Viewing Issue Advanced Details
ID: 03114
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Apr 21, 2009, 22:45
Last Update: Nov 10, 2016, 17:51
Tester: MrBadAxe
View Status: Public
Platform: MAME (Official Binary)
Assigned To:
Resolution: Open
OS:
Status: Confirmed
Driver: jaguar.cpp
Version: 0.129
Fixed in Version:
Build: Normal
Summary: 03114: area51: Crash at high-score screen
Description: Occurs at Enter Initials screen.

If you attempt to move the lightgun cursor to the top level of letters (A-K) MAME crashes.

Steps To Reproduce:
* Die with a high score. On a fresh NVRAM, lowest high score is 11000 points; this amount can be achieved within the first two levels.
* Once at Enter Initials screen, attempt to move cursor to top level of letters.
Additional Information: cojag.c merged into jaguar.c in 0.142u2

Occurs regardless of whether controlled by keyboard or mouse.
Originally discovered in Kronn Hunter secret gameplay mode, later duplicated in normal gameplay mode.
Regression Version:
Affected Sets / Systems: area51
Attached Files:
child of 03840 (Closed): area51mx: Mame quits without any error message
Senior Tester, May 10, 2010, 12:36:
Unfortunately I didn't run a build with a fixed stack walk, but it's very easy to reproduce.

Exception at EIP=00459025 (?blitter_09800009_000020_000020@@YAXPAVrunning_machin
While attempting to read memory at 0CA918E2
EAX=013FFBCD EBX=7EFDE000 ECX=00000000 EDX=0A292148
ESI=0012E360 EDI=0012E314 EBP=0012E314 ESP=0012DF6C
Senior Tester, May 10, 2010, 12:57:
Crash is happening if you move the mouse cursor into the upper right area of the screen you enter your high score at. Here's the backtrace from VS2010:

>	vmamevs10d.exe!blitter_09800009_000020_000020(running_machine * machine=0x00238d78, unsigned int command=159384073, unsigned int a1flags=16928, unsigned int a2flags=24096)  Line 343 + 0x205 bytes	C++
 	vmamevs10d.exe!blitter_run(running_machine * machine=0x00238d78)  Line 514 + 0x1d bytes	C++
 	vmamevs10d.exe!jaguar_blitter_w(const _address_space * space=0x08a38728, unsigned int offset=14, unsigned int data=159384073, unsigned int mem_mask=4294967295)  Line 614 + 0xc bytes	C++
 	vmamevs10d.exe!write_dword_generic(const _address_space * space=0x08a38728, unsigned int byteaddress=82846264, unsigned int data=159384073, unsigned int mem_mask=4294967295)  Line 716 + 0x1f bytes	C++
 	vmamevs10d.exe!memory_write_dword_32be(const _address_space * space=0x08a38728, unsigned int address=2767200824, unsigned int data=159384073)  Line 4669 + 0x13 bytes	C++
 	vmamevs10d.exe!cpu_execute_r3000(running_device * device=0x0023a6a0, int cycles=1122)  Line 858 + 0x3d bytes	C++
 	vmamevs10d.exe!cpuexec_timeslice(running_machine * machine=0x00238d78)  Line 328 + 0x17 bytes	C++
 	vmamevs10d.exe!mame_execute(_core_options * options=0x07dc34a0)  Line 320 + 0x9 bytes	C++
 	vmamevs10d.exe!cli_execute(int argc=7, char * * argv=0x07dc3448, const _options_entry * osd_options=0x035240b0)  Line 177 + 0x9 bytes	C++
 	vmamevs10d.exe!utf8_main(int argc=7, char * * argv=0x07dc3448)  Line 318 + 0x12 bytes	C++
 	vmamevs10d.exe!wmain(int argc=7, wchar_t * * argv=0x07dc36b0)  Line 82 + 0xd bytes	C++
 	vmamevs10d.exe!__tmainCRTStartup()  Line 278 + 0x19 bytes	C
 	vmamevs10d.exe!wmainCRTStartup()  Line 189	C

The line it crashes at looks like this:

				dstdata = READ_PIXEL(adest, adestflags);

And the variables involved look like this:

		adest_base_mem	0x0a332148	void *
		adest_pitch	0	int
		adest_width	320	int
		adest_x	11796480	int
		adest_y	-262144	int
		COMMAND	8	int
		adestflags	32	unsigned int
Senior Tester, May 10, 2010, 13:07:
yeah, the Jaguar blitter code is *nasty*

Kale has been looking at it a bit, and .. ouch, the way it's been programmed means it can trash over memory as much as it likes, including romspace!

Any bugs there don't surprise me.
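The variable dump in the 12:57 comment (adest_x = 11796480, adest_y = -262144, width 320, pitch 0) and the 13:07 remark that the blitter "can trash over memory as much as it likes" both come down to the same defect class: a pixel fetch whose coordinates are never compared against the surface it is supposed to address. The C below is an added example, not MAME's code and not the real READ_PIXEL macro; it models the fetch with the reported values and shows the bounds check that would reject them. It assumes (none of which the page states) that x and y are 16.16 fixed point with the integer part in the upper 16 bits, that a pixel is 4 bytes, that pitch 0 means rows are packed width pixels apart, and a constructed 320x240 host buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not MAME code: a minimal model of a blitter destination
 * surface and a pixel fetch, with and without bounds checking. */
typedef struct {
    const uint8_t *base;   /* start of the surface in host memory */
    size_t size;           /* bytes actually backing the surface */
    int width;             /* pixels per row */
    int height;            /* rows in the surface (assumed; not on the page) */
    int pitch;             /* row stride in pixels; 0 = packed (assumed) */
    int bpp;               /* bytes per pixel (assumed 4) */
} surface_t;

/* Constructed host buffer standing in for adest_base_mem. */
static uint8_t framebuffer[320 * 240 * 4];

static surface_t make_surface(void)
{
    surface_t s = { framebuffer, sizeof framebuffer, 320, 240, 0, 4 };
    return s;
}

/* Integer part of a 16.16 fixed-point coordinate (assumption). The
 * arithmetic right shift keeps the sign, so -262144 becomes -4. */
static int fixed_to_int(int32_t v) { return (int)(v >> 16); }

/* What an unchecked fetch computes: the byte offset relative to the
 * surface base, which may be negative or past the end of the buffer. */
long unchecked_pixel_offset(const surface_t *s, int32_t x_fixed, int32_t y_fixed)
{
    long x = fixed_to_int(x_fixed), y = fixed_to_int(y_fixed);
    long stride = s->pitch ? s->pitch : s->width;
    return (y * stride + x) * s->bpp;
}

/* Bounds-checked variant: returns 0 and stores the byte offset, or -1 if
 * (x,y) is outside the surface or the pixel would not fit in the buffer. */
int checked_pixel_offset(const surface_t *s, int32_t x_fixed, int32_t y_fixed, size_t *offset)
{
    int x = fixed_to_int(x_fixed), y = fixed_to_int(y_fixed);
    if (x < 0 || y < 0 || x >= s->width || y >= s->height)
        return -1;
    size_t stride = (size_t)(s->pitch ? s->pitch : s->width);
    size_t off = ((size_t)y * stride + (size_t)x) * (size_t)s->bpp;
    if (off + (size_t)s->bpp > s->size)
        return -1;
    *offset = off;
    return 0;
}

/* The page's values: x = 11796480 (integer part 180), y = -262144
 * (integer part -4). Unchecked, the fetch lands 4400 bytes before the
 * surface base; the checked version rejects it. */
long unchecked_page_offset(void)
{
    surface_t s = make_surface();
    return unchecked_pixel_offset(&s, 11796480, -262144);
}

int page_values_rejected(void)
{
    surface_t s = make_surface();
    size_t off = 0;
    return checked_pixel_offset(&s, 11796480, -262144, &off) == -1;
}

/* An in-bounds fetch for contrast: pixel (180, 4) -> (4*320+180)*4 bytes. */
size_t inbounds_offset(void)
{
    surface_t s = make_surface();
    size_t off = 0;
    if (checked_pixel_offset(&s, 180 << 16, 4 << 16, &off) != 0)
        return (size_t)-1;
    return off;
}

int main(void)
{
    printf("unchecked offset for page values: %ld bytes\n", unchecked_page_offset());
    printf("checked fetch rejected: %s\n", page_values_rejected() ? "yes" : "no");
    printf("in-bounds (180,4) offset: %zu bytes\n", inbounds_offset());
    return 0;
}
```

The check is deliberately placed on the computed offset as well as on the coordinates: with a nonzero pitch or a pixel size larger than assumed, a coordinate pair inside width and height can still reach past the end of the buffer that backs the surface, which is the "including romspace" case the 13:07 comment describes.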
Nov 10, 2016, 17:51:
Repro in 0.179.