Crash during resolution change in Windows XP with Banshee #470
Comments
|
Here are log lines before crash: banshee_crash_crop.txt. Rectangle fill command starts with correct address |
|
To improve probability of reproduction, same method as in #405 can be used: Hack to make crashes appear more frequentlydiff --git a/bochs/iodev/display/banshee.cc b/bochs/iodev/display/banshee.cc
index 9da498f97..5a3e87ed8 100644
--- a/bochs/iodev/display/banshee.cc
+++ b/bochs/iodev/display/banshee.cc
@@ -2481,6 +2481,7 @@ void bx_banshee_c::blt_rectangle_fill()
dy = BLT.dst_y;
w = BLT.dst_w;
h = BLT.dst_h;
+ volatile int z = 0; for (; z < 1000000; z++) {}
BX_DEBUG(("Rectangle fill: %d x %d ROP0 %02X", w, h, BLT.rop[0]));
if (!blt_apply_clipwindow(NULL, NULL, &dx, &dy, &w, &h)) {
BLT.busy = 0; Not sure if my formula is correct, but I see no crashes with such change: diff --git a/bochs/iodev/display/banshee.cc b/bochs/iodev/display/banshee.cc
index 9da498f97..1197679d9 100644
--- a/bochs/iodev/display/banshee.cc
+++ b/bochs/iodev/display/banshee.cc
@@ -2471,6 +2471,7 @@ Bit32u bx_banshee_c::blt_yuv_conversion(Bit8u *ptr, Bit16u xc, Bit16u yc,
void bx_banshee_c::blt_rectangle_fill()
{
Bit32u dpitch = BLT.dst_pitch;
+ Bit32u dbase = BLT.dst_base;
Bit8u dpxsize = (BLT.dst_fmt > 1) ? (BLT.dst_fmt - 1) : 1;
Bit8u *dst_ptr, *dst_ptr1;
Bit8u colorkey_en = BLT.reg[blt_commandExtra] & 3;
@@ -2486,8 +2487,13 @@ void bx_banshee_c::blt_rectangle_fill()
BLT.busy = 0;
return;
}
+ if (dbase + (dy + h - 1) * dpitch + (dx + w - 1) * dpxsize > v->fbi.mask) {
+ BX_ERROR(("skip address wrap during blt_rectangle_fill()"));
+ BLT.busy = 0;
+ return;
+ }
BX_LOCK(render_mutex);
- dst_ptr = &v->fbi.ram[BLT.dst_base + dy * dpitch + dx * dpxsize];
+ dst_ptr = &v->fbi.ram[dbase + dy * dpitch + dx * dpxsize];
for (y = 0; y < h; y++) {
dst_ptr1 = dst_ptr;
for (x = 0; x < w; x++) { |
|
I don't know if this is related or not: the Cirrus card has double-buffered BitBLT registers. With real hardware you can start a command and immediately after that you can prepare the next command. Since Bochs doesn't use threads in the Cirrus emulation, it doesn't matter that the double buffered registers are not implemented. I don't know whether or not the Banshee / Voodoo3 cards are similar. You could try to change dst_base to dst_base[2] and write to index 0, copy index 0 to index 1 at BitBLT start and use index 1 in the execution methods. |
|
I thought about double buffering as well. |
…wrap. This is a temporary fix for issue #470.
|
I think real hardware simply continues at video memory address 0 in case of an address wrap. Since most of the Bochs graphics code uses pointers for optimization, implementing address wrap in this code would cause a slowdown. I have now applied your code to skip rectangle fill in case of an address wrap. |
I suspect there may be important data at lower addresses, like cursor for example.
Thanks. So what to do next? I think it's ok to close this issue because crash is fixed. |
When resolution is changed in Windows XP with Banshee, crash have chance to appear.
This crash appears frequently enough to be annoying, but not frequently enough to have precise reproduction steps.
It happens inside of
bx_banshee_c::blt_rectangle_fillfunction, duringrop_fnexecution:Bochs/bochs/iodev/display/banshee.cc
Line 2497 in 700bd7f
When
dst_base=0x00f69c00,dst_w=0x0280anddst_h=0x0fff, access outside offbi.rambounds occurs (0x0280*0x0fff* 2 +0x00f69c00=0x01469700, which is larger than array size0x01000000).I don't know why exactly driver tries to clear memory outside of 16 MB, maybe because of some bug, but I think
bx_banshee_c::blt_rectangle_fillneeds check preventing such crash no matter what reason causes such behaviour.Version: 700bd7f
The text was updated successfully, but these errors were encountered: