From: Helge Deller <deller@gmx.de>
To: John David Anglin <dave@hiauly1.hia.nrc.ca>
Cc: Carlos O'Donell <carlos@systemhalted.org>,
dave.anglin@nrc-cnrc.gc.ca, linux-parisc@vger.kernel.org
Subject: Re: Random memory corruption with 64-bit SMP 2.6.30-rc4
Date: Tue, 05 May 2009 09:26:50 +0200
Message-ID: <49FFEA3A.4080902@gmx.de>
In-Reply-To: <20090505021307.181C64EE8@hiauly1.hia.nrc.ca>
John David Anglin wrote:
>> Could you run the entire build with LD_BIND_NOW=1 set? Does it crash
>> anywhere else?
>
> Got a lot further but bash SEGV'd again:
>
> Program terminated with signal 11, Segmentation fault.
> [New process 14746]
> #0 0x00035ba4 in close_fd_bitmap ()
> (gdb) bt
> #0 0x00035ba4 in close_fd_bitmap ()
> #1 0x00039d08 in ?? ()
> #2 0x000373b8 in execute_command_internal ()
> #3 0x00036d3c in ?? ()
> #4 0x000382a4 in execute_command_internal ()
> #5 0x00073a68 in parse_and_execute ()
> #6 0x0004d840 in command_substitute ()
> #7 0x00051e14 in ?? ()
> #8 0x00053320 in ?? ()
> #9 0x00056fa8 in expand_string_assignment ()
> #10 0x00050f44 in ?? ()
> #11 0x000512fc in ?? ()
> #12 0x00053278 in ?? ()
> #13 0x0003a0a4 in ?? ()
> #14 0x000373b8 in execute_command_internal ()
> #15 0x00038638 in execute_command ()
> #16 0x00038310 in execute_command_internal ()
> #17 0x00073a68 in parse_and_execute ()
> #18 0x00025a1c in ?? ()
> #19 0x000269a8 in main ()
>
> Restarting, and it crashed again:
>
> Core was generated by `/bin/sh ./libtool --tag=CXX --mode=compile /home/dave/gnu/gcc/objdir/./gcc/xgcc'.
> Program terminated with signal 11, Segmentation fault.
> [New process 32486]
> #0 0x00000000 in ?? ()
> (gdb) bt
> #0 0x00000000 in ?? ()
> #1 0x000ab3dc in ?? ()
> #2 0x0006e930 in sh_xmalloc ()
> #3 0x0004995c in stop_pipeline ()
> #4 0x00037cec in execute_command_internal ()
> #5 0x00038638 in execute_command ()
> #6 0x00038310 in execute_command_internal ()
> #7 0x00037a60 in execute_command_internal ()
> #8 0x00038638 in execute_command ()
> #9 0x000374c4 in execute_command_internal ()
> #10 0x00037a60 in execute_command_internal ()
> #11 0x00037a60 in execute_command_internal ()
> #12 0x000395f8 in ?? ()
> #13 0x0003a85c in ?? ()
> #14 0x000373b8 in execute_command_internal ()
> #15 0x00038638 in execute_command ()
> #16 0x00038310 in execute_command_internal ()
> #17 0x00037a60 in execute_command_internal ()
> #18 0x00038638 in execute_command ()
> #19 0x000374c4 in execute_command_internal ()
> #20 0x00037a60 in execute_command_internal ()
> #21 0x00038638 in execute_command ()
> #22 0x00038310 in execute_command_internal ()
> ---Type <return> to continue, or q <return> to quit---
> #23 0x00037a60 in execute_command_internal ()
> #24 0x000395f8 in ?? ()
> #25 0x0003a85c in ?? ()
> #26 0x000373b8 in execute_command_internal ()
> #27 0x00038638 in execute_command ()
> #28 0x000374c4 in execute_command_internal ()
> #29 0x00037a60 in execute_command_internal ()
> #30 0x00038638 in execute_command ()
> #31 0x000374c4 in execute_command_internal ()
> #32 0x00038638 in execute_command ()
> #33 0x000279c8 in reader_loop ()
> #34 0x0002751c in main
> For this
> (gdb) frame 1
> #1 0x000ab3dc in ()
> (gdb) disass 0x000ab3cc 0x000ab3ec
> Dump of assembler code from 0xab3cc to 0xab3ec:
> 0x000ab3cc: stw ret0,1c8(r8)
> 0x000ab3d0: copy r5,r26
> 0x000ab3d4: b,l 0x798d0,rp
> 0x000ab3d8: ldi df,r25
> 0x000ab3dc: b,l 0xab188,r0
> 0x000ab3e0: copy r3,ret0
> 0x000ab3e4: ldi -21,ret0
> 0x000ab3e8: stb ret0,0(r22)
> End of assembler dump
> (gdb) p/x $rp
> $1 = 0xab3df
> (gdb) disass 0x798d0 0x798e0
> Dump of assembler code from 0x798d0 to 0x798e0:
> 0x000798d0: addil L%5000,dp,r1
> 0x000798d4: ldw 524(r1),r21
> 0x000798d8: bv r0(r21)
> 0x000798dc: ldw 528(r1),r19
> End of assembler dump.
> (gdb) p/x $dp
> $2 = 0xca1c8
> (gdb) p/x $r1
> $3 = 0xcf1c8
> (gdb) p/x $r21
> $4 = 0x0
> (gdb) p/x $r1+0x524
> $5 = 0xcf6ec
> (gdb) x/x 0xcf6ec
> 0xcf6ec: 0x40488250
> (gdb) disass 0x40488250
> Dump of assembler code for function *__GI_memset:
> 0x40488250 <*__GI_memset+0>: cmpib,>>= 7,r24,0x404882f8 <*__GI_memset+168>
> 0x40488254 <*__GI_memset+4>: copy r26,r22
> 0x40488258 <*__GI_memset+8>: extrw,u r25,31,8,r31
> ...
Could it be that r21 and r22 are always involved?
Maybe we don't restore them correctly after some syscalls like fork / getpwnam...?
Esp. the comment for r21-r22 in arch/parisc/kernel/entry.S:1708 seems interesting:
/* Register saving semantics for system calls:
%r1 clobbered by system call macro in userspace
%r2 saved in PT_REGS by gateway page
%r3 - %r18 preserved by C code (saved by signal code)
%r19 - %r20 saved in PT_REGS by gateway page
%r21 - %r22 non-standard syscall args
stored in kernel stack by gateway page
%r23 - %r26 arg3-arg0, saved in PT_REGS by gateway page
%r27 - %r30 saved in PT_REGS by gateway page
%r31 syscall return pointer
*/
Helge
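Added example, not code from the thread: it replays the gdb arithmetic of the second crash (addil/ldw/bv in the PLT stub, the $dp, $r1, $r21 and memory values quoted above) to separate "the GOT slot held a bad target" from "the register lost the value it had just loaded". The L% selector semantics and the rp privilege-bit masking are standard PA-RISC; the constructed memory dict stands in for the process image.

```python
# Replay the register/memory evidence from the bash crash in /bin/sh ./libtool.
# Values below are the ones printed by gdb in the mail; the memory map is
# constructed from the single `x/x 0xcf6ec` reading.

MASK32 = 0xFFFFFFFF

def l_part(value: int) -> int:
    """PA-RISC L% selector: the top 21 bits of a 32-bit value (value & ~0x7ff)."""
    return value & ~0x7FF

def addil(base: int, imm: int) -> int:
    """addil L%imm,base,r1  ->  r1 = base + L%imm (32-bit wrap)."""
    return (base + l_part(imm)) & MASK32

def plt_slot(dp: int, addil_imm: int, ldw_off: int) -> int:
    """Address the stub loads its branch target from: ldw ldw_off(r1),r21."""
    return (addil(dp, addil_imm) + ldw_off) & MASK32

def rp_return_addr(rp: int) -> int:
    """b,l stores PC+8 in rp with the privilege level in the low two bits."""
    return rp & ~0x3

def diagnose(dp, addil_imm, ldw_off, r1_seen, r21_seen, memory):
    """Return (slot address, slot contents, list of findings)."""
    findings = []
    if r1_seen != addil(dp, addil_imm):
        findings.append("r1 does not match addil result")
    slot = plt_slot(dp, addil_imm, ldw_off)
    target = memory.get(slot)
    if target is None:
        findings.append("GOT slot not readable")
    elif target == 0:
        findings.append("GOT slot itself is zero (memory/lazy-binding problem)")
    elif r21_seen != target:
        # ldw wrote `target` into r21, yet gdb sees something else:
        # the register, not memory, lost its value before bv r0(r21).
        findings.append("r21 lost loaded value; bv r0(r21) jumped to %#x" % r21_seen)
    return slot, target, findings

# Constructed from the gdb session in the mail.
MEMORY = {0xCF6EC: 0x40488250}   # resolved address of *__GI_memset

if __name__ == "__main__":
    print(hex(rp_return_addr(0xAB3DF)))                       # frame #1 address
    print(diagnose(0xCA1C8, 0x5000, 0x524, 0xCF1C8, 0x0, MEMORY))
```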