Post Reply 
Another bug hidden for over 40 years ... ?
12-14-2023, 07:48 AM (This post was last modified: 12-14-2023 07:52 AM by ThomasF.)
Post: #1
Another bug hidden for over 40 years ... ?
Hi all,

While working on the Blinky emulation, I have once again started to read the VASM listings, not only for the mainframe, but also the printers and time module.

To be compatible with other printers, the Blinky ROM must maintain all global entry points used.
Not only is there a entry point jump table in the end of the module, but there are also direct entry points into the ROM code, e.g. from the Time module (82182A) into the printer ROM, so these addresses must be kept between the printers (82143, the IL printer 82162 and the Blinky 82242 IR module).

When I was reading the Timer VASM looking for calls to the printer I found what I consider is a new bug (at least I can't remember any notes about it), but I have problems verifying this with real hardware since I'm lacking the 82182 Timer module myself.

In the Timer VASM the following code snippet was found, it is in the code for the function ALMCAT, printing any alarms on the printer. This code prints the time & date, the reset interval, and then calls the printer to check status and report any errors (BECHK).

Code:
 73 40           1 GOSUB TMSG        PRINT ALARM TIME & DATE
 73 41           0                   *TIMER ROM: TM2, @0431
 74 42        1340 DISOFF            TURN DISPLAY OFF
 75 43         510 S6= 1             (P+2) OK TO PRINT
 76 44           1 GOSUB INTVAL      DISPLAY RESET INTERVAL
 76 45           0                   *TIMER ROM: TM2, @1234
 77 46          53 GOTO ACT135 ( 53) (P+1) NO RESET INTERVAL
 78 47           1 GOSUB TMSG        (P+2) PRINT RESET INTERVAL
 78 50           0                   *TIMER ROM: TM2, @0431
 79 51           1 GOSUB WAITK6      WAIT 0.6 SECONDS
 79 52           0                   *TIMER ROM: TM2, @0420
 80 53 ACT135  615 CON @615          GOSUB TO BECHK & PECHK
 81 54        1474 CON @1474         *ILPRINTER: PL0, @1737
 82                                  (DISPLAY ANY PRTR ERRORS)
In normal cases, when the code calls a global entry point, the actual label is used, and the linker fills in the address for the subroutine call (like the GOSUB's above), but in this case there is no label so the address is entered manually (line 80 and 81 above).
This should result in a call to 01737 (octal) in quad 0 of the printer ROM (PL0, @1737 corresponding to 0x63DF).

And at the corresponding place in the printer (82162 in this case) it says:

Code:
************************************************************************
* OUTPCT IS CALLED BY TIMER ROM ALSO. *
* USES ONLY A, C, N, S[7:0], S9 AND +2 SUBROUTINE LEVELS. *
************************************************************************
 1028 1735 OUTPCT    1 GOSUB EOLL    SEND EOLL LEFT-JUSTIFIED
 1028 1736           0               *ILPRINTER: PL1, @1756
 1029 1737           1 GOSUB BECHK   WAIT FOR PRINTER
 1029 1740           0               *ILPRINTER: PL0, @1743

Notice that the address 1737 does not have a label, like OUTPCT two lines above.
This corresponds to address 0x63DD (OUTPCT) and 0x63DF (OUTPCT + 2).

This confused me, since the opcode in the Timer ROM (615,1474) which is 0x18D,0x33C and corresponds to "?NC XQ CF63" - since this is not in the printer ROM at page 6 - but could be 0x63CF if read backwards ... !?!?

Code:
 0615 -> 0 110 001 101 -> 0110 0011 01 --> 6 3 Opcode class 1
 1474 -> 1 100 111 100 -> 1100 1111 00 --> C F (00 -> ?NC XQ)

The comment says that we should call 1737 in printer rom 0 (PL0) = 0x6000 + 0x0000 + 0x3DF = 0x63DF - (this is the correct address to OUTPCT + 2 which calls the routine BECHK.
0x63CF is close to 0x63DF but not right - and absolutely not backwards ...

And all other calls to e.g. OUTPCT are using the normal linkage using the global label, with an empty instruction for the linker to resolve it, but this one is handcoded - and obviously very wrong ...

