Jasper demo crashes out PCSX2

[benderscruffy]

PCSX2 version: GIT v1.5.0-dev-625-g87867be CPU options: EE/IOP defaults, VUs defaults Plugins used: GSdx GIT, SPU2-X GIT

here is the source http://lukasz.dk/files/jaspersrc.zip

after the first credits when it goes to start the demo the emulator crashes out

just google Jasper PS2 Demo (PD).

[willkuer]

Tried playing with ee clamping/rounding modes and ee timing hack?

[Catarax]

More info about the crash :

[ssakash]

I rather doubt that it's related to the crash. Does it crash instantly after the SYSCALL message ?

[MrCK1]

Took a quick look at this, don't get the GS messages. The crash is related to the GIF Unit. Could be useful for debugging games in the future; so here's half of the assert callstack.

c:\users\chris\documents\github\pcsx2\pcsx2\Gif_Unit.h(263) : assertion failed:
    Function:  Gif_Path::CopyGSPacketData
    Thread:    EE Core
    Condition: curSize+size<=buffSize
    Message:   Gif Path Buffer Overflow!

[00] pxOnAssert                                   \documents\github\pcsx2\common\src\utilities\exceptions.cpp:134
[01] pxOnAssert                                   \documents\github\pcsx2\common\src\utilities\exceptions.cpp:129
[02] Gif_Path::CopyGSPacketData                   \documents\github\pcsx2\pcsx2\gif_unit.h:263
[03] Gif_Unit::TransferGSPacketData               \documents\github\pcsx2\pcsx2\gif_unit.h:526
[04] GIF_Fifo::read                               \documents\github\pcsx2\pcsx2\gif.cpp:124
[05] gifInterrupt                                 \documents\github\pcsx2\pcsx2\gif.cpp:197
[06] TESTINT                                      \documents\github\pcsx2\pcsx2\r5900.cpp:264
[07] _cpuTestInterrupts                           \documents\github\pcsx2\pcsx2\r5900.cpp:283
[08] _cpuEventTest_Shared                         \documents\github\pcsx2\pcsx2\r5900.cpp:399
[09] recEventTest                                 \documents\github\pcsx2\pcsx2\x86\ix86-32\ir5900-32.cpp:338
[10] eeRecDispatchers                            
[11] recExecute                                   \documents\github\pcsx2\pcsx2\x86\ix86-32\ir5900-32.cpp:690

[F0bes]

Just debugged an issue with a library in the SDK that does this exact thing. It ends up sending a GIFTag (or complete junk) with a crazy high NLOOP, making the GIF expect a lot more than it's going to receive. Because of this, I believe the GIF is holding every transfer that happens in it's buffer, with the intent to kick it to the GS once it received the insane amount of QW it was accidentally told it would receive.

I'm not familiar enough with this code, but the suspect might be the packet realignment, going off of the log right before the crash

Swapping to PATH 3
PATH 3 New tag State 3 FLG 1 EOP 0 NLOOP 1
PATH 3 not enough data, available 1926784 wanted 4889360
GIF_TRANS_DMA - [path=3][size=524176]
Swapping to PATH 3
PATH 3 New tag State 3 FLG 1 EOP 0 NLOOP 1
PATH 3 not enough data, available 2450960 wanted 4889360
GIF_TRANS_DMA - [path=3][size=128]
Swapping to PATH 3
PATH 3 New tag State 3 FLG 1 EOP 0 NLOOP 1
PATH 3 not enough data, available 2451088 wanted 4889360
GIF_TRANS_DMA - [path=3][size=96]
Swapping to PATH 3
PATH 3 New tag State 3 FLG 1 EOP 0 NLOOP 1
PATH 3 not enough data, available 2451184 wanted 4889360
GIF_TRANS_DMA - [path=3][size=307072]
CopyGSPacketData: Realigning packet!
Path Buffer: Realigning packet!
Realign Packet [9416960]
/home/ty/pcsx2/pcsx2/./Gif_Unit.h:322: assertion failed in function void Gif_Path::CopyGSPacketData(u8 *, u32, bool): Gif Path Buffer Overflow!

