Tuesday, February 5, 2013

T32 Simulator

We use the simulator to debug ramdumps.

To view memory as a structure,
var.view (struct rcu_dynticks*)0xC162A228

To view core 1 register,
register /CORE 1

To view core 1 stack frame,
var.frame /core 1



Friday, February 1, 2013

Debugging an Oops..


<1>[  161.824645] Unable to handle kernel NULL pointer dereference at virtual address 00000132
<1>[  161.832702] pgd = dba48000
<1>[  161.835418] [00000132] *pgd=00000000
<0>[  161.839019] Internal error: Oops: 1 [#1] PREEMPT SMP ARM
<3>[  161.844329] kona_fb: die notifier invoked
<3>[  161.848327] kona_display_crash_image:355 image_idx=2
<3>[  161.854614] post_async:540 AXIPV has received the same buffer which is used
<3>[  161.861572] post_async:541 It is likely that we see display tearing
<3>[  161.867828] post_async:542 Preventing a potential lock-up by signalling
<4>[  161.874450] Modules linked in:
<4>[  161.877532] CPU: 1    Tainted: G        W     (3.4.5+ #1)
<4>[  161.882934] PC is at ttwu_stat+0x70/0x168
<4>[  161.886932] LR is at ttwu_stat+0x2c/0x168
<4>[  161.890930] pc : []    lr : []    psr: 200000d3
<4>[  161.890960] sp : dbb87e48  ip : 00000001  fp : dbb87e74
<4>[  161.902374] r10: 00000002  r9 : c162c000  r8 : 00000001
<4>[  161.907592] r7 : c093c000  r6 : 00000002  r5 : 00000000  r4 : 00000001
<4>[  161.914123] r3 : 00000002  r2 : dbb87e38  r1 : 00000130  r0 : 00000001
<4>[  161.920623] Flags: nzCv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment user
<4>[  161.927917] Control: 10c53c7d  Table: 9da4804a  DAC: 00000015

From System.map, find the address of ttwu_stat:
------------------------
c007fe8c t ttwu_stat
------------------------

Now find the end of the function. The Oops reports ttwu_stat+0x70/0x168, i.e. the PC is 0x70 bytes into a function whose size is 0x168, so the function ends at
0xc007fe8c + 0x168 = 0xC007FFF4

Disassemble the code as follows,
arm-eabi-objdump -dS --start-address=0xc007fe8c --stop-address=0xC007FFF4 vmlinux



dumps/vmlinux:     file format elf32-littlearm


Disassembly of section .text:

