Viewing Issue Advanced Details

| Field | Value |
|---|---|
| ID | 00111 |
| Category | Crash/Freeze |
| Severity | Critical (emulator) |
| Reproducibility | Have not tried |
| Date Submitted | Jan 22, 2008, 06:32 |
| Last Update | Jan 12, 2010, 15:09 |
| Tester | Karasu |
| View Status | Public |
| Platform | |
| Assigned To | |
| Resolution | Fixed |
| OS | |
| Status | Resolved |
| Driver | |
| Version | 0.63 |
| Fixed in Version | 0.136u1 |
| Build | |
| Fixed in Git Commit | |
| Github Pull Request # | |
| Summary | 00111: gunbird2: crashes during the 4th level boss fight (North Pole) when using Vampiro. |
Description

gunbird2 crashes during the 4th level boss fight (North Pole) when using Vampiro. Note that this doesn't happen on all PCs; only half the testers can reproduce it. Any random crashes in PsikyoSH are likely to be sound overflows.

```
Program received signal SIGSEGV, Segmentation fault.
0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0, outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
261             sample = rombase[slot->startaddr + (slot->stepptr>>16)]<<8;
(gdb) bt
#0  0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0, outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
#1  0x004bd1b0 in stream_generate_samples (stream=0x3ef548, samples=735) at src/sound/streams.c:562
#2  0x004bd0d8 in stream_generate_samples (stream=0x3ef8b0, samples=735) at src/sound/streams.c:539
#3  0x004bcff8 in stream_consume_output (stream=0x3ef8b0, outputnum=0, samples=735) at src/sound/streams.c:478
#4  0x004a1417 in sound_frame_update () at src/sndintrf.c:1168
#5  0x00487c39 in updatescreen () at src/mame.c:1364
#6  0x00436767 in cpu_vblankcallback (param=0) at src/cpuexec.c:1961
#7  0x004ad932 in mame_timer_set_global_time (newbase={seconds = 509, subseconds = 466666666666646288}) at src/timer.c:404
#8  0x00434c03 in cpu_timeslice () at src/cpuexec.c:1093
#9  0x00433a91 in cpu_run () at src/cpuexec.c:477
#10 0x00486a43 in run_machine_core () at src/mame.c:598
#11 0x004868e2 in run_machine () at src/mame.c:529
#12 0x004865f9 in run_game (game=4980) at src/mame.c:361
#13 0x008c1143 in main (argc=3, argv=0x3e26d0) at src/windows/winmain.c:211
#14 0x004011e7 in _end__ ()
#15 0x00401238 in mainCRTStartup ()
#16 0x7c816d4f in _libwinmm_a_iname ()
(gdb)
```

I think this should be useful to Mr. Belmont, because the crash is caused by the ymf278b sound chip core. Also Reip told us that the program reads outside the sound region and crashes, and he would like to know if what is done in the same driver for s1945ii and s1945iii could be applied to this game too. I mean the following ROM_RELOAD commented in the source:

```
ROM_REGION( 0x800000, REGION_SOUND1, 0 ) /* Samples */
ROM_LOAD( "sound.u9", 0x000000, 0x400000, CRC(f19796ab) SHA1(b978f0550ebd675e8ce9d9edcfcc3f6214e49e8b) )
ROM_RELOAD ( 0x400000, 0x400000 ) /* 0x400000 - 0x7fffff allocated but left blank, it randomly reads from here on the Iron Casket level causing a crash otherwise, not sure why, bug in the sound emulation? */
```

I wonder if the s1945 sound loop bug and tengai062gre could also be fixed in a similar way.
Steps To Reproduce

Additional Information

Gunbird2 backtrace from Layne (0.102u1):

```
C:\>cd MAMESRC
C:\MAMESRC>path=C:\mingw\bin;%PATH%
C:\MAMESRC>gdb mame
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-mingw32"...
(gdb) run gunbird2 -window
Starting program: C:\MAMESRC/mame.exe gunbird2 -window

Program received signal SIGSEGV, Segmentation fault.
0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0, outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
261             sample = rombase[slot->startaddr + (slot->stepptr>>16)]<<8;
(gdb) bt
#0  0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0, outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
#1  0x004bd1b0 in stream_generate_samples (stream=0x3ef548, samples=735) at src/sound/streams.c:562
#2  0x004bd0d8 in stream_generate_samples (stream=0x3ef8b0, samples=735) at src/sound/streams.c:539
#3  0x004bcff8 in stream_consume_output (stream=0x3ef8b0, outputnum=0, samples=735) at src/sound/streams.c:478
#4  0x004a1417 in sound_frame_update () at src/sndintrf.c:1168
#5  0x00487c39 in updatescreen () at src/mame.c:1364
#6  0x00436767 in cpu_vblankcallback (param=0) at src/cpuexec.c:1961
#7  0x004ad932 in mame_timer_set_global_time (newbase={seconds = 1486, subseconds = 16666666666607226}) at src/timer.c:404
#8  0x00434c03 in cpu_timeslice () at src/cpuexec.c:1093
#9  0x00433a91 in cpu_run () at src/cpuexec.c:477
#10 0x00486a43 in run_machine_core () at src/mame.c:598
#11 0x004868e2 in run_machine () at src/mame.c:529
#12 0x004865f9 in run_game (game=4980) at src/mame.c:361
#13 0x008c1143 in main (argc=3, argv=0x3e26d0) at src/windows/winmain.c:211
#14 0x004011e7 in _end__ ()
#15 0x00401238 in mainCRTStartup ()
#16 0x7c816d4f in _libwinmm_a_iname ()
(gdb) print slot = (YMF278BSlot *) 0x3ee2ec
(gdb)
```
| Field | Value |
|---|---|
| Github Commit | |
| Flags | Verified with Code |
| Regression Version | |
| Affected Sets / Systems | gunbird2 |
| Attached Files | |

Relationships

There are no relationships linked to this issue.
Notes (18)
No.01317
robiza Developer
Jun 18, 2008, 18:24
Can someone check if this bug is present in the latest version of MAME?
No.01318
Layne Tester
Jun 18, 2008, 20:49
Yes, it still crashes, just verified now in MAME 0.125u6.
No.01451
robiza Developer
Jun 30, 2008, 13:12
Can someone try to remove the 3 if statements and verify if the bug is present? In my personal build the bug seems fixed.

```c
/* Speedup handler for gunbird2: when the SH-2 is sitting at one of the
   idle-loop PCs below, spin it until the next interrupt instead of
   letting it busy-wait on the RAM location. */
static READ32_HANDLER( gunbird2_speedup_r )
{
	/*
	PC : 06028972: MOV.L @R14,R3  // r14 is 604000c on this one
	PC : 06028974: MOV.L @($D4,PC),R1
	PC : 06028976: ADD #$01,R3
	PC : 06028978: MOV.L R3,@R14
	PC : 0602897A: MOV.L @R1,R2
	PC : 0602897C: TST R2,R2
	PC : 0602897E: BT $06028972
	*/
	if (activecpu_get_pc()==0x06028974) cpu_spinuntil_int();
	if (activecpu_get_pc()==0x06028E64) cpu_spinuntil_int();
	if (activecpu_get_pc()==0x06028BE6) cpu_spinuntil_int();

	return psh_ram[0x04000C/4];
}
```
No.01454
Haze Senior Tester
Jun 30, 2008, 15:10
It's not related to the speedups; the sound core reads past the end of memory. It doesn't reliably reproduce anyway, I've not seen it for years, and even then only ever in Strikers 1945 II, not Gunbird.
No.01456
robiza Developer
Jun 30, 2008, 17:39
With current MAME the bug is present; sometimes the bug appears at the start of the 5th level, sometimes in the boss stage of the 4th level. The use of cpu_spinuntil_int(), I think, can in some circumstances modify the natural sync of the sound data stream; the bug appears to me very similar to the toaplan2 sound bug (in toaplan2 the cause of the bug was the abuse of cpu_yield). If I'm wrong we can use the same hack used in 1945ii.
No.01457
Haze Senior Tester
Jun 30, 2008, 18:02
I know there was an old bug in MAME that sometimes caused invalid values to be passed to the sound cores... it was worked around for Streets Of Rage 2 in HazeMD, I wonder if it's been reintroduced. As I said, I've not seen it crash for years, so.. you're on your own.. The other option would be to simply make the sound core 'safe' so that even if it does get passed invalid offsets, it won't crash.
No.01859
Layne Tester
Jul 31, 2008, 17:57
Just tested 250 consecutive times in MAME 0.126u3; finally it's fixed and the crash doesn't happen any more!
No.01866
Haze Senior Tester
Jul 31, 2008, 21:10
Well, it was a timing thing.. which only occurred on certain machines, because of freak conditions.. so I guess any change is liable to make it appear 'fixed'... I never saw it, so it's hard to really say.
No.01868
Tafoid Administrator
Jul 31, 2008, 21:22
I'll confirm this at this time. We don't have a confirmed fix version, but I'll put 0.126u3.
No.01871
robiza Developer
Jul 31, 2008, 21:50
edited on: Aug 1, 2008, 07:00
126u2 is the fixed version.
No.02815
Layne Tester
Oct 13, 2008, 21:05
Bug needs to be re-opened, the crash is still present in 0.127u8. I can repro it easily.
No.02817
Haze Senior Tester
Oct 13, 2008, 21:12
edited on: Oct 13, 2008, 21:13
I told you.. it's never been fixed, although it never reproduces here. It's some combination of odd conditions that causes the sound core to crash, probably requesting invalid samples; it's always out-of-bounds reads, probably due to MAME making bad requests.
No.02841
Tafoid Administrator
Oct 14, 2008, 14:13
Reopened by Robiza.
No.02843
Smitdogg Senior Tester
Oct 14, 2008, 17:07
Whoever can reproduce it, try to make an inp and attach it. I tried and it doesn't crash on my PC.
No.02844
Haze Senior Tester
Oct 14, 2008, 17:53
The inp will probably get cut off due to the crash, before it crashes, thus not reproducing it.... Reminds me a lot of the Streets of Rage 2 bug where MAME would request a completely invalid # of samples for no apparent reason at all.
No.02845
Layne Tester
Oct 14, 2008, 20:17
I agree with Haze, it's impossible to reproduce the crash using a savestate, I've tried a lot of times. It's really hard to get a backtrace too, but luckily we have at least this proof.
No.05491
Tourniquet Developer
Jan 11, 2010, 18:58
I have a reasonable-looking fix for this. The ymf278b core appears to have an overrun for the first sample (j=0); if this is the last sample in the ROM then it can overrun the memory region. Mailed R. Belmont to confirm the fix looks reasonable.
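Haze's suggestion in No.01457 (make the sound core safe against invalid offsets) and Tourniquet's diagnosis above (the first-sample read running past the end of the wave ROM) both come down to the single unchecked index on the crashing line, `rombase[slot->startaddr + (slot->stepptr>>16)]`. The following is an added example, not MAME's ymf278b code: a minimal model of that fetch beside a bounds-checked version that returns silence and counts the rejected read, so a debug build can log how often the chip is asked for impossible samples. `PcmSlot`, `fetch_unchecked`, `fetch_checked` and `render_slot` are hypothetical names, and the ROM contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal model of a YMF278B PCM slot: only the two fields the crashing
   line in the backtrace uses (assumption: the real core has many more). */
typedef struct {
    uint32_t startaddr; /* sample start offset in the wave ROM */
    uint32_t stepptr;   /* 16.16 fixed-point position inside the sample */
} PcmSlot;

/* Unchecked fetch, shaped like the line at ymf278b.c:261 in the backtrace.
   Nothing stops startaddr + (stepptr >> 16) from landing past the region,
   which is exactly the SIGSEGV the reporters hit. */
int16_t fetch_unchecked(const int8_t *rombase, const PcmSlot *slot)
{
    return (int16_t)(rombase[slot->startaddr + (slot->stepptr >> 16)] * 256);
}

/* Hardened fetch: form the index in 64 bits so the 32-bit addition cannot
   wrap back into range, reject anything at or past the end of the region,
   and return silence instead of dereferencing. *oob counts rejected reads. */
int16_t fetch_checked(const int8_t *rombase, size_t romlen,
                      const PcmSlot *slot, int *oob)
{
    uint64_t idx = (uint64_t)slot->startaddr + (slot->stepptr >> 16);
    if (idx >= romlen) {
        (*oob)++;
        return 0;
    }
    return (int16_t)(rombase[idx] * 256);
}

/* Render n samples from a slot with a fixed 16.16 step using the checked
   fetch; the stream simply goes silent once the sample runs off the end of
   the ROM. Returns how many reads were out of bounds. */
int render_slot(const int8_t *rombase, size_t romlen, PcmSlot *slot,
                uint32_t step, int16_t *out, size_t n)
{
    int oob = 0;
    for (size_t j = 0; j < n; j++) {
        out[j] = fetch_checked(rombase, romlen, slot, &oob);
        slot->stepptr += step;
    }
    return oob;
}
```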
No.05497
Tourniquet Developer
Jan 12, 2010, 15:07
Fixed in r7982. If it still occurs it will now happen in s1945ii, s1945iii, gunbird2, dragnblz, and most of the other psikyosh games since the workarounds were removed. Still very random and hard to reproduce; also evades state saves.