Respawn freeze with an ASM code?

Started by Bully@Wiiplaza, August 15, 2011, 12:29:45 PM


Bully@Wiiplaza

Hi,
I tried to make a "Freefly" code for Twilight Princess.

Here's the assembly (hope it's self-explanatory)

Address: 80F3BAA4
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
The code works for one axis so far, but if I fall down from the map, it crashes the game.
The crash breakpoint breaks on the exact same address and shows the original instruction, even though my code was writing a branch to it...
r31 (source register) never changes on XBP when I don't change rooms or fall down.

  CR:88000088  XER:20000000  CTR:8001F5D4 DSIS:00000000
DAR:00000000 SRR0:7F0C6E24 SRR1:10009032   LR:80F3B6C8
 r0:00002C2C   r1:805371C8   r2:8052A180   r3:8043B408
 r4:811D3404   r5:000000A2   r6:000000AB   r7:000000A3
 r8:804A136C   r9:00000002  r10:0011C26C  r11:805371F8
r12:8001F5D4  r13:80525EA0  r14:00002000  r15:80000000
r16:41A00000  r17:80431940  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:803E17C0
r24:803E17D4  r25:80433958  r26:803E1930  r27:810D838C
r28:810D7D40  r29:80440000  r30:811D33E0  r31:804A136C

 f0:3F800000   f1:3F3CF126   f2:3F3962ED   f3:3C638E39
 f4:3F303E43   f5:00000000   f6:00000000   f7:00000000
 f8:00000000   f9:00000000  f10:00000000  f11:00000000
f12:00000000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:3F800000  f29:BF800000  f30:59800004  f31:00000000

80F3BAA4: C01F04D0 lfs f0, 1232 (r31)

But r31 is legit. Why does it crash, although I implemented a stack frame?
Btw, I used gecko.net 0.66.7.
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

Deathwolf

#1
Your original instruction is the stack frame? You are not using any branch instruction?

stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
b _NOTZLEFT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
-----------   # what about your original instruction?


Try to compare 2 things without any branch instruction... That won't work.

cmpwi r18,0x0040
bne- END1
li r0,63
stw r0, 0 (r3)

END1:
cmpwi r18,0x0080
bne- END
li r0,63
stw r0, 0 (r3)

END:
stw r5,0 (r3)

Now you can only compare one thing and not two. That's because of the branch instruction.
lolz

Bully@Wiiplaza

#2
Quote from: Deathwolf on August 15, 2011, 12:42:05 PM
Your original instruction is the stack frame? You are not using any branch instruction?

stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
b _NOTZLEFT not needed...
fsubs f0, f0, f22
stfs f0, 1232 (r31)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
-----------   # what about your original instruction?
the code works with *both* compares.

Deathwolf

#3
WTF is that? Could you explain to me why you are not branching to the original instruction?

stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)         # this is not needed here since you can't edit fx "registers"
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
b _NOTZLEFT

_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
lfs f0,1232(r31)   

Bully@Wiiplaza

why?
Because I want to load the value into f0 and THEN do something with it (add/sub float registers)

Deathwolf

#5
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002     # Yeah this is right, compare with 2002 and then sub from f0.
bne- _NOTZRIGHT
fsubs f0, f0, f22
stfs f0, 1232 (r31)

b _NOTZLEFT # if not pressed, DO NOTHING. (original instruction)

_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)

_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
lfs f0,1232(r31) # original instruction

Bully@Wiiplaza

#6
That would disable the second activator if the first is not pressed...

I rewrote it, but didn't test yet (including all 3 coordinates with increase/decrease).
Code for Legend of Zelda TP PAL.

Addy: 80F3BAA4

stwu r1,-16(r1)
stw r11,8(r1)

lis r15, 0x8000 # load upper 16 bits of the RAM address
lis r16, 0x41A0 # load value 0x41A00000 into r16
lis r17, 0x4300 # load value 0x43000000 into r17
stw r16, 0x1600 (r15) # store r16 to RAM (80001600)
stw r17, 0x1604 (r15) # store r17 to RAM (80001604)

lfs f20, 1232 (r31) # load X coordinate into f20
lfs f21, 1236 (r31) # load Y coordinate into f21
lfs f22, 1240 (r31) # load Z coordinate into f22
lfs f23, 0x1600 (r15) # load value from address 80001600 into f23
lfs f24, 0x1604 (r15) # load value from address 80001604 into f24

lis r14, 0x8043 # load upper 16 bits of the button activator address
lhz r14, 0x3AF6 (r14) # load value from address 80433AF6 into r14


cmpwi r14, 0x2002 # check whether Z and D-PAD RIGHT are pressed
bne- _NOZRIGHT # if not...
fsubs f20, f20, f23 # subtract f23 from f20 and store back to f20
stfs f20, 1232 (r31) # update X coordinate
_NOZRIGHT: # skip operation

cmpwi r14, 0x2001 # check whether Z and D-PAD LEFT are pressed
bne- _NOZLEFT # if not...
fadds f20, f20, f23 # add f23 to f20 and store back to f20
stfs f20, 1232 (r31) # update X coordinate
_NOZLEFT: # skip operation


cmpwi r14, 0x2008 # activator 0x2008: decrease Y
bne- _NOZUP
fsubs f21, f21, f24
stfs f21, 1236 (r31) # update Y coordinate
_NOZUP:

cmpwi r14, 0x2004 # activator 0x2004: increase Y
bne- _NOZDOWN
fadds f21, f21, f24
stfs f21, 1236 (r31) # update Y coordinate
_NOZDOWN:


cmpwi r14, 0x108 # activator 0x108: decrease Z
bne- _NO2UP
fsubs f22, f22, f23
stfs f22, 1240 (r31) # update Z coordinate
_NO2UP:

cmpwi r14, 0x104 # activator 0x104: increase Z
bne- _NO2DOWN
fadds f22, f22, f23
stfs f22, 1240 (r31) # update Z coordinate
_NO2DOWN:

lwz r11,8(r1)
addi r1,r1,16

lfs f0,1232(r31) # original instruction

Deathwolf

#7
stwu r1,-16(r1)
stw r11,8(r1)

lis r15, 0x8000
lis r16, 0x4100
lis r17, 0x4300
stw r16, 0x1600 (r15)
stw r17, 0x1604 (r15)

lfs f20, 1232 (r31)
lfs f21, 1236 (r31)
lfs f22, 1240 (r31)
lfs f23, 0x1600 (r15)
lfs f24, 0x1604 (r15)

lis r14, 0x8043
lhz r14, 0x3AF6 (r14)


cmpwi r14, 0x2002
bne- _NOZRIGHT
fsubs f20, f20, f23
stfs f20, 1232 (r31)
b ORIGINAL

_NOZRIGHT:
cmpwi r14, 0x2001
bne- _NOZLEFT
fadds f20, f20, f23
stfs f20, 1232 (r31)
b ORIGINAL

_NOZLEFT:
cmpwi r14, 0x2008
bne- _NOZUP
fsubs f21, f21, f24
stfs f21, 1236 (r31)
b ORIGINAL

_NOZUP:
cmpwi r14, 0x2004
bne- _NOZDOWN
fadds f21, f21, f24
stfs f21, 1236 (r31)
b ORIGINAL

_NOZDOWN:
cmpwi r14, 0x108
bne- _NO2UP
fsubs f22, f22, f23
stfs f22, 1240 (r31)
b ORIGINAL

_NO2UP:
cmpwi r14, 0x104
bne- ORIGINAL
fadds f22, f22, f23
stfs f22, 1240 (r31)

ORIGINAL:
lwz r11,8(r1)
addi r1,r1,16

lfs f0,1232(r31)

assembled:

C2000000 00000018
9421FFF0 91610008
3DE08000 3E004100
3E204300 920F1600
922F1604 C29F04D0
C2BF04D4 C2DF04D8
C2EF1600 C30F1604
3DC08043 A1CE3AF6
2C0E2002 40820010
EE94B828 D29F04D0
48000064 2C0E2001
40820010 EE94B82A
D29F04D0 48000050
2C0E2008 40820010
EEB5C028 D2BF04D4
4800003C 2C0E2004
40820010 EEB5C02A
D2BF04D4 48000028
2C0E0108 40820010
EED6B828 D2DF04D8
48000014 2C0E0104
4082000C EED6B82A
D2DF04D8 81610008
38210010 C01F04D0
60000000 00000000

Deathwolf

A PM from dcx2:

Quote from: dcx2 on July 26, 2010, 11:29:02 PM
You're a lot closer.

But it made me realize I made a mistake. andi. should use beq-, but cmpwi should use bne-.


lis r12,0x8075
ori r12,r12,0x6102
lhz   r12,0(r12)
cmpwi r12,0x0200
bne- TEST_SECOND_ACTIVATOR
li r12,0x777
stw r12,48(r31)
b THE_END

TEST_SECOND_ACTIVATOR:
cmpwi r12,0x0100

bne- THE_END
li r12,0x888
stw r12,48(r31)

THE_END:

lwz   r3,48(r31)

Bully@Wiiplaza

#9
code works, still freezes on respawn... :(

---

lis r12,0x8075
ori r12,r12,0x6102
lhz   r12, 0x6102 (r12)
cmpwi r12,0x0200
bne- TEST_SECOND_ACTIVATOR
li r12,0x777
stw r12,48(r31)
b THE_END

TEST_SECOND_ACTIVATOR:
cmpwi r12,0x0100

bne- THE_END
li r12,0x888
stw r12,48(r31)

THE_END:

lwz   r3,48(r31)

Works, too.
I tested it out.
Don't tell me something else :p

Deathwolf

I see. IDK why you need the b instruction xD I think I'm just spreading wrong information lol

Bully@Wiiplaza

#11
Back to my problem.
Latest code build I posted works.
If I go out of bounds (accidentally), it freezes and black screens before respawning.
During that time, coordinates move in memory.
I'm still curious why it freezes... is there anything that fails in the code?
Remember that the crash breakpoint showed the same address with a legit source register.
I only used free float and normal registers (using the stack frame).
Either the breakpoint triggered wrong or something odd happened. :-\
Shouldn't it crash, if the source register is legit?

The ASM code follows the new position and writes there next time, that's not an issue at all...

dcx2

#12
Quote from: Bully@Wiiplaza on August 15, 2011, 12:29:45 PM
  CR:88000088  XER:20000000  CTR:8001F5D4 DSIS:00000000
DAR:00000000 SRR0:7F0C6E24 SRR1:10009032   LR:80F3B6C8
 r0:00002C2C   r1:805371C8   r2:8052A180   r3:8043B408
 r4:811D3404   r5:000000A2   r6:000000AB   r7:000000A3
 r8:804A136C   r9:00000002  r10:0011C26C  r11:805371F8
r12:8001F5D4  r13:80525EA0  r14:00002000  r15:80000000
r16:41A00000  r17:80431940  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:803E17C0
r24:803E17D4  r25:80433958  r26:803E1930  r27:810D838C
r28:810D7D40  r29:80440000  r30:811D33E0  r31:804A136C

 f0:3F800000   f1:3F3CF126   f2:3F3962ED   f3:3C638E39
 f4:3F303E43   f5:00000000   f6:00000000   f7:00000000
 f8:00000000   f9:00000000  f10:00000000  f11:00000000
f12:00000000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:3F800000  f29:BF800000  f30:59800004  f31:00000000
But r31 is legit. Why does it crash, although I implemented a stack frame?

You're lucky you used 0.66.7. The other builds would have crashed hard without generating a breakpoint. This is because you have an ISI Exception EDIT: and 0.66.7 is the first build to automatically install ISI and Program exception handlers for the code handler. Look at SRR0 - the instruction that the PPC wanted to fetch is at address 7F0C6E24.

Bully@Wiiplaza

Ah, that's lucky. Otherwise we wouldn't know what was going on there.
Well, but I'm still wondering why that invalid SRR0 address thing happens.
I just hooked one address as usual and it worked quite fine... ???
Did I make a coding mistake or something like that?

dcx2

Usually it means you branched off into nowhere. That's probably not directly your fault; the game probably wasn't able to deal with what you were doing.

There are only three ways to branch: relative, ctr, and lr.

ctr = 8001F5D4, so that's not it. lr = 80F3B6C8, so that's not it either. 80000000 - 7F0C6E24 = 00F391DC; conditional branches use 16-bit displacement operands and this is 24, so it must have been an unconditional branch. This means you're looking for a "b 0x7F0C6E24" instruction somewhere.

The lr is probably as close as you can get to the offending instruction. ISI exceptions show you where the CPU *wanted* to fetch from, but not where it is *right now* (which is why you were confused by the disassembly). I would go to the LR and look around there. Maybe you'll get lucky and see the offending branch a bit after the lr's address. Maybe you'll have to double-click the bl just before the lr's address. You could also try looking for the most recent LR save word on the stack, but that's pretty complicated.
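As an added example (not code from the thread, from Gecko.NET or from any of the posters), the following Python decoder does two things that come up in this thread: it applies dcx2's elimination argument above (SRR0 equals CTR? equals LR? otherwise, does the distance fit a 16-bit `bc` displacement or only a 26-bit `b` one?) to the SRR0/LR/CTR values from the register dump, and it resolves every relative branch in the assembled C2 code Deathwolf posted in #7 so the label targets (the `b ORIGINAL` jumps and each `bne-`) can be checked without reassembling. The branch field layouts are the PowerPC ISA's; the hook address in the listing is Deathwolf's `000000` placeholder, and the `0x80000000` "near" address used for the reachability check is dcx2's rough reference point, not a measured instruction address.

```python
"""Decode PowerPC branch words and resolve the branches in a Gecko C2 code.

Added example, not code from the thread or from Gecko.NET. Field layouts are the
PowerPC ISA's: I-form `b` has a 26-bit displacement (LI<<2), B-form `bc` a 16-bit
one (BD<<2). Targets held in LR/CTR are not decoded; dcx2 rules those out by value.
"""

# The assembled listing Deathwolf posted in #7. Its first word keeps his
# "000000" placeholder for the hook address; 0x18 = 24 code lines follow.
ASSEMBLED_C2 = """
C2000000 00000018
9421FFF0 91610008
3DE08000 3E004100
3E204300 920F1600
922F1604 C29F04D0
C2BF04D4 C2DF04D8
C2EF1600 C30F1604
3DC08043 A1CE3AF6
2C0E2002 40820010
EE94B828 D29F04D0
48000064 2C0E2001
40820010 EE94B82A
D29F04D0 48000050
2C0E2008 40820010
EEB5C028 D2BF04D4
4800003C 2C0E2004
40820010 EEB5C02A
D2BF04D4 48000028
2C0E0108 40820010
EED6B828 D2DF04D8
48000014 2C0E0104
4082000C EED6B82A
D2DF04D8 81610008
38210010 C01F04D0
60000000 00000000
"""

# Simplified mnemonics for the BO/BI pairs that a cmpwi on cr0 is paired with.
COND_NAMES = {(12, 0): "blt", (12, 1): "bgt", (12, 2): "beq", (12, 3): "bso",
              (4, 0): "bge", (4, 1): "ble", (4, 2): "bne", (4, 3): "bns"}

def sign_extend(value, bits):
    """Read the low `bits` bits of value as a two's-complement integer."""
    sign = 1 << (bits - 1)
    return ((value & ((1 << bits) - 1)) ^ sign) - sign

def decode_branch(word, addr=0):
    """(mnemonic, displacement, target) for a relative branch at addr, else None."""
    opcode = word >> 26
    aa, lk = (word >> 1) & 1, word & 1
    suffix = ("l" if lk else "") + ("a" if aa else "")
    if opcode == 18:                               # I-form: b, bl, ba, bla
        disp = sign_extend(word & 0x03FFFFFC, 26)
        mnem = "b" + suffix
    elif opcode == 16:                             # B-form: bc, bne-, beq+ ...
        bo = (word >> 21) & 0x1E                   # drop the y prediction-hint bit
        bi = (word >> 16) & 0x1F
        disp = sign_extend(word & 0xFFFC, 16)
        mnem = COND_NAMES.get((bo, bi), "bc") + suffix
    else:
        return None
    return (mnem, disp, disp if aa else addr + disp)

def reachable_forms(from_addr, target):
    """Branch forms able to encode a relative jump from from_addr to target."""
    disp = target - from_addr
    forms = []
    if disp % 4 == 0 and -0x8000 <= disp < 0x8000:         # BD field: +/-32 KiB
        forms.append("bc")
    if disp % 4 == 0 and -0x2000000 <= disp < 0x2000000:   # LI field: +/-32 MiB
        forms.append("b")
    return forms

def likely_branch_kind(srr0, lr, ctr, near=0x80000000):
    """dcx2's elimination: CTR? LR? else which relative form reaches SRR0 from near."""
    if srr0 == ctr:
        return ["bctr"]
    if srr0 == lr:
        return ["blr"]
    return reachable_forms(near, srr0)

def parse_c2(listing):
    """Split a Gecko C2 code into (hook address, instruction words)."""
    words = [int(w, 16) for w in listing.split()]
    head, count = words[0], words[1]
    if head >> 24 != 0xC2:
        raise ValueError("not a C2 (insert ASM) code")
    hook = 0x80000000 | (head & 0x01FFFFFF)        # low 25 bits carry the address
    return hook, words[2:2 + 2 * count]

def resolve_branches(body):
    """Map every relative branch in the body to the index of its target word."""
    hits = []
    for i, word in enumerate(body):
        d = decode_branch(word, addr=4 * i)        # word i sits at offset 4*i
        if d:
            hits.append((i, d[0], d[2] // 4))
    return hits
```

Calling `resolve_branches(parse_c2(ASSEMBLED_C2)[1])` lists every branch as `(word index, mnemonic, target index)`: the five `48000064`/`48000050`/... words are all `b` to word 43 (`81610008`, the `lwz r11,8(r1)` at `ORIGINAL:`), and each `40820010` is a `bne` to the next `cmpwi`, which matches the labels in the source listing. `likely_branch_kind(0x7F0C6E24, 0x80F3B6C8, 0x8001F5D4)` returns only `["b"]`, which is dcx2's conclusion: the 0x00F391DC distance overflows the 16-bit field of a conditional branch but fits the 26-bit field of an unconditional one.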