08951: zx81: Several tapes cause MAME to crash

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
08951	Crash/Freeze	Critical (emulator)	Always	Nov 5, 2024, 14:48	6 days ago

Tester	Robbbert	View Status	Public	Platform	MAME (Self-compiled)
Assigned To	holub	Resolution	Fixed	OS	Windows 11/10 (64-bit)
Status [?]	Resolved			Driver	sinclair/zx.cpp
Version	0.271	Fixed in Version	0.281GIT	Build	64-bit
		Fixed in Git Commit	aa0651b	Github Pull Request #	#14137

Summary	08951: zx81: Several tapes cause MAME to crash
Description	While testing my loose software, it was noted that several tapes cause MAME to crash as soon as the emulation is started.
Steps To Reproduce	Enter this line, using the supplied file, and substituting your path. mame zx81 -cass "e:\data\sinclair\zx81\nw\(crash)grimm.p" It will immediately crash, before the screen can appear.
Additional Information	I do not know if these tapes are meant for this system, however even if that's the case, a crash should not occur. A number of examples have been included. C:\MAME>mame zx81 -cass "e:\data\sinclair\zx81\nw\(crash)grimm.p" Warning: layout view 'Keyboard Layout' contains deprecated cpanel element Warning: layout view 'Keyboard_Only' contains deprecated cpanel element Warning: layout view 'Keyboard Layout' contains deprecated cpanel element Warning: layout view 'Keyboard_Only' contains deprecated cpanel element ----------------------------------------------------- Exception at EIP=00007ff7cd67c758 (zx_state::~zx_state()+0x0188): ACCESS VIOLATION While attempting to write memory at 000001c6643aa000 ----------------------------------------------------- RAX=0000000000000000 RBX=000001c662f9e040 RCX=000001c6643a9ff8 RDX=000001c6643a9ff8 RSI=000001c662bab1cc RDI=000001c6643a9ff8 RBP=000001c662bab1d3 RSP=000000902d0f8db8 R8=0000000000000004 R9=0000000000000002 R10=0000000000000000 R11=0000000000000000 R12=00007ff7db63d888 R13=000001c662b468d0 R14=000001c662f9e040 R15=0000000000000000 ----------------------------------------------------- Stack crawl: 000000902d0f8db0: 00007ff7cd67c758 (zx_state::~zx_state()+0x0188) 000000902d0f8e00: 00007ff7cd67cd36 (zx81_cassette_fill_wave(short, int, unsigned char)+0x0166) 000000902d0f8f80: 00007ff7cdea41b8 (cassette_image::legacy_construct(cassette_image::LegacyWaveFiller const)+0x0328) 000000902d0f9010: 00007ff7cdea193c (cassette_image::open_choices(std::unique_ptr<util::random_read_write, std::default_delete<util::random_read_write> >&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, cassette_image::Format const const, int, std::unique_ptr<cassette_image, std::default_delete<cassette_image> >&)+0x010c) 000000902d0f9120: 00007ff7cac69f22 (cassette_image_device::internal_load(bool)+0x00c2) 000000902d0f9190: 00007ff7cac6a5e5 (non-virtual thunk to cassette_image_device::call_load[abi:cxx11]()+0x0035) 000000902d0f9240: 00007ff7caca363e (device_image_interface::finish_load[abi:cxx11]()+0x026e) 000000902d0f9360: 00007ff7cdc9b6fb (image_manager::postdevice_init()+0x017b) 000000902d0f9390: 00007ff7d50950c2 (luaopen_lfs+0x2709222) 000000902d0f94d0: 00007ff7ca9a3dc8 (device_t::start()+0x0698) 000000902d0f9620: 00007ff7cab36d9a (running_machine::start_all_devices()+0x014a) 000000902d0f9740: 00007ff7cab3ae31 (running_machine::start()+0x0a91) 000000902d0f98c0: 00007ff7cab3e3dc (running_machine::run(bool)+0x00cc) 000000902d0feee0: 00007ff7cdc6d15c (mame_machine_manager::execute()+0x024c) 000000902d0ff2d0: 00007ff7d195d49a (cli_frontend::start_execution(mame_machine_manager, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x03ea) 000000902d0ff5e0: 00007ff7d195daca (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x007a) 000000902d0ff640: 00007ff7cdc67f07 (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0027) 000000902d0ffa10: 00007ff7d35e6141 (luaopen_lfs+0xc5a2a1) 000000902d0ffa60: 00007ff7c6de12ee (__tmainCRTStartup+0x016e) 000000902d0ffa90: 00007ff7c6de1406 (mainCRTStartup+0x0016) 000000902d0ffac0: 00007ffd2c997374 (BaseThreadInitThunk+0x0014) 000000902d0ffb40: 00007ffd2cadcc91 (RtlUserThreadStart+0x0021)
Github Commit

Flags
Regression Version
Affected Sets / Systems	zx81

Attached Files	ZX81 crashers.zip (41,425 bytes) Nov 5, 2024, 14:48 Uploaded by Robbbert
Attached Files	(crash)VIDEO-IN.zip (1,935 bytes) 8 days ago Uploaded by Robbbert

No.22518 holub Tester Dec 3, 2024, 17:24	see: https://mametesters.org/view.php?id=8952#bugnotes
No.23648 holub Tester 8 days ago	fixed in https://github.com/mamedev/mame/pull/14134
No.23650 JimCarlTay Tester 8 days ago	Pull request #14134 merged as commit 571feba.
No.23655 Robbbert Moderator 8 days ago	Tested this, 2 still crash, the remainder loaded but do not run. Maybe they weren't really ZX81 programs. The crashing programs are called H.P and VIDEO-IN.P In a further test, H.P didn't crash but produced a message: Block requests 22239 bytes, but only 8161 available, and I got a white screen. VIDEO-IN.P crashed though, here's the dump C:\MAME>mame zx81 -cass e:\data\sinclair\zx81\nw\(crash)video-in.p Warning: layout view 'Keyboard Layout' contains deprecated cpanel element Warning: layout view 'Keyboard_Only' contains deprecated cpanel element Warning: layout view 'Keyboard Layout' contains deprecated cpanel element Warning: layout view 'Keyboard_Only' contains deprecated cpanel element ----------------------------------------------------- Exception at EIP=00007ff7189a4fd8 (zx81_cassette_calculate_size_in_samples(unsigned char const, int)+0x0038): ACCESS VIOLATION While attempting to read memory at 00000156121ee000 ----------------------------------------------------- RAX=0000000000002413 RBX=0000000000000000 RCX=00000156121ee000 RDX=0000000000000000 RSI=00000156121eb0c0 RDI=00007ff7189a4fa0 RBP=0000000000000bc0 RSP=00000010efcf8da0 R8=0000000000000000 R9=00000156121eeb70 R10=0000000000000000 R11=0000000000000bc0 R12=0000000000000bc0 R13=00000010efcf8e58 R14=000001561214b1f0 R15=00007ff724f08f40 ----------------------------------------------------- Stack crawl: 00000010efcf8da0: 00007ff7189a4fd8 (zx81_cassette_calculate_size_in_samples(unsigned char const, int)+0x0038) 00000010efcf8ea0: 00007ff7191b5726 (cassette_image::legacy_construct(cassette_image::LegacyWaveFiller const)+0x00f6) 00000010efcf8f30: 00007ff7191b38ac (cassette_image::open_choices(std::unique_ptr<util::random_read_write, std::default_delete<util::random_read_write> >&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, cassette_image::Format const const, int, std::unique_ptr<cassette_image, std::default_delete<cassette_image> >&)+0x010c) 00000010efcf9040: 00007ff715ceb342 (cassette_image_device::internal_load(bool)+0x00c2) 00000010efcf90b0: 00007ff715ceb9e5 (non-virtual thunk to cassette_image_device::call_load[abi:cxx11]()+0x0035) 00000010efcf9160: 00007ff715edf37e (device_image_interface::finish_load[abi:cxx11]()+0x026e) 00000010efcf9280: 00007ff718fa850b (image_manager::postdevice_init()+0x017b) 00000010efcf92b0: 00007ff720924062 (luaopen_lfs+0x2a66b42) 00000010efcf93f0: 00007ff715a27ee0 (device_t::start()+0x0660) 00000010efcf9540: 00007ff715bbbb3a (running_machine::start_all_devices()+0x014a) 00000010efcf9660: 00007ff715bbfb49 (running_machine::start()+0x0a89) 00000010efcf97e0: 00007ff715bc316c (running_machine::run(bool)+0x00cc) 00000010efcfee00: 00007ff718f7983c (mame_machine_manager::execute()+0x024c) 00000010efcff1f0: 00007ff71ce2675a (cli_frontend::start_execution(mame_machine_manager, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x03ea) 00000010efcff500: 00007ff71ce26d8a (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x007a) 00000010efcff560: 00007ff718f745d7 (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0027) 00000010efcff930: 00007ff71ec08621 (luaopen_lfs+0xd4b101) 00000010efcff980: 00007ff711d912ee (__tmainCRTStartup+0x016e) 00000010efcff9b0: 00007ff711d91406 (mainCRTStartup+0x0016) 00000010efcff9e0: 00007ffd06277374 (BaseThreadInitThunk+0x0014) 00000010efcffa60: 00007ffd063bcc91 (RtlUserThreadStart+0x0021) File attached. It's probably just a rubbish program, but still, it shouldn't crash.
No.23656 holub Tester 8 days ago	@Robbbert: Are you sure about "VIDEO-IN.P"? You don't have warning in your log which is suspicious. Here I have: ~/workspace/mame (master) » ./mamed zx81 -cass \(crash\)VIDEO-IN.P [LUA] emu.register_start is deprecated - please use emu.add_machine_reset_notifier Block requests 15024 bytes, but only 3008 available
No.23657 holub Tester 8 days ago	I think I know what happens to yours. Let's do strict data check: https://github.com/mamedev/mame/pull/14137
No.23658 Robbbert Moderator 8 days ago	The windows build has an unfortunate habit of not displaying error messages, especially things that cause fatal errors. This leads to machines that simply drop out for no apparent reason. I'm hoping that the devs can fix this one day.
No.23659 holub Tester 8 days ago	I'm refering to one which you have in the other examples "Block requests 15024 bytes, but only 3008 available". But seams like Windows guards access violation better than Linux - that's why I missed this in my first attempt. Now it must be clearly reported as "wrong image" without ability to load it regardless.
No.23660 JimCarlTay Tester 7 days ago	Pull request #14137 merged as commit aa0651b.
No.23662 Robbbert Moderator 7 days ago	Thanks for having another look. I will check it when I get back home in a day or so, and if good I will resolve this report.
No.23669 Robbbert Moderator 6 days ago	Tested, both H.P and VIDEO-IN.P were reported as invalid images, and so are rejected before they can cause a problem. So, all good.