1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
Memcpy optimization crashing Sonic Mania movie player
https://github.com/FEX-Emu/FEX/blob/7dcacfe9909488365035fff2606db20c363d1576/FEXCore/Source/Interface/Core/JIT/Arm64/MemoryOps.cpp#L2149
This inner loop is causing Sonic Mania to crash for some reason. It's seemingly not crashing in the memcpy implementation itself but somewhere else because of this.
To reproduce:
- Run Sonic Mania
- Wait on the title screen for the attract movie to start playing
- See it crash before the `1,2,3,K` elevator symbols appear on screen.
Current testing:
- It's memcpy specifically, but the same bug likely exists in the memset since the implementations are similar.
- It's specifically the forward direction memcpy and not in the inline path
- Tested by dropping the old implementation in and bisecting the code paths
The crash appears from the code doing an indirect fetch and then dereferencing a nullptr. This happens at RIP block `0x5fa25d` inside of SonicMania.exe but since the executable is obfuscated it's a bit harder to see what that code block is.
```asm
0x005fa25d: mov ecx,0x20
0x005fa262: sub ecx,edi
0x005fa264: shr eax,cl
0x005fa266: mov ebx,DWORD PTR [ebx+eax*4+0x4]
0x005fa26a: movzx ecx,BYTE PTR [ebx+0x2] ; <---- This instruction specifically. ebx is zero.
0x005fa26e: shl DWORD PTR [esi],cl
0x005fa270: sub DWORD PTR [esi+0xc],ecx
0x005fa273: mov al,BYTE PTR [ebx]
0x005fa275: test al,al
0x005fa277: jne 0x5fa240
0x005fa279: pop edi
0x005fa27a: movzx eax,BYTE PTR [ebx+0x1]
0x005fa27e: pop esi
0x005fa27f: pop ebx
0x005fa280: ret
```
|