Viewing Issue Advanced Details
ID: 09339
Category: Crash/Freeze
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: 1 day ago
Last Update: 1 day ago
Tester: NekoEd
View Status: Public
Platform: MAME (Official Binary)
Assigned To: Duke
Resolution: Fixed
OS: Windows (x64)
Status: Resolved
Version: 0.283
Fixed in Version: 0.284GIT
Build: x64
Fixed in Git Commit: 2d94605
Summary: 09339: esp250c: MAME crashes when machine is started under certain circumstances
Description Attempting to launch machine 250C will cause MAME (Windows/x64) to crash with an ACCESS VIOLATION if launched from the built-in UI. It will NOT crash if launched directly from the command line. (This bug is not present on a self-compiled binary on macOS/ARM64.)
Steps To Reproduce 1. Start MAME with no machine argument to launch the built-in UI
2. Attempt to start machine 250C
3. After a delay with no output, MAME will crash
Additional Information:
-----------------------------------------------------
Exception at EIP=00007ff7d3eae3a3 ((anonymous namespace)::esp250c_state::screen_update(screen_device&, bitmap_rgb32&, rectangle const&)+0x00b3): ACCESS VIOLATION
While attempting to read memory at 0000029ab7f1c095
-----------------------------------------------------
RAX=0000029ab79c1640 RBX=0000009bd36f96d8 RCX=0000000000000055 RDX=000000000055aa55
RSI=0000009bd36f96dc RDI=0000000000000009 RBP=0000000000000002 RSP=0000009bd36f9660
 R8=0000000000550000 R9=0000029ab7278b80 R10=0000029aa0f1d320 R11=0000029ab746c670
R12=0000000000000001 R13=0000000000000000 R14=00000000ff000000 R15=0000029ab83b1040
-----------------------------------------------------
Stack crawl:
  0000009bd36f9720: 00007ff7d3eae3a3 ((anonymous namespace)::esp250c_state::screen_update(screen_device&, bitmap_rgb32&, rectangle const&)+0x00b3)
  0000009bd36f97c0: 00007ff7d71a71d0 (screen_device::update_partial(int)+0x0370)
  0000009bd36f9820: 00007ff7da8478aa (video_manager::finish_screen_updates()+0x00ca)
  0000009bd36f98b0: 00007ff7da849798 (video_manager::frame_update(bool)+0x01f8)
  0000009bd36f9920: 00007ff7d71a42c3 (screen_device::vblank_begin(int)+0x0233)
  0000009bd36f9990: 00007ff7d727172b (device_scheduler::timeslice()+0x014b)
  0000009bd36f9ae0: 00007ff7d726e86f (running_machine::run(bool)+0x01bf)
  0000009bd36ff0f0: 00007ff7da771e6b (mame_machine_manager::execute()+0x020b)
  0000009bd36ff4d0: 00007ff7de92fb39 (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x03c9)
  0000009bd36ff780: 00007ff7de9300ed (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x004d)
  0000009bd36ff7e0: 00007ff7da76c549 (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0029)
  0000009bd36ffbb0: 00007ff7e076a5dc (luaopen_lfs+0x1063b2c)
  0000009bd36ffc80: 00007ff7d30113b1 (__tmainCRTStartup+0x0231)
  0000009bd36ffcb0: 00007ff7d30114e6 (mainCRTStartup+0x0016)
  0000009bd36ffce0: 00007ffc1228e8d7 (BaseThreadInitThunk+0x0017)
  0000009bd36ffd30: 00007ffc13b4c53c (RtlUserThreadStart+0x002c)
Affected Sets / Systems esp250c
Relationships
There are no relationships linked to this issue.
Notes (2)
No.23950 - hap (Developer), 1 day ago
It crashes here from the command line after pressing SHIFT+F3 (hard reset) a couple of times.

uint32_t addr = get_u24le(&m_vram[y * 3]); // gets a 24 bit address, though m_vram is a 16 bit array
uint8_t code = m_vram[addr++]; // dangerous

// array out of bounds, when testing RAM I guess (filling it with 0x55/0xaa)
uint8_t code = m_vram[addr++ & 0xffff];
if (addr >= 0x10000) printf("%X\n", addr);

55AA7F
55AA80
55AA81
55AA82
55AA83
55AA84
55AA85
55AA86
55AA87
55AA88
55AA89
etc.
No.23951 - hap (Developer), 1 day ago
Easy fix is changing uint32_t addr to uint16_t addr, but I'll leave it up to Dirk.
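The following C++ is an added example, not MAME's code and not part of hap's notes: it models the indexing problem described in note No.23950 and the uint16_t fix proposed in No.23951. It assumes VRAM is a 64 KiB byte array and that the machine's RAM test fills it with a strict 0x55/0xAA alternation starting at offset 0; the function names, the std::optional checked read and the sample VRAM contents are constructed for the example. With that pattern, row 0 yields the 24-bit address 0x55AA55, which is also the value in RDX in the register dump above and the exact difference between the faulting address (0000029ab7f1c095) and RAX (0000029ab79c1640), consistent with a read at m_vram + 0x55AA55.

```cpp
// Added example (not MAME's code): the esp250c_state::screen_update indexing
// bug from the notes above, modelled on a constructed 64 KiB VRAM.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>

// Assumption: 16-bit addressed VRAM, i.e. 0x10000 bytes.
constexpr std::size_t VRAM_SIZE = 0x10000;
using vram_t = std::array<uint8_t, VRAM_SIZE>;

// Three little-endian bytes -> 24-bit value (same idea as MAME's get_u24le).
static uint32_t get_u24le(const uint8_t *p)
{
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16);
}

// Constructed input: VRAM as the self-test leaves it, alternating 0x55/0xAA.
static vram_t make_ram_test_vram()
{
    vram_t v{};
    for (std::size_t i = 0; i < v.size(); i++)
        v[i] = (i & 1) ? 0xAA : 0x55;
    return v;
}

// Buggy form: the row pointer is kept in a 32-bit variable, so all 24 bits
// of the value read from VRAM are used as an index into a 16-bit array.
static uint32_t buggy_row_addr(const vram_t &vram, int y)
{
    uint32_t addr = get_u24le(&vram[y * 3]);
    return addr;
}

// Fixed form (hap's suggestion): a uint16_t address wraps inside VRAM.
// Masking with & 0xffff on each access, as in the diagnostic snippet above,
// gives the same index.
static uint16_t fixed_row_addr(const vram_t &vram, int y)
{
    uint16_t addr = static_cast<uint16_t>(get_u24le(&vram[y * 3]));
    return addr;
}

// Checked read: report an out-of-bounds index instead of dereferencing it.
static std::optional<uint8_t> checked_read(const vram_t &vram, uint32_t addr)
{
    if (addr >= vram.size())
        return std::nullopt;
    return vram[addr];
}

int main()
{
    const vram_t vram = make_ram_test_vram();
    for (int y = 0; y < 2; y++)
    {
        uint32_t bad = buggy_row_addr(vram, y);
        uint16_t good = fixed_row_addr(vram, y);
        std::printf("row %d: 24-bit addr %06X (%s), uint16_t addr %04X\n",
                    y, bad, checked_read(vram, bad) ? "in bounds" : "OUT OF BOUNDS", good);
    }
    return 0;
}
```

Running the buggy path against the RAM-test pattern gives an index of 0x55AA55 for row 0, more than five megabytes past the end of a 64 KiB array; whether that read faults or silently returns garbage depends on what happens to be mapped after the allocation, which is why the crash reproduced from the UI and after repeated hard resets but not on every launch.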