MSVC C++ ABI Member Function Pointers

21 September, 2021

This is a detailed discussion of MSVC C++ ABI pointers to member functions, including some of the trade-offs they make. The format of pointers to member functions in C++ is implementation-defined, and a lot of incomplete and misleading information about this topic found around the web. There’s a popular article at Code Project that provides a reasonable overview of a several implementations of pointers to member functions, but not all the details are accurate. Raymond Chen has a very incomplete and somewhat misleading blog post. As far as I know, there is no publicly available formal specification for the MSVC C++ ABI.

In this article, MSVC C++ ABI with default options is assumed unless stated otherwise. Some of the values assumed to be int may actually be long int or int32_t, but without access to an LP32 or LP64 target using the MSVC C++ ABI it’s impossible to confirm one way or the other. This description is mainly based on the behaviour of MSVC 19.29 for x86-64 and AArch64. The usual disclaimers about implementation-defined behaviour apply: depending on this behaviour produces code that is not portable, details may change at any time, and the accuracy is limited by my understanding.

Read the rest of this entry »

Posted in C, Development, Technology | No comments »

Lifting a jinx?

13 August, 2019

The past decade has seen a substantial increase in rail freight in Australia. Capital investment like the Southern Sydney Freight Line and conversion of the Victorian North East line to 1435 mm standard gauge is paying off. Allied Pinnacle has a siding just south of Kensington station, and Southern Shorthaul Railroad (SSR) currently has the contract to deliver their wheat. SSR uses a pair of S class “bulldog nose” locomotives from the 1950s coupled back-to-back to operate this service. Right now they’re using S302 and S317, but they were using S312 earlier in the year.

S302 is named after the pioneer Edward Henty. Here it is at Kensington, in orange and grey livery:

S302 at Kensington

S317 was the last S class locomotive to be delivered, and was named after Sir John Monash. S317 has been involved in two major accidents: it was rebuilt after a head-on collision with X33 in 1967, and collided with the read of the Spirit of Progress at Barnawartha in 1982 killing the crew. Here it is at Kensington:

S317 at Kensington

Wait! What’s that below the cab window? It doesn’t have the old Sir John Monash nameplate any more. It seems to be named Jenny Molloy now! Who’s Jenny Molloy? Whoever she is, she definitely isn’t as well-known as Sir John Monash. She does have the same initials, though. Here’s a view of the nose:

S317 at Kensington

Interesting paintwork inside the horns, too. If anyone knows more about the renaming of S317 or who Jenny Molloy is, I’d love to hear about it. Did the old name have too many bad connotations? Was the new name intentionally selected to have the same initials? Does the new name lift a jinx?

Posted in Uncategorized | 1 comment »

The Q Factor

20 March, 2018

QSound logo screenIf you spent much time in video game arcades ’90s, you’re sure to have seen the QSound logo proudly displayed during the attract loop of games running on Capcom’s CPS-2 and ZN-1/ZN-1 hardware platforms, and heard the distinctive jingle. But What exactly is QSound? What does it actually do? Capcom was definitely keen to promote its inclusion, but did it really give an edge in any area besides marketing? Was it worth the licensing fees they undoubtedly paid, and the precious attract loop time they spent announcing it?

As implemented in Capcom’s arcade systems, QSound technology is provided by a digital signal processor (DSP) running an internal program that implements a sixteen-channel sample player/mixer. It produces 16-bit stereo output at just over 24 kHz. It supports 16-bit samples, but Capcom only ever used it with 8-bit sample ROMs. In addition to playing and mixing the channels, it applies “spatialisation” effects, intended to give the impression of a more expansive virtual sound stage. I know what you’re thinking: everything I’ve said so far sounds like marketing material, but what do the effects actually do, and does it actually work?

Read the rest of this entry »

Posted in Technology | No comments »

TPG FTTB Settings

24 January, 2018

In case anyone else wants to configure third-party equipment for a TPG fibre-to-the-building service, here are the details. Below the fold are screenshots of the settings entered in the web-based configuration UI of an AVM FRITZ!Box. Note that the SIP password is not the same as your account password, and you’ll need to obtain this somehow. TPG doesn’t make this easy, but it is possible.

