Viewing Issue Advanced Details
Jump to Notes ]
apple/apple2.cpp
ID Category [?] Severity [?] Reproducibility Date Submitted Last Update
07974 Crash/Freeze Critical (emulator) Random May 9, 2021, 11:21 Dec 6, 2022, 16:05
Tester Anamon View Status Public Platform MAME (Official Binary)
Assigned To hap Resolution Fixed OS Windows 10 (64-bit)
Status [?] Resolved Driver
apple/apple2.cpp
Version 0.231 Fixed in Version 0.251 Build 64-bit
Fixed in Git Commit 9a61f0b Github Pull Request #
Summary MESS-specific 07974: apple2: Memory access violation in floppy device sound emulation
Description At certain points during floppy access while emulating the Apple II, MAME crashes with a memory read access violation in a method related to floppy drive sound emulation.

I have encountered this crash several times already, in two different games. Since it affects the floppy drive sound, I assume other systems than apple2 could potentially be affected, but since the crash happens only intermittently and I've mostly been emulating the Apple II recently, this is where I encountered the bug.

I have added the post-crash console output to the end of this description.

The two games I have so far encountered this bug in were Karateka and Hi-Res Adventure #0: Mission Asteroid. I played both of these games from disk images in the .WOZ format, which have been loaded into a diskiing drive in slot 6. The command line I use for my basic Apple II emulation configuration, which so far I have encountered the crashes in, is (triple quotes because I use PowerShell):

.\mame apple2 -sl0 """""" -sl4 """""" -sl6:diskiing:1 """"""

i.e. I remove the default language card from slot 0 and Mockingboard from slot 4 (which I don't think should have any impact on the crash), and I remove the default second floppy drive from the Disk II NG controller in slot 6. So far I could not determine if the crash also happens in the default configuration, with two floppy drives.

Full device configuration is as follows:

Driver apple2 (Apple ][):
   <root>                         Apple ][
     a2bus                        Apple II Bus
     a2common                     Apple II Common Components @ 14.31 MHz
     a2video                      Apple II video @ 14.31 MHz
     ay3600                       AY-5-3600 Keyboard Encoder
     cass_list                    Software List
     flop525_clean                Software List
     flop525_misc                 Software List
     flop525_orig                 Software List
     gameio                       Apple II Game I/O Connector
     inhbank                      Address Map Bank
     maincpu                      MOS Technology 6502 @ 1.02 MHz
     mono                         Speaker
     ram                          RAM
     repttmr                      Timer
     scantimer                    Timer
     screen                       Video Screen @ 14.30 MHz
     sl0                          Apple II Slot @ 7.15 MHz
     sl1                          Apple II Slot @ 7.15 MHz
     sl2                          Apple II Slot @ 7.15 MHz
     sl3                          Apple II Slot @ 7.15 MHz
     sl4                          Apple II Slot @ 7.15 MHz
     sl5                          Apple II Slot @ 7.15 MHz
     sl6                          Apple II Slot @ 7.15 MHz
       diskiing                   Apple Disk II NG controller (16-sector) @ 7.15 MHz
         0                        Floppy drive connector abstraction
           525                    5.25" single density floppy drive
             floppysound          Floppy sound @ 44.10 kHz
             flopsndout           Speaker
         1                        Floppy drive connector abstraction
         wozfdc                   Apple Disk II floppy controller @ 2.04 MHz
           phaselatch             Fairchild 9334 Addressable Latch
     sl7                          Apple II Slot @ 7.15 MHz
     softlatch                    Fairchild 9334 Addressable Latch
     speaker                      Filtered 1-bit DAC
     tape                         Cassette

And here is the post-crash console output with stack trace:

-----------------------------------------------------
Exception at EIP=0000000144c25894 (floppy_sound_device::sound_stream_update(sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&)+0x0064): ACCESS VIOLATION
While attempting to read memory at 000000000aa0fd54
-----------------------------------------------------
RAX=000000000aa0c850 RBX=0000000000001a83 RCX=000000000310e270 RDX=0000000000001a82
RSI=000000000a9f2820 RDI=0000000000149020 RBP=0000000000148ed8 RSP=0000000000148ed8
 R8=000000000a9f6280  R9=0000000000000000 R10=0000000000000004 R11=000000000000113a
R12=000000000000053b R13=0000000000000001 R14=000000000000053b R15=00000000030ae708
-----------------------------------------------------
Stack crawl:
  0000000000148ee0: 0000000144c25894 (floppy_sound_device::sound_stream_update(sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&)+0x0064)
  0000000000148fd0: 0000000143f057f3 (sound_stream::update_view(attotime, attotime, unsigned int)+0x0543)
  0000000000149080: 0000000143f051f7 (sound_stream_input::update(attotime, attotime)+0x00c7)
  0000000000149170: 0000000143f056e8 (sound_stream::update_view(attotime, attotime, unsigned int)+0x0438)
  0000000000149220: 0000000143f051f7 (sound_stream_input::update(attotime, attotime)+0x00c7)
  0000000000149310: 0000000143f056e8 (sound_stream::update_view(attotime, attotime, unsigned int)+0x0438)
  0000000000149400: 0000000143db0f42 (speaker_device::mix(float*, float*, attotime, attotime, int, bool)+0x0092)
  0000000000149510: 0000000143f05b21 (sound_manager::update(void*, int)+0x0171)
  0000000000149590: 0000000143c792d3 (device_scheduler::timeslice()+0x0163)
  00000000001496f0: 0000000143e9c828 (running_machine::run(bool)+0x0198)
  000000000014f340: 00000001472718d0 (mame_machine_manager::execute()+0x01f0)
  000000000014f720: 000000014a094877 (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x0397)
  000000000014f9e0: 000000014a094e33 (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0053)
  000000000014fa40: 000000014726ee0c (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x002c)
  000000000014fe20: 000000014b05807f (main+0x017f)
  000000000014fef0: 00000001400013c1 (__tmainCRTStartup+0x0231)
  000000000014ff20: 00000001400014f6 (mainCRTStartup+0x0016)
  000000000014ff50: 00007ff985537c24 (BaseThreadInitThunk+0x0014)
  000000000014ffd0: 00007ff98640d721 (RtlUserThreadStart+0x0021)
Steps To Reproduce 1. Start Apple II emulation with Disk II NG Controller and a 5.25" SD drive
2. Load .WOZ image of Karateka (CRC32 579992FD) into drive
3. Play game

The crash happens at random times during floppy access. Most recently, it happened after the game tried to load more data after a cutscene in the final level (dungeons). However, it has also happened earlier in the game, and at other times I have also been able to play the game to completion without a crash.
Additional Information I will continue trying to gather more information, by checking for reproducibility of the crash with the default apple2 device configuration, and other machines using floppy drives with sound emulation.
Github Commit
Flags
Regression Version
Affected Sets / Systems apple2
Attached Files
  
Relationships
There are no relationship linked to this issue.
Notes
11
User avatar
No.18845
Tafoid
Administrator
May 14, 2021, 23:43
 Acknowledged until some concrete reproduction parameters can be determined.
User avatar
No.20915
Firewave
Senior Tester
Dec 5, 2022, 14:38
 I tried to reproduce this but I have no idea how to load/run the disk. Simply selecting it in the file manager and resetting the system does nothing.
User avatar
No.20917
Anamon
Tester
Dec 5, 2022, 15:05
edited on: Dec 5, 2022, 15:06
 The original Apple II doesn't auto-boot floppies. You can run software like this, for example:

mame apple2 -sl0 "" -sl4 "" -flop1 diskimage.woz
(I tend to empty some of the default slots to exclude superfluous hardware getting in the way).

Then when you get the * prompt:
  • Press 6
  • Press Ctrl+P
  • Press Return


This will start booting from disk drive 1.
User avatar
No.20918
Tafoid
Administrator
Dec 5, 2022, 15:14
 I've always used another method to boot floppies on Apple II
  • Press CTRL+C
  • Press RETURN
  • Type PR#6+RETURN


That is the way I learned it anyway. Good to see multiple ways to do the same thing.
User avatar
No.20919
Anamon
Tester
Dec 5, 2022, 15:21
 Yes, this has actually the same effect :) it's redirecting output to port number 6 (where the floppy drive is). The method I mentioned does it from the monitor, where you end up after turning on the machine. Your method starts the BASIC interpreter, where the PR#6 command does the same thing.
User avatar
No.20920
Firewave
Senior Tester
Dec 5, 2022, 19:06
 Thanks a lot. From the original report it appeared like it should auto-load.

First I was not able to reproduce it but I did not have the "samplepath" configured properly causing it not to pick up the floppy sounds.

==24192==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500016da12 at pc 0x7f05c5f9337a bp 0x7ffffeca37d0 sp 0x7ffffeca37c8
READ of size 2 at 0x62500016da12 thread T0
    #0 0x7f05c5f93379 in floppy_sound_device::sound_stream_update(sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/imagedev/floppy.cpp:1710:10
    #1 0x7f05c5f9344f in non-virtual thunk to floppy_sound_device::sound_stream_update(sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/imagedev/floppy.cpp
    #2 0x7f05d1b7b8bd in util::detail::delegate_base<delegate_late_bind, void, sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&>::operator()(sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #3 0x7f05d1b6dc6e in sound_stream::update_view(attotime, attotime, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/sound.cpp:749:4
    #4 0x7f05d1b6c93f in sound_stream_input::update(attotime, attotime) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/sound.cpp:522:25
    #5 0x7f05d1b6d801 in sound_stream::update_view(attotime, attotime, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/sound.cpp:735:49
    #6 0x7f05d1b6c93f in sound_stream_input::update(attotime, attotime) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/sound.cpp:522:25
    #7 0x7f05d1b6d801 in sound_stream::update_view(attotime, attotime, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/sound.cpp:735:49
    #8 0x7f05d1b82c68 in speaker_device::mix(float*, float*, attotime, attotime, int, bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/speaker.cpp:70:42
    #9 0x7f05d1b76e9b in sound_manager::update(int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/sound.cpp:1503:11
    #10 0x7f05d1af30f4 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #11 0x7f05d1af30f4 in device_scheduler::execute_timers() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:951:5
    #12 0x7f05d1aee038 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:505:2
    #13 0x7f05d198a8a7 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17
    #14 0x7f05c98510df in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #15 0x7f05cac0a2f6 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #16 0x7f05cac0de3f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #17 0x7f05c9855ebf in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #18 0x7f05d1c8057b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #19 0x7f0584417189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7f0584417244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #21 0x7f05ab322b00 in _start (/mnt/s/GitHub/mame/mame+0x25023b00) (BuildId: 454ad2a67ab8776e)

0x62500016da12 is located 3742 bytes to the right of 8820-byte region [0x62500016a900,0x62500016cb74)
allocated by thread T0 here:
    #0 0x7f05ab3e079d in operator new(unsigned long) (/mnt/s/GitHub/mame/mame+0x250e179d) (BuildId: 454ad2a67ab8776e)
    #1 0x7f05afc9e02c in allocate /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/new_allocator.h:137:27
    #2 0x7f05afc9e02c in std::allocator_traits<std::allocator<short> >::allocate(std::allocator<short>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/alloc_traits.h:464:20
    #3 0x7f05afc9d99e in _M_allocate /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/stl_vector.h:378:20
    #4 0x7f05afc9d99e in std::vector<short, std::allocator<short> >::_M_default_append(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/vector.tcc:650:34
    #5 0x7f05afc9b912 in std::vector<short, std::allocator<short> >::resize(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/stl_vector.h:1011:4
    #6 0x7f05c834f2a8 in samples_device::read_wav_sample(emu_file&, samples_device::sample_t&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/sound/samples.cpp:542:15
    #7 0x7f05c834deaa in samples_device::read_sample(emu_file&, samples_device::sample_t&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/sound/samples.cpp:395:10
    #8 0x7f05c834c534 in samples_device::load_samples() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/sound/samples.cpp:624:4
    #9 0x7f05c5f90e1d in floppy_sound_device::device_start() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/imagedev/floppy.cpp:1561:13
    #10 0x7f05caf7bfd0 in device_t::start() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/device.cpp:562:2
    #11 0x7f05d19896df in running_machine::start_all_devices() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:1013:13
    #12 0x7f05d19876b4 in running_machine::start() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:211:2
    #13 0x7f05d198a4dc in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:281:3
    #14 0x7f05c98510df in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #15 0x7f05cac0a2f6 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #16 0x7f05cac0de3f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #17 0x7f05c9855ebf in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #18 0x7f05d1c8057b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #19 0x7f0584417189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/imagedev/floppy.cpp:1710:10 in floppy_sound_device::sound_stream_update(sound_stream&, std::vector<read_stream_view, std::allocator<read_stream_view> > const&, std::vector<write_stream_view, std::allocator<write_stream_view> >&)
Shadow bytes around the buggy address:
  0x0c4a80025af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80025b40: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80025b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
User avatar
No.20921
Firewave
Senior Tester
Dec 5, 2022, 19:23
edited on: Dec 5, 2022, 19:28
 I see no obvious issue in the code. And since I have no idea how the audio streaming works I can only give a wild guess based on the implementation.

m_spin_playback_sample is used to select the current sample in floppy_sound_device::sound_stream_update(). m_spin_samplepos is used to keep track of the current position in that sample and is reset when the sample was completely streamed.

If it was not completely streamed (no idea if that is possible) and m_spin_playback_sample is changed before the next invocation of floppy_sound_device::sound_stream_update() it will select a different sample and start streaming that with a previous index on the not yet fully streamed sample which might have a different size.

I will do some printf debugging later on to see if my assumption is correct.
User avatar
No.20922
Firewave
Senior Tester
Dec 6, 2022, 12:06
edited on: Dec 6, 2022, 12:06
 Turns out my assumption was correct:
std::cout << sampindex << " " << idx << " " << sampleend << " " << m_spin_samplepos << std::endl;

771 3 8832 6281
0 4 4410 6282
User avatar
No.20924
hap
Developer
Dec 6, 2022, 15:19
 Line 1591 where it changes the sample, try adding m_spin_samplepos = 0;
User avatar
No.20925
Firewave
Senior Tester
Dec 6, 2022, 15:57
 Good catch (and quite obvious...). No repro with that change applied. Thanks.
User avatar
No.20926
hap
Developer
Dec 6, 2022, 16:04
 Alright, thanks for checking. Fix is applied.