
MIPS3 recompiler crashes in 32-bit builds

Open cuavas opened this issue 2 years ago • 1 comment

MAME version

0.259 (mame0259-191-g12266741f1e)

System information

Windows 10 x86-64 version 20H2, Intel “Coffee Lake” CPU

INI configuration details

joystick                  1
joystick_deadzone         0.15
joystick_saturation       0.95
trackball_device          mouse
mouse_device              mouse
window                    1
maximize                  1

Emulated system/software

Systems with MIPS II CPUs (e.g. sf2049)

Incorrect behaviour

Debug builds will exit with the following message:

Assertion failed: base != nullptr, file ../../../../../src/devices/cpu/mips/mips3drc.cpp, line 1248

Release builds will crash with a segmentation fault (null pointer dereference).

Expected behaviour

The emulated system should run correctly.

Steps to reproduce

Start an affected system using a 32-bit build, e.g. mame -drc -nodebug sf2049

Additional details

Only 32-bit builds are affected, and only when using the recompiler (the affected systems will run with the -nodrc option, albeit slowly). Enabling the debugger also seems to allow the systems to run.

cuavas, Oct 22 '23 11:10

I’m not sure what’s going on. This is the place where it’s blowing up: https://github.com/mamedev/mame/blob/mame0259/src/devices/cpu/mips/mips3drc.cpp#L1245

```cpp
if (!(curdesc->flags & OPFLAG_VIRTUAL_NOOP))
{
	base = m_prptr(curdesc->physpc);
	assert(base != nullptr);
	low_bits = (curdesc->physpc & data_bits_mask) ^ m_dword_xor;
	UML_LOAD(block, I1, base, low_bits, SIZE_DWORD, SCALE_x1);     // load    i1,base,dword
	UML_ADD(block, I0, I0, I1);                                     // add     i0,i0,i1
	sum += curdesc->opptr.l[0];
```

The call to m_prptr(curdesc->physpc) is somehow returning nullptr in 32-bit builds only.

You can see where it sets m_prptr here: https://github.com/mamedev/mame/blob/mame0259/src/devices/cpu/mips/mips3.cpp#L398

It sets it to a lambda depending on the CPU’s bus configuration. In the case of the little Endian RM7000 it will be using this branch:

```cpp
m_program->cache(m_cache64le);
m_pr32 = delegate<u32 (offs_t)>(&memory_access<32, 3, 0, ENDIANNESS_LITTLE>::cache::read_dword, &m_cache64le);
m_prptr = [this] (offs_t address) -> const void * { return m_cache64le.read_ptr(address); };
```

So it’s just calling read_ptr on a memory access cache (m_cache64le is a memory_access<32, 3, 0, ENDIANNESS_LITTLE>::cache).

It might be something going wrong in the memory system rather than a bug in the MIPS3 device emulation itself.

@galibert any ideas? I don’t see this being fixed before MAME 0.260 is released anyway.

cuavas, Oct 22 '23 12:10
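As an added illustration (not MAME's code) of the failure mode the report describes: a constructed model of the loop in the excerpt, showing the unchecked pointer use a release build is left with once `assert()` is compiled out, next to a checked form that refuses to dereference an address the resolver could not map. `opdesc`, `prptr_fn`, `sample_prptr` and the guest RAM contents are assumptions made for this example.

```cpp
#include <cstdint>
#include <functional>
#include <vector>

// Constructed stand-in for the descriptor fields the excerpt touches (not MAME's opcode_desc).
struct opdesc {
    uint32_t physpc;    // physical PC of the instruction
    bool virtual_noop;  // plays the role of OPFLAG_VIRTUAL_NOOP
};

// Models m_prptr: resolve a guest physical address to host memory, or nullptr if unmapped.
using prptr_fn = std::function<const void *(uint32_t)>;

// Unchecked form: what remains of the excerpt in a release build, where assert() is gone.
// Dereferencing a nullptr here is the segmentation fault the report describes.
uint32_t checksum_unchecked(const std::vector<opdesc> &block, const prptr_fn &prptr)
{
    uint32_t sum = 0;
    for (const opdesc &d : block) {
        if (d.virtual_noop) continue;
        const uint32_t *base = static_cast<const uint32_t *>(prptr(d.physpc));
        sum += *base;  // crashes if base == nullptr
    }
    return sum;
}

// Checked form: an unresolvable address becomes a translation failure instead of a
// dereference. Returning false lets the caller fall back to interpretation (the
// behaviour -nodrc gives) and bad_pc records which address failed to resolve.
bool checksum_checked(const std::vector<opdesc> &block, const prptr_fn &prptr,
                      uint32_t &sum, uint32_t &bad_pc)
{
    sum = 0;
    for (const opdesc &d : block) {
        if (d.virtual_noop) continue;
        const void *base = prptr(d.physpc);
        if (base == nullptr) { bad_pc = d.physpc; return false; }
        sum += *static_cast<const uint32_t *>(base);
    }
    return true;
}

// Constructed sample: 16 bytes of "guest RAM" at physical 0x1000..0x100F, nothing else mapped.
static const uint32_t g_host_ram[4] = {0x3c011234u, 0x34210000u, 0x00000000u, 0x03e00008u};
prptr_fn sample_prptr()
{
    return [](uint32_t pa) -> const void * {
        if (pa < 0x1000 || pa >= 0x1010) return nullptr;
        return &g_host_ram[(pa - 0x1000) / 4];
    };
}
```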