barotto / IBMulator

The IBM PS/1 emulator.
https://barotto.github.io/IBMulator
GNU General Public License v3.0

#GP fault in Pinball Illusions #32

Closed barotto closed 5 years ago

barotto commented 6 years ago

A general protection fault happens during the Pinball Illusions' intro.

[screenshot: screenshot_0042]

note to self: hdd-47-800_16_62-DOS622-VGA-test.img in dir illusion

superfury commented 6 years ago

This is what I'm getting in UniPCemu with the current commit:

[screenshot: 547]

It's some MOV instruction, apparently.

superfury commented 6 years ago

Getting closer after the latest ModR/M fix in UniPCemu. The intro loads and starts playing (very slowly): the first part of the animation, including the horizontal stretching and shrinking, then nothing changes anymore with the big arrow-pointing-upwards block on the screen (the I in the block font); the animation freezes from that point onwards. The music continues, though.

Eventually skipped it by pressing space, which gave another loading screen, then this:

[screenshot: 548 - pinball illusions error after the intro]

It seems to be at the point where that 3D donuts part of the opening starts (no 3D donuts have been shown on the screen yet, though).

Seems quite close to your example?

Although CS=0x32C and EIP is different.

superfury commented 6 years ago

It seems the most recent ModR/M and protection invalidation improvements somehow make Pinball Illusions hang after the first loading screen?

No faults are triggered, it just hangs, not continuing on to the video.

Windows 3.0 behaviour remains unchanged, although with a different second page fault linear address.

Edit: Hmmm... it still runs before the two commits I've last made: one fixing the clearing of segments during an (interrupt) return to a lower privilege level so that it doesn't clear the segment present bit/access rights (depending on which of the two, RETF or IRET); the other one is a fix for (E)BP/(E)SP as index (SIB) to default to DS instead of SS.

Edit: Whoops, seems to be just a problem with the configuration of the Sound Blaster when starting the app (like a wrong base address or interrupt selected, probably the latter by pressing Enter too fast). I get a fault on a MOVSW write to ES offset 1FA0 with 16-bit address size. It's just a plain opcode A5 without any prefixes. It's operating in 16-bit protected mode, according to CS's descriptor. ES contains 0014.

Does your case reach this location without errors?

superfury commented 6 years ago

I've made a big log of the problem that's occurring: https://www.dropbox.com/s/7rzmxql2pw8ufo4/debugger_pinballillusions_crash.7z?dl=0

I see some POP ES right somewhere before the invalid MOVSW, which pops a code descriptor value into ES that's causing said fault. That one's overwriting it with the same value it contained already. Looking somewhere further up, another value was in ES, but it was overwritten to said code segment for some odd reason (before the RETFD).

superfury commented 6 years ago

Looking at the log, I see: The line starting with 05:59:57:26.08992 is the fault that's triggered by the MOVSW instruction to the invalid ES(=Code segment) descriptor. Searching up for ES not being 0014, I find:

RAM(r):0001F22A=14(); Physical(r):0001F22A=14(); Paged(r):0001F22A=14(); RAM(r):0001F22B=00( ); Physical(r):0001F22B=00( ); Paged(r):0001F22B=00( ) Reading from RAM(r): 0001A990=AF (?) Reading from physical memory(r): 0001A990=AF (?) Reading from paged memory(r): 0001A990=AF (?) Reading from RAM(r): 0001A991=8A (?) Reading from physical memory(r): 0001A991=8A (?) Reading from paged memory(r): 0001A991=8A (?) Reading from RAM(r): 0001A992=C0 (?) Reading from physical memory(r): 0001A992=C0 (?) Reading from paged memory(r): 0001A992=C0 (?) Reading from RAM(r): 0001A993=4B (K) Reading from physical memory(r): 0001A993=4B (K) Reading from paged memory(r): 0001A993=4B (K) Reading from RAM(r): 0001A994=10 () Reading from physical memory(r): 0001A994=10 () Reading from paged memory(r): 0001A994=10 () Reading from RAM(r): 0001A995=9B (?) Reading from physical memory(r): 0001A995=9B (?) Reading from paged memory(r): 0001A995=9B (?) Reading from RAM(r): 0001A996=44 (D) Reading from physical memory(r): 0001A996=44 (D) Reading from paged memory(r): 0001A996=44 (D) Reading from RAM(r): 0001A997=00 ( ) Reading from physical memory(r): 0001A997=00 ( ) Reading from paged memory(r): 0001A997=00 ( ) 000c:00000eb4 07 pop es RAM(r):00028003=00( ); Physical(r):00028003=00( ); Paged(r):00028003=00( ); RAM(r):00028002=02(); Physical(r):00028002=02(); Paged(r):00028002=02(); RAM(r):00028001=70(p); Physical(r):00028001=70(p); Paged(r):00028001=70(p); RAM(r):00028000=23(#); Physical(r):00028000=23(#); Paged(r):00028000=23(#); RAM(r):0002706B=00( ); Physical(r):0002706B=00( ); Paged(r):0002706B=00( ); RAM(r):0002706A=01(); Physical(r):0002706A=01(); Paged(r):0002706A=01(); RAM(r):00027069=A0(?); Physical(r):00027069=A0(?); Paged(r):00027069=A0(?); RAM(r):00027068=67(g); Physical(r):00027068=67(g); Paged(r):00027068=67(g) Registers: EAX: 000000d1 EBX: 000032f8 ECX: 00000000 EDX: 00000001 ESP: 00001fba EBP: 2aac0000 ESI: 00001822 EDI: 00000c11 CS: 000c DS: 0004 ES: 0034 FS: 0018 GS: 0080 SS: 
0058 TR: 0070 LDTR: 0060 EIP: 00000eb4 EFLAGS: 00003213 CR0: 8000fff1 CR1: 00000000 CR2: 00000000 CR3: 00028000 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: 00000000 DR7: 00000000 GDTR: 000000019f2001ff IDTR: 00000001a15007ff

So it's popping the wrong ES value from a stack? So ES was 0034 before.

Searching up, that value is indeed pushed: Paged(w):0001F22A=14(); Paged(w):0001F22B=00( ); Physical(w):0001F22A=14(); RAM(w):0001F22A=14(); Physical(w):0001F22B=00( ); RAM(w):0001F22B=00( ) 000c:00000e70 06 push es Registers: EAX: 00000006 EBX: 00000000 ECX: 00000000 EDX: 00000fc0 ESP: 00001fbe EBP: 00001284 ESI: 00001251 EDI: 000017ef CS: 000c DS: 001c ES: 0014 FS: 0018 GS: 0080 SS: 0058 TR: 0070 LDTR: 0060 EIP: 00000e70 EFLAGS: 00003293 CR0: 8000fff1 CR1: 00000000 CR2: 00000000 CR3: 00028000 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: 00000000 DR7: 00000000 GDTR: 000000019f2001ff IDTR: 00000001a15007ff FLAGSINFO: 00000000000000vr0n11odItSz0A0p1C

Searching up even further, I see: RAM(r):0001F22E=14(); Physical(r):0001F22E=14(); Paged(r):0001F22E=14(); RAM(r):0001F22F=00( ); Physical(r):0001F22F=00( ); Paged(r):0001F22F=00( ) Reading from RAM(r): 0001A990=AF (?) Reading from physical memory(r): 0001A990=AF (?) Reading from paged memory(r): 0001A990=AF (?) Reading from RAM(r): 0001A991=8A (?) Reading from physical memory(r): 0001A991=8A (?) Reading from paged memory(r): 0001A991=8A (?) Reading from RAM(r): 0001A992=C0 (?) Reading from physical memory(r): 0001A992=C0 (?) Reading from paged memory(r): 0001A992=C0 (?) Reading from RAM(r): 0001A993=4B (K) Reading from physical memory(r): 0001A993=4B (K) Reading from paged memory(r): 0001A993=4B (K) Reading from RAM(r): 0001A994=10 () Reading from physical memory(r): 0001A994=10 () Reading from paged memory(r): 0001A994=10 () Reading from RAM(r): 0001A995=9B (?) Reading from physical memory(r): 0001A995=9B (?) Reading from paged memory(r): 0001A995=9B (?) Reading from RAM(r): 0001A996=44 (D) Reading from physical memory(r): 0001A996=44 (D) Reading from paged memory(r): 0001A996=44 (D) Reading from RAM(r): 0001A997=00 ( ) Reading from physical memory(r): 0001A997=00 ( ) Reading from paged memory(r): 0001A997=00 ( ) 000c:00000eb4 07 pop es Registers: EAX: 00000801 EBX: 0000ffff ECX: 00000226 EDX: 0000000a ESP: 00001fbe EBP: 2aac022c ESI: 000015a2 EDI: 00000ad1 CS: 000c DS: 0004 ES: 000c FS: 0018 GS: 0080 SS: 0058 TR: 0070 LDTR: 0060 EIP: 00000eb4 EFLAGS: 00003256 CR0: 8000fff1 CR1: 00000000 CR2: 00000000 CR3: 00028000 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: 00000000 DR7: 00000000 GDTR: 000000019f2001ff IDTR: 00000001a15007ff FLAGSINFO: 00000000000000vr0n11odItsZ0A0P1c

Hmmmm.... So address 1F22E originally contained the 0014 value that's incorrectly in ES (from SS(0058):1FBE)...
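As an added illustration of the fault being chased here (this is not code from the thread, UniPCemu or IBMulator): a protection-unit check in the style an emulator applies. It decodes the eight bytes the log shows being read at 0001A990 when ES is loaded (AF 8A C0 4B 10 9B 44 00, assumed here to be the descriptor for selector 0014), accepts the load because a readable code segment may sit in a data-segment register, and then rejects the MOVSW write at ES:1FA0 with #GP because writes through a code segment are never allowed. The flat data descriptor used for comparison is constructed, not from the log.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of one 8-byte 80386 segment descriptor. */
typedef struct {
    uint32_t base;
    uint32_t limit;   /* byte limit, already expanded when G=1 */
    uint8_t  present, dpl, system, is_code, conforming, readable, writable;
} seg_desc_t;

/* #GP is vector 13; 0 means the access is allowed. */
enum { SEG_OK = 0, SEG_GP = 13 };

/* Bytes read at 0001A990 in the log while ES is loaded (assumed to be
 * selector 0014's descriptor) and a constructed flat writable data segment. */
static const uint8_t kLogDescriptor[8]  = {0xAF, 0x8A, 0xC0, 0x4B, 0x10, 0x9B, 0x44, 0x00};
static const uint8_t kDataDescriptor[8] = {0xFF, 0xFF, 0x00, 0x00, 0x00, 0x92, 0xCF, 0x00};

/* Little-endian layout: limit[15:0], base[15:0], base[23:16], access byte,
 * G/D/limit[19:16], base[31:24]. */
static seg_desc_t decode_descriptor(const uint8_t d[8])
{
    seg_desc_t s;
    uint8_t access = d[5];
    uint32_t limit = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    memset(&s, 0, sizeof s);
    s.base = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.present = (access >> 7) & 1;
    s.dpl = (access >> 5) & 3;
    s.system = !((access >> 4) & 1);            /* S=0: TSS, LDT, gates */
    if (!s.system) {
        s.is_code = (access >> 3) & 1;
        s.conforming = s.is_code && ((access >> 2) & 1);   /* C bit */
        s.readable = s.is_code && ((access >> 1) & 1);     /* R bit */
        s.writable = !s.is_code && ((access >> 1) & 1);    /* W bit */
    }
    s.limit = (d[6] & 0x80) ? ((limit << 12) | 0xFFF) : limit;  /* G bit */
    return s;
}

/* Checks applied when a selector is loaded into ES/DS/FS/GS: the null
 * selector is always accepted; otherwise the descriptor must be a data
 * segment or a readable code segment, and unless it is conforming its DPL
 * must not be more privileged than CPL or the selector's RPL.
 * (A not-present segment would raise #NP rather than #GP; omitted here.) */
static int check_data_seg_load(uint16_t selector, seg_desc_t s, int cpl)
{
    int rpl = selector & 3;
    if ((selector & ~3u) == 0) return SEG_OK;
    if (s.system) return SEG_GP;
    if (s.is_code && !s.readable) return SEG_GP;
    if (!s.conforming && (s.dpl < cpl || s.dpl < rpl)) return SEG_GP;
    return SEG_OK;
}

/* Checks applied on every write through a loaded segment: code segments are
 * never writable (even when readable), data segments need W=1, and the
 * access must stay within the limit. Expand-down segments are omitted. */
static int check_write(seg_desc_t s, uint32_t offset, uint32_t size)
{
    if (s.is_code || !s.writable) return SEG_GP;
    if (offset + size - 1 > s.limit) return SEG_GP;
    return SEG_OK;
}

/* Replays the thread's case: ES <- 0014 at CPL 0 (accepted), then a MOVSW
 * writing 2 bytes at ES:1FA0. Returns the fault vector of the write. */
static int movsw_fault_vector(void)
{
    seg_desc_t es = decode_descriptor(kLogDescriptor);
    if (check_data_seg_load(0x0014, es, 0) != SEG_OK)
        return -1;   /* would mean the POP ES itself had faulted */
    return check_write(es, 0x1FA0, 2);
}

int main(void)
{
    seg_desc_t es = decode_descriptor(kLogDescriptor);
    printf("base=%08X limit=%05X %s%s\n", es.base, es.limit,
           es.is_code ? "code" : "data", es.readable ? " readable" : "");
    printf("POP ES 0014: %s\n", check_data_seg_load(0x0014, es, 0) ? "#GP" : "ok");
    printf("MOVSW write ES:1FA0: %s\n", movsw_fault_vector() == SEG_GP ? "#GP" : "ok");
    return 0;
}
```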

superfury commented 6 years ago

Looking even further up, I seem to find the cause of the invalid 0014h value that's in ES.

So it bases ES on CS in that code for some odd reason?

That 66 8C C8 mov ax,cs seems suspicious... Since the operand size is 32 bits, it gets degraded to 16 bits, but still... Maybe a ModR/M error?

superfury commented 6 years ago

Right before it, there's a loop that reads and subtracts 8-bit numbers from an array in memory?


The eventual remainder of EBX is used as a JMP point (that GRP5 opcode) to jump to the code that creates the invalid ES segment selector by loading CS into ES (through AX)?

superfury commented 6 years ago

This seems to be the code that determines the starting point for determining the EBX to jump to said code: 0014:00004ee4 8B 1D E7 1F 00 00 mov ebx,dword ds:[00001fe7] RAM(p):00172AAE=FF(?); Physical(p):00172AAE=FF(?); Paged(p):00172AAE=FF(?); RAM(p):00172AAF=B9(?); Physical(p):00172AAF=B9(?); Paged(p):00172AAF=B9(?); RAM(p):00172AB0=FF(?); Physical(p):00172AB0=FF(?); Paged(p):00172AB0=FF(?); RAM(p):00172AB1=3A(:); Physical(p):00172AB1=3A(:); Paged(p):00172AB1=3A(:) Registers: EAX: 00000810 EBX: 000072a4 ECX: 00000359 EDX: 000003c5 ESP: 00001ff2 EBP: 00000000 ESI: 00004f20 EDI: 000072a4 CS: 0014 DS: 001c ES: 001c FS: 0018 GS: 0080 SS: 0058 TR: 0070 LDTR: 0060 EIP: 00004ee4 EFLAGS: 00003246 CR0: 8000fff1 CR1: 00000000 CR2: 00000000 CR3: 00028000 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: 00000000 DR7: 00000000 GDTR: 000000019f2001ff IDTR: 00000001a15007ff FLAGSINFO: 00000000000000vr0n11odItsZ0a0P1c

Are those reads even correct? ....

I seem to see multiple reads to two addresses in there? That's very strange: RAM(p):00172AAA=E8(?); Physical(p):00172AAA=E8(?); Paged(p):00172AAA=E8(?); RAM(p):00172AAB=DF(?); Physical(p):00172AAB=DF(?); Paged(p):00172AAB=DF(?); RAM(p):00172AAC=FC(?); Physical(p):00172AAC=FC(?); Paged(p):00172AAC=FC(?); RAM(p):00172AAD=FF(?); Physical(p):00172AAD=FF(?); Paged(p):00172AAD=FF(?) RAM(r):00028003=00( ); Physical(r):00028003=00( ); Paged(r):00028003=00( ); RAM(r):00028002=02(); Physical(r):00028002=02(); Paged(r):00028002=02(); RAM(r):00028001=70(p); Physical(r):00028001=70(p); Paged(r):00028001=70(p); RAM(r):00028000=23(#); Physical(r):00028000=23(#); Paged(r):00028000=23(#); RAM(r):0002741B=00( ); Physical(r):0002741B=00( ); Paged(r):0002741B=00( ); RAM(r):0002741A=17(); Physical(r):0002741A=17(); Paged(r):0002741A=17(); RAM(r):00027419=50(P); Physical(r):00027419=50(P); Paged(r):00027419=50(P); RAM(r):00027418=67(g); Physical(r):00027418=67(g); Paged(r):00027418=67(g); RAM(r):00175BA7=02(); Physical(r):00175BA7=02(); Paged(r):00175BA7=02() RAM(r):00175BA8=9C(?); Physical(r):00175BA8=9C(?); Paged(r):00175BA8=9C(?); RAM(r):00175BA9=01(); Physical(r):00175BA9=01(); Paged(r):00175BA9=01(); RAM(r):00175BAA=00( ); Physical(r):00175BAA=00( ); Paged(r):00175BAA=00( ) 0014:00004ee4 8B 1D E7 1F 00 00 mov ebx,dword ds:[00001fe7] RAM(p):00172AAE=FF(?); Physical(p):00172AAE=FF(?); Paged(p):00172AAE=FF(?); RAM(p):00172AAF=B9(?); Physical(p):00172AAF=B9(?); Paged(p):00172AAF=B9(?); RAM(p):00172AB0=FF(?); Physical(p):00172AB0=FF(?); Paged(p):00172AB0=FF(?); RAM(p):00172AB1=3A(:); Physical(p):00172AB1=3A(:); Paged(p):00172AB1=3A(:) Registers: EAX: 00000810 EBX: 000072a4 ECX: 00000359 EDX: 000003c5 ESP: 00001ff2 EBP: 00000000 ESI: 00004f20 EDI: 000072a4 CS: 0014 DS: 001c ES: 001c FS: 0018 GS: 0080 SS: 0058 TR: 0070 LDTR: 0060 EIP: 00004ee4 EFLAGS: 00003246 CR0: 8000fff1 CR1: 00000000 CR2: 00000000 CR3: 00028000 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: 00000000 DR7: 
00000000 GDTR: 000000019f2001ff IDTR: 00000001a15007ff FLAGSINFO: 00000000000000vr0n11odItsZ0a0P1c

It seems to be one at 28000h=027023 and one at 27418h and a few more... There's definitely something strange happening there, according to those read addresses...

Edit: OK. So that 28000h address is actually the paging that's being used. So 28000(PDE)=702302(PTE address)=>00027418(PTE)=175067(Linear address 175000). Then the actual read performed is: RAM(r):00175BA7=02(); Physical(r):00175BA7=02(); Paged(r):00175BA7=02() RAM(r):00175BA8=9C(?); Physical(r):00175BA8=9C(?); Paged(r):00175BA8=9C(?); RAM(r):00175BA9=01(); Physical(r):00175BA9=01(); Paged(r):00175BA9=01(); RAM(r):00175BAA=00( ); Physical(r):00175BAA=00( ); Paged(r):00175BAA=00( )

That seems to match the value loaded in EBX... Hmmm.... where does that value come from? Edit: Looking at the location that's referenced, it matches the code itself, so somewhere within the executable code?
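As an added worked example of the page walk described in the previous comment (not code from the thread, UniPCemu or IBMulator): an 80386-style two-level translation over a constructed sparse physical memory that contains only the bytes the log shows, namely 23 70 02 00 at 00028000 (CR3's directory), 67 50 17 00 at 00027418 (the page table entry) and 02 9C 01 00 at 00175BA7. The linear address 00106BA7 used below is derived from those entries (directory index 0, table index 0x106 because the PTE sits at 00027418, offset BA7), so the walk lands on the same dword the log shows landing in EBX.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define PAGE_MASK  (PAGE_SIZE - 1)
#define PG_PRESENT 1u
#define VEC_PF     14          /* #PF vector; 0 means translated */

/* Sparse physical memory: only the three pages the walk touches exist
 * (page directory at CR3=00028000, its page table, and the data page). */
typedef struct { uint32_t phys; uint8_t data[PAGE_SIZE]; } page_t;
static page_t g_mem[3] = { {.phys = 0x28000u}, {.phys = 0x27000u}, {.phys = 0x175000u} };

static uint8_t *phys_ptr(uint32_t phys)
{
    for (size_t i = 0; i < sizeof g_mem / sizeof g_mem[0]; i++)
        if (g_mem[i].phys == (phys & ~PAGE_MASK))
            return &g_mem[i].data[phys & PAGE_MASK];
    return NULL;
}

/* Little-endian 32-bit read; returns 0 if a byte falls outside modelled memory. */
static int phys_read32(uint32_t phys, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *p = phys_ptr(phys + i);
        if (!p) return 0;
        v |= (uint32_t)*p << (8 * i);
    }
    *out = v;
    return 1;
}

/* Places the bytes taken from the log excerpt (constructed sample memory). */
static void load_pages_from_log(void)
{
    static const uint8_t pde[4] = {0x23, 0x70, 0x02, 0x00};  /* PDE 00027023 */
    static const uint8_t pte[4] = {0x67, 0x50, 0x17, 0x00};  /* PTE 00175067 */
    static const uint8_t val[4] = {0x02, 0x9C, 0x01, 0x00};  /* dword 00019C02 */
    memcpy(phys_ptr(0x28000u), pde, 4);
    memcpy(phys_ptr(0x27418u), pte, 4);
    memcpy(phys_ptr(0x175BA7u), val, 4);
}

/* 80386 two-level translation: PDE index = linear[31:22], PTE index =
 * linear[21:12], offset = linear[11:0]. Only the present bits are checked;
 * U/S and R/W protection and the accessed/dirty updates are omitted. */
static int translate(uint32_t cr3, uint32_t linear, uint32_t *phys)
{
    uint32_t pde, pte;
    uint32_t pde_addr = (cr3 & ~PAGE_MASK) + ((linear >> 22) & 0x3FFu) * 4;
    if (!phys_read32(pde_addr, &pde) || !(pde & PG_PRESENT)) return VEC_PF;
    uint32_t pte_addr = (pde & ~PAGE_MASK) + ((linear >> 12) & 0x3FFu) * 4;
    if (!phys_read32(pte_addr, &pte) || !(pte & PG_PRESENT)) return VEC_PF;
    *phys = (pte & ~PAGE_MASK) | (linear & PAGE_MASK);
    return 0;
}

/* Linear -> physical under the log's page tables, or 0xFFFFFFFF on #PF. */
static uint32_t linear_to_phys(uint32_t linear)
{
    uint32_t phys;
    load_pages_from_log();
    return translate(0x28000u, linear, &phys) == 0 ? phys : 0xFFFFFFFFu;
}

/* The dword that `mov ebx,dword ds:[00001fe7]` ends up fetching once its
 * linear address (00106BA7 under the assumptions above) has been paged. */
static uint32_t fetched_ebx_value(void)
{
    uint32_t phys, v = 0;
    load_pages_from_log();
    if (translate(0x28000u, 0x00106BA7u, &phys) == 0)
        phys_read32(phys, &v);
    return v;
}

int main(void)
{
    printf("linear 00106BA7 -> physical %08X\n", linear_to_phys(0x00106BA7u));
    printf("EBX := %08X\n", fetched_ebx_value());
    printf("linear 00400000 -> %s\n",
           linear_to_phys(0x00400000u) == 0xFFFFFFFFu ? "#PF (PDE not present)" : "mapped");
    return 0;
}
```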

superfury commented 6 years ago

After the latest fix in using top-down segments and segmentation limits, I now see the BIU faulting on an invalid EIP address, before the earlier fault at C31 occurs?

Edit: I see the BIU internally blocking fetches (faulting because the limit is past offset 10EA+ on offset 10EB), with the CS base being 27E1A0. CS=0x31C at that moment.

When filtering said BIU internal faulting (converted to simply blocking fetches silently, since it isn't fetched by the EU directly for executing an instruction), the very first fault after that is the MOVSW faulting on its destination address itself (the base of said operand).

Edit: Looking at the restored CS:EIP during exception handling, it seems to fault at 0324:00000C31? Does your code reach this point of execution?

[screenshot: 556 - pinball illusions error after the intro]

superfury commented 6 years ago

Any idea what those numbers in white at the bottom mean? 000031E9 in my latest case? 000031F9 in your case?

superfury commented 6 years ago

Good news: with the more recent bugfixes (just now tested; the bugfixes mainly came from looking at Bochs' code and adjusting my code accordingly), the Pinball Illusions movie no longer hangs or crashes into any protection fault! :D

Although pressing the Escape key while the intro is playing (played until the scrolling credits have rolled a few lines) does give me a black screen, instead of continuing on to the loading screen again for the second part.

superfury commented 6 years ago

With the even more recent bugfixes, it seems to run without problems, although slowly (still working on optimizing the emulator; the demo is running on a 3 MIPS 80386DX, in IPS cycle mode).

https://youtu.be/e_uzF5b8_UI