Paint crashes when using Brush tool

I think this is a longstanding bug, but it seems to have got worse for me recently. When using the Brush tool (the one that paints with a sprite), sometimes Paint crashes. It used to give an error message and exit, saving the spritefile in !Scrap, but now it just freezes the computer, requiring a reset. I’m not sure exactly what circumstances cause the crash, but it happens about 50% of the time I try to use the Brush, and takes effect once I click on the OK button in the tool window. I’m using RPCEmu and 5.21 (July), which is otherwise pretty stable for me.

As there’s no error message displayed, it’s hard to give any helpful info for a bug ticket. Any advice on how I can get more information on what’s happening?

IIRC when you close RPCEmu it writes the current CPU registers to the log file. If the OS is completely stuck, those registers should hopefully be pointing at the code it’s stuck in, so would be very useful in tracking down the problem.

Predictably enough, it was hard to reproduce the error when I wanted to!

Used the Brush tool a bit, which after a while prompted this error:

Unrecoverable Internal Error (Illegal Window Handle).

after which, Paint quit.

Ran it again and used the Brush, which produced this error:

Internal Error, no stack for trap handler:
Internal Error: abort on data transfer at &FAFF3394,
pc = FC13FA5C: registers at 201095E0

Closing the error box resulted in more errors, including SWI &205110 not known, and everything got very unstable.

I haven’t been able to provoke a full freeze again, but I’ll keep working as I normally do and check the RPCEmu log when one comes along.

A *modules listing or the build date of your ROM would be helpful too, so that we can work out where those addresses are.

Here’s the modules output:

*modules
No. Position Workspace Name
  1 FC01ED84 00000000  UtilityModule
  2 FC040A80 20000014  Podule
  3 FC042A00 200006F4  FileSwitch
  4 FC04FA78 20001BB4  ResourceFS
  5 FC050760 20001BF4  TerritoryManager
  6 FC052C7C 00000000  Messages
  7 FC102E18 20001CF4  MessageTrans
  8 FC104208 20003AB4  UK
  9 FC105E08 20004234  WindowManager
 10 FC121458 2010AD54  TaskManager
 11 FC1253A8 00000000  Desktop
 12 FC126010 00000000  SharedCLibrary
 13 FC15A2A4 20009954  VIDC20Video
 14 FC15B2F8 200099B4  Mouse
 15 FC15B6EC 200099F4  PS2Driver
 16 FC15C7DC 00000000  ADFSFiler
 17 FC160D4C 00000000  BASIC
 18 FC170850 00000000  BASIC64
 19 FC17E65C 20009AB4  BASICTrans
 20 FC17F434 2000A114  BufferManager
 21 FC1806B0 200FADF4  ColourTrans
 22 FC1848B8 2000A134  Debugger
 23 FC189950 2000A3D4  DeviceFS
 24 FC18BE50 20100694  DisplayManager
 25 FC18DBA0 2000A514  DMAManager
 26 FC190B14 2000A934  DragASprite
 27 FC191C8C 00000000  DragAnObject
 28 FC1921B8 2000A974  Draw
 29 FC1955E0 2000B3B4  FileCore%ADFS
    FC1955E0 00000000  FileCore%Base
 30 FC1A89F4 2000AAB4  ADFS
 31 FC1B0CD0 2010D874  Filer
 32 FC1B9E18 2005F154  FilerSWIs
 33 FC1BA114 2005F254  FSLock
 34 FC1BB2BC 2005F5B4  FontManager
 35 FC1CB7E4 20060494  FPEmulator
 36 FC1D2FE0 200605F4  Free
 37 FC1D47DC 20060F54  Hourglass
 38 FC1D5258 20061054  IIC
 39 FC1D590C 20061094  International
 40 FC1DBBEC 200610B4  InternationalKeyboard
 41 FC1EEBCC 20061114  InverseTable
 42 FC1F5F4C 00000000  NetFiler
 43 FC1FA274 20061534  NetStatus
 44 FC1FA5D0 00000000  Obey
 45 FC1FAF70 20061554  ParallelDeviceDriver
 46 FC1FC804 200617F4  Pinboard
 47 FC202444 200624D4  PipeFS
 48 FC2038E4 00000000  RAMFSFiler
 49 FC2047C0 20110B34  ResourceFiler
 50 FC204F8C 00000000  ROMFonts
 51 FC258FBC 200037D4  RTCAdjust
 52 FC2598C8 20003774  ScreenBlanker
 53 FC25A230 20062534  ScrSaver
 54 FC25AB08 20003714  SerialDeviceDriver
 55 FC25BC80 20003674  SerialDeviceSupport
 56 FC25C360 20003634  SerialMouse
 57 FC25C9E0 00000000  ShellCLI
 58 FC25D050 200639B4  SoundDMA
 59 FC25ED38 20063AF4  SoundChannels
 60 FC2605C0 20065CB4  SoundScheduler
 61 FC260EBC 20067CD4  SpriteExtend
 62 FC2741A8 00000000  SpriteUtils
 63 FC274798 20003554  Squash
 64 FC276168 00000000  SuperSample
 65 FC276A8C 2006AA74  SystemDevices
 66 FC2778C8 200035F4  TaskWindow
 67 FC279F88 00000000  WindowUtils
 68 FC279FF0 2006ABB4  FilterManager
 69 FC27B474 2006AC54  WaveSynth
 70 FC27BF60 2006B354  StringLib
 71 FC27CA34 2006BB74  Percussion
 72 FC27D5F8 2006C494  SharedSound
 73 FC27F244 00000000  Filer_Action
 74 FC286524 2006D534  DOSFS
 75 FC2920B0 2006E8B4  ColourPicker
 76 FC29FF28 20074714  ScreenModes
 77 FC2A20E4 20075994  DrawFile
 78 FC2A7B1C 200775B4  BootCommands
 79 FC2AA350 00000000  AUNMsgs
 80 FC2B1AF8 20063954  MbufManager
 81 FC2B4354 200C1C34  Internet
 82 FC2D7420 200C5F54  Resolver
 83 FC2F6E48 200C9174  MimeMap
 84 FC2F8064 200CA554  LanManFS
 85 FC30D348 200D54B4  DHCP
 86 FC3120DC 20109454  !Edit
 87 FC314BC0 00000000  !Draw
 88 FC33E88C 00000000  !Paint
 89 FC354DB8 00000000  !Alarm
 90 FC362288 00000000  !Chars
 91 FC363204 00000000  !Help
 92 FC365A7C 200D69D4  TinyStubs
 93 FC3675B4 200D7D34  Toolbox
 94 FC36C13C 200D9174  Window
 95 FC37A404 200DACB4  ToolAction
 96 FC37BB14 200DBE14  Menu
 97 FC37FBB0 200DD2F4  Iconbar
 98 FC382564 200DE7B4  ColourDbox
 99 FC385424 200DFB94  ColourMenu
100 FC388118 200E1214  DCS
101 FC38A4A8 200E2614  FileInfo
102 FC38CFDC 200E3B14  FontDbox
103 FC390D6C 200E5154  FontMenu
104 FC393660 200E6634  PrintDbox
105 FC397368 200E7B54  ProgInfo
106 FC39A490 200E9074  SaveAs
107 FC39DDE8 200EA6D4  Scale
108 FC3A03E4 200EBA94  TextGadgets
109 FC3AA1C4 200ED5F4  CDFSDriver
110 FC3AB6B0 00000000  CDFSSoftATAPI
111 FC3AD1E8 200EE234  CDFS
112 FC3B1208 00000000  CDFSFiler
113 FC3B3E6C 00000101  UnSqueezeAIF
114 200F9994 00000000  RPCEmuHostFS
115 200F9D34 200FA134  RPCEmuHostFSFiler
116 20102B54 201052D4  EtherRPCEm
117 201385B4 20138854  StrongTask

