Re: Wild Pointer!!!! ( some more info )

Re: Wild Pointer!!!! ( some more info )

[Paul Mackerras]

Kalyan writes:

>           I recently ported the linux kernel v 2.4.11-pre5  to MDPPro (
>   MPC860T processor ) board..the kernel dies with an Oops and everytime at a
>   different place.... i have taken the code from bitkeeper

The linuxppc_2_4 tree or the linuxppc_2_4_devel tree?  Have you made
local changes?  If so what are they?

>   Call backtrace:
>   C0014538 C0012314 C00121D4 C0011E14 C0003FAC C00026E0 C0003CF0
>   C0003D04 C0002270 C00FC744 C0002138

Have you looked up these addresses in System.map?  That could be
enlightening.

Paul.

** Sent via the linuxppc-dev mail list. See http://lists.linuxppc.org/

Re: Wild Pointer!!!! ( some more info )

[Wolfgang Denk]

In message <15316.1504.603255.831736@cargo.ozlabs.ibm.com> you wrote:
>
> >           I recently ported the linux kernel v 2.4.11-pre5  to MDPPro (
> >   MPC860T processor ) board..the kernel dies with an Oops and everytime at a
> >   different place.... i have taken the code from bitkeeper
>
> The linuxppc_2_4 tree or the linuxppc_2_4_devel tree?  Have you made
> local changes?  If so what are they?

I see similar effects from linuxppc_2_4_devel (CS 1.592); I've traced
a few of them down;  they  are  "strange"  -  usually  it's  a  store
operation into a normal variable in BSS.

One example - this is on a custom MPC823-E system; I,m running  older
kernel versions on it without problems.

...
Linux version 2.4.13-pre5 (wd@denx.denx.de) (gcc version 2.95.3 20010315 (release/MontaVista)) #1 Mon Oct 22 15:05:53 MEST 2001
...
lcd823.c[667] call register_framebuffer()
fbmem.c[719]: register_framebuffer ENTER
fbmem.c[728]: register FB#0 max=32 [struct @ c0188900]
Oops: kernel access of bad area, sig: 11
NIP: C00ADC80 XER: C000247F LR: C00ADC7C SP: C0235F30 REGS: c0235e80 TRAP: 0300    Not tainted
MSR: 00009032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
DAR: C0188900, DSISR: 82000000
TASK = c0234000[1] 'swapper' Last syscall: 120
last math 00000000 last altivec 00000000
GPR00: C00ADC7C C0235F30 C0234000 00000039 00001032 00000001 00000030 00000039
GPR08: FFFFFFFF C0160000 00000654 C0235E60 C02281D0 00000000 00FE0A00 007FFF00
GPR16: FFFFFFFF 00FD9DCC 00000000 00F9F3F8 00000001 00F9F7C0 00F9F3F8 00FE1564
GPR24: C0130000 C0130000 C018D8E8 00000000 C0130000 C0188900 C0130000 00000000
Call backtrace:
C00ADC7C C015EE84 C015CE34 C01597E4 C015471C C015476C C00022B4
C0004BD4

...
Reading symbols from System.map
C00ADC7C C015EE84 C015CE34 C01597E4 C015471C C015476C C00022B4
C0004BD4
0xc00adc7c -- 0xc00adbbc + 0x00c0   register_framebuffer
0xc015ee84 -- 0xc015ed20 + 0x0164   lcd823_init
0xc015ce34 -- 0xc015cd50 + 0x00e4   fbmem_init
0xc01597e4 -- 0xc0159798 + 0x004c   chr_dev_init
0xc015471c -- 0xc01546f4 + 0x0028   do_initcalls
0xc015476c -- 0xc0154744 + 0x0028   do_basic_setup
0xc00022b4 -- 0xc00022a0 + 0x0014   init
0xc0004bd4 -- 0xc0004ba8 + 0x002c   kernel_thread

-> grep registered_fb System.map
...
c0166498 B num_registered_fb
c0188900 B registered_fb



>From "drivers/video/fbmem.c":
    319
    320 struct fb_info *registered_fb[FB_MAX];
    321 int num_registered_fb;
    322 extern int fbcon_softback_size;
    ...
    727         fb_info->node = MKDEV(FB_MAJOR, i);
    728 printk("%s[%d]: register FB#%d max=%d [struct @ %p]\n",__FILE__,__LINE__,i,FB_MAX,&registered_fb[i]);
    729
    730         registered_fb[i] = fb_info;
    731
    732 printk("%s[%d]\n",__FILE__,__LINE__);
    ...

As you can see it crashes when trying to store the info pointer  into
registered_fb[0]  (line  #  730)  -  the debug messages and the crash
(with DAR pointing to C0188900 = address of registered_fb) are clean,
but I don't know (yet) WHY this happens.

In other cases (without frambuffer driver) the kernel boots,  but  is
not stable; for instance:

...
INIT: version 2.78 booting
Activating swap...
Checking all file systems...
Parallelizing fsck version 1.19 (13-Jul-2000)
Oops: Kernel Mode Software FPU Emulation, sig: 8
NIP: C01370CC XER: 00000000 LR: C004C22C SP: C0D05EF0 REGS: c0d05e40 TRAP: 1000    Not tainted
MSR: 00009032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c0d04000[32] 'mount' Last syscall: 21
last math 00000000 last altivec 00000000
GPR00: 00000100 C0D05EF0 C0D04000 C0C9B000 10020FF4 00000000 C0C9BE8C 00000000
GPR08: 00000000 00000000 00000000 00000004 44000088 10026370 00000000 00000000
GPR16: 7FFFFC6C 7FFFFC68 10020000 00000000 00009032 00D05F40 00000000 C00026E8
GPR24: C0002460 10020110 7FFFFEB3 C0D05F18 C0C9B000 44000088 10020168 00001000
Call backtrace:
C004C1C8 C004C494 C00024BC FFFFFFFF 10002604 10003148 10003DD0
10004BA0 0FED9DBC 00000000
/etc/init.d/rcS: line 34:    32 Floating point exceptionmount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE}
Mounting local filesystems...
not mounted anything
...
MontaVista Software's Hard Hat Linux 2.0

fast login: root
root@fast:~# mount -t devpts devpts /dev/pts
Oops: Kernel Mode Software FPU Emulation, sig: 8
NIP: C01370CC XER: 00000000 LR: C004C22C SP: C0AE3EF0 REGS: c0ae3e40 TRAP: 1000    Not tainted
MSR: 00009032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c0ae2000[78] 'mount' Last syscall: 21
last math 00000000 last altivec 00000000
GPR00: 00000100 C0AE3EF0 C0AE2000 C0ABF000 10020FFC 00000000 C0ABFE7C 00000000
GPR08: 00000000 00000000 00000000 00000004 44000080 10026370 00000000 00000000
GPR16: 7FFFFC5C 7FFFFC58 10020000 00000000 00009032 00AE3F40 00000000 C00026E8
GPR24: C0002460 10020140 7FFFFE97 C0AE3F18 C0ABF000 44000080 10020180 00001000
Call backtrace:
C004C1C8 C004C494 C00024BC FFFFFFFF 10002604 10003148 10003DD0
10004BA0 0FED9DBC 00000000
Floating point exception

-> backtrace
Reading symbols from System.map
C004C1C8 C004C494 C00024BC
0xc004c1c8 -- 0xc004c190 + 0x0038   copy_mount_options
0xc004c494 -- 0xc004c468 + 0x002c   sys_mount
0xc00024bc -- 0xc00024bc + 0x0000   ret_from_syscall_1

C004C1C8 C004C494 C00024BC
0xc004c1c8 -- 0xc004c190 + 0x0038   copy_mount_options
0xc004c494 -- 0xc004c468 + 0x002c   sys_mount
0xc00024bc -- 0xc00024bc + 0x0000   ret_from_syscall_1



Also, I notice other strange things, for  instance  that  GDB  is  no
longer able to read the kernel images:

-> ppc_8xx-gdb vmlinux
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=powerpc-hardhat-linux"...Segmentation fault (core dumped)

-> powerpc-linux-gdb vmlinux
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=powerpc-linux"...Segmentation fault (core dumped)

-> powerpc-linux-gdb.OLD vmlinux
GNU gdb 4.17.0.11 with Linux support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=powerpc-linux"...Segmentation fault (core dumped)


Hope this helps.

Wolfgang Denk

--
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-4596-87  Fax: (+49)-8142-4596-88  Email: wd@denx.de
Our management frequently gets lost in thought.   That's because it's
unfamiliar territory.

** Sent via the linuxppc-dev mail list. See http://lists.linuxppc.org/

Re: Wild Pointer!!!! ( some more info )

[Wolfgang Denk]

In message <20011022101239.K4933@cpe-24-221-152-185.az.sprintbbd.net> you wrote:
>
> > I see similar effects from linuxppc_2_4_devel (CS 1.592); I've traced
> > a few of them down;  they  are  "strange"  -  usually  it's  a  store
> > operation into a normal variable in BSS.
>
> Can you try 2_4 ?

Did so, cs-1.438 to be precise. It's the same, at least for the  860P
board I tested it on:

...
root@vl:~# mount -t devpts devpts /dev/pts
Oops: Kernel Mode Software FPU Emulation, sig: 8
NIP: C01293FC XER: 00000000 LR: C004CFAC SP: C0AFDEF0 REGS: c0afde40 TRAP: 1000    Not tainted
MSR: 00009032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c0afc000[78] 'mount' Last syscall: 21
last math 00000000 last altivec 00000000
GPR00: 00000100 C0AFDEF0 C0AFC000 C0AD9000 10020FF4 00000000 C0AD9E7C 00000000
GPR08: 00000000 00000000 00000000 00000004 44000088 10026370 00000000 00000000
GPR16: 7FFFFC5C 7FFFFC58 10020000 00000000 00009032 00AFDF40 00000000 C00026E8
GPR24: C0002460 10020138 7FFFFE99 C0AFDF18 C0AD9000 44000088 10020178 00001000
Call backtrace:
C004CF48 C004D214 C00024BC FFFFFFFF 10002604 10003148 10003DD0
10004BA0 0FED9DBC 00000000
Floating point exception

0xc004cf48 -- 0xc004cf10 + 0x0038   copy_mount_options
0xc004d214 -- 0xc004d1e8 + 0x002c   sys_mount
0xc00024bc -- 0xc00024bc + 0x0000   ret_from_syscall_1

Exactly the same place.

But at least GDB can load the vmlinux file...

Wolfgang Denk

--
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-4596-87  Fax: (+49)-8142-4596-88  Email: wd@denx.de
One possible reason that things aren't going  according  to  plan  is
that there never was a plan in the first place.

** Sent via the linuxppc-dev mail list. See http://lists.linuxppc.org/

Re: Wild Pointer!!!! ( some more info )

[Kalyan]

hi ,
            after my failed attempts at 2.4.11 -pre 5 ...i decide to try
2.4.12.. ( from kernel.org.)...
            i still get random crashes... i am attaching one below...

Cruise> bootm
## Booting image at 00100000 ...
   Image Name:   kalyan
   Image Type:   PowerPC Linux Kernel Image (gzip compressed)
   Data Size:    541440 Bytes = 528 kB = 0 MB
   Load Address: 00000000
   Entry Point:  00000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Linux version 2.4.12 (kalyand@rtlinux.cruise) (gcc version 2.95.3 20010315
(rele
ase)) #13 Sat Oct 27 13:01:59 IST 2001
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/nfs rw
nfsroot=192.168.200.244:/tftpboot/diskonch
ip nfsaddrs=192.168.200.36:192.168.200.244
Decrementer Frequency = 187500000/60
Calibrating delay loop... 49.66 BogoMIPS
Memory: 14668k available (1008k kernel code, 368k data, 56k init, 0k
highmem)
Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Starting kswapd
devfs: v0.119 (20011009) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x0
CPM UART driver version 0.03
ttyS00 at 0x0280 is a SMC
pty: 256 Unix98 ptys configured
block: 64 slots per queue, batch=8
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Oops: kernel access of bad area, sig: 11
NIP: 74757950 XER: 2000FF28 LR: C0012AD8 SP: C01FBDA0 REGS: c01fbcf0 TRAP:
0400
   Not tainted
MSR: 08209032 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c01fa000[1] 'swapper' Last syscall: 120
last math 00000000 last altivec 00000000
GPR00: 74757953 C01FBDA0 C01FA000 00000000 00001032 00000001 00000000
C0004850
GPR08: 00000028 C0149B00 00000000 00000000 0000000D 1EE60200 00FFC700
007FFF65
GPR16: 00000000 00000001 007FFF00 FFFFFFFF 00001032 001FBE20 00000000
C0002980
GPR24: C0004038 00FFBAA4 C0133770 00000000 C0150000 00000001 00000000
C0149880
Call backtrace:
53545556 C0012998 C00125D8 C000424C C0002980 C000F7F4 C013AF8C
C013AC2C C013AC54 C01347D0 C0134818 C000255C C0004DF0
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
 <0>Rebooting in 180 seconds..


Heres a part of the system.map
c0012550 T do_softirq
c0012550 t Letext        ------------? i still do not understand this...how
come  two entries have the same address
c0012650 T raise_softirq
c00126d4 T open_softirq
c00126f0 T __tasklet_schedule
c0012784 T __tasklet_hi_schedule
c0012818 t tasklet_action
c00128f8 t tasklet_hi_action
c00129d8 T tasklet_init
c00129f4 T tasklet_kill



C0012998 ->falls in the range of tasklet_hi_action
what is interesting is the NIP...it is 74757950  ...and
how can this be possible???? can i supect stack problems here?????


thanx in advance
_kalyan.

Re: Wild Pointer!!!! ( some more info )

[Dan Malek]

Kalyan wrote:

> hi ,
>             after my failed attempts at 2.4.11 -pre 5 ...i decide to try
> 2.4.12.. ( from kernel.org.)...


What was the last kernel version that worked on this board?

> how can this be possible???? can i supect stack problems here?????

Anything is possible :-).  It could be an improperly initialized
data structure that contains an indirect function pointer, too.


	-- Dan