[uClinux-dev] Fwd: NET+Lx, compiler bug, stability problem

박 찬택 urinara1 at hotmail.com
Thu Nov 15 08:25:48 EST 2001


>I'm sorry for resending this mail because all tabs were broken.
>---------------------------------------------------------------------------------

>Dear uClinux users.
>
>I'm using NET+Lx and porting some device driver.
>I found kernel stack corruption when an IRQ exception is taken inside a
>function prologue. I believe it is caused by a code-generation bug in the
>compiler (see the prologue of 'ixj_read_frame' below), not by the driver source.
>I traced the code with arm-elf-gdb and JEENI.
>The function 'ixj_timeout' is invoked periodically by kernel's timer 
service.
>And IRQ occurs by on-chip ethernet module.
>(I suspect this is also the cause of the known NET+Lx stability problem,
>i.e. the crashes seen when running the 'ps' (process status) command while
>the board is being flood-pinged: the IRQ in question comes from the on-chip
>Ethernet module, so whether the window is hit depends on incoming traffic.)
>
>When the function 'ixj_read_frame' is called, the 'board' parameter is
>passed in r0 (line #4771 of ixj.s).
>Within 'ixj_read_frame', r0 is then stored into its stack frame at
>[fp, #-44] (#15800). That address is BELOW the current sp, because the
>frame is not allocated until the 'sub sp, sp, #36' at #15807.
>If an IRQ occurs between #15800 and #15807, the IRQ handler (which runs
>on the same SVC stack, see entry-armv.S below) pushes its own register
>frame over that area, and the value stored at #15800 is overwritten.
>So the compiler must lower sp to reserve the frame before it stores
>anything into it: the kernel's IRQ entry reserves nothing below the
>interrupted sp, so any memory below sp can be clobbered at any instant.
>(The last listing (ixj.s2) was generated by Aplio's compiler. It looks
>correct: there the 'sub sp, sp, #32' comes before the 'str r0, [sp, #28]'
>that saves the parameter, so the slot is already inside the frame.)
>However, I don't know about the compiler, arm-uclinux-gcc.
>Please help me.
>
>
>===== ixj.c 
=====================================================================
>1235      static void ixj_timeout(unsigned long ptr)
>1236      {
>1237          int board;
>...
>1311                      if (IsRxReady(board)) {
>1312                          ixj_read_frame(board);
>1313                      }
>...
>1476      }
>...
>3135      static void ixj_read_frame(int board)
>3136      {
>3137          int cnt, dly;
>...
>3140          if (j->read_buffer) {
>=================================================================================

>
>===== ixj.s 
=====================================================================
>4769          .stabn 68,0,1312,.LM739-ixj_timeout
>4770      .LM739:
>4771          mov      r0, r7                   <****** 'board' parameter
>4772          bl       ixj_read_frame
>...
>15787         .align   2
>15788     .stabs "ixj_read_frame:f(0,19)",36,0,3136,ixj_read_frame
>15789     .stabs "board:p(0,1)",160,0,3135,-44
>15790         .type    ixj_read_frame,function
>15791     ixj_read_frame:
>15792         .stabn 68,0,3136,.LM2744-ixj_read_frame
>15793     .LM2744:
>15794         @ args = 0, pretend = 0, frame = 36
>15795         @ frame_needed = 1, current_function_anonymous_args = 0
>15796     .LBB220:
>15797         mov      ip, sp                   <****** 'sp'=0x1edd74
>15798         stmdb    sp!, {r4, r5, r6, r7, r8, r9, sl, fp, ip, lr, pc}
>              <****** after 'stmdb', 'sp'=0x1edd48
>15799         sub      fp, ip, #4
>15800         str      r0, [fp, #-44]           <****** 
0x1edd70-44=0x1edd44('board')
>15801         .stabn 68,0,3138,.LM2745-ixj_read_frame
>15802     .LM2745:
>15803         mov      r0, r0, asl #2           <****** STACK HAS BEEN 
CORRUPTED
>15804         ldr      r1, [fp, #-44]           <****** STACK HAS BEEN 
CORRUPTED
>                                                        if IRQ occurred
>15805         .stabn 68,0,3136,.LM2746-ixj_read_frame
>15806     .LM2746:
>15807         sub      sp, sp, #36               <****** WRONG POSITION
>...
>15838         str      r3, [fp, #-60]
>15839         mov      ip, r1
>15840         str      r4, [fp, #-52]
>15841         str      lr, [fp, #-56]
>=================================================================================