The build date from the Switcher is 09-July-13.

I just tried the latest !Paint 2.15 and the most recent OMAP4 ROM.

I just get an abort. Takes a while for it to happen.

*where
Address &FC137878 is at offset &000021A8 in module SharedCLibrary

That’s one of the oldest bugs in RISC OS. I remember it happening in RO2 days.

That’s one of the oldest bugs in RISC OS. I remember it happening in RO2 days.

Is it being kept for nostalgic reasons or is the fix an extremely difficult one?

I just tried the latest !Paint 2.15 and the most recent OMAP4 ROM.

I just get an abort. Takes a while for it to happen.

*where
Address &FC137878 is at offset &000021A8 in module SharedCLibrary

Although I’ve had a few different exceptions whilst using the brush, I don’t think I’ve had one at an address in SharedCLibrary.

I tried to work out what code is at the above address last year.

I needed to find what version of the SharedCLibrary (CLib) module was current on Aug 21, 2013.

I consulted this CVS history.

I’m still not sure if it’s version 5-75 or 5-77.

Possibly this may have it in the HardDisc4 image: https://web.archive.org/web/20130729053646/http://www.riscosopen.org/content/downloads/other-zipfiles

I downloaded that from July 2013 and have copied CLib.

It says SharedCLibrary 5.77 (24 Mar 2013).

In that CLib I downloaded, the line at offset &000021A8 is surrounded by undefined instructions so I’m not sure code is even supposed to be there! So at this point I don’t know if I’m looking at a different version of CLib to what Chris Grandsen was running or if an error elsewhere caused a branch to the wrong address (in which case I wouldn’t have enough information to track that down).

I also tried RMLoading the above version of SharedCLibrary and using the brush tool a lot, but I couldn’t reproduce the crash.

Please, if anyone else is still getting exceptions when using the brush, post them here with the address and ideally the output of:

*where
*showregs
*memoryi pc -40 +80
*modules

Thanks.

In that CLib I downloaded, the line at offset &000021A8 is surrounded by undefined instructions so I’m not sure code is even supposed to be there!

Maybe it’s relocation stuff? Load the module, rip it from memory using Zap/StrongEd, and see if what’s there is any different.

rip it from memory using Zap/StrongEd

I didn’t know StrongEd could do that. I only really use it as a hex editor for files on disc. I just downloaded StrongHelp and had a look at StrongEd’s help, and I still don’t know how to do that.

How do I do that Rick?

I used to have a tool called RMSave that could save a Module to a file, but I assumed that would just be structured the same as any original module file.

I don’t really know anything about the internals of modules yet. I assumed the relocation stuff just meant the base address could change, so I thought if I read the base address of the module with “*modules” and then added &000021A8 to that, that “*memoryi” on the result would give me the right line of code.

How do I do that Rick?

No idea. But I’ve yet to see a feature of Zap that Fred doesn’t come along and say “StrongEd does that too”.

Sorry it isn’t helpful, all my kit is currently turned off because of the weather conditions. I’ve been marathoning The Witcher, which means standing outside in the rain at the edge of the field (good 4G) to download the episodes two by two.
[nice world building, but the highly non linear story can be a PITA to keep track of!]

but I assumed that would just be structured the same as any original module file.

I may be wrong, but I think C modules are a little more complicated. I have certainly encountered branches that went to gibberish places, which made sense after the module was actually loaded.

No idea. But I’ve yet to see a feature of Zap that Fred doesn’t come along and say “StrongEd does that too”.

:-))

Yes, StrongED can grab applications & modules from memory too but the feature is a bit hidden in pre-4.70 versions. Click with the right mouse button on StrongED’s iconbar icon to open the Modes menu. In that menu choose the Dump mode. This will open a dialogue box that allows you to grab various bits of memory.

In StrongED 4.70 it’s been added to the iconbar menu to make it easier to find:
Iconbar menu > Create file > Grab memory...

That worked great, thanks Fred!

I just tried the latest !Paint 2.15 and the most recent OMAP4 ROM.

I just get an abort. Takes a while for it to happen.

*where
Address &FC137878 is at offset &000021A8 in module SharedCLibrary

Offset +&21A8 comes to address 20243BDC in the below routine in the SharedCLibrary (still assuming I grabbed the same version of CLib that Chris had):

20243AF4 : E1A0C00D : .À á : MOV     R12,R13
20243AF8 : E92DDBF0 : ðÛ-é : STMDB   R13!,{R4-R9,R11,R12,R14,PC}
20243AFC : E59F3390 : 3Ÿå : LDR     R3,&20243E94
20243B00 : E51A621C : .b.å : LDR     R6,[R10,#-540]
20243B04 : E1A04000 : .@ á : MOV     R4,R0
20243B08 : E3A00000 : .. ã : MOV     R0,#0
20243B0C : E0867003 : .p†à : ADD     R7,R6,R3
20243B10 : E1072090 :  .á : SWP     R2,R0,[R7]
20243B14 : E24CB004 : .°Lâ : SUB     R11,R12,#4
20243B18 : E24DD010 : .ÐMâ : SUB     R13,R13,#&10       ; =16
20243B1C : E3A08000 : .€ ã : MOV     R8,#0
20243B20 : E3520000 : ..Rã : CMP     R2,#0
20243B24 : 1A000008 : .... : BNE     &20243B4C
20243B28 : E3A09000 : . ã : MOV     R9,#0
20243B2C : E1A03007 : .0 á : MOV     R3,R7
20243B30 : E3A02006 : .  ã : MOV     R2,#6
20243B34 : E3A01003 : .. ã : MOV     R1,#3
20243B38 : E3A00033 : 3. ã : MOV     R0,#&33            ; ="3"
20243B3C : EB0047B3 : ³G.ë : BL      &20255A10
20243B40 : E1071099 : ™..á : SWP     R1,R9,[R7]
20243B44 : E3510000 : ..Qã : CMP     R1,#0
20243B48 : 0AFFFFF7 : ÷ÿÿ. : BEQ     &20243B2C
20243B4C : E51F0490 : ..å : LDR     R0,&202436C4
20243B50 : E51A121C : ...å : LDR     R1,[R10,#-540]
20243B54 : E7D63000 : .0Öç : LDRB    R3,[R6,R0]
20243B58 : E240006C : l.@â : SUB     R0,R0,#&6C         ; ="l"
20243B5C : E0805001 : .Pۈ : ADD     R5,R0,R1
20243B60 : E3530000 : ..Sã : CMP     R3,#0
20243B64 : 0A000006 : .... : BEQ     &20243B84
20243B68 : EBFFFFC8 : Èÿÿë : BL      &20243A90
20243B6C : E3500000 : ..Pã : CMP     R0,#0
20243B70 : 0A000003 : .... : BEQ     &20243B84
20243B74 : E3A00001 : .. ã : MOV     R0,#1
20243B78 : E5A500C8 : È.¥å : STR     R0,[R5,#200]!
20243B7C : E3E00001 : ..àã : MVN     R0,#1
20243B80 : EA0000C2 : Â..ê : B       &20243E90
20243B84 : E1A04104 : .A á : MOV     R4,R4,LSL #2
20243B88 : E3540101 : ..Tã : CMP     R4,#&40000000
20243B8C : 23A00001 : .. # : MOVCS   R0,#1
20243B90 : 25A500C8 : È.¥% : STRCS   R0,[R5,#200]!
20243B94 : 23E00000 : ..à# : MVNCS   R0,#0
20243B98 : 2A0000BC : Œ..* : BCS     &20243E90
20243B9C : E3540000 : ..Tã : CMP     R4,#0
20243BA0 : 03A04004 : .@ . : MOVEQ   R4,#4
20243BA4 : E3540C02 : ..Tã : CMP     R4,#&0200          ; =512
20243BA8 : 8A000003 : ...Š : BHI     &20243BBC
20243BAC : E5953008 : .0•å : LDR     R3,[R5,#8]
20243BB0 : E3530000 : ..Sã : CMP     R3,#0
20243BB4 : 13A07001 : .p . : MOVNE   R7,#1
20243BB8 : 1A000000 : .... : BNE     &20243BC0
20243BBC : E3A07000 : .p ã : MOV     R7,#0
20243BC0 : E2841A01 : ..„â : ADD     R1,R4,#&1000       ; =4096
20243BC4 : E58D1008 : ..å : STR     R1,[R13,#8]
20243BC8 : E51F139C : œ..å : LDR     R1,&20243834
20243BCC : E1A03124 : $1 á : MOV     R3,R4,LSR #2
20243BD0 : E58D300C : .0å : STR     R3,[R13,#12]
20243BD4 : E0816006 : .`à : ADD     R6,R1,R6
20243BD8 : E354003F : ?.Tã : CMP     R4,#&3F            ; ="?"
20243BDC : 8A000012 : ...Š : BHI     &20243C2C
20243BE0 : E5953070 : p0•å : LDR     R3,[R5,#112]
20243BE4 : E3530000 : ..Sã : CMP     R3,#0
20243BE8 : 0A00000F : .... : BEQ     &20243C2C
20243BEC : E59D300C : .0å : LDR     R3,[R13,#12]
20243BF0 : E7961103 : ..–ç : LDR     R1,[R6,R3,LSL #2]
20243BF4 : E3510000 : ..Qã : CMP     R1,#0
20243BF8 : 0A000008 : .... : BEQ     &20243C20
20243BFC : E51F03CC : Ì..å : LDR     R0,&20243838
20243C00 : E5912000 : . ‘å : LDR     R2,[R1,#0]
20243C04 : E1520000 : ..Rá : CMP     R2,R0
20243C08 : 1AFFFFD9 : Ùÿÿ. : BNE     &20243B74