; ttwu_stat: 0xc007fe8c (from System.map) .. 0xc007fff4 (+0x168, the size given
; in the Oops). Crash PC = ttwu_stat+0x70 = 0xc007fefc, marked "<-- PC" below.
; Every ldrd/adds/adc/strd group is a 64-bit add of 1 to a field at sl+0x110,
; sl+0x118, sl+0x120, sl+0x128 or sl+0x130, so sl (r10) must hold a valid
; struct pointer for the whole function.
c007fe8c :
BFD: Dwarf Error: mangled line number section.
; prologue: save r4-r9, sl (r10), fp, lr; fp = entry sp + 32; 12 bytes of locals
c007fe8c:       e92d4ff0        push    {r4, r5, r6, r7, r8, r9, sl, fp, lr}
c007fe90:       e28db020        add     fp, sp, #32     ; 0x20
c007fe94:       e24dd00c        sub     sp, sp, #12     ; 0xc
c007fe98:       e1a06001        mov     r6, r1          ; r6 = r1 (2nd arg)
c007fe9c:       e1a0a000        mov     sl, r0          ; sl (r10) = r0 (1st arg); base of every ldrd/strd below
c007fea0:       e50b2028        str     r2, [fp, #-40]  ; spill r2 (3rd arg); re-read at c007ff74 and c007ffc4
c007fea4:       eb06c42b        bl      c0230f58        ; symbol not resolved in this listing; its r0 indexes the table below
c007fea8:       e59f213c        ldr     r2, [pc, #316]  ; c007ffec
c007feac:       e59f713c        ldr     r7, [pc, #316]  ; c007fff0
c007feb0:       e7929100        ldr     r9, [r2, r0, lsl #2]    ; r9 = table_at_0xc095e988[r0]
c007feb4:       eb06c427        bl      c0230f58        ; same callee a second time
c007feb8:       e0879009        add     r9, r7, r9      ; r9 = 0xc093c000 + table[r0]  (r7 = c093c000 matches the Oops dump)
c007febc:       e1560000        cmp     r6, r0          ; 2nd arg == result of the second call?
c007fec0:       e1a08000        mov     r8, r0
c007fec4:       1a00000a        bne     c007fef4        ; not equal -> the path that faulted
; equal path: [r9+1352]++ and 64-bit increment of [sl+0x128]
c007fec8:       e5993548        ldr     r3, [r9, #1352]
c007fecc:       e3a0cf4a        mov     ip, #296        ; 0x128
c007fed0:       e3a00001        mov     r0, #1  ; 0x1
c007fed4:       e3a01000        mov     r1, #0  ; 0x0
c007fed8:       e2833001        add     r3, r3, #1      ; 0x1
c007fedc:       e5893548        str     r3, [r9, #1352]
c007fee0:       e18a20dc        ldrd    r2, [sl, ip]
c007fee4:       e0922000        adds    r2, r2, r0
c007fee8:       e0a33001        adc     r3, r3, r1
c007feec:       e18a20fc        strd    r2, [sl, ip]
c007fef0:       ea00001f        b       c007ff74
; not-equal path: 64-bit increment of [sl+0x130] -- the Oops fired on its first load
c007fef4:       e3a01e13        mov     r1, #304        ; 0x130
c007fef8:       e3a04001        mov     r4, #1  ; 0x1
c007fefc:       e18a20d1        ldrd    r2, [sl, r1]    ; <-- PC (ttwu_stat+0x70): Oops shows r10 = 2, r1 = 0x130, so the load hit 0x132
; r10 = 2 is not a pointer; it was copied from r0 at c007fe9c, so the bad value
; most likely arrived as the first argument -- look at the caller, not this function.
c007ff00:       e3a05000        mov     r5, #0  ; 0x0
c007ff04:       e0922004        adds    r2, r2, r4
c007ff08:       e0a33005        adc     r3, r3, r5
c007ff0c:       e18a20f1        strd    r2, [sl, r1]
; __rcu_read_lock .. __rcu_read_unlock bracket the walk at c007ff48-c007ff6c
c007ff10:       eb00cfde        bl      c00b3e90 <__rcu_read_lock>
c007ff14:       e59f20d0        ldr     r2, [pc, #208]  ; c007ffec
c007ff18:       e3560000        cmp     r6, #0  ; 0x0
c007ff1c:       e3a01001        mov     r1, #1  ; 0x1
c007ff20:       e7923108        ldr     r3, [r2, r8, lsl #2]    ; table[r8], r8 = second call's result
c007ff24:       e286201f        add     r2, r6, #31     ; 0x1f
c007ff28:       a1a02006        movge   r2, r6          ; r2 = r6 (r6 >= 0) or r6+31 (r6 < 0)
c007ff2c:       e206601f        and     r6, r6, #31     ; 0x1f
c007ff30:       e0877003        add     r7, r7, r3      ; r7 = 0xc093c000 + table[r8]
c007ff34:       e1a022c2        asr     r2, r2, #5      ; r2 = arg2 / 32 (word index)
c007ff38:       e1a06611        lsl     r6, r1, r6      ; r6 = 1 << (arg2 & 31) (bit mask)
