Misc fixes and NES core update

* EmuFramework: Fix heap use after free when closing content from the menu
* GBA.emu: Prevent out of bounds SRAM writes
* NES.emu: Update core to FCEUX GIT 35218bd (2023.08.19), version 2.6.6

EmuFramework/src/gui/SystemActionsView.cc

@@ -243,7 +243,7 @@ SystemActionsView::SystemActionsView(ViewAttachParams attach, bool customMenu):
 			pushAndShowModal(makeView<YesNoAlertView>("Really close current content?",
 				YesNoAlertView::Delegates
 				{
-					.onYes = [this] { app().closeSystem(); } // pops any System Actions views in the stack
+					.onYes = [this] { app().closeSystem(); return false; } // pops any System Actions views in the stack
 				}), e);
 		}
 	}

GBA.emu/src/vbam/gba/Sram.cpp

@@ -16,6 +16,11 @@ void sramDelayedWrite(uint32_t address, uint8_t byte)
 
 void sramWrite(uint32_t address, uint8_t byte)
 {
+    if((address & 0xFFFF) >= flashSaveMemory.size())
+    {
+    	log("out of bounds SRAM write @ 0x%X data:0x%X SRAM Size:0x%X", address, byte, flashSaveMemory.size());
+      return;
+    }
     flashSaveMemory[address & 0xFFFF] = byte;
     systemSaveUpdateCounter = SYSTEM_SAVE_UPDATED;
 }

NES.emu/src/fceu/boards/coolgirl.cpp

@@ -16,11 +16,11 @@
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-* 
-* Very complicated homebrew multicart mapper with. 
-* The code is so obscured and weird because it's ported from Verilog CPLD source code: 
+*
+* Very complicated homebrew multicart mapper with.
+* The code is so obscured and weird because it's ported from Verilog CPLD source code:
 * https://github.com/ClusterM/coolgirl-famicom-multicart/blob/master/CoolGirl_mappers.vh
-* 
+*
 * Range: $5000-$5FFF
 *
 * Mask: $5007
@@ -107,8 +107,8 @@ const int CFI_CHIP = 0x13;
 
 static int CHR_SIZE = 0;
 static uint32 WRAM_SIZE = 0;
-static uint8 *WRAM = NULL;
-static uint8 *SAVE_FLASH = NULL;
+static uint8* WRAM = NULL;
+static uint8* SAVE_FLASH = NULL;
 static uint8* CFI;
 
 static uint8 sram_enabled = 0;
@@ -507,9 +507,8 @@ static DECLFW(COOLGIRL_Flash_Write) {
 			uint32 sector_address = sector * FLASH_SECTOR_SIZE;
 			for (uint32 i = sector_address; i < sector_address + FLASH_SECTOR_SIZE; i++)
 				SAVE_FLASH[i % SAVE_FLASH_SIZE] = 0xFF;
-			FCEU_printf("Flash sector #%d is erased: 0x%08x - 0x%08x.\n", sector, sector_address, sector_address + FLASH_SECTOR_SIZE - 1);
 			flash_state = 0;
-		}	
+		}
 
 		// write byte
 		if ((flash_state == 4) &&
@@ -555,7 +554,6 @@ static DECLFW(COOLGIRL_WRITE) {
 
 	if (A >= 0x5000 && A < 0x6000 && !lockout)
 	{
-		//FCEU_printf("Write: %02x => %04x\n", V, A);
 		switch (A & 7)
 		{
 		case 0:
@@ -571,7 +569,6 @@ static DECLFW(COOLGIRL_WRITE) {
 			// {chr_mask[18], prg_mask[20:14]} = cpu_data_in[7:0];
 			SET_BITS(chr_mask, "18", V, "7");
 			SET_BITS(prg_mask, "20:14", V, "6:0");
-			//FCEU_printf("REG_prg_mask: %02x\n", REG_prg_mask);
 			break;
 		case 3:
 			// {prg_mode[2:0], chr_bank_a[7:3]} = cpu_data_in[7:0];
@@ -884,7 +881,7 @@ static DECLFW(COOLGIRL_WRITE) {
 		if (mapper == 0b000100)
 		{
 			// prg_bank_a[5:1] = cpu_data_in[4:0];
-			SET_BITS(chr_bank_a, "5:1", V, "4:0");
+			SET_BITS(prg_bank_a, "5:1", V, "4:0");
 			// mirroring = { 1'b0, ~cpu_data_in[7]};
 			mirroring = get_bits(V, "7") ^ 1;
 		}
@@ -1174,7 +1171,6 @@ static DECLFW(COOLGIRL_WRITE) {
 
