[OpenBIOS] Possible MMU translation bug?

Mark Cave-Ayland mark.cave-ayland at siriusit.co.uk
Thu Apr 15 23:14:44 CEST 2010


Hi all,

So far Milax crashes a few seconds into executing the OpenSolaris kernel 
and I'm wondering if the bug is related to not preserving registers in 
the MMU routines. The instruction causing the crash is the following:

0x0000000001047444:  ldx  [ %g7 + 0xa8 ], %o2

Given that there were several instances of this exact instruction in 
previous nearby blocks of code, I used the qemu debugging output to see 
what was happening in this particular case. Comments are denoted with a ^.


IN:
0x0000000001050860:  call  0x1050ee8
0x0000000001050864:  add  %fp, 0x7a7, %o0

^ Looks like a standard call (the following `add` is in its delay slot). %g7 is currently set to 0x180e000.

--------------
IN: mmu_translate
0x00000000ffd0a788:  save  %sp, -224, %sp
0x00000000ffd0a78c:  call  0xffd0a830
0x00000000ffd0a790:  nop

^ Hmmm. But the very next block logged is OpenBIOS's mmu_translate? (Caveat: I believe qemu's in_asm log only prints a block the first time it is translated, so any blocks already in the translation cache -- e.g. a kernel client-interface stub between the call and mmu_translate -- would not show up here.)

--------------
IN: mmu_translate
0x00000000ffd0a794:  mov  %o0, %g1
0x00000000ffd0a798:  stx  %g1, [ %fp + 0x7df ]
0x00000000ffd0a79c:  add  %fp, 0x7d7, %g1
0x00000000ffd0a7a0:  ldx  [ %fp + 0x7df ], %o0
0x00000000ffd0a7a4:  mov  %g1, %o1
0x00000000ffd0a7a8:  call  0xffd1e134
0x00000000ffd0a7ac:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e134:  save  %sp, -240, %sp
0x00000000ffd1e138:  stx  %i0, [ %fp + 0x87f ]
0x00000000ffd1e13c:  stx  %i1, [ %fp + 0x887 ]
0x00000000ffd1e140:  call  0xffd0e37c
0x00000000ffd1e144:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e148:  mov  %o0, %g1
0x00000000ffd1e14c:  stx  %g1, [ %fp + 0x7d7 ]
0x00000000ffd1e150:  ldx  [ %fp + 0x7d7 ], %g1
0x00000000ffd1e154:  ldx  [ %g1 + 0x28 ], %g1
0x00000000ffd1e158:  stx  %g1, [ %fp + 0x7df ]
0x00000000ffd1e15c:  b  %xcc, 0xffd1e1d8
0x00000000ffd1e160:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e1d8:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e1dc:  brz  %g1, 0xffd1e1fc
0x00000000ffd1e1e0:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e1e4:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e1e8:  ldx  [ %g1 + 8 ], %g2
0x00000000ffd1e1ec:  ldx  [ %fp + 0x87f ], %g1
0x00000000ffd1e1f0:  cmp  %g2, %g1
0x00000000ffd1e1f4:  bleu  %xcc, 0xffd1e164
0x00000000ffd1e1f8:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e164:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e168:  ldx  [ %g1 + 8 ], %g2
0x00000000ffd1e16c:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e170:  ldx  [ %g1 + 0x10 ], %g1
0x00000000ffd1e174:  add  %g2, %g1, %g1
0x00000000ffd1e178:  add  %g1, -1, %g2
0x00000000ffd1e17c:  ldx  [ %fp + 0x87f ], %g1
0x00000000ffd1e180:  cmp  %g2, %g1
0x00000000ffd1e184:  bcs  %xcc, 0xffd1e1cc
0x00000000ffd1e188:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e1cc:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e1d0:  ldx  [ %g1 ], %g1
0x00000000ffd1e1d4:  stx  %g1, [ %fp + 0x7df ]
0x00000000ffd1e1d8:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e1dc:  brz  %g1, 0xffd1e1fc
0x00000000ffd1e1e0:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e18c:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e190:  ldx  [ %g1 + 8 ], %g2
0x00000000ffd1e194:  ldx  [ %fp + 0x87f ], %g1
0x00000000ffd1e198:  sub  %g1, %g2, %g1
0x00000000ffd1e19c:  stx  %g1, [ %fp + 0x7e7 ]
0x00000000ffd1e1a0:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e1a4:  ldx  [ %g1 + 0x20 ], %g2
0x00000000ffd1e1a8:  ldx  [ %fp + 0x887 ], %g1
0x00000000ffd1e1ac:  stx  %g2, [ %g1 ]
0x00000000ffd1e1b0:  ldx  [ %fp + 0x7df ], %g1
0x00000000ffd1e1b4:  ldx  [ %g1 + 0x18 ], %g2
0x00000000ffd1e1b8:  ldx  [ %fp + 0x7e7 ], %g1
0x00000000ffd1e1bc:  add  %g2, %g1, %g1
0x00000000ffd1e1c0:  stx  %g1, [ %fp + 0x7c7 ]
0x00000000ffd1e1c4:  b  %xcc, 0xffd1e204
0x00000000ffd1e1c8:  nop

