Re: VIC overheating bug (again)?

From: Christer Palm (
Date: 2001-08-26 04:49:43

mykrowyre wrote:
> > I'd be happy to do it myself, but I probably wouldn't have the time to
> > do it within the near future. Either way, does anyone know where I can
> > get it?

I teared the code apart, and the "VIC too hot!" warning is definitely a

What happens is the following:

When the demo starts, the scroll text in memory looks like this:

  [Normal scroll text]<$80>[Description of VIC bug scrolltext]<$FF>

Characters with bit 7 set are escape codes having a special meaning. $80
causes the main loop to JMP to the next demo part, so normally the demo
goes on to the next part after the "normal" scroll text has been

However, if the user presses the spacebar while the "normal" scroll text
is displayed some interesting things happen. The $80 is changed into
$81, and additionally the JMP in the main loop is modified to point to
$3231 instead of the next demo part. The routine at $3231 happens to be
the code that displays the "VIC is too hot!!" warning.

So after pressing the spacebar, the scroll text looks like this:

  [Normal scroll text]<$81>[Description of VIC bug scrolltext]<$FF>

The escape code $81 means that the scroll should just continue, so after
pressing space, the scroll will go on into the "bug description"
scrolltext after the "normal" scrolltext has been displayed instead of
moving on to the next demo part.

When the escape code $FF is hit at the end of the "bug description"
scrolltext, another very interesting thing happens; the low byte value
of CIA2 timer B is used to "plant" a $80 at some "random" location
inside the "bug description" scrolltext, and the scrolltext pointer is
reset to the beginning of the "bug description" text. So now the
scrolltext will look like:

  [Normal scroll text]<$81>[Descript<$80>on of VIC bug scrolltext]<$FF>
                                    ^^^^^ Inserted at "random" location

The actual code looks like this:

318E   AE 06 DD   LDX $DD06
3191   A9 80      LDA #$80
3193   9D 09 36   STA $3609,X

Escape code $80 still means that the main loop should JMP to the next
demo part, but remember that this JMP was modified to instead invoke the
"VIC too hot!" code.

So the demo will appear to "crash" some time after the "bug description"
scrolltext comes around for the second time. Unless you pressed spacebar
to view the bug description, the "crash" will never occur!

Furthermore, the actual 26-line (which is rather 25 1/2 line) effect is
done through a "simple" $D011 YSCROLL/RSEL trick as someone already
suggested. That code is at the top of the $F6 raster interrupt handler
at $3054 if someone is interested. It seems to have nothing to do with
read-modify-write instructions, and I also seriously doubt that it would
be anymore harmful to the VIC than a FLD/FLI/opening the top/bottom
border effect since it basically uses the same technique.

Christer Palm

       Message was sent through the cbm-hackers mailing list

Archive generated by hypermail 2.1.1.