sarah
/
nesfuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

debugging pipe entry issue

This commit is contained in:
Theron Spiegl 2020-01-05 21:22:03 -06:00
parent b8a6befb61
commit a32a6b8eea
6 changed files with 20723 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16352
SMBDIS.ASM Normal file
View File

File diff suppressed because it is too large Load Diff

3076
dump Normal file
View File

File diff suppressed because it is too large Load Diff

2
src/cartridge/mappers.rs
View File

@ -9,7 +9,7 @@ pub fn nrom_cpu(cpu: &mut crate::cpu::Cpu, address: usize, writing: bool) -> Opt
match address {
0x8000..=0xBFFF => Some(&mut cpu.prg_rom[0][address % 0x4000]),
0xC000..=0xFFFF => Some(&mut cpu.prg_rom[l - 1][address % 0x4000]),
_ => panic!("bad cpu address passed to nrom mapper"),
_ => panic!("bad cpu address passed to nrom mapper: 0x{:04x}", address),
}
}

56
src/cpu/mod.rs
View File

@ -176,11 +176,20 @@ impl Cpu {
let address = address_func(self);
// debugging
// assert!(self.memory_at(0xAD79, 141) == UNDERGROUND_LEVEL.to_vec() && self.memory_at(0xA133, 45) == UNDERGROUND_ENEMIES.to_vec());
let pc = self.PC;
if address == 0x06d6 { // if we're doing something with the WarpZoneControl global
println!("===========================\n0x{:04x} {:?}", address, mode);
// if address == 0x06D6 {
// // let mem = self.memory_at(0xAD79, 141);
// // println!("memory at 0xAD79: {:02X?}", mem);
// println!("===========================\n0x{:04X} {:?}", address, mode);
// if self.more == 0 {
// self.more += 24;
// }
// }
if pc == 0xB1E5 {
println!("===========================");
if self.more == 0 {
self.more += 10;
self.more += 24;
}
}
if self.more > 0 {
@ -194,11 +203,11 @@ impl Cpu {
pc, self.read(pc), operands, OPCODE_DISPLAY_NAMES[opcode],
self.A, self.X, self.Y, self.P, self.S,
);
let mut zpg = Vec::<u8>::new();
for i in 0..32 {
zpg.push(self.read(i));
}
print!(" zpg: {:x?}", zpg);
// let mut zpg = Vec::<u8>::new();
// for i in 0..32 {
// zpg.push(self.read(i));
// }
// print!(" zpg: {:x?}", zpg);
print!("\n");
self.more -= 1;
}
@ -212,8 +221,16 @@ impl Cpu {
self.clock - clock
}
pub fn memory_at(&mut self, address: usize, amount: usize) -> Vec<u8> {
let mut ret = vec![];
for i in 0..amount {
ret.push(self.read(address+i));
}
ret
}
// memory interface
fn read(&mut self, address: usize) -> u8 {
pub fn read(&mut self, address: usize) -> u8 {
let val = match address {
0x0000..=0x1FFF => self.mem[address % 0x0800],
0x2000..=0x3FFF => self.read_ppu_reg(address % 8),
@ -232,6 +249,9 @@ impl Cpu {
// memory interface
fn write(&mut self, address: usize, val: u8) {
// if address == 0x06D6 {
// println!("writing 0x{:02X} to 0x{:04X}", val, address);
// }
match address {
0x0000..=0x1FFF => self.mem[address % 0x0800] = val,
0x2000..=0x3FFF => self.write_ppu_reg(address % 8, val),
@ -353,3 +373,21 @@ const OPCODE_DISPLAY_NAMES: [&str; 256] = [
"BEQ", "SBC", "BAD", "ISC", "NOP", "SBC", "INC", "ISC",
"SED", "SBC", "NOP", "ISC", "NOP", "SBC", "INC", "ISC",
];
// const UNDERGROUND_LEVEL: [u8; 141] = [
// 0x48, 0x01, 0x0e, 0x01, 0x00, 0x5a, 0x3e, 0x06, 0x45, 0x46, 0x47, 0x46, 0x53, 0x44, 0xae, 0x01,
// 0xdf, 0x4a, 0x4d, 0xc7, 0x0e, 0x81, 0x00, 0x5a, 0x2e, 0x04, 0x37, 0x28, 0x3a, 0x48, 0x46, 0x47,
// 0xc7, 0x07, 0xce, 0x0f, 0xdf, 0x4a, 0x4d, 0xc7, 0x0e, 0x81, 0x00, 0x5a, 0x33, 0x53, 0x43, 0x51,
// 0x46, 0x40, 0x47, 0x50, 0x53, 0x04, 0x55, 0x40, 0x56, 0x50, 0x62, 0x43, 0x64, 0x40, 0x65, 0x50,
// 0x71, 0x41, 0x73, 0x51, 0x83, 0x51, 0x94, 0x40, 0x95, 0x50, 0xa3, 0x50, 0xa5, 0x40, 0xa6, 0x50,
// 0xb3, 0x51, 0xb6, 0x40, 0xb7, 0x50, 0xc3, 0x53, 0xdf, 0x4a, 0x4d, 0xc7, 0x0e, 0x81, 0x00, 0x5a,
// 0x2e, 0x02, 0x36, 0x47, 0x37, 0x52, 0x3a, 0x49, 0x47, 0x25, 0xa7, 0x52, 0xd7, 0x04, 0xdf, 0x4a,
// 0x4d, 0xc7, 0x0e, 0x81, 0x00, 0x5a, 0x3e, 0x02, 0x44, 0x51, 0x53, 0x44, 0x54, 0x44, 0x55, 0x24,
// 0xa1, 0x54, 0xae, 0x01, 0xb4, 0x21, 0xdf, 0x4a, 0xe5, 0x07, 0x4d, 0xc7, 0xfd,
// ];
// const UNDERGROUND_ENEMIES: [u8; 45] = [
// 0x1e, 0xa5, 0x0a, 0x2e, 0x28, 0x27, 0x2e, 0x33, 0xc7, 0x0f, 0x03, 0x1e, 0x40, 0x07, 0x2e, 0x30,
// 0xe7, 0x0f, 0x05, 0x1e, 0x24, 0x44, 0x0f, 0x07, 0x1e, 0x22, 0x6a, 0x2e, 0x23, 0xab, 0x0f, 0x09,
// 0x1e, 0x41, 0x68, 0x1e, 0x2a, 0x8a, 0x2e, 0x23, 0xa2, 0x2e, 0x32, 0xea, 0xff,
// ];

