Ticket #505 (Fixed)Tue Feb 23 11:08:59 UTC 2021

Titanium *ChannelVoice 8 1 overwrites RMA Heap

Details by Martin Avison (27):

It appears that on the Titanium only, using
*ChannelVoice 8 1
or
SYS “Sound_AttachVoice”,8,1
causes a block of RMA to have it’s length overwritten, causing a variety of machine problems, often machine lockups of tasks aborting (including Filer & Wimp).

This only seems to affect the Titanium, and channel 8, but for all voices.

The bug was first seen in a number of Meastro versions – see thread https://www.riscosopen.org/forum/forums/4/topic… for full details.

After failing to see from the SoundChannel source what the problem was (I think it disappears into DMAstuff, so I gave up) I did some (laborious) comparisons of memory blocks. My conclusion is that it is a typical out-by-one bug. The memory block just before the overwrite is 2,144 long. As channels 1-7 get allocated, the last 7 words of that block are populated, probably with an RMA address. When channel 8 gets allocated, the first word of the next block (which was a length of x20) is overwritten with the 8th address. This is the error trapped by *ReportHeap, and it causes anything else that traverses the RMA heap to fail.

I will try to attach evidence of these findings.