Internet connection

Modulation: VDSL2 17a (ITU G.993.2)
VPI: 1
VCI: 32
Encapsulation: PPPoE
Authentication: PAP
Username: your TPG username optionally followed by “”
Password: doesn’t matter – it isn’t actually verified (you can use your account password)

Phone service connection

Connection type: PVC
802.1q PCP tag:
(PBit or 802.1p traffic class)
5 (VO, voice with < 10 ms latency/jitter)
VPI: 1
VCI: 32
Encapsulation: routed bridge encapsulation
IPv4 configuration: DHCP

SIP connection settings

Registrar server:

Proxy server:

STUN server: none (disabled)

Connection type: SIP trunk

Telephone number: your telephone number including area code (ten digits)

Username: your telephone number including area code (ten digits)

Password: your SIP password (16 characters including uppercase and lowercase letters and digits)

Voice codecs: G.711 and G.729

Read the rest of this entry »

Posted in Internet, Technology | 12 comments »

TPG: Just Don’t

20 January, 2018

Due to persistent issues with line quality, I switched an Internet connection from Internode ADSL2+ to TPG fibre to the building (FTTB). Although the connection quality is better, just about everything else about TPG is worse. I strongly recommend avoiding TPG. Problems include:

  • Error-prone signup process
  • Supplied modem/router is heavily compromised
  • Phone service is tied to compromised modem/router
  • No IPv6 support
  • Support staff very inconsistent
  • Good support staff hobbled by policy

My Internode connection had become very slow and unstable in hot, dry weather. Strangely it was fine in the rain, and even during flooding. It almost seemed like something needed to be damp to maintain an electrical connection. There’s no way to actually get these kinds of issues resolved, as the ISP and last mile provider will blame each other and the in-building wiring, and charge extortionate rates for technicians to be called out without actually solving the issues. The only other option I have for last mile is TPG. I’d been switching to Telstra LTE on bad days, and to be fair it’s actually not too bad at the moment. It seems to be pretty fast and stable, but I imagine that will get worse as more people start to use the network. But using LTE comes with a number of imitations, and it’s supposed to be my backup, not my day-to-day Internet connection.

Sadly, it seems that Internode may be going downhill since being acquired by TPG. After iiNet acquired Internode, they were allowed to operate independently for the most part. The call centre in Adelaide remained open, Internode continued to offer the same kinds of perks as before, including Usenet servers, Steam content mirrors, native IPv6 connectivity, and more. However, TPG has consolidated iiNet and Internode support and seems to be phasing out Internode perks. They’ve even started selling TPG nbn™ HFC (DOCSIS cable) under the Internode brand name, providing the same IPv4-only connection and obfuscated SIP phone service.

With the consolidation in the Australian ISP sector, there’s a big reduction in competition. TPG has merged with or acquired Soul, AAPT, Chariot, iiNet, Internode, TransACT, WestNet, PIPE, Westnet, and more. There doesn’t seem to be a good alternative at the moment. There may be an opportunity for an upstart ISP that understands what made “premium” ISPs like Internode successful in the first place.

Read the rest of this entry »

Posted in Internet, Technology | 2 comments »

Going Old-School

8 July, 2017

For lulz, I decided to rewrite MAME’s Intel 4004 CPU core and add support for most 4040 features. The new CPU core operates at the bus cycle level, and exposes most useful signals. It also uses lots of address spaces for all the different kinds of memory and I/O it supports (thanks OG). Some CPU core bugs were fixed along the way – notably intra-page jumps on page boundaries were broken.

One nice benefit we get from this is being able to hook up the I/O for the Bally/Nutting solid-state Flicker pinball prototype (supposedly the first microprocessor-controlled pinball machine) how the hardware actually worked. I also hooked up the playfield lamp matrix as outputs and the operator adjustments as machine configuration while I was at it. We need a proper thermal model of a lamp with PWM dimming support before that part can be declared perfect. (It previously used a hack, pulling the low bits of RC out of the CPU using the state interface. This worked due to a quirk of the game program, and there was no way to implement it properly without the 4004 CM-RAM signals being exposed.)

Possibly more interestingly, we can now emulate the Intel INTELLEC® 4/MOD 40 development system. There seem to be very few surviving examples of this system, but fortunately we’ve got monitor PROM dumps, and there’s some information floating around the web. It has interesting debugging features on the front panel. There’s a scanned manual, but the schematics are very poor quality. However, with some idea of how it works, it’s possible to work out what all the chips are supposed to be. That’s the fun part. Turning it into MAME code isn’t as much fun, but it’s doable.

The front panel looks like this:

That requires clickable artwork for the switches and outputs for the LEDs to get a usable experience (writing the MAME XML layout really isn’t fun). There’s a simple monitor in PROM, designed to be used with an ASCII teleprinter with paper tape reader and punch (e.g. a Teletype Model 33 ASR). MAME’s RS-232 video terminal will have to do as a substitute for that.