c007ff3c:       e59734a8        ldr     r3, [r7, #1192] ; r3 = head of the chain walked below
c007ff40:       e1a02102        lsl     r2, r2, #2      ; r2 = word index * 4
c007ff44:       ea000007        b       c007ff68        ; enter the walk at its null test
; walk: if bit r6 of word [r3+r2+248] is set, [r3+220]++ and stop; else r3 = [r3] until NULL
c007ff48:       e0831002        add     r1, r3, r2
c007ff4c:       e59110f8        ldr     r1, [r1, #248]
c007ff50:       e1110006        tst     r1, r6
c007ff54:       159320dc        ldrne   r2, [r3, #220]
c007ff58:       12822001        addne   r2, r2, #1      ; 0x1
c007ff5c:       158320dc        strne   r2, [r3, #220]
c007ff60:       1a000002        bne     c007ff70
c007ff64:       e5933000        ldr     r3, [r3]        ; r3 = next (first word of the element)
c007ff68:       e3530000        cmp     r3, #0  ; 0x0
c007ff6c:       1afffff5        bne     c007ff48
c007ff70:       eb00d511        bl      c00b53bc <__rcu_read_unlock>
; both paths rejoin here; bit 2 of the spilled 3rd arg -> 64-bit increment of [sl+0x120]
c007ff74:       e51b3028        ldr     r3, [fp, #-40]
c007ff78:       e3130004        tst     r3, #4  ; 0x4
c007ff7c:       0a000006        beq     c007ff9c
c007ff80:       e3a0ce12        mov     ip, #288        ; 0x120
c007ff84:       e3a00001        mov     r0, #1  ; 0x1
c007ff88:       e18a20dc        ldrd    r2, [sl, ip]
c007ff8c:       e3a01000        mov     r1, #0  ; 0x0
c007ff90:       e0922000        adds    r2, r2, r0
c007ff94:       e0a33001        adc     r3, r3, r1
c007ff98:       e18a20fc        strd    r2, [sl, ip]
; unconditional: [r9+1348]++ and 64-bit increment of [sl+0x110]
c007ff9c:       e5993544        ldr     r3, [r9, #1348]
c007ffa0:       e3a0ce11        mov     ip, #272        ; 0x110
c007ffa4:       e3a00001        mov     r0, #1  ; 0x1
c007ffa8:       e3a01000        mov     r1, #0  ; 0x0
c007ffac:       e2833001        add     r3, r3, #1      ; 0x1
c007ffb0:       e5893544        str     r3, [r9, #1348]
c007ffb4:       e18a20dc        ldrd    r2, [sl, ip]
c007ffb8:       e0922000        adds    r2, r2, r0
c007ffbc:       e0a33001        adc     r3, r3, r1
c007ffc0:       e18a20fc        strd    r2, [sl, ip]
; bit 0 of the spilled 3rd arg -> 64-bit increment of [sl+0x118] (r0/r1 still 1/0)
c007ffc4:       e51b2028        ldr     r2, [fp, #-40]
c007ffc8:       e3120001        tst     r2, #1  ; 0x1
c007ffcc:       0a000004        beq     c007ffe4
c007ffd0:       e3a0cf46        mov     ip, #280        ; 0x118
c007ffd4:       e18a20dc        ldrd    r2, [sl, ip]
c007ffd8:       e0922000        adds    r2, r2, r0
c007ffdc:       e0a33001        adc     r3, r3, r1
c007ffe0:       e18a20fc        strd    r2, [sl, ip]
; epilogue: drop the frame and return (pc restored from the saved lr slot)
c007ffe4:       e24bd020        sub     sp, fp, #32     ; 0x20
c007ffe8:       e8bd8ff0        pop     {r4, r5, r6, r7, r8, r9, sl, fp, pc}
; literal pool used by the pc-relative loads at c007fea8, c007feac and c007ff14
c007ffec:       c095e988        .word   0xc095e988
c007fff0:       c093c000        .word   0xc093c000


The PC (0xc007fe8c + 0x70 = 0xc007fefc) is shown in red above, so the instruction that caused the crash is:
c007fefc:       e18a20d1        ldrd    r2, [sl, r1]

i.e., reading a double word (ldrd) from the address sl + r1 (sl is r10).
From the Oops message r10 = 2 and r1 = 0x130 (the register dump is in hex). Both are highlighted in red.

So it is trying to load from address 0x132, which is not a valid kernel address; this matches the faulting address in the first line of the Oops ("virtual address 00000132").

Common mistake: analysing a ramdump with a vmlinux from a different build. Match the time stamp of the ramdump and the vmlinux first:
strings dumps/AP__0x82000000.hex | grep "Linux version"

strings dumps/vmlinux | grep "Linux version"

Both version strings (including the build timestamp) should match; otherwise the addresses and disassembly above do not correspond to the crashed kernel.