Subject: more MIPS memcpy bugs...
To: None <tech-toolchain@NetBSD.org>
From: Garrett D'Amore <garrett_damore@tadpole.com>
List: tech-toolchain
Date: 05/17/2006 23:43:04
I think even on gcc 3.x MIPS32 memcpy is probably busted.
I've got definite reports of breakage in certain application code
implicating memcpy and gcc 3.
I have also verified that the following code in ath_attach() breaks
terribly:
	printf("sc_debug (%x) in attach is %x\n",
	    (uint32_t)&sc->sc_debug, sc->sc_debug);
	cpu_Debugger();
	memcpy(ifp->if_xname, sc->sc_dev.dv_xname, IFNAMSIZ);
	ah = ath_hal_attach(devid, sc, sc->sc_st, ATH_BUSHANDLE2HAL(sc->sc_sh),
What happens is that at the point the printf is done, sc_debug contains
a real value (0x6000 in this case). The cpu_Debugger() call was
something I added to set a watch point. So I set a watchpoint on the
address of sc->sc_debug, and get a trap in the inlined assembly for
memcpy(). Here's a snapshot of my debug, including disassembly of the
generated MIPS code. I have not gone through the assembly by hand yet to
try to figure out what it *thinks* it's doing, at this point.
Adding -fno-builtin-memcpy to makeoptions didn't prevent the compiler
from inlining memcpy. If anyone has any advice, I'd love to hear it!
(This is kernel code, btw.)
ae1: Ethernet address 00:00:fc:fd:12:00
com0 at arbus0 addr 0x1c000000 interrupt 4 irq 4: ns16550a, working fifo
com0: console
ath0 at arbus0 addr 0x18000000 interrupt 0: Atheros 5312 WiSoC
ath_attach: devid 0x57
sc_debug (c0011f54) in attach is 6000
Stopped in pid 0.1 (swapper) at netbsd:cpu_Debugger+0x4: jr ra
bdslot: nop
db> bt
cpu_Debugger+4 (0,5,0,8) ra 80064eb0 sz 0
ath_attach+6c (0,5,0,8) ra 8016b96c sz 72
8016b858+114 (0,5,0,8) ra 800fdf4c sz 40
config_attach_loc+490 (c001df00,5,80225d88,80225d70) ra 800fd810 sz 72
config_found_sm_loc+5c (c001df00,5,80225d88,80225d70) ra 80166f74 sz 48
80166de4+190 (c001df00,5,80225d88,80225d70) ra 800fdf4c sz 80
config_attach_loc+490 (c001df80,5,0,0) ra 800fd810 sz 72
config_found_sm_loc+5c (c001df80,5,0,0) ra 800fd8a4 sz 48
config_found_ia+20 (c001df80,5,0,0) ra 80166370 sz 32
80166310+60 (c001df80,5,0,0) ra 800fdf4c sz 32
config_attach_loc+490 (0,5,0,0) ra 800fdfac sz 72
config_attach+1c (0,5,0,0) ra 800fd92c sz 32
config_rootfound+44 (0,5,0,0) ra 80163860 sz 32
cpu_configure+30 (0,5,0,0) ra 800fca30 sz 24
configure+4c (0,5,0,0) ra 800ce004 sz 24
main+104 (0,5,0,0) ra 80020090 sz 48
User-level: pid 0.1
db> x 0xc0011f54
0xc0011f54: 6000
db> watch c0011f54
db> c
trap: TLB modification in kernel mode
status=0x2, cause=0x30808004, epc=0x80064eb8, vaddr=0xc0011054
pid=0 cmd=swapper usp=0x0 ksp=0x80225bf0
Stopped in pid 0.1 (swapper) at netbsd:ath_attach+0x74: sw v0,20(s4)
db> bt
ath_attach+74 (57,5,0,8) ra 8016b96c sz 72
8016b858+114 (57,5,0,8) ra 800fdf4c sz 40
config_attach_loc+490 (c001df00,5,80225d88,80225d70) ra 800fd810 sz 72
config_found_sm_loc+5c (c001df00,5,80225d88,80225d70) ra 80166f74 sz 48
80166de4+190 (c001df00,5,80225d88,80225d70) ra 800fdf4c sz 80
config_attach_loc+490 (c001df80,5,0,0) ra 800fd810 sz 72
config_found_sm_loc+5c (c001df80,5,0,0) ra 800fd8a4 sz 48
config_found_ia+20 (c001df80,5,0,0) ra 80166370 sz 32
80166310+60 (c001df80,5,0,0) ra 800fdf4c sz 32
config_attach_loc+490 (0,5,0,0) ra 800fdfac sz 72
config_attach+1c (0,5,0,0) ra 800fd92c sz 32
config_rootfound+44 (0,5,0,0) ra 80163860 sz 32
cpu_configure+30 (0,5,0,0) ra 800fca30 sz 24
configure+4c (0,5,0,0) ra 800ce004 sz 24
main+104 (0,5,0,0) ra 80020090 sz 48
User-level: pid 0.1
db> x/i ath_attach,40
netbsd:ath_attach: addiu sp,sp,-72
netbsd:ath_attach+0x4: sw s5,60(sp)
netbsd:ath_attach+0x8: sw s4,56(sp)
netbsd:ath_attach+0xc: sw s3,52(sp)
netbsd:ath_attach+0x10: sw s0,40(sp)
netbsd:ath_attach+0x14: sw ra,64(sp)
netbsd:ath_attach+0x18: sw s2,48(sp)
netbsd:ath_attach+0x1c: sw s1,44(sp)
netbsd:ath_attach+0x20: lw v0,3924(a1)
netbsd:ath_attach+0x24: move s0,a1
netbsd:ath_attach+0x28: andi s5,a0,0xffff
netbsd:ath_attach+0x2c: addiu s4,a1,64
netbsd:ath_attach+0x30: beq v0,zero,<ath_attach+50> [addr:0x80064e94]
bdslot: addiu s3,a1,1144
netbsd:ath_attach+0x38: lui a0,0x801a
netbsd:ath_attach+0x3c: addiu a0,a0,-7580
netbsd:ath_attach+0x40: lui a1,0x801a
netbsd:ath_attach+0x44: addiu a1,a1,-7564
netbsd:ath_attach+0x48: jal printf [addr:0x80107ba0]
bdslot: move a2,s5
netbsd:ath_attach+0x50: lw a2,3924(s0)
netbsd:ath_attach+0x54: lui a0,0x801a
netbsd:ath_attach+0x58: addiu a0,a0,-7552
netbsd:ath_attach+0x5c: jal printf [addr:0x80107ba0]
bdslot: addiu a1,s0,3924
netbsd:ath_attach+0x64: jal cpu_Debugger [addr:0x801537c4]
bdslot: nop
netbsd:ath_attach+0x6c: lw v0,28(s0)
netbsd:ath_attach+0x70: move a0,s5
netbsd:ath_attach+0x74: sw v0,20(s4)
netbsd:ath_attach+0x78: lw v0,32(s0)
netbsd:ath_attach+0x7c: nop
netbsd:ath_attach+0x80: sw v0,24(s4)
netbsd:ath_attach+0x84: lw v0,36(s0)
netbsd:ath_attach+0x88: nop
netbsd:ath_attach+0x8c: sw v0,28(s4)
netbsd:ath_attach+0x90: lw v1,40(s0)
netbsd:ath_attach+0x94: addiu v0,sp,32
netbsd:ath_attach+0x98: sw v0,16(sp)
netbsd:ath_attach+0x9c: sw v1,32(s4)
netbsd:ath_attach+0xa0: lw a2,3944(s0)
netbsd:ath_attach+0xa4: lw a3,3948(s0)
netbsd:ath_attach+0xa8: jal ath_hal_attach [addr:0x8016c73c]
bdslot: move a1,s0
netbsd:ath_attach+0xb0: bne v0,zero,<ath_attach+d4> [addr:0x80064f18]
bdslot: move s2,v0
--
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
http://www.tadpolecomputer.com/
Phone: 951 325-2134 Fax: 951 325-2191
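The post suspects that gcc's inline expansion of a constant-length memcpy() (the IFNAMSIZ-sized copy into ifp->if_xname) is miscompiled. The following is an added example, not code from the post or from the NetBSD tree: a host-side differential test that a practitioner can build with and without -fno-builtin-memcpy and on any target, including a MIPS cross toolchain, to check that exact shape of copy. copy16() is a hypothetical stand-in for the call in ath_attach(); IFNAMSIZ is assumed to be 16 as in NetBSD's struct ifnet. The copy is run at every source and destination alignment inside padded buffers and compared byte for byte against a reference loop written with volatile accesses, so the optimiser cannot replace the reference with the very memcpy under test; the padding bytes are checked too, so an under- or over-length copy (the kind of stray store a watchpoint on a neighbouring field would catch) is reported as a failure rather than going unnoticed.

```c
/* Added example (not from the original post): differential test of the
 * compiler's expansion of a constant 16-byte memcpy(), the same shape as
 * the IFNAMSIZ copy in ath_attach().  Build twice, e.g.
 *   cc -O2 memcpy_check.c -o a && ./a
 *   cc -O2 -fno-builtin-memcpy memcpy_check.c -o b && ./b
 * (or with a mips cross compiler) and compare the results. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* assumed: size of if_xname in NetBSD's struct ifnet */
#define PAD      32   /* guard bytes on each side of the copy window */

/* Hypothetical stand-in for the call in ath_attach(): a memcpy() with a
 * compile-time constant length, which gcc normally expands inline as a
 * sequence of word loads and stores.  noinline keeps the expansion in
 * one place so it can be disassembled and compared across builds. */
__attribute__((noinline))
static void copy16(void *dst, const void *src)
{
    memcpy(dst, src, IFNAMSIZ);
}

/* Reference copy.  The volatile accesses stop the optimiser from turning
 * this loop back into the memcpy() whose expansion is being tested. */
static void ref_copy(volatile uint8_t *dst, const volatile uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Run copy16() at every (src, dst) alignment pair inside padded buffers
 * and compare the whole destination buffer, guard bytes included,
 * against the reference.  Returns the number of failing pairs. */
int check_memcpy(void)
{
    uint8_t src[PAD + IFNAMSIZ + PAD];
    uint8_t dst[PAD + IFNAMSIZ + PAD];
    uint8_t want[PAD + IFNAMSIZ + PAD];
    int failures = 0;

    for (size_t so = 0; so < 8; so++) {
        for (size_t doff = 0; doff < 8; doff++) {
            /* Constructed input: distinct source bytes, sentinel pattern
             * in the destination so stray writes are visible. */
            for (size_t i = 0; i < sizeof src; i++) {
                src[i] = (uint8_t)(0xA0 + i);
                dst[i] = (uint8_t)(0x5A ^ i);
            }
            ref_copy(want, dst, sizeof want);
            ref_copy(want + PAD + doff, src + PAD + so, IFNAMSIZ);

            copy16(dst + PAD + doff, src + PAD + so);

            if (memcmp(dst, want, sizeof dst) != 0) {
                failures++;
                printf("mismatch: src_off=%zu dst_off=%zu\n", so, doff);
            }
        }
    }
    return failures;
}

int main(void)
{
    int f = check_memcpy();
    printf("%s: %d failing alignment pairs\n", f ? "FAIL" : "ok", f);
    return f != 0;
}
```

If the normal build fails and the -fno-builtin-memcpy build passes, the defect is in the compiler's inline expansion; if both fail, suspect the library memcpy() instead. Because the copy in the post is inside a struct (sc->sc_dev.dv_xname to ifp->if_xname, both word-aligned), the aligned-only pairs are the ones that match that call; the unaligned pairs exercise the cases an expansion built from word loads and stores is most likely to get wrong.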