From 67ff767f95d7953256157a64388caeda38a29a0f Mon Sep 17 00:00:00 2001
From: nattthebear <goyuken@gmail.com>
Date: Sat, 10 Jun 2017 19:51:59 -0400
Subject: [PATCH] libsnes:  recreate the emu cothread at the end of init, to
 avoid pointer poison that was breaking xor state consistency.  Big todo:  all
 init functionality really needs to happen from the main thread, as there are
 many syscalls that reenter managed in that code, and reentering managed from
 a cothread stack is a Bad Thing

---
 .../Consoles/Nintendo/SNES/LibsnesApi.cs      |  11 ++++++---
 output64/dll/libco.so                         | Bin 6670 -> 6670 bytes
 waterbox/libco/amd64.c                        |  23 ++++++++++++++++--
 waterbox/libco/libco.so                       | Bin 6670 -> 6670 bytes
 .../bsnes/target-libsnes/libsnes_pwrap.cpp    |   8 +++++-
 5 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/BizHawk.Emulation.Cores/Consoles/Nintendo/SNES/LibsnesApi.cs b/BizHawk.Emulation.Cores/Consoles/Nintendo/SNES/LibsnesApi.cs
index 741b8044d0..62ae3c73a7 100644
--- a/BizHawk.Emulation.Cores/Consoles/Nintendo/SNES/LibsnesApi.cs
+++ b/BizHawk.Emulation.Cores/Consoles/Nintendo/SNES/LibsnesApi.cs
@@ -349,9 +349,14 @@ namespace BizHawk.Emulation.Cores.Nintendo.SNES
 
 		public void Seal()
 		{
-			_core.SetBuffer(0, null, 0);
-			_core.SetBuffer(1, null, 0);
-			_core.SetBuffer(2, null, 0);
+			/* Cothreads can very easily acquire "pointer poison"; because their stack and even registers
+			 * are part of state, any poisoned pointer that's used even temporarily might be persisted longer
+			 * than needed.  Most of the libsnes core cothreads handle internal matters only and aren't very
+			 * vulnerable to pointer poison, but the main boss cothread is used heavily during init, when
+			 * many syscalls happen and many kinds of poison can end up on the stack.  so here, we call
+			 * _core.DllInit() again, which recreates that cothread, zeroing out all of the memory first,
+			 * as well as zeroing out the comm struct. */
+			_core.DllInit();
 			_exe.Seal();
 			_sealed = true;
 		}
diff --git a/output64/dll/libco.so b/output64/dll/libco.so
index 1a4cad5b7146d2bf62184c92fc5c37c3f0369789..6313c2ff1d9c1d8c92e44b6c94050bc63b7bc420 100644
GIT binary patch
delta 674
zcmZ{gL1@!Z7{|YtHnVkWmX@W4T5Sgt0!mHi6zZvwp>M3R>JG9Eq#z9*oK{!Z4uVQ1
zEY{StISGOV4_<{_#!kW3yX+!k2m>#U?$Cn=g+ct1#-k5De&73l|M$J`z2;1F#@q^z
zhSVpm*QL-$fwcAu#IXdj$d)?*Qfu;bG*_=~)B&Jkwa9xc=9vW|SudD%;@E$f6iF9M
zfRYhA&HzwD==+ErA(ZX&*2VC>XE%+vzyN4J2Gp46U18@9I$t_e|6IRDb&+ZgUr$jZ
zcH4DbO1e~E8&G}zH`V$))t7my^`w=%-SNyOPT}3b79JsVcKR_u|3lvCe^*sC_piQ4
zwWDmQp$zi7)L0tKX+;Oy?72e8ySBkz_Mq=!*X#;)4^)#jgu|L&N_g${*uJ-O56oay
ztT_86b)^Yln(n#l0dqdbGexim>{rr`$kAeA>Y+Db*)BxBg)ZcSZG|7o#emNPLVT#p
zNPBXmN7~%|Ti#ED!ttAo!iidFmMby~Cpi(7uEIrnbE8;JW8j~|1IKl9NYAe^vz%Pz
zcr<l+ls;iR#kz={Z;&=Go&AL}Uqd+#ki$r0E+Z+%R1IxAq@6f(f@OeAgKTFLKZ!Lq
zA&q!`Ic{H_*d^?C2VZB!lc$so%)GVL@d0MQcL9egz<+(#Qt}eF9$u}ku2ua<L&tuV
Ryh9>5<`|wX+fk8a{sIB>vYG$@