--------------
IN: ofmem_translate
0x00000000ffd1e204:  ldx  [ %fp + 0x7c7 ], %g1
0x00000000ffd1e208:  mov  %g1, %i0
0x00000000ffd1e20c:  rett  %i7 + 8
0x00000000ffd1e210:  nop

--------------
IN: mmu_translate
0x00000000ffd0a7b0:  mov  %o0, %g1
0x00000000ffd0a7b4:  stx  %g1, [ %fp + 0x7e7 ]
0x00000000ffd0a7b8:  ldx  [ %fp + 0x7e7 ], %g1
0x00000000ffd0a7bc:  cmp  %g1, -1
0x00000000ffd0a7c0:  be  %xcc, 0xffd0a81c
0x00000000ffd0a7c4:  nop

--------------
IN: mmu_translate
0x00000000ffd0a7c8:  ldx  [ %fp + 0x7e7 ], %g2
0x00000000ffd0a7cc:  mov  -1, %g1
0x00000000ffd0a7d0:  srlx  %g1, 0x20, %g1
0x00000000ffd0a7d4:  and  %g2, %g1, %g1
0x00000000ffd0a7d8:  mov  %g1, %o0
0x00000000ffd0a7dc:  call  0xffd0a4f8
0x00000000ffd0a7e0:  nop

--------------
IN: mmu_translate
0x00000000ffd0a7e4:  ldx  [ %fp + 0x7e7 ], %g1
0x00000000ffd0a7e8:  srlx  %g1, 0x20, %g1
0x00000000ffd0a7ec:  mov  %g1, %o0
0x00000000ffd0a7f0:  call  0xffd0a4f8
0x00000000ffd0a7f4:  nop

--------------
IN: mmu_translate
0x00000000ffd0a7f8:  ldx  [ %fp + 0x7d7 ], %g1
0x00000000ffd0a7fc:  mov  %g1, %o0
0x00000000ffd0a800:  call  0xffd0a4f8
0x00000000ffd0a804:  nop

--------------
IN: mmu_translate
0x00000000ffd0a808:  mov  -1, %o0	! 0xffffffffffffffff
0x00000000ffd0a80c:  call  0xffd0a4f8
0x00000000ffd0a810:  nop

--------------
IN: mmu_translate
0x00000000ffd0a814:  b  %xcc, 0xffd0a828
0x00000000ffd0a818:  nop

--------------
IN: mmu_translate
0x00000000ffd0a828:  rett  %i7 + 8
0x00000000ffd0a82c:  nop

--------------
IN:
0x0000000001007d54:  restore  %o0, %g0, %o0

--------------
IN:
0x0000000001050868:  call  0x104cf7c
0x000000000105086c:  mov  %o0, %i5

^ Back in the kernel after mmu_translate returns. %g7 is now 0x4c23549c -- it was 0x180e000 before the call, so it has been clobbered somewhere along the OpenBIOS path.

--------------
IN:
0x0000000001014c84:  sethi  %hi(0x181c800), %o5
0x0000000001014c88:  mov  %o7, %g1
0x0000000001014c8c:  ld  [ %o5 + 0x10 ], %o5
0x0000000001014c90:  sra  %o5, 0, %o0
0x0000000001014c94:  call  0x104743c
0x0000000001014c98:  mov  %g1, %o7

--------------
IN:
0x000000000104743c:  rdpr  %pil, %o1
0x0000000001047440:  wrpr  0xf, %pil
0x0000000001047444:  ldx  [ %g7 + 0xa8 ], %o2
0x0000000001047448:  ld  [ %o2 + 0x10c ], %o2
0x000000000104744c:  cmp  %o2, %o0
0x0000000001047450:  movl  %xcc, %o0, %o2
0x0000000001047454:  wrpr  %g0, %o2, %pil
0x0000000001047458:  retl
0x000000000104745c:  mov  %o1, %o0

Search PC...
Search PC...
Search PC...
Search PC...
Search PC...
Search PC...
Search PC...
Search PC...
Search PC...
--------------
IN:
0x000000000104743c:  rdpr  %pil, %o1
0x0000000001047440:  wrpr  0xf, %pil
0x0000000001047444:  ldx  [ %g7 + 0xa8 ], %o2

^ %g7 + 0xa8 = 0x4c235544, which is not 8-byte aligned, so the 64-bit ldx raises an alignment trap.


My working theory is that the "call 0x1050ee8" instruction takes an MMU 
fault and the trap handler ends up in OpenBIOS's mmu_translate. The code 
in the trace freely uses %g1 and %g2 as scratch, and %g7 has changed from 
0x180e000 to 0x4c23549c by the time control returns to the kernel. If 
this path (unlike the CIF entry point) does not save and restore the 
global registers %g1-%g7 around the call, the kernel resumes with a 
corrupted %g7 and the next access through it -- here the ldx at 
0x1047444 -- is bound to fault.

Two caveats: the visible blocks don't show where %g7 is actually 
written (it may happen inside 0xffd0a830, 0xffd0e37c or 0xffd0a4f8, 
whose bodies aren't in the log), and I haven't yet confirmed that we 
entered via a trap rather than a normal client-interface call -- the 
rett followed by the restore at 0x1007d54 looks like an ordinary return 
into kernel code, so that is worth checking before chasing the trap 
handler.


ATB,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs


