned char*, unsigned int) mixer.cpp:301
    #9 0x102ab32ae in SdlMixerManager::callbackHandler(unsigned char*, int) sdl-mixer.cpp:184
    #10 0x102ab31ae in SdlMixerManager::sdlCallback(void*, unsigned char*, int) sdl-mixer.cpp:191
    #11 0x104109c43 in outputCallback+0x1ac (libSDL2-2.0.0.dylib:x86_64+0xe2c43)
    #12 0x7ff820b66fe7 in ClientAudioQueue::CallOutputCallback(AudioQueueBuffer*)+0x11d (AudioToolbox:x86_64+0x45fe7)
    #13 0x7ff820b4fa03 in ClientAudioQueue::FetchAndDeliverPendingCallbacks(unsigned int)+0x33b (AudioToolbox:x86_64+0x2ea03)
    #14 0x7ff820b4f64d in _XCallbackNotificationsAvailable+0xa3 (AudioToolbox:x86_64+0x2e64d)
    #15 0x7ff81fab3a8d in mshMIGPerform+0xeb (libAudioToolboxUtility.dylib:x86_64+0xea8d)
    #16 0x7ff8131ef923 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__+0x28 (CoreFoundation:x86_64h+0x80923)
    #17 0x7ff8131ef803 in __CFRunLoopDoSource1+0x26a (CoreFoundation:x86_64h+0x80803)
    #18 0x7ff8131ede6a in __CFRunLoopRun+0x96e (CoreFoundation:x86_64h+0x7ee6a)
    #19 0x7ff8131ece3b in CFRunLoopRunSpecific+0x231 (CoreFoundation:x86_64h+0x7de3b)
    #20 0x10410973c in audioqueue_thread+0x43e (libSDL2-2.0.0.dylib:x86_64+0xe273c)
    #21 0x10408d986 in SDL_RunThread+0x2b (libSDL2-2.0.0.dylib:x86_64+0x66986)
    #22 0x1040fc7f2 in RunThread+0x8 (libSDL2-2.0.0.dylib:x86_64+0xd57f2)
    #23 0x7ff8131284e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
    #24 0x7ff813123f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)

0x60600048bc12 is located 18 bytes inside of 58-byte region [0x60600048bc00,0x60600048bc3a)
freed by thread T0 here:
    #0 0x1048bb72d in wrap__ZdaPv+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c72d)
    #1 0x10246a7a6 in Scumm::ResourceManager::Resource::nuke() resource.cpp:888
    #2 0x1024655af in Scumm::ResourceManager::nukeResource(Scumm::ResType, unsigned short) resource.cpp:934
    #3 0x10246a2f6 in Scumm::ResourceManager::expireResources(unsigned int) resource.cpp:1107
    #4 0x102467e54 in Scumm::ResourceManager::createResource(Scumm::ResType, unsigned short, unsigned int) resource.cpp:858
    #5 0x10246d253 in Scumm::ScummEngine::loadPtrToResource(Scumm::ResType, unsigned short, unsigned char const*) resource.cpp:1154
    #6 0x1025146ee in Scumm::ScummEngine_v5::o5_verbOps() script_v5.cpp:2919
    #7 0x1022add70 in Common::Functor0Mem<void, Scumm::ScummEngine_v70he>::operator()() const func.h:397
    #8 0x102554ac1 in Scumm::ScummEngine::executeOpcode(unsigned char) script.cpp:492
    #9 0x1025545df in Scumm::ScummEngine::executeScript() script.cpp:485
    #10 0x10254fe2e in Scumm::ScummEngine::runScriptNested(int) script.cpp:337
    #11 0x10254ecf3 in Scumm::ScummEngine::runScript(int, bool, bool, int*, int) script.cpp:89
    #12 0x1024f7d49 in Scumm::ScummEngine_v5::o5_startScript() script_v5.cpp:2790
    #13 0x1022add70 in Common::Functor0Mem<void, Scumm::ScummEngine_v70he>::operator()() const func.h:397
    #14 0x102554ac1 in Scumm::ScummEngine::executeOpcode(unsigned char) script.cpp:492
    #15 0x1025545df in Scumm::ScummEngine::executeScript() script.cpp:485
    #16 0x10254fe2e in Scumm::ScummEngine::runScriptNested(int) script.cpp:337
    #17 0x10254ecf3 in Scumm::ScummEngine::runScript(int, bool, bool, int*, int) script.cpp:89
    #18 0x1025679f1 in Scumm::ScummEngine::endCutscene() script.cpp:1623
    #19 0x102519a7c in Scumm::ScummEngine_v5::o5_endCutscene() script_v5.cpp:946
    #20 0x1022add70 in Common::Functor0Mem<void, Scumm::ScummEngine_v70he>::operator()() const func.h:397
    #21 0x102554ac1 in Scumm::ScummEngine::executeOpcode(unsigned char) script.cpp:492
    #22 0x1025545df in Scumm::ScummEngine::executeScript() script.cpp:485
    #23 0x10255be78 in Scumm::ScummEngine::runAllScripts() script.cpp:956
    #24 0x10259ec06 in Scumm::ScummEngine::scummLoop(int) scumm.cpp:2526
    #25 0x10259c162 in Scumm::ScummEngine::go() scumm.cpp:2289
    #26 0x1025abb2d in Scumm::ScummEngine::run() scumm.h:510
    #27 0x1020cce76 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #28 0x1020c7da8 in scummvm_main main.cpp:619
    #29 0x1020bce7d in main macosx-main.cpp:44