delta 574
zcmZXRL1+^}6o%hyvgsymwwsW|wXG(F79x~3!Coo|S*bWeKqd4fv=uQlm$bz|dut^X
zTx#NO=3-CXgGX<3DV_?6ck!S|FALsG59zIfFn!bP%?FQf-h2Q2Gt9IX+l$V-@CX37
z@5`YdXW*VK5s#%wMWr4<&Yhl&&Np7|Hc*jcE;%MAtf)L8GwhABLp=UhnIKa|2cX=F
z|H}f<R=R(U_&LHlG1)@+<=*|)5hwu7-ves@5^4Scg>O$AH&MMNgrKBL?bkS~T+(LW
zptebyz5MglZgo7nEIrl7n+RKduno}X^iZuy2jK_v!}J{-U^|Joq;`B#R>F6J$gyYY
z*NJ)?z;VRvkk$F|>;b9)stzwiz7h5`RO)DjC?sd<vTg7s?PqB2A~7u2jUh_`_XGL?
z2S`30>yeJW@o-%lSh{hbSi0E^E$b!4is>eHx|Xi>9*s(WOnf#dp9&E}%1B{;!lc+U
z`HM(}bd3CMAEm|?faD*{DO?YbS^~dh3lIH5I>}pM+()qRiCY+DW2t;Z>IVkDm-<fB
tj~=?RMCL|u16MM3y=%aJz+naO-<;JlclqbcihQA*hMr?6HF(ril`DiflPCZH

diff --git a/waterbox/libco/amd64.c b/waterbox/libco/amd64.c
index 5f5a6cf8ff..a673917680 100644
--- a/waterbox/libco/amd64.c
+++ b/waterbox/libco/amd64.c
@@ -18,6 +18,25 @@ extern "C" {
 static long long co_active_buffer[64];
 static cothread_t co_active_handle = 0;
 
+static void* smalloc(size_t size)
+{
+  char* ret = malloc(size + 16);
+  if (ret)
+  {
+    *(size_t*)ret = size;
+    return ret + 16;
+  }
+  return NULL;
+}
+
+static void sfree(void* ptr)
+{
+  char* original = (char*)ptr - 16;
+  size_t size = *(size_t*)original + 16;
+  memset(original, 0, size);
+  free(original);
+}
+
 extern void co_swap(cothread_t, cothread_t);
 
 static void crash() {
@@ -39,7 +58,7 @@ cothread_t co_create(unsigned int size, void (*entrypoint)(void)) {
   size += 512;  /* allocate additional space for storage */
   size &= ~15;  /* align stack to 16-byte boundary */
 
-  if(handle = (cothread_t)malloc(size)) {
+  if(handle = (cothread_t)smalloc(size)) {
     long long *p = (long long*)((char*)handle + size);  /* seek to top of stack */
     *--p = (long long)crash;                            /* crash if entrypoint returns */
     *--p = (long long)entrypoint;                       /* start of function */
@@ -50,7 +69,7 @@ cothread_t co_create(unsigned int size, void (*entrypoint)(void)) {
 }
 
