1 files changed, 34 insertions, 0 deletions
diff --git a/results/scraper/fex/3498 b/results/scraper/fex/3498
new file mode 100644
index 000000000..4228d6e88
--- /dev/null
+++ b/results/scraper/fex/3498
@@ -0,0 +1,34 @@
+Memcpy optimization crashing Sonic Mania movie player
+https://github.com/FEX-Emu/FEX/blob/7dcacfe9909488365035fff2606db20c363d1576/FEXCore/Source/Interface/Core/JIT/Arm64/MemoryOps.cpp#L2149
+
+This inner loop is causing Sonic Mania to crash for some reason. It's seemingly not crashing in the memcpy implementation itself but somewhere else because of this.
+
+To reproduce:
+- Run Sonic Mania
+- Wait on the title screen for the attract movie to start playing
+- See it crash before the `1,2,3,K` elevator symbols appear on screen.
+
+Current testing:
+- It's memcpy specifically, but the same bug likely exists in the memset since the implementations are similar.
+- It's specifically the forward direction memcpy and not in the inline path
+   - Tested by dropping the old implementation in and bisecting the code paths
+
+The crash appears from the code doing an indirect fetch and then dereferencing a nullptr. This happens at RIP block `0x5fa25d` inside of SonicMania.exe but since the executable is obfuscated it's a bit harder to see what that code block is.
+
+```asm
+   0x005fa25d:  mov    ecx,0x20
+   0x005fa262:  sub    ecx,edi
+   0x005fa264:  shr    eax,cl
+   0x005fa266:  mov    ebx,DWORD PTR [ebx+eax*4+0x4]
+   0x005fa26a:  movzx  ecx,BYTE PTR [ebx+0x2] ; <---- This instruction specifically. ebx is zero.
+   0x005fa26e:  shl    DWORD PTR [esi],cl
+   0x005fa270:  sub    DWORD PTR [esi+0xc],ecx
+   0x005fa273:  mov    al,BYTE PTR [ebx]
+   0x005fa275:  test   al,al
+   0x005fa277:  jne    0x5fa240
+   0x005fa279:  pop    edi
+   0x005fa27a:  movzx  eax,BYTE PTR [ebx+0x1]
+   0x005fa27e:  pop    esi
+   0x005fa27f:  pop    ebx
+   0x005fa280:  ret
+   ```