Emulator Issues #10610

closed

PowerPC JIT: Crash with stw instructions with negative offsets at 0

Added by Fullmetal5 over 6 years ago. Updated almost 6 years ago.

Status:
Working as intended
Priority:
Normal
Assignee:
-
% Done:

0%

Operating system:
N/A
Issue type:
Bug
Milestone:
Regression:
No
Relates to usability:
No
Relates to performance:
No
Easy:
No
Relates to maintainability:
No
Regression start:
Fixed in:

Description

Game Name?

N/A

Game ID? (right click the game in the game list, properties, info tab)

N/A

MD5 Hash? (right click the game in the game list, properties, info tab, MD5 Hash: Compute)

N/A

What's the problem? Describe what went wrong.

There appears to be a bug in the PowerPC JIT whenever an stw instruction attempts to store a value to a negative offset at 0.

Example instruction:

stw r0, -0x6F18(r13)

with r0 = 0x80000000 and r13 = 0x00000000

What steps will reproduce the problem?

1. Start Dolphin in debug mode
2. Make sure you are using the JIT in your settings
3. Boot up any old game and after a few seconds pause emulation
4. Change the next instruction to be executed to 0x900d90e8
5. Step once so you are now on the stw instruction
6. Change register r0 to 0x80000000 and register r13 to 0x00000000
7. Click Play

Dolphin should crash

Is the issue present in the latest development version? For future reference, please also write down the version number of the latest development version.

Tested on latest git (91dac03c45aa3b0e5877cfa3557c5174fdf637e6)

Is the issue present in the latest stable version?

Unchecked (no Ubuntu builds)

If the issue isn't present in the latest stable version, which is the first broken version? (You can find the first broken version by bisecting. Windows users can use the tool https://forums.dolphin-emu.org/Thread-green-notice-development-thread-unofficial-dolphin-bisection-tool-for-finding-broken-builds and anyone who is building Dolphin on their own can use git bisect.)

Will update if it turns out this is a regression.

If your issue is a graphical issue, please attach screenshots and record a three frame fifolog of the issue if possible. Screenshots showing what it is supposed to look like from either console or older builds of Dolphin will help too. For more information on how to use the fifoplayer, please check here: https://wiki.dolphin-emu.org/index.php?title=FifoPlayer

[Attach any fifologs if possible, write a description of fifologs and screenshots here to assist people unfamiliar with the game.]

What are your PC specifications? (CPU, GPU, Operating System, more)

Ubuntu 17.10
Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
NVIDIA GeForce GTX 660 (drivers 387.12)

Is there anything else that can help developers narrow down the issue? (e.g. logs, screenshots,
configuration files, savefiles, savestates)

Example gdb inspection of coredump

(gdb) set disassembly-flavor intel
(gdb) disas 0x00007f213ea38a00,0x00007f213ea38b00
Dump of assembler code from 0x7f213ea38a00 to 0x7f213ea38b00:
0x00007f213ea38a00: add BYTE PTR [rax],al
0x00007f213ea38a02: movq rax,xmm6
0x00007f213ea38a07: mov edx,r12d
0x00007f213ea38a0a: movbe QWORD PTR [rbx+rdx*1+0x170],rax
0x00007f213ea38a14: lea r13d,[r12+0x178]
0x00007f213ea38a1c: mov DWORD PTR [rbp-0x70],r13d
0x00007f213ea38a20: mov edi,0x13e0200e
0x00007f213ea38a25: movabs rax,0x5608451d61ac
0x00007f213ea38a2f: call rax
0x00007f213ea38a31: mov rax,QWORD PTR [rbp+0x60]
0x00007f213ea38a35: mov edx,DWORD PTR [rbp-0x74]
0x00007f213ea38a38: movbe QWORD PTR [rbx+rdx*1+0x180],rax
0x00007f213ea38a42: mov DWORD PTR [rbp-0x74],0x0
0x00007f213ea38a49: mov eax,DWORD PTR [rbp+0x2c0]
0x00007f213ea38a4f: and eax,0xfffffffc
0x00007f213ea38a52: mov DWORD PTR [rbp+0x0],eax
0x00007f213ea38a55: sub DWORD PTR [rbp+0x54],0x59
0x00007f213ea38a59: jmp 0x7f213fd4c048
0x00007f213ea38a5e: int3
0x00007f213ea38a5f: int3
0x00007f213ea38a60: jg 0x7f213ea38a6e
0x00007f213ea38a62: mov DWORD PTR [rbp+0x0],0x801fbeb0
0x00007f213ea38a69: jmp 0x7f213fd4c124
0x00007f213ea38a6e: mov DWORD PTR [rbp+0x0],0x801fbeb0
0x00007f213ea38a75: mov r12d,DWORD PTR [rbp-0x8]
0x00007f213ea38a79: movbe r13d,DWORD PTR [rbx+r12*1+0x0]
0x00007f213ea38a80: mov r14d,DWORD PTR [rbp-0x74]
0x00007f213ea38a84: mov r15d,r14d
0x00007f213ea38a87: movsxd rax,r15d
0x00007f213ea38a8a: mov QWORD PTR [rbp+0x8],rax
0x00007f213ea38a8e: mov DWORD PTR [rbp-0x4],r15d
0x00007f213ea38a92: mov r15d,DWORD PTR [rbp-0x4c]
=> 0x00007f213ea38a96: movbe DWORD PTR [rbx+r15*1-0x6f18],r13d
0x00007f213ea38aa0: cmp DWORD PTR [rbp+0x8],0x0
0x00007f213ea38aa4: je 0x7f213ea38abe
0x00007f213ea38aaa: mov DWORD PTR [rbp-0x80],r13d
0x00007f213ea38aae: sub DWORD PTR [rbp+0x54],0x4
0x00007f213ea38ab2: mov DWORD PTR [rbp+0x0],0x801fbf20
0x00007f213ea38ab9: jmp 0x7f213ea46918
0x00007f213ea38abe: movbe r13d,DWORD PTR [rbx+r12*1+0x20]
0x00007f213ea38ac5: movsxd rax,r13d
0x00007f213ea38ac8: sub rax,0x1
0x00007f213ea38acc: mov QWORD PTR [rbp+0x8],rax
0x00007f213ea38ad0: jne 0x7f213ea38aea
0x00007f213ea38ad6: mov DWORD PTR [rbp-0x80],r13d
0x00007f213ea38ada: sub DWORD PTR [rbp+0x54],0x7
0x00007f213ea38ade: mov DWORD PTR [rbp+0x0],0x801fbf14
0x00007f213ea38ae5: jmp 0x7f213ea48468
0x00007f213ea38aea: movbe r14d,DWORD PTR [rbx+r12*1+0x4]
0x00007f213ea38af1: mov DWORD PTR [rbp+0x2c0],0x801fbed4
0x00007f213ea38afb: mov r15d,DWORD PTR [rbp-0x7c]
0x00007f213ea38aff: mov esi,r14d
End of assembler dump.
(gdb) info reg
rax 0x2 2
rbx 0x7f1f38000000 139772060237824
rcx 0x801fbeb0 2149564080
rdx 0x30801fbeb0 208307994288
rsi 0x3f800000 1065353216
rdi 0x7f2117ff9828 139780113274920
rbp 0x5608462c7aa0 0x5608462c7aa0 PowerPC::ppcState+128
rsp 0x7f2117ff9890 0x7f2117ff9890
r8 0x1cb 459
r9 0x5608459bef62 94593527574370
r10 0x560848581cc0 94593573461184
r11 0x0 0
r12 0x916eb460 2439951456
r13 0x80b1bc68 2159131752
r14 0x2 2
r15 0x0 0
rip 0x7f213ea38a96 0x7f213ea38a96
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

And here is the PPC vs. x86 output from Dolphin of the same crash point.

PPC:
801fbeb0 lwz r0, 0 (r30)
801fbeb4 mr. r31, r3
801fbeb8 stw r0, -0x6F18 (r13)
801fbebc bne- ->0x801FBF20
801fbec0 lwz r0, 0x0020 (r30)
801fbec4 cmpwi r0, 1
801fbec8 beq- ->0x801FBF14
801fbecc lwz r3, 0x0004 (r30)
801fbed0 bl ->0x80063090
80063090 mr r5, sp
80063094 mr sp, r3
80063098 mr r3, r5
8006309c blr
801fbed4 lwz r0, 0x0020 (r30)
801fbed8 cmpwi r0, 0
801fbedc bne- ->0x801FBF00
801fbee0 li r0, 1
801fbee4 stw r0, 0x0020 (r30)
801fbee8 lwz r3, 0x0018 (r30)
801fbeec mr r4, r30
801fbef0 lwz r12, 0 (r3)
801fbef4 lwz r12, 0x0008 (r12)
801fbef8 mtctr r12
801fbefc bctrl

25 estimated cycles
Num instr: PPC: 24 x86: 72 (blowup: 200%)
Num bytes: PPC: 96 x86: 370 (blowup: 285%)

x86:
0x7f45c9cd2958 jg 12
0x7f45c9cd295a mov dword ptr [rbp], 2149564080
0x7f45c9cd2961 jmp 20088766
0x7f45c9cd2966 mov dword ptr [rbp], 2149564080
0x7f45c9cd296d mov r12d, dword ptr [rbp - 8]
0x7f45c9cd2971 movbe r13d, dword ptr [rbx + r12]
0x7f45c9cd2978 mov r14d, dword ptr [rbp - 116]
0x7f45c9cd297c mov r15d, r14d
0x7f45c9cd297f movsxd rax, r15d
0x7f45c9cd2982 mov qword ptr [rbp + 8], rax
0x7f45c9cd2986 mov dword ptr [rbp - 4], r15d
0x7f45c9cd298a mov dword ptr [rbp - 128], r13d
0x7f45c9cd298e mov dword ptr [rbp], 2149564088
0x7f45c9cd2995 movabs rax, 94753535764279
0x7f45c9cd299f call rax
0x7f45c9cd29a1 movabs rax, 94753552743568
0x7f45c9cd29ab test dword ptr [rax], 4294967295
0x7f45c9cd29b1 je 16
0x7f45c9cd29b3 sub dword ptr [rbp + 84], 3
0x7f45c9cd29b7 mov dword ptr [rbp], 2149564088
0x7f45c9cd29be jmp 20088453
0x7f45c9cd29c3 mov r12d, dword ptr [rbp - 128]
0x7f45c9cd29c7 mov r13d, dword ptr [rbp - 76]
0x7f45c9cd29cb movbe dword ptr [rbx + r13 - 28440], r12d
0x7f45c9cd29d5 cmp dword ptr [rbp + 8], 0
0x7f45c9cd29d9 je 16
0x7f45c9cd29df sub dword ptr [rbp + 84], 4
0x7f45c9cd29e3 mov dword ptr [rbp], 2149564192
0x7f45c9cd29ea jmp 20088409
0x7f45c9cd29ef mov r13d, dword ptr [rbp - 8]
0x7f45c9cd29f3 movbe r12d, dword ptr [rbx + r13 + 32]
0x7f45c9cd29fa movsxd rax, r12d
0x7f45c9cd29fd sub rax, 1
0x7f45c9cd2a01 mov qword ptr [rbp + 8], rax
0x7f45c9cd2a05 jne 20
0x7f45c9cd2a0b mov dword ptr [rbp - 128], r12d
0x7f45c9cd2a0f sub dword ptr [rbp + 84], 7
0x7f45c9cd2a13 mov dword ptr [rbp], 2149564180
0x7f45c9cd2a1a jmp 20088361
0x7f45c9cd2a1f movbe r14d, dword ptr [rbx + r13 + 4]
0x7f45c9cd2a26 mov dword ptr [rbp + 704], 2149564116
0x7f45c9cd2a30 mov r15d, dword ptr [rbp - 124]
0x7f45c9cd2a34 mov esi, r14d
0x7f45c9cd2a37 mov dword ptr [rbp - 124], esi
0x7f45c9cd2a3a mov r14d, r15d
0x7f45c9cd2a3d mov dword ptr [rbp - 108], r15d
0x7f45c9cd2a41 movbe r12d, dword ptr [rbx + r13 + 32]
0x7f45c9cd2a48 movsxd rax, r12d
0x7f45c9cd2a4b mov qword ptr [rbp + 8], rax
0x7f45c9cd2a4f test rax, rax
0x7f45c9cd2a52 je 24
0x7f45c9cd2a58 mov dword ptr [rbp - 128], r12d
0x7f45c9cd2a5c mov dword ptr [rbp - 116], r14d
0x7f45c9cd2a60 sub dword ptr [rbp + 84], 16
0x7f45c9cd2a64 mov dword ptr [rbp], 2149564160
0x7f45c9cd2a6b jmp 20088280
0x7f45c9cd2a70 mov dword ptr [rbx + r13 + 32], 16777216
0x7f45c9cd2a79 mov dword ptr [rbp - 128], 1
0x7f45c9cd2a80 movbe r14d, dword ptr [rbx + r13 + 24]
0x7f45c9cd2a87 mov r12d, r13d
0x7f45c9cd2a8a mov dword ptr [rbp - 112], r12d
0x7f45c9cd2a8e movbe r12d, dword ptr [rbx + r14]
0x7f45c9cd2a95 mov dword ptr [rbp - 116], r14d
0x7f45c9cd2a99 movbe r12d, dword ptr [rbx + r12 + 8]
0x7f45c9cd2aa0 mov dword ptr [rbp + 708], r12d
0x7f45c9cd2aa7 mov dword ptr [rbp - 80], r12d
0x7f45c9cd2aab mov eax, dword ptr [rbp + 708]
0x7f45c9cd2ab1 mov dword ptr [rbp + 704], 2149564160
0x7f45c9cd2abb and eax, -4
0x7f45c9cd2abe mov dword ptr [rbp], eax
0x7f45c9cd2ac1 sub dword ptr [rbp + 84], 25
0x7f45c9cd2ac5 jmp 20088190
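The faulting instruction in the dump, movbe DWORD PTR [rbx+r15*1-0x6f18],r13d with r15 = 0 and rbx = 0x7f1f38000000, shows the mechanism behind the crash: the guest computes its effective address with 32-bit wraparound, so 0 + (-0x6F18) is 0xFFFF90E8, but the host-side fastmem address is formed as base + rA + d in 64-bit arithmetic, which lands 0x6F18 bytes below the reserved arena rather than near its top. The following C program is an added illustration, not code from the issue or from Dolphin: it decodes the D-form instruction word 0x900d90e8 from the repro steps, computes the guest effective address, compares it with the naive host-side address, and bounds-checks both against an arena whose 4 GiB size is an assumed parameter (the rbx value is taken from the register dump above).

```c
/* Added example (not Dolphin's code): why "stw r0, -0x6F18(r13)" with r13 = 0
 * lands outside a fastmem arena when the host computes base + rA + d in 64 bits. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Fields of a D-form PowerPC instruction such as stw rS, d(rA). */
typedef struct {
    unsigned opcode; /* primary opcode, bits 0-5 (36 = stw) */
    unsigned rs;     /* source register, bits 6-10 */
    unsigned ra;     /* base register, bits 11-15 */
    int16_t  d;      /* displacement, bits 16-31, sign-extended */
} dform_t;

dform_t decode_dform(uint32_t insn) {
    dform_t f;
    f.opcode = insn >> 26;
    f.rs = (insn >> 21) & 0x1f;
    f.ra = (insn >> 16) & 0x1f;
    f.d = (int16_t)(insn & 0xffffu);
    return f;
}

/* Guest effective address: (rA|0) + d with 32-bit wraparound. rA == 0 means
 * the literal value 0, not r0, per the PowerPC ISA. */
uint32_t ppc_effective_address(unsigned ra, uint32_t ra_value, int16_t d) {
    uint32_t base = (ra == 0) ? 0u : ra_value;
    return base + (uint32_t)(int32_t)d; /* unsigned add wraps modulo 2^32 */
}

/* Host address as the captured JIT code forms it: [rbx + r15*1 - 0x6f18],
 * i.e. arena_base + rA + d evaluated in 64-bit arithmetic, no wraparound. */
uint64_t host_address_naive(uint64_t arena_base, uint32_t ra_value, int16_t d) {
    return arena_base + (uint64_t)ra_value + (uint64_t)(int64_t)d;
}

/* Host address derived from the wrapped 32-bit guest EA instead. */
uint64_t host_address_wrapped(uint64_t arena_base, unsigned ra,
                              uint32_t ra_value, int16_t d) {
    return arena_base + ppc_effective_address(ra, ra_value, d);
}

/* Bounds check of a host address against the reserved arena. arena_size is an
 * assumed parameter (4 GiB in main), not a value taken from the issue. */
bool host_address_in_arena(uint64_t arena_base, uint64_t arena_size, uint64_t addr) {
    return addr >= arena_base && addr - arena_base < arena_size;
}

int main(void) {
    const uint32_t insn = 0x900d90e8u;            /* from the repro steps */
    const uint64_t rbx = 0x7f1f38000000ull;       /* rbx from the gdb register dump */
    const uint64_t arena_size = 0x100000000ull;   /* assumed: 4 GiB guest address space */
    dform_t f = decode_dform(insn);
    printf("opcode=%u rS=%u rA=%u d=%d (0x%x)\n",
           f.opcode, f.rs, f.ra, f.d, (uint16_t)f.d);
    uint32_t ea = ppc_effective_address(f.ra, 0x00000000u, f.d);
    uint64_t naive = host_address_naive(rbx, 0x00000000u, f.d);
    uint64_t wrapped = host_address_wrapped(rbx, f.ra, 0x00000000u, f.d);
    printf("guest EA      = 0x%08x\n", ea);
    printf("host naive    = 0x%llx in arena: %d\n", (unsigned long long)naive,
           host_address_in_arena(rbx, arena_size, naive));
    printf("host via wrap = 0x%llx in arena: %d\n", (unsigned long long)wrapped,
           host_address_in_arena(rbx, arena_size, wrapped));
    return 0;
}
```

With r13 = 0 the naive host address is 0x7f1f37ff90e8, below the arena base and therefore an access to whatever the host has (or has not) mapped there, while the wrapped guest address 0xFFFF90E8 stays inside the 4 GiB window, which is where a page-fault handler keyed to the arena can recognise it. This is the general shape of the check an emulator needs whenever a guest base register can be zero and the displacement is negative.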

Actions #1

Updated by JMC4789 almost 6 years ago

  • Status changed from New to Working as intended

Please enable Full MMU Emulation. If it's still broken feel free to update.

Actions #2

Updated by Fullmetal5 almost 6 years ago

JMC4789 wrote:

Please enable Full MMU Emulation. If it's still broken feel free to update.

Just rechecked on latest git (51410b767247f3080f79ec0eed51ce49a1bf29e5) and the issue still crashes Dolphin even with MMU enabled.

I actually don't have any game on hand to test, so I just use the Wii Menu, which doesn't have a setting for MMU, so I just set bMMU = true everywhere and recompiled.
I think that should force it on in the menu. (If for some reason that doesn't, then please let me know.)

Actions #3

Updated by Fullmetal5 almost 6 years ago

*had -> hand
