MEGA65: MAP opcode behaviour change #427

lgblgblgb · lgblgblgb · commit 40f279274d3d · 2025-02-21T00:05:41.000+01:00
As it turned out mega65-core modified the exact behaviour of the MAP opcode in hypervisor mode back in 2022 with this commit: MEGA65/mega65-core@34a930b See mega65-core issue: MEGA65/mega65-core#635 Though Xemu still used the old behaviour which can be problematic. So this is the intended fix to handle the problem. Thanks @gurcei to discover / report this anomaly.
diff --git a/targets/mega65/hypervisor.c b/targets/mega65/hypervisor.c
@@ -164,12 +164,18 @@ void hypervisor_enter ( int trapno )
 	//D6XX_registers[0x53] = 0;				// GS $D653 - Hypervisor DMAgic source MB      - *UNUSED*
 	//D6XX_registers[0x54] = 0;				// GS $D654 - Hypervisor DMAgic destination MB - *UNUSED*
 	dma_get_list_addr_as_bytes(D6XX_registers + 0x55);	// GS $D655-$D658 - Hypervisor DMAGic list address bits 27-0
+	if (map_megabyte_low == 0xFF00000) {	// !! map_megabyte_low uses << 20 ...
+		// According to the VHDL: Make sure that a naughty person can't trick the hypervisor into modifying
+		// itself, by having the Hypervisor address space mapped in the bottom 32KB of address space.
+		map_megabyte_low = 0;
+		DEBUGPRINT("HYPERVISOR: warning, low-MB would be mapped to $FF, countermeasure initiaited" NL);
+	}
 	// Now entering into hypervisor mode: we use memory_reconfigure() to set all the stuff needed + setting up "in_hypervisor" value as well
 	memory_reconfigure(
 		0,					// D030 ROM banking turning off
 		VIC4_IOMODE,				// VIC4 I/O mode to be used (on MEGA65, in hypervisor mode it's always the case! the handler in vic4.c ensures, we cannot even modify this)
 		0x3F, 0x35,				// set CPU I/O port DDR+DATA: all-RAM + I/O config
-		map_megabyte_low, map_offset_low,	// low mapping is left as-is
+		map_megabyte_low, map_offset_low,	// low mapping is left as-is (however for map_megabyte_low, see the "if" above)
 		0xFFU << 20, 0xF0000U,			// high mapping though is being modified
 		(map_mask & 0xFU) | 0x30U,		// mapping: 0011XXXX (it seems low region map mask is not changed by hypervisor entry)
 		true					// this will sets in_hypervisor to TRUE!!!!
diff --git a/targets/mega65/memory_mapper.c b/targets/mega65/memory_mapper.c
@@ -1,6 +1,6 @@
 /* A work-in-progess MEGA65 (Commodore 65 clone origins) emulator
    Part of the Xemu project, please visit: https://github.com/lgblgblgb/xemu
-   Copyright (C)2017-2024 LGB (Gábor Lénárt) <lgblgblgb@gmail.com>
+   Copyright (C)2017-2025 LGB (Gábor Lénárt) <lgblgblgb@gmail.com>
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -343,7 +343,7 @@ static const struct mem_map_st *mem_map_hints[MEM_HINT_SLOTS];
 // * Every areas (other than the first) must start on address which is the previous one's last one PLUS 1
 // * The first entry must start at address 0
 // * The last entry must be $10000000 - $FFFFFFFF with type MEM_SLOT_TYPE_IMPOSSIBLE as a safe-guard
-static struct mem_map_st mem_map[] = {
+static const struct mem_map_st mem_map[] = {
 	{ 0x00000000U, 0x0001F7FFU, MEM_SLOT_TYPE_MAIN_RAM	}, // OLD memory model used 0-FF as "ZP" to handle CPU I/O port. But now it's VIRTUAL and only exists in CPU's view not in mem-map!
 	{ 0x0001F800U, 0x0001FFFFU, MEM_SLOT_TYPE_SHARED_RAM	}, // "shared" area, 2K of coulour RAM [C65 legacy], b/c of performance, we must distribute between both of normal and colour RAM
 	{ 0x00020000U, 0x0003FFFFU, MEM_SLOT_TYPE_ROM		}, // though it's called ROM, it can be normal RAM, if "ROM write protection" is off
@@ -800,24 +800,28 @@ void cpu65_do_aug_callback ( void )
 	| MAP   | MAP   | MAP   | MAP   | UPPER | UPPER | UPPER | UPPER | Z
 	| BLK7  | BLK6  | BLK5  | BLK4  | OFF19 | OFF18 | OFF17 | OFF16 |
 	+-------+-------+-------+-------+-------+-------+-------+-------+
-	-- C65GS extension: Set the MegaByte register for low and high mobies
-	-- so that we can address all 256MB of RAM.
-	if reg_x = x"0f" then
-		reg_mb_low <= reg_a;
-	end if;
-	if reg_z = x"0f" then
-		reg_mb_high <= reg_y;
-	end if; */
+	*/
 	cpu65.cpu_inhibit_interrupts = 1;	// disable interrupts till the next "EOM" (ie: NOP) opcode
 	DEBUG("CPU: MAP opcode, input A=$%02X X=$%02X Y=$%02X Z=$%02X" NL, cpu65.a, cpu65.x, cpu65.y, cpu65.z);
-	map_offset_low	= (cpu65.a <<   8) | ((cpu65.x & 15) << 16);	// offset of lower half (blocks 0-3)
-	map_offset_high	= (cpu65.y <<   8) | ((cpu65.z & 15) << 16);	// offset of higher half (blocks 4-7)
-	map_mask	= (cpu65.z & 0xF0) | ( cpu65.x >> 4);		// "is mapped" mask for blocks (1 bit for each)
-	// M65 specific "MB" (megabyte) selector "mode":
-	if (cpu65.x == 0x0F)
+	if (cpu65.x == 0x0F) {
 		map_megabyte_low  = (int)cpu65.a << 20;
-	if (cpu65.z == 0x0F)
+	} else {
+		map_offset_low	= (cpu65.a << 8) | ((cpu65.x & 15) << 16);	// offset of lower half (blocks 0-3)
+		map_mask	= (map_mask & 0xF0) | (cpu65.x >> 4);		// "is mapped" mask for the lower half
+	}
+	if (cpu65.z == 0x0F) {
 		map_megabyte_high = (int)cpu65.y << 20;
+		if (in_hypervisor) {
+			DEBUG("MEM: warning, altering MB selection for upper 32K memory mapping in hypervisor mode at PC=$%04X" NL, cpu65.pc);
+		}
+	} else {
+		if (!in_hypervisor) {
+			map_offset_high	= (cpu65.y << 8) | ((cpu65.z & 15) << 16);	// offset of higher half (blocks 4-7)
+			map_mask	= (map_mask & 0x0F) | (cpu65.z & 0xF0);		// "is mapped" mask for the upper half
+		} else {
+			DEBUG("MEM: avoiding to alter upper 32K memory mapping in hypervisor mode at PC=$%04X" NL, cpu65.pc);
+		}
+	}
 	DEBUG("MEM: applying new memory configuration because of MAP CPU opcode" NL);
 	DEBUG("LOW -OFFSET = $%03X, MB = $%02X" NL, map_offset_low , map_megabyte_low  >> 20);
 	DEBUG("HIGH-OFFSET = $%03X, MB = $%02X" NL, map_offset_high, map_megabyte_high >> 20);