20243C0C : E5912008 : . ‘å : LDR     R2,[R1,#8]
20243C10 : E7862103 : .!†ç : STR     R2,[R6,R3,LSL #2]
20243C14 : E5913004 : .0‘å : LDR     R3,[R1,#4]
20243C18 : E3C32003 : . Ãã : BIC     R2,R3,#3
20243C1C : EA000024 : $..ê : B       &20243CB4
20243C20 : E2833001 : .0ĉ : ADD     R3,R3,#1
20243C24 : E3530010 : ..Sã : CMP     R3,#&10            ; =16
20243C28 : DAFFFFF0 : ðÿÿÚ : BLE     &20243BF0
20243C2C : E2083102 : .1.â : AND     R3,R8,#&80000000
20243C30 : E2081101 : ...â : AND     R1,R8,#&40000000
20243C34 : E88D000A : ..è : STMIA   R13,{R1,R3}
20243C38 : E3570000 : ..Wã : CMP     R7,#0
20243C3C : 05961000 : ..–. : LDREQ   R1,[R6,#0]
20243C40 : 15961044 : D.–. : LDRNE   R1,[R6,#68]
20243C44 : E3510000 : ..Qã : CMP     R1,#0
20243C48 : 0A00002F : /... : BEQ     &20243D0C
20243C4C : E51F341C : .4.å : LDR     R3,&20243838
20243C50 : E5912000 : . ‘å : LDR     R2,[R1,#0]
20243C54 : E1520003 : ..Rá : CMP     R2,R3
20243C58 : 1AFFFFC5 : Åÿÿ. : BNE     &20243B74
20243C5C : E5912004 : . ‘å : LDR     R2,[R1,#4]
20243C60 : E3C22003 : . Âã : BIC     R2,R2,#3
20243C64 : E1520004 : ..Rá : CMP     R2,R4
20243C68 : 3A000022 : "..: : BCC     &20243CF8
20243C6C : E0423004 : .0Bà : SUB     R3,R2,R4
20243C70 : E3530047 : G.Sã : CMP     R3,#&47            ; ="G"
20243C74 : 8A000013 : ...Š : BHI     &20243CC8
20243C78 : E5950074 : t.•å : LDR     R0,[R5,#116]
20243C7C : E1510000 : ..Qá : CMP     R1,R0
20243C80 : 03A00000 : .. . : MOVEQ   R0,#0
20243C84 : 05850074 : t.…. : STREQ   R0,[R5,#116]
20243C88 : E591000C : ..‘å : LDR     R0,[R1,#12]
20243C8C : E5913008 : .0‘å : LDR     R3,[R1,#8]
20243C90 : E3500000 : ..Pã : CMP     R0,#0
20243C94 : 15A03008 : .0 . : STRNE   R3,[R0,#8]!
20243C98 : 05863000 : .0†. : STREQ   R3,[R6,#0]
20243C9C : E5913008 : .0‘å : LDR     R3,[R1,#8]
20243CA0 : E3530000 : ..Sã : CMP     R3,#0
20243CA4 : 1591000C : ..‘. : LDRNE   R0,[R1,#12]
20243CA8 : 0591300C : .0‘. : LDREQ   R3,[R1,#12]
20243CAC : 15A3000C : ..£. : STRNE   R0,[R3,#12]!
20243CB0 : 05863044 : D0†. : STREQ   R3,[R6,#68]
20243CB4 : E3570000 : ..Wã : CMP     R7,#0
20243CB8 : 0A000066 : f... : BEQ     &20243E58
20243CBC : E284300C : .0„â : ADD     R3,R4,#&0C         ; =12
20243CC0 : E1530002 : ..Sá : CMP     R3,R2
20243CC4 : 2A000063 : c..* : BCS     &20243E58
20243CC8 : E5953014 : .0•å : LDR     R3,[R5,#20]
20243CCC : E1A00001 : .. á : MOV     R0,R1
20243CD0 : E3540C02 : ..Tã : CMP     R4,#&0200          ; =512
20243CD4 : E2433008 : .0Câ : SUB     R3,R3,#8
20243CD8 : E5853014 : .0…å : STR     R3,[R5,#20]
20243CDC : 8A000002 : ...Š : BHI     &20243CEC
20243CE0 : E5953008 : .0•å : LDR     R3,[R5,#8]
20243CE4 : E3530000 : ..Sã : CMP     R3,#0
20243CE8 : 1A00003D : =... : BNE     &20243DE4
20243CEC : E0803004 : .0ۈ : ADD     R3,R0,R4
20243CF0 : E2830008 : ..ĉ : ADD     R0,R3,#8
20243CF4 : EA00003C : <..ê : B       &20243DEC
20243CF8 : E3570000 : ..Wã : CMP     R7,#0
20243CFC : 05911008 : ..‘. : LDREQ   R1,[R1,#8]
20243D00 : 1591100C : ..‘. : LDRNE   R1,[R1,#12]
20243D04 : E3510000 : ..Qã : CMP     R1,#0
20243D08 : 1AFFFFD0 : Ðÿÿ. : BNE     &20243C50
20243D0C : E59D1004 : ..å : LDR     R1,[R13,#4]
20243D10 : E3510000 : ..Qã : CMP     R1,#0
20243D14 : 1A000010 : .... : BNE     &20243D5C
20243D18 : E59D1008 : ..å : LDR     R1,[R13,#8]
20243D1C : E5959014 : .•å : LDR     R9,[R5,#20]
20243D20 : E1510009 : ..Qá : CMP     R1,R9
20243D24 : 2A000004 : ...* : BCS     &20243D3C
20243D28 : E3A00006 : .. ã : MOV     R0,#6
20243D2C : E5951018 : ..•å : LDR     R1,[R5,#24]
20243D30 : EB004FB2 : ²O.ë : BL      &20257C00
20243D34 : E1500009 : ..Pá : CMP     R0,R9
20243D38 : 3A000002 : ...: : BCC     &20243D48
20243D3C : E59D1000 : ..å : LDR     R1,[R13,#0]
20243D40 : E3510000 : ..Qã : CMP     R1,#0
20243D44 : 0A000004 : .... : BEQ     &20243D5C
20243D48 : EBFFFE62 : bþÿë : BL      &202436D8
20243D4C : E3500000 : ..Pã : CMP     R0,#0
20243D50 : 1AFFFF87 : ‡ÿÿ. : BNE     &20243B74
