i
b&bh&bdall
c
ti&tt
cret:执行到子函数返回,返回后的结果可以在r3寄存器里看到。先b断住子函数,然后用cret taskid,查看r3就知道了子函数返回的结果。
e l1_print_bit_number,2,0,printf,"abcd\n":当执行到l1_print_bit_number函数时,执行printf("abcd\n")。
b l1_print_bit_number,0,2,0:当执行l1_print_bit_number函数2次后,即第3次断点生效。
stwu r1,-48(r1) :1) [r1-48]<-r1; 2) r1= r1-48
sth r0,8(r31): lower 16bits of r0, save to [r31+8]
lwz r9,8(r31): load [r31+8]'s 32bits to r9
mr r31, r1: r1->r31 (mr = move register, copies r1 into r31)
mtlr r0: move r0 into the LR (link) register (mtlr = move to link register)
CR(Condition Register)一共32位,从低位到高位被分成 CR0-CR7八段,每段四位。每个四位的CRn从低到高分别是:LT(小于标志)、GT(大于)、EQ(等于)和SO(溢出)。比较指令或条件跳转指令均可指明具体操作哪个 CRn,由此可以同时判断多个条件。整数计算默认更改CR0,浮点数计算默认更改CR1。
指令的语法格式:
bcctr BO, BI(LK=0)
bcctrl BO, BI(LK=1)
BO字段常用操作码:
BO=00100 如果条件成立(CR[BI]==0)则发生跳转
BO=01100 如果条件不成立(CR[BI]==1)则发生跳转
BO=10100 直接跳转
如果LK=1,则转移指令下一条指令的有效地址存放到连接寄存器。
如果减量计数器(BO[2]=0),指令格式无效,则转移到目标地址。
bcctrl 0x14,0:1)跳转到ctr(0x15a083c)处。2)lr =(cur pc + 4), 其中0x14 = 0001 0100
-> l l1_print_comment_line,200
l1_print_comment_line:
0x9a403c 9421ffd0 stwu r1,-48(r1) // 1) [r1-48]<-r1; 2) r1= r1-48
0x9a4040 7c0802a6 mfspr r0,LR
0x9a4044 90010034 stw r0,52(r1)❶ //存储调用者的LR值,后面的❷处执行 后,r0就是这里存储进去的值。
0x9a4048 93e1002c stw r31,44(r1)
0x9a404c 7c3f0b78 or r31,r1,r1// r31=r1
0x9a4050 907f0018 stw r3,24(r31)
0x9a4054 38000000 li r0,0x0 # 0
0x9a4058 901f0008 stw r0,8(r31)
0x9a405c 38000000 li r0,0x0 # 0
0x9a4060 901f0008 stw r0,8(r31)
0x9a4064 4800002c b 0x9a4090 # 0x009a4090
0x9a4068 3d200205 lis r9,0x205 # 517
0x9a406c 38691f60 addi r3,r9,0x1f60 # 8032
0x9a4070 3d20015a lis r9,0x15a # 346
0x9a4074 3929083c addi r9,r9,0x83c # 2108
0x9a4078 7d2903a6 mtspr CTR,r9
0x9a407c 4cc63182 crxor crb6,crb6,crb6
0x9a4080 4e800421 bcctrl 0x14,0 //1)跳转到ctr(0x15a083c)处。2)lr =(0x9a4080+4) =0x9a4084
0x9a4084 813f0008 lwz r9,8(r31)
0x9a4088 38090001 addi r0,r9,0x1 # 1
0x9a408c 901f0008 stw r0,8(r31)
0x9a4090 801f0008 lwz r0,8(r31)
0x9a4094 813f0018 lwz r9,24(r31)
0x9a4098 7f804800 cmp crf7,0,r0,r9
0x9a409c 419cffcc bc 0xc,28, 0x9a4068 # 0x009a4068
0x9a40a0 3d200205 lis r9,0x205 # 517
0x9a40a4 38691f64 addi r3,r9,0x1f64 # 8036
0x9a40a8 3d20015a lis r9,0x15a # 346
0x9a40ac 3929083c addi r9,r9,0x83c # 2108
0x9a40b0 7d2903a6 mtspr CTR,r9
0x9a40b4 4cc63182 crxor crb6,crb6,crb6
0x9a40b8 4e800421 bcctrl 0x14,0//1)跳转到ctr(0x15a083c)处。2)lr =(0x9a40b8+4) =0x9a40bc
0x9a40bc 81610000 lwz r11,0(r1) ❷
0x9a40c0 800b0004 lwz r0,4(r11) //r0 =调用者调用地方的下一条指令地址,就是❶处存储的值。
0x9a40c4 7c0803a6 mtspr LR,r0 //1) lr =r0
0x9a40c8 83ebfffc lwz r31,-4(r11)
0x9a40cc 7d615b78 or r1,r11,r11
0x9a40d0 4e800020 blr //返回到 lr 寄存器里的地址
l1_print_spaces:
0x9a40d4 9421ffd0 stwu r1,-48(r1)
0x9a40d8 7c0802a6 mfspr r0,LR
0x9a40dc 90010034 stw r0,52(r1)
0x9a40e0 93e1002c stw r31,44(r1)
0x9a40e4 7c3f0b78 or r31,r1,r1
0x9a40e8 907f0018 stw r3,24(r31)
0x9a40ec 38000000 li r0,0x0 # 0
0x9a40f0 901f0008 stw r0,8(r31)
0x9a40f4 38000000 li r0,0x0 # 0
0x9a40f8 901f0008 stw r0,8(r31)
0x9a40fc 4800002c b 0x9a4128 # 0x009a4128
0x9a4100 3d200205 lis r9,0x205 # 517
0x9a4104 38691f68 addi r3,r9,0x1f68 # 8040
0x9a4108 3d20015a lis r9,0x15a # 346
0x9a410c 3929083c addi r9,r9,0x83c # 2108
0x9a4110 7d2903a6 mtspr CTR,r9
0x9a4114 4cc63182 crxor crb6,crb6,crb6
0x9a4118 4e800421 bcctrl 0x14,0
0x9a411c 813f0008 lwz r9,8(r31)
0x9a4120 38090001 addi r0,r9,0x1 # 1
0x9a4124 901f0008 stw r0,8(r31)
0x9a4128 801f0008 lwz r0,8(r31)
0x9a412c 813f0018 lwz r9,24(r31)
0x9a4130 7f804800 cmp crf7,0,r0,r9
0x9a4134 419cffcc bc 0xc,28, 0x9a4100 # 0x009a4100
0x9a4138 81610000 lwz r11,0(r1)
0x9a413c 800b0004 lwz r0,4(r11)
0x9a4140 7c0803a6 mtspr LR,r0
0x9a4144 83ebfffc lwz r31,-4(r11)
0x9a4148 7d615b78 or r1,r11,r11
0x9a414c 4e800020 blr
l1_print_bit_number:
0x9a4150 9421ffd0 stwu r1,-48(r1)
0x9a4154 7c0802a6 mfspr r0,LR
0x9a4158 90010034 stw r0,52(r1)
0x9a415c 93e1002c stw r31,44(r1)
0x9a4160 7c3f0b78 or r31,r1,r1
0x9a4164 907f0018 stw r3,24(r31)
0x9a4168 909f001c stw r4,28(r31)
0x9a416c 38000000 li r0,0x0 # 0
0x9a4170 901f0008 stw r0,8(r31)
0x9a4174 801f0018 lwz r0,24(r31)
