Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#14861 closed defect (fixed)

M4: Orion Burger demo crashes when using the hamster wheel

Reported by: antoniou79
Owned by: dreammaster
Priority: normal
Component: Engine: M4
Version:
Keywords: demo, crash, drawing, palette
Cc:
Game: Orion Burger

Description

This is on Windows 10, with a local build from current master HEAD, 2.9.0git with the interactive demo from the ScummVM website.

Steps:
After starting the playable part:

  • Climb down the chutes to the bottom level.
  • Use the hamster wheel.

ScummVM will crash with no error message, not in the default debug level at least.

In comparison, when the demo is run with DosBox, that animation plays out fully: the door is raised and then lowered.

There are a few other discrepancies I could spot with running the demo with DosBox:

  1. There is a drawing issue with the hamster wheel on ScummVM, when it's idle/unused, that DosBox does not have (screenshot attached). When the protagonist starts to use it, in ScummVM, its proper colors are restored.
  2. The main menu for the demo when run with DosBox is minimal and different from the one with ScummVM (for the demo). I suspect that ScummVM shows the menu for the main game here.

Attachments (5)

burger-demo.002 (18.9 KB ) - added by antoniou79 4 months ago.
scummvm-burger-demo-00000.png (231.1 KB ) - added by antoniou79 4 months ago.
DosBoxScreenshotWheel.png (744.3 KB ) - added by antoniou79 4 months ago.
scummvm-burger-demo-00001.png (169.2 KB ) - added by antoniou79 4 months ago.
mainMenuDemoDosBox.png (572.6 KB ) - added by antoniou79 4 months ago.


Change History (9)

by antoniou79, 4 months ago

Attachment: burger-demo.002 added

by antoniou79, 4 months ago

Attachment: DosBoxScreenshotWheel.png added

by antoniou79, 4 months ago

Attachment: mainMenuDemoDosBox.png added

comment:1 by antoniou79, 4 months ago

Adding screenshots from the main menus (ScummVM and via DosBox).
The "Exit" option in the ScummVM menu does not work.

comment:2 by dreammaster, 4 months ago

Owner: set to dreammaster
Resolution: fixed
Status: new → closed

Thanks for the report details.

As far as the main menu is concerned, I've removed the two menu items that shouldn't be present. It's not exactly the same as the DosBox menu, but I consider it sufficient. As far as the mouse wheel goes, I sorted out the bugs. I couldn't get the demo to crash for me, but I was able to fix the initial colors, and the wheel & Wilbur disappearing after he starts running.

comment:3 by antoniou79, 4 months ago

I can confirm that the colors issue is fixed, but I still get the crash when using the wheel.

Edit: I get the crash when building a release build with msys2/mingw64 from master HEAD, but not if building/debugging with Visual Studio. This is odd.

Edit 2: From testing with a couple of configure options:

  • default (debug build) does not crash
  • --disable-debug does not crash
  • --disable-debug --enable-release crashes

Must have something to do with the release build optimizations.

Last edited 4 months ago by antoniou79

comment:4 by antoniou79, 4 months ago

A few further findings on the crash issue:
It seems that just --enable-release without --disable-debug is enough to trigger the crash. Not sure if this is more helpful though.

Building on Linux Ubuntu 22.04 with --enable-release also leads to the crash. On Linux, when crashing, there is sometimes mention of a segmentation fault, and sometimes I've seen a message about a potential double free(). The messages I have gotten so far:

Crash to command line:
free(): double free detected in tcache 2
Aborted (core dumped)

Crash to command line:
Segmentation fault (core dumped)

Crash to debugger console:
ERROR: Register Index out of range - max: 33, requested 34.!

Might be related; during compilation there's this warning (coming from [-Waggressive-loop-optimizations]):

engines/m4/graphics/krn_pal.cpp: In function ‘void M4::krn_fade_to_grey(M4::RGB8*, int32, int32)’:
engines/m4/graphics/krn_pal.cpp:189:37: warning: iteration 32 invokes undefined behavior [-Waggressive-loop-optimizations]
  189 |                 _GP(translation)[i] = (uint8)bestMatch;
engines/m4/graphics/krn_pal.cpp:171:23: note: within this loop
  171 |         for (i = 0; i < 64; i++) {

Building with ASAN support, the game crashes upon launch so it's impossible to reach the point with the hamster wheel. The error output in that case is:

==27193==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000078441 at pc 0x7f78db43a397 bp 0x7ffdc115d680 sp 0x7ffdc115ce28
READ of size 32 at 0x619000078441 thread T0
    #0 0x7f78db43a396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55effe10850d in OpenGL::Surface::copyRectToTexture(unsigned int, unsigned int, unsigned int, unsigned int, void const*, unsigned int) (/home/antoniou/Workspace/scummvm-official/scummvm+0x124a50d)
    #2 0x55effda97442 in M4::transShow(void*, void*, void*, int, int) (/home/antoniou/Workspace/scummvm-official/scummvm+0xbd9442)
    #3 0x55effda9ebf3 in M4::RestoreScreens(int, int, int, int) (/home/antoniou/Workspace/scummvm-official/scummvm+0xbe0bf3)
    #4 0x55effda3077b in M4::Vars::initMouseSeries(Common::String const&, M4::RGB8*) (/home/antoniou/Workspace/scummvm-official/scummvm+0xb7277b)
    #5 0x55effda15069 in M4::Burger::Vars::main_cold_data_init() (/home/antoniou/Workspace/scummvm-official/scummvm+0xb57069)
    #6 0x55effda301dd in M4::Vars::init() (/home/antoniou/Workspace/scummvm-official/scummvm+0xb721dd)
    #7 0x55effda20aa7 in M4::M4Engine::run() (/home/antoniou/Workspace/scummvm-official/scummvm+0xb62aa7)
    #8 0x55effd9adac5 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) (/home/antoniou/Workspace/scummvm-official/scummvm+0xaefac5)
    #9 0x55effd9b4339 in scummvm_main (/home/antoniou/Workspace/scummvm-official/scummvm+0xaf6339)
    #10 0x55effd8ca438 in main (/home/antoniou/Workspace/scummvm-official/scummvm+0xa0c438)
    #11 0x7f78d9629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f78d9629e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x55effd8d1ad4 in _start (/home/antoniou/Workspace/scummvm-official/scummvm+0xa13ad4)

0x619000078441 is located 0 bytes to the right of 961-byte region [0x619000078080,0x619000078441)
allocated by thread T0 here:
    #0 0x7f78db4b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x55effda306b4 in M4::Vars::initMouseSeries(Common::String const&, M4::RGB8*) (/home/antoniou/Workspace/scummvm-official/scummvm+0xb726b4)
    #2 0x55effda15069 in M4::Burger::Vars::main_cold_data_init() (/home/antoniou/Workspace/scummvm-official/scummvm+0xb57069)
    #3 0x55effda301dd in M4::Vars::init() (/home/antoniou/Workspace/scummvm-official/scummvm+0xb721dd)
    #4 0x55effda20aa7 in M4::M4Engine::run() (/home/antoniou/Workspace/scummvm-official/scummvm+0xb62aa7)
    #5 0x55effd9adac5 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) (/home/antoniou/Workspace/scummvm-official/scummvm+0xaefac5)
    #6 0x55effd9b4339 in scummvm_main (/home/antoniou/Workspace/scummvm-official/scummvm+0xaf6339)
    #7 0x55effd8ca438 in main (/home/antoniou/Workspace/scummvm-official/scummvm+0xa0c438)
    #8 0x7f78d9629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==27193==ABORTING
Last edited 4 months ago by antoniou79
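The compiler warning quoted in this comment describes a loop whose bound (64) is larger than the table it writes into (32 entries), the same defect class that ASan later reports as a heap-buffer-overflow, and the kind of undefined behaviour that can stay hidden in a debug build yet crash or double-free in an optimised one. The sketch below is an added illustration, not ScummVM's code: it shows that loop shape next to a version whose bound is the table's capacity and which rejects oversized requests. TRANSLATION_SIZE, GREY_LEVELS, the RGB8 struct, the global table and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the palette translation table named in the
 * -Waggressive-loop-optimizations warning: 32 slots, filled by a loop that
 * runs over 64 grey levels, so iteration 32 is the first out-of-range write.
 * Both sizes are assumptions for illustration, not ScummVM's declarations. */
#define TRANSLATION_SIZE 32
#define GREY_LEVELS 64

typedef struct { uint8_t r, g, b; } RGB8;

/* Nearest grey level (0..GREY_LEVELS-1) for a colour, using a plain average. */
static uint8_t best_grey_match(const RGB8 *c) {
    unsigned luma = ((unsigned)c->r + c->g + c->b) / 3;  /* 0..255 */
    return (uint8_t)(luma * GREY_LEVELS / 256);          /* 0..63 */
}

static uint8_t g_translation[TRANSLATION_SIZE];  /* global, like a _GP() member */

/* Shape of the reported defect: the loop bound is an unrelated constant while
 * the destination has 32 slots. A debug build silently corrupts whatever
 * follows the table; an optimised build may assume i never reaches 32 and
 * emit code that crashes elsewhere. Kept for comparison only, never called. */
void fill_translation_unchecked(const RGB8 pal[GREY_LEVELS]) {
    for (int i = 0; i < GREY_LEVELS; i++)   /* 64 iterations into 32 slots */
        g_translation[i] = best_grey_match(&pal[i]);
}

/* Hardened form: the loop bound is the destination capacity, and a request
 * for more entries than fit is rejected instead of overrunning memory.
 * Returns the number of entries written, or -1 on a bad request. */
int fill_translation(uint8_t *translation, size_t translation_len,
                     const RGB8 *pal, size_t pal_len) {
    if (translation == NULL || pal == NULL || pal_len > translation_len)
        return -1;
    for (size_t i = 0; i < pal_len; i++)
        translation[i] = best_grey_match(&pal[i]);
    return (int)pal_len;
}

/* Constructed driver: a 64-entry grey ramp (assumed input, not game data) and
 * a 32-slot table; returns fill_translation's result for `requested` entries. */
int demo_fill(size_t requested) {
    RGB8 pal[GREY_LEVELS];
    uint8_t translation[TRANSLATION_SIZE];
    for (int i = 0; i < GREY_LEVELS; i++)
        pal[i].r = pal[i].g = pal[i].b = (uint8_t)(i * 4);  /* 0,4,...,252 */
    memset(translation, 0xFF, sizeof translation);
    return fill_translation(translation, sizeof translation, pal, requested);
}
```

Compiling the unchecked function at -O2 with GCC reproduces the "iteration 32 invokes undefined behavior" diagnostic; the checked version returns -1 for a 64-entry request instead of writing past the table.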