Here is also an updated call stack

AbortWithMessage(const char * msg) (/home/ty/pcsx2/common/Misc.cpp:100)
pxOnAssertFail(const char * file, int line, const char * func, const char * msg) (/home/ty/pcsx2/common/Exceptions.cpp:141)
Gif_Path::CopyGSPacketData(Gif_Path * this, u8 * pMem, u32 size, bool aligned) (/home/ty/pcsx2/pcsx2/Gif_Unit.h:322)
Gif_Unit::TransferGSPacketData(Gif_Unit * this, GIF_TRANSFER_TYPE tranType, u8 * pMem, u32 size, bool aligned) (/home/ty/pcsx2/pcsx2/Gif_Unit.h:683)
WRITERING_DMA(u32 * pMem, u32 qwc) (/home/ty/pcsx2/pcsx2/Gif.cpp:349)
GIFchain() (/home/ty/pcsx2/pcsx2/Gif.cpp:368)
GIFdma() (/home/ty/pcsx2/pcsx2/Gif.cpp:476)
gifInterrupt() (/home/ty/pcsx2/pcsx2/Gif.cpp:300)
dmaGIF() (/home/ty/pcsx2/pcsx2/Gif.cpp:505)
DmaExec(void (*)(void) func, u32 mem, u32 value) (/home/ty/pcsx2/pcsx2/Dmac.cpp:289)
dmacWrite32<10u>(u32 mem, mem32_t & value) (/home/ty/pcsx2/pcsx2/Dmac.cpp:411)
_hwWrite32<10u>(u32 mem, u32 value) (/home/ty/pcsx2/pcsx2/HwWrite.cpp:139)
hwWrite32<10u>(u32 mem, u32 value) (/home/ty/pcsx2/pcsx2/HwWrite.cpp:281)
m_IndirectDispatchers (Unknown Source:0)
[Unknown/Just-In-Time compiled code] (Unknown Source:0)
recExecute() (/home/ty/pcsx2/pcsx2/x86/ix86-32/iR5900-32.cpp:763)

[F0bes]

Here's the ELF as well Jasper.elf.zip

[Goatman13]

I don't know where to start. This seems to be some kind of elf reader bug, or maybe some weird kernel bug? For sure it is one of weirdest bugs i have researched in pcsx2. So what's going on? Program gets misaligned at some point during ELF loading. But not whole program. Misalignment starts somewhere between 0x40FE90 and 0x410340 of EE memory and goes up to 0x1FFFFFF. That probably explain why gif packet is misaligned at some point.

Here is screenshot from pcsx2 with breakpoint set at entry point of elf, which mean that program itself wasn't able to do anything yet. Check memory section.

Here are 2 screenshots of tools used to debugging which load elf same way as machine that elf coming from, so memory offset should match:

Like you can see there is 4 bytes difference that starts at 0x41034C. Everything before that address match between pcsx2 and those 2 apps. I was surprised that demo goes that far with bug like this, because it is running code itself in corrupted area. But then i realized that every single function above corrupted offset is doing `movz $t0 $zero, $zero' first to clear t0 (example at 0xD243A0 opcode is 4 bytes earlier than it should). Since later code load something to t0 this allowed to run without that t0 clear. At least to point when corrupted data started to be problem.

[refractionpcsx2]

What the hell, how does nothing else get affected by this??? also wtf.

[Goatman13]

Yeah. I complete don't understand how that happen. I could understand if whole elf get loaded with offset, or different segment, etc. But this just happen at "random" point in elf with single segment.

[refractionpcsx2]

If we weren't manually loading it, I'd say maybe it's a SIF/IOP bug somewhere, but this is a homebrew ELF, which means we're directly injecting it in to EE memory, how the heck is it getting offset? :/

[refractionpcsx2]

Kind of a side note, but I also tried this on Dobiestation and it crashed at the same point as PCSX2, also with a GIF packet problem.

[refractionpcsx2]

So I dumped the memory on my PS2 when the demo was running, and (with the 0x100000 offset) I checked, and the memory matches PCSX2.. (The demo had already started btw, downloading ee mem is slowwwwwwwwwww)

[Goatman13]

Interesting. Well, hardware test show that is correct, then it is correct. I loaded that elf into Play! emulator just see how that one handle it. Result is opposite to pcsx2/real hw, and match ps2dis/IDA/Ghidra. Demo don't even reach point where it hang on other emulators.

This is not really related to the issue now, but what kind of weird elf file is that? Difference always starts at the same point, and absolute jumps to address above 0x410350 seems to always point to wrong address on real HW/PCSX2.

[refractionpcsx2]

Yeah I have no clue why that's happening! I guess there must be some sort of self modification going on, I mean this area seems to be some sort of pointers or state information? I dunno.... I'm not really familiar with the Jasper source.

Maybe you should look for the Jasper source, I believe it's out there, Koz you seem to have an idea what you're doing :)

[seta-san]

i believe i found the source in case anyone wants it. jaspersrc.zip

[refractionpcsx2]

Certainly looks like it is (I didn't compile this, just comparing text to my already compiled version)

[StillPlay2]

Related to this & also by the same developer; 3StarsII homebrew demo black screens with TLB Misses

[ 13.2792] TLB Miss, pc=0x80003800 addr=0x8 [load] [ 13.2793] TLB Miss, pc=0x80003800 addr=0x0 [load] [ 13.2798] TLB Miss, pc=0x80003800 addr=0x4 [load] [ 13.2804] TLB Miss, pc=0x80003800 addr=0x1a0 [load] [ 13.2810] TLB Miss, pc=0x80003800 addr=0x1a8 [load] [ 13.2816] TLB Miss, pc=0x80003800 addr=0x1b0 [load] [ 13.2822] TLB Miss, pc=0x80003800 addr=0x1b8 [load] [ 13.2840] TLB Miss, pc=0x80003800 addr=0x10 [load] [ 13.2846] TLB Miss, pc=0x80003800 addr=0x20 [load] [ 13.2853] TLB Miss, pc=0x80003800 addr=0x30 [load] [ 13.2858] TLB Miss, pc=0x80003800 addr=0x40 [load] [ 13.2863] TLB Miss, pc=0x80003800 addr=0x50 [load] [ 13.2869] TLB Miss, pc=0x80003800 addr=0x60 [load] [ 13.2875] TLB Miss, pc=0x80003800 addr=0x70 [load] [ 13.2881] TLB Miss, pc=0x80003800 addr=0x80 [load] [ 13.2887] TLB Miss, pc=0x80003800 addr=0x90 [load] [ 13.2893] TLB Miss, pc=0x80003800 addr=0xa0 [load] [ 13.2899] TLB Miss, pc=0x80003800 addr=0xb0 [load] [ 13.2904] TLB Miss, pc=0x80003800 addr=0xc0 [load] [ 13.2910] TLB Miss, pc=0x80003800 addr=0xd0 [load] [ 13.2916] TLB Miss, pc=0x80003800 addr=0xe0 [load] [ 13.2922] TLB Miss, pc=0x80003800 addr=0xf0 [load] [ 13.2927] TLB Miss, pc=0x80003800 addr=0x100 [load] [ 13.2933] TLB Miss, pc=0x80003800 addr=0x110 [load] [ 13.2939] TLB Miss, pc=0x80003800 addr=0x120 [load] [ 13.2944] TLB Miss, pc=0x80003800 addr=0x130 [load] [ 13.2951] TLB Miss, pc=0x80003800 addr=0x140 [load] [ 13.2958] TLB Miss, pc=0x80003800 addr=0x150 [load] [ 13.2963] TLB Miss, pc=0x80003800 addr=0x160 [load] [ 13.2969] TLB Miss, pc=0x80003800 addr=0x170 [load] [ 13.2975] TLB Miss, pc=0x80003800 addr=0x180 [load] [ 13.2981] TLB Miss, pc=0x80003800 addr=0x190 [load] [ 13.3010] TLB Miss, pc=0x80003800 addr=0x1c0 [load] [ 13.3016] TLB Miss, pc=0x80003800 addr=0x1e0 [load] [ 13.3022] TLB Miss, pc=0x80003800 addr=0x200 [load] [ 13.3028] TLB Miss, pc=0x80003800 addr=0x204 [load] [ 13.3034] TLB Miss, pc=0x80003800 addr=0x208 [load] [ 13.3040] TLB Miss, pc=0x80003800 addr=0x20c [load] [ 13.3046] TLB Miss, pc=0x80003800 addr=0x210 [load] [ 13.3054] TLB Miss, pc=0x80003800 addr=0x214 [load] [ 13.3060] TLB Miss, pc=0x80003800 addr=0x218 [load] [ 13.3065] TLB Miss, pc=0x80003800 addr=0x21c [load] [ 13.3069] TLB Miss, pc=0x80003800 addr=0x220 [load] [ 13.3074] TLB Miss, pc=0x80003800 addr=0x224 [load] [ 13.3079] TLB Miss, pc=0x80003800 addr=0x228 [load] [ 13.3085] TLB Miss, pc=0x80003800 addr=0x22c [load] [ 13.3090] TLB Miss, pc=0x80003800 addr=0x230 [load] [ 13.3096] TLB Miss, pc=0x80003800 addr=0x234 [load] [ 13.3101] TLB Miss, pc=0x80003800 addr=0x238 [load] [ 13.3107] TLB Miss, pc=0x80003800 addr=0x23c [load] [ 13.3116] # Syscall: undefined (0)

3starsII.zip The elf file.