0x9a4178 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a417c 409d007c bc 0x4,29, 0x9a41f8 # 0x009a41f8
0x9a4180 813f0018 lwz r9,24(r31)
0x9a4184 3809ffff addi r0,r9,0xffff # -1
0x9a4188 901f0008 stw r0,8(r31)
0x9a418c 48000044 b 0x9a41d0 # 0x009a41d0
0x9a4190 3d200205 lis r9,0x205 # 517
0x9a4194 38691f6c addi r3,r9,0x1f6c # 8044
0x9a4198 809f0008 lwz r4,8(r31)
0x9a419c 3d20015a lis r9,0x15a # 346
0x9a41a0 3929083c addi r9,r9,0x83c # 2108
0x9a41a4 7d2903a6 mtspr CTR,r9
0x9a41a8 4cc63182 crxor crb6,crb6,crb6
0x9a41ac 4e800421 bcctrl 0x14,0
0x9a41b0 807f001c lwz r3,28(r31)
0x9a41b4 3d20009a lis r9,0x9a # 154
0x9a41b8 392940d4 addi r9,r9,0x40d4 # 16596
0x9a41bc 7d2903a6 mtspr CTR,r9
0x9a41c0 4e800421 bcctrl 0x14,0
0x9a41c4 813f0008 lwz r9,8(r31)
0x9a41c8 3809ffff addi r0,r9,0xffff # -1
0x9a41cc 901f0008 stw r0,8(r31)
0x9a41d0 801f0008 lwz r0,8(r31)
0x9a41d4 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a41d8 409cffb8 bc 0x4,28, 0x9a4190 # 0x009a4190
0x9a41dc 3d200205 lis r9,0x205 # 517
0x9a41e0 38691f64 addi r3,r9,0x1f64 # 8036
0x9a41e4 3d20015a lis r9,0x15a # 346
0x9a41e8 3929083c addi r9,r9,0x83c # 2108
0x9a41ec 7d2903a6 mtspr CTR,r9
0x9a41f0 4cc63182 crxor crb6,crb6,crb6
0x9a41f4 4e800421 bcctrl 0x14,0
0x9a41f8 81610000 lwz r11,0(r1)
0x9a41fc 800b0004 lwz r0,4(r11)
0x9a4200 7c0803a6 mtspr LR,r0
0x9a4204 83ebfffc lwz r31,-4(r11)
0x9a4208 7d615b78 or r1,r11,r11
0x9a420c 4e800020 blr
l1_print_bit_val:
0x9a4210 9421ffc0 stwu r1,-64(r1)
0x9a4214 7c0802a6 mfspr r0,LR
0x9a4218 90010044 stw r0,68(r1)
0x9a421c 93e1003c stw r31,60(r1)
0x9a4220 7c3f0b78 or r31,r1,r1
0x9a4224 907f0018 stw r3,24(r31)
0x9a4228 909f001c stw r4,28(r31)
0x9a422c 90bf0020 stw r5,32(r31)
0x9a4230 38000000 li r0,0x0 # 0
0x9a4234 901f000c stw r0,12(r31)
0x9a4238 38000000 li r0,0x0 # 0
0x9a423c 901f0008 stw r0,8(r31)
0x9a4240 801f001c lwz r0,28(r31)
0x9a4244 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a4248 409d0090 bc 0x4,29, 0x9a42d8 # 0x009a42d8
0x9a424c 813f001c lwz r9,28(r31)
0x9a4250 3809ffff addi r0,r9,0xffff # -1
0x9a4254 901f000c stw r0,12(r31)
0x9a4258 48000058 b 0x9a42b0 # 0x009a42b0
0x9a425c 813f0018 lwz r9,24(r31)
0x9a4260 801f000c lwz r0,12(r31)
0x9a4264 7d200630 sraw r0,r9,r0
0x9a4268 540007fe rlwinm r0,r0,0,31,31
0x9a426c 901f0008 stw r0,8(r31)
0x9a4270 3d200205 lis r9,0x205 # 517
0x9a4274 38691f6c addi r3,r9,0x1f6c # 8044
0x9a4278 809f0008 lwz r4,8(r31)
0x9a427c 3d20015a lis r9,0x15a # 346
0x9a4280 3929083c addi r9,r9,0x83c # 2108
0x9a4284 7d2903a6 mtspr CTR,r9
0x9a4288 4cc63182 crxor crb6,crb6,crb6
0x9a428c 4e800421 bcctrl 0x14,0
0x9a4290 807f0020 lwz r3,32(r31)
0x9a4294 3d20009a lis r9,0x9a # 154
0x9a4298 392940d4 addi r9,r9,0x40d4 # 16596
0x9a429c 7d2903a6 mtspr CTR,r9
0x9a42a0 4e800421 bcctrl 0x14,0
0x9a42a4 813f000c lwz r9,12(r31)
0x9a42a8 3809ffff addi r0,r9,0xffff # -1
0x9a42ac 901f000c stw r0,12(r31)
0x9a42b0 801f000c lwz r0,12(r31)
0x9a42b4 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a42b8 409cffa4 bc 0x4,28, 0x9a425c # 0x009a425c
0x9a42bc 3d200205 lis r9,0x205 # 517
0x9a42c0 38691f64 addi r3,r9,0x1f64 # 8036
0x9a42c4 3d20015a lis r9,0x15a # 346
0x9a42c8 3929083c addi r9,r9,0x83c # 2108
0x9a42cc 7d2903a6 mtspr CTR,r9
0x9a42d0 4cc63182 crxor crb6,crb6,crb6
0x9a42d4 4e800421 bcctrl 0x14,0
0x9a42d8 81610000 lwz r11,0(r1)
0x9a42dc 800b0004 lwz r0,4(r11)
0x9a42e0 7c0803a6 mtspr LR,r0
0x9a42e4 83ebfffc lwz r31,-4(r11)
0x9a42e8 7d615b78 or r1,r11,r11
0x9a42ec 4e800020 blr
l1_print_bit:
0x9a42f0 9421ffe0 stwu r1,-32(r1)
0x9a42f4 7c0802a6 mfspr r0,LR
0x9a42f8 90010024 stw r0,36(r1)
0x9a42fc 93e1001c stw r31,28(r1)
0x9a4300 7c3f0b78 or r31,r1,r1
0x9a4304 907f0008 stw r3,8(r31)
0x9a4308 38600080 li r3,0x80 # 128
0x9a430c 3d20009a lis r9,0x9a # 154
0x9a4310 3929403c addi r9,r9,0x403c # 16444
0x9a4314 7d2903a6 mtspr CTR,r9
0x9a4318 4e800421 bcctrl 0x14,0
0x9a431c 38600020 li r3,0x20 # 32
0x9a4320 38800002 li r4,0x2 # 2
0x9a4324 3d20009a lis r9,0x9a # 154
0x9a4328 39294150 addi r9,r9,0x4150 # 16720
0x9a432c 7d2903a6 mtspr CTR,r9
