Senryoku / Deecy

Experimental Dreamcast emulator written in Zig

Speed Devil ARM crash #36

Closed Senryoku closed 2 months ago

Senryoku commented 2 months ago

44ef3f2accdc8b678c94637824176b4a380026fd Tries to write to an address suspiciously similar to ASCII...

AICA write8 from ARM: 0x4147457C = 0x00000053
PC: 00008018
LR: 00008008
SP: 0000AFEC
R0: 00000000   R8: 00000000
R1: 00000053   R9: 00000041
R2: 00000000   R10: 0001238C
R3: 00004A94   R11: 41474553
R4: 0000000C   R12: 00011898
R5: 00000000   R13: 0000AFEC
R6: 00000000   R14: 00008008
R7: 0000000F   R15: 00008020
   [00007FD8] E51FC840 ldr r12,[pc, #-0x840]
   [00007FDC] E51F7840 ldr r7,[pc, #-0x840]
   [00007FE0] E2008007 and r8,r0,#007
   [00007FE4] E02CC798 mla r12, r8, r7, r12
   [00007FE8] E3A07002 mov r7,#002
   [00007FEC] E92D4000 stmdb sp!, {lr}
   [00007FF0] E3A06000 mov r6,#000
   [00007FF4] E5DC1000 ldrb r1,[r12]
   [00007FF8] E3110001 tst r1,#001
   [00007FFC] 0A000002 beq 0x10
   [00008000] EB000049 bl 0x12c
   [00008004] EB000002 bl 0x10
   [00008008] EAFFFFF9 b 0xffffffec
   [0000800C] EB00000D bl 0x3c
   [00008010] EAFFFFF7 b 0xffffffe4
   [00008014] E5DC1024 ldrb r1,[r12, #0x24]
 > [00008018] E5CB1029 strb r1,[r11, #0x29]
   [0000801C] E5CC1020 strb r1,[r12, #0x20]
   [00008020] E5DC1028 ldrb r1,[r12, #0x28]
thread 42892 panic: AICA write8 from ARM out of bounds address
H:\Source\Deecy\src\aica.zig:760:13: 0xae1b7c in write8_from_arm (Deecy.exe.obj)
            @panic("AICA write8 from ARM out of bounds address");
            ^
H:\Source\Deecy\src\dreamcast.zig:448:27: 0xa7ced6 in tick_peripherals (Deecy.exe.obj)
        try self.tick_aica(cycles);
                          ^
H:\Source\Deecy\src\main.zig:218:50: 0xad6f5b in main (Deecy.exe.obj)
                        cycles += try dc.tick_jit();
                                                 ^
H:\Software\zig\0.13.0-dev.351+64ef45eb0\files\lib\std\start.zig:497:75: 0xade15d in main (Deecy.exe.obj)
    return callMainWithArgs(@as(usize, @intCast(c_argc)), @as([*][*:0]u8, @ptrCast(c_argv)), envp);
                                                                          ^
H:\Software\zig\0.13.0-dev.351+64ef45eb0\files\lib\libc\mingw\crt\crtexe.c:267:0: 0xba9660 in __tmainCRTStartup (crt2.obj)
    mainret = _tmain (argc, argv, envp);

H:\Software\zig\0.13.0-dev.351+64ef45eb0\files\lib\libc\mingw\crt\crtexe.c:188:0: 0xba96b5 in mainCRTStartup (crt2.obj)
  ret = __tmainCRTStartup ();

???:?:?: 0x7ff9e1221ed6 in ??? (KERNEL32.DLL)
???:?:?: 0x7ff9e233a95b in ??? (ntdll.dll)
run
└─ run Deecy failure

Filename: Speed Devils v1.004 (1999)(Ubi Soft)(NTSC)(US)[!].gdi

Senryoku commented 2 months ago

Here's a more complete trace. SpeedDevilsARMCrash_2.txt (full: arm_trace.txt.gz)

I don't see anything wrong with it.

The boot ROM fills this part of AICA RAM (around 0001238C) with 'SEGA'

The game itself loads a more recent version of the same program.

Senryoku commented 2 months ago

Added a workaround ignoring these bogus read/writes in e1e44ab. Seems to continue just fine now.

Still don't know if this is an error in the ARM program or in the emulator.

Senryoku commented 2 months ago

Reicast sees the exact same issue; it just masks the address to fit the expected address space. I don't know if I should ignore them or 'redirect' them, but it does seem like a software issue.

OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
OOB Write! 4147457C
OOB Write! 41474577
OOB Read! 41474573
OOB Write! 41474573
OOB Write! 41474578
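The register dump in the first comment and the reicast comparison above can be checked with a small model of the ARM-side write path. This is an added example, not Deecy's aica.zig or reicast's code: it assumes a 2 MiB AICA wave-RAM window at ARM address 0 (the size is not stated on this page), and the policy names and return codes are invented for the example. It computes the effective address of the faulting `strb r1,[r11, #0x29]` from the dumped R11, shows that R11 is the little-endian bytes of the 'SEGA' fill pattern loaded as a word, and compares the three ways of handling the resulting out-of-bounds access: abort (the @panic in the trace), drop (the e1e44ab workaround) and mask into the RAM window (reicast).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ARM7 -> AICA wave-RAM write path, not Deecy's aica.zig.
 * The 2 MiB window size is an assumption; adjust AICA_RAM_SIZE if it differs. */
#define AICA_RAM_SIZE 0x200000u
#define AICA_RAM_MASK (AICA_RAM_SIZE - 1u)

static uint8_t aica_ram[AICA_RAM_SIZE];
static unsigned oob_events;   /* number of out-of-bounds accesses observed */

enum oob_policy { OOB_PANIC, OOB_IGNORE, OOB_MASK };        /* hypothetical names */
enum write_result { WR_OK = 0, WR_DROPPED = 1, WR_MASKED = 2, WR_PANIC = 3 };

/* Emulate an 8-bit store from the ARM side under a chosen OOB policy.
 * WR_PANIC means "the emulator would have aborted here", as in the trace. */
enum write_result aica_write8_from_arm(uint32_t addr, uint8_t value, enum oob_policy policy)
{
    if (addr < AICA_RAM_SIZE) {
        aica_ram[addr] = value;
        return WR_OK;
    }
    oob_events++;
    switch (policy) {
    case OOB_MASK:      /* reicast-style: wrap the address into the RAM window */
        aica_ram[addr & AICA_RAM_MASK] = value;
        return WR_MASKED;
    case OOB_IGNORE:    /* workaround-style: drop the bogus access */
        return WR_DROPPED;
    default:            /* strict: treat it as a fatal emulator error */
        return WR_PANIC;
    }
}

/* Reads always go through the mask so the masked write can be observed. */
uint8_t aica_read8(uint32_t addr) { return aica_ram[addr & AICA_RAM_MASK]; }

unsigned aica_oob_events(void) { return oob_events; }

/* Effective address of ARM "strb rX,[rB, #imm]" (pre-indexed, no writeback). */
uint32_t arm_ea(uint32_t base, uint32_t imm) { return base + imm; }

/* Render a 32-bit word as the four bytes it occupies in little-endian memory,
 * which is how ldr would have picked it up from a text-filled region. */
void word_as_le_ascii(uint32_t w, char out[5])
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(w >> (8 * i));
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[4] = '\0';
}

int main(void)
{
    /* Values taken from the register dump in the issue. */
    uint32_t r11 = 0x41474553u, r1 = 0x53u;
    char txt[5];

    word_as_le_ascii(r11, txt);
    printf("r11 = %08X, bytes in memory: \"%s\"\n", r11, txt);   /* SEGA */

    uint32_t ea = arm_ea(r11, 0x29);                              /* 4147457C */
    word_as_le_ascii(ea, txt);
    printf("strb r1,[r11, #0x29] -> %08X (\"%s\")\n", ea, txt);

    printf("panic policy:  result %d\n", aica_write8_from_arm(ea, (uint8_t)r1, OOB_PANIC));
    printf("ignore policy: result %d\n", aica_write8_from_arm(ea, (uint8_t)r1, OOB_IGNORE));
    printf("mask policy:   result %d -> ram[%06X] = %02X\n",
           aica_write8_from_arm(ea, (uint8_t)r1, OOB_MASK),
           ea & AICA_RAM_MASK, aica_read8(ea));
    printf("OOB events seen: %u\n", aica_oob_events());
    return 0;
}
```

The masked write lands at 0x07457C, i.e. inside the 2 MiB window; whether that is harmless depends on what the sound program keeps there, which is why counting OOB events (or logging them, as reicast does) is worth keeping even when the access is redirected rather than aborted.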