Subject: kern/17149: userland program make sparc64 fall over
To: None <gnats-bugs@gnats.netbsd.org>
From: None <lha@stacken.kth.se>
List: netbsd-bugs
Date: 06/03/2002 02:40:13
>Number: 17149
>Category: kern
>Synopsis: userland program make sparc64 fall over
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 02 17:42:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Love
>Release: NetBSD 1.5ZC
>Organization:
>Environment:
System: NetBSD nutcracker.stacken.kth.se 1.5ZC NetBSD 1.5ZC (NUTCRACKER) #18: Wed May 29 13:16:51 CEST 2002 lha@nutcracker.stacken.kth.se:/usr/src/sys/arch/i386/compile/NUTCRACKER i386
Architecture: i386
Machine: i386
>Description:
arla is a afs implementation that uses a package called lwp
for context switching. since I got/stole/borrowed a UltraSparc
I thought I should try it out.
Now we didn't support the sparcv6 for netbsd (just linux and
solaris), so it should be a simple hack to make it support
netbsd too.
The code we inherited did wrong, for example, it alligns the stack to
the wrong boundery (linux program never noticed since they ran in 32
bit mode, at least when it tried it 2 years ago). Now I'm a losy
assembler programmer and did wrong, and to wrongs doesn't to one
right.
So,
# pwd
/sources/arla-obj
# cd lwp
# ./testlwp
usage: ./testlwp cmd ...
Where cmd is one of:
pc Producer Consumer test
sleep Sleeptest
selectconsumer Select consumer
selectproducer (special case, just print a string on stdout repeatally)
cancel Test iomgr cancel
deadlock-write deadlockdetection
deadlock-read deadlockdetection
deadlock-read2 deadlockdetection
overrun-stack over run the stack
underrun-stack under run the stack
version Print version
Use several of these tests together to test their interopability
# ./testlwp pc
starting LWkdb breakpoint at 10086bc
1 tt=30 tstate=4411080405 tpc=0x1001498 tnpc=0x100149c
2 tt=30 tstate=82000603 tpc=0x1298d30 tnpc=0x1298d34
Stopped in pid 272 (testlwp) at winfixspill+0x1c8: nop
db> trace
end(trap type 0x34: pc=100ab30 npc=100ab34 pstate=800016<PEF,PRIV,IE>
kernel trap 34: mem address not aligned
Type 'go' to resume
ok go
Faulted in DDB; continuing...
db> reboot 100
syncing disks... P support
startin9 g I8 OMGR support
3 done
Frame pointer is at 0x1c08e01
Call traceback:
12b9ba4(0, 1, 1819400, 180c800, 1839e00, 180c800, 1c08ec1) fp = 1c08ec1
1136c34(100, 0, 1839de0, 1839c00, 13413e0, 187a800, 1c08f81) fp = 1c08f81
1136890(10086c0, 0, ffffffffffffffff, 1c09920, 1136bec, 187a960, 1c09051) fp = 1c09051
11363c8(180c9a8, 0, 1, f, f005b2f8, 0, 1c091b1) fp = 1c091b1
113ad24(10086c0, 10086c0, 187a800, 90d5c20, 1298d30, 1298d34, 1c09291) fp = 1c09291
12c47c4(0, 0, 0, 0, 30, 1298d34, 1c09361) fp = 1c09361
12c1c9c(101, 1c09e20, 90d5e6b, 0, 4002d, 0, 1c09421) fp = 1c09421
1008e40(1c09e20, 101, 10086bc, 140414, 1066f8, 0, 1c09571) fp = 1c09571
107248(18050e8, 6, 7, 0, 1093c0, 2095a0, 1c09751) fp = 1c09751
40203654(40210000, 2d0, 2d0, 3c, 0, 0, 40230a2f) fp = 40230a2f
dumping to dev 7,9 offset 262253
dump starting dump, blkno 262256
panic: dma0: cannot allocate DVMA address
kdb breakpoint at 12c4954
Stopped in pid 272 (testlwp) at cpu_Debugger+0x4: nop
The interesting functions are savecontext() and return returnto(),
but its not there the crash is going to happen, it happens later.
(gdb) file testlwp
Reading symbols from testlwp...done.
(gdb) disas savecontext
Dump of assembler code for function savecontext:
0x105b00 <savecontext>: save %sp, -192, %sp
0x105b04 <savecontext+4>: ta 3
0x105b08 <savecontext+8>: sethi %hi(0), %l0
0x105b0c <savecontext+12>: mov %l0, %l0 ! 0x0
0x105b10 <savecontext+16>: sethi %hi(0x209400), %g1
0x105b14 <savecontext+20>: or %g1, 0x1b0, %g1 ! 0x2095b0 <PRE_Block>
0x105b18 <savecontext+24>: sllx %l0, 0x20, %l0
0x105b1c <savecontext+28>: or %l0, %g1, %l0
0x105b20 <savecontext+32>: mov 1, %l1
0x105b24 <savecontext+36>: stb %l1, [ %l0 ]
0x105b28 <savecontext+40>: stx %fp, [ %i1 ]
0x105b2c <savecontext+44>: stx %g1, [ %i1 + 8 ]
0x105b30 <savecontext+48>: stx %g2, [ %i1 + 0x10 ]
0x105b34 <savecontext+52>: stx %g3, [ %i1 + 0x18 ]
0x105b38 <savecontext+56>: stx %g4, [ %i1 + 0x20 ]
0x105b3c <savecontext+60>: stx %g5, [ %i1 + 0x28 ]
0x105b40 <savecontext+64>: stx %g6, [ %i1 + 0x30 ]
0x105b44 <savecontext+68>: stx %g7, [ %i1 + 0x38 ]
0x105b48 <savecontext+72>: rd %y, %g1
0x105b4c <savecontext+76>: stx %g1, [ %i1 + 0x40 ]
0x105b50 <savecontext+80>: cmp %i2, 0
0x105b54 <savecontext+84>: be,a 0x105b70 <L1>
0x105b58 <savecontext+88>: nop
0x105b5c <savecontext+92>: restore
0x105b60 <savecontext+96>: add %o2, 7, %o2
0x105b64 <savecontext+100>: and %o2, -8, %o2
0x105b68 <savecontext+104>: call %o0
0x105b6c <savecontext+108>: sub %o2, 0xc1, %sp
End of assembler dump.