0x9a4330 4e800421 bcctrl 0x14,0
0x9a4334 38600080 li r3,0x80 # 128
0x9a4338 3d20009a lis r9,0x9a # 154
0x9a433c 3929403c addi r9,r9,0x403c # 16444
0x9a4340 7d2903a6 mtspr CTR,r9
0x9a4344 4e800421 bcctrl 0x14,0
0x9a4348 807f0008 lwz r3,8(r31)
0x9a434c 38800020 li r4,0x20 # 32
0x9a4350 38a00002 li r5,0x2 # 2
0x9a4354 3d20009a lis r9,0x9a # 154
0x9a4358 39294210 addi r9,r9,0x4210 # 16912
value = 0 = 0x0
-> l l1_print_comment_line,250
l1_print_comment_line:
0x9a403c 9421ffd0 stwu r1,-48(r1)
0x9a4040 7c0802a6 mfspr r0,LR
0x9a4044 90010034 stw r0,52(r1)
0x9a4048 93e1002c stw r31,44(r1)
0x9a404c 7c3f0b78 or r31,r1,r1
0x9a4050 907f0018 stw r3,24(r31)
0x9a4054 38000000 li r0,0x0 # 0
0x9a4058 901f0008 stw r0,8(r31)
0x9a405c 38000000 li r0,0x0 # 0
0x9a4060 901f0008 stw r0,8(r31)
0x9a4064 4800002c b 0x9a4090 # 0x009a4090
0x9a4068 3d200205 lis r9,0x205 # 517
0x9a406c 38691f60 addi r3,r9,0x1f60 # 8032
0x9a4070 3d20015a lis r9,0x15a # 346
0x9a4074 3929083c addi r9,r9,0x83c # 2108
0x9a4078 7d2903a6 mtspr CTR,r9
0x9a407c 4cc63182 crxor crb6,crb6,crb6
0x9a4080 4e800421 bcctrl 0x14,0
0x9a4084 813f0008 lwz r9,8(r31)
0x9a4088 38090001 addi r0,r9,0x1 # 1
0x9a408c 901f0008 stw r0,8(r31)
0x9a4090 801f0008 lwz r0,8(r31)
0x9a4094 813f0018 lwz r9,24(r31)
0x9a4098 7f804800 cmp crf7,0,r0,r9
0x9a409c 419cffcc bc 0xc,28, 0x9a4068 # 0x009a4068
0x9a40a0 3d200205 lis r9,0x205 # 517
0x9a40a4 38691f64 addi r3,r9,0x1f64 # 8036
0x9a40a8 3d20015a lis r9,0x15a # 346
0x9a40ac 3929083c addi r9,r9,0x83c # 2108
0x9a40b0 7d2903a6 mtspr CTR,r9
0x9a40b4 4cc63182 crxor crb6,crb6,crb6
0x9a40b8 4e800421 bcctrl 0x14,0
0x9a40bc 81610000 lwz r11,0(r1)
0x9a40c0 800b0004 lwz r0,4(r11)
0x9a40c4 7c0803a6 mtspr LR,r0
0x9a40c8 83ebfffc lwz r31,-4(r11)
0x9a40cc 7d615b78 or r1,r11,r11
0x9a40d0 4e800020 blr
l1_print_spaces:
0x9a40d4 9421ffd0 stwu r1,-48(r1)
0x9a40d8 7c0802a6 mfspr r0,LR
0x9a40dc 90010034 stw r0,52(r1)
0x9a40e0 93e1002c stw r31,44(r1)
0x9a40e4 7c3f0b78 or r31,r1,r1
0x9a40e8 907f0018 stw r3,24(r31)
0x9a40ec 38000000 li r0,0x0 # 0
0x9a40f0 901f0008 stw r0,8(r31)
0x9a40f4 38000000 li r0,0x0 # 0
0x9a40f8 901f0008 stw r0,8(r31)
0x9a40fc 4800002c b 0x9a4128 # 0x009a4128
0x9a4100 3d200205 lis r9,0x205 # 517
0x9a4104 38691f68 addi r3,r9,0x1f68 # 8040
0x9a4108 3d20015a lis r9,0x15a # 346
0x9a410c 3929083c addi r9,r9,0x83c # 2108
0x9a4110 7d2903a6 mtspr CTR,r9
0x9a4114 4cc63182 crxor crb6,crb6,crb6
0x9a4118 4e800421 bcctrl 0x14,0
0x9a411c 813f0008 lwz r9,8(r31)
0x9a4120 38090001 addi r0,r9,0x1 # 1
0x9a4124 901f0008 stw r0,8(r31)
0x9a4128 801f0008 lwz r0,8(r31)
0x9a412c 813f0018 lwz r9,24(r31)
0x9a4130 7f804800 cmp crf7,0,r0,r9
0x9a4134 419cffcc bc 0xc,28, 0x9a4100 # 0x009a4100
0x9a4138 81610000 lwz r11,0(r1)
0x9a413c 800b0004 lwz r0,4(r11)
0x9a4140 7c0803a6 mtspr LR,r0
0x9a4144 83ebfffc lwz r31,-4(r11)
0x9a4148 7d615b78 or r1,r11,r11
0x9a414c 4e800020 blr
l1_print_bit_number:
0x9a4150 9421ffd0 stwu r1,-48(r1)
0x9a4154 7c0802a6 mfspr r0,LR
0x9a4158 90010034 stw r0,52(r1)
0x9a415c 93e1002c stw r31,44(r1)
0x9a4160 7c3f0b78 or r31,r1,r1
0x9a4164 907f0018 stw r3,24(r31)
0x9a4168 909f001c stw r4,28(r31)
0x9a416c 38000000 li r0,0x0 # 0
0x9a4170 901f0008 stw r0,8(r31)
0x9a4174 801f0018 lwz r0,24(r31)
0x9a4178 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a417c 409d007c bc 0x4,29, 0x9a41f8 # 0x009a41f8
0x9a4180 813f0018 lwz r9,24(r31)
0x9a4184 3809ffff addi r0,r9,0xffff # -1
0x9a4188 901f0008 stw r0,8(r31)
0x9a418c 48000044 b 0x9a41d0 # 0x009a41d0
0x9a4190 3d200205 lis r9,0x205 # 517
0x9a4194 38691f6c addi r3,r9,0x1f6c # 8044
0x9a4198 809f0008 lwz r4,8(r31)
0x9a419c 3d20015a lis r9,0x15a # 346
0x9a41a0 3929083c addi r9,r9,0x83c # 2108
0x9a41a4 7d2903a6 mtspr CTR,r9
0x9a41a8 4cc63182 crxor crb6,crb6,crb6
0x9a41ac 4e800421 bcctrl 0x14,0
0x9a41b0 807f001c lwz r3,28(r31)
0x9a41b4 3d20009a lis r9,0x9a # 154
0x9a41b8 392940d4 addi r9,r9,0x40d4 # 16596
0x9a41bc 7d2903a6 mtspr CTR,r9
0x9a41c0 4e800421 bcctrl 0x14,0
0x9a41c4 813f0008 lwz r9,8(r31)
0x9a41c8 3809ffff addi r0,r9,0xffff # -1
