Viewing Issue Advanced Details
ID: 02085
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Aug 3, 2008, 23:50
Last Update: 13 days ago
Tester: Smitdogg
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Open
OS:
Status: Confirmed
Driver: namcos21.cpp
Version: 0.126u3
Fixed in Version:
Build: 64-bit
Summary: 02085: solvalou: Solvalou crashes during the first level.
Description It crashes (exits) part of the way through the first level. Verified to happen on more than one machine. It happens on 126u2 and u3. I don't know how far back it goes or if it's 64-bit specific.

Exception at EIP=0065E56B: ACCESS VIOLATION
While attempting to read memory at 0886F040
EAX=04870040 EBX=03FFF000 ECX=00000000 EDX=03FFF000
ESI=00001FE8 EDI=000009DE EBP=0022FBE8 ESP=0022FB80
Affected Sets / Systems: solvalou
Relationships: has duplicate 05947 (Closed) solvalou: missing polygons during gameplay.
Aug 4, 2008, 01:53
Confirmed crash on 32-bit. Will attempt a symbols build crash if needed later. It runs painfully slow on my CPU and it takes a while to get to crash point :)

Aug 4, 2008, 07:55
It's very slow on my MacBook as well... and to my disappointment, when I finally reached the crash point, it only printed out

Program exited with code 01.

and 'No stack' when I ask for a backtrace. I'm using a debug build with symbols of SDLMAME.
Senior Tester
Aug 4, 2008, 15:29
edited on: Aug 4, 2008, 17:25
Try to set a breakpoint at the compiler-internal exit() or abort(). It should give you a usable backtrace.

Senior Tester
Jan 2, 2009, 02:39
Here is a backtrace from 0.128u7:

Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 2348.0x90c]
0x0066036f in TransferDspData (machine=0xad51efc)
    at src/mame/drivers/namcos21.c:504
TransmitWordToSlave( namcos21_dspram16[addr+i] );
(gdb) bt full
#0 0x0066036f in TransferDspData (machine=0xad51efc)
    at src/mame/drivers/namcos21.c:504
        primWords = 11015
        subAddr = 4264
        len = 65535
        masterAddr = 3481
        i = 30089
        old = 2677
        code = 54966
        addr = 2679
        mode = 32768
#1 0x006606ec in dspram16_w (space=0x14451750, offset=2651, data=35420,
    mem_mask=65535) at src/mame/drivers/namcos21.c:608
No locals.
#2 0x009b4de3 in write_word_generic (space=0x14451750, byteaddress=70838,
    data=35420, mem_mask=65535) at src/emu/memory.c:554
        handler = (const handler_data *) 0x14491d80
        byteoffset = 5302
        entry = 72
#3 0x009b6e04 in memory_write_word_16be (space=0x14451750, address=70838,
    data=35420) at src/emu/memory.c:3996
No locals.
#4 0x00f88e61 in M_WRTRAM (cpustate=0x15a01724, addr=35419, data=35420)
    at src/emu/cpu/tms32025/tms32025.c:349
        ram = (UINT16 *) 0x0
#5 0x00f88d98 in PUTDATA (cpustate=0x15a01724, data=35420)
    at src/emu/cpu/tms32025/tms32025.c:531
No locals.
#6 0x00f8b3d9 in sacl (cpustate=0x15a01724)
    at src/emu/cpu/tms32025/tms32025.c:1342
No locals.
#7 0x00f8d446 in cpu_execute_tms32025 (device=0xae01f77, cycles=2000)
    at src/emu/cpu/tms32025/tms32025.c:2010
        cpustate = (tms32025_state *) 0x15a01724
#8 0x009d9e71 in cpu_execute (device=0xae01f77, cycles=2000)
    at src/emu/cpuintrf.h:557
        classheader = (cpu_class_header *) 0x15a03fd8
#9 0x009d95a7 in cpuexec_timeslice (machine=0xad51efc)
    at src/emu/cpuexec.c:276
        delta = {seconds = 0, attoseconds = 83333333333000}
        classdata = (cpu_class_data *) 0x15a027a8
        call_debugger = 0
        global = (cpuexec_private *) 0x15841efc
        target = {seconds = 84, attoseconds = 89104123654575334}
        base = {seconds = 84, attoseconds = 89020790321242334}
        cpu = (const device_config *) 0xae01f77
        ran = 44
#10 0x009c765d in mame_execute (options=0x8061e58) at src/emu/mame.c:360
        settingsloaded = 0
        driver = (const game_driver *) 0x19da9b0
        machine = (running_machine *) 0xad51efc
        mame = (mame_private *) 0xad61f68
        cb = (callback_item *) 0x8061e58
        gamename = (astring *) 0xad51f00
        exit_pending = 0
        error = 0
        firstgame = 0
        firstrun = 0
#11 0x00bdb66c in cli_execute (argc=7, argv=0x7fb1fe4, osd_options=0x21ae990)
    at src/emu/clifront.c:171
        options = (core_options *) 0x8061e58
        gamename = (astring *) 0x8041f00
        exename = (astring *) 0x8051f00
        gamename_option = 0x8091f08 "solvalou"
        driver = (const game_driver *) 0x19da9b0
        result = -1
#12 0x009618b8 in utf8_main (argc=7, argv=0x7fb1fe4)
    at src/osd/windows/winmain.c:257
        ext = 0x28e86b8 ".map"
#13 0x0123f599 in main (argc=7, a_argv=0x64527f0) at src/osd/windows/main.c:72
        i = 7
        rc = 2293624
        utf8_argv = (char **) 0x7fb1fe4
        argv = (TCHAR **) 0x64528f0
        wenviron = (WCHAR **) 0x64550e8
        startupinfo = -1
Jan 5, 2011, 00:42
OK, the reason is simple: namcos21.c has many, many cases that can cause an array to be accessed out of bounds. Adding (hacking) masks everywhere (e.g. value = array[offset & arraysize-1]) would fix this crash, but since it's an unexpected overflow, the game would probably mess up at that point anyway.

This driver could really use a cleanup/update, too bad that Stroff isn't active lately.
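The masking hack described above, side by side with an explicit length check, as an added C example (not code from the namcos21 driver; the RAM size, function names and sample values are assumptions for the example):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the DSP shared RAM: 0x8000 16-bit words. Size and
   function names are assumptions for this example, not the driver's own. */
#define DSPRAM_WORDS 0x8000u
static uint16_t dspram16[DSPRAM_WORDS];

/* The masking hack: never faults, but an oversized index silently wraps to
   the start of the array, so garbage is copied instead of being refused. */
static uint16_t dspram_read_masked(uint32_t index)
{
    return dspram16[index & (DSPRAM_WORDS - 1)];
}

/* Explicit range check, written so that addr + len cannot wrap around. */
static bool dspram_range_ok(uint32_t addr, uint32_t len)
{
    return addr < DSPRAM_WORDS && len <= DSPRAM_WORDS - addr;
}

/* Checked transfer: copies len words from dspram16[addr] into out.
   Returns words copied, or -1 when the guest-supplied header describes a
   range that does not fit, so the caller can log it and skip the block
   instead of reading past the allocation as in the backtrace above. */
static int transfer_dsp_data_checked(uint32_t addr, uint32_t len,
                                     uint16_t *out, size_t out_words)
{
    if (!dspram_range_ok(addr, len) || len > out_words)
        return -1;
    for (uint32_t i = 0; i < len; i++)
        out[i] = dspram16[addr + i];
    return (int)len;
}

/* Fill RAM with a known pattern, copy the last 16 words and return their sum
   (16 * 0x7FF0 + 0 + ... + 15 = 524152) so the result can be checked. */
static uint32_t demo_transfer(void)
{
    uint16_t out[16];
    uint32_t sum = 0;
    for (uint32_t i = 0; i < DSPRAM_WORDS; i++)
        dspram16[i] = (uint16_t)i;
    int n = transfer_dsp_data_checked(0x7FF0, 16, out, 16);
    for (int i = 0; i < n; i++)
        sum += out[i];
    return sum;
}
```

With the addr=2679, len=65535 pair from the gdb locals in the 0.128u7 backtrace, the masked read wraps silently while the checked transfer refuses the block.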
Senior Tester
Jan 5, 2011, 14:32
Most of the Namco stuff could do with a cleanup/update to be honest, and I doubt Stroff would be your man for doing that.

He was very, very good at figuring things out and making them work, but yeah, his code also tended to be very dirty and unsafe in places. Not as bad as Acho-code; it was readable, and he didn't start hacking core functions, but in some places just as problematic.

I'd say if you want to clean it up, or at least make it safe, then go for it. I'm sure the more recent developments plus the likes of the C++ support we have now could be used to clean up a lot of the places where he's tried to fit multiple hardware emulations into a single file with 100000 defines in order to avoid duplicating code as well. To properly convert all the Namco stuff into video devices is going to be a considerable amount of work.
Senior Tester
Mar 15, 2012, 15:08
I've adjusted the severity to Critical (MAME) as the game crashes MAME, not just itself.

Reproduced 2012-03-15 in SDLMAME64 0.145u4, game exited partway through first level with no error indication, but definitely an abnormal exit (no closeout information is displayed, it just punts back to the shell.)
May 15, 2014, 20:57
In 153, MAME just quits without any error when reaching the same point in the first level. Finally it can be played at 100% on a 4670k.
Senior Tester
Jan 3, 2015, 20:05
==5217==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310004717fe at pc 0x00000324f26a bp 0x7fffc1f02600 sp 0x7fffc1f025f8
READ of size 2 at 0x6310004717fe thread T0
    #0 0x324f269 in namcos21_state::transfer_dsp_data() /home/notroot/trunk/src/mame/drivers/namcos21.c:466:33
    #1 0x324ff2a in namcos21_state::dspram16_w(address_space&, unsigned int, unsigned short, unsigned short) /home/notroot/trunk/src/mame/drivers/namcos21.c:567:4
    #2 0x8175e1e in delegate_base<void, address_space&, unsigned int, unsigned short, unsigned short, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(address_space&, unsigned int, unsigned short, unsigned short) const /home/notroot/trunk/src/lib/util/delegate.h:653:88
    #3 0x8175e1e in handler_entry_write::write16(address_space&, unsigned int, unsigned short, unsigned short) const /home/notroot/trunk/src/emu/memory.c:421
    #4 0x8175e1e in address_space_specific<unsigned short, (endianness_t)1, false>::write_native(unsigned int, unsigned short) /home/notroot/trunk/src/emu/memory.c:1142
    #5 0x817503b in address_space_specific<unsigned short, (endianness_t)1, false>::write_word(unsigned int, unsigned short) /home/notroot/trunk/src/emu/memory.c:1427:72
    #6 0x6efd21d in tms32025_device::M_WRTRAM(unsigned int, unsigned short) /home/notroot/trunk/src/emu/cpu/tms32025/tms32025.c:308:7
    #7 0x6efd21d in tms32025_device::PUTDATA(unsigned short) /home/notroot/trunk/src/emu/cpu/tms32025/tms32025.c:485
    #8 0x6eee8f4 in tms32025_device::sacl() /home/notroot/trunk/src/emu/cpu/tms32025/tms32025.c:1287:2
    #9 0x6efa5b4 in tms32025_device::execute_run() /home/notroot/trunk/src/emu/cpu/tms32025/tms32025.c:2066:4
    #10 0x6efb96f in non-virtual thunk to tms32025_device::execute_run() /home/notroot/trunk/src/emu/cpu/tms32025/tms32025.c:2133:1
    #11 0x81f345a in device_execute_interface::run() /home/notroot/trunk/src/emu/diexec.h:191:15
    #12 0x81f345a in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:476
    #13 0x8112c98 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:391:5
    #14 0x810b03a in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:216:11
    #15 0x7f3df3e in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:244:15
    #16 0x576f669 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:345:9
    #17 0x7f3ebfd31ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #18 0x11479ac in _start (/home/notroot/trunk/mame64d+0x11479ac)

0x6310004717ff is located 0 bytes to the right of 69631-byte region [0x631000460800,0x6310004717ff)
allocated by thread T0 here:
    #0 0x112a33b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/
    #1 0x89746a8 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/sdl/sdlos_unix.c:108:9
    #2 0x84d703a in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25
    #3 0x7a34c43 in operator new[](unsigned long, char const*, int) /home/notroot/trunk/src/lib/util/corealloc.h:72:125
    #4 0x7a34c43 in dynamic_array<unsigned char>::expand_internal(int) /home/notroot/trunk/src/lib/util/coretmpl.h:115
    #5 0x7a34c43 in dynamic_array<unsigned char>::resize(int) /home/notroot/trunk/src/lib/util/coretmpl.h:94
    #6 0x7a34c43 in dynamic_array<unsigned char>::resize_and_clear(int, unsigned char) /home/notroot/trunk/src/lib/util/coretmpl.h:99
    #7 0x814da2e in memory_block::memory_block(address_space&, unsigned int, unsigned int, void*) /home/notroot/trunk/src/emu/memory.c:3857:4
    #8 0x8127aef in address_space::allocate_memory() /home/notroot/trunk/src/emu/memory.c:2069:25
    #9 0x8124557 in memory_manager::initialize() /home/notroot/trunk/src/emu/memory.c:1544:3
    #10 0x810f189 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:250:2
    #11 0x81129cc in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:345:3
    #12 0x810b03a in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:216:11
    #13 0x7f3df3e in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:244:15
    #14 0x576f669 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:345:9
    #15 0x7f3ebfd31ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/notroot/trunk/src/mame/drivers/namcos21.c:466 namcos21_state::transfer_dsp_data()
Shadow bytes around the buggy address:
  0x0c62800862a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800862b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800862c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800862d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800862e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c62800862f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0c6280086300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280086310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280086320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280086330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280086340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  ASan internal: fe
13 days ago
As of 0.198, Kale has demoted this and Cybersled to not working. He added notes describing the issue.