>
>===== entry-armv.S 
==============================================================
>271       #define S_FRAME_SIZE             72
>...
>276       #define S_SP               52
>...
>376       vector_IRQ:     @
>377                       @ save mode specific registers
>378                       @
>379                       ldr       r13, LCirq
>380                       sub       lr, lr, #4
>381                       str       lr, [r13]     @ save lr_IRQ
>382                       mrs       lr, spsr
>383                       str       lr, [r13, #4] @ save spsr_IRQ
>384                       @
>385                       @ now branch to the relevent MODE handling 
routine
>386                       @
>387                       mrs       sp, cpsr       @ switch to SVC mode
>388                       bic       sp, sp, #31
>389                       orr       sp, sp, #0x13
>390                       msr       spsr, sp
>391                       and       lr, lr, #15
>392                       cmp       lr, #4
>393                       addlts    pc, pc, lr, lsl #2              @ 
Changes mode and branches
>                          <****** AFTER 'addlts', 'sp'=0x1edd48, WHY?
>                                  (the 's' form with pc as destination also copies
>                                  spsr into cpsr; spsr was set to SVC mode at #387-390,
>                                  so sp is now the banked SVC sp -- the same stack
>                                  ixj_read_frame was running on, 0x1edd48 being the
>                                  sp left by the stmdb at #15798)
>394                       b         __irq_invalid    @  4 - 15
>395                       b         __irq_usr        @  0  (USR_26 / 
USR_32)
>396                       b         __irq_invalid    @  1  (FIQ_26 / 
FIQ_32)
>397                       b         __irq_invalid    @  2  (IRQ_26 / 
IRQ_32)
>398                       b         __irq_svc        @  3  (SVC_26 / 
SVC_32)
>...
>877      __irq_svc:       sub       sp, sp, #S_FRAME_SIZE
>878                       stmia     sp, {r0 - r12}   @ save r0 - r12
>879                       mov       r6, lr
>880                       mov       fp, #0
>881                       ldr       r7, [pc, #LCirq - . - 8]
>882                       ldmia     r7, {r7 - r9}
>883                       add       r5, sp, #S_FRAME_SIZE
>884                       add       r4, sp, #S_SP
>885                       stmia     r4, {r5, r6, r7, r8, r9}              
@ save sp_SVC, lr_SVC, pc, cpsr, old_ro
>                          <****** AFTER 'stmia', 0x1edd44('board') HAS 
BEEN OVERLAPPED BY 'r9'
>=================================================================================

>
>
>===== ixj.s2 
====================================================================
>              .align     2
>.stabs "ixj_read_frame:f(0,20)",36,0,3136,ixj_read_frame
>.stabs "board:p(0,1)",160,0,3135,28
>              .type      ixj_read_frame,function
>ixj_read_frame:
>              .stabn 68,0,3136,.LM2531-ixj_read_frame
>.LM2531:
>              @ args = 0, pretend = 0, frame = 32
>              @ frame_needed = 0, current_function_anonymous_args = 0
>.LBB205:
>              stmfd      sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
>              .stabn 68,0,3138,.LM2532-ixj_read_frame
>.LM2532:
>              mov        r1, r0, asl #2
>              add        r3, r1, r0
>              add        r3, r3, r3, asl #5
>              .stabn 68,0,3136,.LM2533-ixj_read_frame
>.LM2533:
>              sub        sp, sp, #32                 <****** RIGHT 
POSITION
>              .stabn 68,0,3138,.LM2534-ixj_read_frame
>.LM2534:
>              add        r3, r0, r3, asl #1
>              ldr        r2, .L1345
>              .stabn 68,0,3136,.LM2535-ixj_read_frame
>.LM2535:
>              str        r0, [sp, #28]               <****** pushing data 
to stack
>=================================================================================

>
>
>
>
>CT Park,
>
>Best regards
>





