On 08/27/2014 05:45 PM, Lin Ming wrote:
Hi list,
Board: Broadcom 963268
CPU model: Broadcom BMIPS4350 V8.0
Kernel: 2.6.30
Toolchain: uclibc-crosstools-gcc-4.4.2-1
I encountered a userspace application crash with epc reported as zero.
I don't understand how epc register could be zero.
Any help is appreciated.
wps_monitor/1699: potentially unexpected fatal signal 11.
Cpu 1
$ 0 : 00000000 10008d00 00000004 0000000a
$ 4 : 0000000a 7f88a55c 00000000 00000001
$ 8 : 00000000 00000000 00000001 00000000
$12 : 00000001 00000000 00000008 12182430
$16 : 00438968 00000001 00409620 00000000
$20 : 00000000 00000000 00000000 00406404
$24 : 00000002 2aaecc00
$28 : 2ab39a70 7f88a4c0 7f88a4f0 0041a838
Disassemble the code surrounding the address in $31.
I am guessing that at 0x41a830, you have an indirect jump (JR
instruction) and that 'rs' contains a value of zero. So the EPC when
you get the SIGSEGV will be ... zero.
This is called a call through a NULL function pointer.
Hi : 00000000
Lo : 00000000
epc : 00000000 (null)
Tainted: P
ra : 0041a838 0x41a838
Status: 00008d13 USER EXL IE
Cause : 00000008
BadVA : 00000000
PrId : 0002a080 (Broadcom4350)
mips-linux-addr2line -e wps_monitor 0041a838
This shows the "ra" address mapped to line 328 below.
322 if (max_fd == -1) {
323 TUTRACE((TUTRACE_ERR, "wpsm_readData: no fd set!\n"));
324 return NULL;
325 }
326
327 /* Do select */
328 n = select(max_fd + 1, &fdvar, NULL, NULL, &timeout);
329 if (n <= 0) {
330         /*
331          * to avoid the select operation interferenced by led lighting timer.
332          * this will be removed after led lighting timer is replaced by wireless driver
333          */
334         if (n < 0 && errno != EINTR) {
335             TUTRACE((TUTRACE_ERR, "wpsm_readData: select recv failed\n"));
336         }
337 goto out;
338 }
0000eac0 <__libc_select>:
eac0: 3c1c0006 lui gp,0x6
eac4: 279c1aa0 addiu gp,gp,6816
eac8: 0399e021 addu gp,gp,t9
eacc: 27bdffd8 addiu sp,sp,-40
ead0: afbe0020 sw s8,32(sp)
ead4: 03a0f021 move s8,sp
ead8: afbf0024 sw ra,36(sp)
eadc: afb0001c sw s0,28(sp)
eae0: afbc0010 sw gp,16(sp)
eae4: 27bdfff0 addiu sp,sp,-16
eae8: 8fc20038 lw v0,56(s8)
eaec: 27bdffe0 addiu sp,sp,-32
eaf0: afa20010 sw v0,16(sp)
eaf4: 2402102e li v0,4142
eaf8: 0000000c syscall
eafc: 27bd0020 addiu sp,sp,32
eb00: 10e00006 beqz a3,eb1c <__libc_select+0x5c>
eb04: 00408021 move s0,v0
eb08: 8f9988d0 lw t9,-30512(gp)
eb0c: 0320f809 jalr t9
eb10: 00000000 nop
eb14: ac500000 sw s0,0(v0)
eb18: 2402ffff li v0,-1
eb1c: 03c0e821 move sp,s8
eb20: 8fbf0024 lw ra,36(sp)
eb24: 8fbe0020 lw s8,32(sp)
eb28: 8fb0001c lw s0,28(sp)
eb2c: 03e00008 jr ra
eb30: 27bd0028 addiu sp,sp,40
Regards,
Ming
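The reasoning in the reply (epc and BadVA both zero, a TLBL instruction-fetch exception, and ra pointing just past a jalr) can be turned into a small crash-triage check. The following is an added example for this thread, not code from the list or from the wps_monitor project; SAMPLE_DUMP is constructed from the register dump above, and the function and dictionary names are my own.

```python
import re

# MIPS32 Cause.ExcCode values (bits 6:2) commonly seen in user-space faults.
EXCCODE = {0: "Int", 2: "TLBL", 3: "TLBS", 4: "AdEL", 5: "AdES",
           8: "Sys", 9: "Bp", 10: "RI"}

# Constructed from the crash report quoted in this thread.
SAMPLE_DUMP = """\
epc : 00000000 (null)
ra : 0041a838 0x41a838
Status: 00008d13 USER EXL IE
Cause : 00000008
BadVA : 00000000
"""

def parse_dump(text):
    """Extract epc, ra, Status, Cause and BadVA from a MIPS oops dump as ints."""
    regs = {}
    for name in ("epc", "ra", "Status", "Cause", "BadVA"):
        m = re.search(r"^%s\s*:\s*([0-9a-fA-F]{8})" % name, text, re.M)
        if m:
            regs[name] = int(m.group(1), 16)
    return regs

def decode_status(status):
    """Decode the three Status bits the kernel prints: UM (bit 4), EXL (bit 1), IE (bit 0)."""
    flags = []
    if status & (1 << 4):
        flags.append("USER")
    if status & (1 << 1):
        flags.append("EXL")
    if status & 1:
        flags.append("IE")
    return flags

def triage(text):
    """Classify the dump; return ExcCode name, Status flags, verdict and call site."""
    regs = parse_dump(text)
    exccode = (regs["Cause"] >> 2) & 0x1F
    result = {"exccode": EXCCODE.get(exccode, "?"),
              "status": decode_status(regs["Status"]),
              "verdict": "unknown", "call_site": None}
    # Signature of a call through a NULL function pointer: the instruction
    # fetch faulted at address 0 (epc == BadVA == 0, TLBL) while ra still
    # holds the return address. jalr sets ra = address of jalr + 8 (the
    # delay slot follows the jump), so the offending jump sits at ra - 8.
    if regs["epc"] == 0 and regs["BadVA"] == 0 and exccode == 2 and regs["ra"]:
        result["verdict"] = "null function pointer call"
        result["call_site"] = regs["ra"] - 8
    return result
```

For the dump in this thread the helper reports ExcCode TLBL, Status USER EXL IE, and a call site of 0x41a830, which is the jalr the reply points at.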