0x9a41cc 901f0008 stw r0,8(r31)
0x9a41d0 801f0008 lwz r0,8(r31)
0x9a41d4 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a41d8 409cffb8 bc 0x4,28, 0x9a4190 # 0x009a4190
0x9a41dc 3d200205 lis r9,0x205 # 517
0x9a41e0 38691f64 addi r3,r9,0x1f64 # 8036
0x9a41e4 3d20015a lis r9,0x15a # 346
0x9a41e8 3929083c addi r9,r9,0x83c # 2108
0x9a41ec 7d2903a6 mtspr CTR,r9
0x9a41f0 4cc63182 crxor crb6,crb6,crb6
0x9a41f4 4e800421 bcctrl 0x14,0
0x9a41f8 81610000 lwz r11,0(r1)
0x9a41fc 800b0004 lwz r0,4(r11)
0x9a4200 7c0803a6 mtspr LR,r0
0x9a4204 83ebfffc lwz r31,-4(r11)
0x9a4208 7d615b78 or r1,r11,r11
0x9a420c 4e800020 blr
l1_print_bit_val:
0x9a4210 9421ffc0 stwu r1,-64(r1)
0x9a4214 7c0802a6 mfspr r0,LR
0x9a4218 90010044 stw r0,68(r1)
0x9a421c 93e1003c stw r31,60(r1)
0x9a4220 7c3f0b78 or r31,r1,r1
0x9a4224 907f0018 stw r3,24(r31)
0x9a4228 909f001c stw r4,28(r31)
0x9a422c 90bf0020 stw r5,32(r31)
0x9a4230 38000000 li r0,0x0 # 0
0x9a4234 901f000c stw r0,12(r31)
0x9a4238 38000000 li r0,0x0 # 0
0x9a423c 901f0008 stw r0,8(r31)
0x9a4240 801f001c lwz r0,28(r31)
0x9a4244 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a4248 409d0090 bc 0x4,29, 0x9a42d8 # 0x009a42d8
0x9a424c 813f001c lwz r9,28(r31)
0x9a4250 3809ffff addi r0,r9,0xffff # -1
0x9a4254 901f000c stw r0,12(r31)
0x9a4258 48000058 b 0x9a42b0 # 0x009a42b0
0x9a425c 813f0018 lwz r9,24(r31)
0x9a4260 801f000c lwz r0,12(r31)
0x9a4264 7d200630 sraw r0,r9,r0
0x9a4268 540007fe rlwinm r0,r0,0,31,31
0x9a426c 901f0008 stw r0,8(r31)
0x9a4270 3d200205 lis r9,0x205 # 517
0x9a4274 38691f6c addi r3,r9,0x1f6c # 8044
0x9a4278 809f0008 lwz r4,8(r31)
0x9a427c 3d20015a lis r9,0x15a # 346
0x9a4280 3929083c addi r9,r9,0x83c # 2108
0x9a4284 7d2903a6 mtspr CTR,r9
0x9a4288 4cc63182 crxor crb6,crb6,crb6
0x9a428c 4e800421 bcctrl 0x14,0
0x9a4290 807f0020 lwz r3,32(r31)
0x9a4294 3d20009a lis r9,0x9a # 154
0x9a4298 392940d4 addi r9,r9,0x40d4 # 16596
0x9a429c 7d2903a6 mtspr CTR,r9
0x9a42a0 4e800421 bcctrl 0x14,0
0x9a42a4 813f000c lwz r9,12(r31)
0x9a42a8 3809ffff addi r0,r9,0xffff # -1
0x9a42ac 901f000c stw r0,12(r31)
0x9a42b0 801f000c lwz r0,12(r31)
0x9a42b4 2f800000 cmpi crf7,0,r0,0x0 # 0
0x9a42b8 409cffa4 bc 0x4,28, 0x9a425c # 0x009a425c
0x9a42bc 3d200205 lis r9,0x205 # 517
0x9a42c0 38691f64 addi r3,r9,0x1f64 # 8036
0x9a42c4 3d20015a lis r9,0x15a # 346
0x9a42c8 3929083c addi r9,r9,0x83c # 2108
0x9a42cc 7d2903a6 mtspr CTR,r9
0x9a42d0 4cc63182 crxor crb6,crb6,crb6
0x9a42d4 4e800421 bcctrl 0x14,0
0x9a42d8 81610000 lwz r11,0(r1)
0x9a42dc 800b0004 lwz r0,4(r11)
0x9a42e0 7c0803a6 mtspr LR,r0
0x9a42e4 83ebfffc lwz r31,-4(r11)
0x9a42e8 7d615b78 or r1,r11,r11
0x9a42ec 4e800020 blr
l1_print_bit:
0x9a42f0 9421ffe0 stwu r1,-32(r1)
0x9a42f4 7c0802a6 mfspr r0,LR
0x9a42f8 90010024 stw r0,36(r1)
0x9a42fc 93e1001c stw r31,28(r1)
0x9a4300 7c3f0b78 or r31,r1,r1
0x9a4304 907f0008 stw r3,8(r31)
0x9a4308 38600080 li r3,0x80 # 128
0x9a430c 3d20009a lis r9,0x9a # 154
0x9a4310 3929403c addi r9,r9,0x403c # 16444
0x9a4314 7d2903a6 mtspr CTR,r9
0x9a4318 4e800421 bcctrl 0x14,0
0x9a431c 38600020 li r3,0x20 # 32
0x9a4320 38800002 li r4,0x2 # 2
0x9a4324 3d20009a lis r9,0x9a # 154
0x9a4328 39294150 addi r9,r9,0x4150 # 16720
0x9a432c 7d2903a6 mtspr CTR,r9
0x9a4330 4e800421 bcctrl 0x14,0
0x9a4334 38600080 li r3,0x80 # 128
0x9a4338 3d20009a lis r9,0x9a # 154
0x9a433c 3929403c addi r9,r9,0x403c # 16444
0x9a4340 7d2903a6 mtspr CTR,r9
0x9a4344 4e800421 bcctrl 0x14,0
0x9a4348 807f0008 lwz r3,8(r31)
0x9a434c 38800020 li r4,0x20 # 32
0x9a4350 38a00002 li r5,0x2 # 2
0x9a4354 3d20009a lis r9,0x9a # 154
0x9a4358 39294210 addi r9,r9,0x4210 # 16912
0x9a435c 7d2903a6 mtspr CTR,r9
0x9a4360 4e800421 bcctrl 0x14,0
0x9a4364 81610000 lwz r11,0(r1)
0x9a4368 800b0004 lwz r0,4(r11)
0x9a436c 7c0803a6 mtspr LR,r0
0x9a4370 83ebfffc lwz r31,-4(r11)
0x9a4374 7d615b78 or r1,r11,r11
0x9a4378 4e800020 blr
hch_sem_init:
0x9a437c 9421ffd0 stwu r1,-48(r1)
使用objdumpppc工具dump出来汇编代码
F:\WindRiver\gnu\4.1.2-vxworks-6.6\x86-win32\bin>objdumpppc -s -S -d F:\qr\DOLPHIN_V2.0\l2card\objs\NPT1200\DHFE_12\ch_fpga\dbg_hch.o>dbg_hch.S
void l1_print_comment_line(eint32 col)
{
28: 94 21 ff e0 stwu r1,-32(r1)
2c: 7c 08 02 a6 mflr r0
30: 93 e1 00 1c stw r31,28(r1)
34: 90 01 00 24 stw r0,36(r1)
38: 7c 3f 0b 78 mr r31,r1
3c: 90 7f 00 08 stw r3,8(r31)
eint32 i = 0;
40: 38 00 00 00 li r0,0
44: 90 1f 00 0c stw r0,12(r31)
for (i = 0; i < col; i++)
48: 38 00 00 00 li r0,0
4c: 90 1f 00 0c stw r0,12(r31)
50: 80 1f 00 0c lwz r0,12(r31)
54: 81 3f 00 08 lwz r9,8(r31)
58: 7f 80 48 00 cmpw cr7,r0,r9
5c: 40 9c 00 20 bge- cr7,7c <l1_print_comment_line+0x54>
{
printf("=");
60: 3d 20 00 00 lis r9,0
64: 38 69 00 00 addi r3,r9,0
68: 48 00 00 01 bl 68 <l1_print_comment_line+0x40>
6c: 81 3f 00 0c lwz r9,12(r31)
70: 38 09 00 01 addi r0,r9,1
74: 90 1f 00 0c stw r0,12(r31)
78: 4b ff ff d8 b 50 <l1_print_comment_line+0x28>
}
printf("\n");
7c: 3d 20 00 00 lis r9,0
80: 38 69 00 04 addi r3,r9,4
84: 48 00 00 01 bl 84 <l1_print_comment_line+0x5c>
}
88: 81 61 00 00 lwz r11,0(r1)
8c: 80 0b 00 04 lwz r0,4(r11)
90: 7c 08 03 a6 mtlr r0
94: 83 eb ff fc lwz r31,-4(r11)
98: 7d 61 5b 78 mr r1,r11
9c: 4e 80 00 20 blr
000000a0 <l1_print_spaces>:
void l1_print_spaces(eint32 col)
{
a0: 94 21 ff e0 stwu r1,-32(r1)
a4: 7c 08 02 a6 mflr r0
a8: 93 e1 00 1c stw r31,28(r1)
ac: 90 01 00 24 stw r0,36(r1)
b0: 7c 3f 0b 78 mr r31,r1
b4: 90 7f 00 08 stw r3,8(r31)
eint32 i = 0;
b8: 38 00 00 00 li r0,0
bc: 90 1f 00 0c stw r0,12(r31)
for (i = 0; i < col; i++)
c0: 38 00 00 00 li r0,0
c4: 90 1f 00 0c stw r0,12(r31)
c8: 80 1f 00 0c lwz r0,12(r31)
cc: 81 3f 00 08 lwz r9,8(r31)
d0: 7f 80 48 00 cmpw cr7,r0,r9
d4: 40 9c 00 20 bge- cr7,f4 <l1_print_spaces+0x54>
{
printf(" ");
d8: 3d 20 00 00 lis r9,0
dc: 38 69 00 08 addi r3,r9,8
e0: 48 00 00 01 bl e0 <l1_print_spaces+0x40>
e4: 81 3f 00 0c lwz r9,12(r31)
e8: 38 09 00 01 addi r0,r9,1
ec: 90 1f 00 0c stw r0,12(r31)
f0: 4b ff ff d8 b c8 <l1_print_spaces+0x28>
}
}
f4: 81 61 00 00 lwz r11,0(r1)
f8: 80 0b 00 04 lwz r0,4(r11)
fc: 7c 08 03 a6 mtlr r0
100: 83 eb ff fc lwz r31,-4(r11)
104: 7d 61 5b 78 mr r1,r11
108: 4e 80 00 20 blr
0000010c <l1_print_bit_number>:
void l1_print_bit_number(eint32 data_width, eint32 interval_space_num)
{
10c: 94 21 ff d0 stwu r1,-48(r1)
110: 7c 08 02 a6 mflr r0
114: 93 e1 00 2c stw r31,44(r1)
118: 90 01 00 34 stw r0,52(r1)
11c: 7c 3f 0b 78 mr r31,r1
120: 90 7f 00 08 stw r3,8(r31)
124: 90 9f 00 0c stw r4,12(r31)
eint32 i = 0;
128: 38 00 00 00 li r0,0
12c: 90 1f 00 10 stw r0,16(r31)
if (data_width <= 0)
130: 80 1f 00 08 lwz r0,8(r31)
134: 2f 80 00 00 cmpwi cr7,r0,0
138: 41 9d 00 08 bgt- cr7,140 <l1_print_bit_number+0x34>
return;
13c: 48 00 00 54 b 190 <l1_print_bit_number+0x84>
for (i = (data_width - 1); i >= 0; i--)
140: 81 3f 00 08 lwz r9,8(r31)
144: 38 09 ff ff addi r0,r9,-1
148: 90 1f 00 10 stw r0,16(r31)
14c: 80 1f 00 10 lwz r0,16(r31)
150: 2f 80 00 00 cmpwi cr7,r0,0
154: 41 9c 00 30 blt- cr7,184 <l1_print_bit_number+0x78>
{
printf("%2d", i);
158: 3d 20 00 00 lis r9,0
15c: 38 69 00 0c addi r3,r9,12
160: 80 9f 00 10 lwz r4,16(r31)
164: 4c c6 31 82 crclr 4*cr1+eq
168: 48 00 00 01 bl 168 <l1_print_bit_number+0x5c>
l1_print_spaces(interval_space_num);
16c: 80 7f 00 0c lwz r3,12(r31)
170: 48 00 00 01 bl 170 <l1_print_bit_number+0x64>
174: 81 3f 00 10 lwz r9,16(r31)
178: 38 09 ff ff addi r0,r9,-1
17c: 90 1f 00 10 stw r0,16(r31)
180: 4b ff ff cc b 14c <l1_print_bit_number+0x40>
}
printf("\n");
184: 3d 20 00 00 lis r9,0
188: 38 69 00 04 addi r3,r9,4
18c: 48 00 00 01 bl 18c <l1_print_bit_number+0x80>
}
190: 81 61 00 00 lwz r11,0(r1)
194: 80 0b 00 04 lwz r0,4(r11)
198: 7c 08 03 a6 mtlr r0
19c: 83 eb ff fc lwz r31,-4(r11)
1a0: 7d 61 5b 78 mr r1,r11
1a4: 4e 80 00 20 blr
000001a8 <l1_print_bit_val>:
void l1_print_bit_val(eint32 data, eint32 data_width, eint32 interval_space_num)
{
1a8: 94 21 ff d0 stwu r1,-48(r1)
1ac: 7c 08 02 a6 mflr r0
1b0: 93 e1 00 2c stw r31,44(r1)
1b4: 90 01 00 34 stw r0,52(r1)
1b8: 7c 3f 0b 78 mr r31,r1
1bc: 90 7f 00 08 stw r3,8(r31)
1c0: 90 9f 00 0c stw r4,12(r31)
1c4: 90 bf 00 10 stw r5,16(r31)
