Viewing Issue Advanced Details
ID: 00111
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Have not tried
Date Submitted: Jan 22, 2008, 06:32
Last Update: Jan 12, 2010, 15:09
Tester: Karasu
View Status: Public
Resolution: Fixed
Status: Resolved
Version: 0.63
Fixed in Version: 0.136u1
Summary: 00111: gunbird2: crashes during the 4th level boss fight (North Pole) when using Vampiro.
Description: gunbird2 crashes during the 4th level boss fight (North Pole) when using Vampiro. Note that this doesn't happen on all PCs; only half the testers can reproduce it. Any random crashes in PsikyoSH are likely to be sound overflows.

Program received signal SIGSEGV, Segmentation fault.
0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0,
outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
261 sample = rombase[slot->startaddr + (slot->stepptr>>16)]<<8;
(gdb) bt
#0 0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0,
outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
#1 0x004bd1b0 in stream_generate_samples (stream=0x3ef548, samples=735)
at src/sound/streams.c:562
#2 0x004bd0d8 in stream_generate_samples (stream=0x3ef8b0, samples=735)
at src/sound/streams.c:539
#3 0x004bcff8 in stream_consume_output (stream=0x3ef8b0, outputnum=0,
samples=735) at src/sound/streams.c:478
#4 0x004a1417 in sound_frame_update () at src/sndintrf.c:1168
#5 0x00487c39 in updatescreen () at src/mame.c:1364
#6 0x00436767 in cpu_vblankcallback (param=0) at src/cpuexec.c:1961
#7 0x004ad932 in mame_timer_set_global_time (newbase=
{seconds = 509, subseconds = 466666666666646288}) at src/timer.c:404
#8 0x00434c03 in cpu_timeslice () at src/cpuexec.c:1093
#9 0x00433a91 in cpu_run () at src/cpuexec.c:477
#10 0x00486a43 in run_machine_core () at src/mame.c:598
#11 0x004868e2 in run_machine () at src/mame.c:529
#12 0x004865f9 in run_game (game=4980) at src/mame.c:361
#13 0x008c1143 in main (argc=3, argv=0x3e26d0) at src/windows/winmain.c:211
#14 0x004011e7 in _end__ ()
#15 0x00401238 in mainCRTStartup ()
#16 0x7c816d4f in _libwinmm_a_iname ()
(gdb)
I think this should be useful to Mr. Belmont, because the crash is caused by the ymf278b sound chip core. Also Reip told us that the program reads outside the sound region and crashes, and he would like to know if what is done in the same driver for s1945ii and s1945iii could be applied to this game too.
I mean the following ROM_RELOAD, commented in the source:
ROM_REGION( 0x800000, REGION_SOUND1, 0 ) /* Samples */
    ROM_LOAD( "sound.u9", 0x000000, 0x400000, CRC(f19796ab) SHA1(b978f0550ebd675e8ce9d9edcfcc3f6214e49e8b) )
    ROM_RELOAD ( 0x400000, 0x400000 )
    /* 0x400000 - 0x7fffff allocated but left blank, it randomly reads from here on the
       Iron Casket level causing a crash otherwise, not sure why, bug in the sound emulation? */
I wonder if the s1945 sound loop bug and tengai062gre could also be fixed in a similar way.
Steps To Reproduce:
Additional Information: Gunbird2 backtrace from Layne (0.102u1)
C:\>cd MAMESRC

C:\MAMESRC>path=C:\mingw\bin;%PATH%

C:\MAMESRC>gdb mame
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-mingw32"...
(gdb) run gunbird2 -window
Starting program: C:\MAMESRC/mame.exe gunbird2 -window

Program received signal SIGSEGV, Segmentation fault.
0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0,
outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
261 sample = rombase[slot->startaddr + (slot->stepptr>>16)]<<8;
(gdb) bt
#0 0x0088d099 in ymf278b_pcm_update (param=0x3ede78, inputs=0x0,
outputs=0x3ef5d8, length=735) at src/sound/ymf278b.c:261
#1 0x004bd1b0 in stream_generate_samples (stream=0x3ef548, samples=735)
at src/sound/streams.c:562
#2 0x004bd0d8 in stream_generate_samples (stream=0x3ef8b0, samples=735)
at src/sound/streams.c:539
#3 0x004bcff8 in stream_consume_output (stream=0x3ef8b0, outputnum=0,
samples=735) at src/sound/streams.c:478
#4 0x004a1417 in sound_frame_update () at src/sndintrf.c:1168
#5 0x00487c39 in updatescreen () at src/mame.c:1364
#6 0x00436767 in cpu_vblankcallback (param=0) at src/cpuexec.c:1961
#7 0x004ad932 in mame_timer_set_global_time (newbase=
{seconds = 1486, subseconds = 16666666666607226}) at src/timer.c:404
#8 0x00434c03 in cpu_timeslice () at src/cpuexec.c:1093
#9 0x00433a91 in cpu_run () at src/cpuexec.c:477
#10 0x00486a43 in run_machine_core () at src/mame.c:598
#11 0x004868e2 in run_machine () at src/mame.c:529
#12 0x004865f9 in run_game (game=4980) at src/mame.c:361
#13 0x008c1143 in main (argc=3, argv=0x3e26d0) at src/windows/winmain.c:211
#14 0x004011e7 in _end__ ()
#15 0x00401238 in mainCRTStartup ()
#16 0x7c816d4f in _libwinmm_a_iname ()
(gdb) print slot
 = (YMF278BSlot *) 0x3ee2ec
(gdb)
Flags: Verified with Code
Affected Sets / Systems: gunbird2
Relationships: There are no relationships linked to this issue.
Notes (18)
No.01317 robiza (Developer), Jun 18, 2008, 18:24
Can someone check if this bug is present in the latest version of MAME?
No.01318 Layne (Tester), Jun 18, 2008, 20:49
Yes, it still crashes; just verified now in MAME 0.125u6.
No.01451 robiza (Developer), Jun 30, 2008, 13:12
Can someone try removing the 3 if statements and verify whether the bug is still present?
In my personal build the bug seems fixed.

static READ32_HANDLER( gunbird2_speedup_r )
{
    /*
    Idle loop that this speedup handler detects:
    PC : 06028972: MOV.L @R14,R3 // r14 is 604000c on this one
    PC : 06028974: MOV.L @($D4,PC),R1
    PC : 06028976: ADD #$01,R3
    PC : 06028978: MOV.L R3,@R14
    PC : 0602897A: MOV.L @R1,R2
    PC : 0602897C: TST R2,R2
    PC : 0602897E: BT $06028972
    */
    /* When the CPU is sitting in one of the known idle loops, skip ahead to the
       next interrupt instead of burning cycles. */
    if (activecpu_get_pc()==0x06028974) cpu_spinuntil_int();
    if (activecpu_get_pc()==0x06028E64) cpu_spinuntil_int();
    if (activecpu_get_pc()==0x06028BE6) cpu_spinuntil_int();

    /* Return the RAM word the loop polls. */
    return psh_ram[0x04000C/4];
}
No.01454 Haze (Senior Tester), Jun 30, 2008, 15:10
It's not related to the speedups; the sound core reads past the end of memory.

It doesn't reliably reproduce anyway. I've not seen it for years, and even then, only ever in Strikers 1945 II, not Gunbird.
No.01456 robiza (Developer), Jun 30, 2008, 17:39
With current MAME the bug is present; sometimes the bug appears at the start of the 5th level, sometimes in the boss stage of the 4th level.

The use of cpu_spinuntil_int(), I think, can in some circumstances modify the natural sync of the sound data stream; the bug appears to me very similar to the toaplan2 sound bug (in toaplan2 the cause of the bug was the abuse of cpu_yield).

If I'm wrong, we can use the same hack used in 1945ii.
No.01457 Haze (Senior Tester), Jun 30, 2008, 18:02
I know there was an old bug in MAME that sometimes caused invalid values to be passed to the sound cores... it was worked around for Streets Of Rage 2 in HazeMD. I wonder if it's been reintroduced.

As I said, I've not seen it crash for years, so... you're on your own. The other option would be to simply make the sound core 'safe' so that even if it does get passed invalid offsets, it won't crash.
No.01859 Layne (Tester), Jul 31, 2008, 17:57
Just tested 250 consecutive times in MAME 0.126u3; finally it's fixed and the crash doesn't happen any more!
No.01866 Haze (Senior Tester), Jul 31, 2008, 21:10
Well, it was a timing thing... which only occurred on certain machines, because of freak conditions... so I guess any change is liable to make it appear 'fixed'. I never saw it, so it's hard to really say.
No.01868 Tafoid (Administrator), Jul 31, 2008, 21:22
I'll confirm this at this time. We don't have a confirmed fix version, but I'll put 0.126u3.
No.01871 robiza (Developer), Jul 31, 2008, 21:50 (edited Aug 1, 2008, 07:00)
126u2 is the fixed version.
No.02815 Layne (Tester), Oct 13, 2008, 21:05
Bug needs to be re-opened; the crash is still present in 0.127u8. I can repro it easily.
No.02817 Haze (Senior Tester), Oct 13, 2008, 21:12 (edited Oct 13, 2008, 21:13)
I told you... it's never been fixed, although it never reproduces here. It's some combination of odd conditions that causes the sound core to crash, probably requesting invalid samples. It's always out-of-bounds reads, probably due to MAME making bad requests.
No.02841 Tafoid (Administrator), Oct 14, 2008, 14:13
Reopened by Robiza
No.02843 Smitdogg (Senior Tester), Oct 14, 2008, 17:07
Whoever can reproduce it, try to make an inp and attach it. I tried and it doesn't crash on my PC.
No.02844 Haze (Senior Tester), Oct 14, 2008, 17:53
The inp will probably get cut off due to the crash, before it crashes, thus not reproducing it... Reminds me a lot of the Streets of Rage 2 bug where MAME would request a completely invalid # of samples for no apparent reason at all.
No.02845 Layne (Tester), Oct 14, 2008, 20:17
I agree with Haze, it's impossible to reproduce the crash using a savestate, I've tried a lot of times. It's really hard to get a backtrace too, but luckily we have at least this proof.
No.05491 Tourniquet (Developer), Jan 11, 2010, 18:58
I have a reasonable-looking fix for this. The ymf278b core appears to have an overrun for the first sample (j=0); if this is the last sample in the ROM then it can overrun the mem region.

Mailed R.Belmont to confirm fix looks reasonable.
No.05497 Tourniquet (Developer), Jan 12, 2010, 15:07
Fixed in r7982. If it still occurs it will now happen in s1945ii, s1945iii, gunbird2, dragnblz, and most of the other psikyosh games since the workarounds were removed. Still very random and hard to reproduce - also evades state saves.
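The thread's crash site is the sample fetch `rombase[slot->startaddr + (slot->stepptr>>16)]<<8` from the backtrace, reading past the end of the sound region when a slot starts at the last ROM byte (Tourniquet's j=0 case) or when the core is handed bad offsets (Haze's remark). The description's ROM_RELOAD works around this by padding the region; the other direction Haze mentions is making the fetch itself safe. The C below is an added illustration of that second approach, not MAME's code and not the r7982 fix: `pcm_slot_t`, `sample_rom_t`, the function names and the 16-byte `demo_rom` are all constructed for this example. It carries the ROM as (pointer, length), returns silence for an out-of-range offset, and counts such reads so they can be logged rather than crash the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified PCM slot: only the two fields the crashing fetch
 * in the backtrace uses. This is not MAME's YMF278BSlot. */
typedef struct {
    uint32_t startaddr;  /* byte offset of the sample's first byte in the ROM */
    uint32_t stepptr;    /* 16.16 fixed-point play position within the sample */
} pcm_slot_t;

/* The sample ROM carried as (pointer, length) instead of a bare pointer, so a
 * fetch can be checked against the mapped size. oob_reads counts fetches that
 * fell outside the region; that is the value to log or expose as a counter. */
typedef struct {
    const int8_t *base;      /* 8-bit signed PCM data */
    size_t size;             /* bytes mapped */
    unsigned long oob_reads;
} sample_rom_t;

/* Same offset arithmetic as ymf278b.c:261 in the backtrace. uint32_t wraps
 * modulo 2^32, so the sum can never go negative, only large. */
static uint32_t slot_offset(const pcm_slot_t *slot)
{
    return slot->startaddr + (slot->stepptr >> 16);
}

/* Unchecked fetch: the pattern from the backtrace. Any offset >= rom->size
 * reads past the allocation. Kept only for comparison on in-range offsets. */
static int16_t fetch_sample_unchecked(const sample_rom_t *rom, const pcm_slot_t *slot)
{
    /* "* 256" is the original's "<< 8" without left-shifting a negative value,
     * which C leaves undefined. */
    return (int16_t)(rom->base[slot_offset(slot)] * 256);
}

/* Checked fetch: identical for in-range offsets; out-of-range offsets (and an
 * unmapped ROM) yield silence and bump the counter instead of touching memory. */
static int16_t fetch_sample_checked(sample_rom_t *rom, const pcm_slot_t *slot)
{
    uint32_t offset = slot_offset(slot);
    if (rom->base == NULL || offset >= rom->size) {
        rom->oob_reads++;
        return 0;
    }
    return (int16_t)(rom->base[offset] * 256);
}

/* Render `count` samples from `slot`, advancing the 16.16 position by `step`
 * each time. Returns how many fetches were out of range during this call. */
static unsigned long render_slot(sample_rom_t *rom, pcm_slot_t *slot, uint32_t step,
                                 int16_t *out, size_t count)
{
    unsigned long before = rom->oob_reads;
    for (size_t i = 0; i < count; i++) {
        out[i] = fetch_sample_checked(rom, slot);
        slot->stepptr += step;
    }
    return rom->oob_reads - before;
}

/* Constructed 16-byte sample ROM for the demo; not real game data. */
static const int8_t demo_rom[16] = {
       0,   16,   32,   48,   64,   80,   96,  112,
    -128, -112,  -96,  -80,  -64,  -48,  -32,  -16
};

/* The case from the thread: a slot whose data starts at the very last ROM byte.
 * With a step of 1.0 per sample, offsets 15, 16, 17, 18 are fetched; only the
 * first is inside the region. Returns the number of suppressed reads (3). */
static unsigned long demo_last_sample_overrun(void)
{
    sample_rom_t rom = { demo_rom, sizeof demo_rom, 0 };
    pcm_slot_t slot = { 15, 0 };
    int16_t out[4];
    return render_slot(&rom, &slot, 1u << 16, out, 4);
}

int main(void)
{
    printf("out-of-range fetches suppressed: %lu\n", demo_last_sample_overrun());
    return 0;
}
```

The check costs one compare per sample, and because the counter is separate from the audio output a non-zero `oob_reads` after a frame is exactly the condition the thread could never capture in an inp or save state: a bad offset arriving at the core, now recorded instead of faulting.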