(gdb) disas returnto
Dump of assembler code for function returnto:
0x105b78 <returnto>: ta 3
0x105b7c <returnto+4>: ldx [ %o0 ], %g1
0x105b80 <returnto+8>: sub %g1, 0xc0, %fp
0x105b84 <returnto+12>: sub %fp, 0xc0, %sp
0x105b88 <returnto+16>: ldx [ %o0 + 0x40 ], %g1
0x105b8c <returnto+20>: mov %g1, %y
0x105b90 <returnto+24>: ldx [ %o0 + 8 ], %g1
0x105b94 <returnto+28>: ldx [ %o0 + 0x10 ], %g2
0x105b98 <returnto+32>: ldx [ %o0 + 0x18 ], %g3
0x105b9c <returnto+36>: ldx [ %o0 + 0x20 ], %g4
0x105ba0 <returnto+40>: ldx [ %o0 + 0x28 ], %g5
0x105ba4 <returnto+44>: ldx [ %o0 + 0x30 ], %g6
0x105ba8 <returnto+48>: ldx [ %o0 + 0x38 ], %g7
0x105bac <returnto+52>: sethi %hi(0), %l0
0x105bb0 <returnto+56>: mov %l0, %l0 ! 0x0
0x105bb4 <returnto+60>: sethi %hi(0x209400), %g1
0x105bb8 <returnto+64>: or %g1, 0x1b0, %g1 ! 0x2095b0 <PRE_Block>
0x105bbc <returnto+68>: sllx %l0, 0x20, %l0
0x105bc0 <returnto+72>: or %l0, %g1, %l0
0x105bc4 <returnto+76>: clr %l1
0x105bc8 <returnto+80>: stb %l1, [ %l0 ]
0x105bcc <returnto+84>: restore
0x105bd0 <returnto+88>: restore
0x105bd4 <returnto+92>: retl
0x105bd8 <returnto+96>: nop
End of assembler dump.
It started to crash when I changed
0x105b6c <savecontext+108>: sub %o2, 0xc0, %sp
to
0x105b6c <savecontext+108>: sub %o2, 0xc1, %sp
db> ps
PID PPID PGRP UID S FLAGS COMMAND WAIT
>218 216 218 0 7 0x5806 testlwp
216 210 216 0 3 0x4086 gdb wait
210 1 210 0 3 0x4086 csh pause
203 1 203 0 3 0x84 inetd pause
194 1 194 0 3 0x84 sshd select
132 1 132 0 3 0x84 mount_mfs mfsidl
102 1 102 0 2 0x84 syslogd
85 1 85 0 3 0x84 dhclient select
6 0 0 0 3 0x20204 aiodoned aiodone
5 0 0 0 3 0x20204 ioflush syncer
4 0 0 0 3 0x20204 reaper reaper
3 0 0 0 3 0x20204 pagedaemon pgdaemo
2 0 0 0 3 0x20204 scsibus0 sccomp
1 0 1 0 3 0x4084 init wait
0 -1 0 0 3 0x20204 swapper schedul
db> trace/t 0t218
trace: pid 218 at 0x92dd331
issignal(5, 5, 0, 9982008206, 0, 90d5de0) at issignal+0x198
trap(92dded0, 1874800, 105b08, 1899400, 0, 0) at trap+0x6e4
Lslowtrap_reenter(1, 2, 20, 22210b, ffffffffffffffff, 0) at Lslowtrap_reenter+0x
70
db> c
panic: winfault: double invalid window at 0x3ff, nsaved=7
kdb breakpoint at 12c4954
1 tt=30 tstate=4411080403 tpc=0x1001498 tnpc=0x100149c
2 tt=30 tstate=82000601 tpc=0x1298d30 tnpc=0x1298d34
Stopped in pid 218 (testlwp) at cpu_Debugger+0x4: nop
db> c
syncing disks...
SIR Reset
Watchdog Reset, Rebooting.
Resetting ...
I'll keep my build/source-tree for a couple of days (and after
that until I run out of diskspace).
>How-To-Repeat:
ftp http://www.e.kth.se/~lha/testlwp
chmod +x testlwp
./testlwp pc
>Fix:
Dunno
>Release-Note:
>Audit-Trail:
>Unformatted: