ID: 06894
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Feb 27, 2018, 20:43
Last Update: Mar 14, 2018, 23:23
Tester: Tafoid
View Status: Public
Platform: MAME (Official Binary)
Resolution: Fixed
OS: Windows Vista/7/8 (64-bit)
Status: Resolved
Driver: taito_f3.cpp
Version: 0.195
Fixed in Version: 0.196
Build: 64-bit
Summary: 06894: ridingf, ringrage and clones: Exception after logo is displayed
Description

-----------------------------------------------------
Exception at EIP=00000000024d79ee (es5510_device::host_w(address_space&, unsigned int, unsigned char, unsigned char)+0x041e): ACCESS VIOLATION
While attempting to write memory at 000000000f53aae0
-----------------------------------------------------
RAX=0000000000008001 RBX=00000000187db980 RCX=000000000f140040 RDX=000000001841a720
RSI=00000000000000ff RDI=00000000000000ff RBP=0000000000228150 RSP=0000000000228130
 R8=000000000000000f R9=00000000001fbf00 R10=000000000f140040 R11=000000000000001e
R12=000000001841a720 R13=000000000000000f R14=0000000000001f1f R15=000000000a70d370
-----------------------------------------------------
Stack crawl:
  0000000000228130: 00000000024d79ee (es5510_device::host_w(address_space&, unsigned int, unsigned char, unsigned char)+0x041e)
  00000000002281a0: 00000000051caff4 (delegate_base<void, address_space&, unsigned int, unsigned char, unsigned char>::operator()(address_space&, unsigned int, unsigned char, unsigned char) const+0x0054)
  0000000000228210: 00000000035a2f4c (handler_entry_write::write_stub_16(address_space&, unsigned int, unsigned short, unsigned short)+0x018c)
  0000000000228260: 00000000051cb0b6 (delegate_base<void, address_space&, unsigned int, unsigned short, unsigned short>::operator()(address_space&, unsigned int, unsigned short, unsigned short) const+0x0056)
  00000000002282a0: 0000000004a1f624 (address_space_specific<unsigned short, (endianness_t)1, 0, true>::write_native(unsigned int, unsigned short, unsigned short)+0x00a4)
  00000000002282d0: 0000000004a1f118 (address_space_specific<unsigned short, (endianness_t)1, 0, true>::write_word(unsigned int, unsigned short, unsigned short)+0x0018)
  0000000000228300: 000000000279ad6f (m68000_base_device::m68000_write_byte(unsigned int, unsigned char)+0x003f)
  0000000000228340: 00000000051cb15a (delegate_base<void, unsigned int, unsigned char>::operator()(unsigned int, unsigned char) const+0x003a)
  0000000000228390: 0000000002805be5 (m68000_base_device::m68k_op_move_8_di_pi7()+0x0095)
  0000000000228460: 000000000279d579 (m68000_base_device::execute_run()+0x0189)
  0000000000228510: 000000000363bc48 (device_scheduler::timeslice()+0x0288)
  00000000002285b0: 00000000035f7eb8 (running_machine::run(bool)+0x0118)
  000000000022f210: 0000000001e9b44a (mame_machine_manager::execute()+0x020a)
  000000000022f4c0: 0000000001f094e4 (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x03f4)
  000000000022f630: 0000000001f099a5 (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0045)
  000000000022f690: 0000000001e993fa (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x002a)
  000000000022fe50: 00000000070a102d (main+0x016d)
  000000000022ff20: 00000000004013f7 (__tmainCRTStartup+0x0247)
  000000000022ff50: 000000000040152b (mainCRTStartup+0x001b)
  000000000022ff80: 00000000776d59cd (BaseThreadInitThunk+0x000d)
  000000000022ffd0: 000000007790a561 (RtlUserThreadStart+0x0021)
Steps To Reproduce:
Additional Information: If it doesn't crash normally, it will almost certainly when you unthrottle emulation or use Fast Forward

Fallout from the following commits:
https://github.com/mamedev/mame/commit/4aa6f2a3429868945510181c1415885d97852ca8
https://github.com/mamedev/mame/commit/35d46f44df59aefadfccc5f0767e11355a33b4e1
Regression Version: 0.195
Affected Sets / Systems: ridingf, ringrage and clones
Relationships: There are no relationships linked to this issue.
Notes (4)
No.14791 Robbbert (Developer), Feb 27, 2018, 22:49
The problem is a buffer overflow in the new ES5510 device.

The array "dram" is size 0x100000, but it tries to write much data to 0x1Fxxxx, at which point it crashes.

I don't know if "dram" needs to be doubled in size, or if the reads & writes need to be masked.
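The out-of-bounds write described in this note, modelled in C as an added example (this is not MAME's es5510 code): a 0x100000-entry array, the unguarded index that a 0x1Fxxxx address pushes past it, and the two remedies the note weighs, masking the address and doubling the array, alongside a checked write that refuses and counts bad addresses. The struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the overflow in note 14791, not MAME's es5510 code:
 * a heap-allocated DRAM array indexed by a guest-supplied address. */
#define DRAM_WORDS_0195    0x100000u  /* array size when the crash occurred */
#define DRAM_WORDS_DOUBLED 0x200000u  /* the "double it" option from the note */

typedef struct {
    uint32_t *dram;
    uint32_t  words;    /* entry count; a power of two so masking works */
    uint32_t  dropped;  /* writes refused by the checked path */
} dram_model;

static int dram_init(dram_model *m, uint32_t words)
{
    m->dram = calloc(words, sizeof *m->dram);
    m->words = words;
    m->dropped = 0;
    return m->dram != NULL;
}

static void dram_free(dram_model *m) { free(m->dram); m->dram = NULL; }

/* The unguarded pattern: an address >= words indexes past the allocation
 * (0x1Fxxxx against a 0x100000-entry array, as in the note).  Modelled as
 * a predicate rather than performed, since doing it is undefined behaviour. */
static int dram_write_would_overflow(const dram_model *m, uint32_t addr)
{
    return addr >= m->words;
}

/* The masking option: the address always lands inside the array; whether
 * the real chip aliases high address bits this way is the open question. */
static uint32_t dram_write_masked(dram_model *m, uint32_t addr, uint32_t value)
{
    uint32_t idx = addr & (m->words - 1);
    m->dram[idx] = value;
    return idx;  /* where the write actually went */
}

/* Defensive alternative: refuse and count out-of-range writes so a
 * misbehaving guest becomes visible instead of corrupting host memory. */
static int dram_write_checked(dram_model *m, uint32_t addr, uint32_t value)
{
    if (addr >= m->words) { m->dropped++; return 0; }
    m->dram[addr] = value;
    return 1;
}
```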
No.14836 Robbbert (Developer), Mar 14, 2018, 22:52
This seems to be fixed now? Can someone confirm?
No.14837 Tafoid (Administrator), Mar 14, 2018, 23:23
Seems to be... Suspect fixing revision is this:
https://github.com/mamedev/mame/commit/25472091b626bd01ef47f11389a4b2ebe0fc0008
No.14838 Tafoid (Administrator), Mar 14, 2018, 23:23
Fixed by cam900