48
src/main.rs
View File

@ -50,6 +50,28 @@ fn main() -> Result<(), String> {
let mut fps = 0;
let mut sps = 0;
// TODO: remove
// check for location of VerticalPipeEntry
// println!("verticalPipeEntry: {:02X?}", cpu.memory_at(0xB225, 512));
// why not just dump all memory?
// let mut mem = cpu.memory_at(0, 0x4020);
// let mut mem2 = cpu.memory_at(0x8000, 0xFFFF-0x8000);
// mem.append(&mut mem2);
// let mut line = 0;
// for i in 0..0x4020 {
// if i % 0x10 == 0 {
// print!("\n0x{:04X}: ", i);
// }
// print!("{:02X} ", mem[i]);
// }
// println!("\n=========================");
// for i in 0x8000..=0xFFFF {
// if i % 0x10 == 0 {
// print!("\n0x{:04X}: ", i);
// }
// print!("{:02X} ", mem[i-0x4020]);
// }
// PROFILER.lock().unwrap().start("./main.profile").unwrap();
'running: loop {
// step CPU: perform 1 cpu instruction, getting back number of clock cycles it took
@ -156,5 +178,29 @@ Is ParseRow0e a clue?
I think L_UndergroundArea3 is the data for the coin rooms. Need to verify that it's loaded properly.
It's at 0x2D89 in the ROM, so 0x2D79 without header. Which means it's in PRG ROM, because it's within the first 0x4000,
in the first PRG chunk/vec given to CPU by cartridge. Because it's NROM, that will be mapped starting at $8000,
so its position in memory should be 0x8000 + 0x2D79 = 0xAD79.
so its position in memory should be 0x8000 + 0x2D79 = 0xAD79.
L_UndergroundArea3 is indeed at 0xAD79 and correct in both good emulator and mine. So need to detect its use? Verified that
it's not changed, neither is E_UndergroundArea3 which is at $A133. WarpZoneControl is also set properly: 0 for a while, then
1 when running over exit in 2-1 to Warp Zone, then 4 once dropped down into the WarpZone. 0 when going into any coin rooms.
HandlePipeEntry queues VerticalPipeEntry:
sta GameEngineSubroutine ;set to run vertical pipe entry routine on next frame
Then it checks WarpZoneControl and branches to rts if :
lda WarpZoneControl ;check warp zone control
beq ExPipeE ;branch to leave if none found
[...]
ExPipeE: rts ;leave!!!
So the problem may be in VerticalPipeEntry. Need to hook it. It starts with lda #$01, so looking for lda in immediate mode, which is 0xA9
followed by jsr then followed by a two byte absolute address we don't know, so 0x20 ?? ??, then jsr another function, so same thing,
then ldy #$00, which is 0xA0 0x00... so now we can grep the rom file for its address and compare to good emulator.
grep -A10 "a9 *01 *20 *.. *.. *20 *.. *.. *a0"
000031f0 52 07 4c 13 b2 a9 01 20 00 b2 20 93 af a0 00 ad |R.L.... .. .....|
VerticalPipeEntry is at $31F5 in the ROM, so at $B205 in the running emulator. Now need to confirm that and then log starting there.
No, had to do a full memory dump to find out that it's at $B225... Anyway, can now hook there. But hook was wrong. And hooking for address == $06D6
shows the program counter at 0xB1EF, meaning I was right that the routine's address is 0xB1E5... So my dump was wrong? Or routines move around? Doesn't make sense.
Anyway, hook PC == $B1E5.
Ok, so, comparing logs with the good emulator down the WORKING pipe in 1-1 shows a divergence in behavior based on loading value 0x6E from $0755 into the accumulator,
and comparing that to 0x50. What's at $0755? Player_Pos_ForScroll.
*/

1200
verticalPipeEntryLog Normal file
View File

File diff suppressed because it is too large Load Diff