
Crash receiving chat

Open UnknownShadow200 opened this issue 3 years ago • 2 comments

The string buffer gets corrupted somehow (r20 = length, r21 = buffer, r22 = i).

ClassiCube crashed.
Reason: Unhandled signal 11 (code 1) at 0x40A4E1195E3993A0
Commit SHA: 800cfe0
-- registers --
r0 =00000079CE5FF6D0 r1 =0000000000150015 r2 =0000000000000015 r3 =00000079CE5FEE3C
r4 =00000079CE5FF5DA r5 =0000000000000000 r6 =8080808080808080 r7 =FEFEFEFEFEFEFEFF
r8 =0000000000449815 r9 =000000000000224C r10=40A4E1195E397154 r11=00000000000001FF
r12=000000795C8E1728 r13=000000795C8E1724 r14=000000000000001C r15=000000795C8DFB88
r16=00000079CC05B868 r17=00000079CC007FF0 r18=0000007977030000 r19=00000079CE5FF6D0
r20=0000000000000015 r21=40A4E1195E3993A0 r22=0000000000000000 r23=00000079CC260000
r24=00000079CC260000 r25=00000079CC186038 r26=00000079CC23B4A0 r27=00000079CC23BEA0
r28=00000079CC260000 r29=00000079CE5FF660 r30=00000079CC00FE8C
sp =00000079CE5FF660 pc =00000079CBFBFF44
-- backtrace --
0x00000079CBFE47D8 - libclassicube.so
0x00000079CBFE4EB0 - libclassicube.so
0x00000079CBFE4A68 - libclassicube.so
0x00000079CBFE496C - libclassicube.so
0x00000062983A4D84 - app_process64
0x0000007A6BF98678 - [vdso](__kernel_rt_sigreturn+0)
0x00000079CBFBFF44 - libclassicube.so = 176F44 ; Drawer2D_IsEmptyText
0x00000079CC00FE8C - libclassicube.so = 1C6E8C ; TextGroupWidget_Redraw
0x00000079CC00FE34 - libclassicube.so = 1C6E34 ; TextGroupWidget_ShiftUp
0x00000079CC00218C - libclassicube.so = 1B918C ; ChatScreen_ChatReceived
0x00000079CBFCA934 - libclassicube.so = 181934 ; Event_RaiseChat
0x00000079CBFBB008 - libclassicube.so(Chat_AddOf+140) = 172008 
  (Delta = 79CBFBB008 - 172008 = 79CBE49000)
0x00000079CBFFB1BC - libclassicube.so = 1B21BC ; HandleChat
0x00000079CC00536C - libclassicube.so = 1BC36C
0x00000079CBFCE8C8 - libclassicube.so = 1858C8 ; PerformScheduledTasks
0x00000079CBFCE758 - libclassicube.so = 185758 ; Game_RenderFrame

UnknownShadow200 — Jul 22 '21 12:07

Similar crash

Crash time: 01/11/2021 06:07:55
ClassiCube crashed.
Reason: Unhandled signal 11 (code 1) at 0x40979A77C7823230
Commit SHA: f6dc9d97
-- registers --
r0 =40979A77C7823220 r1 =0000007CADDC192C r2 =0000000000000029 r3 =0000000000000000
r4 =0000007CADDC1955 r5 =40979A77C7823249 r6 =26B0662620C26626 r7 =616E72657445206F
r8 =203A65727570456C r9 =6E6F20746F6E6626 r10=6C616E7265744520 r11=26203A6572757045
r12=206E6F20746F6E66 r13=6574697320656874 r14=0000000000000046 r15=000000000000001D
r16=0000007CADEDA238 r17=0000007D9B59AF00 r18=0000007CAD558000 r19=0000007CADFBEBF0
r20=0000007CADDC1970 r21=0000000000002818 r22=0000007CAE0D8398 r23=0000007CAE0DD000
r24=0000007CAE0DD000 r25=0000007CAE002E28 r26=0000007CAE0B86F0 r27=0000007CAE0B90F0
r28=0000007CAE0DD000 r29=0000007CADDC18C0 r30=0000007CADE7642C
sp =0000007CADDC18C0 pc =0000007D9B59ADC8
-- backtrace --
0x0000007CADE624DC - libclassicube.so
0x0000007CADE62BD8 - libclassicube.so
0x0000007CADE62790 - libclassicube.so
0x0000007CADE62694 - libclassicube.so
0x00000057702E6DC4 - app_process64
0x0000007DA1946628 - [vdso](__kernel_rt_sigreturn+0)
0x0000007D9B59ADC8 - libc.so ; memcpy
0x0000007CADE7642C - libclassicube.so ; 0x1B042C, Mem_Copy
0x0000007CADE85F9C - libclassicube.so(StringsBuffer_Add+180) ; 1BFF9C, StringsBuffer_Add
0x0000007CADE387C8 - libclassicube.so(Chat_AddOf+68) ; 1727C8, Chat_AddOf
0x0000007CADE78FB8 - libclassicube.so ; 1B2FB8, HandleChat
(origin=7CADE38784  exe = 172784 --> delta = 7CADCC6000)

