Viewing Issue Advanced Details
Jump to Notes ]
ID Category [?] Severity [?] Reproducibility Date Submitted Last Update
05732 Crash/Freeze Critical (emulator) Always Oct 15, 2014, 11:32 Dec 9, 2018, 05:45
Tester furrykef View Status Public Platform MAME (Official Binary)
Assigned To AJR Resolution Fixed OS Windows Vista/7/8 (64-bit)
Status [?] Resolved Driver
Version 0.155 Fixed in Version 0.205 Build 64-bit
Fixed in Git Commit Github Pull Request #
Summary 05732: All games using MCS-48: Crash when trying to set watchpoint with wpd in mcs-48 games
Description After following the reproduction steps, MAME crashes with this error:

-----------------------------------------------------
Exception at EIP=0000000001075252 (mcs48_cpu_device::mov_r6_a()+0x0012): ACCESS VIOLATION
While attempting to write memory at 0000000000000006
-----------------------------------------------------
RAX=0000000000000000 RBX=0000000006541EE0 RCX=0000000006541EE0 RDX=0000000000000000
RSI=0000000005293BC0 RDI=00000000002286AC RBP=0000000000228670 RSP=0000000000228670
 R8=00000000000000FE  R9=0000000000000000 R10=0000000000000006 R11=0000000000000246
R12=000000000000005B R13=000000000FD92FD0 R14=000000000617B980 R15=000000000022F310
-----------------------------------------------------
Stack crawl:
  0000000000228670: 0000000001075252 (mcs48_cpu_device::mov_r6_a()+0x0012)
  00000000002286E0: 000000000107E93D (mcs48_cpu_device::execute_run()+0x009d)
  0000000000228780: 0000000001A0DE9F (device_scheduler::timeslice()+0x035f)
  00000000002287E0: 0000000001A8BCA9 (running_machine::run(bool)+0x0149)
  000000000022F420: 0000000001A9E68A (machine_manager::execute()+0x022a)
  000000000022F610: 0000000001B24B40 (cli_frontend::execute(int, char**)+0x0b60)
  000000000022FDF0: 0000000000FB2C18 (utf8_main(int, char**)+0x01a8)
  000000000022FE50: 0000000001E0F5FE (wmain+0x007e)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 00000000778A59ED (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 00000000779DC541 (RtlUserThreadStart+0x0021)
Steps To Reproduce Launch MAME with "mame64 -debug dkong" or "mame64 -debug mario"

Before execution begins, input the following two commands:
    focus soundcpu [in mario, use "focus audiocpu" instead]
    wpd 1f,1,w

Then press F5 to resume execution. MAME will crash with the error message given in the description. (dkong was used for the message in the description.) You can also step through the program with F11 instead of F5, and it should eventually crash. In dkong, it will crash on the first "sel rb1" instruction. In mario, it will crash on the first instruction (nop).
Additional Information Backtrace:
#0 0x000000000209eaa2 in mcs48_cpu_device::mov_r6_a (this=0x3f469360)
    at src/emu/cpu/mcs48/mcs48.c:747
No locals.
#1 0x00000000020a17bc in mcs48_cpu_device::execute_run (this=0x3f469360)
    at src/emu/cpu/mcs48/mcs48.c:1169
        opcode = 174
        curcycles = 1
#2 0x0000000003db2642 in device_execute_interface::run (this=0x3f469810)
    at src/emu/diexec.h:187
No locals.
#3 0x0000000002c59587 in device_scheduler::timeslice (this=0x22e4b8)
    at src/emu/schedule.c:478
        ran = 599
        delta = {seconds = 0, attoseconds = 1499999999998464, static never = {
            seconds = 1000000000, attoseconds = 0,
            static never = <same as static member of an already seen type>,
            static zero = {seconds = 0, attoseconds = 0,
              static never = <same as static member of an already seen type>,
              static zero = <same as static member of an already seen type>}}, static zero = <same as static member of an already seen type>}
        delta = 1499999999993856
        exec = 0x3f469810
        target = {seconds = 0, attoseconds = 1499999999993856,
          static never = {seconds = 1000000000, attoseconds = 0,
            static never = <same as static member of an already seen type>,
            static zero = {seconds = 0, attoseconds = 0,
              static never = <same as static member of an already seen type>,
              static zero = <same as static member of an already seen type>}}, static zero = <same as static member of an already seen type>}
        call_debugger = true
#4 0x0000000002cfdafd in running_machine::run (this=0x227a20, firstrun=true)
    at src/emu/machine.c:382
        settingsloaded = true
        error = 0
#5 0x0000000000000000 in ?? ()
Github Commit
Flags
Regression Version 0.149
Affected Sets / Systems All games using MCS-48
Attached Files
  
Relationships
There are no relationship linked to this issue.
Notes
6
User avatar
No.11075
Robbbert
Senior Tester
Oct 15, 2014, 11:37
 Confirmed dkong.
User avatar
No.11078
Tafoid
Administrator
Oct 15, 2014, 16:20
 Research of this nails down the timeframe to commits done on May 28, 2013. (r23208-r23236)
User avatar
No.11081
furrykef
Tester
Oct 15, 2014, 19:54
edited on: Oct 15, 2014, 19:55
 I've figured out what is almost certainly causing it. I'd bet anything that get_write_ptr (which was modified on the date Tafoid mentioned) is returning NULL in mcs48_cpu_device::update_regptr. That would certainly explain trying to access memory locations like 0000000000000006.

Unfortunately, I don't know enough about MAME's architecture to know what to do about it.
User avatar
No.11082
furrykef
Tester
Oct 15, 2014, 20:08
 Just tried it in MAME 0.148, since Tafoid noted it doesn't crash in that version. Indeed it doesn't crash, but the wpd command given doesn't work either. The debugger will claim the watchpoint has been set, but it will never trigger, even when the value at data memory location 1f is clearly being updated.
User avatar
No.15882
MetalGod
Senior Tester
Dec 8, 2018, 14:30
edited on: Dec 8, 2018, 17:32
 This has been fixed since mame 0.200
I've tested with dkong and mario
User avatar
No.15888
AJR
Developer
Dec 9, 2018, 04:33
 I've tested this and it's not fixed. The whole get_write_ptr approach seems entirely unsafe.