 		// Mapper #1 - MMC1
 		/*
-		r0 - load register
 		flag0 - 16KB of SRAM (SOROM)
 		*/
 		if (mapper == 0b010000)
@@ -1228,7 +1224,7 @@ static DECLFW(COOLGIRL_WRITE) {
 						SET_BITS(chr_bank_e, "6:2", mmc1_load_register, "5:1");
 						break;
 					case 0b11: // 2'b11
-						// prg_bank_a[4:1] = r0[4:1];
+						// prg_bank_a[4:1] = mmc1_load_register[4:1];
 						SET_BITS(prg_bank_a, "4:1", mmc1_load_register, "4:1");
 						// sram_enabled = ~mmc1_load_register[5];
 						sram_enabled = get_bits(mmc1_load_register, "5") ^ 1;
@@ -1395,9 +1391,6 @@ static DECLFW(COOLGIRL_WRITE) {
 		}
 
 		// Mapper #112
-		/*
-		r0[2:0] - internal register
-		*/
 		if (mapper == 0b010101)
 		{
 			switch (get_bits(A, "14:13"))
@@ -1462,6 +1455,7 @@ static DECLFW(COOLGIRL_WRITE) {
 			case 0b1100: // 4'b1100: if (flags[0]) mirroring = {1'b0, cpu_data_in[6]};	// $E000, mirroring, for mapper #48
 				if (flags & 1) // 48
 					mirroring = get_bits(V, "6"); // mirroring = cpu_data_in[6];
+				break;
 			case 0b1000: // 4'b1000: irq_scanline_latch = ~cpu_data_in; // $C000, IRQ latch
 				mmc3_irq_latch = set_bits(mmc3_irq_latch, "7:0", get_bits(V, "7:0") ^ 0b11111111);
 				break;
@@ -1811,7 +1805,7 @@ static DECLFW(COOLGIRL_WRITE) {
 							SET_BITS(chr_bank_c, "8:1", V, "7:0"); break; // 3'b001: chr_bank_c[8:1] <= cpu_data_in[7:0];
 						case 0b110:
 							SET_BITS(chr_bank_e, "8:1", V, "7:0"); break; // 3'b110: chr_bank_e[8:1] <= cpu_data_in[7:0];
-						case 0b111: 
+						case 0b111:
 							SET_BITS(chr_bank_g, "8:1", V, "7:0"); break; // 3'b111: chr_bank_g[8:1] <= cpu_data_in[7:0];
 						}
 					}
@@ -1961,32 +1955,19 @@ static void COOLGIRL_CpuCounter(int a) {
 		// Mapper #23 - VRC4
 		if (vrc4_irq_control & 2) // if (ENABLE_MAPPER_021_022_023_025 & ENABLE_VRC4_INTERRUPTS & (vrc4_irq_control[1]))
 		{
-			// Cycle mode without prescaler is not used by any games? It's missed in fceux source code.
-			if (vrc4_irq_control & 4) // if (vrc4_irq_control[2]) // cycle mode
+			vrc4_irq_prescaler++; // vrc4_irq_prescaler = vrc4_irq_prescaler + 1'b1; // count prescaler
+			// if ((vrc4_irq_prescaler_counter[1] == 0 && vrc4_irq_prescaler == 114)
+			//   || (vrc4_irq_prescaler_counter[1] == 1 && vrc4_irq_prescaler == 113)) // 114, 114, 113
+			if ((!(vrc4_irq_prescaler_counter & 2) && vrc4_irq_prescaler == 114) || ((vrc4_irq_prescaler_counter & 2) && vrc4_irq_prescaler == 113))
 			{
-				FCEU_PrintError("Cycle IRQ mode is not supported, please report to Cluster");
-				vrc4_irq_value++; // {carry, vrc4_irq_value[7:0]} = vrc4_irq_value[7:0] + 1'b1; // just count IRQ value
-				if (vrc4_irq_value == 0) // if (carry)
+				vrc4_irq_prescaler = 0; // vrc4_irq_prescaler = 0;
+				vrc4_irq_prescaler_counter++; // vrc4_irq_prescaler_counter = vrc4_irq_prescaler_counter + 1'b1;
+				if (vrc4_irq_prescaler_counter == 0b11) vrc4_irq_prescaler_counter = 0; // if (vrc4_irq_prescaler_counter == 2'b11) vrc4_irq_prescaler_counter =  2'b00;
+				vrc4_irq_value++; // {carry, vrc4_irq_value[7:0]} = vrc4_irq_value[7:0] + 1'b1;
+				if (vrc4_irq_value == 0) // f (carry)
 				{
-					X6502_IRQBegin(FCEU_IQEXT); // vrc4_irq_out = 1;					
-					vrc4_irq_value = vrc4_irq_latch; // vrc4_irq_value[7:0] = vrc4_irq_latch[7:0];
-				}
-			}
-			else {
-				vrc4_irq_prescaler++; // vrc4_irq_prescaler = vrc4_irq_prescaler + 1'b1; // count prescaler
-				// if ((vrc4_irq_prescaler_counter[1] == 0 && vrc4_irq_prescaler == 114)
-				//   || (vrc4_irq_prescaler_counter[1] == 1 && vrc4_irq_prescaler == 113)) // 114, 114, 113
-				if ((!(vrc4_irq_prescaler_counter & 2) && vrc4_irq_prescaler == 114) || ((vrc4_irq_prescaler_counter & 2) && vrc4_irq_prescaler == 113))
-				{
-					vrc4_irq_prescaler = 0; // vrc4_irq_prescaler = 0;
-					vrc4_irq_prescaler_counter++; // vrc4_irq_prescaler_counter = vrc4_irq_prescaler_counter + 1'b1;
-					if (vrc4_irq_prescaler_counter == 0b11) vrc4_irq_prescaler_counter = 0; // if (vrc4_irq_prescaler_counter == 2'b11) vrc4_irq_prescaler_counter =  2'b00;
-					vrc4_irq_value++; // {carry, vrc4_irq_value[7:0]} = vrc4_irq_value[7:0] + 1'b1;
-					if (vrc4_irq_value == 0) // f (carry)
-					{
-						X6502_IRQBegin(FCEU_IQEXT);
-						vrc4_irq_value = vrc4_irq_latch; // irq_cpu_value[7:0] = vrc4_irq_latch[7:0];
-					}
+					X6502_IRQBegin(FCEU_IQEXT);
+					vrc4_irq_value = vrc4_irq_latch; // irq_cpu_value[7:0] = vrc4_irq_latch[7:0];
 				}
 			}
 		}
@@ -2252,7 +2233,7 @@ static void COOLGIRL_Restore(int version) {
 
 #define ExState(var, varname) AddExState(&var, sizeof(var), 0, varname)
 
-void COOLGIRL_Init(CartInfo *info) {
+void COOLGIRL_Init(CartInfo* info) {
 	CHR_SIZE = info->vram_size ? info->vram_size /* NES 2.0 */ : 256 * 1024 /* UNIF, fixed */;
 
 	WRAM_SIZE = info->ines2 ? (info->wram_size + info->battery_wram_size) : (32 * 1024);
@@ -2263,7 +2244,7 @@ void COOLGIRL_Init(CartInfo *info) {
 		AddExState(WRAM, 32 * 1024, 0, "SRAM");
 		if (info->battery)
 		{
-			info->addSaveGameBuf( WRAM, 32 * 1024);
+			info->addSaveGameBuf(WRAM, 32 * 1024);
 		}
 	}
 
@@ -2272,7 +2253,7 @@ void COOLGIRL_Init(CartInfo *info) {
 		SAVE_FLASH = (uint8*)FCEU_gmalloc(SAVE_FLASH_SIZE);
 		SetupCartPRGMapping(FLASH_CHIP, SAVE_FLASH, SAVE_FLASH_SIZE, 1);
 		AddExState(SAVE_FLASH, SAVE_FLASH_SIZE, 0, "SAVF");
-		info->addSaveGameBuf( SAVE_FLASH, SAVE_FLASH_SIZE );
+		info->addSaveGameBuf(SAVE_FLASH, SAVE_FLASH_SIZE);
 	}
 
 	CFI = (uint8*)FCEU_gmalloc(sizeof(cfi_data) * 2);

NES.emu/src/fceu/fceu.cpp

@@ -36,6 +36,7 @@
 #include "unif.h"
 #include "cheat.h"
 #include "palette.h"
+#include "profiler.h"
 #include "state.h"
 #include "movie.h"
 #include "video.h"
@@ -716,6 +717,7 @@ extern unsigned int frameAdvHoldTimer;
 #if 0
 ///Skip may be passed in, if FRAMESKIP is #defined, to cause this to emulate more than one frame
 void FCEUI_Emulate(uint8 **pXBuf, int32 **SoundBuf, int32 *SoundBufSize, int skip) {
+	FCEU_PROFILE_FUNC(prof, "Emulate Single Frame");
 	//skip initiates frame skip if 1, or frame skip and sound skip if 2
 	FCEU_MAYBE_UNUSED int r;
 	int ssize;

NES.emu/src/fceu/fceulua.h

@@ -21,9 +21,6 @@ enum LuaMemHookType
 	LUAMEMHOOK_WRITE,
 	LUAMEMHOOK_READ,
 	LUAMEMHOOK_EXEC,
-	LUAMEMHOOK_WRITE_SUB,
-	LUAMEMHOOK_READ_SUB,
-	LUAMEMHOOK_EXEC_SUB,
 
 	LUAMEMHOOK_COUNT
 };

