[OpenBIOS] Faulty Qemu SPARC64 IDE emulation?

Mark Cave-Ayland mark.cave-ayland at siriusit.co.uk
Wed Dec 9 19:56:07 CET 2009


Nick Couchman wrote:

> Curiously the PC location for the error has changed - according to the output above, here's the gdb location:
> 
> (gdb) l *0x00000000ffd1bad0
> 0xffd1bad0 is in ob_ide_insw (./target/include/asm/io.h:165).
> 160	{
> 161		uint16_t *b = (uint16_t *) buf;
> 162	
> 163		while (ns > 0) {
> 164			*b++ = in_le16(port);
> 165			ns--;
> 166		}
> 167	}
> 168	
> 169	static inline void _outsw_ns(volatile uint16_t * port, const void *buf,
> 
> -Nick

Okay - I've just committed a "fix" for the missing alarm word since 
OpenBIOS wasn't removing the parameters from the stack as alarm should. 
Now I get slightly further with Milax, but I too am seeing a crash in 
the IDE interface code trying to load a file. It seems that the crash 
manages to kill the Qemu instance too.

Here's a Forth debugger trace reading in the first sector of the CDROM 
from the beginning of the boot process which we know works:


: read  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 ffe0b9e8 0 0 0 0 0 
0 0 800 800 8000000 ffe6b200 )
00000000ffe28d28: >r  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 800 8000000 )
00000000ffe28d30: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 )
00000000ffe28d38: r>  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 )
00000000ffe28d40: dup  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 ffe6b200 )
00000000ffe28d48: ihandle>phandle  ( ffffffffffffffff 1 0 
ffffffffffffffff 0 0 0 ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 
ffe2b600 )
00000000ffe28d50: (")  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 ffe2b600 ffe28d60 4 )
00000000ffe28d68: rot  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 ffe28d60 4 ffe2b600 )
00000000ffe28d70: find-method  ( ffffffffffffffff 1 0 ffffffffffffffff 0 
0 0 ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 ffe2b838 
ffffffffffffffff )
00000000ffe28d78: do?branch  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 
0 ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe6b200 ffe2b838 )
00000000ffe28d88: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe2b838 ffe6b200 )
00000000ffe28d90: call-package  ( ffffffffffffffff 1 0 ffffffffffffffff 
0 0 0 ffe0b9e8 0 0 0 0 0 0 0 800 800 )
00000000ffe28d98: dobranch  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 
0 ffe0b9e8 0 0 0 0 0 0 0 800 800 )
00000000ffe28db8: (semis)


And here's a Forth debugger trace trying to read in 
/platform/sun4u/boot_archive:


: read  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 ffe0b9e8 0 0 0 0 0 
0 0 0 0 51000000 554c800 554c800 554c800 554c800 554c800 51000000 ffe6b200 )
00000000ffe28d28: >r  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
554c800 51000000 )
00000000ffe28d30: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 )
00000000ffe28d38: r>  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe6b200 )
00000000ffe28d40: dup  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe6b200 ffe6b200 )
00000000ffe28d48: ihandle>phandle  ( ffffffffffffffff 1 0 
ffffffffffffffff 0 0 0 ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 
554c800 554c800 554c800 51000000 554c800 ffe6b200 ffe2b600 )
00000000ffe28d50: (")  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe6b200 ffe2b600 ffe28d60 4 )
00000000ffe28d68: rot  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe6b200 ffe28d60 4 ffe2b600 )
00000000ffe28d70: find-method  ( ffffffffffffffff 1 0 ffffffffffffffff 0 
0 0 ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe6b200 ffe2b838 ffffffffffffffff )
00000000ffe28d78: do?branch  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 
0 ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe6b200 ffe2b838 )
00000000ffe28d88: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800 
51000000 554c800 ffe2b838 ffe6b200 )
00000000ffe28d90: call-package qemu: unsupported keyboard cmd=0x57
sSegmentation fault


In the case of reading the first sector of the Milax CDROM, 0x800 bytes 
are being read to memory at 0x8000000 which works fine. When trying to 
read in boot_archive then we see that 0x554c800 bytes are being read 
into memory at 0x51000000 and this is where the crash happens. I wonder 
if we're finding some kind of IDE I/O emulation bug for SPARC64 Qemu?

If you switch back to GDB and poke around where the segfault happens, 
can you see any values that look obviously broken at your end?


ATB,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs
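The two debugger traces above, as an added example that is not part of the original mail or of OpenBIOS itself: a small Python parser that rejoins the stack dumps the mail client wrapped across lines, recovers the (addr, len) pair handed to the IDE package's read method from the step immediately before call-package (at that point the stack is ( ... addr len xt ihandle ), matching the 0x8000000/0x800 and 0x51000000/0x554c800 values read off the traces in the mail), and runs the sanity checks a firmware developer would eyeball first. The trace text is a constructed excerpt of the traces quoted in the mail, and the guest RAM size is an assumed parameter, not a value the mail gives.

```python
import re
from collections import namedtuple

# Constructed excerpts of the two OpenBIOS Forth debugger traces from the mail
# (CDROM first-sector read, then the boot_archive read that crashes), with the
# mail client's line wrapping kept so the parser has to rejoin the stack lists.
CDROM_TRACE = """\
: read  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 ffe0b9e8 0 0 0 0 0
0 0 800 800 8000000 ffe6b200 )
00000000ffe28d28: >r  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0
ffe0b9e8 0 0 0 0 0 0 0 800 800 8000000 )
00000000ffe28d30: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 )
00000000ffe28d88: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0
ffe0b9e8 0 0 0 0 0 0 0 800 8000000 800 ffe2b838 ffe6b200 )
00000000ffe28d90: call-package  ( ffffffffffffffff 1 0 ffffffffffffffff
0 0 0 ffe0b9e8 0 0 0 0 0 0 0 800 800 )
00000000ffe28db8: (semis)
"""

BOOT_ARCHIVE_TRACE = """\
: read  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0 ffe0b9e8 0 0 0 0 0
0 0 0 0 51000000 554c800 554c800 554c800 554c800 554c800 51000000 ffe6b200 )
00000000ffe28d28: >r  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800
554c800 51000000 )
00000000ffe28d88: swap  ( ffffffffffffffff 1 0 ffffffffffffffff 0 0 0
ffe0b9e8 0 0 0 0 0 0 0 0 0 51000000 554c800 554c800 554c800 554c800
51000000 554c800 ffe2b838 ffe6b200 )
00000000ffe28d90: call-package qemu: unsupported keyboard cmd=0x57
sSegmentation fault
"""

Step = namedtuple("Step", "pc word stack tail")

# A trace record starts either with ": word" (colon definition entry) or with
# a 16-hex-digit program counter followed by a colon; anything else is a
# continuation of the previous record's wrapped stack list.
START_RE = re.compile(r"^(?:[0-9a-f]{16}:|:)\s")
STEP_RE = re.compile(
    r"^(?:(?P<pc>[0-9a-f]{16}):\s+|:\s+)(?P<word>\S+)"
    r"(?:\s+\((?P<stack>[^)]*)\))?(?P<tail>.*)$"
)


def parse_trace(text):
    """Return a list of Step(pc, word, stack, tail) from a debugger trace.

    Wrapped lines are rejoined first; stack cells are parsed as hex. A step
    that never printed a stack (the crashing call-package) gets stack=None
    and keeps whatever followed the word (here the qemu message) in tail.
    """
    records = []
    for line in text.splitlines():
        if START_RE.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
    steps = []
    for rec in records:
        m = STEP_RE.match(rec)
        if not m:
            continue
        stack = None
        if m.group("stack") is not None:
            stack = [int(tok, 16) for tok in m.group("stack").split()]
        steps.append(Step(m.group("pc"), m.group("word"), stack,
                          m.group("tail").strip()))
    return steps


def read_arguments(steps):
    """Recover (addr, len) passed to the IDE package's read method.

    In both traces the step before call-package leaves the stack as
    ( ... addr len xt ihandle ): the usual read ( addr len -- actual )
    arguments under the method xt and instance handle that call-package
    consumes. Returns None if the trace never reaches call-package.
    """
    for i, step in enumerate(steps):
        if step.word == "call-package" and i > 0:
            stack = steps[i - 1].stack
            if stack is None or len(stack) < 4:
                return None
            return stack[-4], stack[-3]
    return None


def check_transfer(addr, length, ram_bytes, sector=0x800):
    """Sanity-check a transfer: does [addr, addr+len) fit in guest RAM
    (ram_bytes is an assumed size supplied by the caller, not from the mail),
    and is the length a whole number of 2048-byte CD sectors?"""
    end = addr + length
    return {
        "end": end,
        "fits_in_ram": end <= ram_bytes,
        "whole_sectors": length % sector == 0,
        "sectors": length // sector,
    }


if __name__ == "__main__":
    for name, trace in (("cdrom", CDROM_TRACE), ("boot_archive", BOOT_ARCHIVE_TRACE)):
        steps = parse_trace(trace)
        addr, length = read_arguments(steps)
        # Assumed 1 GiB of guest RAM purely for illustration.
        print(name, hex(addr), hex(length), check_transfer(addr, length, 1 << 30))
        if steps[-1].stack is None:
            print("  trace ended without a stack:", steps[-1].tail)
```

With a 1 GiB assumed RAM size the boot_archive transfer ends at 0x5654c800, well past the top of memory, while the CDROM sector read ends at 0x8000800; the parser also surfaces that the last boot_archive step printed no stack at all, only the qemu message and the segfault, which is consistent with the emulator dying inside the call rather than the Forth side returning an error.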


