Viewing Issue Advanced Details
Jump to Notes ]
thomson/thomson.cpp
ID Category [?] Severity [?] Reproducibility Date Submitted Last Update
05160 Crash/Freeze Critical (emulator) Always Feb 13, 2013, 15:33 May 22, 2013, 20:52
Tester Firewave View Status Public Platform MESS (Self-compiled)
Assigned To wilbert Resolution Fixed OS
Status [?] Resolved Driver
thomson/thomson.cpp
Version 0.148u1 Fixed in Version 0.149 Build Debug
Fixed in Git Commit Github Pull Request #
Summary MESS-specific 05160: to8, to8d: Access Violation with "-ramsize 262144 -cart 6809ass2"
Description 
-----------------------------------------------------
Exception at EIP=00000001407D6744 (+0x407d6744): ACCESS VIOLATION
While attempting to read memory at 00000000044D4000
-----------------------------------------------------
RAX=00000000044D4000 RBX=0000000000000000 RCX=0000000000040000 RDX=0000000000000000
RSI=0000000003E48858 RDI=0000000000136620 RBP=0000000000000000 RSP=00000000001365F0
 R8=0000000000000055  R9=00000000000000FF R10=FEFEFEFEFEFEFEFF R11=8080808080808080
R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
-----------------------------------------------------
Stack crawl:
  0000000000136620: 00000001407D6744 (to8_data_lo_w+0x0084, s:\svn\mame\src\mess\video\thomson.c:1304)
  0000000000136650: 00000001413F3424 (handler_entry_write::write_stub_legacy+0x0054, s:\svn\mame\src\emu\memory.c:5341)
  00000000001366A0: 000000014140179A (delegate_mfp::method_stub<handler_entry_write,void,address_space & __ptr64,unsigned int,unsigned char,unsigned char>+0x006a, s:\svn\mame\src\emu\delegate.h:338)
  00000000001366E0: 000000013FB327A6 (delegate_base<void,address_space & __ptr64,unsigned int,unsigned char,unsigned char,_noparam>::operator()+0x0056, s:\svn\mame\src\emu\delegate.h:543)
  0000000000136720: 000000014146B7D9 (handler_entry_write::write8+0x0059, s:\svn\mame\src\emu\memory.c:490)
  0000000000136770: 000000014146F4E3 (address_space_specific<unsigned char,1,0>::write_native+0x00d3, s:\svn\mame\src\emu\memory.c:1131)
  00000000001367A0: 000000014146BA92 (address_space_specific<unsigned char,1,0>::write_byte+0x0042, s:\svn\mame\src\emu\memory.c:1403)
  00000000001367D0: 0000000140C2FE64 (m6809_base_device::sta_ix+0x00d4, s:\svn\mame\src\emu\cpu\m680909ops.c:1815)
  0000000000136800: 0000000140C156A7 (m6809_base_device::execute_run+0x0167, s:\svn\mame\src\emu\cpu\m6809\m6809.c:755)
  0000000000136830: 0000000141558811 (device_execute_interface::run+0x0031, s:\svn\mame\src\emu\diexec.h:216)
  0000000000136950: 00000001415552E2 (device_scheduler::timeslice+0x0432, s:\svn\mame\src\emu\schedule.c:489)
  0000000000136EC0: 000000014157054C (running_machine::run+0x034c, s:\svn\mame\src\emu\machine.c:396)
  000000000013D640: 00000001413E40C8 (mame_execute+0x01f8, s:\svn\mame\src\emu\mame.c:190)
  000000000013F560: 000000014152293F (cli_frontend::execute+0x0a2f, s:\svn\mame\src\emu\clifront.c:258)
  000000000013FA50: 0000000141B44AAB (utf8_main+0x017b, s:\svn\mame\src\osd\windows\winmain.c:493)
  000000000013FA90: 0000000141B406E0 (wmain+0x00b0, s:\svn\mame\src\osd\windows\main.c:82)
  000000000013FAE0: 0000000141ADFC8C (__tmainCRTStartup+0x00ec, f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0.c:241)
  000000000013FB10: 0000000141ADFDCE (wmainCRTStartup+0x000e, f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0.c:164)
  000000000013FB40: 0000000076CE652D (BaseThreadInitThunk+0x000d)
  000000000013FB90: 000000007728C521 (RtlUserThreadStart+0x0021)
Steps To Reproduce
Additional Information
Github Commit
Flags
Regression Version
Affected Sets / Systems to8, to8d
Attached Files
  
Relationships
There are no relationship linked to this issue.
