starred/shadPS4
1
0
Fork 0
mirror of https://github.com/shadps4-emu/shadPS4.git synced 2026-04-26 08:15:59 +03:00
Code Issues 120 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #321] Crash in Shader::Gcn::CFG::EmitBlocks(), out of bounds list access #49

New issue
Closed
opened 2026-02-27 21:04:19 +03:00 by kerem · 6 comments
kerem commented 2026-02-27 21:04:19 +03:00
Owner
Copy link

Originally created by @xezrunner on GitHub (Jul 24, 2024).
Original GitHub issue: https://github.com/shadps4-emu/shadPS4/issues/321

github.com/shadps4-emu/shadPS4@1d6a42c39a/src/shader_recompiler/frontend/control_flow_graph.cpp (L105-L108)

On line 107, the end_index for accessing inst_list goes beyond (/is equal) to the size of inst_list during the startup procedure of Amplitude as it's attempting to start a scene in the engine (Forge Engine game, could be the same case for Rock Band 4, Fuser and other Harmonix titles on the PS4).

It appears to be processing label 61 out of 63 total. The code mentions the last label being special, but I'm not sure how or why that would be the case.

image

I wasn't able to work around this or figure out how to troubleshoot this further.

Originally created by @xezrunner on GitHub (Jul 24, 2024). Original GitHub issue: https://github.com/shadps4-emu/shadPS4/issues/321 https://github.com/shadps4-emu/shadPS4/blob/1d6a42c39a9c96bdebc5984482199ed1c9167477/src/shader_recompiler/frontend/control_flow_graph.cpp#L105-L108 On **line 107**, the `end_index` for accessing `inst_list` goes beyond (/is equal) to the size of `inst_list` during the startup procedure of Amplitude as it's attempting to start a scene in the engine (Forge Engine game, could be the same case for Rock Band 4, Fuser and other Harmonix titles on the PS4). It appears to be processing label 61 out of 63 total. The code mentions the last label being special, but I'm not sure how or why that would be the case. ![image](https://github.com/user-attachments/assets/f2adf4d5-0466-43d4-9492-19fb1cf33a97) I wasn't able to work around this or figure out how to troubleshoot this further.
kerem closed this issue 2026-02-27 21:04:19 +03:00
kerem commented 2026-02-27 21:04:20 +03:00
Author
Owner
Copy link

@Sailanarmo commented on GitHub (Aug 15, 2024):

This entire for block has a bug in it. The reason is because you call for std::next. Once you’ve reached the end of your container std::next isn’t going to be able to grab anything other than junk.

If the last spot in the container is special, either copy all the elements - 1 and iterate over that or keep a count that if the index is the size - 1 to return. I’m currently on mobile or I would suggest a better fix. If I have time tonight I’ll hop on and make a suggestion.

<!-- gh-comment-id:2292418620 --> @Sailanarmo commented on GitHub (Aug 15, 2024): This entire for block has a bug in it. The reason is because you call for `std::next`. Once you’ve reached the end of your container `std::next` isn’t going to be able to grab anything other than junk. If the last spot in the container is special, either copy all the elements - 1 and iterate over that or keep a count that if the index is the size - 1 to return. I’m currently on mobile or I would suggest a better fix. If I have time tonight I’ll hop on and make a suggestion.
kerem commented 2026-02-27 21:04:20 +03:00
Author
Owner
Copy link

@xezrunner commented on GitHub (Aug 17, 2024):

Currently, Amplitude no longer crashes at this point, but it could also be something else having been broken earlier in the boot process.

This entire for block has a bug in it. The reason is because you call for std::next. Once you’ve reached the end of your container std::next isn’t going to be able to grab anything other than junk.

I'll leave this issue open then, in case this is something that requires attention regardless of game boot status.

<!-- gh-comment-id:2294943119 --> @xezrunner commented on GitHub (Aug 17, 2024): Currently, Amplitude no longer crashes at this point, but it could also be something else having been broken earlier in the boot process. > This entire for block has a bug in it. The reason is because you call for std::next. Once you’ve reached the end of your container std::next isn’t going to be able to grab anything other than junk. I'll leave this issue open then, in case this is something that requires attention regardless of game boot status.
kerem commented 2026-02-27 21:04:20 +03:00
Author
Owner
Copy link

@xezrunner commented on GitHub (Aug 20, 2024):

The root issue causing this should be fixed with https://github.com/shadps4-emu/shadPS4/pull/497, definitely for Amplitude (2016) CUSA02480.

Leaving this open in case the above comment related to the for loop having a bug in it still applies.

<!-- gh-comment-id:2299924770 --> @xezrunner commented on GitHub (Aug 20, 2024): The root issue causing this should be fixed with https://github.com/shadps4-emu/shadPS4/pull/497, definitely for Amplitude (2016) `CUSA02480`. Leaving this open in case the above comment related to the for loop having a bug in it still applies.
kerem commented 2026-02-27 21:04:20 +03:00
Author
Owner
Copy link

@Hermiten commented on GitHub (Oct 4, 2024):

Can I have an update on this one ? Is it still revelant ?

<!-- gh-comment-id:2393131878 --> @Hermiten commented on GitHub (Oct 4, 2024): Can I have an update on this one ? Is it still revelant ?
kerem commented 2026-02-27 21:04:20 +03:00
Author
Owner
Copy link

@xezrunner commented on GitHub (Oct 4, 2024):

Can I have an update on this one ? Is it still revelant ?

I believe this isn't relevant anymore. The root issue was fixed elsewhere, this part of the function now behaves fine.

The for loop issue mentioned above is probably an intentional choice, as I have noticed during debugging that many iterators use a special "end" element that denotes the end of iteration.
I could be wrong though. @Sailanarmo do you have any additional input on it?

<!-- gh-comment-id:2393456530 --> @xezrunner commented on GitHub (Oct 4, 2024): > Can I have an update on this one ? Is it still revelant ? I believe this isn't relevant anymore. The root issue was fixed elsewhere, this part of the function now behaves fine. The `for` loop issue mentioned above is probably an intentional choice, as I have noticed during debugging that many iterators use a special "end" element that denotes the end of iteration. I could be wrong though. @Sailanarmo do you have any additional input on it?
kerem commented 2026-02-27 21:04:20 +03:00
Author
Owner
Copy link

@Sailanarmo commented on GitHub (Oct 4, 2024):

@xezrunner I would go ahead and close this.

<!-- gh-comment-id:2394352923 --> @Sailanarmo commented on GitHub (Oct 4, 2024): @xezrunner I would go ahead and close this.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
trophies_and_saves
user_and_settings
0.15.1branch_part6
Pre-release-shadPS4-2026-04-25-a762f70df3fc23185540f88724b261b065e5d979
v.0.15.0
Pre-release-shadPS4-2026-02-26-19d2027105679d751328357d7c85cd83a84c9758
v.0.14.0
v.0.13.0
v.0.12.5
v.0.12.0
v.0.11.0
v.0.10.0
v.0.9.0
v.0.8.0
v.0.7.0
v.0.6.0
v.0.5.0
v.0.4.0
v.0.3.0
v.0.2.0
0.1.0
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
Bloodborne

   
bug

   
contributor wanted

   
documentation

   
enhancement

   
frontend

   
good first issue

   
help wanted

   
linux

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
release

   
verification progress
No labels
Bloodborne
bug
contributor wanted
documentation
enhancement
frontend
good first issue
help wanted
linux
pull-request
question
release
verification progress
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/shadPS4#49
No description provided.