[PR #3989] [MERGED] Fix address space wrapping in Rasterizer::IsMapped causing incorrect return #3850

Closed
opened 2026-02-27 22:05:12 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/shadps4-emu/shadPS4/pull/3989
Author: @Dasaav-dsv
Created: 2/2/2026
Status: Merged
Merged: 2/2/2026
Merged by: @georgemoralis

Base: main ← Head: fix/mapped-address-wrapping


📝 Commits (1)

  • b128022 Prevent Rasterizer::IsMapped from returning true for memory ranges that wrap the address space

📊 Changes

1 file changed (+4 additions, -0 deletions)

📝 src/video_core/renderer_vulkan/vk_rasterizer.cpp (+4 -0)

📄 Description

This PR adds a simple overflow check.

Explanation:
If addr + size overflows (and wraps), boost::icl::contains won't return an expected result for an interval where the left side is greater than the right side. This can cause an address size pair like 0xffffffffffffffff, 8 to be reported as mapped, causing an OOB access down the line when the page table is indexed with the address high bits. This would normally lead to a crash anyway, but with the wrapping bug present it will instead crash the shadPS4 liverpool thread, which is annoying for debugging.

How could this happen?
When a non-canonical (https://stackoverflow.com/a/25852609) memory address is accessed, an access violation is raised. However, instead of the address itself, ExceptionInformation[1] may be set to 0xffffffffffffffff in the exception handler. I can't really find a source where this is documented (so trust me ™).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
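
The wrap described in the PR, reproduced as an added example that is not shadPS4's code. `MappedRanges`, `IsMappedUnchecked`, `IsMappedChecked` and `SampleRanges` are hypothetical names, and the interval set is a constructed stand-in that assumes a half-open interval whose left bound is not below its right bound counts as empty and is therefore contained in any set.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <map>

using VAddr = std::uint64_t;

// Constructed stand-in for an interval set: disjoint, coalesced [start, end) ranges.
struct MappedRanges {
    std::map<VAddr, VAddr> ranges; // start -> end (exclusive)

    void Add(VAddr start, VAddr end) { ranges[start] = end; }

    // Set-style containment of [lo, hi). Assumption: lo >= hi is the empty
    // interval, and the empty interval is a subset of every set.
    bool Contains(VAddr lo, VAddr hi) const {
        if (lo >= hi) return true;
        auto it = ranges.upper_bound(lo);
        if (it == ranges.begin()) return false;
        --it; // last range starting at or below lo
        return hi <= it->second;
    }
};

// Before: addr + size is computed modulo 2^64, so a wrapping range collapses
// into an "empty" interval and is reported as mapped.
bool IsMappedUnchecked(const MappedRanges& m, VAddr addr, std::uint64_t size) {
    return m.Contains(addr, addr + size);
}

// After: refuse any range whose end is not representable in the address space.
bool IsMappedChecked(const MappedRanges& m, VAddr addr, std::uint64_t size) {
    if (size == 0) return false; // nothing to look up
    if (addr > std::numeric_limits<VAddr>::max() - size) return false; // would wrap
    return m.Contains(addr, addr + size);
}

MappedRanges SampleRanges() {
    MappedRanges m;
    m.Add(0x10000, 0x20000); // constructed sample mapping
    return m;
}

int main() {
    const MappedRanges m = SampleRanges();
    const VAddr bad = 0xffffffffffffffffULL; // the address/size pair from the PR text
    std::printf("unchecked: %d\n", IsMappedUnchecked(m, bad, 8));
    std::printf("checked:   %d\n", IsMappedChecked(m, bad, 8));
    return 0;
}
```

The guard compares `addr` against `max - size` rather than testing `addr + size < addr`, so the check itself never relies on the wrapped sum.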