Notes
7
User avatar
No.09362
Firewave
Senior Tester
Feb 13, 2013, 15:35
 to8d crashes without stack trace

>	vmess64d.exe!to8_data_lo_w(address_space & space, unsigned int offset, unsigned char data, unsigned char mem_mask) Line 1304	C++
 	vmess64d.exe!handler_entry_write::write_stub_legacy(address_space & space, unsigned int offset, unsigned char data, unsigned char mask) Line 5341	C++
 	vmess64d.exe!delegate_mfp::method_stub<handler_entry_write,void,address_space & __ptr64,unsigned int,unsigned char,unsigned char>(delegate_generic_class * object, address_space & p1, unsigned int p2, unsigned char p3, unsigned char p4) Line 338	C++
 	vmess64d.exe!delegate_base<void,address_space & __ptr64,unsigned int,unsigned char,unsigned char,_noparam>::operator()(address_space & p1, unsigned int p2, unsigned char p3, unsigned char p4) Line 543	C++
 	vmess64d.exe!handler_entry_write::write8(address_space & space, unsigned int offset, unsigned char data, unsigned char mask) Line 490	C++
 	vmess64d.exe!address_space_specific<unsigned char,1,0>::write_native(unsigned int offset, unsigned char data) Line 1131	C++
 	vmess64d.exe!address_space_specific<unsigned char,1,0>::write_byte(unsigned int address, unsigned char data) Line 1403	C++
 	vmess64d.exe!m6809_base_device::sta_ix() Line 1815	C++
 	vmess64d.exe!m6809_base_device::execute_run() Line 755	C++
 	vmess64d.exe!device_execute_interface::run() Line 216	C++
 	vmess64d.exe!device_scheduler::timeslice() Line 489	C++
 	vmess64d.exe!running_machine::run(bool firstrun) Line 396	C++
 	vmess64d.exe!mame_execute(emu_options & options, osd_interface & osd) Line 190	C++
 	vmess64d.exe!cli_frontend::execute(int argc, char * * argv) Line 258	C++
 	vmess64d.exe!utf8_main(int argc, char * * argv) Line 493	C++
 	vmess64d.exe!wmain(int argc, wchar_t * * argv) Line 82	C++
 	vmess64d.exe!__tmainCRTStartup() Line 241	C
 	vmess64d.exe!wmainCRTStartup() Line 164	C
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown
User avatar
No.09373
Tafoid
Administrator
Feb 14, 2013, 11:58
 I don't get anything other than a hang on exit, which I need to ctrl-c out of command-box. I presume it would print some crawl otherwise.
User avatar
No.09421
Firewave
Senior Tester
Mar 9, 2013, 15:01
 
==48984== Invalid write of size 8
==48984==    at 0x1FA8423: resource_pool::remove(void*) (emualloc.c:361)
==48984==    by 0x205F406: simple_list<save_manager::state_entry>::remove(save_manager::state_entry&) (emutempl.h:234)
==48984==    by 0x205F2E5: simple_list<save_manager::state_entry>::reset() (emutempl.h:80)
==48984==    by 0x205F2A5: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F274: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F1CA: save_manager::~save_manager() (save.h:121)
==48984==    by 0x205B594: save_manager::~save_manager() (save.h:121)
==48984==    by 0x2057815: running_machine::~running_machine() (machine.c:211)
==48984==    by 0x2055C4E: mame_execute(emu_options&, osd_interface&) (mame.c:204)
==48984==    by 0x1F3E150: cli_frontend::execute(int, char**) (clifront.c:255)
==48984==    by 0x179D9B2: main (sdlmain.c:371)
==48984==  Address 0x8ddeef0 is 16 bytes inside a block of size 64 free'd
==48984==    at 0x670B7A6: free (vg_replace_malloc.c:446)
==48984==    by 0x2644534: osd_free (sdlos_unix.c:115)
==48984==    by 0x1FA7ADB: free_file_line(void*, char const*, int) (emualloc.c:214)
==48984==    by 0x20DDF4F: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:131)
==48984==    by 0x1FA8497: resource_pool::remove(void*) (emualloc.c:372)
==48984==    by 0x205F406: simple_list<save_manager::state_entry>::remove(save_manager::state_entry&) (emutempl.h:234)
==48984==    by 0x205F2E5: simple_list<save_manager::state_entry>::reset() (emutempl.h:80)
==48984==    by 0x205F2A5: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F274: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F1CA: save_manager::~save_manager() (save.h:121)
