/home/anal/dolphin-emu/Source/Core/Common/Src/MemArena.cpp

Bug Summary

File:	Source/Core/Common/Src/MemArena.cpp
Location:	line 196, column 28
Description:	Dereference of null pointer (loaded from field 'out_ptr_low')

Annotated Source Code

// Licensed under GPLv2

// Refer to the license.txt file included.

#include "Common.h"

#include "MemoryUtil.h"

#include "MemArena.h"

#ifdef _WIN32

#include <windows.h>

#else

#include <sys/stat.h>

#include <fcntl.h>

#include <unistd.h>

#include <cerrno>

#include <cstring>

#ifdef ANDROID

#include <sys/ioctl.h>

#include <linux1/ashmem.h>

#endif

#include <set>

#if defined(__APPLE__)

static const char* ram_temp_file = "/tmp/gc_mem.tmp";

#elif !defined(_WIN32) // non OSX unixes

static const char* ram_temp_file = "/dev/shm/gc_mem.tmp";

#endif

#ifdef ANDROID

#define ASHMEM_DEVICE "/dev/ashmem"

int AshmemCreateFileMapping(const char *name, size_t size)

{

int fd, ret;

fd = open(ASHMEM_DEVICE, O_RDWR02);

if (fd < 0)

return fd;

// We don't really care if we can't set the name, it is optional

ret = ioctl(fd, ASHMEM_SET_NAME, name);

ret = ioctl(fd, ASHMEM_SET_SIZE, size);

if (ret < 0)

{

close(fd);

NOTICE_LOG(MEMMAP, "Ashmem returned error: 0x%08x", ret)do { { if (LogTypes::LNOTICE <= 3) GenericLog(LogTypes::LNOTICE
, LogTypes::MEMMAP, "/home/anal/dolphin-emu/Source/Core/Common/Src/MemArena.cpp"
, 47, "Ashmem returned error: 0x%08x", ret); } } while (0);

return ret;

}

return fd;

}

#endif

void MemArena::GrabLowMemSpace(size_t size)

{

#ifdef _WIN32

hMemoryMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL__null, PAGE_READWRITE, 0, (DWORD)(size), NULL__null);

#elif defined(ANDROID)

fd = AshmemCreateFileMapping("Dolphin-emu", size);

if (fd < 0)

{

NOTICE_LOG(MEMMAP, "Ashmem allocation failed")do { { if (LogTypes::LNOTICE <= 3) GenericLog(LogTypes::LNOTICE
, LogTypes::MEMMAP, "/home/anal/dolphin-emu/Source/Core/Common/Src/MemArena.cpp"
, 62, "Ashmem allocation failed"); } } while (0);

return;

}

#else

mode_t mode = S_IRUSR0400 | S_IWUSR0200 | S_IRGRP(0400 >> 3) | S_IROTH((0400 >> 3) >> 3);

fd = open(ram_temp_file, O_RDWR02 | O_CREAT0100, mode);

unlink(ram_temp_file);

if (ftruncate(fd, size) < 0)

ERROR_LOG(MEMMAP, "Failed to allocate low memory space")do { { if (LogTypes::LERROR <= 3) GenericLog(LogTypes::LERROR
, LogTypes::MEMMAP, "/home/anal/dolphin-emu/Source/Core/Common/Src/MemArena.cpp"
, 70, "Failed to allocate low memory space"); } } while (0);

return;

#endif

}

void MemArena::ReleaseSpace()

{

#ifdef _WIN32

CloseHandle(hMemoryMapping);

hMemoryMapping = 0;

#else

close(fd);

#endif

}

void *MemArena::CreateView(s64 offset, size_t size, void *base)

{

#ifdef _WIN32

return MapViewOfFileEx(hMemoryMapping, FILE_MAP_ALL_ACCESS, 0, (DWORD)((u64)offset), size, base);

#else

void *retval = mmap(

base, size,

PROT_READ0x1 | PROT_WRITE0x2,

MAP_SHARED0x01 | ((base == nullptr) ? 0 : MAP_FIXED0x10),

fd, offset);

if (retval == MAP_FAILED((void *) -1))

{

100

NOTICE_LOG(MEMMAP, "mmap on %s failed", ram_temp_file)do { { if (LogTypes::LNOTICE <= 3) GenericLog(LogTypes::LNOTICE
, LogTypes::MEMMAP, "/home/anal/dolphin-emu/Source/Core/Common/Src/MemArena.cpp"
, 100, "mmap on %s failed", ram_temp_file); } } while (0);

101

return nullptr;

102

}

103

else

104

{

105

return retval;

106

}

107

#endif

108

}

109

110

111

void MemArena::ReleaseView(void* view, size_t size)

112

{

113

#ifdef _WIN32

114

UnmapViewOfFile(view);

115

#else

116

munmap(view, size);

117

#endif

118

}

119

120

121

u8* MemArena::Find4GBBase()

122

{

123

#ifdef _M_X641

124

#ifdef _WIN32

125

// 64 bit

126

u8* base = (u8*)VirtualAlloc(0, 0xE1000000, MEM_RESERVE, PAGE_READWRITE);

127

VirtualFree(base, 0, MEM_RELEASE);

128

return base;

129

#else

130

// Very precarious - mmap cannot return an error when trying to map already used pages.

131

// This makes the Windows approach above unusable on Linux, so we will simply pray...

132

return reinterpret_cast<u8*>(0x2300000000ULL);

133

#endif

134

135

#else

136

// 32 bit

137

#ifdef _WIN32

138

// The highest thing in any 1GB section of memory space is the locked cache. We only need to fit it.

139

u8* base = (u8*)VirtualAlloc(0, 0x31000000, MEM_RESERVE, PAGE_READWRITE);

140

if (base) {

141

VirtualFree(base, 0, MEM_RELEASE);

142

}

143

return base;

144

#else

145

#ifdef ANDROID

146

// Android 4.3 changed how mmap works.

147

// if we map it private and then munmap it, we can't use the base returned.

148

// This may be due to changes in them support a full SELinux implementation.

149

const int flags = MAP_ANON0x20 | MAP_SHARED0x01;

150

#else

151

const int flags = MAP_ANON0x20 | MAP_PRIVATE0x02;

152

#endif

153

const u32 MemSize = 0x31000000;

154

void* base = mmap(0, MemSize, PROT_NONE0x0, flags, -1, 0);

155

if (base == MAP_FAILED((void *) -1)) {

156

PanicAlert("Failed to map 1 GB of memory space: %s", strerror(errno))MsgAlert(false, WARNING, "Failed to map 1 GB of memory space: %s"
, strerror((*__errno_location ())));

157

return 0;

158

}

159

munmap(base, MemSize);

160

return static_cast<u8*>(base);

161

#endif

162

#endif

163

}

164

165

166

// yeah, this could also be done in like two bitwise ops...

167

#define SKIP(a_flags, b_flags)if (!(a_flags & MV_WII_ONLY) && (b_flags & MV_WII_ONLY
)) continue; if (!(a_flags & MV_FAKE_VMEM) && (b_flags
& MV_FAKE_VMEM)) continue; \

168

if (!(a_flags & MV_WII_ONLY) && (b_flags & MV_WII_ONLY)) \

169

continue; \

170

if (!(a_flags & MV_FAKE_VMEM) && (b_flags & MV_FAKE_VMEM)) \

171

continue; \

172

173

174

static bool Memory_TryBase(u8 *base, const MemoryView *views, int num_views, u32 flags, MemArena *arena) {

175

// OK, we know where to find free space. Now grab it!

176

// We just mimic the popular BAT setup.

177

u32 position = 0;

178

u32 last_position = 0;

179

180

// Zero all the pointers to be sure.

181

for (int i = 0; i < num_views; i++)

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

←

Loop condition is false. Execution continues on line 189

→

182

{

183

if (views[i].out_ptr_low)

Taking false branch

Taking false branch

Assuming pointer value is null

→

←

Taking false branch

→

184

*views[i].out_ptr_low = 0;

185

if (views[i].out_ptr)

Taking true branch

Taking true branch

Taking false branch

186

*views[i].out_ptr = 0;

187

}

188

189

int i;

190

for (i = 0; i < num_views; i++)

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

←

Loop condition is true. Entering loop body

→

191

{

192

SKIP(flags, views[i].flags)if (!(flags & MV_WII_ONLY) && (views[i].flags &
MV_WII_ONLY)) continue; if (!(flags & MV_FAKE_VMEM) &&
(views[i].flags & MV_FAKE_VMEM)) continue;;

193

if (views[i].flags & MV_MIRROR_PREVIOUS) {

Taking true branch

Taking true branch

Taking false branch

194

position = last_position;

195

} else {

196

*(views[i].out_ptr_low) = (u8*)arena->CreateView(position, views[i].size);

←

Dereference of null pointer (loaded from field 'out_ptr_low')

197

if (!*views[i].out_ptr_low)

198

goto bail;

199

}

200

#ifdef _M_X641

201

*views[i].out_ptr = (u8*)arena->CreateView(

202

position, views[i].size, base + views[i].virtual_address);

203

#else

204

if (views[i].flags & MV_MIRROR_PREVIOUS) {

205

// No need to create multiple identical views.

206

*views[i].out_ptr = *views[i - 1].out_ptr;

207

} else {

208

*views[i].out_ptr = (u8*)arena->CreateView(

209

position, views[i].size, base + (views[i].virtual_address & 0x3FFFFFFF));

210

if (!*views[i].out_ptr)

211

goto bail;

212

}

213

#endif

214

last_position = position;

215

position += views[i].size;

216

}

217

218

return true;

219

220

bail:

221

// Argh! ERROR! Free what we grabbed so far so we can try again.

222

MemoryMap_Shutdown(views, i+1, flags, arena);

223

return false;

224

}

225

226

u8 *MemoryMap_Setup(const MemoryView *views, int num_views, u32 flags, MemArena *arena)

227

{

228

u32 total_mem = 0;

229

int base_attempts = 0;

230

231

for (int i = 0; i < num_views; i++)

Assuming 'i' is < 'num_views'

→

←

Loop condition is true. Entering loop body

→

←

Assuming 'i' is < 'num_views'

→

←

Loop condition is true. Entering loop body

→

←

Assuming 'i' is < 'num_views'

→

←

Loop condition is true. Entering loop body

→

←

Assuming 'i' is >= 'num_views'

→

←

Loop condition is false. Execution continues on line 238

→

232

{

233

SKIP(flags, views[i].flags)if (!(flags & MV_WII_ONLY) && (views[i].flags &
MV_WII_ONLY)) continue; if (!(flags & MV_FAKE_VMEM) &&
(views[i].flags & MV_FAKE_VMEM)) continue;;

234

if ((views[i].flags & MV_MIRROR_PREVIOUS) == 0)

Taking false branch

Taking false branch

Taking true branch

235

total_mem += views[i].size;

236

}

237

// Grab some pagefile backed memory out of the void ...

238

arena->GrabLowMemSpace(total_mem);

239

240

// Now, create views in high memory where there's plenty of space.

241

#ifdef _M_X641

242

u8 *base = MemArena::Find4GBBase();

243

// This really shouldn't fail - in 64-bit, there will always be enough

244

// address space.

245

if (!Memory_TryBase(base, views, num_views, flags, arena))

←

Calling 'Memory_TryBase'

→

246

{

247

PanicAlert("MemoryMap_Setup: Failed finding a memory base.")MsgAlert(false, WARNING, "MemoryMap_Setup: Failed finding a memory base."
);

248

exit(0);

249

return 0;

250

}

251

#else

252

#ifdef _WIN32

253

// Try a whole range of possible bases. Return once we got a valid one.

254

u32 max_base_addr = 0x7FFF0000 - 0x31000000;

255

u8 *base = NULL__null;

256

257

for (u32 base_addr = 0x40000; base_addr < max_base_addr; base_addr += 0x40000)

258

{

259

base_attempts++;

260

base = (u8 *)base_addr;

261

if (Memory_TryBase(base, views, num_views, flags, arena))

262

{

263

INFO_LOG(MEMMAP, "Found valid memory base at %p after %i tries.", base, base_attempts)do { { if (LogTypes::LINFO <= 3) GenericLog(LogTypes::LINFO
, LogTypes::MEMMAP, "/home/anal/dolphin-emu/Source/Core/Common/Src/MemArena.cpp"
, 263, "Found valid memory base at %p after %i tries.", base,
base_attempts); } } while (0);

264

base_attempts = 0;

265

break;

266

}

267

268

}

269

#else

270

// Linux32 is fine with the x64 method, although limited to 32-bit with no automirrors.

271

u8 *base = MemArena::Find4GBBase();

272

if (!Memory_TryBase(base, views, num_views, flags, arena))

273

{

274

PanicAlert("MemoryMap_Setup: Failed finding a memory base.")MsgAlert(false, WARNING, "MemoryMap_Setup: Failed finding a memory base."
);

275

exit(0);

276

return 0;

277

}

278

#endif

279

280

#endif

281

if (base_attempts)

282

PanicAlert("No possible memory base pointer found!")MsgAlert(false, WARNING, "No possible memory base pointer found!"
);

283

return base;

284

}

285

286

void MemoryMap_Shutdown(const MemoryView *views, int num_views, u32 flags, MemArena *arena)

287

{

288

std::set<void*> freeset;

289

for (int i = 0; i < num_views; i++)

290

{

291

const MemoryView* view = &views[i];

292

u8** outptrs[2] = {view->out_ptr_low, view->out_ptr};

293

for (int j = 0; j < 2; j++)

294

{

295

u8** outptr = outptrs[j];

296

if (outptr && *outptr && !freeset.count(*outptr))

297

{

298

arena->ReleaseView(*outptr, view->size);

299

freeset.insert(*outptr);

300

*outptr = NULL__null;

301

}

302

}

303

}

304

}