Ticket #505 (Fixed)
Tue Feb 23 11:08:59 UTC 2021
Titanium *ChannelVoice 8 1 overwrites RMA Heap
Reported by: | Martin Avison (27) | Severity: | Major |
Part: | RISC OS: Module | Release: | |
Milestone: | | Status: | Fixed |
Details by Martin Avison (27):
It appears that on the Titanium only, using
*ChannelVoice 8 1
or
SYS "Sound_AttachVoice",8,1
causes a block of RMA to have its length overwritten, causing a variety of machine problems, often machine lockups or tasks aborting (including Filer & Wimp).
This only seems to affect the Titanium, and channel 8, but for all voices.
The bug was first seen in a number of Maestro versions – see thread https://www.riscosopen.org/forum/forums/4/topic… for full details.
After failing to see from the SoundChannel source what the problem was (I think it disappears into DMAstuff, so I gave up) I did some (laborious) comparisons of memory blocks. My conclusion is that it is a typical out-by-one bug. The memory block just before the overwrite is 2,144 long. As channels 1-7 get allocated, the last 7 words of that block are populated, probably with an RMA address. When channel 8 gets allocated, the first word of the next block (which was a length of x20) is overwritten with the 8th address. This is the error trapped by *ReportHeap, and it causes anything else that traverses the RMA heap to fail.
I will try to attach evidence of these findings.
Changelog:
Modified by Martin Avison (27) Tue, February 23 2021 - 11:10:51 GMT
- Attachment added: ChanHeap.txt
Attached details of block being overwritten.
Modified by Jeffrey Lee (213) Wed, March 03 2021 - 14:42:16 GMT
- Status changed from Open to Fixed
Should be fixed with StringLib 1.20 & Percussion 1.19
https://gitlab.riscosopen.org/RiscOS/Sources/HW…
https://gitlab.riscosopen.org/RiscOS/Sources/HW…
Thanks for the heap dumps, Martin; that certainly saved some time on my end.
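
The out-by-one described in the report, as an added example that is not RISC OS source code: a simplified two-block heap model in C showing how a bounds check on the channel number prevents the write and how a heap walk flags the corrupted length. Only the 2,144 and x20 block lengths and the 7-slot/8-channel relationship come from the ticket; the layout with a length word at the start of each block, the function names and the sample addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_A_BYTES 2144u  /* block before the overwrite (from the ticket) */
#define BLOCK_B_BYTES 0x20u  /* length word of the next block (from the ticket) */
#define HEAP_WORDS ((BLOCK_A_BYTES + BLOCK_B_BYTES) / 4u)
#define TABLE_SLOTS 7u       /* only 7 words fit before block B's header */

static uint32_t heap[HEAP_WORDS];  /* assumed model: word 0 of a block = its length */

static void heap_init(void) {
    memset(heap, 0, sizeof heap);
    heap[0] = BLOCK_A_BYTES;
    heap[BLOCK_A_BYTES / 4u] = BLOCK_B_BYTES;
}

/* Store a per-channel address in the table at the end of block A.
   checked == 0 models the out-by-one; checked != 0 rejects channel 8. */
static int attach_channel(unsigned channel, uint32_t addr, int checked) {
    uint32_t *table = &heap[BLOCK_A_BYTES / 4u - TABLE_SLOTS];
    if (channel < 1 || channel > 8 || (checked && channel > TABLE_SLOTS))
        return -1;
    table[channel - 1] = addr;  /* channel 8 lands on block B's length word */
    return 0;
}

/* Heap walk: every length must be non-zero, word-aligned and inside the heap.
   Returns -1 if consistent, else the byte offset of the first bad block. */
static long heap_check(void) {
    uint32_t off = 0, total = HEAP_WORDS * 4u;
    while (off < total) {
        uint32_t len = heap[off / 4u];
        if (len == 0 || (len & 3u) || len > total - off)
            return (long)off;
        off += len;
    }
    return -1;
}

/* Attach channels 1..n with constructed addresses, then check the heap. */
static long run(unsigned n, int checked) {
    heap_init();
    for (unsigned ch = 1; ch <= n; ch++)
        attach_channel(ch, 0x20300000u + ch * 0x100u, checked);
    return heap_check();
}

int main(void) {
    printf("7 ch: %ld, 8 ch: %ld, 8 ch checked: %ld\n", run(7, 0), run(8, 0), run(8, 1));
    return 0;
}
```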