Version: trunk/main
Host OS Type: Windows
Host OS name + version: Windows 10 19045.6456
Host Architecture: x86
Guest OS Type: other
Guest Architecture: x86
Guest OS name + version: Custom OS SnOS 1.1
Component: Other
What happened?
Calling VBE 2.0 PMI SetDisplayStartOffset will crash on any OS.
The function saves 5 registers but only restores 2. That's 12 bytes of stack imbalance. retn returns to the completely wrong address.
debuglog.txt
All the VGA CRTC register I/O (ports 0x1CE/0x1CF) executes properly. The display start address is set. Then it reaches the epilogue. The function only restores 2 out of 5 saved registers.
0x106: pop edi ESP d0070308 => d007030c
0x107: pop esi ESP d007030c => d0070310
??? where is pop edx/pop ecx/pop eax?
At 0x108 the bytes are 00 59 58, which disassembles as:
0x108: 00 59 58 add byte [ecx+58h], bl
At 0x10F:
The retn reads a saved register value as the return address.
The actual return address (0x11A) is still sitting at (in my specific test case) d007031c, 12 bytes deeper. The retn jumped to offset 0: the start of the ROM image.
How can we reproduce this?
Calling VBE 2.0 PMI SetDisplayStartOffset with the following registers:
eax=00004f07 ebx=d0000000 ecx=00006400 edx=00000000 esi=00000000 edi=d000363c (in my case). Most importantly, BL = 0; the other registers don't really matter for reproducing this.
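The disassembly and the stack arithmetic in this report can be checked with the following small model. It is an added example, not code from the report or from the emulator's ROM, and it assumes the five registers were pushed in the order eax, ecx, edx, esi, edi (the report only shows the two pops); the byte sequences, register values, ESP trace and return address are the ones quoted above.

```python
# Added example (not from the bug report or the emulator's ROM). Push order
# eax, ecx, edx, esi, edi is an ASSUMPTION; the report only shows the two pops.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def decode(code, base=0):
    """Decode push/pop r32 (50h-5Fh), retn (C3h) and 00h (add r/m8, r8) with [reg32+disp8]."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0x50 <= op <= 0x57:
            out.append((base + i, f"push {REG32[op - 0x50]}")); i += 1
        elif 0x58 <= op <= 0x5F:
            out.append((base + i, f"pop {REG32[op - 0x58]}")); i += 1
        elif op == 0xC3:
            out.append((base + i, "retn")); i += 1
        elif op == 0x00:
            # 00h needs a ModRM byte, so the following 59h 58h (which on their
            # own would be pop ecx / pop eax) are consumed as ModRM + disp8.
            modrm = code[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 1 or rm == 4:  # only [reg32+disp8], no SIB
                raise ValueError(f"unsupported ModRM {modrm:02x}")
            out.append((base + i, f"add byte [{REG32[rm]}+{code[i + 2]:x}h], {REG8[reg]}"))
            i += 3
        else:
            raise ValueError(f"unsupported opcode {op:02x}")
    return out


def run_epilogue(regs, pushed, popped, entry_esp, ret_addr):
    """Replay the pushes/pops on a model stack (32-bit, grows down). Returns
    (esp when retn runs, value retn pops, bytes left unbalanced)."""
    stack, esp = {entry_esp: ret_addr}, entry_esp  # CALL left ret addr at [esp]
    for r in pushed:
        esp -= 4
        stack[esp] = regs[r]
    for r in popped:
        regs[r] = stack[esp]
        esp += 4
    return esp, stack[esp], entry_esp - esp


# Values from the report: registers at the call, ESP from the pop edi/pop esi
# trace (d0070308 -> d007030c -> d0070310), return address 11Ah at d007031c.
REPORT_REGS = dict(eax=0x4F07, ebx=0xD0000000, ecx=0x6400, edx=0, esi=0, edi=0xD000363C)


def report_case():
    # -> (0xd0070310, 0, 12): retn pops the saved edx (0), 12 bytes above 11Ah
    return run_epilogue(dict(REPORT_REGS), ["eax", "ecx", "edx", "esi", "edi"],
                        ["edi", "esi"], 0xD007031C, 0x11A)
```

With the assumed push order the slot retn reads holds the saved edx, which is 0 in the reported register set, matching the jump to offset 0.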
Did you upload all of your necessary log files, screenshots, etc.?