UnknownShadow200 — Nov 01 '21 12:11

Relevant assembly notes for the similar crash

; disassembly of StringsBuffer_Add
; Target: AArch64 (AAPCS64). On entry x0 = buffer, x1 = str; the function keeps
; callee-saved copies in x19 (_BUF) and x20 (_STR). The stp that saves
; x19-x21/x29/x30 is above this excerpt (it starts at the frame-pointer setup).
; Field offsets as used below (names taken from the Ghidra annotations; confirm
; against cc_stringsBuffer): +0x00 _textBuffer, +0x10 count, +0x14 totalLength,
; +0x18 _textCapacity, +0x1c _flagsCapacity, +0x1424 _lenMask.
void __cdecl StringsBuffer_Add(cc_stringsBuffer* buffer, cc_string* str)
        001bfef4 fd 03 00 91     mov        x29,sp           ; x29=sp (frame pointer)
        001bfef8 f5 03 00 aa     mov        x21,x0           ; x21=buf
        001bfefc a8 ce 41 b8     ldr        w8,[x21, #0x1c]! ;  w8=buf->_flagsCapacity; pre-index writeback: x21=&buf->_flagsCapacity from here on
        001bff00 f3 03 00 aa     mov        _BUF,x0          ; x19=buf
        001bff04 f4 03 01 aa     mov        _STR,x1          ; x20=str
        001bff08 68 00 00 35     cbnz       w8,LAB_001bff14  ;if (w8 != 0) goto LAB_001bff14;  lazy init only when _flagsCapacity == 0
        001bff0c e0 03 13 aa     mov        buffer,x19       ; x0=x19
        001bff10 a6 ff ff 97     bl         StringsBuffer_Init
LAB_001bff14 
        001bff14 68 12 40 b9     ldr        w8,[_BUF, #0x10] ;  w8=MEM[buf->count]
        001bff18 69 1e 40 b9     ldr        w9,[_BUF, #0x1c] ;  w9=MEM[buf->_flagsCapacity]
        001bff1c 1f 01 09 6b     cmp        w8,w9            ;  NE=w8!=w9
        001bff20 e1 00 00 54     b.ne       LAB_001bff3c     ;if (NE) goto LAB_001bff3c;  count != capacity -> no grow needed
        001bff24 60 22 00 91     add        x0,_BUF,#0x8     ;  x0=buf+0x8 (annotated as flagsCapacity, but &_flagsCapacity is what x21 carries; buf+0x8 is presumably the flags array pointer - verify)
        001bff28 82 00 80 52     mov        w2,#0x4          ;  w2=4 (presumably element size; the text resize below passes 1)
        001bff2c 03 20 80 52     mov        w3,#0x100        ;  w3=256
        001bff30 04 40 80 52     mov        w4,#0x200        ;  w4=512
        001bff34 e1 03 15 aa     mov        x1,x21           ;  x1=x21=&buf->_flagsCapacity (writeback from the ldr at 001bfefc)
        001bff38 68 06 00 94     bl         Utils_Resize     ;  CALL Utils_Resize(buf+8, &_flagsCapacity, 4, 256, 512)
LAB_001bff3c
        001bff3c 88 12 40 79     ldrh       w8,[_STR, #0x8]  ;  w8=MEM[str->length]  (halfword, zero-extended: always < 65536)
        001bff40 69 26 54 b9     ldr        w9,[_BUF,#0x1424];  w9=MEM[buf->_lenMask]
        001bff44 3f 01 08 6b     cmp        w9,w8            ;  GE=w9>=w8  (signed compare)
        001bff48 8a 00 00 54     b.ge       LAB_001bff58     ;if (GE) goto LAB_001bff58;  length <= _lenMask -> accepted
