32x crashes on launch with recent dynarec changes

[justinweiss]

I filed this in the libretro fork (libretro#135), and it was recommended that I also raise this here.

It looks like the most recent few batches of dynarec changes have been causing crashes on 3DS, and possibly Vita and OpenDingux as well. Here's what I've been able to discover:

• 8d2a03b will run games, minus some random svcBackdoor crashes that [3DS] Fix random dynarec crashes and enable for 3dsx builds libretro/picodrive#136 should fix.
• In 90c7dbc, loading a 32x game will quit to the home menu with the message, "host register 1 is locked", but will not crash the system. This is after a large batch of commits on July 4.
• In 5f95cd4, following another batch of dynarec commits, the core will crash when launching a rom.

Unfortunately I have not been able to bisect closer than that, because many of the intermediate commits won't build for me for 3DS without changes. Happy to help with symbols or lookups if necessary.

The crash happens because some code changes pc to point to the first element of blink_free, which is 0. I don't think blink_free should ever be executable code, so that seems incorrect. I haven't been able to find stack breadcrumbs or break anywhere close to the crash. The best clue I have is that it crashes sometime after hitting this block of code, where the registers look very similar to what they look like when it crashes:

   0x5f21a0 <tcache_default+416>:       ldrne   r2, [r11, #64]  ; 0x40
   0x5f21a4 <tcache_default+420>:       and     r1, r2, #1016   ; 0x3f8
   0x5f21a8 <tcache_default+424>:       add     r1, r11, r1
   0x5f21ac <tcache_default+428>:       strne   r2, [r1, #312]  ; 0x138
   0x5f21b0 <tcache_default+432>:       strne   r0, [r1, #316]  ; 0x13c
   0x5f21b4 <tcache_default+436>:       bxne    r0
   0x5f21b8 <tcache_default+440>:       mov     r0, r11
   0x5f21bc <tcache_default+444>:       ldr     r1, [r11, #120] ; 0x78
=> 0x5f21c0 <tcache_default+448>:       bl      0x3e0d3c <sh2_translate>

Here is the full crash dump:

Processor: Arm11 (core 0)
Exception type: prefetch abort
Fault status: Permission - Page
Current process: 3dsx_app (0004001000021100)

Register dump:

r0             00947000            r1             084f1ef8
r2             00000002            r3             00000000
r4             00503460            r5             000003f3
r6             00501ce0            r7             00501c00
r8             00000000            r9             00000000
r10            004f20f0            r11            00503460
r12            00000204            sp             0ffffe30
lr             00000000            pc             00967000

cpsr           000f0010            dfsr           000008ff
ifsr           0000000f            far            fbf7ffe6
fpexc          40000700            fpinst         eef47ac7
fpinst2        eef47ac7

Code dump:

  966fd4:       00000000        andeq   r0, r0, r0
  966fd8:       00000000        andeq   r0, r0, r0
  966fdc:       00000000        andeq   r0, r0, r0
  966fe0:       00000000        andeq   r0, r0, r0
  966fe4:       00000000        andeq   r0, r0, r0
  966fe8:       00000000        andeq   r0, r0, r0
  966fec:       00000000        andeq   r0, r0, r0
  966ff0:       00000000        andeq   r0, r0, r0
  966ff4:       00000000        andeq   r0, r0, r0
  966ff8:       00000000        andeq   r0, r0, r0
  966ffc:       00000000        andeq   r0, r0, r0
  967000:       00000000        andeq   r0, r0, r0


Stack dump:

0ffffe30:  60 34 50 00 f3 03 00 00  e0 1c 50 00 00 1c 50 00   |`4P.......P...P.|
0ffffe40:  60 34 50 00 d2 06 09 00  52 a0 00 00 80 66 08 00   |`4P.....R....f..|
0ffffe50:  00 00 00 00 4c 93 34 00  90 68 08 00 e0 2c 50 00   |....L.4..h...,P.|
0ffffe60:  e0 1c 50 00 b0 9c 2f 00  c0 36 00 00 d2 06 09 00   |..P.../..6......|
0ffffe70:  08 40 0d 06 20 00 00 00  d2 06 09 00 60 f3 4d 00   |.@.. .......`.M.|
0ffffe80:  00 bc 4b 00 29 22 00 00  00 1c 50 00 00 00 00 00   |..K.)"....P.....|
0ffffe90:  00 00 00 00 a8 c1 2f 00  62 07 00 02 76 01 00 00   |....../.b...v...|
0ffffea0:  b0 1f 40 00 60 f3 4d 00  29 22 00 00 1c 10 36 00   |..@.`.M.)"....6.|
0ffffeb0:  20 51 a1 00 58 c2 2f 00  a1 00 00 00 78 f1 31 00   | Q..X./.....x.1.|
0ffffec0:  60 f3 4d 00 a4 00 00 00  00 00 00 00 5a 00 00 00   |`.M.........Z...|
0ffffed0:  60 f3 4d 00 5c c1 4b 00  00 bc 4b 00 78 ab 2f 00   |`.M.\.K...K.x./.|
0ffffee0:  00 00 00 00 00 00 00 00  00 00 00 3f 01 00 3a 00   |...........?..:.|
0ffffef0:  88 b8 1d 00 00 00 00 00  00 00 00 00 0c 00 00 00   |................|
0fffff00:  d0 ab 4b 00 20 f9 3a 00  88 b8 1d 00 64 c1 4b 00   |..K. .:.....d.K.|
0fffff10:  01 00 00 00 5c c1 4b 00  96 8b 0d 00 64 d2 2d 00   |....\.K.....d.-.|
0fffff20:  a0 79 49 00 78 1b 36 00  30 ff ff 0f 00 00 00 00   |.yI.x.6.0.......|
0fffff30:  00 00 00 00 02 00 00 00  a0 79 49 00 01 00 00 00   |.........yI.....|
0fffff40:  ff ff ff ff 01 00 ff ff  a0 79 49 00 c0 24 00 08   |.........yI..$..|
0fffff50:  96 8b 0d 00 84 0c 2a 00  a0 b9 47 00 a0 29 4b 00   |......*...G..)K.|
0fffff60:  ff ff ff ff ff ff ff ff  01 00 ff ff 80 62 2d 00   |.............b-.|
0fffff70:  68 fb 44 00 98 86 7e fb  05 00 00 00 c0 e4 00 08   |h.D...~.........|
0fffff80:  00 00 00 00 00 00 00 00  94 f9 46 00 c0 24 00 08   |..........F..$..|
0fffff90:  96 8b 0d 00 a0 29 4b 00  02 00 00 00 00 00 00 00   |.....)K.........|
0fffffa0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   |................|
0fffffb0:  a0 89 49 00 a0 79 49 00  00 00 00 00 02 00 00 00   |..I..yI.........|
0fffffc0:  a0 24 00 08 a0 29 4b 00  00 00 00 00 20 6c 2d 00   |.$...)K..... l-.|
0fffffd0:  a0 24 00 08 00 00 00 00  1c 11 1b 00 02 00 00 00   |.$..............|
0fffffe0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   |................|
0ffffff0:  00 00 00 00 00 00 00 00  00 00 00 00 bc 05 10 00   |................|

[irixxxx]

I discovered a cut-and-paste error in the arm drc code, which may be related to this. However, it works fine on my arm9 caanoo.
could you please try this diff from my development branch

diff --git a/cpu/drc/emit_arm.c b/cpu/drc/emit_arm.c
--- a/cpu/drc/emit_arm.c
+++ b/cpu/drc/emit_arm.c
@@ -1247,7 +1247,7 @@ static inline void emith_pool_adjust(int tcache_offs, int move_offs)
 } while (0)
 
 #define host_instructions_updated(base, end, force) \
-       do { if (force) __builtin___clear_cache(base, end); } while (0)
+       do { if (force) emith_update_add(base, end); } while (0)
 
 #define host_arg2reg(rd, arg) \
        rd = arg

If it works with this, I'm cherrypicking this commit to my master ASAP. libretro can then cherrypick it from there.