20243D54 : E3888102 : .ˆã : ORR     R8,R8,#&80000000
20243D58 : EAFFFF9E : žÿÿê : B       &20243BD8
20243D5C : E24DD008 : .ÐMâ : SUB     R13,R13,#8
20243D60 : E1A0200D : .  á : MOV     R2,R13
20243D64 : E28D1004 : ..â : ADD     R1,R13,#4
20243D68 : E1A00004 : .. á : MOV     R0,R4
20243D6C : EBFFFEC1 : Áþÿë : BL      &20243878
20243D70 : E3700002 : ..pã : CMN     R0,#2
20243D74 : 0A00000A : .... : BEQ     &20243DA4
20243D78 : E3700001 : ..pã : CMN     R0,#1
20243D7C : 0A00000A : .... : BEQ     &20243DAC
20243D80 : E3500000 : ..Pã : CMP     R0,#0
20243D84 : 1A000014 : .... : BNE     &20243DDC
20243D88 : E59D0004 : ..å : LDR     R0,[R13,#4]
20243D8C : EBFFFEAA : ªþÿë : BL      &2024383C
20243D90 : E3500000 : ..Pã : CMP     R0,#0
20243D94 : 028DD008 : .Ѝ. : ADDEQ   R13,R13,#8
20243D98 : 0AFFFFA6 : Šÿÿ. : BEQ     &20243C38
20243D9C : E3A00001 : .. ã : MOV     R0,#1
20243DA0 : E5A500C8 : È.¥å : STR     R0,[R5,#200]!
20243DA4 : E3E00001 : ..àã : MVN     R0,#1
20243DA8 : EA000007 : ...ê : B       &20243DCC
20243DAC : E5951078 : x.•å : LDR     R1,[R5,#120]
20243DB0 : E3510000 : ..Qã : CMP     R1,#0
20243DB4 : 1A000006 : .... : BNE     &20243DD4
20243DB8 : E3180101 : ...ã : TST     R8,#&40000000
20243DBC : 0A000003 : .... : BEQ     &20243DD0
20243DC0 : E3A00001 : .. ã : MOV     R0,#1
20243DC4 : E5A500C8 : È.¥å : STR     R0,[R5,#200]!
20243DC8 : E3E00000 : ..àã : MVN     R0,#0
20243DCC : E91BABF0 : ð«.é : LDMDB   R11,{R4-R9,R11,R13,PC}
20243DD0 : E3888101 : .ˆã : ORR     R8,R8,#&40000000
20243DD4 : E3A00000 : .. ã : MOV     R0,#0
20243DD8 : E5850078 : x.…å : STR     R0,[R5,#120]
20243DDC : E28DD008 : .Ѝâ : ADD     R13,R13,#8
20243DE0 : EAFFFF7C : |ÿÿê : B       &20243BD8
20243DE4 : E0423004 : .0Bà : SUB     R3,R2,R4
20243DE8 : E0831001 : ..Ĉ : ADD     R1,R3,R1
20243DEC : E5814004 : .@å : STR     R4,[R1,#4]
20243DF0 : E2843008 : .0„â : ADD     R3,R4,#8
20243DF4 : E0424003 : .@Bà : SUB     R4,R2,R3
20243DF8 : E3842001 : . „ã : ORR     R2,R4,#1
20243DFC : E3570000 : ..Wã : CMP     R7,#0
20243E00 : E5802004 : . ی : STR     R2,[R0,#4]
20243E04 : 1A00000A : .... : BNE     &20243E34
20243E08 : E591200C : . ‘å : LDR     R2,[R1,#12]
20243E0C : E580200C : . ی : STR     R2,[R0,#12]
20243E10 : E5913008 : .0‘å : LDR     R3,[R1,#8]
20243E14 : E3520000 : ..Rã : CMP     R2,#0
20243E18 : E5803008 : .0ی : STR     R3,[R0,#8]
20243E1C : 15A20008 : ..¢. : STRNE   R0,[R2,#8]!
20243E20 : 05860000 : ..†. : STREQ   R0,[R6,#0]
20243E24 : E5902008 : . å : LDR     R2,[R0,#8]
20243E28 : E3520000 : ..Rã : CMP     R2,#0
20243E2C : 15A2000C : ..¢. : STRNE   R0,[R2,#12]!
20243E30 : 05860044 : D.†. : STREQ   R0,[R6,#68]
20243E34 : E51F2604 : .&.å : LDR     R2,&20243838
20243E38 : E354003F : ?.Tã : CMP     R4,#&3F            ; ="?"
20243E3C : E5802000 : . ی : STR     R2,[R0,#0]
20243E40 : 93A02001 : .  “ : MOVLS   R2,#1
20243E44 : 95852070 : p …• : STRLS   R2,[R5,#112]
20243E48 : 91A02124 : $! ‘ : MOVLS   R2,R4,LSR #2
20243E4C : 97963102 : .1–— : LDRLS   R3,[R6,R2,LSL #2]
20243E50 : 95803008 : .0ۥ : STRLS   R3,[R0,#8]
20243E54 : 97860102 : ..†— : STRLS   R0,[R6,R2,LSL #2]
20243E58 : E5912004 : . ‘å : LDR     R2,[R1,#4]
20243E5C : E51F062C : ,..å : LDR     R0,&20243838
20243E60 : E3C24003 : .@Âã : BIC     R4,R2,#3
20243E64 : E8810011 : ..è : STMIA   R1,{R0,R4}
20243E68 : E5952014 : . •å : LDR     R2,[R5,#20]
20243E6C : E2810008 : ..â : ADD     R0,R1,#8
20243E70 : E0423004 : .0Bà : SUB     R3,R2,R4
20243E74 : E5853014 : .0…å : STR     R3,[R5,#20]
20243E78 : E5B62044 : D ¶å : LDR     R2,[R6,#68]!
20243E7C : E5953074 : t0•å : LDR     R3,[R5,#116]
20243E80 : E1520003 : ..Rá : CMP     R2,R3
20243E84 : 85852074 : t …… : STRHI   R2,[R5,#116]
20243E88 : E3A02001 : .  ã : MOV     R2,#1
20243E8C : E5A520C8 : È ¥å : STR     R2,[R5,#200]!
20243E90 : E91BABF0 : ð«.é : LDMDB   R11,{R4-R9,R11,R13,PC}
20243E94 : 20258BD8 : ؋%  : Undefined instruction