previously allocated by thread T0 here:
    #0 0x1048bb31d in wrap__Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c31d)
    #1 0x102467e67 in Scumm::ResourceManager::createResource(Scumm::ResType, unsigned short, unsigned int) resource.cpp:860
    #2 0x1025cc748 in Scumm::ScummEngine::readSoundResourceSmallHeader(unsigned short) sound.cpp:2479
    #3 0x102467039 in Scumm::ScummEngine::loadResource(Scumm::ResType, unsigned short) resource.cpp:691
    #4 0x102465caa in Scumm::ScummEngine::ensureResourceLoaded(Scumm::ResType, unsigned short) resource.cpp:637
    #5 0x1025b25d8 in Scumm::Sound::addSoundToQueue(int, int, int, int, int, int, int) sound.cpp:212
    #6 0x1024fef3d in Scumm::ScummEngine_v5::o5_startSound() script_v5.cpp:2656
    #7 0x1022add70 in Common::Functor0Mem<void, Scumm::ScummEngine_v70he>::operator()() const func.h:397
    #8 0x102554ac1 in Scumm::ScummEngine::executeOpcode(unsigned char) script.cpp:492
    #9 0x1025545df in Scumm::ScummEngine::executeScript() script.cpp:485
    #10 0x10255be78 in Scumm::ScummEngine::runAllScripts() script.cpp:956
    #11 0x10259ec06 in Scumm::ScummEngine::scummLoop(int) scumm.cpp:2526
    #12 0x10259c162 in Scumm::ScummEngine::go() scumm.cpp:2289
    #13 0x1025abb2d in Scumm::ScummEngine::run() scumm.h:510
    #14 0x1020cce76 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #15 0x1020c7da8 in scummvm_main main.cpp:619
    #16 0x1020bce7d in main macosx-main.cpp:44
    #17 0x1094ee52d in start+0x1cd (dyld:x86_64+0x552d)

Thread T6 created by T0 here:
    #0 0x1048a399c in wrap_pthread_create+0x5c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4499c)
    #1 0x1040fc7b7 in SDL_SYS_CreateThread+0x90 (libSDL2-2.0.0.dylib:x86_64+0xd57b7)
    #2 0x10408da56 in SDL_CreateThreadWithStackSize_REAL+0x6f (libSDL2-2.0.0.dylib:x86_64+0x66a56)
    #3 0x104108ee7 in COREAUDIO_OpenDevice+0x1d9 (libSDL2-2.0.0.dylib:x86_64+0xe1ee7)
    #4 0x104033888 in open_audio_device+0x62f (libSDL2-2.0.0.dylib:x86_64+0xc888)
    #5 0x104033204 in SDL_OpenAudio_REAL+0x6c (libSDL2-2.0.0.dylib:x86_64+0xc204)
    #6 0x102ab1b99 in SdlMixerManager::init() sdl-mixer.cpp:72
    #7 0x1020a3742 in OSystem_SDL::initBackend() sdl.cpp:284
    #8 0x1020b9307 in OSystem_POSIX::initBackend() posix.cpp:92
    #9 0x1020bdb71 in OSystem_MacOSX::initBackend() macosx.cpp:121
    #10 0x1020c75dc in scummvm_main main.cpp:501
    #11 0x1020bce7d in main macosx-main.cpp:44
    #12 0x1094ee52d in start+0x1cd (dyld:x86_64+0x552d)

SUMMARY: AddressSanitizer: heap-use-after-free player_ad.cpp:946 in Scumm::Player_AD::updateSlot(Scumm::Player_AD::Channel*)
Shadow bytes around the buggy address:
  0x1c0c00091730: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c00091740: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c0c00091750: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c00091760: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c00091770: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x1c0c00091780: fd fd[fd]fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c00091790: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c000917a0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c0c000917b0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c000917c0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c000917d0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4807==ABORTING
Abort trap: 6