[justinweiss]

Awesome! That fixed the crash. Now I'm just seeing the other issue, where loading a 32x game will quit to the home menu with the message, "host register 1 is locked".

[irixxxx]

Is this with a certain rom or with every one? Justin Weiss <[email protected]> schrieb am Mi., 28. Okt. 2020, 02:54:

…

Awesome! That fixed the crash. Now I'm just seeing the other issue, where loading a 32x game will quit to the home menu with the message, "host register 1 is locked". — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#9 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHR2L4TVLASTP2R7UVDDVEDSM52VVANCNFSM4TAC3GFQ> .

[justinweiss]

I only have a couple, but it happens with both Star Wars Arcade and Virtua Fighter.

It looks like the host register problem started with the batch of commits from early July -- both games work with libretro@8d2a03b from June.

[irixxxx]

Could you possibly apply the diff I posted to libretro#135 and send me the result? It produces debug output from the drc which might help in analysing this.

[justinweiss]

Sure thing. Here are logs from Virtua Fighter and Star Wars Arcade. I had to override printf to log as much as I could, let me know if I missed anything.

retroarch_swa.log
retroarch_vf.log

[irixxxx]

OK... somehow the arm disassembly from the host_dasm function isn't there. Nevermind.
There might be a memory corruption. Could you change the printf in cpu/sh2/compiler.c:2103 to
printf("host register %d is locked i=%d\n", hr, i);
and send me the output?
And please point me to the toolchain you are using.

[justinweiss]

Sorry about that. The 3DS ties console output to the bottom screen, and I haven't figured out a way to redirect it to the log globally. Instead, I've been overriding printf to lprintf to redirect to the RA logs, but it looks like I missed a place. This should have more:

retroarch.log

I'm using the 3ds.tar.xz toolchain from https://github.com/libretro/libretro-toolchains, and point to it with this:

export DEVKITPRO=/path/to/libretro-toolchains/devkitpro
export DEVKITARM=$DEVKITPRO/devkitARM
export DEVKITPPC=$DEVKITPRO/devkitPPC
export CTRULIB=$DEVKITPRO/libctru

3DS is statically built. I get the .a with make -f Makefile.libretro platform=ctr -j 4 all and copy picodrive_libretro_ctr.a to the retroarch directory as libretro_ctr.a. Then I run:

LIBRETRO=picodrive make -f Makefile.ctr.salamander clean
LIBRETRO=picodrive make -f Makefile.ctr.salamander
LIBRETRO=picodrive make -f Makefile.ctr APP_USE_SVCHAX=1 clean
LIBRETRO=picodrive make -f Makefile.ctr APP_USE_SVCHAX=1

This will give retroarch_3ds.elf and retroarch_3ds.3dsx, the 3dsx can just be renamed and dragged into the RetroArch cores directory.

[irixxxx]

ok... I fear this might probably be going to take a while :-(

Could you please send me your ELF executable with debug symbols to my email address (its in the README) or upload it somewhere?
Could you put a breakpoint on exit() and hand me:

• the backtrace
• a printout of reg_map_host
• a printout of cache_regs

Use the Star Wars rom for this, please.

[irixxxx]

BTW it's most probably not a toolchain problem. I compiled an arm-linux sdl version with it, and that works fine using qemu-arm on ubuntu.

[irixxxx]

Should be fixed with 7082729 and fde25b4. Could you check this please?

[jdgleaver]

@irixxxx I don't know if justinweiss has already tested those commits, but I just complied them myself and can confirm that 32x content now runs fine on 3DS.

In addition, on the RG350M there is a small but noticeable performance improvement with the latest updates vs. your original fixes in the other issue thread.

This is wonderful. I cannot thank you enough for all your hard work on this!

[justinweiss]

Thanks @jdgleaver for trying them out! Sorry it took me so long -- things have been busy.

And thanks a ton @irixxxx for those fixes, 32x feels like something you can actually play and enjoy on the 3ds now. Such a big improvement.

[irixxxx]

Fixed. Thanks for the feedback, guys.