The trouble is, there’s nothing obvious in that to identify what that routine is. No SWI calls, and I can’t find one routine in the sources that obviously uses most of those constants in the same sort of place.

The -540 near the start seems to be defined as SL_Lib_Offset in RISC_OSLib/s/h_stack so I can only guess this is some sort of memory management code for the stack for C functions.

I would have thought the instruction at the actual address where the abort happened should be pretty innocuous, “20243BDC BHI &20243C2C”, just a conditional branch to another line within the same routine.

The trouble is, there’s nothing obvious in that to identify what that routine is. No SWI calls, and I can’t find one routine in the sources that obviously uses most of those constants in the same sort of place.

The clues are there, they’re just hidden! Look at

20243B30 : E3A02006 : .  ã : MOV     R2,#6
20243B34 : E3A01003 : .. ã : MOV     R1,#3
20243B38 : E3A00033 : 3. ã : MOV     R0,#&33
20243B3C : EB0047B3 : ³G.ë : BL      &20255A10

Once you know that you’ll find the macro ACQUIREMUTEX which is only used in 3 places, and only _primitive_alloc() makes sense given the rest of the disassembly you gave.

Wow, OK. I did look at _primitive_alloc() because it was one of only a couple of places in RISC_OSLib with “+ 4096” but I didn’t think the logic exactly matched up. I guess it got optimised.

I think that means it crashed in malloc(). If it was actually a bug in malloc() I think we’d have bigger problems than occasional crashes in Paint. There aren’t many places that Paint itself calls malloc(). With brush selection it gets used to build a palette and hold translation tables. Of course it could also be a RISC_OSLib function that called it or the WIMP.

You also need to bear in mind that softloadable copies of modules typically won’t be binary identical to ROM versions. There are lots of ways in which the two can differ (different code generation from the compiler/assembler due to different CPU type targets, dynamic registration of files with ResourceFS, different versions of the C library stubs for ROM vs. softload, etc.)

So although the softload version places the crash site in malloc, in reality it may have been in one of the functions near malloc in the binary.

Ideally I’d need a dump of SharedCLibrary from that version of the OMAP4 ROM then. I haven’t got an OMAP. Given no-one else has reported a crash near that address, with the possible exception of nemo remembering it, I wonder if it’s a bit of a wild goose chase.

I certainly have no record of personally seeing Paint crash in SharedCLibrary. When it happened to Chris near the top of this thread, it looks like that address may have been past the end of the module and it happened when he tried to run Paint a second time after it already crashed.

Has anyone had Paint crash more recently whilst using the brush? Unless someone posts details of a new crash we might have to consider the possibility that this particular issue has gone away.

Please has anyone still got a copy of OMAP4Dev.5.21.zip from around August 2013?

Chris Gransden perhaps?

The file isn’t on archive.org. I’m hoping I can use something like ROMUnjoin to pull the image apart and extract the SharedCLibrary to find the exact location of the crash.

There’s one here from 4th August 2013.

Thank you.

*ROMUnjoin happily spat out all the modules from that OMAP4 ROM image and StrongEd found me offset &21A8 in that SharedCLibrary.

Funnily enough, it’s just a little further down in that same function, _primitive_alloc(), at a branch:

00002048 : E92DDBF0 : ðÛ-é : STMDB   R13!,{R4-R9,R11,R12,R14,PC}
0000204C : E59F3390 : 3Ÿå : LDR     R3,&000023E4
00002050 : E51A621C : .b.å : LDR     R6,[R10,#-540]
00002054 : E1A04000 : .@ á : MOV     R4,R0
00002058 : E3A00000 : .. ã : MOV     R0,#0
0000205C : E0867003 : .p†à : ADD     R7,R6,R3
00002060 : E1072090 :  .á : SWP     R2,R0,[R7]
00002064 : E24CB004 : .°Lâ : SUB     R11,R12,#4
00002068 : E24DD010 : .ÐMâ : SUB     R13,R13,#&10       ; =16
0000206C : E3A08000 : .€ ã : MOV     R8,#0
00002070 : E3520000 : ..Rã : CMP     R2,#0
00002074 : 1A000008 : .... : BNE     &0000209C
00002078 : E3A09000 : . ã : MOV     R9,#0
0000207C : E1A03007 : .0 á : MOV     R3,R7
00002080 : E3A02006 : .  ã : MOV     R2,#6
00002084 : E3A01003 : .. ã : MOV     R1,#3
00002088 : E3A00033 : 3. ã : MOV     R0,#&33            ; ="3"
0000208C : EB00473C : <G.ë : BL      &00013D84
00002090 : E1071099 : ™..á : SWP     R1,R9,[R7]
00002094 : E3510000 : ..Qã : CMP     R1,#0
00002098 : 0AFFFFF7 : ÷ÿÿ. : BEQ     &0000207C
0000209C : E51F0490 : ..å : LDR     R0,&00001C14
000020A0 : E51A121C : ...å : LDR     R1,[R10,#-540]
000020A4 : E7D63000 : .0Öç : LDRB    R3,[R6,R0]
000020A8 : E240006C : l.@â : SUB     R0,R0,#&6C         ; ="l"
000020AC : E0805001 : .Pۈ : ADD     R5,R0,R1
000020B0 : E3530000 : ..Sã : CMP     R3,#0
000020B4 : 0A000006 : .... : BEQ     &000020D4
000020B8 : EBFFFFC8 : Èÿÿë : BL      &00001FE0
000020BC : E3500000 : ..Pã : CMP     R0,#0
000020C0 : 0A000003 : .... : BEQ     &000020D4
000020C4 : E3A00001 : .. ã : MOV     R0,#1
000020C8 : E5A500C8 : È.¥å : STR     R0,[R5,#200]!
000020CC : E3E00001 : ..àã : MVN     R0,#1
000020D0 : EA0000C2 : Â..ê : B       &000023E0
000020D4 : E1A04104 : .A á : MOV     R4,R4,LSL #2
000020D8 : E3540101 : ..Tã : CMP     R4,#&40000000
000020DC : 23A00001 : .. # : MOVCS   R0,#1
000020E0 : 25A500C8 : È.¥% : STRCS   R0,[R5,#200]!
000020E4 : 23E00000 : ..à# : MVNCS   R0,#0
000020E8 : 2A0000BC : Œ..* : BCS     &000023E0
000020EC : E3540000 : ..Tã : CMP     R4,#0
000020F0 : 03A04004 : .@ . : MOVEQ   R4,#4
000020F4 : E3540C02 : ..Tã : CMP     R4,#&0200          ; =512
000020F8 : 8A000003 : ...Š : BHI     &0000210C
000020FC : E5953008 : .0•å : LDR     R3,[R5,#8]
00002100 : E3530000 : ..Sã : CMP     R3,#0
00002104 : 13A07001 : .p . : MOVNE   R7,#1
00002108 : 1A000000 : .... : BNE     &00002110
0000210C : E3A07000 : .p ã : MOV     R7,#0
00002110 : E2841A01 : ..„â : ADD     R1,R4,#&1000       ; =4096
00002114 : E58D1008 : ..å : STR     R1,[R13,#8]
00002118 : E51F139C : œ..å : LDR     R1,&00001D84
0000211C : E1A03124 : $1 á : MOV     R3,R4,LSR #2
00002120 : E58D300C : .0å : STR     R3,[R13,#12]
00002124 : E0816006 : .`à : ADD     R6,R1,R6
00002128 : E354003F : ?.Tã : CMP     R4,#&3F            ; ="?"
0000212C : 8A000012 : ...Š : BHI     &0000217C
00002130 : E5953070 : p0•å : LDR     R3,[R5,#112]
00002134 : E3530000 : ..Sã : CMP     R3,#0
00002138 : 0A00000F : .... : BEQ     &0000217C
0000213C : E59D300C : .0å : LDR     R3,[R13,#12]
00002140 : E7961103 : ..–ç : LDR     R1,[R6,R3,LSL #2]
00002144 : E3510000 : ..Qã : CMP     R1,#0
00002148 : 0A000008 : .... : BEQ     &00002170
0000214C : E51F03CC : Ì..å : LDR     R0,&00001D88
00002150 : E5912000 : . ‘å : LDR     R2,[R1,#0]
00002154 : E1520000 : ..Rá : CMP     R2,R0
00002158 : 1AFFFFD9 : Ùÿÿ. : BNE     &000020C4
0000215C : E5912008 : . ‘å : LDR     R2,[R1,#8]
00002160 : E7862103 : .!†ç : STR     R2,[R6,R3,LSL #2]
00002164 : E5913004 : .0‘å : LDR     R3,[R1,#4]
00002168 : E3C32003 : . Ãã : BIC     R2,R3,#3
0000216C : EA000024 : $..ê : B       &00002204
00002170 : E2833001 : .0ĉ : ADD     R3,R3,#1
00002174 : E3530010 : ..Sã : CMP     R3,#&10            ; =16
00002178 : DAFFFFF0 : ðÿÿÚ : BLE     &00002140
0000217C : E2083102 : .1.â : AND     R3,R8,#&80000000
00002180 : E2081101 : ...â : AND     R1,R8,#&40000000
00002184 : E88D000A : ..è : STMIA   R13,{R1,R3}
00002188 : E3570000 : ..Wã : CMP     R7,#0
0000218C : 05961000 : ..–. : LDREQ   R1,[R6,#0]
00002190 : 15961044 : D.–. : LDRNE   R1,[R6,#68]
00002194 : E3510000 : ..Qã : CMP     R1,#0
00002198 : 0A00002F : /... : BEQ     &0000225C
0000219C : E51F341C : .4.å : LDR     R3,&00001D88
000021A0 : E5912000 : . ‘å : LDR     R2,[R1,#0]
000021A4 : E1520003 : ..Rá : CMP     R2,R3
000021A8 : 1AFFFFC5 : Åÿÿ. : BNE     &000020C4
000021AC : E5912004 : . ‘å : LDR     R2,[R1,#4]
000021B0 : E3C22003 : . Âã : BIC     R2,R2,#3
000021B4 : E1520004 : ..Rá : CMP     R2,R4
000021B8 : 3A000022 : "..: : BCC     &00002248
000021BC : E0423004 : .0Bà : SUB     R3,R2,R4
000021C0 : E3530047 : G.Sã : CMP     R3,#&47            ; ="G"
000021C4 : 8A000013 : ...Š : BHI     &00002218
000021C8 : E5950074 : t.•å : LDR     R0,[R5,#116]
000021CC : E1510000 : ..Qá : CMP     R1,R0
000021D0 : 03A00000 : .. . : MOVEQ   R0,#0
000021D4 : 05850074 : t.…. : STREQ   R0,[R5,#116]
000021D8 : E591000C : ..‘å : LDR     R0,[R1,#12]
000021DC : E5913008 : .0‘å : LDR     R3,[R1,#8]
000021E0 : E3500000 : ..Pã : CMP     R0,#0
000021E4 : 15A03008 : .0 . : STRNE   R3,[R0,#8]!
000021E8 : 05863000 : .0†. : STREQ   R3,[R6,#0]
000021EC : E5913008 : .0‘å : LDR     R3,[R1,#8]
000021F0 : E3530000 : ..Sã : CMP     R3,#0
000021F4 : 1591000C : ..‘. : LDRNE   R0,[R1,#12]
000021F8 : 0591300C : .0‘. : LDREQ   R3,[R1,#12]
000021FC : 15A3000C : ..£. : STRNE   R0,[R3,#12]!
00002200 : 05863044 : D0†. : STREQ   R3,[R6,#68]
00002204 : E3570000 : ..Wã : CMP     R7,#0
00002208 : 0A000066 : f... : BEQ     &000023A8
0000220C : E284300C : .0„â : ADD     R3,R4,#&0C         ; =12
00002210 : E1530002 : ..Sá : CMP     R3,R2
00002214 : 2A000063 : c..* : BCS     &000023A8
00002218 : E5953014 : .0•å : LDR     R3,[R5,#20]
0000221C : E1A00001 : .. á : MOV     R0,R1
00002220 : E3540C02 : ..Tã : CMP     R4,#&0200          ; =512
00002224 : E2433008 : .0Câ : SUB     R3,R3,#8
00002228 : E5853014 : .0…å : STR     R3,[R5,#20]
0000222C : 8A000002 : ...Š : BHI     &0000223C
00002230 : E5953008 : .0•å : LDR     R3,[R5,#8]
00002234 : E3530000 : ..Sã : CMP     R3,#0
00002238 : 1A00003D : =... : BNE     &00002334
0000223C : E0803004 : .0ۈ : ADD     R3,R0,R4
00002240 : E2830008 : ..ĉ : ADD     R0,R3,#8
00002244 : EA00003C : <..ê : B       &0000233C
00002248 : E3570000 : ..Wã : CMP     R7,#0
0000224C : 05911008 : ..‘. : LDREQ   R1,[R1,#8]
00002250 : 1591100C : ..‘. : LDRNE   R1,[R1,#12]
00002254 : E3510000 : ..Qã : CMP     R1,#0
00002258 : 1AFFFFD0 : Ðÿÿ. : BNE     &000021A0