==48984==    by 0x205B594: save_manager::~save_manager() (save.h:121)
==48984==    by 0x2057815: running_machine::~running_machine() (machine.c:211)
==48984== 
==48984== Invalid write of size 8
==48984==    at 0x1FA845E: resource_pool::remove(void*) (emualloc.c:365)
==48984==    by 0x1FA80D5: resource_pool::clear() (emualloc.c:442)
==48984==    by 0x1FA8009: resource_pool::~resource_pool() (emualloc.c:273)
==48984==    by 0x20578E0: running_machine::~running_machine() (machine.c:211)
==48984==    by 0x2055C4E: mame_execute(emu_options&, osd_interface&) (mame.c:204)
==48984==    by 0x1F3E150: cli_frontend::execute(int, char**) (clifront.c:255)
==48984==    by 0x179D9B2: main (sdlmain.c:371)
==48984==  Address 0x8ddf0c2 is 50 bytes inside a block of size 112 free'd
==48984==    at 0x670B7A6: free (vg_replace_malloc.c:446)
==48984==    by 0x2644534: osd_free (sdlos_unix.c:115)
==48984==    by 0x1FA7ADB: free_file_line(void*, char const*, int) (emualloc.c:214)
==48984==    by 0x20DE039: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:131)
==48984==    by 0x20DDF04: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:247)
==48984==    by 0x20DDF27: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:247)
==48984==    by 0x1FA8497: resource_pool::remove(void*) (emualloc.c:372)
==48984==    by 0x205F406: simple_list<save_manager::state_entry>::remove(save_manager::state_entry&) (emutempl.h:234)
==48984==    by 0x205F2E5: simple_list<save_manager::state_entry>::reset() (emutempl.h:80)
==48984==    by 0x205F2A5: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F274: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F1CA: save_manager::~save_manager() (save.h:121)
==48984== 
==48984== Invalid read of size 8
==48984==    at 0x1FA80CA: resource_pool::clear() (emualloc.c:442)
==48984==    by 0x1FA8009: resource_pool::~resource_pool() (emualloc.c:273)
==48984==    by 0x20578E0: running_machine::~running_machine() (machine.c:211)
==48984==    by 0x2055C4E: mame_execute(emu_options&, osd_interface&) (mame.c:204)
==48984==    by 0x1F3E150: cli_frontend::execute(int, char**) (clifront.c:255)
==48984==    by 0x179D9B2: main (sdlmain.c:371)
==48984==  Address 0x8ddf0ca is 58 bytes inside a block of size 112 free'd
==48984==    at 0x670B7A6: free (vg_replace_malloc.c:446)
==48984==    by 0x2644534: osd_free (sdlos_unix.c:115)
==48984==    by 0x1FA7ADB: free_file_line(void*, char const*, int) (emualloc.c:214)
==48984==    by 0x20DE039: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:131)
==48984==    by 0x20DDF04: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:247)
==48984==    by 0x20DDF27: resource_pool_object<save_manager::state_entry>::~resource_pool_object() (emualloc.h:247)
==48984==    by 0x1FA8497: resource_pool::remove(void*) (emualloc.c:372)
==48984==    by 0x205F406: simple_list<save_manager::state_entry>::remove(save_manager::state_entry&) (emutempl.h:234)
==48984==    by 0x205F2E5: simple_list<save_manager::state_entry>::reset() (emutempl.h:80)
==48984==    by 0x205F2A5: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F274: simple_list<save_manager::state_entry>::~simple_list() (emutempl.h:68)
==48984==    by 0x205F1CA: save_manager::~save_manager() (save.h:121)
User avatar
No.09422
Firewave
Senior Tester
Mar 9, 2013, 15:07
 The problem is, that it tries to start accessing m_thom_vram at 0x42000, but it only has a size of 0x40000 since it is the RAM as specified via the options.
User avatar
No.09530
Firewave
Senior Tester
May 22, 2013, 18:44
 Also confirmed when running with ASAN. I think three compilers is enough to confirm this.
User avatar
No.09535
wilbert
Developer
May 22, 2013, 19:14
 Can you please check again against revision 23054?
User avatar
No.09536
Firewave
Senior Tester
May 22, 2013, 20:52
 Fixed in r23057.