mzxrules

Frame 0x80000001 Crash

May 13th, 2016
A very simple glitch:

[Global Context]+0x2E8 / NTSC 1.0 address 8011F578 holds a signed 4-byte value: the number of frames actually rendered on screen (pausing lags this counter a bit).

At 800A11F4, the game begins checking the state of this frame counter by loading it into register A0.
Later on at 800A1210, the game checks whether the frame counter is greater than or equal to 0.

When the frame counter is >= 0, A0 is set to the least significant bit of the frame counter and is passed into a function so that it can be used to look up the address to draw the next frame at.

When the frame counter has overflowed (gone negative), A0 is again set to the least significant bit of the frame counter, but if that bit is 1, A0 is set to -1 instead, causing the frame buffer address lookup to fail to find a valid address (in testing, the value read in was address 0000 0000).

Thus, with a bad frame buffer set, the game crashes. Amusingly, the game wouldn't crash if it weren't for the check that tests for overflow.


Edit: What's likely happening in the source itself is that the programmer used the modulo operator in order to flip between frame buffers:

int bufferIndex = frames % 2;

However, the modulo operation in C (ISO C 1999; older C standards leave the sign implementation-defined, but implementations most likely behave the same way as ISO C 1999) keeps the sign of the dividend, meaning that once the frame counter overflows into the negative, odd values return a negative index.
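The modulo behaviour described above, worked through as an added example that is not the game's code or the paste author's: a counter of 0x80000001 (the title's frame, i.e. INT32_MIN + 1 as a signed 4-byte value) run through the `frames % 2` index beside a masked variant that stays valid after the counter goes negative. The two buffer addresses, the function names and the lookup returning 0 for an out-of-range index are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the game's code. Two frame buffers with constructed
 * (made-up) addresses; a valid index is 0 or 1. */
#define FRAME_BUFFER_COUNT 2
static const uint32_t frame_buffers[FRAME_BUFFER_COUNT] = {
    0x80200000u, 0x80300000u
};

/* Index computed the way the paste suggests: frames % 2. In C99 the
 * remainder takes the sign of the dividend, so an odd negative counter
 * yields -1 rather than 1. */
int buffer_index_modulo(int32_t frames) {
    return frames % 2;
}

/* Hardened variant: masking the low bit (equivalently, unsigned modulo)
 * gives 0 or 1 for every counter value, negative ones included. */
int buffer_index_masked(int32_t frames) {
    return (int)((uint32_t)frames & 1u);
}

/* Stand-in for the address lookup. Returns 0 for an index outside the
 * table, mirroring the 0000 0000 the paste reports reading (assumption:
 * the real lookup's failure path is not modelled beyond that). */
uint32_t lookup_frame_buffer(int index) {
    if (index < 0 || index >= FRAME_BUFFER_COUNT) return 0;
    return frame_buffers[index];
}

int main(void) {
    /* INT32_MIN + 1 is 0x80000001 as a signed 4-byte value: the first odd
     * frame after the counter overflows. */
    int32_t overflowed = INT32_MIN + 1;
    int32_t normal = 1000001;   /* an ordinary odd frame count */

    printf("frames=%d  %%2 -> %2d  addr=%08x\n", normal,
           buffer_index_modulo(normal),
           (unsigned)lookup_frame_buffer(buffer_index_modulo(normal)));
    printf("frames=%d  %%2 -> %2d  addr=%08x\n", overflowed,
           buffer_index_modulo(overflowed),
           (unsigned)lookup_frame_buffer(buffer_index_modulo(overflowed)));
    printf("frames=%d  &1 -> %2d  addr=%08x\n", overflowed,
           buffer_index_masked(overflowed),
           (unsigned)lookup_frame_buffer(buffer_index_masked(overflowed)));
    return 0;
}
```

The second line of output shows the index -1 and address 00000000 that the paste describes; the third shows the masked index picking the second buffer again.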