Viewing Issue Advanced Details
ID Category [?] Severity [?] Reproducibility Date Submitted Last Update
06123 Crash/Freeze Critical (emulator) Sometimes Jan 6, 2016, 23:20 Jan 16, 2016, 00:50
Tester SailorSat View Status Public Platform MAME (Official Binary)
Assigned To Resolution Open OS Windows Vista/7/8 (64-bit)
Status [?] Acknowledged Driver model1.cpp
Version 0.169 Fixed in Version Build 64-bit
Summary 06123: vr: If running in linked mode, coining up may crash the emulation
Description I tried to run a virtua racing network for some time now (actualy even since I first did the comm boards), however there is a pretty high chance that when coining up, one of the games will simply crash.

Other games like WingWar work fine, so I assume the problem is not network related.
Steps To Reproduce Set up a linked game (I confirmed that with 2, 4 and 8 units).
Coin up the game.
Additional Information -----------------------------------------------------
Exception at EIP=0000000000C2C2CC (model1_state::push_object(unsigned int, unsig
ned int, unsigned int)+0x09ec): ACCESS VIOLATION
While attempting to read memory at 0000000223B70042
-----------------------------------------------------
RAX=0000000023BF0040 RBX=00000000175B37E0 RCX=0000000000000000 RDX=00000000FFFC0001
RSI=0000000023D80078 RDI=00000000003F26E7 RBP=00000000002296B0 RSP=0000000000229630
 R8=000007FFFFFDE000 R9=00000000FFFFFFFF R10=0000000023D80040 R11=0000000000000000
R12=000000001D350040 R13=0000000023D8005C R14=0000000000000003 R15=0000000013361200
-----------------------------------------------------
Stack crawl:
  0000000000229720: 0000000000C2C2CC (model1_state::push_object(unsigned int, unsigned int, unsigned int)+0x09ec)
  0000000000229840: 0000000000C2D30E (model1_state::tgp_render(bitmap_rgb32&, rectangle const&)+0x05fe)
  00000000002298E0: 0000000000C2DAB4 (model1_state::screen_update_model1(screen_device&, bitmap_rgb32&, rectangle const&)+0x0204)
  0000000000229930: 000000000248D61C (screen_device::update_partial(int)+0x011c)
  00000000002299B0: 00000000025813B6 (video_manager::finish_screen_updates()+0x0066)
  0000000000229A30: 0000000002583416 (video_manager::frame_update(bool)+0x01c6)
  0000000000229AA0: 000000000248E8F7 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x0327)
  0000000000229B40: 00000000024B2349 (device_scheduler::timeslice()+0x0179)
  0000000000229BA0: 00000000024BF548 (running_machine::run(bool)+0x0198)
  000000000022F690: 0000000002595AE9 (machine_manager::execute()+0x0219)
  000000000022F840: 000000000255430B (cli_frontend::execute(int, char**)+0x0d9b)
  000000000022FDF0: 0000000001491664 (utf8_main(int, char**)+0x0174)
  000000000022FE50: 0000000002904CCE (wmain+0x007e)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000077285A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 00000000774BB831 (RtlUserThreadStart+0x0021)
Flags
Regression Version
Affected Sets / Systems vr
Attached Files
 
Relationships
There are no relationsihp linked to this issue.
Notes
10
User avatar
No.12331
SailorSat
Senior Tester
Jan 6, 2016, 23:29
Another two stack traces:

-----------------------------------------------------
Exception at EIP=0000000000C2C2CC (model1_state::push_object(unsigned int, unsigned int, unsigned int)+0x09ec): ACCESS VIOLATION
While attempting to read memory at 0000000223B80042
-----------------------------------------------------
RAX=0000000023C00040 RBX=000000001758EE10 RCX=0000000000000000 RDX=00000000FFFC0001
RSI=0000000023D90078 RDI=00000000003F26E7 RBP=00000000002296B0 RSP=0000000000229630
 R8=000007FFFFFDD000 R9=00000000FFFFFFFF R10=0000000023D90040 R11=0000000000000000
R12=000000001D360040 R13=0000000023D9005C R14=0000000000000003 R15=00000000132F1840
-----------------------------------------------------
Stack crawl:
  0000000000229720: 0000000000C2C2CC (model1_state::push_object(unsigned int, unsigned int, unsigned int)+0x09ec)
  0000000000229840: 0000000000C2D30E (model1_state::tgp_render(bitmap_rgb32&, rectangle const&)+0x05fe)
  00000000002298E0: 0000000000C2DAB4 (model1_state::screen_update_model1(screen_device&, bitmap_rgb32&, rectangle const&)+0x0204)
  0000000000229930: 000000000248D61C (screen_device::update_partial(int)+0x011c)
  00000000002299B0: 00000000025813B6 (video_manager::finish_screen_updates()+0x0066)
  0000000000229A30: 0000000002583416 (video_manager::frame_update(bool)+0x01c6)
  0000000000229AA0: 000000000248E8F7 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x0327)
  0000000000229B40: 00000000024B2349 (device_scheduler::timeslice()+0x0179)
  0000000000229BA0: 00000000024BF548 (running_machine::run(bool)+0x0198)
  000000000022F690: 0000000002595AE9 (machine_manager::execute()+0x0219)
  000000000022F840: 000000000255430B (cli_frontend::execute(int, char**)+0x0d9b)
  000000000022FDF0: 0000000001491664 (utf8_main(int, char**)+0x0174)
  000000000022FE50: 0000000002904CCE (wmain+0x007e)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000077285A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 00000000774BB831 (RtlUserThreadStart+0x0021)