If you get bleeding edge MAME (i.e. built from source no more than a day or so old), you can try it out in emulation. Did you ever wonder how developers may have debugged 4004 code in the mid to late ’70s? Well even if you didn’t, now you can find out.

The front panel looks like this in emulation (without the explanatory labels), and by default MAME shows the video terminal below this:

All those LEDs are functional, and all those switches are clickable and visually reflect their current state.

So how would you actually use it in practice? That’s where this brief instruction manual on the MAMEdev wiki comes in. It’s complete with examples of how some of the monitor commands and front panel debugging features can be used. It’s marked NOT_WORKING in MAME for now because you need to manually set up the terminal the first time you use it, and I haven’t finished implementing the universal slots and storage cards. But you can do all the things described on that page.

Does anyone care? Probably not. Will anyone actually even try this system out in MAME? Probably not (apart from Robbbbbbbert). But this is another example of something that you can only do in MAME, and how completely unrelated systems can both benefit from emulating the same chip properly. It also gets rid of one previously unavoidable hack, and gets us one step closer to feature parity with EmuAllSystems.

Posted in MAME, Technology | 1 comment »

Attacking the Weak

13 February, 2017

ShouTime dumped the incredibly rare game Omega (Nihon System). It’s a ball-and-paddle game running on similar hardware to Sega’s Gigas. These games use an NEC MC-8123 CPU module containing a Z80 core, decryption circuitry, and an 8 KiB encryption key in battery-backed RAM. When fetching a byte from ROM or RAM, the CPU chooses a byte from the encryption key based on twelve of the address bits and whether it’s an M1 (opcode fetch) cycle or not. This byte from the encryption key controls what permutation (if any) is applied to the byte the CPU fetches. This encryption scheme could have been brutal, requiring extensive analysis of a working CPU module to crack, if it weren’t for a fatal flaw: Sega used a simple linear congruential generator algorithm to create 8 KiB keys from 24-bit seeds. That means there are less than seventeen million encryption keys to test. Seventeen million might sound like a lot, but it’s far less than the total possible number of keys, and definitely small enough to apply a known plaintext attack in a reasonable amount of time.

So how do we go about attacking it? First we have to make an assumption about what the game program is going to be doing. Given that the hardware looks pretty similar to Gigas and Free Kick, I guessed that one of the first things the program would do is write a zero somewhere to disable the non-maskable interrupt generator disable maskable interrupts. So I wrote a program to find candidate seeds (no, I won’t show you the source code for this program – it’s embarrassingly ugly and hacky, not something I could ever be proud of):

  • Start with first possible 24-bit seed value
  • Generate 8 KiB key using algorithm known to be used by Sega
  • Decrypt first few bytes of program ROM using this key
  • If it looks like Z80 code to store zero somewhere and disable interrupts, log the seed
  • Repeat for next possible seed value until we run out of values to try

This ran in just a few minutes on an i7 notebook, and narrowed down the millions of possible seed values to just five candidates: 36DF3D, 6F45E0, 7909D0, 861226, and BE78C9 (in hexadecimal notation). Now I could have tried these in order, but it looked like Sega had made another misstep: besides using a predictable algorithm to generate the key, they also used a predictable seed value to feed this algorithm. The candidate seeds value 861226 looks like a date in year-month-day format. It turns out this seed generates the correct key to decrypt the game program, so I guess we know what someone at Sega was doing the day after Christmas in 1986.

Brian Troha hooked up the peripheral emulation, and the game will be playable in MAME 0.183 (due for release on 22 February). Colours aren’t quite right as we don’t have dumps of the palette PROMs yet, but we expect to resolve this in a future release. Thanks to ShouTime and everyone else involved in preserving this very rare piece of arcade history.

Posted in MAME, Technology | 3 comments »

My PAL with the LASERs

15 December, 2015

Back in the distant past, MAME started cataloguing programmable logic devices (PLDs) in addition to ROMs. This was met with considerable hostility from certain segments of the community, as it was seen as forcing them to obtain files they saw as unnecessary for emulation in order to run their precious games. However PLDs are programmable devices, and it’s important to preserve them. So far though, the PLD dumps have mainly been used by PCB owners looking to repair their games. The haven’t been used by MAME for emulation. However, PLDs are key to the operation of many arcade games, performing functions like address decoding and video mixing.

