Random crashes in Pokémon Gold when using fast-forward and OneDrive

[oleombruni]

I'm on a Windows 10 21H1 PC, AMD Ryzen 5 3500U CPU, Vega 8 GPU. I'm using the x64 mGBA binary downloaded from mgba.io. These are my settings:

• Audio driver: SDL, buffer: 1536 samples, sample rate: 44100 Hz, both audio and fast-forward audio muted
• Display driver: OpenGL, skip 0 frames, FPS Target native
• Audio sync ON, video sync OFF, lock aspect ratio ON, force integer scaling ON, bilinear filter OFF, interframe blending OFF
• Enhancements: video renderer OpenGL, high resolution scale 4x

I'm playing a Pokémon Gold rom patched with Universal Pokémon Randomizer ZX. The original rom was dumped by me from the 3DS Virtual Console release.

The game crashes in random places when playing the rom with fast forward. It occurs within a short time from the start, either by loading a battery save or a savestate. There's no error message; the emulator simply closes itself when this happens. The crash is usually preceded by some stuttering a few seconds before. There's nothing on the logs, except for this message: [GAME ERROR] GB I/O: Writing to unknown register FF1F:00 (or register FF15:00). No crashes occur if I don't use fast forward (or, at the very least, it doesn't crash as fast: I played over an hour without problems). No crashes occur when using the unmodified rom, either with or without fast forward (again, not within ~1hr of play).

This may actually be a regression. I used the very same modified rom about one year ago, with mGBA 0.8.3 and 0.8.4 without problems. I redownloaded 0.8.4 right now to check, and it doesn't crash.

[endrift]

Please try using a dev build. This has probably already been fixed.

[oleombruni]

I can confirm that this doesn't occur in mGBA 0.10-7105-c21780282.

[endrift]

Then it will be fixed when 0.9.3 comes out sometime soon as well.

[oleombruni]

Gotcha, sorry for the useless report!

[oleombruni]

Hey, unfortunately after a bit it started to crash again in mGBA 0.10-7105-c21780282. After the first crash in a very long time (more than 2 hours of play), it now crashes regularly like before. As before, it seems that playing at regular speed doesn't provoke any error.

[endrift]

Are you using a game controller? And I'm assuming this is a hang, not actually a crash.

[oleombruni]

No, my laptop's embedded keyboard. When the issue happens, the emulator window closes itself with no warning or error code. I can provide you with the battery save or savestate and IPS patch for the rom, if it would be of any help.

[endrift]

Oh, that's very strange. Can you see if anything shows up in the Windows Event Viewer when it happens? I have a custom filter for crashes I can get to you in a bit.

[oleombruni]

Yes, I found something in the Event Viewer:

Level Date and Time Source Event ID Task Category

Error 03/09/2021 17:56:13 Application Error 1000 (100)

"Faulting application name: mGBA.exe, version: 0.10.0.0, time stamp: 0x00000000 Faulting module name: msvcrt.dll, version: 7.0.19041.546, time stamp: 0x564f9f39 Exception code: 0xc0000005 Fault offset: 0x0000000000074580 Faulting process id: 0x44b4 Faulting application start time: 0x01d7a0dbeeba3809 Faulting application path: C:\Users\myuser\Downloads\mGBA-build-latest-win64\mGBA-build-2021-08-29-win64-7105-c21780282928eda63fe9ca998bddd3edea6b6384\mGBA.exe Faulting module path: C:\WINDOWS\System32\msvcrt.dll Report Id: b9ad3e0e-4c8b-47eb-b295-bb26c09bb63c Faulting package full name: Faulting package-relative application ID: "

[endrift]

Yep, that's a crash alright. Wonder if it's possible to get a minidump, since that alone tells me it's crashing in a library function that mGBA calls, not which (though I may be able to figure that out from this) or where in mGBA it's crashing.

E] It's a memcpy. Which is a function that's used all over. It seems I'll need a minidump for more info.

[oleombruni]

Here's a freshly-made minidump: mGBA.exe.10112.dmp.zip

[endrift]

It looks like this happens when mGBA is trying to write to a memory-backed "file", but that's all I can get out. The IPS and a save file would be great, and also if you could upload the bug report zip file (generated under "report bug" in the file menu). Also, are you using mGBA's built-in patching or an external patching tool to generate a .gb file?

[oleombruni]

I'll post IPS, save and bug report zip in a minute. Just a quick thing: could it be OneDrive's fault? I realized that my rom folder is inside a folder that's sync'ed with OneDrive. (This is actually on purpose, to have my saves synchronized between my desktop and laptop.)

[oleombruni]

As for the game: the modified ROM I'm using has been generated using the Universal Pokémon Randomizer ZX tool, which outputs a ready-to-use .gb file according to the desired randomization options. (I didn't actually randomize anything, just select "Change impossible evolutions" to get rid of trade evolutions and the "Fastest text" misc option.) I've created the IPS file from the generated ROM using Lunar IPS.

mgba_issue.zip

[endrift]

Does it crash on an unmodified Gold ROM in OneDrive, or just the randomized one? This issue is utterly baffling to me as it looks like the memcpy is trying to read from an invalid address, but the only addresses that should be passed in on the line in question would be allocated shortly beforehand and more or less be guaranteed to be valid.

According to the minidump, this is the line that calls the function that winds up invoking memcpy and crashing: https://github.com/mgba-emu/mgba/blob/master/src/core/serialize.c#L105

That line should only get hit twice per frame, once to serialize the RTC value, and once to serialize the savedata. Both of those should be guaranteed to be valid memory.

How big is the save file in question? Does the crash still happen if rewinding is disabled?

[oleombruni]

I've been doing some tests and, well, you may be onto something here. The modified and unmodified ROMs behave the same when under the same conditions, so at least it's not a problem caused by the Randomizer. They both crash when placed in OneDrive AND rewinding is enabled. No crashes occur in any other condition (i.e. OneDrive and no rewinding/no OneDrive and rewinding/neither of them).

I'm sorry for coming up with such a strange scenario hahaha