I’m not really sure what to make of this.

I’m not really sure what to make of this.

First, it’s probably the LDR two instructions earlier that is choking – perhaps knowing the values of the registers may help?

Secondly, it helps to not look for exact code matches, but to look for “something similar”. I started with the AND #&80000000 followed by an AND &#40000000. Don’t pay any mind to the actual registers, they may differ depending upon the whims of the compiler.

I found it looking in the prebuilt library that is linked into my ROM. So working backwards, I examined all the object files and found it again in “o.alloc”. The registers differed, but the code “pattern” was the same.
Like you, working backwards I found it in “_primitive_alloc()”.

Since I don’t have a damned clue how to mess around with the shared MakeFiles to get the compiler to spit assembly (parameter -S), I yanked it out, fired up CC, and built it manually.

By inserting a dummy printf() statement, and tracing it’s location in the output (isn’t debugging on RISC OS great?) I came up with this:

This is where the problem is:

        CMP      v1,#0
        BEQ      |L0006a8.J33._primitive_alloc|
        LDR      a3,[pc, #L0001e0-.-8]
|L0005dc.J32._primitive_alloc|
        LDR      a2,[v1]
        CMP      a2,a3
        BNE      |L0006f0.J64._primitive_alloc|

Which corresponds to this bit of source:

    while (block != NULL) {
      if (INVALID(block)) RELEASEANDRETURN(CORRUPT)
      actualSize = SIZE(block);

The CMP with zero is checking if the block is NULL.
If it is, we jump elsewhere.
The next part appears to be the part, specifically: if (INVALID(block)) which is defined in the header file as follows:

#ifdef BLOCKS_GUARDED
#define INVALID(block) (((BlockP)block)->guard != GUARDCONSTANT)
#else
#define INVALID(block) (0)
#endif

What we can see here is we’re loading something from a fixed location. My money is on GUARDCONSTANT. If I follow that, does it equal &3E694C3C? Yes. So now we know we’re using the guarded blocks version.

The next line, then, will be indirecting to try to find that guard word. We already loaded block for the non-NULL test, so that LDR will be going to find the ->guard part.
It’s there that it is failing.

As I’m working my way through this, I’m wondering if there might be a case of something corrupting one of your memory claims? Or possibly using a bogus (but non-NULL) reference?

Do you have any backtrace, to know where in Paint it is failing? (more specifically than “the brush tool”)? Do you have the value of any registers at the point of failure?

If it helps, I created a simple backtrace handler that dumps its output to file or screen (depending if file handle given). It’s a modified, tidied, and fixed ☺ version of the one in a later incarnation of DeskLib.
The code is here: http://heyrick.ddns.net/desklib/source/BackTrace/c/ricksimple