One such arcade board is Zaccaria’s Laser Battle, also released under license by Midway as Lazarian. This board uses complex video circuitry that was poorly understood. It includes:

  • TTL logic for generating two symmetrical area effects, or one area effect and one point effect
  • TTL logic for for generating an 8-colour background tilemap
  • Three Signetics S2636 Programmable Video Interfaces (PVIs), drawing four 4×4 monochrome sprites each
  • TTL logic for generating a single 32×32 4-colour sprite
  • A Signetics 82S101 16×48×8 Programmable Logic Array (PLA) for mixing the video layers and mapping colours

On top of this, they decided it was a good idea to use some clever logic to divide the master clock by four when feeding the Signetics S2621 Universal Sync Generator (USG) that generates video timings, but to divide it by three to generate the pixel clock feeding the rest of the video hardware. This lets them get one third more horizontal resolution than the Signetics chips are designed to work with. They need additional logic to line up the pixel clock with the end of horizontal blanking, because the number of pixels in a line isn’t divisible by three, and some more logic for delaying the start of the visible portion of each frame and cutting it off early because they wanted less vertical resolution than the Signetics chips are designed for. It uses an GRBGRBGR colour scheme where the most significant bits are are in the middle of the byte and the missing least significant blue bit effectively always, so it can’t produce black, only a dark blue Was this design effort worth it? I guess they must’ve made some money off the Midway license at least.

Anyway, this game has never worked properly in MAME. It’s always been missing the area and point effects, the colours have always been completely wrong, and the mixing between layers hasn’t properly either. And that’s done inside the PLA. The PLA has 48 internal logic variables, each of which can be programmed to recognise an arbitrary combination of levels on the 16 input line. Each of the internal variables can drive any combination of the eight output lines. The outputs can be configured to be inverting or non-inverting.

In theory this sounds like a job for a ROM, so why use a PLA instead? Well a ROM with 16 input bits and eight output bits would need 64kB of space. Such a ROM would likely have been prohibitively expensive when this game was produced. I mean, its program ROMs are only 2kB each, so there’s no way they’d be sourcing a ROM 32 times that size just for video mixing. The PLA maps the same number of inputs to the same number of outputs with just 1,928 bit of storage, or a little less than one of the program ROMs. It can’t produce absolutely any arbitrary input to output mapping, but it’s more than enough for this application. In fact, it turns out they didn’t even need to use all the space in the PLA.

Read the rest of the post if you want to know more about the process of decoding the PLA bitstream and examining its contents.

Read the rest of this entry »

Posted in Development, MAME, Technology | No comments »

Yet another reason to hate Google’s tentacles

5 September, 2015

It’s not secret I don’t like the way the web is succumbing to JavaScript bloat and sucking in scripts from third-party sites. But I now have another reason to hate it. A few sites are blocked from China, including most Google properties such as Google search, Google APIs and YouTube (and also Tagged, incidentally). If a site that isn’t blocked from China tries to load scripts from Google APIs, for example the minified jQuery script, I have to wait for the blocked request to time out before the page will display at all, and functionality may be broken if the page actually depends on jQuery for content display or navigation. Is it really that hard to host your own scripts? Do you really need to give Google even more data on our browsing habits? One good thing about China’s policies it they make it harder for fucking Google to track us over here.

Posted in Internet, Technology | 1 comment »

Make a real argument

22 September, 2014

The newspapers just love publishing stories about prostitution, because they know it sells. Amanda Goff aka Samantha X has been giving them plenty of fuel. Of course these stories all have comments left open, and it’s only a matter of time before a certain argument comes up in one form or another. Here’s an example of it, as found in a comment on a Fairfax newspaper site:

My argument against prostitution isn’t based on religion, conservative values or prudishness, but is more to do with the fact that, in essence, prostitutes are being bribed to have sex with someone they don’t actually want to have sex with. One wants sex and the other doesn’t. Some may protest that they do want the sex, but what if no money was involved? That’s right. The sex wouldn’t happen.

This “argument” is absolutely absurd. Do the people making it really not see the glaring flaw? How about we do a simple substitution:

My argument against garbage collection isn’t based on religion, conservative values or prudishness, but is more to do with the fact that, in essence, garbage collectors are being bribed to collect garbage they don’t actually want to collect. One wants garbage collected and the other doesn’t. Some may protest that they do want to collect garbage, but what if no money was involved? That’s right. The garbage wouldn’t be collected.

You can apply it to most occupations. If no money was involved, the roads wouldn’t be maintained, the supermarket shelves wouldn’t be stacked, the garbage wouldn’t be collected, nothing would be manufactured, and society as we know it wouldn’t exist. I’m not trying to make a case for or against prostitution, I’m just completely sick of seeing this absolutely stupid argument smugly parroted over and over again.

Posted in Politics | 1 comment »