eint32 i = 0;
1c8: 38 00 00 00 li r0,0
1cc: 90 1f 00 14 stw r0,20(r31)
eint32 bit_val = 0;
1d0: 38 00 00 00 li r0,0
1d4: 90 1f 00 18 stw r0,24(r31)
if (data_width <= 0)
1d8: 80 1f 00 0c lwz r0,12(r31)
1dc: 2f 80 00 00 cmpwi cr7,r0,0
1e0: 41 9d 00 08 bgt- cr7,1e8 <l1_print_bit_val+0x40>
return;
1e4: 48 00 00 68 b 24c <l1_print_bit_val+0xa4>
for (i = (data_width - 1); i >= 0; i--)
1e8: 81 3f 00 0c lwz r9,12(r31)
1ec: 38 09 ff ff addi r0,r9,-1
1f0: 90 1f 00 14 stw r0,20(r31)
1f4: 80 1f 00 14 lwz r0,20(r31)
1f8: 2f 80 00 00 cmpwi cr7,r0,0
1fc: 41 9c 00 44 blt- cr7,240 <l1_print_bit_val+0x98>
{
bit_val = (data>>i)&0x1;
200: 81 3f 00 08 lwz r9,8(r31)
204: 80 1f 00 14 lwz r0,20(r31)
208: 7d 20 06 30 sraw r0,r9,r0
20c: 54 00 07 fe clrlwi r0,r0,31
210: 90 1f 00 18 stw r0,24(r31)
printf("%2d", bit_val);
214: 3d 20 00 00 lis r9,0
218: 38 69 00 0c addi r3,r9,12
21c: 80 9f 00 18 lwz r4,24(r31)
220: 4c c6 31 82 crclr 4*cr1+eq
224: 48 00 00 01 bl 224 <l1_print_bit_val+0x7c>
l1_print_spaces(interval_space_num);
228: 80 7f 00 10 lwz r3,16(r31)
22c: 48 00 00 01 bl 22c <l1_print_bit_val+0x84>
230: 81 3f 00 14 lwz r9,20(r31)
234: 38 09 ff ff addi r0,r9,-1
238: 90 1f 00 14 stw r0,20(r31)
23c: 4b ff ff b8 b 1f4 <l1_print_bit_val+0x4c>
}
printf("\n");
240: 3d 20 00 00 lis r9,0
244: 38 69 00 04 addi r3,r9,4
248: 48 00 00 01 bl 248 <l1_print_bit_val+0xa0>
}
24c: 81 61 00 00 lwz r11,0(r1)
250: 80 0b 00 04 lwz r0,4(r11)
254: 7c 08 03 a6 mtlr r0
258: 83 eb ff fc lwz r31,-4(r11)
25c: 7d 61 5b 78 mr r1,r11
260: 4e 80 00 20 blr
00000264 <l1_print_bit>:
/*
l1_print_bit(3):
======================
31 ... 3 2 1 0
======================
0 0 0 0 1 1
*/
void l1_print_bit(eint32 data)
{
264: 94 21 ff e0 stwu r1,-32(r1)
268: 7c 08 02 a6 mflr r0
26c: 93 e1 00 1c stw r31,28(r1)
270: 90 01 00 24 stw r0,36(r1)
274: 7c 3f 0b 78 mr r31,r1
278: 90 7f 00 08 stw r3,8(r31)
#define L1_PRINT_DATA_WIDTH (32)
#define L1_PRINT_BITVAL_WIDTH (2)
#define L1_PRINT_BITVAL_INTERVAL (2)
l1_print_comment_line(L1_PRINT_DATA_WIDTH * L1_PRINT_BITVAL_WIDTH * L1_PRINT_BITVAL_INTERVAL);
27c: 38 60 00 80 li r3,128
280: 48 00 00 01 bl 280 <l1_print_bit+0x1c>
l1_print_bit_number(L1_PRINT_DATA_WIDTH, L1_PRINT_BITVAL_INTERVAL);
284: 38 60 00 20 li r3,32
288: 38 80 00 02 li r4,2
28c: 48 00 00 01 bl 28c <l1_print_bit+0x28>
l1_print_comment_line(L1_PRINT_DATA_WIDTH * L1_PRINT_BITVAL_WIDTH * L1_PRINT_BITVAL_INTERVAL);
290: 38 60 00 80 li r3,128
294: 48 00 00 01 bl 294 <l1_print_bit+0x30>
l1_print_bit_val(data, L1_PRINT_DATA_WIDTH, L1_PRINT_BITVAL_INTERVAL);
298: 80 7f 00 08 lwz r3,8(r31)
29c: 38 80 00 20 li r4,32
2a0: 38 a0 00 02 li r5,2
2a4: 48 00 00 01 bl 2a4 <l1_print_bit+0x40>
#undef L1_PRINT_DATA_WIDTH
#undef L1_PRINT_BITVAL_WIDTH
#undef L1_PRINT_BITVAL_INTERVAL
//extern eint32 fpkt_tester_drv_debug_init(eint32 slot);
//fpkt_tester_drv_debug_init(0);
}
2a8: 81 61 00 00 lwz r11,0(r1)
2ac: 80 0b 00 04 lwz r0,4(r11)
2b0: 7c 08 03 a6 mtlr r0
2b4: 83 eb ff fc lwz r31,-4(r11)
2b8: 7d 61 5b 78 mr r1,r11
2bc: 4e 80 00 20 blr
Sp地址存储的是上一级调用的栈指针。
Sp+4地址存储的是上一级调用的指令地址(LR)。
下面的文章转载自:http://blog.csdn.net/qingfengtsing/article/details/7020677(设置vxWorks硬件断点调试)
In VxWorks 5.5 shell, we could use the following tool to set hardware breakpoint:
-> bh address, access, task, count, quiet
access: 0 - instruction,
1 - read/write data,
2 - read data,
3 - write data
For example, if you want to monitor the data write to the address 0x27b5600, you could use:
-> bh 0x27b5600, 3, 0, 0, 0
When any task writes data to the address 0x27b5600, the hardware breakpoint fires and that task is suspended.
Here is an example on how to debug stack overflow using the hardware breakpoint. It is related to an IPv6 CR, which is good for demonstration.
---------------------
1. Background
---------------------
In IPv6, when an interface is configured with a new address, the switch sends out an NS (Neighbor Solicitation) message to determine whether the given address is already in use by another switch.
