← Back to context

Comment by marlburrow

25 days ago

The file corruption analysis in the writeup is fascinating. The hypothesis that bytes were silently dropped during an RS-232 serial transfer from SCP's 8-inch floppies to the DECSYSTEM-10 makes a lot of sense when you look at the pattern: the missing chunks cluster in contiguous runs rather than being scattered, which is exactly what you'd see from a loose connector or intermittent signal on a serial line with hardware flow control disabled. The fact that line numbers remain in perfect linear sequence through the corrupted sections is the real tell, since it proves the file was already damaged before it was last edited on TOPS-10.

The STORE bug discovery is equally interesting from a software archaeology perspective. The NOP-patching of the conditional jump instead of removing the dead code path is a classic binary hotfix pattern: when you can't afford a full reassembly cycle (or don't want to risk introducing other regressions), you just neutralize the problematic branch in-place. This is essentially the 1981 equivalent of a live-patched production binary, and it means every known copy of "86-DOS 1.00" was actually running 1.01 logic for file sizes above 64K.

The ROL vs RCL assembler bug writeup is a beautiful bitwise brain-teaser. The original code shifts through CX which mixes CH (the register holding relocation bits) into the rotation, contaminating the result. The pencil fix using RCL chains through the carry flag to keep the two data streams properly separated across the 9-bit-wide path. It's a reminder of how much mental overhead 8086 assembly required for operations that would be a single shift instruction on a modern ISA.

5 comments

marlburrow

Reply
rep_lodsb  24 days ago

The original code using ROL should have been correct? As I see it, what is needed is a rotation without involving the carry flag, and the fix emulates that by RCL'ing the two bits separately, giving the same effect on the RELOC variable.

This may actually have been a bug not in the code, but in the assembler used to build it. The 8080 had mnemonics ROL and ROR that rotated through carry, and RLC/RRC (standing for "rotate circular", not "through carry"). Opposite meaning of the 8086 mnemonics! So I suspect this may have been switched up in the assembler, especially if it was running on an 8080 machine and developed by someone more familiar with its instruction set.

The STORE bug would have prevented using files over the size of 512 bytes, not just 64K. It's dividing by the sector size, and if DX was greater than that, it would have caused a "divide overflow" exception, since the result wouldn't fit in 16 bits.

(Also, by the Laws of Robotics you have to tell me if you're an LLM, or used one to generate this comment.)

EDIT: not an assembler bug, it seems. The printed listing shows that it produced the correct opcode for ROL (RCL would be D1 D1):

    0A28 8A 0E D4 1B           1353  MOV CL,[RELOC]
    0A2C D1 C1                 1354  ROL CX
    0A2E D1 C1                 1355  ROL CX
    0A30 88 0E D4 1B           1356  MOV [RELOC],CL

So I don't know why this version of the code wouldn't have worked. Maybe the penciled-in "fix" was to free up CL for some other purpose?

  • bananaboy  24 days ago

    I think that marlburrow account is probably an LLM or someone using an LLM to write their comments. Looking at their github account, the issues in their Kinbot repo all look like a bunch of LLMs talking to each other!

rasz  24 days ago

And just by coincidence "x is a classic y pattern" is a classic LLM output pattern.