retroarch: gate retroarch_fail longjmp on init-in-progress

 flag

retroarch_fail unconditionally longjmps into
global->error_sjlj_context. The author's comment acknowledges
the constraint - 'we cannot longjmp unless we're in
retroarch_main_init()' - but the code longjmps regardless,
and the constraint is not enforced anywhere.

retroarch_fail's callers include drivers_init's per-driver
find_*_driver failure paths (find_audio_driver,
find_video_driver, find_input_driver, find_camera_driver, etc.
at retroarch.c:1668-1700) and the bluetooth/wifi
RARCH_*_CTL_INIT handlers reached from the same drivers_init
path. drivers_init runs not just from retroarch_main_init's
single CMD_EVENT_CORE_INIT (where the setjmp is live) but also
from command_event_reinit -> video_driver_reinit_context for
every CMD_EVENT_REINIT - fullscreen toggle, HDR mode change,
video driver swap, AV info change, etc.

When retroarch_fail fires from a reinit-time drivers_init, the
longjmp lands in error_sjlj_context, which points to stack
memory that was unwound when retroarch_main_init returned.
Behavior is undefined: typically a crash, sometimes silent
corruption.

This is a cold path - drivers don't usually vanish at runtime -
but the retroarch_fail calls in drivers_init exist precisely
because the code thinks they can fail, and the failure handling
assumes initialization-time semantics that no longer hold.

Add GLOB_FLG_INIT_IN_PROGRESS to global flags. Set it after the
setjmp succeeds in retroarch_main_init, clear it on every exit
(both success and the error: label). Gate retroarch_fail's
longjmp on the flag; if clear, log and return.

The non-longjmp return path means the caller (drivers_init)
sees the subsystem fail to init but isn't unwound. Driver init
code already NULL-checks its own driver pointers downstream of
find_*_driver calls (e.g. video_st->current_video gets NULL'd
on find_video_driver failure and downstream rendering checks
for it), so a 'driver missing' state is survivable - the user
ends up in a degraded but not-crashed state. Initialization-time
failures still propagate via the existing setjmp path.

Author: LibretroAdmin

retroarch.c

@@ -8081,6 +8081,12 @@ bool retroarch_main_init(int argc, char *argv[])
       goto error;
    }
 
+   /* Mark error_sjlj_context as live. retroarch_fail checks this
+    * before longjmp'ing; reinit-time driver_init failures that
+    * reach retroarch_fail outside this function will log and
+    * return rather than landing in a stale jmp_buf. */
+   global->flags |= GLOB_FLG_INIT_IN_PROGRESS;
+
    global->flags |= GLOB_FLG_ERR_ON_INIT;
 
    /* Have to initialise non-file logging once at the start... */
@@ -8425,11 +8431,13 @@ bool retroarch_main_init(int argc, char *argv[])
    game_ai_init();
 #endif
 
+   global->flags &= ~GLOB_FLG_INIT_IN_PROGRESS;
    return true;
 
 error:
    command_event(CMD_EVENT_CORE_DEINIT, NULL);
    runloop_state_get_ptr()->flags            &= ~RUNLOOP_FLAG_IS_INITED;
+   global->flags &= ~GLOB_FLG_INIT_IN_PROGRESS;
 
    return false;
 }
@@ -8840,12 +8848,29 @@ size_t retroarch_get_capabilities(enum rarch_capabilities type,
 void retroarch_fail(int err_code, const char *err)
 {
    global_t *global                = global_get_ptr();
-   /* We cannot longjmp unless we're in retroarch_main_init().
-    * If not, something went very wrong, and we should
-    * just exit right away. */
    strlcpy(global->error_string, err,
          sizeof(global->error_string));
-   longjmp(global->error_sjlj_context, err_code);
+
+   /* Only longjmp if retroarch_main_init's setjmp is still live.
+    * Outside that scope (e.g. when drivers_init runs from
+    * command_event_reinit for a fullscreen toggle, video driver
+    * swap, or any other CMD_EVENT_REINIT path) the
+    * error_sjlj_context jmp_buf points into stack memory that
+    * was unwound long ago. Jumping there is undefined behavior;
+    * on most platforms it crashes or silently corrupts state.
+    *
+    * Driver init failures during reinit are not recoverable in
+    * this function (we don't have a clean rollback path for the
+    * partial reinit), but they're survivable - the prior driver
+    * state is gone but we can leave the user in the menu rather
+    * than crashing. The caller (drivers_init) will see the
+    * subsystem fail to init and that subsystem's downstream code
+    * is expected to NULL-check its driver pointers. */
+   if (global->flags & GLOB_FLG_INIT_IN_PROGRESS)
+      longjmp(global->error_sjlj_context, err_code);
+
+   RARCH_ERR("[Core] retroarch_fail outside retroarch_main_init: %s\n",
+         err);
 }
 
 /* Called on close content, checks if we need to also exit retroarch */

retroarch_types.h

@@ -254,7 +254,16 @@ enum global_flags
 {
    GLOB_FLG_ERR_ON_INIT          = (1 << 0),
    GLOB_FLG_LAUNCHED_FROM_CLI    = (1 << 1),
-   GLOB_FLG_CLI_LOAD_MENU_ON_ERR = (1 << 2)
+   GLOB_FLG_CLI_LOAD_MENU_ON_ERR = (1 << 2),
+   /* Set on entry to retroarch_main_init (right after its setjmp
+    * is established) and cleared on every exit. retroarch_fail
+    * checks this flag before longjmp'ing - the error_sjlj_context
+    * jmp_buf is only valid while retroarch_main_init is on the
+    * stack; calling retroarch_fail from any other context (e.g.
+    * a reinit-time drivers_init invoked via command_event_reinit)
+    * with the flag clear means the longjmp would land in stale
+    * stack memory. */
+   GLOB_FLG_INIT_IN_PROGRESS     = (1 << 3)
 };
 
 typedef struct global