[uClinux-dev] NET+Lx, compiler bug, stability problem

박 찬택 urinara1 at hotmail.com
Thu Nov 15 07:18:08 EST 2001


Dear uClinux users.

I'm using NET+Lx and porting a device driver.
I found stack corruption of a function's saved values, caused by the kernel's
IRQ exception handler running on the same stack.
I think it is due to a compiler bug (see the analysis of the generated
prologue below).
I traced the code with arm-elf-gdb and JEENI.
The function 'ixj_timeout' is invoked periodically by the kernel's timer 
service, so it runs in kernel (SVC) mode.
Meanwhile, IRQs are raised by the on-chip Ethernet module.
(I suspect this is also related to the stability problem of NET+Lx,
i.e. running the 'ps' (process status) command while being flood-pinged:
heavy interrupt load makes it much more likely that an IRQ lands inside
the window described below.)

When the function 'ixj_read_frame' is called, the 'board' parameter is passed 
in r0 (line #4771 of ixj.s).
Within 'ixj_read_frame', the prologue pushes 11 registers (sp goes from
0x1edd74 to 0x1edd48) and then stores r0 to [fp, #-44] = 0x1edd44 (#15800).
That slot is 4 bytes *below* the current sp; sp is only lowered to cover it
later, at #15807 ('sub sp, sp, #36').
If an IRQ occurs between #15800 and #15807, the IRQ entry code switches to
SVC mode and '__irq_svc' pushes its register frame onto the very same stack,
starting at the current sp (see entry-armv.S #877-885).
Therefore the value already stored below sp (the parameter 'board') is 
overwritten, and the subsequent 'ldr r1, [fp, #-44]' (#15804) reads garbage.
So I think the stack pointer, sp, must be adjusted before anything is stored 
below it — in kernel mode there is no "red zone" below sp that an interrupt
handler will leave alone.
(The last listing, ixj.s2, was generated by Aplio's compiler and looks 
correct: it is a frameless prologue ('frame_needed = 0') that lowers sp
with 'sub sp, sp, #32' first and only then stores r0 at [sp, #28].
The broken listing, ixj.s, is the frame-pointer variant ('frame_needed = 1'),
where the spill is addressed relative to fp and emitted before sp is lowered.)
However, I don't know the internals of arm-uclinux-gcc well enough to say
where this comes from or how to fix it.
Please help me.

===== ixj.c 
=======================================================================
1235	static void ixj_timeout(unsigned long ptr)
1236	{
1237		int board;
...
1311				if (IsRxReady(board)) {
1312					ixj_read_frame(board);
1313				}
...
1476	}
...
3135	static void ixj_read_frame(int board)
3136	{
3137		int cnt, dly;
...
3140		if (j->read_buffer) {
=================================================================================


===== ixj.s 
=======================================================================
4769		.stabn 68,0,1312,.LM739-ixj_timeout
4770	.LM739:
4771		mov	r0, r7			<****** 'board' parameter
4772		bl	ixj_read_frame
...
15787		.align	2
15788	.stabs "ixj_read_frame:f(0,19)",36,0,3136,ixj_read_frame
15789	.stabs "board:p(0,1)",160,0,3135,-44
15790		.type	 ixj_read_frame,function
15791	ixj_read_frame:
15792		.stabn 68,0,3136,.LM2744-ixj_read_frame
15793	.LM2744:
15794		@ args = 0, pretend = 0, frame = 36
15795		@ frame_needed = 1, current_function_anonymous_args = 0
15796	.LBB220:
15797		mov	ip, sp			<****** 'sp'=0x1edd74
15798		stmdb	sp!, {r4, r5, r6, r7, r8, r9, sl, fp, ip, lr, pc}
		<****** after 'stmdb', 'sp'=0x1edd48
15799		sub	fp, ip, #4
15800		str	r0, [fp, #-44]		<****** 0x1edd70-44=0x1edd44('board')
15801		.stabn 68,0,3138,.LM2745-ixj_read_frame
15802	.LM2745:
15803		mov	r0, r0, asl #2		<****** STACK HAS BEEN CORRUPTED
15804		ldr	r1, [fp, #-44]		<****** STACK HAS BEEN CORRUPTED
							  if IRQ occurred
15805		.stabn 68,0,3136,.LM2746-ixj_read_frame
15806	.LM2746:
15807		sub	sp, sp, #36		<****** WRONG POSITION
...
15838		str	r3, [fp, #-60]
15839		mov	ip, r1
15840		str	r4, [fp, #-52]
15841		str	lr, [fp, #-56]
=================================================================================