NES.emu/src/fceu/lua-engine.cpp

@@ -26,7 +26,6 @@
 #include "debug.h"
 #include "debugsymboltable.h"
 #include "sound.h"
-#include "drawing.h"
 #include "state.h"
 #include "movie.h"
 #include "driver.h"
@@ -319,10 +318,6 @@ static const char* luaMemHookTypeStrings [] =
 	"MEMHOOK_WRITE",
 	"MEMHOOK_READ",
 	"MEMHOOK_EXEC",
-
-	"MEMHOOK_WRITE_SUB",
-	"MEMHOOK_READ_SUB",
-	"MEMHOOK_EXEC_SUB",
 };
 
 //make sure we have the right number of strings
@@ -2431,53 +2426,17 @@ static int memory_registerHook(lua_State* L, LuaMemHookType hookType, int defaul
 	return 0;
 }
 
-LuaMemHookType MatchHookTypeToCPU(lua_State* L, LuaMemHookType hookType)
-{
-	int cpuID = 0;
-
-	int cpunameIndex = 0;
-	if(lua_type(L,2) == LUA_TSTRING)
-		cpunameIndex = 2;
-	else if(lua_type(L,3) == LUA_TSTRING)
-		cpunameIndex = 3;
-
-	if(cpunameIndex)
-	{
-		const char* cpuName = lua_tostring(L, cpunameIndex);
-		if(!stricmp(cpuName, "sub"))
-			cpuID = 1;
-		lua_remove(L, cpunameIndex);
-	}
-
-	switch(cpuID)
-	{
-	case 0:
-		return hookType;
-
-	case 1:
-		switch(hookType)
-		{
-		case LUAMEMHOOK_WRITE: return LUAMEMHOOK_WRITE_SUB;
-		case LUAMEMHOOK_READ: return LUAMEMHOOK_READ_SUB;
-		case LUAMEMHOOK_EXEC: return LUAMEMHOOK_EXEC_SUB;
-		default: return hookType;
-		}
-	}
-	return hookType;
-}
-
 static int memory_registerwrite(lua_State *L)
 {
-	return memory_registerHook(L, MatchHookTypeToCPU(L,LUAMEMHOOK_WRITE), 1);
+	return memory_registerHook(L, LUAMEMHOOK_WRITE, 1);
 }
-FCEU_MAYBE_UNUSED
 static int memory_registerread(lua_State *L)
 {
-	return memory_registerHook(L, MatchHookTypeToCPU(L,LUAMEMHOOK_READ), 1);
+	return memory_registerHook(L, LUAMEMHOOK_READ, 1);
 }
 static int memory_registerexec(lua_State *L)
 {
-	return memory_registerHook(L, MatchHookTypeToCPU(L,LUAMEMHOOK_EXEC), 1);
+	return memory_registerHook(L, LUAMEMHOOK_EXEC, 1);
 }
 
 //adelikat: table pulled from GENS.  credz nitsuja!
@@ -6137,7 +6096,7 @@ static const struct luaL_reg memorylib [] = {
 
 	// memory hooks
 	{"registerwrite", memory_registerwrite},
-	//{"registerread", memory_registerread}, TODO
+	{"registerread", memory_registerread},
 	{"registerexec", memory_registerexec},
 	// alternate names
 	{"register", memory_registerwrite},

NES.emu/src/fceu/ppu.cpp

@@ -1736,10 +1736,17 @@ void FCEUPPU_Reset(void) {
 void FCEUPPU_Power(void) {
 	int x;
 
-	memset(NTARAM, 0x00, 0x800);
-	memset(PALRAM, 0x00, 0x20);
-	memset(UPALRAM, 0x00, 0x03);
-	memset(SPRAM, 0x00, 0x100);
+	// initialize PPU memory regions according to settings
+	FCEU_MemoryRand(NTARAM, 0x800, true);
+	FCEU_MemoryRand(PALRAM, 0x20, true);
+	FCEU_MemoryRand(SPRAM, 0x100, true);
+	// palettes can only store values up to $3F, and PALRAM X4/X8/XC are mirrors of X0 for rendering purposes (UPALRAM is used for $2007 readback)
+	for (x = 0; x < 0x20; ++x) PALRAM[x] &= 0x3F;
+	UPALRAM[0] = PALRAM[0x04];
+	UPALRAM[1] = PALRAM[0x08];
+	UPALRAM[2] = PALRAM[0x0C];
+	PALRAM[0x0C] = PALRAM[0x08] = PALRAM[0x04] = PALRAM[0x00];
+	PALRAM[0x1C] = PALRAM[0x18] = PALRAM[0x14] = PALRAM[0x10];
 	FCEUPPU_Reset();
 
 	for (x = 0x2000; x < 0x4000; x += 8) {