
Bug 5034 - Replugging in a controller crashes on macOS in SDL 2.0.12
Summary: Replugging in a controller crashes on macOS in SDL 2.0.12
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: joystick
Version: 2.0.10
Hardware: All / Mac OS X (All)
Importance: P2 critical
Assignee: David Ludwig
QA Contact: Sam Lantinga
Duplicates: 5035, 5150

Reported: 2020-03-15 18:18 UTC by RustyM
Modified: 2020-06-12 16:44 UTC


Attachments
davidl crash run with ASAN, 1 (324.86 KB, text/plain), 2020-03-16 22:00 UTC, David Ludwig
Fix #1, based against SDL 2.0.12 (rather than SDL HG's current) (1.78 KB, patch), 2020-03-16 23:28 UTC, David Ludwig
Fix #1, new version of src/joystick/darwin/SDL_sysjoystick.c (33.42 KB, text/x-csrc), 2020-03-17 00:00 UTC, David Ludwig
Fix #2, based against SDL 2.0.13 (4.22 KB, patch), 2020-03-17 21:42 UTC, David Ludwig
Fix #2, based against SDL 2.0.12, .zip of changed files (10.20 KB, application/zip), 2020-03-17 22:03 UTC, David Ludwig

Description RustyM 2020-03-15 18:18:33 UTC
In the SDL 2.0.12 release, unplugging and then replugging in a controller on macOS will crash. Replugging in a controller seems to lead to a FreeDevice() call that will then crash:

File: joystick/darwin/SDL_sysjoystick.c
Function: static recDevice *FreeDevice(recDevice *removeDevice)
On line 130: IOHIDDeviceUnscheduleFromRunLoop(removeDevice->deviceRef, CFRunLoopGetCurrent(), SDL_JOYSTICK_RUNLOOP_MODE);
Causes: Thread 1: EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)

This can be reproduced in testgamecontroller by starting the test program with a controller plugged in, removing it, and then plugging it back in. Another way to cause it: remove a controller, then plug in a different game controller.

I've seen this happen on macOS 10.12.6 and 10.14.6. Also on the 2.0.12 release and the latest tip (changeset 13625). Issue seen with multiple controller types, including PS4 and Switch Pro controllers.
Comment 1 RustyM 2020-03-16 13:24:30 UTC
*** Bug 5035 has been marked as a duplicate of this bug. ***
Comment 2 Sam Lantinga 2020-03-16 19:13:15 UTC
David, can you fix this ASAP? It looks like it might be a regression caused by your recent changes.
Comment 3 David Ludwig 2020-03-16 21:25:08 UTC
Yup, I'll start looking at this, tonight.
Comment 4 David Ludwig 2020-03-16 21:57:54 UTC
I've been able to get testgamecontroller to crash on macOS 10.15.3; however, it does not occur reliably and, for me, usually takes a few dozen disconnect and reconnect attempts to get it to happen.  The stack trace looks different for me than what was reported.

I'll attach output from a crashed run of a Debug build, with a debugger attached and with Address Sanitizer turned on.  The ASAN output is at the end.
Comment 5 David Ludwig 2020-03-16 22:00:16 UTC
Created attachment 4260 [details]
davidl crash run with ASAN, 1

A crash run from macOS 10.15.3, as built with Xcode 11.3.1 as a Debug build with Address Sanitizer turned on.  This took several disconnect and reconnect attempts to get the bug to reproduce.
Comment 6 David Ludwig 2020-03-16 22:01:54 UTC
RustyM, or anyone else, can you confirm if this occurs reliably, 100% of the time?

To note, my attempts have been using SDL 2.0.12, as downloaded from http://libsdl.org/release/SDL2-2.0.12.zip
Comment 7 David Ludwig 2020-03-16 22:13:21 UTC
I have a better looking crash repro happening now.  More to come...
Comment 8 David Ludwig 2020-03-16 22:15:09 UTC
One addendum: my previous ASAN run ended up being from a Release build, not a Debug build (after I turned on Release in the Xcode scheme for testgamecontroller).  Apologies for any confusion here.

My current callstack does show something in FreeDevice.  I'll post a more up-to-date log in a moment.
Comment 9 David Ludwig 2020-03-16 22:16:05 UTC
New ASAN output, which is much shorter this time around (enough to not mandate use of a separate Attachment):

2020-03-16 18:12:33.985765-0400 testgamecontroller[43619:2034200] Metal GPU Frame Capture Enabled
2020-03-16 18:12:33.986605-0400 testgamecontroller[43619:2034200] Metal API Validation Enabled
2020-03-16 18:12:34.023368-0400 testgamecontroller[43619:2034697] flock failed to lock maps file: errno = 35
2020-03-16 18:12:34.024011-0400 testgamecontroller[43619:2034697] flock failed to lock maps file: errno = 35
2020-03-16 18:12:34.163693-0400 testgamecontroller[43619:2034200] INFO: XBox One Controller 0: Xbox Wireless Controller (guid 030000005e040000e002000003090000, VID 0x045e, PID 0x02e0, player index = 0)
2020-03-16 18:12:34.163807-0400 testgamecontroller[43619:2034200] INFO: There are 1 game controller(s) attached (1 joystick(s))
2020-03-16 18:12:34.163886-0400 testgamecontroller[43619:2034200] INFO: Attempting to open device 0, guid 030000005e040000e002000003090000
2020-03-16 18:12:34.205583-0400 testgamecontroller[43619:2034200] INFO: Watching controller Xbox Wireless Controller
2020-03-16 18:12:34.612008-0400 testgamecontroller[43619:2034200] INFO: Controller axis lefttrigger changed to 16938
2020-03-16 18:12:47.340364-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002d7
2020-03-16 18:12:47.340542-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.340628-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.340734-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.340865-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.340947-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341013-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341114-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341180-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341251-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341314-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341386-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341478-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341549-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.341623-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.344625-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.344702-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.344785-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.344855-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.344904-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.344953-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.345001-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.345051-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.345110-0400 testgamecontroller[43619:2034200] [default] IOConnectCallMethod(kIOHIDLibUserClientDeviceIsValid):e00002c2
2020-03-16 18:12:47.347149-0400 testgamecontroller[43619:2034200] INFO: Controller axis lefttrigger changed to 0
=================================================================
==43619==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300004b7c8 at pc 0x000100527250 bp 0x7ffeefbfdf10 sp 0x7ffeefbfdf08
READ of size 4 at 0x61300004b7c8 thread T0
2020-03-16 18:12:47.524879-0400 atos[43686:2034974] examining /Users/USER/Library/Developer/Xcode/DerivedData/SDLTest-bgblfozqddwzedafjijjfidhibiw/Build/Products/Debug/testgamecontroller [43619]
    #0 0x10052724f in DARWIN_JoystickRumble SDL_sysjoystick.c:894
    #1 0x10053fe38 in SDL_JoystickRumble_REAL SDL_joystick.c:776
    #2 0x1001cd0c4 in SDL_GameControllerRumble_REAL SDL_gamecontroller.c:1944
    #3 0x1003c97ea in SDL_GameControllerRumble SDL_dynapi_procs.h:723
    #4 0x100002878 in loop testgamecontroller.c:157
    #5 0x100002e08 in WatchGameController testgamecontroller.c:239
    #6 0x1000040ab in main testgamecontroller.c:355
    #7 0x100001703 in start (testgamecontroller:x86_64+0x100001703)

0x61300004b7c8 is located 8 bytes inside of 384-byte region [0x61300004b7c0,0x61300004b940)
freed by thread T0 here:
    #0 0x10099b94d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6194d)
    #1 0x1005dcc48 in SDL_free_REAL SDL_malloc.c:5431
    #2 0x10052ac74 in FreeDevice SDL_sysjoystick.c:154
    #3 0x10052693a in DARWIN_JoystickDetect SDL_sysjoystick.c:724
    #4 0x100543d89 in SDL_JoystickUpdate_REAL SDL_joystick.c:1299
    #5 0x1004a7594 in SDL_PumpEvents_REAL SDL_events.c:688
    #6 0x1004a7614 in SDL_WaitEventTimeout_REAL SDL_events.c:725
    #7 0x1004a75d6 in SDL_PollEvent_REAL SDL_events.c:707
    #8 0x1003c13a3 in SDL_PollEvent SDL_dynapi_procs.h:153
    #9 0x100001930 in loop testgamecontroller.c:109
    #10 0x100002e08 in WatchGameController testgamecontroller.c:239
    #11 0x1000040ab in main testgamecontroller.c:355
    #12 0x100001703 in start (testgamecontroller:x86_64+0x100001703)

previously allocated by thread T0 here:
    #0 0x10099bcd7 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x61cd7)
    #1 0x1005dcb66 in SDL_calloc_REAL SDL_malloc.c:5403
    #2 0x100528e23 in JoystickDeviceWasAddedCallback SDL_sysjoystick.c:556
    #3 0x7fff333afa8f in __IOHIDManagerDeviceApplier (IOKit:x86_64+0x3ca8f)
    #4 0x7fff305ba8c8 in __CFSetApplyFunction_block_invoke (CoreFoundation:x86_64h+0x4c8c8)
    #5 0x7fff305ba755 in CFBasicHashApply (CoreFoundation:x86_64h+0x4c755)
    #6 0x7fff305ba689 in CFSetApplyFunction (CoreFoundation:x86_64h+0x4c689)
    #7 0x7fff333ae4fa in __ApplyToDevices (IOKit:x86_64+0x3b4fa)
    #8 0x7fff333afce2 in __IOHIDManagerInitialEnumCallback (IOKit:x86_64+0x3cce2)
    #9 0x7fff305f2b20 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation:x86_64h+0x84b20)
    #10 0x7fff305f2abf in __CFRunLoopDoSource0 (CoreFoundation:x86_64h+0x84abf)
    #11 0x7fff305f28d3 in __CFRunLoopDoSources0 (CoreFoundation:x86_64h+0x848d3)
    #12 0x7fff305f173f in __CFRunLoopRun (CoreFoundation:x86_64h+0x8373f)
    #13 0x7fff305f0bd2 in CFRunLoopRunSpecific (CoreFoundation:x86_64h+0x82bd2)
    #14 0x100528d93 in ConfigHIDManager SDL_sysjoystick.c:619
    #15 0x10052874e in CreateHIDManager SDL_sysjoystick.c:679
    #16 0x100526790 in DARWIN_JoystickInit SDL_sysjoystick.c:695
    #17 0x10053b5f9 in SDL_JoystickInit SDL_joystick.c:224
    #18 0x100680625 in SDL_InitSubSystem_REAL SDL.c:234
    #19 0x100680ad2 in SDL_Init_REAL SDL.c:291
    #20 0x1003c09b6 in SDL_Init SDL_dynapi_procs.h:85
    #21 0x10000326a in main testgamecontroller.c:265
    #22 0x100001703 in start (testgamecontroller:x86_64+0x100001703)

SUMMARY: AddressSanitizer: heap-use-after-free SDL_sysjoystick.c:894 in DARWIN_JoystickRumble
Shadow bytes around the buggy address:
  0x1c26000096a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c26000096b0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c26000096c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c26000096d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c26000096e0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x1c26000096f0: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x1c2600009700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600009710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600009720: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x1c2600009730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600009740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==43619==ABORTING
AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.
(Recorded stack frame)
Comment 10 David Ludwig 2020-03-16 22:19:48 UTC
I can get this to reproduce fairly reliably.  For some reason, when I was using a CMake build (of SDL and testgamecontroller), it didn't reproduce.  Now that I am using Xcode to build, I'm able to get it to happen reliably.
Comment 11 RustyM 2020-03-16 22:22:12 UTC
Yes, it happens reliably on both my systems:

Mac Pro 2010, running macOS 10.12.6
Macbook Pro 2014, running macOS 10.14.6

I just now downloaded from that link, built in Xcode, passed argument 0 in Xcode (to load the 1 attached controller), and tested it. It crashes every time. Seen just now on a Switch Pro controller and a PS4 Controller.

Ahh, yes, I am building with Xcode 11.3.1 (and also was with 9.2 on my other machine).
Comment 12 David Ludwig 2020-03-16 23:24:08 UTC
I think I know what's happening, and am wrapping up a potential fix, now.

The Darwin/macOS joystick driver was freeing its joystick's hwdata field
without zeroing it out in any live instance of SDL_Joystick.
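The dangling-pointer pattern described in this comment, shown as an added, self-contained example that is not SDL's code: a device record is freed on unplug while an open joystick still holds a driver-private pointer to it, and the fix is to clear every live reference before the free. The names (recDevice, Joystick, hwdata, gpDeviceList, free_device, joystick_rumble) are hypothetical stand-ins modelled on the functions in the ASAN trace above, and the linked lists are a simplified construction.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the driver's device record and the
 * public joystick object. Names are modelled on SDL's recDevice / SDL_Joystick,
 * but this is not SDL's code. */
typedef struct recDevice {
    int instance_id;
    int supports_rumble;
    struct recDevice *pNext;      /* singly linked list of attached devices */
} recDevice;

typedef struct Joystick {
    int instance_id;
    recDevice *hwdata;            /* driver-private pointer into the device list */
    struct Joystick *next;
} Joystick;

static recDevice *gpDeviceList = NULL;   /* devices seen by the HID manager */
static Joystick *gOpenJoysticks = NULL;  /* joysticks the application has opened */

/* Hot-plug: a new device shows up and is put on the device list. */
recDevice *device_added(int instance_id, int supports_rumble)
{
    recDevice *dev = calloc(1, sizeof(*dev));
    if (!dev) return NULL;
    dev->instance_id = instance_id;
    dev->supports_rumble = supports_rumble;
    dev->pNext = gpDeviceList;
    gpDeviceList = dev;
    return dev;
}

/* Application opens a joystick; hwdata now aliases the device record. */
Joystick *joystick_open(int instance_id)
{
    recDevice *dev;
    for (dev = gpDeviceList; dev; dev = dev->pNext)
        if (dev->instance_id == instance_id) break;
    if (!dev) return NULL;
    Joystick *js = calloc(1, sizeof(*js));
    if (!js) return NULL;
    js->instance_id = instance_id;
    js->hwdata = dev;
    js->next = gOpenJoysticks;
    gOpenJoysticks = js;
    return js;
}

/* The step the buggy driver omitted: before the device record is freed,
 * every live joystick that still points at it has its hwdata cleared. */
static void clear_live_references(recDevice *dev)
{
    for (Joystick *js = gOpenJoysticks; js; js = js->next)
        if (js->hwdata == dev) js->hwdata = NULL;
}

/* Hot-unplug: unlink and free the device record, returning the next one. */
recDevice *free_device(recDevice *dev)
{
    recDevice **link = &gpDeviceList;
    while (*link && *link != dev) link = &(*link)->pNext;
    if (!*link) return NULL;               /* not on the list */
    *link = dev->pNext;
    recDevice *next = dev->pNext;
    clear_live_references(dev);            /* without this call, hwdata dangles */
    free(dev);
    return next;
}

/* Rumble through a possibly-detached joystick. Dereferencing a dangling
 * hwdata here is the heap-use-after-free ASAN reported in DARWIN_JoystickRumble. */
int joystick_rumble(Joystick *js)
{
    if (!js || !js->hwdata) return -1;     /* device went away: fail cleanly */
    return js->hwdata->supports_rumble ? 0 : -1;
}

void joystick_close(Joystick *js)
{
    Joystick **link = &gOpenJoysticks;
    while (*link && *link != js) link = &(*link)->next;
    if (*link) *link = js->next;
    free(js);
}

/* Replays the reported sequence: open, unplug (free), then rumble.
 * Returns 1 if the rumble after unplug fails cleanly instead of touching freed memory. */
int replay_unplug_then_rumble(void)
{
    recDevice *dev = device_added(1, 1);
    Joystick *js = joystick_open(1);
    int before = joystick_rumble(js);      /* 0: device present */
    free_device(dev);                      /* controller unplugged */
    int after = joystick_rumble(js);       /* -1: hwdata was cleared */
    int ok = (before == 0 && js->hwdata == NULL && after == -1);
    joystick_close(js);
    return ok;
}

int main(void)
{
    printf("rumble after unplug handled cleanly: %s\n",
           replay_unplug_then_rumble() ? "yes" : "no");
    return 0;
}
```

Building this with `clang -g -fsanitize=address -fno-omit-frame-pointer` and deleting the `clear_live_references(dev)` call reproduces the shape of the report above: a read inside `joystick_rumble` of a region freed by `free_device`, which is the same check the Xcode "Address Sanitizer" diagnostic turns on.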
Comment 13 David Ludwig 2020-03-16 23:28:14 UTC
Created attachment 4261 [details]
Fix #1, based against SDL 2.0.12 (rather than SDL HG's current)

Here is a patch against SDL 2.0.12 that fixes the issue, at least for me.  If not, and if anyone else tries this, please post such here!
Comment 14 David Ludwig 2020-03-16 23:33:17 UTC
I've pushed my fix to SDL HG's default branch, which is currently a bit beyond SDL 2.0.12 (and is at 2.0.13, which I think might be a still-changing development version).  https://hg.libsdl.org/SDL/rev/ca87b62e4e17
Comment 15 David Ludwig 2020-03-16 23:36:59 UTC
Rusty, do you have the ability to apply patches?  If so, any chance that you could give my attached .patch file a shot?  If not, let me know, and I can try to get you the changes in some other way.
Comment 16 RustyM 2020-03-16 23:50:41 UTC
I haven't applied patches before, so if you could get me the changes another way I can more quickly test it.
Comment 17 David Ludwig 2020-03-17 00:00:42 UTC
Created attachment 4262 [details]
Fix #1, new version of src/joystick/darwin/SDL_sysjoystick.c

Hello Rusty,

This attachment is an updated version of one of SDL's .c files.  In theory, you should be able to drop it into the proper folder, rebuild, and you'll be good to go.

From within SDL 2.0.12's root directory (which contains folders like "include", "src", "test", etc.), this file should overwrite the one at the following path: src/joystick/darwin/SDL_sysjoystick.c

If this doesn't work for you, let me know and I can try something else.
Comment 18 RustyM 2020-03-17 00:11:06 UTC
Ok, got it. Looks like it's still crashing. Tried it on both my machines.

I'm building in Xcode in debug mode. When the controller is plugged back in, it consistently crashes on line 131: IOHIDDeviceUnscheduleFromRunLoop(removeDevice->deviceRef, CFRunLoopGetCurrent(), SDL_JOYSTICK_RUNLOOP_MODE);
Comment 19 David Ludwig 2020-03-17 00:33:24 UTC
Is there any chance that you could try once more, but doing at least the following:

1. double-check and make sure you are cleaning build files.  From within Xcode, this is available under the menu bar -> Product -> Clean Build Folder

2. look at the file src/joystick/darwin/SDL_sysjoystick.c, make sure that Line 150 (which is in the function, FreeDevice) looks like the following:

/* clear out any reference to this recDevice that are being

3. try running with Address Sanitizer turned on.  This can be done by opening up the Xcode Scheme editor for testgamecontroller, going to its "Diagnostics" tab, making sure the checkbox next to "Address Sanitizer" is turned on, then closing the Scheme editor.  Once this is done, do another Clean Build Folder operation, followed by a build and a Run.  This should result in a *LOT* more debug info being printed out via the console window.
Comment 20 RustyM 2020-03-17 01:27:46 UTC
Yep, I used Clean Build Folder before testing. Just did so again now. Still crashing.

Yes, line 150 says: /* clear out any reference to this recDevice that are being

Ok, haven’t used Address Sanitizer before. Hmm, running it doesn’t show me any extra debug info.

I recorded a video showing how I’m running the tests. If I'm doing something incorrectly, like with the Address Sanitizer, hopefully this clears it up: https://www.youtube.com/watch?v=GsH4VVal43A

In the video I used an Xbox One controller. I have the 360Controller drivers installed from https://github.com/360Controller/360Controller/releases. To make sure it didn’t make a difference, I tested with a Switch Pro controller just after the video, which also crashed the same way.
Comment 21 David Ludwig 2020-03-17 06:58:27 UTC
Thanks for the info and video, Rusty!

If you get a chance, could you try reproducing this again using the more recent version of Xcode and macOS that you have (the MacBook Pro), again with Address Sanitizer turned on?  I'm not certain that it'll end up giving more info, but it might be worth a shot.
Comment 22 RustyM 2020-03-17 13:22:27 UTC
Ok, just tested on my MacBook Pro with Address Sanitizer turned on. No additional debug info is shown in the console.

MacBook Pro 2014
Xcode 11.3.1
macOS 10.14.6
Comment 23 David Ludwig 2020-03-17 21:42:29 UTC
Created attachment 4268 [details]
Fix #2, based against SDL 2.0.13

Here is a 2nd take at the fix.  It's posted as a .patch.

Randy, I'll post a new set of files to overwrite within SDL 2.0.12, for you to try out if you have another spare moment.  I set up a separate machine with macOS 10.14, and was finally able to get it to crash in the manner that you described.  I _think_ this'll fix it for you, but if not, please let me know, and thanks in advance for all of your help on this!
Comment 24 David Ludwig 2020-03-17 22:03:22 UTC
Created attachment 4269 [details]
Fix #2, based against SDL 2.0.12, .zip of changed files

Randy, here is a .zip file with the changed files, as two files needed to be changed (rather than just one).  The two files inside the .zip should be placed in SDL 2.0.12's folder, src/joystick/darwin/, overwriting the two files that are already there.
Comment 25 RustyM 2020-03-17 23:04:05 UTC
Hi David,

Just tested on macOS 10.12.6 and 10.14.6 using the release source of SDL 2.0.12 and then adding your 2 changed files. I can confirm it works without crashing. Tested with Xbox One, PS4, and Switch Pro controllers. I also built the framework and tested in one of my own games: working without crashing here too. Well done!
Comment 26 David Ludwig 2020-03-17 23:49:31 UTC
Great!

I pushed the fix out to SDL HG, too.  https://hg.libsdl.org/SDL/rev/784ce9766fb9
Comment 27 David Ludwig 2020-03-18 00:17:50 UTC
Marking as Resolved Fixed, via https://hg.libsdl.org/SDL/rev/784ce9766fb9
Comment 28 Sam Lantinga 2020-06-12 16:44:42 UTC
*** Bug 5150 has been marked as a duplicate of this bug. ***