 void co_delete(cothread_t handle) {
-  free(handle);
+  sfree(handle);
 }
 
 void co_switch(cothread_t handle) {
diff --git a/waterbox/libco/libco.so b/waterbox/libco/libco.so
index 1a4cad5b7146d2bf62184c92fc5c37c3f0369789..6313c2ff1d9c1d8c92e44b6c94050bc63b7bc420 100644
GIT binary patch
delta 674
zcmZ{gL1@!Z7{|YtHnVkWmX@W4T5Sgt0!mHi6zZvwp>M3R>JG9Eq#z9*oK{!Z4uVQ1
zEY{StISGOV4_<{_#!kW3yX+!k2m>#U?$Cn=g+ct1#-k5De&73l|M$J`z2;1F#@q^z
zhSVpm*QL-$fwcAu#IXdj$d)?*Qfu;bG*_=~)B&Jkwa9xc=9vW|SudD%;@E$f6iF9M
zfRYhA&HzwD==+ErA(ZX&*2VC>XE%+vzyN4J2Gp46U18@9I$t_e|6IRDb&+ZgUr$jZ
zcH4DbO1e~E8&G}zH`V$))t7my^`w=%-SNyOPT}3b79JsVcKR_u|3lvCe^*sC_piQ4
zwWDmQp$zi7)L0tKX+;Oy?72e8ySBkz_Mq=!*X#;)4^)#jgu|L&N_g${*uJ-O56oay
ztT_86b)^Yln(n#l0dqdbGexim>{rr`$kAeA>Y+Db*)BxBg)ZcSZG|7o#emNPLVT#p
zNPBXmN7~%|Ti#ED!ttAo!iidFmMby~Cpi(7uEIrnbE8;JW8j~|1IKl9NYAe^vz%Pz
zcr<l+ls;iR#kz={Z;&=Go&AL}Uqd+#ki$r0E+Z+%R1IxAq@6f(f@OeAgKTFLKZ!Lq
zA&q!`Ic{H_*d^?C2VZB!lc$so%)GVL@d0MQcL9egz<+(#Qt}eF9$u}ku2ua<L&tuV
Ryh9>5<`|wX+fk8a{sIB>vYG$@

delta 574
zcmZXRL1+^}6o%hyvgsymwwsW|wXG(F79x~3!Coo|S*bWeKqd4fv=uQlm$bz|dut^X
zTx#NO=3-CXgGX<3DV_?6ck!S|FALsG59zIfFn!bP%?FQf-h2Q2Gt9IX+l$V-@CX37
z@5`YdXW*VK5s#%wMWr4<&Yhl&&Np7|Hc*jcE;%MAtf)L8GwhABLp=UhnIKa|2cX=F
z|H}f<R=R(U_&LHlG1)@+<=*|)5hwu7-ves@5^4Scg>O$AH&MMNgrKBL?bkS~T+(LW
zptebyz5MglZgo7nEIrl7n+RKduno}X^iZuy2jK_v!}J{-U^|Joq;`B#R>F6J$gyYY
z*NJ)?z;VRvkk$F|>;b9)stzwiz7h5`RO)DjC?sd<vTg7s?PqB2A~7u2jUh_`_XGL?
z2S`30>yeJW@o-%lSh{hbSi0E^E$b!4is>eHx|Xi>9*s(WOnf#dp9&E}%1B{;!lc+U
z`HM(}bd3CMAEm|?faD*{DO?YbS^~dh3lIH5I>}pM+()qRiCY+DW2t;Z>IVkDm-<fB
tj~=?RMCL|u16MM3y=%aJz+naO-<;JlclqbcihQA*hMr?6HF(ril`DiflPCZH

diff --git a/waterbox/libsnes/bsnes/target-libsnes/libsnes_pwrap.cpp b/waterbox/libsnes/bsnes/target-libsnes/libsnes_pwrap.cpp
index 237b789ecc..ce8f837bd2 100644
--- a/waterbox/libsnes/bsnes/target-libsnes/libsnes_pwrap.cpp
+++ b/waterbox/libsnes/bsnes/target-libsnes/libsnes_pwrap.cpp
@@ -613,10 +613,16 @@ EXPORT void* DllInit()
 	T(privbuf, 232);
 	#undef T
 
-	memset(&comm,0,sizeof(comm));
+	memset(&comm, 0, sizeof(comm));
 
 	//make a coroutine thread to run the emulation in. we'll switch back to this cothread when communicating with the frontend
 	co_control = co_active();
+	if (co_emu)
+	{
+		// if this was called again, that's OK; delete the old emuthread
+		co_delete(co_emu);
+		co_emu = nullptr;
+	}
 	co_emu = co_create(65536 * sizeof(void*), new_emuthread);
 
 	return &comm;