HLE CD_read: honour D0 bit 31 (re-seek only) + mirror data into cart space

JoeMatt · JoeMatt · commit 8c3a1f9ffb5b · 2026-04-22T17:48:31.000-04:00
Two related fixes for boot stubs that issue multiple CD_read calls:

1. Re-seek (D0 bit 31 set) is now a no-op transfer.  Per
   docs/cd-bios-calling-convention.md, bit 31 means "skip hardware
   init, just re-seek; the GPU data area is already configured by
   the prior call."  We were treating these as full reads, computing
   byteCount from A0/A1 (which hold stale or garbage values in
   re-seek mode) and falling back to a default \$5BC00 transfer that
   stomped the boot stub's just-loaded code/data with raw audio
   sectors.  Hover Strike previously crashed to PC=\$FFFFFFFF at
   frame 86 because its 4th and 5th CD_reads (D0=\$80657374,
   \$80F652B9) overwrote 750KB of memory; with this fix it now runs
   to a clean wait loop at \$065B36 with 19 unique PCs.

2. Loaded data is now mirrored into cart space at the same offset.
   On real Jaguar CD hardware the CD cart's onboard buffer maps into
   cart space (\$800000-\$DFFFFF); some boot stubs scan cart-space
   addresses (e.g. BrainDead 13 reads A0=\$00851644) for the universal
   "ATRI" header.  Cart space is otherwise empty in HLE mode, so the
   mirror is harmless when not needed.

Test diagnostic upgrade: when the run barely moves we also dump 32
bytes of the current memory at A0/A1 (using the libretro core's
jagMemSpace[] symbol so cart space is visible), so the wait loop's
read target shows up alongside the PC bytes.

Result: 4 PASS / 5 FAIL.  Hover Strike no longer crashes (now a
wait-loop FAIL); other failures unchanged for now.

Made-with: Cursor
diff --git a/src/jagcd_hle.c b/src/jagcd_hle.c
@@ -214,11 +214,30 @@ static void HLEHandleCDRead(void)
    uint8_t pat[4];
    uint32_t scanLBA, scanOff;
    bool foundSentinel;
+   bool reseekOnly = (d0 & 0x80000000u) != 0;
 
    lba = ((uint32_t)min * 60 + sec) * 75 + frm;
    if (lba >= 150)
       lba -= 150;
 
+   /* Per docs/cd-bios-calling-convention.md:
+    *   "Bit 31: if set, skip hardware init, just re-seek (GPU data area
+    *    already configured by prior call)."
+    *
+    * Real BIOS treats bit-31 calls as DSA seek-only — the destination,
+    * end address, and sentinel are already in place from the prior
+    * non-bit-31 CD_read.  We have no continuous streaming, so the prior
+    * call already wrote all data; a re-seek is a no-op for HLE.  The
+    * critical thing is to NOT compute byteCount from A0/A1 (which hold
+    * stale or garbage values in re-seek mode) and stomp memory. */
+   if (reseekOnly)
+   {
+      HLE_LOG("CD_read: re-seek only (D0 bit31 set, D0=$%08X) — "
+              "skipping data transfer\n", d0);
+      hle_read_pending = false;
+      return;
+   }
+
    destAddr  = a0;
    byteCount = (a1 > a0 && a1 < 0x200000) ? (a1 - a0) : 0;
 
@@ -438,6 +457,19 @@ static void HLEHandleCDRead(void)
       for (i = 0; i < copyLen && (dst + i) < 0x200000; i++)
          jaguarMainRAM[dst + i] = sectorBuf[copyStart + i];
 
+      /* Mirror the same data into cart space at the same offset.
+       * Some boot stubs (e.g. BrainDead 13) scan cart-space addresses
+       * like $00851644 looking for the universal "ATRI" header.  On real
+       * Jaguar CD hardware, the CD cart's onboard buffer is mapped into
+       * cart space; in HLE we mirror the loaded data so direct cart-space
+       * scans hit the same payload.  Cart space is otherwise empty in HLE
+       * mode, so this overlay is harmless. */
+      {
+         uint32_t cartDst = dst + 0x800000;
+         for (i = 0; i < copyLen && (cartDst + i) < 0xE00000; i++)
+            jaguarMainROM[cartDst - 0x800000 + i] = sectorBuf[copyStart + i];
+      }
+
       bytesWritten += copyLen;
       s++;
    }
diff --git a/test/test_cd_hle_boot.c b/test/test_cd_hle_boot.c
@@ -251,6 +251,34 @@ static void cd_run_one_disc(const char *path, unsigned frames,
                 fprintf(stderr, " %s=$%08X", regs[i].name,
                         C.m68k_get_reg(NULL, regs[i].id));
             fprintf(stderr, "\n");
+
+            /* Dump 64 bytes at the current A0 (and A1) target.  Use the
+             * core's jagMemSpace[] symbol so we can see cart space
+             * ($800000+) and not just main RAM. */
+            uint8_t *space = (uint8_t *)dlsym(C.handle, "jagMemSpace");
+            uint32_t a0 = C.m68k_get_reg(NULL, 8);
+            uint32_t a1 = C.m68k_get_reg(NULL, 9);
+            if (space) {
+                if (a0 < 0xE00000) {
+                    fprintf(stderr, "    [A0-MEM $%06X]", a0);
+                    for (uint32_t k = 0; k < 32 && a0 + k < 0xE00000; k++)
+                        fprintf(stderr, " %02X", space[a0 + k]);
+                    fprintf(stderr, "\n");
+                }
+                if (a1 < 0xE00000) {
+                    fprintf(stderr, "    [A1-MEM $%06X]", a1);
+                    for (uint32_t k = 0; k < 32 && a1 + k < 0xE00000; k++)
+                        fprintf(stderr, " %02X", space[a1 + k]);
+                    fprintf(stderr, "\n");
+                }
+            } else if (ram) {
+                if (a0 < 0x200000) {
+                    fprintf(stderr, "    [A0-RAM $%06X]", a0);
+                    for (uint32_t k = 0; k < 32 && a0 + k < 0x200000; k++)
+                        fprintf(stderr, " %02X", ram[a0 + k]);
+                    fprintf(stderr, "\n");
+                }
+            }
         }
     }
 
