Re: [hatari-devel] memory setup segfault (was: logging segfault)



Hi Nicolas,

This is not a logging issue, but a Hatari memory setup one.

An area of over ~143 KB of Hatari process memory, including its global variables, was overwritten with the value 0x81, and the preceding memory area with the value 0x48.

Among those global variables is the FILE pointer to the Hatari log file. Both in my and Laurent's case, Hatari segfaulted when fputs() tried to use the pointer that had been changed to the invalid 0x8181818181818181 address. It's a bit of a miracle Hatari got that far...

ASAN reports memory setup to be the culprit:
------------------------------------------
==10734==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5625d1dd6e20 at pc 0x5625ce3f0b68 bp 0x7ffc142ee490 sp 0x7ffc142ee488
WRITE of size 1 at 0x5625d1dd6e20 thread T0
    #0 0x5625ce3f0b67 in map_banks2 src/cpu/memory.c:1959
    #1 0x5625ce3f0b67 in map_banks_ce src/cpu/memory.c:1988
    #2 0x5625ce3f0b67 in memory_map_Standard_RAM src/cpu/memory.c:1614
    #3 0x5625ce3f0f79 in memory_init src/cpu/memory.c:1748
    #4 0x5625ce2e9d4c in TOS_InitImage src/tos.c:1132
    #5 0x5625ce2c10f1 in Reset_ST src/reset.c:61
    #6 0x5625ce23050b in Change_CopyChangedParamsToConfiguration src/change.c:504
    #7 0x5625ce236b17 in Dialog_DoProperty src/dialog.c:70
    #8 0x5625ce2de904 in ShortCut_ActKey src/shortcut.c:297

0x5625d1dd6e20 is located 32 bytes to the left of global variable 'TTmem_mask' defined in 'src/cpu/memory.c:41:16' (0x5625d1dd6e40) of size 4
0x5625d1dd6e20 is located 0 bytes to the right of global variable 'ce_banktype' defined in 'src/cpu/memory.c:114:8' (0x5625d1dc6e20) of size 65536
------------------------------------------

I could not reproduce this by switching from TT emulation to ST one, or with EmuTOS, only with real TOS.


The smallest run-time change triggering the issue follows:

1. Start Hatari with Falcon TOS and >4MB RAM:
hatari --machine falcon --tos tos404.img -s 8

2. Switch to 1.x / 2.x TOS + 4MB or less RAM in Hatari setup dialog

3. OK changes, so that emulation gets rebooted


	- Eero
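As an added illustration of the defensive check this kind of report calls for (this is example code written for this reply, not Hatari's code, and it makes no claim about how map_banks2 is implemented): a bank-table mapper that validates the address range against the table size before writing anything, so a configuration change that moves or shrinks RAM cannot write past the end of the table, which is what the ASAN report above shows happening to ce_banktype. The 64 KiB bank granularity (65536 entries covering a 32-bit address space, matching the reported table size), the function names and the sample sizes are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a bank-type table (added example, not Hatari's code).
 * Assumption: one byte per 64 KiB bank of a 32-bit address space, so the
 * table has 65536 entries, the reported size of ce_banktype. */
#define BANK_SHIFT 16u
#define NUM_BANKS  (1u << (32u - BANK_SHIFT))   /* 65536 */

static uint8_t banktype[NUM_BANKS];

/* Convert a byte range [start, start+size) into an inclusive bank range.
 * Returns false if the range is empty or extends past the 4 GiB space,
 * i.e. past the end of the table. 64-bit arithmetic avoids 32-bit wrap. */
bool bank_range(uint32_t start, uint64_t size, uint32_t *first, uint32_t *last)
{
    uint64_t end = (uint64_t)start + size;   /* exclusive end */
    if (size == 0 || end > (1ULL << 32))
        return false;
    *first = start >> BANK_SHIFT;
    *last  = (uint32_t)((end - 1) >> BANK_SHIFT);
    return true;
}

/* Mark the banks covering [start, start+size) with `type`.
 * Returns the number of table entries written, or -1 if the range was
 * rejected; in that case nothing is written at all. */
long map_banks_checked(uint32_t start, uint64_t size, uint8_t type)
{
    uint32_t first, last;
    if (!bank_range(start, size, &first, &last))
        return -1;
    for (uint32_t b = first; ; b++) {        /* inclusive loop, safe at bank 0xFFFF */
        banktype[b] = type;
        if (b == last)
            break;
    }
    return (long)(last - first) + 1;
}

/* Reset the whole table before re-mapping for a new machine configuration,
 * so entries left over from a larger previous RAM size cannot leak through. */
void banks_reset(void)
{
    memset(banktype, 0, sizeof banktype);
}

uint8_t bank_type_at(uint32_t addr)
{
    return banktype[addr >> BANK_SHIFT];
}

int main(void)
{
    banks_reset();
    /* 8 MB of RAM at address 0, then a switch to 512 KB (constructed sizes) */
    printf("8 MB:   %ld banks\n", map_banks_checked(0, 8u << 20, 1));
    banks_reset();
    printf("512 KB: %ld banks\n", map_banks_checked(0, 512u << 10, 1));
    printf("type at 0x600000 after shrink: %u\n", bank_type_at(0x600000u));
    /* A range that would run off the end of the table is rejected, not written. */
    printf("off the end: %ld\n", map_banks_checked(0xFFFF0000u, 0x20000, 1));
    return 0;
}
```

The point of the 64-bit `end` is that `start + size` computed in 32 bits can wrap to a small value and make a range that overruns the table look valid; rejecting before the loop keeps the table (and whatever globals follow it) untouched. Building with `-fsanitize=address`, as the report above was, catches the unchecked variant at the first byte past the table.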

On 23.9.2023 19.35, Eero Tamminen wrote:
Hi Laurent,

With your config I'm able to reproduce the segfault.  My patch did not have impact on it.  Will look into it now.


     - Eero

On 23.9.2023 19.26, Eero Tamminen wrote:
Hi Laurent,

Thanks for the config!  I didn't have time to try it yet, but from reading the code, I noticed potential for stale FP usage in message repeat handling during Hatari startup.

Attached patch should fix that.  Does it get rid of the crash?


     - Eero

On 23.9.2023 19.10, Laurent Sallafranque wrote:
Hi Eero,

Yes, I can still reproduce the bug.
Here are my files, attached to this mail.

I run hatari just by doing ./hatari (no extra commands).
I wait until hatari reaches the Falcon desktop.

Then, I open the GUI and I change:
In System, I change:
    - Machine type: ST
    - Video timing: no change
    - Falcon DSP: None
    - Blitter, Patch timer-D and boot faster are left unchanged (and not checked)

In CPU, I change:
    - CPU type: 68000
    - CPU Clock: 8 MHz
    - FPU: None
    in CPU emulation parameters, I only uncheck MMU emulation, I leave the other parameters checked

In ROM, I select the TOS 1.04 fr
In memory, I just change the memory setup to 512 KB

And that's all. I don't save the changes, I just click on Reset Machine and I get the "Core dump"

If I do the same (i.e. start from falcon mode, apply all the changes, but save the conf to hatari.cfg and then click to reset), I get the core dump, but when I restart hatari (./hatari), it starts well in ST mode.

The core dump appears only when I want to switch from falcon to ST mode "on the fly".

To be noted: if I start in STf mode and try to switch to falcon mode on the fly, it runs well.


I've attached my hatari.conf file and my French 1.04 TOS (just in case).


Don't hesitate to ask for more tests or file if needed.

Regards
Laurent
On 23/09/2023 at 17:22, Eero Tamminen wrote:
Hi Laurent,

On 23.9.2023 1.08, Laurent Sallafranque wrote:
Hi again ,)

Another bug I have encountered for ages. I don't remember if I already told you about it.


It's about running hatari in falcon mode and reconfiguring it to run in ST mode.

I go to the GUI, set computer=ST, memory 520 KB, CPU=68000, no FPU, TOS=1.04, ....

I get core dump.

I'm not able to reproduce this, either when Falcon mode is set in Hatari config, or from command line.  Switching to ST mode at run time works fine for me in both cases. Address Sanitizer does not report anything either.

Can you still reproduce it with latest Hatari Git version?   If yes, could you send your Hatari config (hatari.cfg), and built config (CMakeCache.txt) files to me?


    - Eero

Here is the trace I get if this can help.

Regards

Laurent


Reading symbols from hatari...
(gdb) r
Starting program: /home/laurent/Atari/hatari/build/src/hatari
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
INFO : Hatari v2.5.0-devel (Sep 22 2023), compiled on:  Sep 22 2023, 23:34:49

[New Thread 0x7ffff5f1f640 (LWP 16925)]
[New Thread 0x7fffe2c59640 (LWP 16926)]
INFO : GEMDOS HDD emulation, C: <-> /media/Toshiba/Data_Laurent/Jeux/Atari/DiskDur.FAL.
[New Thread 0x7fffe1449640 (LWP 16927)]

Thread 1 "hatari" received signal SIGSEGV, Segmentation fault.
__GI__IO_fputs (str=str@entry=0x55555695aff0 <MsgState+16> '\201' <repeats 200 times>..., fp=fp@entry=0x8181818181818181) at ./libio/iofputs.c:36
36    ./libio/iofputs.c: Aucun fichier ou dossier de ce type.
(gdb)
(gdb) bt
#0  __GI__IO_fputs (str=str@entry=0x55555695aff0 <MsgState+16> '\201' <repeats 200 times>...,
     fp=fp@entry=0x8181818181818181) at ./libio/iofputs.c:36
#1  0x0000555556082070 in printPendingMsgRepeat (fp=fp@entry=0x8181818181818181)
     at /home/laurent/Atari/hatari/src/debug/log.c:276
#2  0x0000555556082365 in addMsgRepeat (fp=0x8181818181818181,
     line=line@entry=0x7ffffffbb4e0 "DEBUG: Loaded TOS version 1.04, starting at $fc0000, country code = 2, PAL\n") at /home/laurent/Atari/hatari/src/debug/log.c:302
#3  0x00005555560826fa in Log_Printf (nType=nType@entry=LOG_DEBUG,
     psFormat=psFormat@entry=0x5555560ae4f0 "Loaded TOS version %i.%c%c, starting at $%x, country code = %i, %s\n") at /home/laurent/Atari/hatari/src/debug/log.c:398
#4  0x000055555574acf8 in TOS_InitImage () at /home/laurent/Atari/hatari/src/tos.c:1145
#5  0x000055555573c416 in Reset_ST (bCold=bCold@entry=true) at /home/laurent/Atari/hatari/src/reset.c:61
#6  0x000055555573c59a in Reset_Cold () at /home/laurent/Atari/hatari/src/reset.c:139
#7  0x000055555570d903 in Change_CopyChangedParamsToConfiguration (current=current@entry=0x7ffffffbb7a0,
     changed=<optimized out>, bForceReset=<optimized out>) at /home/laurent/Atari/hatari/src/change.c:504
#8  0x000055555570fa96 in Dialog_DoProperty () at /home/laurent/Atari/hatari/src/dialog.c:70
#9  0x0000555555745d88 in ShortCut_ActKey () at /home/laurent/Atari/hatari/src/shortcut.c:297
#10 0x0000555555751aab in Video_InterruptHandler_VBL () at /home/laurent/Atari/hatari/src/video.c:4630
#11 0x000055555570f72b in CycInt_CallActiveHandler (Clock=<optimized out>)
     at /home/laurent/Atari/hatari/src/cycInt.c:799
#12 0x000055555578aa7f in CycInt_Process_stop (stop_cond=0)
     at /home/laurent/Atari/hatari/src/includes/cycInt.h:141
#13 m68k_run_mmu030 () at /home/laurent/Atari/hatari/src/cpu/newcpu.c:6594
#14 0x000055555578c407 in m68k_go (may_quit=may_quit@entry=1)
     at /home/laurent/Atari/hatari/src/cpu/newcpu.c:7796
#15 0x0000555555730461 in M68000_Start () at /home/laurent/Atari/hatari/src/m68000.c:307
#16 0x0000555555731df0 in main (argc=<optimized out>, argv=<optimized out>)
     at /home/laurent/Atari/hatari/src/main.c:983
(gdb)