mame crashes in dasm_read_imm_16 when running HP9000/330

[ghost]

Hi,

i'm seeing the following mame crash when running mame with -debug:

Thread 1 "hp9k_3xx64" received signal SIGSEGV, Segmentation fault.
0x0000555555e5acb0 in dasm_read_imm_16 (advance=2) at ../../../../../src/devices/cpu/m68000/m68kdasm.cpp:257
257 result = (g_rawop[g_cpu_pc + 0 - g_rawbasepc] << 8) |
(gdb) bt
#0 0x0000555555e5acb0 in dasm_read_imm_16 (advance=2) at ../../../../../src/devices/cpu/m68000/m68kdasm.cpp:257
#1 0x0000555555e65690 in m68k_disassemble (stream=..., pc=35271, cpu_type=5) at ../../../../../src/devices/cpu/m68000/m68kdasm.cpp:3875
#2 0x0000555555e6573b in m68k_disassemble_raw (stream=..., pc=35271, opdata=0x7ffffffff000 <error: Cannot access memory at address 0x7ffffffff000>,
argdata=0x7ffffffff400 <error: Cannot access memory at address 0x7ffffffff400>, cpu_type=5) at ../../../../../src/devices/cpu/m68000/m68kdasm.cpp:3901
#3 0x0000555555ab3866 in cpu_disassemble_dasm_m68020 (device=0x555556fd6930, stream=..., pc=35271, oprom=0x7ffffffff000 <error: Cannot access memory at address 0x7ffffffff000>,
opram=0x7ffffffff400 <error: Cannot access memory at address 0x7ffffffff400>, options=0) at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:2153
#4 0x0000555555ab3d2e in m68020pmmu_device::disasm_disassemble (this=0x555556fd6930, stream=..., pc=35271,
oprom=0x7ffffffff000 <error: Cannot access memory at address 0x7ffffffff000>, opram=0x7ffffffff400 <error: Cannot access memory at address 0x7ffffffff400>, options=0)
at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:2200
#5 0x0000555555bee409 in device_disasm_interface::disassemble (this=0x555556fd8d08, stream=..., pc=35271,
oprom=0x7ffffffff000 <error: Cannot access memory at address 0x7ffffffff000>, opram=0x7ffffffff400 <error: Cannot access memory at address 0x7ffffffff400>, options=0)
at ../../../../../src/emu/didisasm.cpp:75
#6 0x0000555555bc2eaa in debug_view_disasm::find_pc_backwards (this=0x55555b194170, targetpc=4294967295, numinstrs=3) at ../../../../../src/emu/debug/dvdisasm.cpp:276
#7 0x0000555555bc40e8 in debug_view_disasm::view_update (this=0x55555b194170) at ../../../../../src/emu/debug/dvdisasm.cpp:522
#8 0x0000555555bbd98b in debug_view::end_update (this=0x55555b194170) at ../../../../../src/emu/debug/debugvw.cpp:116
#9 0x0000555555bbe69c in debug_view::force_update (this=0x55555b194170) at ../../../../../src/emu/debug/debugvw.h:176
#10 0x0000555555bbe2a1 in debug_view_manager::update_all (this=0x5555594c1b00, type=DVT_NONE) at ../../../../../src/emu/debug/debugvw.cpp:411
#11 0x0000555555ba9607 in device_debug::instruction_hook (this=0x555559993240, curpc=4294967295) at ../../../../../src/emu/debug/debugcpu.cpp:1844
#12 0x0000555555bd905e in debugger_instruction_hook (device=0x555556fd6930, curpc=4294967295) at ../../../../../src/emu/debugger.cpp:35
#13 0x0000555555ab78a1 in m68000_base_device::cpu_execute (this=0x555556fd6930) at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:804
#14 0x0000555555ab5592 in m68000_base_device::execute_run (this=0x555556fd6930) at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:2440
#15 0x0000555555d8d2f9 in device_execute_interface::run (this=0x555556fd6c90) at ../../../../../src/emu/diexec.h:190
#16 0x0000555555d8bfcd in device_scheduler::timeslice (this=0x7fffffffd5f8) at ../../../../../src/emu/schedule.cpp:485
#17 0x0000555555d359a7 in running_machine::run (this=0x7fffffff6fb0, quiet=false) at ../../../../../src/emu/machine.cpp:358
#18 0x00005555557164d2 in mame_machine_manager::execute (this=0x555556f5d510) at ../../../../../src/frontend/mame/mame.cpp:233
#19 0x00005555557b0be8 in cli_frontend::start_execution (this=0x7fffffffdfa0, manager=0x555556f5d510, args=std::vector of length 1, capacity 9 = {...})
at ../../../../../src/frontend/mame/clifront.cpp:244
#20 0x00005555557b0d3b in cli_frontend::execute (this=0x7fffffffdfa0, args=std::vector of length 1, capacity 9 = {...}) at ../../../../../src/frontend/mame/clifront.cpp:260
#21 0x0000555555716dd3 in emulator_info::start_frontend (options=..., osd=..., args=std::vector of length 1, capacity 9 = {...}) at ../../../../../src/frontend/mame/mame.cpp:332
#22 0x00005555556192b6 in main (argc=9, argv=0x7fffffffe6b8) at ../../../../../src/osd/sdl/sdlmain.cpp:219

This happens on HP9000/330 (and probably all other 300 series). It happens only when i add the ROM Basic roms to the emulator. The assembly code that triggers this is:

ROM:0008056A 2A78 F898 movea.l (dword_FFFFF898).w,a5
ROM:0008056E 3B40 FFFE move.w d0,-2(a5)
ROM:00080572 46DF move (sp)+,sr
ROM:00080574 2E6D FFF6 movea.l -$A(a5),sp
ROM:00080578 4E75 rts

which clear the S bit in that case and updatss the stackpointer. The new stackpointer looks invalid (it's 0xeeee1111) but even in that case MAME shouldn't segfault.

I compiled mame with:

make SUBTARGET=hp9k_3xx SOURCES=src/mame/drivers/hp9k_3xx.cpp -j7 SYMBOLS=1 SYMLEVEL=2 OPT_FLAGS="-O0 -ggdb"

and run it with:

./hp9k_3xx64 -window -r 1024x768 hp9k330 -speed 100 -skip_gameinfo -debug
basic.diff.txt

[rb6502]

Hi, I wrote that driver, and it certainly shouldn't crash that way. Can you direct me to the BASIC ROMs so that I can reproduce the problem?

Cheers,
-RB

[ghost]

Hi, to make it simple i attached the rompack zip file i'm using - it contains both the v4 and v5 BASIC ROMs (the v4 are the ones that are crashing mame, the v5 version just hangs) Regards Sven

…

On 05/15/2017 04:25 AM, R. Belmont wrote: Hi, I wrote that driver, and it certainly shouldn't crash that way. Can you direct me to the BASIC ROMs so that I can reproduce the problem? Cheers, -RB — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2302 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADQigPoaFalhNQP3qoV8Ugf6RBZB1i6hks5r57exgaJpZM4NaLmb>.

[ghost]

Not sure where the attachement went, but you can also fetch it here:

http://stackframe.org/hp9k330.zip

[rb6502]

Hi, I took a look at this. I didn't get the crash, but I'm also not convinced that these BASIC ROMs are for this particular HP9000 subseries. Version 4 jumps through a pointer fetched from a RAM location which is only written to by the RAM test routine, and version 5 prints an error message and halts.

If you're sure these are from a 9000/3x0 machine, it might be worthwhile dumping the boot PROM from that machine also, as the version we have doesn't seem to interface with these BASICs properly.

[ghost]

Hi,

On 06/03/2017 08:42 PM, R. Belmont wrote: Hi, I took a look at this. I didn't get the crash, but I'm also not convinced that these BASIC ROMs aren't for this particular HP9000 subseries.

I've got the Images from Dominique (cc'ed), who built a replacement card for the original HP98603B Basic ROM card. (see http://www.hpmuseum.net/display_item.php?hw=1164). So i'm confident that the images should work.

Version 4 jumps through a pointer fetched from a RAM location which is only written to by the RAM test routine, and version 5 prints an error message and halts.

I did see the same, but i'm not sure what shoud be located at the unitialized pointer location. I was suspecting that it's some function table for I/O, which is not populated because MAME doesn't emulate any I/O stuff right now. But i never used a HP9000/300 and have no clue about the architecture, so it's just a wild guess. Regards Sven

[ghost]

As both BASIC 4 and BASIC 5 roms are booting now on /300, i think we can close this issue. Haven't seen the crash again.