===== entry-armv.S 
===============================================================
271	#define S_FRAME_SIZE	72
...
276	#define S_SP		52
...
376	vector_IRQ:	@
377			@ save mode specific registers
378			@
379			ldr	r13, LCirq
380			sub	lr, lr, #4
381			str	lr, [r13]			@ save lr_IRQ
382			mrs	lr, spsr
383			str	lr, [r13, #4]			@ save spsr_IRQ
384			@
385			@ now branch to the relevent MODE handling routine
386			@
387			mrs	sp, cpsr			@ switch to SVC mode
388			bic	sp, sp, #31
389			orr	sp, sp, #0x13
390			msr	spsr, sp
391			and	lr, lr, #15
392			cmp	lr, #4
393			addlts	pc, pc, lr, lsl #2		@ Changes mode and branches
			<****** AFTER 'addlts', 'sp'=0x1edd48. Why: 'addlts' has the 's' suffix with pc as
			       destination, so it also copies SPSR into CPSR. SPSR was set to SVC mode
			       at lines 387-390, so the CPU is now in SVC mode and 'sp' is the banked
			       sp_SVC, i.e. the sp of the interrupted ixj_read_frame (0x1edd48, see
			       "after 'stmdb'" above). The IRQ frame is therefore pushed onto that stack.
394			b	__irq_invalid			@  4 - 15
395			b	__irq_usr			@  0  (USR_26 / USR_32)
396			b	__irq_invalid			@  1  (FIQ_26 / FIQ_32)
397			b	__irq_invalid			@  2  (IRQ_26 / IRQ_32)
398			b	__irq_svc			@  3  (SVC_26 / SVC_32)
...
877	__irq_svc:	sub	sp, sp, #S_FRAME_SIZE
878			stmia	sp, {r0 - r12}			@ save r0 - r12
879			mov	r6, lr
880			mov	fp, #0
881			ldr	r7, [pc, #LCirq - . - 8]
882			ldmia	r7, {r7 - r9}
883			add	r5, sp, #S_FRAME_SIZE
884			add	r4, sp, #S_SP
885			stmia	r4, {r5, r6, r7, r8, r9}	@ save sp_SVC, lr_SVC, pc, cpsr, old_r0
			<****** AFTER 'stmia', 0x1edd44('board') HAS BEEN OVERLAPPED BY 'r9'
=================================================================================



===== ixj.s2 
======================================================================
	.align	2
.stabs "ixj_read_frame:f(0,20)",36,0,3136,ixj_read_frame
.stabs "board:p(0,1)",160,0,3135,28
	.type	 ixj_read_frame,function
ixj_read_frame:
	.stabn 68,0,3136,.LM2531-ixj_read_frame
.LM2531:
	@ args = 0, pretend = 0, frame = 32
	@ frame_needed = 0, current_function_anonymous_args = 0
.LBB205:
	stmfd	sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
	.stabn 68,0,3138,.LM2532-ixj_read_frame
.LM2532:
	mov	r1, r0, asl #2
	add	r3, r1, r0
	add	r3, r3, r3, asl #5
	.stabn 68,0,3136,.LM2533-ixj_read_frame
.LM2533:
	sub	sp, sp, #32				<****** RIGHT POSITION
	.stabn 68,0,3138,.LM2534-ixj_read_frame
.LM2534:
	add	r3, r0, r3, asl #1
	ldr	r2, .L1345
	.stabn 68,0,3136,.LM2535-ixj_read_frame
.LM2535:
	str	r0, [sp, #28]				<****** pushing data to stack
=================================================================================




CT Park,

Best Regards.





