[uClinux-dev] kernel crashes with scheduler run queue corrupted when doing malloc
Bin Liu
liubinw at gmail.com
Fri Nov 2 09:30:46 EST 2007
Hi,
I am running linux-2.4.17 on a coldfire-5272 custom board; the tool chain is m68k-elf-tools-20030314 downloaded from
http://www.uclinux.org/ports/coldfire/source.html, with uClibc 0.9.19.
Since I was getting node crashes when allocating memory, I made a very simple test program as below:
#include <stdio.h>
#include <stdlib.h>

#define M_ARRAY_LENGTH 10

int main(void)
{
    char *p[M_ARRAY_LENGTH];
    int i, n, mlength;

    /* allocate 64k, 128k, ... 640k; the post reports the crash at i=4 (320k) */
    for (n = 0; n < M_ARRAY_LENGTH; ++n) {
        mlength = (n + 1) * 0x10000;
        p[n] = malloc(mlength);
        if (p[n] == NULL) {
            fprintf(stderr, "malloc(%d) failed at i=%d\n", mlength, n);
            break;
        }
    }
    /* free only the blocks that were actually allocated */
    for (i = 0; i < n; ++i)
        free(p[i]);
    return 0;
}
When running this application, it crashes the system consistently with the printouts as below (when i=4, trying to allocate 320k of memory):
bad frame format: 00000000
PC: [<40008f94>]
SR: 2700 SP: 40db1f6c a2: 40330000
d0: 00000010 d1: ffffffff d2: 00000000 d3: 40357290
d4: 00000000 d5: 400d8f38 a0: ffffffc4 a1: 00000000
Process myapp (pid: 37, stackpage=40db1000)
Frame format=4 Stack from 40db1fa8:
00000000 40d36774 403bffac 403bfda0 40d646e4 40d7ff38 00000000 40d7fe94
400066cc 40d7feac 00000021 00000000 00000000 40d36774 00000000 00000002
40d646e4 40b00000 0000005a 00000000 40800000 40d373d2
Call Trace:
[<400066cc>]
Code: c0a8 0028 662e 4aa8 0028 661e 2228 0020 6722 b6a8
The interesting thing is that when I ran the same program with a BDM debugger (single-step) connected, it ran just fine. The board has enough memory (16M total with around 10M free).
With the debugger removed and some print text added, I found the crash point is after uClibc/libc/stdlib/malloc/malloc.c: malloc_from_heap() calls the mmap() system call. Inside the kernel, linux-2.4.x/arch/m68knommu/kernel/sys_m68k.c: old_mmap() successfully allocated the memory (320k) and returned; then it goes to linux-2.4.x/kernel/schedule(), and the crash happens in this couple of lines:
list_for_each(tmp, &runqueue_head) {
    p = list_entry(tmp, struct task_struct, run_list); <------ this is the corrupted pointer: a0=ffffffc4
    if (can_schedule(p, this_cpu)) {
        int weight = goodness(p, this_cpu, prev->active_mm);
        if (weight > c)
            c = weight, next = p;
    }
}
The task pointer p is corrupted. First of all, the task queue pointer "tmp" gets the NULL (0) value. If I add a line just before getting the p pointer like this: if(!tmp) break; then the crash point goes somewhere else; it seems the system is just not right at this point.
Any idea what could be wrong with my system? What is the difference between connecting to the BDM debugger and not connecting?
Thanks a lot,
Bin
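The loop quoted above walks the run queue with no check that each link is still sane, which is why a single clobbered next pointer turns into a fault inside schedule(). The following is an added example, not code from the post, from uClinux or from the 2.4 kernel tree: a userspace model of that list_for_each walk with the link checks a list-debugging build performs (cur->prev must point back at prev, prev->next must point at cur, and the pointer must be neither NULL nor a poison value). It runs over a constructed three-task queue, once healthy and twice with a deliberately broken link, and reports which link failed instead of dereferencing it. The struct layout, the poison constant and the weight values are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly linked list shaped like the 2.4 kernel's struct list_head.
 * Userspace model written for this example; not the kernel's code. */
struct list_head {
    struct list_head *next, *prev;
};

/* Assumed poison value a debug build would write into unlinked nodes. */
#define LIST_POISON ((struct list_head *)0xdeadbeef)

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct task {
    int pid;
    int weight;                 /* stands in for goodness() */
    struct list_head run_list;
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *node, struct list_head *head)
{
    struct list_head *last = head->prev;
    node->next = head;
    node->prev = last;
    last->next = node;
    head->prev = node;
}

/* Check one link before it is dereferenced. Returns 0 if sane, otherwise
 * 1 = cur is NULL or poisoned, 2 = cur->prev does not point back at prev,
 * 3 = prev->next does not point at cur. */
static int list_link_bad(const struct list_head *prev, const struct list_head *cur)
{
    if (cur == NULL || cur == LIST_POISON)
        return 1;
    if (cur->prev != prev)
        return 2;
    if (prev->next != cur)
        return 3;
    return 0;
}

static int g_err;                       /* reason code from the last walk */
int last_error(void) { return g_err; }

/* Walk the queue the way schedule()'s loop does, but stop on the first bad
 * link. Returns the pid of the best-weighted task, or -1 if aborted. */
static int pick_next(struct list_head *runqueue_head)
{
    struct list_head *prev = runqueue_head;
    struct list_head *tmp = runqueue_head->next;
    int c = -1000, next = -1;

    g_err = 0;
    while (tmp != runqueue_head) {
        const struct task *p;
        g_err = list_link_bad(prev, tmp);
        if (g_err)
            return -1;
        p = list_entry(tmp, struct task, run_list);
        if (p->weight > c) {
            c = p->weight;
            next = p->pid;
        }
        prev = tmp;
        tmp = tmp->next;
    }
    return next;
}

/* Constructed scenario: three tasks, pid 10..12, pid 11 has the best weight. */
static struct task tasks[3];
static struct list_head runqueue_head;

static void build_queue(void)
{
    int i;
    list_init(&runqueue_head);
    for (i = 0; i < 3; i++) {
        tasks[i].pid = 10 + i;
        tasks[i].weight = (i == 1) ? 20 : 5;
        list_add_tail(&tasks[i].run_list, &runqueue_head);
    }
}

int pick_healthy(void) { build_queue(); return pick_next(&runqueue_head); }

/* The corruption the post describes: tmp becomes NULL part way through. */
int pick_with_null_link(void)
{
    build_queue();
    tasks[1].run_list.next = NULL;
    return pick_next(&runqueue_head);
}

/* Forward pointers look fine but a back pointer disagrees: only the
 * prev check catches this before a later walk goes wrong. */
int pick_with_back_pointer_mismatch(void)
{
    build_queue();
    tasks[2].run_list.prev = &runqueue_head;
    return pick_next(&runqueue_head);
}

int main(void)
{
    int r;
    printf("healthy queue picks pid %d\n", pick_healthy());
    r = pick_with_null_link();
    printf("NULL link: result %d, reason %d\n", r, last_error());
    r = pick_with_back_pointer_mismatch();
    printf("bad back pointer: result %d, reason %d\n", r, last_error());
    return 0;
}
```

A check like this only turns a silent fault into a diagnosed one: it reports which link was bad and stops the walk, the same thing the poster's `if(!tmp) break;` does for the NULL case, but it still does not say who overwrote run_list. On a nommu board the write that clobbered the queue can come from anything with a stray pointer, so the next step is still to find the writer, for example by checking whether the corruption appears right after the mmap() that the post identifies as the last successful call.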