        001bff4c 00 fb ff f0     adrp       x0,0x122000 
        001bff50 00 1c 37 91     add        x0=>s_String_too_big_to_insert_into_St_001   = "String too big to insert into
        001bff54 38 72 ff 97     bl         Logger_Abort     ; DIE: oversize string is a hard abort, not a silent truncation
LAB_001bff58
        001bff58 e1 03 13 aa     mov        x1,_BUF          ;  x1=buf
        001bff5c 28 8c 41 b8     ldr        w8,[x1, #0x18]!  ;  w8=MEM[buf->_textCapacity],x1=&buf->_textCapacity (writeback)
        001bff60 89 12 40 79     ldrh       w9,[_STR, #0x8]  ;  w9=MEM[str->length]
        001bff64 35 c0 9f b8     ldursw     x21,[x1, #-0x4]  ; x21=MEM[buf->totalLength] ; (_textCapacity - 4) = totallength; sign-extended to 64 bits
        001bff68 a9 02 09 0b     add        w9,w21,w9        ;  w9=w21+w9  (totalLength + length, 32-bit)
        001bff6c 3f 01 08 6b     cmp        w9,w8            ;  LT=w9<w8  (signed: a negative totalLength would pass this check)
        001bff70 cb 00 00 54     b.lt       LAB_001bff88     ;if (LT) goto LAB_001bff88;  enough text capacity -> skip grow
        001bff74 22 00 80 52     mov        w2,#0x1          ;  w2=1
        001bff78 03 00 82 52     mov        w3,#0x1000       ;  w3=4096
        001bff7c 04 00 84 52     mov        w4,#0x2000       ;  w4=8192   
        001bff80 e0 03 13 aa     mov        x0,_BUF          ;  x0=buf  (x1 is still &buf->_textCapacity from the writeback at 001bff5c)
        001bff84 55 06 00 94     bl         Utils_Resize     ;  CALL Utils_Resize; x21 (totalLength) survives the call: callee-saved
LAB_001bff88 
        001bff88 68 02 40 f9     ldr        x8,[_BUF]        ;  x8=MEM[buf->_textBuffer]  (reloaded after the resize, so a moved buffer is honoured)
        001bff8c 81 02 40 f9     ldr        x1,[_STR]        ;  x1=MEM[str->data]
        001bff90 82 12 40 79     ldrh       w2,[_STR, #0x8]  ;  w2=MEM[str->length]
        001bff94 00 01 15 8b     add        x0,x8,x21        ;  x0=x8+x21 = _textBuffer + totalLength (the dst that is bogus in the crash dump)
        001bff98 21 c1 ff 97     bl         Mem_Copy
; register state before memcpy
x19 = buf
x20 = str
 w8 = [buf->_textCapacity]
 w9 = [str->length]
x21 = [buf->totalLength]
 x8 = [buf->_textBuffer]
 x0 = buf->_textBuffer + buf->totalLength ; dst parameter
 x1 = [str->buffer] ; src parameter
 x2 = [str->length] ; count parameter

; registers in memcpy https://android.googlesource.com/platform/bionic/+/refs/heads/master/libc/arch-arm64/generic/bionic/memcpy_base.S
 x4 = x1+x2 ;srcend
 x5 = x0+x2 ;dstend
 x6-x13 = TEMPS ; (chatline characters in reverse order)

Looks like everything is fine, except that dst has been corrupted somehow to point to bogus memory. Since dst = _textBuffer + totalLength and r21 (totalLength) is only 0x2818 in this dump, the bad value appears to be the _textBuffer pointer itself rather than the offset.

UnknownShadow200 — Nov 01 '21 12:11