If so, the switch receives an NA (Neighbor Advertisement) reply and gives up the given address. This process is called DAD (duplicate address detection). DAD is performed both for the IPv6 management interface and for the other general IPv6 interfaces.
----------------
2. Problem
----------------
When the tester assigns the duplicate IPv6 management address on the different switches, she gets the following error message:
SW WARNING checkStack: task: 2 tid: 0x27699a8 name: tNetTask size: 9984 cur: 248 high: 9984 margin: 0
It means that the stack of the task tNetTask has overflowed or been corrupted while processing the incoming DAD NA message.
----------------------
3. Investigation
----------------------
This issue might be caused by stack overflow or stack corruption, so we need to reproduce it and analyze the stack contents.
Step (1): Make the related tasks breakable. Since it is tNetTask's stack that overflowed in this case, we start with it.
In the shell, run the following command:
-> taskOptionsSet(tNetTask, 7, 5)
/*
STATUS taskOptionsSet
(
int tid, /* 任务ID */
int mask, /* 模式的比特掩码 */
int newOptions /* 待设置模式的比特掩码*/
)
*/
Step (2): Select the address to be monitored.
We need select an address in the stack of tNetTask as the one to be monitored.
In the shell, we could use the following command to get some general stack information of the task tNetTask.
-> ti tNetTask
---------------------------------------------------------------------------------------------------------------
NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY
------------- ----------- -------- ---- ------------ ------- -------- ------- -----
tNetTask netTask 2692518 50 READY 1423c0 2692420 0 0
stack: base 0x2692518 end 0x268fe08 size 9984 high 2344 margin 7640
options: 0x5
VX_SUPERVISOR_MODE VX_DEALLOC_STACK
VxWorks Events
--------------
Events Pended on : Not Pended
Received Events : 0x0
Options : N/A
r0 = 0 sp = 2692420 r2 = 0 r3 = 0
r4 = 0 r5 = 0 r6 = 0 r7 = 0
r8 = 0 r9 = 0 r10 = 0 r11 = 0
r12 = 0 r13 = 0 r14 = 0 r15 = 0
r16 = 0 r17 = 0 r18 = 0 r19 = 0
r20 = 0 r21 = 0 r22 = 0 r23 = 0
r24 = 0 r25 = 0 r26 = 0 r27 = 0
r28 = 0 r29 = ffffffff r30 = b030 r31 = 17e0700
msr = b030 lr = 0 ctr = 0 pc = 1423c0
cr = 20000043 xer = 0
value = 0 = 0x0
-------------------------------------------------------------------------------------------------------------
As we can see, the stack end address is 0x268fe08. Let us display the memory nearby this address.
-> d 0x268fe08, 20, 4
-------------------------------------------------------------------------------------------------
0268fe00: 744e6574 5461736b * tNetTask*
0268fe10: 00eeeeee eeeeeeee eeeeeeee eeeeeeee *................*
0268fe20: eeeeeeee eeeeeeee eeeeeeee eeeeeeee *................*
0268fe30: eeeeeeee eeeeeeee eeeeeeee eeeeeeee *................*
0268fe40: eeeeeeee eeeeeeee eeeeeeee eeeeeeee *................*
0268fe50: eeeeeeee eeeeeeee *................*
value = 21 = 0x15
--------------------------------------------------------------------------------------------------
As it is shown above, the tNetTask's name is saved at its stack end address(任务栈尾存储的是任务名称). Normally, it should not be changed except for stack overflow or corruption. Let us select this address as the one to be monitored.
-> bh 0x268fe08,3,0,0,0
Step (3): Reproduce the problem
When I reproduce the problem, it breaks by the hardware breakpoint with the following information:
------------------------------------------------------------------------------------------------------------------------------------------------
Break at 0x0268fe08: G_MacAddrCapacity+0x4933c0 Task: 0x2692518 (tNetÞ®/}DìWò¸°:Ú7ðPð)
------------------------------------------------------------------------------------------------------------------------------------------------
It is obvious that the address 0x268fe08 is corrupted by tNetTask itself, so I could guess that the problem is not caused by stack corruption. But I still need to dump and analyze the stack to confirm this and to find the reason for the stack overflow.