-----------------------------------------------------
Exception at EIP=0000000000C2C2CC (model1_state::push_object(unsigned int, unsigned int, unsigned int)+0x09ec): ACCESS VIOLATION
While attempting to read memory at 0000000223B90042
-----------------------------------------------------
RAX=0000000023C10040 RBX=000000001769ECB0 RCX=0000000000000000 RDX=00000000FFFC0001
RSI=0000000023DA0078 RDI=00000000003F26E7 RBP=00000000002296B0 RSP=0000000000229630
 R8=000007FFFFFDD000 R9=00000000FFFFFFFF R10=0000000023DA0040 R11=0000000000000000
R12=000000001D370040 R13=0000000023DA005C R14=0000000000000003 R15=0000000013381840
-----------------------------------------------------
Stack crawl:
  0000000000229720: 0000000000C2C2CC (model1_state::push_object(unsigned int, unsigned int, unsigned int)+0x09ec)
  0000000000229840: 0000000000C2D30E (model1_state::tgp_render(bitmap_rgb32&, rectangle const&)+0x05fe)
  00000000002298E0: 0000000000C2DAB4 (model1_state::screen_update_model1(screen_device&, bitmap_rgb32&, rectangle const&)+0x0204)
  0000000000229930: 000000000248D61C (screen_device::update_partial(int)+0x011c)
  00000000002299B0: 00000000025813B6 (video_manager::finish_screen_updates()+0x0066)
  0000000000229A30: 0000000002583416 (video_manager::frame_update(bool)+0x01c6)
  0000000000229AA0: 000000000248E8F7 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x0327)
  0000000000229B40: 00000000024B2349 (device_scheduler::timeslice()+0x0179)
  0000000000229BA0: 00000000024BF548 (running_machine::run(bool)+0x0198)
  000000000022F690: 0000000002595AE9 (machine_manager::execute()+0x0219)
  000000000022F840: 000000000255430B (cli_frontend::execute(int, char**)+0x0d9b)
  000000000022FDF0: 0000000001491664 (utf8_main(int, char**)+0x0174)
  000000000022FE50: 0000000002904CCE (wmain+0x007e)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000077285A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 00000000774BB831 (RtlUserThreadStart+0x0021)
User avatar
No.12337
NekoEd
Senior Tester
Jan 11, 2016, 17:48
Those stack traces are identical, right down to the function addresses and PC; the difference is the faulting read address, you'll notice that with each trace it increases by 0x10000. Whether or not this means anything, I'm not sure, but it's interesting to note. (Some of the registers are also different, but you kind of expect that.)
User avatar
No.12338
Haze
Senior Tester
Jan 11, 2016, 18:38
yeah, it's almost certainly pointing at the crash..

it might be that the actual game crashed because it's unhappy with something, and starts spamming invalid objects which crash our code tho.

still, MAME shouldn't actually crash even in that case, so it could do with making safer either way.
User avatar
No.12340
SailorSat
Senior Tester
Jan 11, 2016, 23:28
Looks like the object pointer gets out of bounds (and is never actually checked), thus the invalid memory access.

a simple check at the "next"-mark should be enough to prevent mame from crashing.

i wonder if the pointer should simply overflow - gonna add some debug messages there and try around
User avatar
No.12341
NekoEd
Senior Tester
Jan 12, 2016, 03:26
I'm going to acknowledge this. We haven't confirmed it, but I'll give you the benefit of the doubt for now. Let us know your progress on this and if you fix it.
User avatar
No.12342
SailorSat
Senior Tester
Jan 14, 2016, 09:18
Looks like the pointer itself is not the problem.
I added a debug message to "see" what gets called and notice some "strange" calls from time to time. (even if not linked)

m1video: push_object got called with tex_adr 0000, poly_adr 3c03aae7, size 0000)
m1video: push_object got called with tex_adr 000f, poly_adr 428c0000, size 428c0000)

as the rom area is 0x800000 in size and the ram area is 0x400000 - these sum up to 0xC00000, those calls seem weird.
User avatar
No.12343
SailorSat
Senior Tester
Jan 14, 2016, 13:47
Yeah, seems like the display lists have faulty data in them sometimes - I got a SEGFAULT on "code 6" with more than 65k light sources (limit in array is 32)
I'll add some simple sanity checks, and continue.
User avatar
No.12344
Haze
Senior Tester
Jan 14, 2016, 21:58
edited on: Jan 14, 2016, 21:58
I'm guessing the actual game program has crashed and is sending garbage, so will still be in an unusable state even when you patch everything up to be safe..

although safe code is better anyway :-)

User avatar
No.12345
SailorSat
Senior Tester
Jan 15, 2016, 07:41
Hm... it actually appears the list is simply missing an "end".

The problem appears to be the command parser itself.
There are actually two - "tgp_render" and "tgp_scan" - they both parse the list, but with one mayor difference.

tgp_render processes the "type" with "switch(type & 15) {" [line 1201]
tgp_scan processes the "type" with "switch(type) {" [line 1359]

if you change line 1201 from "switch(type & 15) {" to "switch(type) {" the code will bail out at the next command (whatever data is left in the list).
a quick "check" seems to fix all issues in virtua racing (rendering my checks obsolete).

there is one catch so far - swa stops showing the intro text, as it uses 0x41 commands to draw it. (that would have been handled like 0x01 commands before)
adding a "case 0x41: " right below the respective "case 1:" fixes that.

--

after both modifications VR logs an unknown type every now and then (usually one every 2 or 3 races - even in non-link mode), but otherwise works fine.

maybe there is an irq firing before VR finishes writing the list, dunno. the other games have not logged any unknown types so far.
User avatar
No.12348
SailorSat
Senior Tester
Jan 16, 2016, 00:50
After an intense (5 hours) nonstop 8 player action - I have 59 "unknown commands" in the logs - and not a single crash.
WingWar works fine too.

Did not test Virtua Fighter, and SWA is marked as non working anyway.