Thanks for the test, nanopico. And thanks to the other people who have checked in.
Well, I made a mistake here. The function at the start of the Expansion Bus Manager is not crashing. Actually, the crash happens just after that function returns, when moving the stack.
BSR.L CompBootStackOld
MOVE.L A0,SP
SUBA.W #BootStackSize,A0
_SetApplLimit
This is the second time that StartInit moves the stack and sizes the system heap zone (in earlier ROM versions it was done only once). The CompBootStack function got split into two cases. This is my interpretation of that function:
;________________________________________________________________________________________
;
; Routine: CompBootStack 5fa
;
; Inputs: none
;
; Outputs: A0 - location of stack pointer at boot time
;
; Trashes: D0
;
; Function: computes the boot time stack pointer = sysZone + (BufPtr-sysZone)/2 - space for QD
;________________________________________________________________________________________
CompBootStack
        btst    #$06,$240B
        beq.s   CompBootStackOld
        move.l  #$007EFFE0,A0           ; 8 M - 64 K - 32 b
        rts
CompBootStackOld
        move.l  BufPtr,d0               ; get top useable memory
        move.l  sysZone,a0              ; get start system heap
        sub.l   a0,d0                   ; get (top useable - sys heap start)
        lsr.l   #1,d0                   ; divide by two
        add.l   a0,d0                   ; get sys heap + (top - sysHeap)/2
        sub.w   #BootGlobalsSize,d0     ; leave room for QuickDraw stuff.
        andi.w  #$FFF0,d0               ; force it to be even <SM81>
        move.l  d0,a0
        rts
Here are two new ROMs to probe the crash site. The first just spams the NK log. The second does the same, while calling CompBootStack instead of CompBootStackOld. Both of these files have their COMPATIBLE field set properly, so you might find them a bit easier to run. Here is some reference output from QEMU with 1.75 GB RAM:
Reset system - Into the 68K fire: 0002d032 6806c9e8
*68k: BufPtr = 5fffc000
*68k: sysZone = 00002800
*68k: About to call CompBootStackOld...
...which returned 2ffff000
*68k: Now moving stack to there (eek)...
...which didnt crash.
*68k: Now calling SetApplLimit...
...which returned successfully.
*68k: Pushing on with InterC_2560 (no more log messages)
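As an added example (not part of the post above, and not Apple's or the ROM's own code), here is a small Python model of the CompBootStack / CompBootStackOld listing that reproduces the 68000 register semantics the listing relies on: `sub.w` and `andi.w` only touch the low 16 bits of D0, so the low word can wrap without borrowing from the high word. The post does not give the value of BootGlobalsSize; the model assumes $400, which is the value consistent with the QEMU reference output (BufPtr = 5fffc000, sysZone = 00002800, result 2ffff000). The function names and the `flag_byte_240b` argument standing in for the byte at $240B are my own naming.

```python
# Added example: Python model of CompBootStack as listed in the post.
# Word-sized 68k operations (sub.w, andi.w) are modelled on the low 16 bits
# of D0 only, because that is what the real CPU does.

MASK32 = 0xFFFFFFFF
MASK16 = 0xFFFF
HIGH16 = 0xFFFF0000

# ASSUMPTION: the post does not state BootGlobalsSize. $400 reproduces the
# reference output (BufPtr=5fffc000, sysZone=00002800 -> 2ffff000).
BOOT_GLOBALS_SIZE = 0x400

# move.l #$007EFFE0,A0 : "8 M - 64 K - 32 b" in the listing's comment.
FIXED_BOOT_STACK = (8 * 1024 * 1024) - (64 * 1024) - 32


def sub_w(d0, imm):
    """sub.w #imm,d0: subtract within the low word; the high word is untouched."""
    low = (d0 - imm) & MASK16
    return (d0 & HIGH16) | low


def andi_w(d0, imm):
    """andi.w #imm,d0: AND applied to the low word only."""
    return (d0 & HIGH16) | (d0 & imm & MASK16)


def comp_boot_stack_old(buf_ptr, sys_zone, boot_globals_size=BOOT_GLOBALS_SIZE):
    """Model of CompBootStackOld:
    sysZone + (BufPtr - sysZone) / 2 - room for QuickDraw globals, then
    the low word is masked with $FFF0."""
    d0 = (buf_ptr - sys_zone) & MASK32     # sub.l a0,d0
    d0 = d0 >> 1                           # lsr.l #1,d0 (logical shift, 32-bit)
    d0 = (d0 + sys_zone) & MASK32          # add.l a0,d0
    d0 = sub_w(d0, boot_globals_size)      # sub.w #BootGlobalsSize,d0
    d0 = andi_w(d0, 0xFFF0)                # andi.w #$FFF0,d0
    return d0                              # move.l d0,a0


def comp_boot_stack(flag_byte_240b, buf_ptr, sys_zone):
    """Model of CompBootStack: btst #6,$240B picks the fixed address,
    otherwise fall through to the old computation."""
    if flag_byte_240b & (1 << 6):
        return FIXED_BOOT_STACK
    return comp_boot_stack_old(buf_ptr, sys_zone)


def low_word_wrapped(buf_ptr, sys_zone, boot_globals_size=BOOT_GLOBALS_SIZE):
    """True when the low word of the intermediate sum is smaller than
    BootGlobalsSize, i.e. sub.w wraps instead of borrowing and the final
    stack pointer lands roughly 64 KB *above* the 32-bit result would."""
    mid = (((buf_ptr - sys_zone) & MASK32) >> 1) + sys_zone
    return (mid & MASK16) < boot_globals_size


if __name__ == "__main__":
    # Constructed inputs taken from the QEMU reference output in the post.
    sp = comp_boot_stack(0x00, 0x5FFFC000, 0x00002800)
    print(f"CompBootStackOld -> {sp:08x}")            # 2ffff000
    print(f"fixed branch      -> {FIXED_BOOT_STACK:08x}")  # 007effe0
```

Running the block with the values from the QEMU log reproduces the `2ffff000` the post reports, which is how the BootGlobalsSize assumption was checked; `low_word_wrapped` makes the word-arithmetic edge case visible for other BufPtr/sysZone pairs.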