So, my interpretation of this is that if ALMCAT is executed with a printer attached, it would fail if there is some module in page C (port 3) at the same time!

This has been confirmed by Mike using his powerful NutEM/PC emulator, but since I don't have a timer module myself I can't verify this on real hardware.
The HP-41CX also has the Timer module, but this code is updated and corrected, and works when tested.

Could someone who owns a 82182 Timer module check if the following is a correct description of the error?
With timer module and a printer attached, but port 3 empty:

1. Enter some alarm, e.g.:
Code:
     [ALPHA] TEST [ALPHA]
     .15 [ENTER^]
     0 [ENTER^]
     11 [XEQ] XYZALM
2. Set the printer in TRACE mode
3. [XEQ] ALMCAT

This should result in that the alarm is printed, and this works since port 3 is empty so the call to 0xCF63 just returns and execution continues without any problem.

If we now insert a module in port 3, we probably introduce code at address 0xCF63 (we have tested this with a PPC-ROM in port 3), and execute ALMCAT again.

But be warned that this might result in a "MEMORY LOST", since my interpretation is that we would start executing code at 0xCF63 which might result in a corrupt state leading to "MEMORY LOST".

Someone made some mistakes when writing this code back in the days, first the wrong address was used (0x63CF (01717) instead of 0x63DF (01737)), but also swapped the two instructions, resulting in a call to 0xCF63.
This caused no harm as long as port 3 was empty (or if e.g. the Time module, a printer or HPIL was inserted there since they all are hardwired to other pages).
Nor is the call to BECHK really needed, there might be timing issues if a lot of alarms or big load on the printer before calling ALMCAT, but BECHK just wait for output to be printed and then checks for any errors (so normally just returns).

Even if the system is over 40 years old, it still amazes me with all bits and pieces that are still to be uncovered and understood so many years after the introduction!

Would be great if anyone could confirm this using a real 41C/CV, a printer and the 82182 Time module!

Have a nice Xmas season and a great New Year!

Cheers,
Thomas

[35/45/55/65/67/97/80 21/25/29C 31E/32E/33E|C/34C/38E 41C|CV|CX 71B 10C/11C/12C/15C|CE/16C 32S|SII/42S 28C|S 48GX/49G/50G 35S 41X]
Find all posts by this user
Quote this message in a reply
12-14-2023, 08:28 AM
Post: #2
RE: Another bug hidden for over 40 years ... ?
(12-14-2023 07:48 AM)ThomasF Wrote:  So, my interpretation of this is that if ALMCAT is executed with a printer attached, it would fail if there is some module in page C (port 3) at the same time!

It seems correct.

Referring to the Time Module Owners Manual Addendum, May 1982 (that is, only 4 months after the Owners Manual):
When printing the alarm catalog, port 3 of the calculator should be empty or contain one of the following accessories only: the HP 82143A Printer, the HP 82160A HP-IL Module, or the time module. Improper operation may occur if another module or accessory is plugged into this port while the Alarm Catalog is being printed.

The Addendum can be found on the HP-41 archive site.

So definitively not hidden for over 40 years, just little known or forgotten ...
Anyway, thanks for the details and explanations about this bug !

J-F
Visit this user's website Find all posts by this user
Quote this message in a reply
12-14-2023, 09:05 AM
Post: #3
RE: Another bug hidden for over 40 years ... ?
(12-14-2023 08:28 AM)J-F Garnier Wrote:  So definitively not hidden for over 40 years, just little known or forgotten ...

Thanks for the reference J-F!
Never seen or at least dropped from my memory (which is worst?) - but good to know that my conclusion was spot on ... Wink

Cheers,
Thomas

[35/45/55/65/67/97/80 21/25/29C 31E/32E/33E|C/34C/38E 41C|CV|CX 71B 10C/11C/12C/15C|CE/16C 32S|SII/42S 28C|S 48GX/49G/50G 35S 41X]
Find all posts by this user
Quote this message in a reply
12-14-2023, 06:54 PM
Post: #4
RE: Another bug hidden for over 40 years ... ?
This addendum is already incorporated into page 93 of my scan of the manual here:

https://literature.hpcalc.org/items/472

However, because it is probably easily missed, I have added it as a separate download here (plus now it should come up more easily on searches for the part number):

https://literature.hpcalc.org/items/2532
Visit this user's website Find all posts by this user
Quote this message in a reply
12-14-2023, 07:40 PM
Post: #5
RE: Another bug hidden for over 40 years ... ?
(12-14-2023 06:54 PM)Eric Rechlin Wrote:  I have added it as a separate download here (plus now it should come up more easily on searches for the part number):
https://literature.hpcalc.org/items/2532

Great, with the part number and print date now.

Matter of fact, the HP-41 archive site also included the addendum within the manual, but an addendum with an earlier print date of 02/82 (otherwise similar).
This means the bug was identified very soon after the time module introduction.

I have my original French manual with the corresponding addendum in French too, bought in 1983. At the time I was a bit discontented to get such an expensive module with a bug.
That may be the reason why I remembered there was an addendum about a bug (but I didn't remember what it was precisely before checking).

J-F
Visit this user's website Find all posts by this user
Quote this message in a reply
12-14-2023, 10:18 PM
Post: #6
RE: Another bug hidden for over 40 years ... ?
Did they fix it in CX Time?
Find all posts by this user
Quote this message in a reply
12-15-2023, 02:32 AM
Post: #7
RE: Another bug hidden for over 40 years ... ?
(12-14-2023 10:18 PM)brouhaha Wrote:  Did they fix it in CX Time?

Yes, in Thomas's long post above, he noted "The HP-41CX also has the Timer module, but this code is updated and corrected, and works when tested."

--Bob Prosperi
Find all posts by this user
Quote this message in a reply
12-15-2023, 07:37 AM (This post was last modified: 12-15-2023 07:39 AM by ThomasF.)
Post: #8
RE: Another bug hidden for over 40 years ... ?
(12-14-2023 10:18 PM)brouhaha Wrote:  Did they fix it in CX Time?

Hi Eric,

Yes, as mentioned, later versions work, and to verify I had a quick look into a later version of the Timer ROM (TIME-3A), and there the label ACT135 from TIME-1C and the failing call is removed all together.

First of all because it was wrong, then probably also because it was not a global entry point and since the call was not needed.
The call to wait for the printer is also explicitly called when OUTPCT (paper advance) is called at the beginning of each loop i.e. for each new alarm to be printed.

Code snippet from ALMCAT (starting at 0x5806) in TIME-3A:
Code:
        ...
        01b4  GOSUB 6DB3  IAUALL  Ok to print?
        007b  JNC     +15 ACT140  (P+1) Don't print
        0375  
        018c  GOSUB 63DD  OUTPCT  (P+2) Send paper advance
        02e0  DISOFF
        0065  
        0164  GOSUB 5919  TMSG    Print alarm time & date
        02e0  DISOFF              Turn display off
        0148  S6=     1           (P+2) Ok to print
        0271  
        0168  GOSUB 5AAC          Display reset interval
        002b  JNC     +5 ACT140   (P+1) No reset interval
        0065  
        0164  GOSUB 5919  TMSG    (P+2) Print reset interval
        0041  
        0164  GOSUB 5910  WAITK6  Waity 0.6 seconds
#
# This is were the failing call (wait for printer) was inserted in TIME-1C ROM - now removed
#
# ACT135  615 CON @615          GOSUB TO BECHK & PECHK
#        1474 CON @1474         *ILPRINTER: PL0, @1737
#
ACT140  02e0  DISOFF              Turn display off
        0245  
        0144  GOSUB 5191  DSAMS0  Show 1st 12 char of alm msg
        00eb  JNC +27 ACT175      (P+1) No message
        00b0  C=N
        0268  REGN=C 9            Save message reg in reg 9
        02cd  
        01b4  GOSUB 6DB3  IAUALL  Ok to print?
        002b  JNC +5  ACT150      (P+1) Don't print
        02e5  
        01ac  GOSUB 6BB9  PRTLCD  (P+2) Print content of LCD
        ...

Cheers,
Thomas

[35/45/55/65/67/97/80 21/25/29C 31E/32E/33E|C/34C/38E 41C|CV|CX 71B 10C/11C/12C/15C|CE/16C 32S|SII/42S 28C|S 48GX/49G/50G 35S 41X]
Find all posts by this user
Quote this message in a reply
12-15-2023, 08:12 AM (This post was last modified: 12-15-2023 08:14 AM by J-F Garnier.)
Post: #9
RE: Another bug hidden for over 40 years ... ?
(12-15-2023 07:37 AM)ThomasF Wrote:  I had a quick look into a later version of the Timer ROM (TIME-3A), and there the label ACT135 from TIME-1C and the failing call is removed all together.

TIME 3A ?
The "official" known time ROMs are the TIME 1C (time module for the CV) and the TIME 2C (embedded time ROM in the CX).
This TIME 3A is for sure not from HP, and not from the same era.

J-F
Visit this user's website Find all posts by this user
Quote this message in a reply
12-15-2023, 08:37 AM (This post was last modified: 12-15-2023 08:56 AM by ThomasF.)
Post: #10
RE: Another bug hidden for over 40 years ... ?
(12-15-2023 08:12 AM)J-F Garnier Wrote:  This TIME 3A is for sure not from HP, and not from the same era.

Hi J-F,

Thanks for your correction!

I found the TIME-3A.ROM, but maybe this is something completely different ... it looked very much like time Time Module when I disassembled the ALMCAT function in it. I just assumed it was a ROM-dump from a later version of Time module or CX.
(There is a lot of ROMs floating around - but very little documentation about them ...)

Edit: The TIME-3A ROM was found found on the 41CL page (https://www.systemyde.com/zip/rom_files_231126.zip), so maybe an updated ROM to suit the CL.

I'm sorry if this is something else, and I will trace and disassemble my good old CX when I get home.

Cheers,
Thomas

[35/45/55/65/67/97/80 21/25/29C 31E/32E/33E|C/34C/38E 41C|CV|CX 71B 10C/11C/12C/15C|CE/16C 32S|SII/42S 28C|S 48GX/49G/50G 35S 41X]
Find all posts by this user
Quote this message in a reply
12-15-2023, 09:54 AM
Post: #11
RE: Another bug hidden for over 40 years ... ?
TIME-3A (or -3B) is definitely the HP41-CL version, it has the extra functions at the end of the FAT

Regards, Meindert
Find all posts by this user
Quote this message in a reply
12-15-2023, 11:55 AM
Post: #12
RE: Another bug hidden for over 40 years ... ?
Hi again,

Sorry for the confusion regarding the ROM version of the Time module!

I have now checked with a "-TIME 2C" ROM in a HP41CX, and the dumped code section in the original post is identical to the one in this CX.
The code section correspond to address 0x581C to 0x5836 in both ROM's.

So the original post is still valid, and at least in respect to the ALMCAT function, both TIME 2C and 3A are identical (but with additional functions added in the 3A version as Meindert mentioned).

Cheers,
Thomas

[35/45/55/65/67/97/80 21/25/29C 31E/32E/33E|C/34C/38E 41C|CV|CX 71B 10C/11C/12C/15C|CE/16C 32S|SII/42S 28C|S 48GX/49G/50G 35S 41X]
Find all posts by this user
Quote this message in a reply
12-19-2023, 10:14 AM
Post: #13
RE: Another bug hidden for over 40 years ... ?
(12-14-2023 06:54 PM)Eric Rechlin Wrote:  This addendum is already incorporated into page 93 of my scan of the manual here:

https://literature.hpcalc.org/items/472

However, because it is probably easily missed, I have added it as a separate download here (plus now it should come up more easily on searches for the part number):

https://literature.hpcalc.org/items/2532

In the same way, there is an addendum for the Extended Function/Memory module 1B (for the CV).
Probably many of us are using physical or emulated 41CX with embedded XF-2D for which the addendum is no more relevant,
but my CV has still a XF-1B module in it, and it seems the corrected version 1C is somehow rare - even a powerful user/collector doesn't have it Smile

The addendum is available on the hp41 archive site.
The most notable and annoying bug is :
"After a file in extended memory is purged, there is no working file.
[...] you should always define a working file before executing functions that operate on it;
otherwise, all files in extended memory will be lost".


J-F
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 




User(s) browsing this thread: 2 Guest(s)