
On Fri, 2010-11-12 at 11:19 -0600, Scott Wood wrote:
On Fri, 12 Nov 2010 20:45:18 +0800 terry gliumailenator@gmail.com wrote:
Dear Scott, I have disassembled the nand_base.o file, because I know the problem happened here.
Why not disassemble the whole u-boot?
Then you'll get malloc as well, and the addresses will be closer to what shows up in the dump.
Do you think it's useful for your analysis?
Can you disassemble malloc? That's where it actually crashed.
Following is part of the result from disassembling the whole u-boot.
33f85f50 <nand_scan_tail>:
33f85f50: e92d4070 push {r4, r5, r6, lr}
33f85f54: e590509c ldr r5, [r0, #156]
33f85f58: e595304c ldr r3, [r5, #76]
33f85f5c: e3130701 tst r3, #262144 ; 0x40000
33f85f60: e1a06000 mov r6, r0
33f85f64: 1a000002 bne 33f85f74 <nand_scan_tail+0x24>
33f85f68: e59f04ec ldr r0, [pc, #1260] ; 33f8645c <nand_scan_tail+0x50c> // value seen below.
33f85f6c: eb0026cc bl 33f8faa4 <malloc>
33f85f70: e58500dc str r0, [r5, #220]
33f85f74: e59510dc ldr r1, [r5, #220]
33f85f78: e3510000 cmp r1, #0 ; 0x0
33f85f7c: 03e0000b mvneq r0, #11 ; 0xb
33f85f80: 08bd8070 popeq {r4, r5, r6, pc}
Value at pc + 1260:
33f8645c: 0000128e .word 0x0000128e
And the following is part of malloc after disassembly; you can find the detailed content of malloc in the attached malloc.dis file (I'm not sure which part could be useful, so I attached the whole of malloc).
33f8fb84: 9a000004 bls 33f8fb9c <malloc+0xf8>
33f8fb88: e59f352c ldr r3, [pc, #1324] ; 33f900bc <malloc+0x618>
33f8fb8c: e1520003 cmp r2, r3
33f8fb90: 91a0392a lsrls r3, sl, #18
33f8fb94: 83a0207e movhi r2, #126 ; 0x7e
33f8fb98: 9283207c addls r2, r3, #124 ; 0x7c
33f8fb9c: e59f3514 ldr r3, [pc, #1300] ; 33f900b8 <malloc+0x614>
33f8fba0: e0834182 add r4, r3, r2, lsl #3
33f8fba4: e594000c ldr r0, [r4, #12]
33f8fba8: ea000012 b 33f8fbf8 <malloc+0x154>
33f8fbac: e5903004 ldr r3, [r0, #4]
33f8fbb0: e3c33003 bic r3, r3, #3 ; 0x3 // it seems that the exception occurs here
33f8fbb4: e06a1003 rsb r1, sl, r3
33f8fbb8: e351000f cmp r1, #15 ; 0xf
33f8fbbc: c2422001 subgt r2, r2, #1 ; 0x1
33f8fbc0: ca00000e bgt 33f8fc00 <malloc+0x15c>
33f8fbc4: e3510000 cmp r1, #0 ; 0x0
33f8fbc8: e590c00c ldr ip, [r0, #12]
33f8fbcc: ba000008 blt 33f8fbf4 <malloc+0x150>
33f8fbd0: e0803003 add r3, r0, r3
33f8fbd4: e5932004 ldr r2, [r3, #4]
33f8fbd8: e5901008 ldr r1, [r0, #8]
00001a4c <nand_scan_tail>:
1a4c: e92d4070 push {r4, r5, r6, lr}
1a50: e590509c ldr r5, [r0, #156]
1a54: e595304c ldr r3, [r5, #76]
1a58: e3130701 tst r3, #262144 ; 0x40000
1a5c: e1a06000 mov r6, r0
1a60: 1a000002 bne 1a70 <nand_scan_tail+0x24>
1a64: e59f04ec ldr r0, [pc, #1260] ; 1f58 <nand_scan_tail+0x50c>
1a68: ebfffffe bl 0 <malloc>
What's the value at PC+1260?
It's "1f58: 0000128e .word 0x0000128e".
by the way,I cann't find the prototype of malloc in the whole project,it seems that it is encapsulated in some libs.
It's in common/malloc.c. There's weird preprocessor renaming going on, so it's called mALLOc in that file, but it shows up as malloc in the binary.
Thanks very much for your careful instruction.
-Scott
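Scott's "What's the value at PC+1260?" question, and the mapping of the faulting address back to a function and offset, can be checked mechanically instead of by hand. The following Python is an added example, not code from this thread or from U-Boot: it decodes the ARM literal-pool load and the `bl` encoding from the raw instruction words (rather than trusting objdump's annotation), resolves an address to `name+0xoff` the way objdump prints it, and flags the `bl 0 <malloc>` in the unlinked nand_base.o as a relocation placeholder. The disassembly lines are copied from the listings above; the `33f8faa4 <malloc>:` header is reconstructed from the `bl 33f8faa4 <malloc>` target and the `malloc+0xf8` annotation, and all function names are my own.

```python
import re

# objdump-style lines copied from the listings in this thread. The
# "33f8faa4 <malloc>:" header is not on the page verbatim; it is reconstructed
# from the 'bl 33f8faa4 <malloc>' target and the 'malloc+0xf8' annotation.
UBOOT_LISTING = """\
33f85f50 <nand_scan_tail>:
33f85f68: e59f04ec ldr r0, [pc, #1260] ; 33f8645c <nand_scan_tail+0x50c>
33f85f6c: eb0026cc bl 33f8faa4 <malloc>
33f8645c: 0000128e .word 0x0000128e
33f8faa4 <malloc>:
33f8fbac: e5903004 ldr r3, [r0, #4]
33f8fbb0: e3c33003 bic r3, r3, #3 ; 0x3
"""

# The same function from the unlinked nand_base.o: addresses are section
# offsets and the call target is still a relocation placeholder.
OBJECT_LISTING = """\
00001a4c <nand_scan_tail>:
1a64: e59f04ec ldr r0, [pc, #1260] ; 1f58 <nand_scan_tail+0x50c>
1a68: ebfffffe bl 0 <malloc>
1f58: 0000128e .word 0x0000128e
"""

SYM_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:")
WORD_RE = re.compile(r"^([0-9a-f]+):\s+([0-9a-f]{8})\b")


def parse_listing(text):
    """Return ({symbol: start}, {address: 32-bit word}) from objdump -d output."""
    symbols, words = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = SYM_RE.match(line)
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
            continue
        m = WORD_RE.match(line)
        if m:
            words[int(m.group(1), 16)] = int(m.group(2), 16)
    return symbols, words


def symbolize(symbols, addr):
    """'name+0xoff' for the nearest symbol at or below addr (objdump's format)."""
    below = [(start, name) for name, start in symbols.items() if start <= addr]
    if not below:
        return None
    start, name = max(below)
    return name if addr == start else f"{name}+{addr - start:#x}"


def ldr_pc_literal(addr, word):
    """Literal address for ARM-state 'ldr Rd, [pc, #+/-imm12]', else None.
    In ARM state PC reads as the instruction address + 8, word aligned."""
    if (word >> 28) == 0xF or (word & 0x0F7F0000) != 0x051F0000:
        return None
    imm12 = word & 0xFFF
    base = (addr + 8) & ~3
    return base + imm12 if word & (1 << 23) else base - imm12


def bl_target(addr, word):
    """(target, resolved) for 'bl <imm24>', else None.

    imm24 is a signed word offset from PC+8. An unlinked .o carries
    0xebfffffe, i.e. imm24 = -2, a branch to itself: the linker fills in the
    real target, and objdump shows the relocation's symbol ('bl 0 <malloc>')
    rather than what the raw word encodes.
    """
    if (word >> 28) == 0xF or (word & 0x0F000000) != 0x0B000000:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 1 << 24
    target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return target, target != addr


def malloc_call_summary(text, call_addr, fault_pc=None):
    """Describe a 'ldr r0, [pc, #imm]; bl malloc' pair and optionally a fault PC."""
    symbols, words = parse_listing(text)
    lit = ldr_pc_literal(call_addr - 4, words[call_addr - 4])
    target, resolved = bl_target(call_addr, words[call_addr])
    out = {
        "size_arg": words.get(lit),  # the literal loaded into r0 before the call
        "callee": symbolize(symbols, target) if resolved else None,
        "resolved": resolved,
    }
    if fault_pc is not None:
        out["fault_at"] = symbolize(symbols, fault_pc)
    return out


if __name__ == "__main__":
    print(malloc_call_summary(UBOOT_LISTING, 0x33f85f6c, fault_pc=0x33f8fbb0))
    print(malloc_call_summary(OBJECT_LISTING, 0x1a68))
```

Running it on the linked image gives size_arg 0x128e, callee `malloc`, and the instruction Terry flagged at `malloc+0x10c`; on the object file it gives the same literal but reports the `bl` as unresolved, which is why the .o listing alone cannot tell you where the call went.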