add downloaded fex bug-reports HEAD main

1 files changed, 34 insertions, 0 deletions

diff --git a/results/scraper/fex/3498 b/results/scraper/fex/3498
new file mode 100644
index 000000000..4228d6e88
--- /dev/null
+++ b/results/scraper/fex/3498
@@ -0,0 +1,34 @@
+Memcpy optimization crashing Sonic Mania movie player
+https://github.com/FEX-Emu/FEX/blob/7dcacfe9909488365035fff2606db20c363d1576/FEXCore/Source/Interface/Core/JIT/Arm64/MemoryOps.cpp#L2149

+

+This inner loop is causing Sonic Mania to crash for some reason. It's seemingly not crashing in the memcpy implementation itself but somewhere else because of this.

+

+To reproduce:

+- Run Sonic Mania

+- Wait on the title screen for the attract movie to start playing

+- See it crash before the `1,2,3,K` elevator symbols appear on screen.

+

+Current testing:

+- It's memcpy specifically, but the same bug likely exists in the memset since the implementations are similar.

+- It's specifically the forward direction memcpy and not in the inline path

+   - Tested by dropping the old implementation in and bisecting the code paths

+

+The crash appears from the code doing an indirect fetch and then dereferencing a nullptr. This happens at RIP block `0x5fa25d` inside of SonicMania.exe but since the executable is obfuscated it's a bit harder to see what that code block is.

+

+```asm

+   0x005fa25d:  mov    ecx,0x20

+   0x005fa262:  sub    ecx,edi

+   0x005fa264:  shr    eax,cl

+   0x005fa266:  mov    ebx,DWORD PTR [ebx+eax*4+0x4]

+   0x005fa26a:  movzx  ecx,BYTE PTR [ebx+0x2] ; <---- This instruction specifically. ebx is zero.

+   0x005fa26e:  shl    DWORD PTR [esi],cl

+   0x005fa270:  sub    DWORD PTR [esi+0xc],ecx

+   0x005fa273:  mov    al,BYTE PTR [ebx]

+   0x005fa275:  test   al,al

+   0x005fa277:  jne    0x5fa240

+   0x005fa279:  pop    edi

+   0x005fa27a:  movzx  eax,BYTE PTR [ebx+0x1]

+   0x005fa27e:  pop    esi

+   0x005fa27f:  pop    ebx

+   0x005fa280:  ret

+   ```