Step (4): Dump and Analyze the stack of tNetTask
This time, we can not display the information of tNetTask using "ti tNetTask" as before, since the stack end part has been corrupted.
-> ti tNetTask
----------------------------------------
Undefined symbol: tNetTask
-----------------------------------------
We could try its TID instead. The TID of tNetTask is shown in the earlier "ti tNetTask" output in Step (2), 0x2692518. We could also get the TID using the command "i".
-> ti 0x2692518
----------------------------------------------------------------------------------------------------------------------
NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY
---------- ------------ -------- --- ---------- -------- -------- ------- -----
tNetÞ®/}DnetTask 2692518 50 SUSPEND a0d08 268f8b0 0 0
stack: base 0x2692518 end 0x268fe08 size 9984 high 9984 margin 0
options: 0x5
VX_SUPERVISOR_MODE VX_DEALLOC_STACK
VxWorks Events
--------------
Events Pended on : Not Pended
Received Events : 0x0
Options : N/A
r0 = ba78c4 sp = 268f8b0 r2 = 0 r3 = 12be6e8
r4 = 268fe0c r5 = 412 r6 = 0 r7 = 3e07841c
r8 = 0 r9 = 1520000 r10 = 14c r11 = 0
r12 = 0 r13 = 0 r14 = 0 r15 = 0
r16 = 0 r17 = 0 r18 = 0 r19 = 124d1b8
r20 = 2690b40 r21 = 420 r22 = 124d1bc r23 = 2690e60
r24 = 0 r25 = 0 r26 = 2690d40 r27 = 4
r28 = 268f930 r29 = 268f930 r30 = 15235a8 r31 = 2690d60
msr = b030 lr = 107a04 ctr = 137 pc = a0d08
cr = 20842043 xer = 0
value = 0 = 0x0
----------------------------------------------------------------------------------------------------------------------
We can see that tNetTask is suspended by the hardware breakpoint. The sp register holds the address of the top stack frame; its value 0x268f8b0 is lower than the stack end address 0x268fe08. The stack grows from high addresses to low addresses.
VxWorks has a shell tool to do stack trace on task:
-> tt 0x2692518
--------------------------------------------------
trcStack aborted: error in top frame
--------------------------------------------------
In our case it doesn't work, since the overflowed part of the stack might have been corrupted by other tasks. I have to walk the call stack by hand.
-> d 0x268f8b0, 50, 4
--------------------------------------------------------------------------------------------------
0268f8b0: 0268f8d0 00000000 00000000 00000000 *.h..............*
0268f8c0: 00000000 0268f930 015235a8 02690d60 *.....h.0.R5..i.`*
0268f8d0: 0268f910 00ba78c4 00000000 00000000 *.h....x.........*
0268f8e0: 00000000 00000000 00000000 00000000 *................*
0268f8f0: 00000000 00000000 02690d40 02690e60 *.........i.@.i.`*
0268f900: 0268f930 0268f920 02690d60 02690d60 *.h.0.h. .i.`.i.`*
0268f910: 026909a0 004ca2ec 00000000 00000000 *.i...L..........*
0268f920: 00000000 00000000 00000000 00000000 *................*
0268f930: 00000000 00000000 00000000 00000000 *................*
0268f940: 00000000 00000000 00000000 00000000 *................*
0268f950: 00000000 00000000 00000000 00000000 *................*
0268f960: 00000000 00000000 00000000 00000000 *................*
0268f970: 00000000 00000000 *................*
value = 21 = 0x15
--------------------------------------------------------------------------------------------------
The data at address 0x268f8b0 has the value 0x0268f8d0, which is the address of the caller's stack frame (sp地址存储的是上一级调用函数的sp值). Let us analyze that stack frame:
-------------------------------------------------------------------------------------------------
0268f8d0: 0268f910 00ba78c4 00000000 00000000 *.h....x.........*
-------------------------------------------------------------------------------------------------
The data at address 0x0268f8d4 is the return address(sp+4地址存储的是上一级调用函数的调用时的指令地址). We could find the related function it belongs to.
-> lkAddr 0x00ba78c4
----------------------------------------------------------
0x00ba780c BF_set_key text
0x00ba7a30 BIO_new text
0x00ba7ac8 BIO_set text
0x00ba7b80 BIO_free text
0x00ba7c50 BIO_read text
0x00ba7d8c BIO_write text
0x00ba7efc BIO_puts text
0x00ba8014 BIO_gets text
0x00ba813c BIO_int_ctrl text
0x00ba8164 BIO_ptr_ctrl text
0x00ba81a0 BIO_ctrl text
0x00ba82b8 BIO_callback_ctrl text
value = 0 = 0x0
-----------------------------------------------------------
So, it belongs to the function BF_set_key. Repeating this method frame by frame, we can finally reconstruct the whole call stack as follows:
-------------------------------------
vxTaskEntry()
netTask()
dec21x40RxIntHandle()
dec21x40Recv()
endRcvRtnCall()
muxReceive()
endEtherInputHookRtn()
rcip6InputSniffer()
ipv6ProcessFrame()
ifyDipRx()
processIngressPacket()
ifyRpcInProcLocalPkt()
v6ProcLocalPkt()
v6InnerProcLocalPtk()
v6NdRx()
v6procNbrAdv()
ifyDADComplete()
duReport()
bf_encrypt_NP_info()
BF_set_key()
------------------------------------
---------------------
4. Root Cause
---------------------
According to some investigation, the call stack itself shows no errors. But when I look into the code of the function bf_encrypt_NP_info, I find that it declares a huge local struct variable, as follows:
int bf_encrypt_NP_info(const unsigned char *inText, char *retText)
{
char iv[8];
int enc_data_length=0;
BF_KEY key;
…
}
typedef struct bf_key_st
{
BF_LONG P[BF_ROUNDS+2];
BF_LONG S[4*256]; --> 4*4*256 = 4096 bytes
} BF_KEY;
In Step (2) we saw that the stack size of tNetTask is only 9984 bytes, much less than that of tMainTask (81232). When the function bf_encrypt_NP_info is called, its local variables (the S table of the BF_KEY alone is 4096 bytes) exceed the remaining free space of the stack, so the stack overflows.
http://blog.csdn.net/skywind/article/details/6347684(PowerPC 汇编入门与优化)
http://www.docin.com/p-657169278.html(PowerPC栈帧分析)
http://blog.csdn.net/qingfengtsing/article/details/7020677(设置vxWorks硬件断点调试)
http://www.docin.com/p-64598445.html(基于MPC_VxWorks堆栈原理的BACKTRACE算法)