A Hands-On Analysis of a VxWorks Task Hang

Background

Operating system: VxWorks 5.5

CPU: MIPS32 74Kc core

Symptom: during integration testing, the task hung every time the application-layer code called the interface function below. A code review found every input parameter valid and the logic correct; nothing abnormal was found.

/******************************************************************************
 * FunctionName : switch_port_qconfig_set
 * Author       : justin
 * CreateDate   : 20210606
 * Description  : set port cosq qconfig cell
 * InputParam   : int unit
 *                int ponno, PON port number, range 0~15
 *                int cosq, 0~7 for UNI ports
 *                int port_guarantee_cells, THDO_QCONFIG_CELL[Q_MIN_CELL]
 *                int q_shared_alpha, THDO_QCONFIG_CELL[Q_SHARED_ALPHA_CELL]
 * OutputParam  : NA
 * ReturnValue  : 0 - ok; <0 - error;
 * Relation     : NA
 * OtherInfo    : NA
 ******************************************************************************/
int switch_port_qconfig_set(int unit, int ponno, int cosq, int port_guarantee_cells, int q_shared_alpha)
{
    int switchport = 0; /* initialise locals */
    int cpu_cosq_num = NUM_CPU_COSQ_MAX;
    int port_cosq_num = 0;
    int thdo_qconfig_cell_queue_no = 0;
    uint32 thdo_qconfig_cell_entry = 0;

    /* check input parameters */
    if (port_guarantee_cells < THDO_QCONFIG_CELLS_MIN)
    {
        return RV_ERROR;
    }

    /* clamp to the maximum */
    if (port_guarantee_cells > THDO_QCONFIG_CELLS_MAX)
    {
        port_guarantee_cells = THDO_QCONFIG_CELLS_MAX;
    }

    /* alpha must lie within 0~9 */
    if ((q_shared_alpha < THDO_QCONFIG_ALPHA_MIN) || (q_shared_alpha > THDO_QCONFIG_ALPHA_MAX))
    {
        return RV_ERROR;
    }

    /* only UNI ports can be configured */
    if ((ponno < linecard_pon_port_begin()) || (ponno > linecard_pon_port_end()))
    {
        return RV_ERROR;
    }

    switchport = switch_oldport_to_newport(ponno);

    /* get the number of COSQ queues per port */
    BCM_IF_ERROR_RETURN(bcm_cosq_config_get(unit, &port_cosq_num));

    /* compute the index of the given COS queue on the given port */
    thdo_qconfig_cell_queue_no = cpu_cosq_num + (switchport - 1) * port_cosq_num + cosq;

    BCM_IF_ERROR_RETURN(READ_MMU_THDO_QCONFIG_CELLm(unit, MEM_BLOCK_ANY, thdo_qconfig_cell_queue_no, &thdo_qconfig_cell_entry));

    /* save the default configuration */
    if (0 == g_switch_pon_qconfig[ponno][cosq].flag)
    {
        g_switch_pon_qconfig[ponno][cosq].q_min_cell = soc_mem_field32_get(unit, MMU_THDO_QCONFIG_CELLm,
            &thdo_qconfig_cell_entry, Q_MIN_CELLf);
        g_switch_pon_qconfig[ponno][cosq].q_shared_alpha = soc_mem_field32_get(unit, MMU_THDO_QCONFIG_CELLm,
            &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf);
        g_switch_pon_qconfig[ponno][cosq].flag = 1;
    }

    /* allow a PON port to be restored to its default configuration */
    if ((THDO_QCONFIG_CELLS_MIN == port_guarantee_cells) && (THDO_QCONFIG_ALPHA_MIN == q_shared_alpha)
        && (1 == g_switch_pon_qconfig[ponno][cosq].flag))
    {
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm,
            &thdo_qconfig_cell_entry, Q_MIN_CELLf, g_switch_pon_qconfig[ponno][cosq].q_min_cell);
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm,
            &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf, g_switch_pon_qconfig[ponno][cosq].q_shared_alpha);
    }
    else if ((THDO_QCONFIG_CELLS_MIN != port_guarantee_cells) && (THDO_QCONFIG_ALPHA_MIN != q_shared_alpha))
    {
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm,
            &thdo_qconfig_cell_entry, Q_MIN_CELLf, port_guarantee_cells);
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm,
            &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf, q_shared_alpha);
    }

    BCM_IF_ERROR_RETURN(WRITE_MMU_THDO_QCONFIG_CELLm(unit, MEM_BLOCK_ANY, thdo_qconfig_cell_queue_no, &thdo_qconfig_cell_entry));

    return RV_OK;
}

Root cause

1. An out-of-bounds copy in bcopy().

2. During debugging it turned out that the switch SDK library is built with the -O2 option, under which register r30 is used as the general-purpose register s8, while the other modules are built with the default -O0, under which r30 is used as the frame pointer (fp). When the application calls a switch SDK interface function that uses s8, the value in s8 can be overwritten, which then triggers an access to an illegal address.

Analysis

Since the code walkthrough turned up nothing, the only option left was to go all in and locate the problem through disassembly.

First, the i command lists the state of every task in the system; the hung task is cmd_process.

-> i

  NAME        ENTRY       TID    PRI   STATUS      PC       SP     ERRNO  DELAY
---------- ------------ -------- --- ---------- -------- -------- ------- -----
tExcTask   excTask      87d80cb0   0 PEND       80a6f360 87d80b90   3006b     0
tLogTask   logTask      87d7e120   0 PEND       80a6f360 87d7e008       0     0
tShell     shell        87a93670   1 READY      8025707c 87a93288       0     0
tWdbTask   wdbTask      87ab28e0   3 PEND       8015b4cc 87ab2650  3d0002     0
tAioIoTask1aioIoTask    87d8f3f0  50 PEND       8015b4cc 87d8f358       0     0
tAioIoTask0aioIoTask    87d88180  50 PEND       8015b4cc 87d880e8       0     0
tNetTask   netTask      87bf2860  50 PEND       8015b4cc 87bf27d0       0     0
cmd_processMsgProcessTa 4c31d5a0  80 SUSPEND    8016a354 4c31d328  3d0004     0
value = 0 = 0x0

Next, the ti command shows the task's details.

-> ti 0x4c31d5a0
  NAME        ENTRY       TID    PRI   STATUS      PC       SP     ERRNO  DELAY
---------- ------------ -------- --- ---------- -------- -------- ------- -----
cmd_processMsgProcessTa 4c31d5a0  80 SUSPEND    8016a354 4c31d328  3d0004     0

stack: base 0x4c31d5a0  end 0x4c3185a0  size 20464  high 7760   margin 12704

options: 0xc
VX_DEALLOC_STACK    VX_FP_TASK          

VxWorks Events
--------------
Events Pended on    : Not Pended
Received Events     : 0x0
Options             : N/A

$0    =        0   t0    =        0   s0    =        0   t8    =        0
at    =        1   t1    =        1   s1    =        0   t9    =       50
v0    = 4c31d374   t2    =        4   s2    =        0   k0    = 813a3fb8
v1    =        c   t3    =        0   s3    =        0   k1    =        0
a0    =       35   t4    =        0   s4    =        0   gp    = 813a1640
a1    = 4c31d370   t5    =       20   s5    =        0   sp    = 4c31d328
a2    =        4   t6    =      6c8   s6    =        0   s8    = 4c31d328
a3    = 80ad31f0   t7    =        0   s7    =        0   ra    = 80159e30
divlo =       38   divhi =        0   sr    = 1000fc01   pc    = 8016a354
value = 0 = 0x0

The tt command shows the task's call trace before it hung.

-> tt 0x4c31d5a0
8015bee4 vxTaskEntry    +c  : MsgProcessTask (0, 0, 0, 0)
80c58e9c MsgProcessTask +1bc: GeponProcGswCmd (87aa5760, 0, eeeeeeee, eeeeeeee)
80c5a670 GeponProcGswCmd+748: compare_and_exec_cmd (87aa5760, 87aa57b5, 300eeee, eeeeeeee)
80c5a93c compare_and_exec_cmd+2ac: olt_config_set_pon_cosq__config (87aa585d, a8, b1, 0)
80ad31e8 olt_config_set_pon_cosq__config+73c: switch_port_qconfig_set (0, 0, 0, 1)
8016c6c4 excStub        +120: unaligned_load_handler (4, 4c31d388, 4c31d3b0, c)
80159e28 unaligned_load_handler+238: bcopy (4, 4c31d388, 4c31d3b0, 80ad31f0)
value = 0 = 0x0

At this point sp is 0x4c31d328, ra is 0x80159e30 and pc is 0x8016a354. Dump the stack memory that sp points to.

-> d 0x4c31d328,200,4
4c31d320:                    00000004 4c31d388   *            L1..*
4c31d330:  4c31d3b0 80ad31f0 00000000 4c31d34c   *L1....1.....L1.L*
4c31d340:  4c31d368 00000000 80ad31f0 80ad31f4   *L1.h......1...1.*
4c31d350:  00000001 00000035 8fc20034 00000000   *.......5...4....*
4c31d360:  0000001e 00000002 00000000 00000000   *................*
4c31d370:  00000000 00000001 00000001 00000003   *................*
4c31d380:  00000001 8016c6cc 00000004 4c31d388   *............L1..*
4c31d390:  4c31d3b0 0000000c 00002cd0 00000010   *L1........,.....*
4c31d3a0:  4c31d438 00000000 00000035 00000000   *L1.8.......5....*
4c31d3b0:  1000fc03 80ad31f0 00000038 00000000   *......1....8....*
4c31d3c0:  00000000 00031000 00000000 00000000   *................*
4c31d3d0:  80ec45d0 80ec45e4 000000aa 00000000   *..E...E.........*
4c31d3e0:  1000fc01 1000fc00 00000004 00000000   *................*
4c31d3f0:  00000000 00000020 000006c8 00000000   *....... ........*
4c31d400:  00000000 00000000 00000000 00000000   *................*
4c31d410:  00000000 00000000 00000000 00000000   *................*
4c31d420:  00000000 00000050 00000002 00000000   *.......P........*
4c31d430:  813a1640 4c31d448 00000001 80ad31f0   *.:.@L1.H......1.*
4c31d440:  00000001 80ad31f0 00000000 00000000   *......1.........*
4c31d450:  00000000 00000001 00000001 00000000   *................*
4c31d460:  039f5799 00000000 000d0001 00000014   *..W.............*
4c31d470:  00070007 00070000 00000008 00000000   *................*
4c31d480:  00000007 00000000 00000001 00010001   *................*
4c31d490:  00010001 00020002 00020003 00030003   *................*
4c31d4a0:  00040004 00040005 00050005 00060006   *................*
4c31d4b0:  00060007 00070007 4c31d4c0 80c5a944   *........L1.....D*
4c31d4c0:  87aa585d 000000a8 000000b1 00000000   *..X]............*
4c31d4d0:  00000000 00000000 00a84083 87aa5760   *..........@...W`*
4c31d4e0:  4d3e8110 4d3e80e0 00000000 00000000   *M>..M>..........*
4c31d4f0:  039fd500 80c5a268 4c31d500 80c5a678   *.......hL1.....x*
4c31d500:  87aa5760 87aa57b5 0300eeee eeeeeeee   *..W`..W.........*
4c31d510:  4c31d518 eeeeeeee eeeeeeee eeeeeeee   *L1..............*
4c31d520:  0000be49 00f800a8 4083eeee 87aa57b5   *...I....@.....W.*
4c31d530:  87aa5760 00000000 00000000 f8000000   *..W`............*
4c31d540:  00000055 00000000 4c31d550 80c58ea4   *...U....L1.P....*
4c31d550:  87aa5760 00000000 eeeeeeee eeeeeeee   *..W`............*
4c31d560:  80c57ca0 87aa5760 00000e10 eeeeeeee   *..|...W`........*
4c31d570:  00000000 8015beec 00000000 00000000   *................*
4c31d580:  00000000 00000000 00000000 00000000   *................*
4c31d590:  00000000 00000000 00000000 00000000   *................*
4c31d5a0:  00000000 00000000 00000050 00000000   *...........P....*
4c31d5b0:  4c392520 4c74e3f0 0000c119 00000000   *L9% Lt..........*
4c31d5c0:  4c318350 4c3200b0 8015bc10 1000fc01   *L1.PL2..........*
4c31d5d0:  813a503c 4c3185a0 0000000c 00000001   *.:P<L1..........*
4c31d5e0:  00000050 00000050 00000000 00000000   *...P...P........*
4c31d5f0:  00000000 00000000 00000000 87aa5d28   *..............](*
4c31d600:  00000000 00000000 00000000 00000000   *................*
4c31d610:  8101de84 80c58ce0 4c31d5a0 4c3185b0   *........L1..L1..*
4c31d620:  4c3185a0 003d0004 00000000 00000000   *L1...=..........*
4c31d630:  4c318540 00000000 00000000 87aa78e0   *L1.@..........x.*
4c31d640:  00000000 00000000                     *................*
value = 21 = 0x15

Find the function containing pc and disassemble it.

-> 0x8016a354
value = -2146000044 = 0x8016a354 = bcopy + 0xc4
-> l bcopy,50
                        bcopy:
0x8016a290  00a41023    subu            v0,a1,a0
0x8016a294  18400003    blez            v0,0x8016a2a4
0x8016a298  0046082a    slt             at,v0,a2
0x8016a29c  14200040    bnez            at,0x8016a3a0
0x8016a2a0  00a01025    move            v0,a1
0x8016a2a4  28c1000a    slti            at,a2,10
0x8016a2a8  14200024    bnez            at,0x8016a33c
0x8016a2ac  00a61021    addu            v0,a1,a2
0x8016a2b0  00a47026    xor             t6,a1,a0
0x8016a2b4  31cf0003    andi            t7,t6,0x3
0x8016a2b8  15e00021    bnez            t7,0x8016a340
0x8016a2bc  00a2082b    sltu            at,a1,v0
0x8016a2c0  30b80003    andi            t8,a1,0x3
0x8016a2c4  13000008    beqz            t8,0x8016a2e8
0x8016a2c8  00801825    move            v1,a0
0x8016a2cc  90990000    lbu             t9,0(a0)
0x8016a2d0  24a50001    addiu           a1,a1,1
0x8016a2d4  30a80003    andi            t0,a1,0x3
0x8016a2d8  24840001    addiu           a0,a0,1
0x8016a2dc  1500fffb    bnez            t0,0x801aa2cc
0x8016a2e0  a0b9ffff    sb              t9,65535(a1)
0x8016a2e4  00801825    move            v1,a0
0x8016a2e8  00a06025    move            t4,a1
0x8016a2ec  2447fffc    addiu           a3,v0,65532
0x8016a2f0  8c690000    lw              t1,0(v1)
0x8016a2f4  258c0004    addiu           t4,t4,4
0x8016a2f8  00ec082b    sltu            at,a3,t4
0x8016a2fc  24630004    addiu           v1,v1,4
0x8016a300  1020fffb    beqz            at,0x801aa2f0
0x8016a304  ad89fffc    sw              t1,65532(t4)
0x8016a308  01802825    move            a1,t4
0x8016a30c  00602025    move            a0,v1
0x8016a310  00a2082b    sltu            at,a1,v0
0x8016a314  10200063    beqz            at,0x8016a4a4
0x8016a318  00000000    nop     
0x8016a31c  24a50001    addiu           a1,a1,1
0x8016a320  908a0000    lbu             t2,0(a0)
0x8016a324  00a2082b    sltu            at,a1,v0
0x8016a328  24840001    addiu           a0,a0,1
0x8016a32c  1420fffb    bnez            at,0x801aa31c
0x8016a330  a0aaffff    sb              t2,65535(a1)
0x8016a334  03e00008    jr              ra
0x8016a338  00000000    nop     
0x8016a33c  00a2082b    sltu            at,a1,v0
0x8016a340  10200058    beqz            at,0x8016a4a4
0x8016a344  00000000    nop     
0x8016a348  2cc80004    sltiu           t0,a2,4
0x8016a34c  1408000c    bne             zero,t0,0x8016a380
0x8016a350  00064882    srl             t1,a2,2
0x8016a354  88880000    lwl             t0,0(a0)                /* the faulting instruction: load the word at a0+0 into t0; a0 is 0x35 here (53 decimal) */
value = -2146000040 = 0x8016a358 = bcopy + 0xc8

Looking at the disassembly of bcopy, its entry neither saves general-purpose registers (locals) on the stack nor saves the return address ra, so bcopy is a leaf function.

It follows that the caller's sp is also 0x4c31d328 and its pc is the current function's ra, 0x80159e30. Find the function containing that pc and disassemble it.

-> 0x80159e30
value = -2146066896 = 0x80159e30 = unaligned_load_handler + 0x240

-> l unaligned_load_handler,300
                        unaligned_load_handler:
0x80159bf0  27bdffa0    addiu           sp,sp,65440(-96)     // caller's sp = sp + 96 = 0x4c31d388
0x80159bf4  afbf005c    sw              ra,92(sp)            // ra saved at sp + 92, i.e. at 0x4c31d384; value 0x8016c6cc
0x80159bf8  afbe0058    sw              s8,88(sp)            // s8 saved at sp + 88
0x80159bfc  03a0f025    move            s8,sp                // s8 = sp; s8 serves as the frame pointer
0x80159c00  afc40060    sw              a0,96(s8)
0x80159c04  afc50064    sw              a1,100(s8)
0x80159c08  afc60068    sw              a2,104(s8)
0x80159c0c  8fc20064    lw              v0,100(s8)
0x80159c10  8c42002c    lw              v0,44(v0)
0x80159c14  afc20020    sw              v0,32(s8)
0x80159c18  8fc20064    lw              v0,100(s8)
0x80159c1c  8c420014    lw              v0,20(v0)
0x80159c20  000217c2    srl             v0,v0,31
0x80159c24  afc20034    sw              v0,52(s8)
0x80159c28  8fc20064    lw              v0,100(s8)
0x80159c2c  8fc30020    lw              v1,32(s8)
0x80159c30  8c42002c    lw              v0,44(v0)
0x80159c34  10620003    beq             v1,v0,0x80159c44
0x80159c38  00000000    nop     
0x80159c3c  080567b7    j               0x80159edc
0x80159c40  00000000    nop     
0x80159c44  8fc20064    lw              v0,100(s8)
0x80159c48  8c42002c    lw              v0,44(v0)
0x80159c4c  30420003    andi            v0,v0,0x3
0x80159c50  10400003    beqz            v0,0x80159c60
0x80159c54  00000000    nop     
0x80159c58  080567b7    j               0x80159edc
0x80159c5c  00000000    nop     
0x80159c60  8fc20034    lw              v0,52(s8)
0x80159c64  afa20010    sw              v0,16(sp)
0x80159c68  27c20024    addiu           v0,s8,36
0x80159c6c  afa20014    sw              v0,20(sp)
0x80159c70  27c20040    addiu           v0,s8,64
0x80159c74  afa20018    sw              v0,24(sp)
0x80159c78  8fc40060    lw              a0,96(s8)
0x80159c7c  8fc50064    lw              a1,100(s8)
0x80159c80  8fc60068    lw              a2,104(s8)
0x80159c84  8fc70020    lw              a3,32(s8)
0x80159c88  0c056544    jal             0x80159510
0x80159c8c  00000000    nop     
0x80159c90  10400003    beqz            v0,0x80159ca0
0x80159c94  00000000    nop     
0x80159c98  080567b7    j               0x80159edc
0x80159c9c  00000000    nop     
0x80159ca0  8fc20034    lw              v0,52(s8)
0x80159ca4  10400004    beqz            v0,0x80159cb8
0x80159ca8  00000000    nop     
0x80159cac  8fc20020    lw              v0,32(s8)
0x80159cb0  24420004    addiu           v0,v0,4
0x80159cb4  afc20020    sw              v0,32(s8)
0x80159cb8  27c20030    addiu           v0,s8,48
0x80159cbc  8fc40020    lw              a0,32(s8)
0x80159cc0  00402825    move            a1,v0
0x80159cc4  24060004    li              a2,4
0x80159cc8  0c05a8a4    jal             bcopy
0x80159ccc  00000000    nop     
0x80159cd0  8fc20030    lw              v0,48(s8)
0x80159cd4  00021542    srl             v0,v0,21
0x80159cd8  3042001f    andi            v0,v0,0x1f
0x80159cdc  afc20038    sw              v0,56(s8)
0x80159ce0  8fc20030    lw              v0,48(s8)
0x80159ce4  00021402    srl             v0,v0,16
0x80159ce8  3042001f    andi            v0,v0,0x1f
0x80159cec  afc2003c    sw              v0,60(s8)
0x80159cf0  8fc20038    lw              v0,56(s8)
0x80159cf4  1040000a    beqz            v0,0x80159d20
0x80159cf8  00000000    nop     
0x80159cfc  8fc30064    lw              v1,100(s8)
0x80159d00  8fc20038    lw              v0,56(s8)
0x80159d04  00021080    sll             v0,v0,2
0x80159d08  24420038    addiu           v0,v0,56
0x80159d0c  00621021    addu            v0,v1,v0
0x80159d10  8c420000    lw              v0,0(v0)
0x80159d14  afc2004c    sw              v0,76(s8)
0x80159d18  08056749    j               0x80159d24
0x80159d1c  00000000    nop     
0x80159d20  afc0004c    sw              zero,76(s8)
0x80159d24  8fc2004c    lw              v0,76(s8)
0x80159d28  afc20028    sw              v0,40(s8)
0x80159d2c  8fc30028    lw              v1,40(s8)
0x80159d30  afc30050    sw              v1,80(s8)
0x80159d34  8fc20038    lw              v0,56(s8)
0x80159d38  1040000c    beqz            v0,0x80159d6c
0x80159d3c  00000000    nop     
0x80159d40  8fc30064    lw              v1,100(s8)
0x80159d44  8fc20038    lw              v0,56(s8)
0x80159d48  00021080    sll             v0,v0,2
0x80159d4c  24420038    addiu           v0,v0,56
0x80159d50  00621021    addu            v0,v1,v0
0x80159d54  8c420000    lw              v0,0(v0)
0x80159d58  8fc30050    lw              v1,80(s8)
0x80159d5c  1462005f    bne             v1,v0,0x80159edc
0x80159d60  00000000    nop     
0x80159d64  0805675e    j               0x80159d78
0x80159d68  00000000    nop     
0x80159d6c  8fc20050    lw              v0,80(s8)
0x80159d70  1440005a    bnez            v0,0x80159edc
0x80159d74  00000000    nop     
0x80159d78  87c30032    lh              v1,50(s8)
0x80159d7c  8fc20028    lw              v0,40(s8)
0x80159d80  00431021    addu            v0,v0,v1
0x80159d84  afc2002c    sw              v0,44(s8)
0x80159d88  8fc20030    lw              v0,48(s8)
0x80159d8c  00021682    srl             v0,v0,26
0x80159d90  3042003f    andi            v0,v0,0x3f
0x80159d94  2442ffe0    addiu           v0,v0,65504
0x80159d98  afc20054    sw              v0,84(s8)
0x80159d9c  8fc30054    lw              v1,84(s8)
0x80159da0  2c620018    sltiu           v0,v1,24
0x80159da4  1040004d    beqz            v0,0x80159edc
0x80159da8  00000000    nop     
0x80159dac  8fc20054    lw              v0,84(s8)
0x80159db0  00021880    sll             v1,v0,2
0x80159db4  3c0280c7    lui             v0,0x80c7
0x80159db8  2442e4a0    addiu           v0,v0,58528
0x80159dbc  00621021    addu            v0,v1,v0
0x80159dc0  8c420000    lw              v0,0(v0)
0x80159dc4  00400008    jr              v0
0x80159dc8  00000000    nop     
0x80159dcc  27c20044    addiu           v0,s8,68
0x80159dd0  8fc4002c    lw              a0,44(s8)
0x80159dd4  00402825    move            a1,v0
0x80159dd8  24060002    li              a2,2
0x80159ddc  0c05a8a4    jal             bcopy
0x80159de0  00000000    nop     
0x80159de4  00000000    nop     
0x80159de8  8fc2003c    lw              v0,60(s8)
0x80159dec  1040002e    beqz            v0,0x80159ea8
0x80159df0  00000000    nop     
0x80159df4  8fc30064    lw              v1,100(s8)
0x80159df8  8fc2003c    lw              v0,60(s8)
0x80159dfc  00021080    sll             v0,v0,2
0x80159e00  24420038    addiu           v0,v0,56
0x80159e04  00621821    addu            v1,v1,v0
0x80159e08  87c20044    lh              v0,68(s8)
0x80159e0c  ac620000    sw              v0,0(v1)
0x80159e10  080567aa    j               0x80159ea8
0x80159e14  00000000    nop     
0x80159e18  27c20048    addiu           v0,s8,72
0x80159e1c  8fc4002c    lw              a0,44(s8)
0x80159e20  00402825    move            a1,v0
0x80159e24  24060004    li              a2,4
0x80159e28  0c05a8a4    jal             bcopy
0x80159e2c  00000000    nop     
0x80159e30  00000000    nop     
0x80159e34  8fc2003c    lw              v0,60(s8)
0x80159e38  1040001b    beqz            v0,0x80159ea8
0x80159e3c  00000000    nop     
0x80159e40  8fc30064    lw              v1,100(s8)
0x80159e44  8fc2003c    lw              v0,60(s8)
0x80159e48  00021080    sll             v0,v0,2
0x80159e4c  24420038    addiu           v0,v0,56
0x80159e50  00621821    addu            v1,v1,v0
0x80159e54  8fc20048    lw              v0,72(s8)
0x80159e58  ac620000    sw              v0,0(v1)
0x80159e5c  080567aa    j               0x80159ea8
0x80159e60  00000000    nop     
0x80159e64  27c20044    addiu           v0,s8,68
0x80159e68  8fc4002c    lw              a0,44(s8)
0x80159e6c  00402825    move            a1,v0
0x80159e70  24060002    li              a2,2
0x80159e74  0c05a8a4    jal             bcopy
0x80159e78  00000000    nop     
0x80159e7c  00000000    nop     
0x80159e80  8fc2003c    lw              v0,60(s8)
0x80159e84  10400008    beqz            v0,0x80159ea8
0x80159e88  00000000    nop     
0x80159e8c  8fc30064    lw              v1,100(s8)
0x80159e90  8fc2003c    lw              v0,60(s8)
0x80159e94  00021080    sll             v0,v0,2
0x80159e98  24420038    addiu           v0,v0,56
0x80159e9c  00621821    addu            v1,v1,v0
0x80159ea0  97c20044    lhu             v0,68(s8)
0x80159ea4  ac620000    sw              v0,0(v1)
0x80159ea8  8fc20040    lw              v0,64(s8)
0x80159eac  10400006    beqz            v0,0x80159ec8
0x80159eb0  00000000    nop     
0x80159eb4  8fc30064    lw              v1,100(s8)
0x80159eb8  8fc20064    lw              v0,100(s8)
0x80159ebc  8c42002c    lw              v0,44(v0)
0x80159ec0  24420008    addiu           v0,v0,8
0x80159ec4  ac6200b4    sw              v0,180(v1)
0x80159ec8  8fc30064    lw              v1,100(s8)
0x80159ecc  8fc20024    lw              v0,36(s8)
0x80159ed0  ac62002c    sw              v0,44(v1)
0x80159ed4  080567bc    j               0x80159ef0
0x80159ed8  00000000    nop     
0x80159edc  8fc40060    lw              a0,96(s8)
0x80159ee0  8fc50064    lw              a1,100(s8)
0x80159ee4  8fc60068    lw              a2,104(s8)
0x80159ee8  0c05ac45    jal             excExcHandle
0x80159eec  00000000    nop     
0x80159ef0  03c0e825    move            sp,s8
0x80159ef4  8fbf005c    lw              ra,92(sp)
0x80159ef8  8fbe0058    lw              s8,88(sp)
0x80159efc  27bd0060    addiu           sp,sp,96
0x80159f00  03e00008    jr              ra
0x80159f04  00000000    nop

From the register saves at the entry of unaligned_load_handler, the caller's sp is 0x4c31d388 and its pc is 0x8016c6cc. Find the function containing that pc and disassemble it.

-> 0x8016c6cc
value = -2145990964 = 0x8016c6cc = excStub + 0x128
->
-> l excStub,200
                        excStub:
0x8016c5a4  afbdffec    sw              sp,65516(sp)            // sp of the function that raised the exception, saved at sp - 20, i.e. at 0x4c31d434; value 0x4c31d448
0x8016c5a8  27bdff40    addiu           sp,sp,65344(-192)        // caller's sp = sp + 192 = 0x4c31d448
0x8016c5ac  afa1003c    sw              at,60(sp)
0x8016c5b0  afa20040    sw              v0,64(sp)
0x8016c5b4  401b4000    mfc0            k1,badvaddr
0x8016c5b8  00000000    nop     
0x8016c5bc  401a7000    mfc0            k0,epc
0x8016c5c0  00000000    nop     
0x8016c5c4  00000040    ssnop   
0x8016c5c8  00000040    ssnop   
0x8016c5cc  afbb0020    sw              k1,32(sp)                // BadVAddr saved at sp + 32, i.e. at 0x4c31d3a8; value 0x00000035
0x8016c5d0  afba002c    sw              k0,44(sp)                // EPC saved at sp + 44, i.e. at 0x4c31d3b4; value 0x80ad31f0
0x8016c5d4  40026800    mfc0            v0,cause
0x8016c5d8  00000000    nop     
0x8016c5dc  401b6000    mfc0            k1,sr
0x8016c5e0  00000000    nop     
0x8016c5e4  00000040    ssnop   
0x8016c5e8  00000040    ssnop   
0x8016c5ec  afa20014    sw              v0,20(sp)                // Cause saved at sp + 20
0x8016c5f0  3042007c    andi            v0,v0,0x7c
0x8016c5f4  afbb0028    sw              k1,40(sp)
0x8016c5f8  409b6000    mtc0            k1,sr
0x8016c5fc  2401fffd    li              at,65533
0x8016c600  0361d824    and             k1,k1,at
0x8016c604  409b6000    mtc0            k1,sr
0x8016c608  00000040    ssnop   
0x8016c60c  00000040    ssnop   
0x8016c610  00000040    ssnop   
0x8016c614  00000040    ssnop   
0x8016c618  00000000    nop     
0x8016c61c  00000812    mflo            at
0x8016c620  00000000    nop     
0x8016c624  afa10030    sw              at,48(sp)
0x8016c628  00000000    nop     
0x8016c62c  00000810    mfhi            at
0x8016c630  00000000    nop     
0x8016c634  afa10034    sw              at,52(sp)
0x8016c638  afa00038    sw              zero,56(sp)
0x8016c63c  afa000a4    sw              zero,164(sp)
0x8016c640  afa30044    sw              v1,68(sp)
0x8016c644  afa40048    sw              a0,72(sp)                // a0 of the interrupted function saved at sp + 72, i.e. at 0x4c31d3d0; value 0x80ec45d0
0x8016c648  afa5004c    sw              a1,76(sp)                // a1 of the interrupted function saved at sp + 76, i.e. at 0x4c31d3d4; value 0x80ec45e4
0x8016c64c  afa60050    sw              a2,80(sp)                // a2 of the interrupted function saved at sp + 80, i.e. at 0x4c31d3d8; value 0x000000aa
0x8016c650  afa70054    sw              a3,84(sp)                // a3 of the interrupted function saved at sp + 84, i.e. at 0x4c31d3dc; value 0x00000000
0x8016c654  afa80058    sw              t0,88(sp)                //1000fc01
0x8016c658  afa9005c    sw              t1,92(sp)                //1000fc00
0x8016c65c  afaa0060    sw              t2,96(sp)                //00000004
0x8016c660  afab0064    sw              t3,100(sp)
0x8016c664  afac0068    sw              t4,104(sp)
0x8016c668  afad006c    sw              t5,108(sp)
0x8016c66c  afae0070    sw              t6,112(sp)
0x8016c670  afaf0074    sw              t7,116(sp)
0x8016c674  afb80098    sw              t8,152(sp)
0x8016c678  afb9009c    sw              t9,156(sp)
0x8016c67c  afb00078    sw              s0,120(sp)
0x8016c680  afb1007c    sw              s1,124(sp)
0x8016c684  afb20080    sw              s2,128(sp)
0x8016c688  afb30084    sw              s3,132(sp)
0x8016c68c  afb40088    sw              s4,136(sp)
0x8016c690  afb5008c    sw              s5,140(sp)
0x8016c694  afb60090    sw              s6,144(sp)
0x8016c698  afb70094    sw              s7,148(sp)
0x8016c69c  afbe00b0    sw              s8,176(sp)                // s8 saved at sp + 176, i.e. at 0x4c31d438; value 0x00000001
0x8016c6a0  afbc00a8    sw              gp,168(sp)
0x8016c6a4  afbf00b4    sw              ra,180(sp)                // ra saved at sp + 180, i.e. at 0x4c31d43c; value 0x80ad31f0
0x8016c6a8  00022082    srl             a0,v0,2
0x8016c6ac  03a02825    move            a1,sp
0x8016c6b0  27a60028    addiu           a2,sp,40
0x8016c6b4  3c088101    lui             t0,0x8101
0x8016c6b8  2508e610    addiu           t0,t0,58896
0x8016c6bc  00481021    addu            v0,v0,t0
0x8016c6c0  8c420000    lw              v0,0(v0)
0x8016c6c4  0040f809    jalr            v0
0x8016c6c8  00000000    nop     
0x8016c6cc  8fa20040    lw              v0,64(sp)
0x8016c6d0  8fa30044    lw              v1,68(sp)
0x8016c6d4  8fa40048    lw              a0,72(sp)
0x8016c6d8  8fa5004c    lw              a1,76(sp)
0x8016c6dc  8fa60050    lw              a2,80(sp)
0x8016c6e0  8fa70054    lw              a3,84(sp)
0x8016c6e4  8fa80058    lw              t0,88(sp)
0x8016c6e8  8fa9005c    lw              t1,92(sp)
0x8016c6ec  8faa0060    lw              t2,96(sp)
0x8016c6f0  8fab0064    lw              t3,100(sp)
0x8016c6f4  8fac0068    lw              t4,104(sp)
0x8016c6f8  8fad006c    lw              t5,108(sp)
0x8016c6fc  8fae0070    lw              t6,112(sp)
0x8016c700  8faf0074    lw              t7,116(sp)
0x8016c704  8fb00078    lw              s0,120(sp)
0x8016c708  8fb1007c    lw              s1,124(sp)
0x8016c70c  8fb20080    lw              s2,128(sp)
0x8016c710  8fb30084    lw              s3,132(sp)
0x8016c714  8fb40088    lw              s4,136(sp)
0x8016c718  8fb5008c    lw              s5,140(sp)
0x8016c71c  8fb60090    lw              s6,144(sp)
0x8016c720  8fb70094    lw              s7,148(sp)
0x8016c724  8fbe00b0    lw              s8,176(sp)
0x8016c728  8fbc00a8    lw              gp,168(sp)
0x8016c72c  8fbf00b4    lw              ra,180(sp)
0x8016c730  8fb90030    lw              t9,48(sp)
0x8016c734  00000000    nop     
0x8016c738  03200013    mtlo            t9
0x8016c73c  00000000    nop     
0x8016c740  8fb90034    lw              t9,52(sp)
0x8016c744  00000000    nop     
0x8016c748  03200011    mthi            t9
0x8016c74c  00000000    nop     
0x8016c750  34190001    liu             t9,0x1
0x8016c754  40996000    mtc0            t9,sr
0x8016c758  00000040    ssnop   
0x8016c75c  00000040    ssnop   
0x8016c760  00000040    ssnop   
0x8016c764  00000040    ssnop   
0x8016c768  8fb90028    lw              t9,40(sp)
0x8016c76c  37390002    ori             t9,t9,0x2
0x8016c770  40996000    mtc0            t9,sr
0x8016c774  00000040    ssnop   
0x8016c778  00000040    ssnop   
0x8016c77c  00000040    ssnop   
0x8016c780  00000040    ssnop   
0x8016c784  8fa1003c    lw              at,60(sp)
0x8016c788  8fb80098    lw              t8,152(sp)
0x8016c78c  8fb9009c    lw              t9,156(sp)
0x8016c790  8fbb002c    lw              k1,44(sp)
0x8016c794  27bd00c0    addiu           sp,sp,192
0x8016c798  409b7000    mtc0            k1,epc
0x8016c79c  00000040    ssnop   
0x8016c7a0  00000040    ssnop   
0x8016c7a4  00000040    ssnop   
0x8016c7a8  00000040    ssnop   
0x8016c7ac  42000018    eret

excStub is the exception handler. Its disassembly shows that in this environment the exception handler has no stack of its own; it runs on the stack of the function that raised the exception. From the disassembly and the stack data, the CP0 register BadVAddr is 0x00000035 (the same illegal address that bcopy accessed) and EPC is 0x80ad31f0. The caller's sp is 0x4c31d448 and its ra is 0x80ad31f0, matching EPC. Find the function containing EPC and disassemble it.

-> 0x80ad31f0
value = -2136133136 = 0x80ad31f0 = olt_config_set_pon_cosq__config + 0x744
-> 
-> l olt_config_set_pon_cosq__config
olt_config_set_pon_cosq__config:
0x80ad2aac  27bdff88    addiu           sp,sp,65416(-120)        // caller's sp = sp + 120 = 0x4c31d4c0
0x80ad2ab0  afbf0074    sw              ra,116(sp)                // ra saved at sp + 116
0x80ad2ab4  afbe0070    sw              s8,112(sp)                // s8 saved at sp + 112
0x80ad2ab8  03a0f025    move            s8,sp                    // s8 = sp; s8 serves as the frame pointer
0x80ad2abc  afc40078    sw              a0,120(s8)
0x80ad2ac0  afc5007c    sw              a1,124(s8)
0x80ad2ac4  00c01025    move            v0,a2
0x80ad2ac8  a7c20018    sh              v0,24(s8)
0x80ad2acc  afc0001c    sw              zero,28(s8)
0x80ad2ad0  a7c00020    sh              zero,32(s8)
0x80ad2ad4  a7c00022    sh              zero,34(s8)
0x80ad2ad8  a7c00024    sh              zero,36(s8)
0x80ad2adc  a7c00026    sh              zero,38(s8)
0x80ad2ae0  a7c00028    sh              zero,40(s8)
0x80ad2ae4  a7c0002a    sh              zero,42(s8)
0x80ad2ae8  a7c0002c    sh              zero,44(s8)
0x80ad2aec  afc00030    sw              zero,48(s8)
0x80ad2af0  afc00034    sw              zero,52(s8)
0x80ad2af4  afc00038    sw              zero,56(s8)
0x80ad2af8  8fc20078    lw              v0,120(s8)
0x80ad2afc  10400006    beqz            v0,0x80ad2b18
0x80ad2b00  00000000    nop     
0x80ad2b04  8fc2007c    lw              v0,124(s8)
0x80ad2b08  18400003    blez            v0,0x80ad2b18
0x80ad2b0c  00000000    nop     
0x80ad2b10  082b4ad0    j               0x80ad2b40
0x80ad2b14  00000000    nop     
0x80ad2b18  3c0480f2    lui             a0,0x80f2
0x80ad2b1c  248460f0    addiu           a0,a0,24816
0x80ad2b20  3c0580f2    lui             a1,0x80f2
0x80ad2b24  24a56a3c    addiu           a1,a1,27196
0x80ad2b28  24061f65    li              a2,8037
0x80ad2b2c  0c086611    jal             printf
0x80ad2b30  00000000    nop     
0x80ad2b34  2402ffff    li              v0,65535
0x80ad2b38  082b4c8b    j               0x80ad322c
0x80ad2b3c  00000000    nop     
0x80ad2b40  8fc20078    lw              v0,120(s8)
0x80ad2b44  94420000    lhu             v0,0(v0)
0x80ad2b48  a7c20020    sh              v0,32(s8)
0x80ad2b4c  8fc20078    lw              v0,120(s8)
0x80ad2b50  24420002    addiu           v0,v0,2
0x80ad2b54  afc20078    sw              v0,120(s8)
0x80ad2b58  0c05a86e    jal             GetSlotNo
0x80ad2b5c  00000000    nop     
0x80ad2b60  00402025    move            a0,v0
0x80ad2b64  0c2f2a70    jal             toOuterSlot
0x80ad2b68  00000000    nop     
0x80ad2b6c  00401825    move            v1,v0
0x80ad2b70  97c20020    lhu             v0,32(s8)
0x80ad2b74  10430013    beq             v0,v1,0x80ad2bc4
0x80ad2b78  00000000    nop     
0x80ad2b7c  0c05a86e    jal             GetSlotNo
0x80ad2b80  00000000    nop     
0x80ad2b84  00402025    move            a0,v0
0x80ad2b88  0c2f2a70    jal             toOuterSlot
0x80ad2b8c  00000000    nop     
0x80ad2b90  97c30020    lhu             v1,32(s8)
0x80ad2b94  afa20010    sw              v0,16(sp)
0x80ad2b98  3c0480f2    lui             a0,0x80f2
0x80ad2b9c  24846a5c    addiu           a0,a0,27228
0x80ad2ba0  3c0580f2    lui             a1,0x80f2
0x80ad2ba4  24a56a3c    addiu           a1,a1,27196
0x80ad2ba8  24061f70    li              a2,8048
0x80ad2bac  00603825    move            a3,v1
0x80ad2bb0  0c086611    jal             printf
0x80ad2bb4  00000000    nop     
0x80ad2bb8  2402fffd    li              v0,65533
0x80ad2bbc  082b4c8b    j               0x80ad322c
0x80ad2bc0  00000000    nop     
0x80ad2bc4  8fc20078    lw              v0,120(s8)
0x80ad2bc8  94420000    lhu             v0,0(v0)
0x80ad2bcc  a7c20022    sh              v0,34(s8)
0x80ad2bd0  8fc20078    lw              v0,120(s8)
0x80ad2bd4  24420002    addiu           v0,v0,2
0x80ad2bd8  afc20078    sw              v0,120(s8)
0x80ad2bdc  97c30022    lhu             v1,34(s8)
0x80ad2be0  3402ffff    liu             v0,0xffff
0x80ad2be4  10620018    beq             v1,v0,0x80ad2c48
0x80ad2be8  00000000    nop     
0x80ad2bec  97c20022    lhu             v0,34(s8)
0x80ad2bf0  10400009    beqz            v0,0x80ad2c18
0x80ad2bf4  00000000    nop     
0x80ad2bf8  97c20022    lhu             v0,34(s8)
0x80ad2bfc  3c038131    lui             v1,0x8131
0x80ad2c00  8c638b3c    lw              v1,35644(v1)
0x80ad2c04  0062102a    slt             v0,v1,v0
0x80ad2c08  14400003    bnez            v0,0x80ad2c18
0x80ad2c0c  00000000    nop     
0x80ad2c10  082b4b12    j               0x80ad2c48
0x80ad2c14  00000000    nop     
0x80ad2c18  97c20022    lhu             v0,34(s8)
0x80ad2c1c  3c0480f2    lui             a0,0x80f2
0x80ad2c20  24846a88    addiu           a0,a0,27272
0x80ad2c24  3c0580f2    lui             a1,0x80f2
0x80ad2c28  24a56a3c    addiu           a1,a1,27196
0x80ad2c2c  24061f7c    li              a2,8060
0x80ad2c30  00403825    move            a3,v0
0x80ad2c34  0c086611    jal             printf
0x80ad2c38  00000000    nop     
0x80ad2c3c  2402fffd    li              v0,65533
0x80ad2c40  082b4c8b    j               0x80ad322c
0x80ad2c44  00000000    nop     
0x80ad2c48  8fc20078    lw              v0,120(s8)
0x80ad2c4c  24420010    addiu           v0,v0,16
0x80ad2c50  afc20078    sw              v0,120(s8)
0x80ad2c54  8fc20078    lw              v0,120(s8)
0x80ad2c58  94420000    lhu             v0,0(v0)
0x80ad2c5c  a7c20026    sh              v0,38(s8)
0x80ad2c60  8fc20078    lw              v0,120(s8)
0x80ad2c64  24420002    addiu           v0,v0,2
0x80ad2c68  afc20078    sw              v0,120(s8)
0x80ad2c6c  97c20026    lhu             v0,38(s8)
0x80ad2c70  10400017    beqz            v0,0x80ad2cd0
0x80ad2c74  00000000    nop     
0x80ad2c78  97c20026    lhu             v0,38(s8)
0x80ad2c7c  2c420008    sltiu           v0,v0,8
0x80ad2c80  14400007    bnez            v0,0x80ad2ca0
0x80ad2c84  00000000    nop     
0x80ad2c88  97c20026    lhu             v0,38(s8)
0x80ad2c8c  2c42001c    sltiu           v0,v0,28
0x80ad2c90  10400003    beqz            v0,0x80ad2ca0
0x80ad2c94  00000000    nop     
0x80ad2c98  082b4b34    j               0x80ad2cd0
0x80ad2c9c  00000000    nop     
0x80ad2ca0  97c20026    lhu             v0,38(s8)
0x80ad2ca4  3c0480f2    lui             a0,0x80f2
0x80ad2ca8  24846aa8    addiu           a0,a0,27304
0x80ad2cac  3c0580f2    lui             a1,0x80f2
0x80ad2cb0  24a56a3c    addiu           a1,a1,27196
0x80ad2cb4  24061f8a    li              a2,8074
0x80ad2cb8  00403825    move            a3,v0
0x80ad2cbc  0c086611    jal             printf
0x80ad2cc0  00000000    nop     
0x80ad2cc4  2402fffd    li              v0,65533
0x80ad2cc8  082b4c8b    j               0x80ad322c
0x80ad2ccc  00000000    nop     
0x80ad2cd0  8fc20078    lw              v0,120(s8)
0x80ad2cd4  2442000e    addiu           v0,v0,14
0x80ad2cd8  afc20078    sw              v0,120(s8)
0x80ad2cdc  8fc20078    lw              v0,120(s8)
0x80ad2ce0  8c420000    lw              v0,0(v0)
0x80ad2ce4  afc20030    sw              v0,48(s8)
0x80ad2ce8  8fc20078    lw              v0,120(s8)
0x80ad2cec  24420004    addiu           v0,v0,4
0x80ad2cf0  afc20078    sw              v0,120(s8)
0x80ad2cf4  8fc30030    lw              v1,48(s8)
0x80ad2cf8  24020008    li              v0,8
0x80ad2cfc  1062000c    beq             v1,v0,0x80ad2d30
0x80ad2d00  00000000    nop     
0x80ad2d04  3c0480f2    lui             a0,0x80f2
0x80ad2d08  24846acc    addiu           a0,a0,27340
0x80ad2d0c  3c0580f2    lui             a1,0x80f2
0x80ad2d10  24a56a3c    addiu           a1,a1,27196
0x80ad2d14  24061f96    li              a2,8086
0x80ad2d18  8fc70030    lw              a3,48(s8)
0x80ad2d1c  0c086611    jal             printf
0x80ad2d20  00000000    nop     
0x80ad2d24  2402fffe    li              v0,65534
0x80ad2d28  082b4c8b    j               0x80ad322c
0x80ad2d2c  00000000    nop     
0x80ad2d30  27c20040    addiu           v0,s8,64
0x80ad2d34  00402025    move            a0,v0
0x80ad2d38  00002825    move            a1,zero
0x80ad2d3c  24060030    li              a2,48
0x80ad2d40  0c0851d7    jal             memset
0x80ad2d44  00000000    nop     
0x80ad2d48  afc00034    sw              zero,52(s8)
0x80ad2d4c  8fc20034    lw              v0,52(s8)
0x80ad2d50  8fc30030    lw              v1,48(s8)
0x80ad2d54  0043102b    sltu            v0,v0,v1
0x80ad2d58  14400003    bnez            v0,0x80ad2d68
0x80ad2d5c  00000000    nop     
0x80ad2d60  082b4bc9    j               0x80ad2f24
0x80ad2d64  00000000    nop     
0x80ad2d68  8fc20078    lw              v0,120(s8)
0x80ad2d6c  94420000    lhu             v0,0(v0)
0x80ad2d70  a7c2002c    sh              v0,44(s8)
0x80ad2d74  8fc20078    lw              v0,120(s8)
0x80ad2d78  24420002    addiu           v0,v0,2
0x80ad2d7c  afc20078    sw              v0,120(s8)
0x80ad2d80  97c2002c    lhu             v0,44(s8)
0x80ad2d84  2c420008    sltiu           v0,v0,8
0x80ad2d88  1440000d    bnez            v0,0x80ad2dc0
0x80ad2d8c  00000000    nop     
0x80ad2d90  97c2002c    lhu             v0,44(s8)
0x80ad2d94  3c0480f2    lui             a0,0x80f2
0x80ad2d98  24846aec    addiu           a0,a0,27372
0x80ad2d9c  3c0580f2    lui             a1,0x80f2
0x80ad2da0  24a56a3c    addiu           a1,a1,27196
0x80ad2da4  24061fa5    li              a2,8101
0x80ad2da8  00403825    move            a3,v0
0x80ad2dac  0c086611    jal             printf
0x80ad2db0  00000000    nop     
0x80ad2db4  2402fffe    li              v0,65534
0x80ad2db8  082b4c8b    j               0x80ad322c
0x80ad2dbc  00000000    nop     
0x80ad2dc0  97c3002c    lhu             v1,44(s8)
0x80ad2dc4  8fc20034    lw              v0,52(s8)
0x80ad2dc8  10620005    beq             v1,v0,0x80ad2de0
value = -2136134196 = 0x80ad2dcc = olt_config_set_pon_cosq__config + 0x320
-> l
0x80ad2dcc  00000000    nop     
0x80ad2dd0  97c2002c    lhu             v0,44(s8)
0x80ad2dd4  afc20038    sw              v0,56(s8)
0x80ad2dd8  082b4b7a    j               0x80ad2de8
0x80ad2ddc  00000000    nop     
0x80ad2de0  8fc20034    lw              v0,52(s8)
0x80ad2de4  afc20038    sw              v0,56(s8)
0x80ad2de8  8fc20078    lw              v0,120(s8)
0x80ad2dec  94420000    lhu             v0,0(v0)
0x80ad2df0  a7c20028    sh              v0,40(s8)
0x80ad2df4  8fc20078    lw              v0,120(s8)
0x80ad2df8  24420002    addiu           v0,v0,2
0x80ad2dfc  afc20078    sw              v0,120(s8)
0x80ad2e00  97c2002c    lhu             v0,44(s8)
0x80ad2e04  2c421001    sltiu           v0,v0,4097
0x80ad2e08  1440000d    bnez            v0,0x80ad2e40
0x80ad2e0c  00000000    nop     
0x80ad2e10  97c20028    lhu             v0,40(s8)
0x80ad2e14  3c0480f2    lui             a0,0x80f2
0x80ad2e18  24846b04    addiu           a0,a0,27396
0x80ad2e1c  3c0580f2    lui             a1,0x80f2
0x80ad2e20  24a56a3c    addiu           a1,a1,27196
0x80ad2e24  24061fb8    li              a2,8120
0x80ad2e28  00403825    move            a3,v0
0x80ad2e2c  0c086611    jal             printf
0x80ad2e30  00000000    nop     
0x80ad2e34  2402fffe    li              v0,65534
0x80ad2e38  082b4c8b    j               0x80ad322c
0x80ad2e3c  00000000    nop     
0x80ad2e40  8fc20078    lw              v0,120(s8)
0x80ad2e44  94420000    lhu             v0,0(v0)
0x80ad2e48  a7c2002a    sh              v0,42(s8)
0x80ad2e4c  8fc20078    lw              v0,120(s8)
0x80ad2e50  24420002    addiu           v0,v0,2
0x80ad2e54  afc20078    sw              v0,120(s8)
0x80ad2e58  97c2002a    lhu             v0,42(s8)
0x80ad2e5c  2c42000a    sltiu           v0,v0,10
0x80ad2e60  1440000d    bnez            v0,0x80ad2e98
0x80ad2e64  00000000    nop     
0x80ad2e68  97c2002a    lhu             v0,42(s8)
0x80ad2e6c  3c0480f2    lui             a0,0x80f2
0x80ad2e70  24846b20    addiu           a0,a0,27424
0x80ad2e74  3c0580f2    lui             a1,0x80f2
0x80ad2e78  24a56a3c    addiu           a1,a1,27196
0x80ad2e7c  24061fc2    li              a2,8130
0x80ad2e80  00403825    move            a3,v0
0x80ad2e84  0c086611    jal             printf
0x80ad2e88  00000000    nop     
0x80ad2e8c  2402fffe    li              v0,65534
0x80ad2e90  082b4c8b    j               0x80ad322c
0x80ad2e94  00000000    nop     
0x80ad2e98  8fc20078    lw              v0,120(s8)
0x80ad2e9c  2442000a    addiu           v0,v0,10
0x80ad2ea0  afc20078    sw              v0,120(s8)
0x80ad2ea4  8fc30038    lw              v1,56(s8)
0x80ad2ea8  00601025    move            v0,v1
0x80ad2eac  00021040    sll             v0,v0,1
0x80ad2eb0  00431021    addu            v0,v0,v1
0x80ad2eb4  00021840    sll             v1,v0,1
0x80ad2eb8  27c20040    addiu           v0,s8,64
0x80ad2ebc  00431821    addu            v1,v0,v1
0x80ad2ec0  97c2002c    lhu             v0,44(s8)
0x80ad2ec4  a4620000    sh              v0,0(v1)
0x80ad2ec8  8fc30038    lw              v1,56(s8)
0x80ad2ecc  00601025    move            v0,v1
0x80ad2ed0  00021040    sll             v0,v0,1
0x80ad2ed4  00431021    addu            v0,v0,v1
0x80ad2ed8  00021840    sll             v1,v0,1
0x80ad2edc  27c20044    addiu           v0,s8,68
0x80ad2ee0  00431821    addu            v1,v0,v1
0x80ad2ee4  97c2002a    lhu             v0,42(s8)
0x80ad2ee8  a4620000    sh              v0,0(v1)
0x80ad2eec  8fc30038    lw              v1,56(s8)
0x80ad2ef0  00601025    move            v0,v1
0x80ad2ef4  00021040    sll             v0,v0,1
0x80ad2ef8  00431021    addu            v0,v0,v1
0x80ad2efc  00021840    sll             v1,v0,1
0x80ad2f00  27c20042    addiu           v0,s8,66
0x80ad2f04  00431821    addu            v1,v0,v1
0x80ad2f08  97c20028    lhu             v0,40(s8)
0x80ad2f0c  a4620000    sh              v0,0(v1)
0x80ad2f10  8fc20034    lw              v0,52(s8)
0x80ad2f14  24420001    addiu           v0,v0,1
0x80ad2f18  afc20034    sw              v0,52(s8)
0x80ad2f1c  082b4b53    j               0x80ad2d4c
0x80ad2f20  00000000    nop     
0x80ad2f24  97c30022    lhu             v1,34(s8)
0x80ad2f28  3402ffff    liu             v0,0xffff
0x80ad2f2c  14620066    bne             v1,v0,0x80ad30c8
0x80ad2f30  00000000    nop     
0x80ad2f34  24020001    li              v0,1
0x80ad2f38  a7c20024    sh              v0,36(s8)
0x80ad2f3c  97c20024    lhu             v0,36(s8)
0x80ad2f40  3c038131    lui             v1,0x8131
0x80ad2f44  8c638b3c    lw              v1,35644(v1)
0x80ad2f48  0062102a    slt             v0,v1,v0
0x80ad2f4c  10400003    beqz            v0,0x80ad2f5c
0x80ad2f50  00000000    nop     
0x80ad2f54  082b4c8a    j               0x80ad3228
0x80ad2f58  00000000    nop     
0x80ad2f5c  97c30024    lhu             v1,36(s8)
0x80ad2f60  97c20026    lhu             v0,38(s8)
0x80ad2f64  000210c0    sll             v0,v0,3
0x80ad2f68  3042ffff    andi            v0,v0,0xffff
0x80ad2f6c  00602025    move            a0,v1
0x80ad2f70  00402825    move            a1,v0
0x80ad2f74  0c2b4a03    jal             cfg_mod_set_olt_port_frame_gap
0x80ad2f78  00000000    nop     
0x80ad2f7c  afc00034    sw              zero,52(s8)
0x80ad2f80  8fc20034    lw              v0,52(s8)
0x80ad2f84  8fc30030    lw              v1,48(s8)
0x80ad2f88  0043102b    sltu            v0,v0,v1
0x80ad2f8c  1440000f    bnez            v0,0x80ad2fcc
0x80ad2f90  00000000    nop     
0x80ad2f94  97c20024    lhu             v0,36(s8)
0x80ad2f98  2443ffff    addiu           v1,v0,65535
0x80ad2f9c  97c20026    lhu             v0,38(s8)
0x80ad2fa0  000210c0    sll             v0,v0,3
0x80ad2fa4  00002025    move            a0,zero
0x80ad2fa8  00602825    move            a1,v1
0x80ad2fac  00403025    move            a2,v0
0x80ad2fb0  0c22be64    jal             linecard_set_port_gap
0x80ad2fb4  00000000    nop     
0x80ad2fb8  97c20024    lhu             v0,36(s8)
0x80ad2fbc  24420001    addiu           v0,v0,1
0x80ad2fc0  a7c20024    sh              v0,36(s8)
0x80ad2fc4  082b4bcf    j               0x80ad2f3c
0x80ad2fc8  00000000    nop     
0x80ad2fcc  97c40024    lhu             a0,36(s8)
0x80ad2fd0  8fc30034    lw              v1,52(s8)
0x80ad2fd4  00601025    move            v0,v1
0x80ad2fd8  00021040    sll             v0,v0,1
0x80ad2fdc  00431021    addu            v0,v0,v1
0x80ad2fe0  00021840    sll             v1,v0,1
0x80ad2fe4  27c20040    addiu           v0,s8,64
0x80ad2fe8  00431021    addu            v0,v0,v1
0x80ad2fec  94450000    lhu             a1,0(v0)
0x80ad2ff0  8fc30034    lw              v1,52(s8)
0x80ad2ff4  00601025    move            v0,v1
0x80ad2ff8  00021040    sll             v0,v0,1
0x80ad2ffc  00431021    addu            v0,v0,v1
0x80ad3000  00021840    sll             v1,v0,1
0x80ad3004  27c20042    addiu           v0,s8,66
0x80ad3008  00431021    addu            v0,v0,v1
0x80ad300c  94460000    lhu             a2,0(v0)
0x80ad3010  8fc30034    lw              v1,52(s8)
0x80ad3014  00601025    move            v0,v1
0x80ad3018  00021040    sll             v0,v0,1
0x80ad301c  00431021    addu            v0,v0,v1
0x80ad3020  00021840    sll             v1,v0,1
0x80ad3024  27c20044    addiu           v0,s8,68
0x80ad3028  00431021    addu            v0,v0,v1
0x80ad302c  94420000    lhu             v0,0(v0)
0x80ad3030  00403825    move            a3,v0
0x80ad3034  0c2b4909    jal             cfg_mod_set_olt_port_cosq_para
0x80ad3038  00000000    nop     
0x80ad303c  97c20024    lhu             v0,36(s8)
0x80ad3040  2445ffff    addiu           a1,v0,65535
0x80ad3044  8fc30034    lw              v1,52(s8)
0x80ad3048  00601025    move            v0,v1
0x80ad304c  00021040    sll             v0,v0,1
0x80ad3050  00431021    addu            v0,v0,v1
0x80ad3054  00021840    sll             v1,v0,1
0x80ad3058  27c20040    addiu           v0,s8,64
0x80ad305c  00431021    addu            v0,v0,v1
0x80ad3060  94460000    lhu             a2,0(v0)
0x80ad3064  8fc30034    lw              v1,52(s8)
0x80ad3068  00601025    move            v0,v1
0x80ad306c  00021040    sll             v0,v0,1
0x80ad3070  00431021    addu            v0,v0,v1
0x80ad3074  00021840    sll             v1,v0,1
0x80ad3078  27c20042    addiu           v0,s8,66
0x80ad307c  00431021    addu            v0,v0,v1
0x80ad3080  94470000    lhu             a3,0(v0)
0x80ad3084  8fc30034    lw              v1,52(s8)
0x80ad3088  00601025    move            v0,v1
0x80ad308c  00021040    sll             v0,v0,1
0x80ad3090  00431021    addu            v0,v0,v1
0x80ad3094  00021840    sll             v1,v0,1
0x80ad3098  27c20044    addiu           v0,s8,68
0x80ad309c  00431021    addu            v0,v0,v1
0x80ad30a0  94420000    lhu             v0,0(v0)
0x80ad30a4  afa20010    sw              v0,16(sp)
0x80ad30a8  00002025    move            a0,zero
0x80ad30ac  0c22bf3f    jal             switch_port_qconfig_set
0x80ad30b0  00000000    nop     
0x80ad30b4  8fc20034    lw              v0,52(s8)
0x80ad30b8  24420001    addiu           v0,v0,1
0x80ad30bc  afc20034    sw              v0,52(s8)
0x80ad30c0  082b4be0    j               0x80ad2f80
0x80ad30c4  00000000    nop     
0x80ad30c8  97c30022    lhu             v1,34(s8)
0x80ad30cc  97c20026    lhu             v0,38(s8)
0x80ad30d0  000210c0    sll             v0,v0,3
0x80ad30d4  3042ffff    andi            v0,v0,0xffff
0x80ad30d8  00602025    move            a0,v1
0x80ad30dc  00402825    move            a1,v0
0x80ad30e0  0c2b4a03    jal             cfg_mod_set_olt_port_frame_gap
0x80ad30e4  00000000    nop     
0x80ad30e8  afc00034    sw              zero,52(s8)
value = -2136133396 = 0x80ad30ec = olt_config_set_pon_cosq__config + 0x640
-> l
0x80ad30ec  8fc20034    lw              v0,52(s8)
0x80ad30f0  8fc30030    lw              v1,48(s8)
0x80ad30f4  0043102b    sltu            v0,v0,v1
0x80ad30f8  14400003    bnez            v0,0x80ad3108
0x80ad30fc  00000000    nop     
0x80ad3100  082b4c81    j               0x80ad3204
0x80ad3104  00000000    nop     
0x80ad3108  97c40022    lhu             a0,34(s8)
0x80ad310c  8fc30034    lw              v1,52(s8)
0x80ad3110  00601025    move            v0,v1
0x80ad3114  00021040    sll             v0,v0,1
0x80ad3118  00431021    addu            v0,v0,v1
0x80ad311c  00021840    sll             v1,v0,1
0x80ad3120  27c20040    addiu           v0,s8,64
0x80ad3124  00431021    addu            v0,v0,v1
0x80ad3128  94450000    lhu             a1,0(v0)
0x80ad312c  8fc30034    lw              v1,52(s8)
0x80ad3130  00601025    move            v0,v1
0x80ad3134  00021040    sll             v0,v0,1
0x80ad3138  00431021    addu            v0,v0,v1
0x80ad313c  00021840    sll             v1,v0,1
0x80ad3140  27c20042    addiu           v0,s8,66
0x80ad3144  00431021    addu            v0,v0,v1
0x80ad3148  94460000    lhu             a2,0(v0)
0x80ad314c  8fc30034    lw              v1,52(s8)
0x80ad3150  00601025    move            v0,v1
0x80ad3154  00021040    sll             v0,v0,1
0x80ad3158  00431021    addu            v0,v0,v1
0x80ad315c  00021840    sll             v1,v0,1
0x80ad3160  27c20044    addiu           v0,s8,68
0x80ad3164  00431021    addu            v0,v0,v1
0x80ad3168  94420000    lhu             v0,0(v0)
0x80ad316c  00403825    move            a3,v0
0x80ad3170  0c2b4909    jal             cfg_mod_set_olt_port_cosq_para
0x80ad3174  00000000    nop     
0x80ad3178  97c20022    lhu             v0,34(s8)
0x80ad317c  2445ffff    addiu           a1,v0,65535
0x80ad3180  8fc30034    lw              v1,52(s8)
0x80ad3184  00601025    move            v0,v1
0x80ad3188  00021040    sll             v0,v0,1
0x80ad318c  00431021    addu            v0,v0,v1
0x80ad3190  00021840    sll             v1,v0,1
0x80ad3194  27c20040    addiu           v0,s8,64
0x80ad3198  00431021    addu            v0,v0,v1
0x80ad319c  94460000    lhu             a2,0(v0)
0x80ad31a0  8fc30034    lw              v1,52(s8)
0x80ad31a4  00601025    move            v0,v1
0x80ad31a8  00021040    sll             v0,v0,1
0x80ad31ac  00431021    addu            v0,v0,v1
0x80ad31b0  00021840    sll             v1,v0,1
0x80ad31b4  27c20042    addiu           v0,s8,66
0x80ad31b8  00431021    addu            v0,v0,v1
0x80ad31bc  94470000    lhu             a3,0(v0)
0x80ad31c0  8fc30034    lw              v1,52(s8)
0x80ad31c4  00601025    move            v0,v1
0x80ad31c8  00021040    sll             v0,v0,1
0x80ad31cc  00431021    addu            v0,v0,v1
0x80ad31d0  00021840    sll             v1,v0,1
0x80ad31d4  27c20044    addiu           v0,s8,68
0x80ad31d8  00431021    addu            v0,v0,v1
0x80ad31dc  94420000    lhu             v0,0(v0)
0x80ad31e0  afa20010    sw              v0,16(sp)
0x80ad31e4  00002025    move            a0,zero
0x80ad31e8  0c22bf3f    jal             switch_port_qconfig_set
0x80ad31ec  00000000    nop     
0x80ad31f0  8fc20034    lw              v0,52(s8)    // the instruction that raised the exception: loads the word at s8+52 into v0
                                                     // s8 was saved on the stack at 0x4c31d440 and that slot holds 1, so s8+52 = 0x35, which matches the BADVADDR reported for the exception
0x80ad31f4  24420001    addiu           v0,v0,1
0x80ad31f8  afc20034    sw              v0,52(s8)
0x80ad31fc  082b4c3b    j               0x80ad30ec
0x80ad3200  00000000    nop     
0x80ad3204  97c20022    lhu             v0,34(s8)
0x80ad3208  2443ffff    addiu           v1,v0,65535
0x80ad320c  97c20026    lhu             v0,38(s8)
0x80ad3210  000210c0    sll             v0,v0,3
0x80ad3214  00002025    move            a0,zero
0x80ad3218  00602825    move            a1,v1
0x80ad321c  00403025    move            a2,v0
0x80ad3220  0c22be64    jal             linecard_set_port_gap
0x80ad3224  00000000    nop     
0x80ad3228  00001025    move            v0,zero
0x80ad322c  03c0e825    move            sp,s8
0x80ad3230  8fbf0074    lw              ra,116(sp)
0x80ad3234  8fbe0070    lw              s8,112(sp)
0x80ad3238  27bd0078    addiu           sp,sp,120
0x80ad323c  03e00008    jr              ra
0x80ad3240  00000000    nop     
0x80ad3244  00000000    nop     
0x80ad3248  00000000    nop     
0x80ad324c  00000000    nop

The faulting instruction is the first instruction executed after switch_port_qconfig_set returns; it tries to load from s8+52. In olt_config_set_pon_cosq__config, s8 is used as the frame pointer and should hold the same value as sp, but the stack data shows s8 = 1. There is therefore good reason to suspect that s8 was overwritten while switch_port_qconfig_set was executing.

Disassembling switch_port_qconfig_set shows that its prologue saves s8 at sp+48, i.e. at address 0x4c31d440, and the value found there is 1.
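
As an added example (not code from the original post), the following C program decodes the raw instruction words quoted in the listings and recomputes, mechanically, the addresses the analysis derives by hand: the callee's sp, the stack slot holding the caller's s8 (0x4c31d440), and the BADVADDR (0x35) produced by executing `lw v0,52(s8)` with s8 = 1. It takes only the instruction words, the sp at call time (0x4c31d448, as noted in the prologue comments below) and the saved value 1 from the page; the names and the overlap helper are the example's own assumptions. The helper reports which save slots a write through the entry buffer at s8+40 would reach for a given width; the excerpt itself does not show how many bytes soc_mem_read writes there, so that function is a check, not a conclusion.

```c
/* Added example, not code from the original post. Decodes the raw MIPS32
 * instruction words quoted in the listings and recomputes the addresses
 * the analysis derives by hand. Inputs taken from the page: the three
 * instruction words, sp at the call (0x4c31d448) and the saved value 1.
 * Names and the overlap helper are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Major opcodes of the I-type instructions used here. */
enum { OP_ADDIU = 0x09, OP_LW = 0x23, OP_LHU = 0x25, OP_SH = 0x29, OP_SW = 0x2b };

typedef struct {
    unsigned opcode;
    unsigned rs;   /* base register for loads/stores, source for addiu */
    unsigned rt;   /* data register for loads/stores, destination for addiu */
    int32_t  imm;  /* sign-extended 16-bit immediate (the offset) */
} itype_insn;

static const char *reg_name(unsigned r)
{
    static const char *const names[32] = {
        "zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "s8", "ra"
    };
    return names[r & 31];
}

/* Split a word into I-type fields. Returns 0 for opcodes this example does
 * not handle (e.g. the R-type "move s8,sp"), so an R-type word is never
 * misread as a load or store. */
int decode_itype(uint32_t word, itype_insn *out)
{
    unsigned op = word >> 26;
    if (op != OP_ADDIU && op != OP_LW && op != OP_LHU && op != OP_SH && op != OP_SW)
        return 0;
    out->opcode = op;
    out->rs  = (word >> 21) & 31;
    out->rt  = (word >> 16) & 31;
    out->imm = (int16_t)(word & 0xffff);
    return 1;
}

/* Effective address of a decoded load/store for a given base register value. */
uint32_t effective_address(const itype_insn *insn, uint32_t base_value)
{
    return base_value + (uint32_t)insn->imm;
}

typedef struct {
    uint32_t callee_sp;     /* sp inside switch_port_qconfig_set after its prologue */
    uint32_t s8_save_slot;  /* stack address holding the caller's s8 */
    uint32_t badvaddr;      /* address touched by the first lw after return */
} crash_model;

/* Replays the three instructions the analysis hinges on:
 *   27bdffc8  addiu sp,sp,-56   switch_port_qconfig_set prologue
 *   afbe0030  sw    s8,48(sp)   save of the caller's frame pointer
 *   8fc20034  lw    v0,52(s8)   first instruction after return (the EPC)
 * caller_sp is sp at the call; restored_s8 is whatever the epilogue's
 * lw s8,48(sp) read back from the save slot. */
crash_model model_crash(uint32_t caller_sp, uint32_t restored_s8)
{
    itype_insn prologue, save_s8, fault;
    crash_model m = { 0, 0, 0 };
    decode_itype(0x27bdffc8u, &prologue);
    decode_itype(0xafbe0030u, &save_s8);
    decode_itype(0x8fc20034u, &fault);
    m.callee_sp    = caller_sp + (uint32_t)prologue.imm;
    m.s8_save_slot = effective_address(&save_s8, m.callee_sp);
    m.badvaddr     = effective_address(&fault, restored_s8);
    return m;
}

/* Frame layout of switch_port_qconfig_set read off its prologue: the entry
 * buffer passed to soc_mem_read sits at s8+40, the saved s8 at +48 and the
 * saved ra at +52. Returns which save slots an n-byte write starting at
 * frame offset off would reach (bit 0 = s8, bit 1 = ra). The excerpt does
 * not show how many bytes soc_mem_read writes there, so this is a check of
 * what a given width would overlap, not a statement of what happened. */
unsigned save_slots_reached(unsigned off, unsigned n)
{
    unsigned mask = 0;
    if (off < 48 + 4 && off + n > 48) mask |= 1u;
    if (off < 52 + 4 && off + n > 52) mask |= 2u;
    return mask;
}

int main(void)
{
    crash_model m = model_crash(0x4c31d448u, 1u);
    itype_insn fault;
    decode_itype(0x8fc20034u, &fault);
    printf("callee sp     = 0x%08x\n", (unsigned)m.callee_sp);     /* 0x4c31d410 */
    printf("s8 save slot  = 0x%08x\n", (unsigned)m.s8_save_slot);  /* 0x4c31d440 */
    printf("faulting insn = lw %s,%d(%s) with %s=1 -> BADVADDR 0x%x\n",
           reg_name(fault.rt), (int)fault.imm, reg_name(fault.rs),
           reg_name(fault.rs), (unsigned)m.badvaddr);                /* 0x35 */
    printf("12-byte write at s8+40 reaches save-slot mask %u\n",
           save_slots_reached(40, 12));                             /* 1 (s8) */
    return 0;
}
```

The same decode applies to any lw/sw in the listings: feed the raw word and the base register's value from the task's register dump into effective_address() and compare the result with the BADVADDR the exception handler printed. Agreement, as here, confirms that the saved-register slot rather than the instruction stream is what went wrong.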

-> l switch_port_qconfig_set,500
                      switch_port_qconfig_set:
0x808afcfc  27bdffc8    addiu           sp,sp,65480(-56)            // sp at call time is 0x4c31d448; this function's sp = sp-56 = 0x4c31d410
0x808afd00  afbf0034    sw              ra,52(sp)
0x808afd04  afbe0030    sw              s8,48(sp)                    // s8 saved at sp+48, i.e. address 0x4c31d440
0x808afd08  03a0f025    move            s8,sp
0x808afd0c  afc40038    sw              a0,56(s8)
0x808afd10  afc5003c    sw              a1,60(s8)
0x808afd14  afc60040    sw              a2,64(s8)
0x808afd18  afc70044    sw              a3,68(s8)
0x808afd1c  afc00018    sw              zero,24(s8)
0x808afd20  24020030    li              v0,48
0x808afd24  afc2001c    sw              v0,28(s8)
0x808afd28  afc00020    sw              zero,32(s8)
0x808afd2c  afc00024    sw              zero,36(s8)
0x808afd30  afc00028    sw              zero,40(s8)
0x808afd34  8fc20044    lw              v0,68(s8)
0x808afd38  04410004    bgez            v0,0x808afd4c
0x808afd3c  00000000    nop     
0x808afd40  2402ffff    li              v0,65535
0x808afd44  0822c05f    j               0x808b017c
0x808afd48  00000000    nop     
0x808afd4c  8fc20044    lw              v0,68(s8)
0x808afd50  28421001    slti            v0,v0,4097
0x808afd54  14400003    bnez            v0,0x808afd64
0x808afd58  00000000    nop     
0x808afd5c  24021000    li              v0,4096
0x808afd60  afc20044    sw              v0,68(s8)
0x808afd64  8fc20048    lw              v0,72(s8)
0x808afd68  04400007    bltz            v0,0x808afd88
0x808afd6c  00000000    nop     
0x808afd70  8fc20048    lw              v0,72(s8)
0x808afd74  2842000a    slti            v0,v0,10
0x808afd78  10400003    beqz            v0,0x808afd88
0x808afd7c  00000000    nop     
0x808afd80  0822bf65    j               0x808afd94
0x808afd84  00000000    nop     
0x808afd88  2402ffff    li              v0,65535
0x808afd8c  0822c05f    j               0x808b017c
0x808afd90  00000000    nop     
0x808afd94  0c22d29a    jal             linecard_pon_port_begin
0x808afd98  00000000    nop     
0x808afd9c  8fc3003c    lw              v1,60(s8)
0x808afda0  0062102a    slt             v0,v1,v0
0x808afda4  14400009    bnez            v0,0x808afdcc
0x808afda8  00000000    nop     
0x808afdac  0c22d2a3    jal             linecard_pon_port_end
0x808afdb0  00000000    nop     
0x808afdb4  8fc3003c    lw              v1,60(s8)
0x808afdb8  0043102a    slt             v0,v0,v1
0x808afdbc  14400003    bnez            v0,0x808afdcc
0x808afdc0  00000000    nop     
0x808afdc4  0822bf76    j               0x808afdd8
0x808afdc8  00000000    nop     
0x808afdcc  2402ffff    li              v0,65535
0x808afdd0  0822c05f    j               0x808b017c
0x808afdd4  00000000    nop     
0x808afdd8  8fc4003c    lw              a0,60(s8)
0x808afddc  0c226f4b    jal             switch_oldport_to_newport
0x808afde0  00000000    nop     
0x808afde4  afc20018    sw              v0,24(s8)
0x808afde8  27c20020    addiu           v0,s8,32
0x808afdec  8fc40038    lw              a0,56(s8)
0x808afdf0  00402825    move            a1,v0
0x808afdf4  0c0d1366    jal             bcm_cosq_config_get
0x808afdf8  00000000    nop     
0x808afdfc  afc2002c    sw              v0,44(s8)
0x808afe00  8fc2002c    lw              v0,44(s8)
0x808afe04  04410004    bgez            v0,0x808afe18
0x808afe08  00000000    nop     
0x808afe0c  8fc2002c    lw              v0,44(s8)
0x808afe10  0822c05f    j               0x808b017c
0x808afe14  00000000    nop     
0x808afe18  8fc20018    lw              v0,24(s8)
0x808afe1c  2443ffff    addiu           v1,v0,65535
0x808afe20  8fc20020    lw              v0,32(s8)
0x808afe24  00620018    mult            v1,v0
0x808afe28  00001812    mflo            v1
0x808afe2c  8fc2001c    lw              v0,28(s8)
0x808afe30  00621821    addu            v1,v1,v0
0x808afe34  8fc20040    lw              v0,64(s8)
0x808afe38  00621021    addu            v0,v1,v0
0x808afe3c  afc20024    sw              v0,36(s8)
0x808afe40  27c20028    addiu           v0,s8,40
0x808afe44  afa20010    sw              v0,16(sp)
0x808afe48  8fc40038    lw              a0,56(s8)
0x808afe4c  2405059a    li              a1,1434
0x808afe50  2406ffff    li              a2,65535
0x808afe54  8fc70024    lw              a3,36(s8)
0x808afe58  0c130314    jal             soc_mem_read
0x808afe5c  00000000    nop     
0x808afe60  afc2002c    sw              v0,44(s8)
0x808afe64  8fc2002c    lw              v0,44(s8)
0x808afe68  04410004    bgez            v0,0x808afe7c
0x808afe6c  00000000    nop     
0x808afe70  8fc2002c    lw              v0,44(s8)
0x808afe74  0822c05f    j               0x808b017c
0x808afe78  00000000    nop     
0x808afe7c  8fc30040    lw              v1,64(s8)
0x808afe80  00601025    move            v0,v1
0x808afe84  00021040    sll             v0,v0,1
0x808afe88  00431021    addu            v0,v0,v1
0x808afe8c  00022080    sll             a0,v0,2
0x808afe90  8fc3003c    lw              v1,60(s8)
0x808afe94  00601025    move            v0,v1
0x808afe98  00021040    sll             v0,v0,1
0x808afe9c  00431021    addu            v0,v0,v1
0x808afea0  00021140    sll             v0,v0,5
0x808afea4  00821821    addu            v1,a0,v0
0x808afea8  3c02822b    lui             v0,0x822b
0x808afeac  24428a4c    addiu           v0,v0,35404
0x808afeb0  00431021    addu            v0,v0,v1
0x808afeb4  8c420000    lw              v0,0(v0)
0x808afeb8  14400040    bnez            v0,0x808affbc
0x808afebc  00000000    nop     
0x808afec0  27c20028    addiu           v0,s8,40
0x808afec4  8fc40038    lw              a0,56(s8)
0x808afec8  2405059a    li              a1,1434
0x808afecc  00403025    move            a2,v0
0x808afed0  240740df    li              a3,16607
0x808afed4  0c1282ea    jal             soc_mem_field32_get
0x808afed8  00000000    nop     
0x808afedc  00402825    move            a1,v0
0x808afee0  8fc30040    lw              v1,64(s8)
0x808afee4  00601025    move            v0,v1
0x808afee8  00021040    sll             v0,v0,1
0x808afeec  00431021    addu            v0,v0,v1
0x808afef0  00022080    sll             a0,v0,2
0x808afef4  8fc3003c    lw              v1,60(s8)
0x808afef8  00601025    move            v0,v1
0x808afefc  00021040    sll             v0,v0,1
0x808aff00  00431021    addu            v0,v0,v1
0x808aff04  00021140    sll             v0,v0,5
0x808aff08  00821821    addu            v1,a0,v0
0x808aff0c  3c02822b    lui             v0,0x822b
0x808aff10  24428a50    addiu           v0,v0,35408
0x808aff14  00431021    addu            v0,v0,v1
0x808aff18  ac450000    sw              a1,0(v0)
0x808aff1c  27c20028    addiu           v0,s8,40
0x808aff20  8fc40038    lw              a0,56(s8)
0x808aff24  2405059a    li              a1,1434
0x808aff28  00403025    move            a2,v0
0x808aff2c  24074106    li              a3,16646
0x808aff30  0c1282ea    jal             soc_mem_field32_get
0x808aff34  00000000    nop     
0x808aff38  00402825    move            a1,v0
0x808aff3c  8fc30040    lw              v1,64(s8)
0x808aff40  00601025    move            v0,v1
0x808aff44  00021040    sll             v0,v0,1
0x808aff48  00431021    addu            v0,v0,v1
0x808aff4c  00022080    sll             a0,v0,2
0x808aff50  8fc3003c    lw              v1,60(s8)
0x808aff54  00601025    move            v0,v1
0x808aff58  00021040    sll             v0,v0,1
0x808aff5c  00431021    addu            v0,v0,v1
0x808aff60  00021140    sll             v0,v0,5
0x808aff64  00821021    addu            v0,a0,v0
0x808aff68  24430008    addiu           v1,v0,8
0x808aff6c  3c02822b    lui             v0,0x822b
0x808aff70  24428a4c    addiu           v0,v0,35404
0x808aff74  00431021    addu            v0,v0,v1
0x808aff78  ac450000    sw              a1,0(v0)
0x808aff7c  8fc30040    lw              v1,64(s8)
0x808aff80  00601025    move            v0,v1
0x808aff84  00021040    sll             v0,v0,1
0x808aff88  00431021    addu            v0,v0,v1
0x808aff8c  00022080    sll             a0,v0,2
0x808aff90  8fc3003c    lw              v1,60(s8)
0x808aff94  00601025    move            v0,v1
0x808aff98  00021040    sll             v0,v0,1
0x808aff9c  00431021    addu            v0,v0,v1
0x808affa0  00021140    sll             v0,v0,5
0x808affa4  00821821    addu            v1,a0,v0
0x808affa8  3c02822b    lui             v0,0x822b
0x808affac  24428a4c    addiu           v0,v0,35404
0x808affb0  00431821    addu            v1,v0,v1
0x808affb4  24020001    li              v0,1
0x808affb8  ac620000    sw              v0,0(v1)
0x808affbc  8fc20044    lw              v0,68(s8)
0x808affc0  14400045    bnez            v0,0x808b00d8
0x808affc4  00000000    nop     
0x808affc8  8fc20048    lw              v0,72(s8)
0x808affcc  14400042    bnez            v0,0x808b00d8
0x808affd0  00000000    nop     
0x808affd4  8fc30040    lw              v1,64(s8)
0x808affd8  00601025    move            v0,v1
0x808affdc  00021040    sll             v0,v0,1
0x808affe0  00431021    addu            v0,v0,v1
0x808affe4  00022080    sll             a0,v0,2
0x808affe8  8fc3003c    lw              v1,60(s8)
0x808affec  00601025    move            v0,v1
0x808afff0  00021040    sll             v0,v0,1
0x808afff4  00431021    addu            v0,v0,v1
0x808afff8  00021140    sll             v0,v0,5
0x808afffc  00821821    addu            v1,a0,v0
0x808b0000  3c02822b    lui             v0,0x822b
0x808b0004  24428a4c    addiu           v0,v0,35404
0x808b0008  00431021    addu            v0,v0,v1
0x808b000c  8c430000    lw              v1,0(v0)
0x808b0010  24020001    li              v0,1
0x808b0014  14620030    bne             v1,v0,0x808b00d8
0x808b0018  00000000    nop     
0x808b001c  27c60028    addiu           a2,s8,40
0x808b0020  8fc30040    lw              v1,64(s8)
0x808b0024  00601025    move            v0,v1
0x808b0028  00021040    sll             v0,v0,1
0x808b002c  00431021    addu            v0,v0,v1
0x808b0030  00022080    sll             a0,v0,2
0x808b0034  8fc3003c    lw              v1,60(s8)
0x808b0038  00601025    move            v0,v1
0x808b003c  00021040    sll             v0,v0,1
0x808b0040  00431021    addu            v0,v0,v1
0x808b0044  00021140    sll             v0,v0,5
0x808b0048  00821821    addu            v1,a0,v0
0x808b004c  3c02822b    lui             v0,0x822b
0x808b0050  24428a50    addiu           v0,v0,35408
0x808b0054  00431021    addu            v0,v0,v1
0x808b0058  8c420000    lw              v0,0(v0)
0x808b005c  afa20010    sw              v0,16(sp)
0x808b0060  8fc40038    lw              a0,56(s8)
0x808b0064  2405059a    li              a1,1434
0x808b0068  240740df    li              a3,16607
0x808b006c  0c128311    jal             soc_mem_field32_set
0x808b0070  00000000    nop     
0x808b0074  27c60028    addiu           a2,s8,40
0x808b0078  8fc30040    lw              v1,64(s8)
0x808b007c  00601025    move            v0,v1
0x808b0080  00021040    sll             v0,v0,1
0x808b0084  00431021    addu            v0,v0,v1
0x808b0088  00022080    sll             a0,v0,2
0x808b008c  8fc3003c    lw              v1,60(s8)
0x808b0090  00601025    move            v0,v1
0x808b0094  00021040    sll             v0,v0,1
0x808b0098  00431021    addu            v0,v0,v1
0x808b009c  00021140    sll             v0,v0,5
0x808b00a0  00821021    addu            v0,a0,v0
0x808b00a4  24430008    addiu           v1,v0,8
0x808b00a8  3c02822b    lui             v0,0x822b
0x808b00ac  24428a4c    addiu           v0,v0,35404
0x808b00b0  00431021    addu            v0,v0,v1
0x808b00b4  8c420000    lw              v0,0(v0)
0x808b00b8  afa20010    sw              v0,16(sp)
0x808b00bc  8fc40038    lw              a0,56(s8)
0x808b00c0  2405059a    li              a1,1434
0x808b00c4  24074106    li              a3,16646
0x808b00c8  0c128311    jal             soc_mem_field32_set
0x808b00cc  00000000    nop     
0x808b00d0  0822c04e    j               0x808b0138
0x808b00d4  00000000    nop     
0x808b00d8  8fc20044    lw              v0,68(s8)
0x808b00dc  10400016    beqz            v0,0x808b0138
0x808b00e0  00000000    nop     
0x808b00e4  8fc20048    lw              v0,72(s8)
0x808b00e8  10400013    beqz            v0,0x808b0138
0x808b00ec  00000000    nop     
0x808b00f0  27c30028    addiu           v1,s8,40
0x808b00f4  8fc20044    lw              v0,68(s8)
0x808b00f8  afa20010    sw              v0,16(sp)
0x808b00fc  8fc40038    lw              a0,56(s8)
0x808b0100  2405059a    li              a1,1434
0x808b0104  00603025    move            a2,v1
0x808b0108  240740df    li              a3,16607
0x808b010c  0c128311    jal             soc_mem_field32_set
0x808b0110  00000000    nop     
0x808b0114  27c30028    addiu           v1,s8,40
0x808b0118  8fc20048    lw              v0,72(s8)
0x808b011c  afa20010    sw              v0,16(sp)
0x808b0120  8fc40038    lw              a0,56(s8)
0x808b0124  2405059a    li              a1,1434
0x808b0128  00603025    move            a2,v1
0x808b012c  24074106    li              a3,16646
0x808b0130  0c128311    jal             soc_mem_field32_set
0x808b0134  00000000    nop     
0x808b0138  00000000    nop     
0x808b013c  27c20028    addiu           v0,s8,40
0x808b0140  afa20010    sw              v0,16(sp)
0x808b0144  8fc40038    lw              a0,56(s8)
0x808b0148  2405059a    li              a1,1434
0x808b014c  2406ffff    li              a2,65535
0x808b0150  8fc70024    lw              a3,36(s8)
0x808b0154  0c1306bb    jal             soc_mem_write
0x808b0158  00000000    nop     
0x808b015c  afc2002c    sw              v0,44(s8)
0x808b0160  8fc2002c    lw              v0,44(s8)
0x808b0164  04410004    bgez            v0,0x808b0178
0x808b0168  00000000    nop     
0x808b016c  8fc2002c    lw              v0,44(s8)
0x808b0170  0822c05f    j               0x808b017c
0x808b0174  00000000    nop     
0x808b0178  00001025    move            v0,zero
0x808b017c  03c0e825    move            sp,s8
0x808b0180  8fbf0034    lw              ra,52(sp)
0x808b0184  8fbe0030    lw              s8,48(sp)
0x808b0188  27bd0038    addiu           sp,sp,56
0x808b018c  03e00008    jr              ra
0x808b0190  00000000    nop

To confirm the guess above, I set breakpoints before and after the call to switch_port_qconfig_set, reproduced the problem, and dumped the stack before and after the call for comparison.

 

The word at 0x4c31d440 was changed from 0x4c31d448 to 1, and the words around it were not, so at this point I concluded it was not a stack overflow (a contiguous overrun would have smeared several words). As the rest of the analysis shows, that inference was too quick: an overrun of only a few words that ends exactly on a saved-register slot looks like a single modified word.

Working through the functions called from switch_port_qconfig_set one by one, I found that the switch SDK functions do not use the s8 register as a frame pointer at all; they use it as an ordinary callee-saved general-purpose register.

-> l soc_mem_read,200 
soc_mem_read:
0x804c0c50  27bdff70    addiu           sp,sp,65392(-144)
0x804c0c54  afb20080    sw              s2,128(sp)
0x804c0c58  00809021    move            s2,a0
0x804c0c5c  00121080    sll             v0,s2,2
0x804c0c60  3c0381d5    lui             v1,0x81d5
0x804c0c64  00621821    addu            v1,v1,v0
0x804c0c68  8c633e30    lw              v1,15920(v1)
0x804c0c6c  afb40088    sw              s4,136(sp)    // the SDK functions address their frame through sp, not through s8
0x804c0c70  afb1007c    sw              s1,124(sp)
0x804c0c74  afb00078    sw              s0,120(sp)
0x804c0c78  afbf008c    sw              ra,140(sp)
0x804c0c7c  afb30084    sw              s3,132(sp)
0x804c0c80  8c620010    lw              v0,16(v1)
0x804c0c84  00c08021    move            s0,a2
0x804c0c88  00e08821    move            s1,a3
0x804c0c8c  1440005e    bnez            v0,0x804c0e08
0x804c0c90  8fb400a0    lw              s4,160(sp)
0x804c0c94  8c620014    lw              v0,20(v1)
0x804c0c98  3c035000    lui             v1,0x5000
0x804c0c9c  00431024    and             v0,v0,v1
0x804c0ca0  10400059    beqz            v0,0x804c0e08
0x804c0ca4  24020111    li              v0,273
0x804c0ca8  54a20058    bnel            a1,v0,0x804c0e0c
0x804c0cac  02402021    move            a0,s2
0x804c0cb0  24050001    li              a1,1
0x804c0cb4  0c1a467c    jal             soc_trident_pipe_select
0x804c0cb8  24060001    li              a2,1
0x804c0cbc  27b30018    addiu           s3,sp,24
0x804c0cc0  02402021    move            a0,s2
0x804c0cc4  24050111    li              a1,273
0x804c0cc8  02003021    move            a2,s0
0x804c0ccc  02203821    move            a3,s1
0x804c0cd0  0c13002b    jal             _soc_mem_read

Checking the documentation: in MIPS32 the r30 register can be used either as the general-purpose register s8 or as the frame pointer fp. In the o32 ABI it is callee-saved in both roles, so a function that uses it as s8 has to save and restore it, and that use by itself does not corrupt the caller's frame.

Digging further, the compile options of the upper-layer code were: -g -G 0 -mno-branch-likely -mips2 -EB -fno-builtin -DMIPSEB -DSOFT_FLOAT -msoft-float; the switch library was built with: -O2 -c -fno-builtin -g -mips2 -msoft-float -o 0. With -O2 (in fact at any -O level above 0) GCC enables -fomit-frame-pointer, so r30 is no longer reserved as fp and the register allocator hands it out as the general-purpose s8. That matches the sp-relative frame access in the soc_mem_read listing above.

At this point the root cause seemed to be identified, but after rebuilding the switch SDK library without -O2 the task still hung. I had guessed the beginning, but not the ending! So, back to the disassembler: single-stepping the task found the instruction that changes the saved s8 value on the stack:

-> s cmd_process   // single-step the cmd_process task
value = 0 = 0x0
-> 
$0    =        0   t0    = 1000fc01   s0    =        0   t8    =        0
at    =        1   t1    =        1   s1    =        0   t9    =       50
v0    = 4c315fe4   t2    =        4   s2    =        0   k0    =        0
v1    = 4c315d88   t3    =        1   s3    =        0   k1    =        0
a0    = 4c315d7c   t4    = 4c315fe4   s4    =        0   gp    = 81789c20
a1    = 4c315fd8   t5    =        0   s5    =        0   sp    = 4c315d40
a2    =        c   t6    =      2a4   s6    =        0   s8    = 4c315fd8
a3    = 4c315fe0   t7    =        0   s7    =        0   ra    = 801f0ef8
divlo =       38   divhi =        0   sr    = 1000fc01   pc    = 80146b20
0x80146b20  1020fffb    beqz            at,0x80146b10 // next instruction to execute: if at is 0, branch to 0x80146b10

Look at the data at the address where s8 was saved: the word at 0x4c315fe0 is 0x4c315fe8.

d 0x4c315fb0,100,4
4c315fb0:  00000000 0000059a ffffffff 00000038   *...............8*
4c315fc0:  4c315fd8 00000050 00000002 00000030   *L1_....P.......0*
4c315fd0:  00000008 00000038 00240009 d0000930   *.......8.$.....0*
4c315fe0:  4c315fe8 80ebb650 00000000 00000000   *L1_....P........*
4c315ff0:  00000000 000000aa 00000007 4c316000   *............L1`.*
4c316000:  1d772ae9 00000000 000d0001 00000000   *.w*.............*
4c316010:  00000000 00070000 00000008 00000000   *................*
4c316020:  00000007 00000000 000000aa 00070001   *................*
4c316030:  00000000 00020000 00000003 00000000   *................*
4c316040:  00040000 00000005 00000000 00060000   *................*
4c316050:  00000007 00000000 4c316060 81042da4   *........L1``..-.*
4c316060:  87aa2bad 000000a8 000000b1 00000000   *..+.............*
4c316070:  00000000 00000000 00a84083 87aa2ab0   *..........@...*.*
4c316080:  4d3e8060 4d3e8030 00000000 00000000   *M>.`M>.0........*
4c316090:  1d7760a0 810426c8 4c3160a0 81042ad8   *.w`...&.L1`...*.*
4c3160a0:  87aa2ab0 87aa2b05 0300eeee eeeeeeee   *..*...+.........*
4c3160b0:  4c3160b8 eeeeeeee eeeeeeee eeeeeeee   *L1`.............*
4c3160c0:  000058e0 00f800a8 4083eeee 87aa2b05   *..X.....@.....+.*
4c3160d0:  87aa2ab0 00000000 00000000 f8000000   *..*.............*
4c3160e0:  00000055 00000000 4c3160f0 81041304   *...U....L1`.....*
4c3160f0:  87aa2ab0 00000000 eeeeeeee eeeeeeee   *..*.............*
4c316100:  81040100 87aa2ab0 00000e10 eeeeeeee   *......*.........*
4c316110:  00000000 8013870c 00000000 00000000   *................*
4c316120:  00000000 00000000 00000000 00000000   *................*
4c316130:  00000000 00000000 00000000 00000000   *................*
value = 21 = 0x15

Single-step once more:

-> s cmd_process
value = 0 = 0x0
-> 
$0    =        0   t0    = 1000fc01   s0    =        0   t8    =        0
at    =        1   t1    =        1   s1    =        0   t9    =       50
v0    = 4c315fe4   t2    =        4   s2    =        0   k0    =        0
v1    = 4c315d88   t3    =        1   s3    =        0   k1    =        0
a0    = 4c315d7c   t4    = 4c315fe4   s4    =        0   gp    = 81789c20
a1    = 4c315fd8   t5    =        0   s5    =        0   sp    = 4c315d40
a2    =        c   t6    =      2a4   s6    =        0   s8    = 4c315fd8
a3    = 4c315fe0   t7    =        0   s7    =        0   ra    = 801f0ef8
divlo =       38   divhi =        0   sr    = 1000fc01   pc    = 80146b28
0x80146b28  01802825    move            a1,t4

Look at the stack again: the word in the saved-s8 slot has been changed to 1.

d 0x4c315fb0,100,4
4c315fb0:  00000000 0000059a ffffffff 00000038   *...............8*
4c315fc0:  4c315fd8 00000050 00000002 00000030   *L1_....P.......0*
4c315fd0:  00000008 00000038 00240009 d0000930   *.......8.$.....0*
4c315fe0:  00000001 80ebb650 00000000 00000000   *.......P........*
4c315ff0:  00000000 000000aa 00000007 4c316000   *............L1`.*
4c316000:  1d772ae9 00000000 000d0001 00000000   *.w*.............*
4c316010:  00000000 00070000 00000008 00000000   *................*
4c316020:  00000007 00000000 000000aa 00070001   *................*
4c316030:  00000000 00020000 00000003 00000000   *................*
4c316040:  00040000 00000005 00000000 00060000   *................*
4c316050:  00000007 00000000 4c316060 81042da4   *........L1``..-.*
4c316060:  87aa2bad 000000a8 000000b1 00000000   *..+.............*
4c316070:  00000000 00000000 00a84083 87aa2ab0   *..........@...*.*
4c316080:  4d3e8060 4d3e8030 00000000 00000000   *M>.`M>.0........*
4c316090:  1d7760a0 810426c8 4c3160a0 81042ad8   *.w`...&.L1`...*.*
4c3160a0:  87aa2ab0 87aa2b05 0300eeee eeeeeeee   *..*...+.........*
4c3160b0:  4c3160b8 eeeeeeee eeeeeeee eeeeeeee   *L1`.............*
4c3160c0:  000058e0 00f800a8 4083eeee 87aa2b05   *..X.....@.....+.*
4c3160d0:  87aa2ab0 00000000 00000000 f8000000   *..*.............*
4c3160e0:  00000055 00000000 4c3160f0 81041304   *...U....L1`.....*
4c3160f0:  87aa2ab0 00000000 eeeeeeee eeeeeeee   *..*.............*
4c316100:  81040100 87aa2ab0 00000e10 eeeeeeee   *......*.........*
4c316110:  00000000 8013870c 00000000 00000000   *................*
4c316120:  00000000 00000000 00000000 00000000   *................*
4c316130:  00000000 00000000 00000000 00000000   *................*
value = 21 = 0x15

Looking carefully at the assembly around the instruction that just executed, the instruction that overwrote the saved-s8 slot is sw t1,-4(t4):

-> l 0x80146b20,10
0x80146b20  1020fffb    beqz          at,0x80146b10    // beqz branch; the word after it is its delay slot and executes whether or not the branch is taken (here at = 1, so the branch is not taken)
0x80146b24  ad89fffc    sw              t1,65532(t4)     // the instruction that actually overwrites the saved-s8 slot sits in that delay slot; the offset is -4 (printed unsigned as 65532), so with t4 = 0x4c315fe4 it stores t1 (= 1) at 0x4c315fe0, matching what was observed
0x80146b28  01802825    move            a1,t4
0x80146b2c  00602025    move            a0,v1
0x80146b30  00a2082b    sltu            at,a1,v0
0x80146b34  10200063    beqz            at,0x80146cc4
0x80146b38  00000000    nop     
0x80146b3c  24a50001    addiu           a1,a1,1
0x80146b40  908a0000    lbu             t2,0(a0)
0x80146b44  00a2082b    sltu            at,a1,v0
value = -2146145464 = 0x80146b48 = bcopy + 0x98        // the offending instruction lies inside bcopy()
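As an added example (not code from the original post), here is a small MIPS32 decoder for the two instruction words above, written the way one would check the debugger's listing by hand: it extracts the I-type fields, computes the beqz target relative to the delay slot, computes the sw effective address from the t4 value in the register dump, and models the rule that the delay-slot instruction executes before the branch resolves. All constants are the ones on this page; nothing else is assumed.

```c
#include <stdint.h>
#include <stdio.h>

#define OP_BEQ 0x04u   /* beqz rs,off is encoded as beq rs,zero,off */
#define OP_SW  0x2bu

/* I-type field extraction. */
unsigned mips_opcode(uint32_t insn) { return insn >> 26; }
unsigned mips_rs(uint32_t insn)     { return (insn >> 21) & 31u; }
unsigned mips_rt(uint32_t insn)     { return (insn >> 16) & 31u; }
int32_t  mips_imm16(uint32_t insn)  { return (int16_t)(insn & 0xffffu); }

const char *mips_reg_name(unsigned r)
{
    static const char *const names[32] = {
        "zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "s8", "ra" };
    return names[r & 31u];
}

/* Branch target of a beq/beqz at address pc: the 16-bit offset counts
 * words and is relative to the delay slot (pc + 4), not to pc itself. */
uint32_t mips_branch_target(uint32_t pc, uint32_t insn)
{
    return pc + 4u + ((uint32_t)mips_imm16(insn) << 2);
}

/* Effective address of a load/store: base register plus the signed 16-bit
 * offset. The listing printed the offset unsigned (65532); it is -4. */
uint32_t mips_mem_ea(uint32_t base_reg_val, uint32_t insn)
{
    return base_reg_val + (uint32_t)mips_imm16(insn);
}

/* Where execution resumes after a beq and its delay slot. The word at
 * pc + 4 always executes; only then does control go to the target (taken)
 * or fall through to pc + 8 (not taken). With at == 1 the branch at
 * 0x80146b20 is not taken, yet the sw at 0x80146b24 has already run. */
uint32_t mips_pc_after_branch(uint32_t pc, uint32_t insn, uint32_t rs_val, uint32_t rt_val)
{
    return (rs_val == rt_val) ? mips_branch_target(pc, insn) : pc + 8u;
}

int main(void)
{
    const uint32_t pc = 0x80146b20u, branch = 0x1020fffbu, store = 0xad89fffcu;
    const uint32_t at = 1u, t1 = 1u, t4 = 0x4c315fe4u;   /* from the register dump */

    if (mips_opcode(branch) == OP_BEQ && mips_rt(branch) == 0)
        printf("0x%08x  beqz %s,0x%08x\n", (unsigned)pc,
               mips_reg_name(mips_rs(branch)), (unsigned)mips_branch_target(pc, branch));
    if (mips_opcode(store) == OP_SW)
        printf("0x%08x  sw %s,%d(%s)   -> stores 0x%08x at 0x%08x (delay slot)\n",
               (unsigned)(pc + 4u), mips_reg_name(mips_rt(store)), (int)mips_imm16(store),
               mips_reg_name(mips_rs(store)), (unsigned)t1, (unsigned)mips_mem_ea(t4, store));
    printf("pc after branch + delay slot: 0x%08x\n",
           (unsigned)mips_pc_after_branch(pc, branch, at, 0u));
    return 0;
}
```

The store lands on 0x4c315fe0, the saved-s8 slot, and execution continues at 0x80146b28, which is exactly the pc shown in the second register dump.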

Now that the offending instruction is found, is this a bug in bcopy()? Reconstructing the arguments of bcopy(s, d, l) from the stack (they also appear in the register dump above as a0 = 0x4c315d7c, a1 = 0x4c315fd8, a2 = 0xc) shows l = 0xc, i.e. 12 bytes, and the destination d = 0x4c315fd8 is the local buffer at 40(s8) of switch_port_qconfig_set:

4c3161e0:  00000000 00000000 00000000 00000000   *................*
4c3161f0:  00000000 00000000 00000001 00000002   *................*
4c316200:  00000000 eeeeeeee eeeeeeee 00000000   *................*
4c316210:  00000000 00000000 00000000 00000000   *................*
4c316220:  00000000 00000000 00000000 00000000   *................*
4c316230:  00000000 00000000 00000000 00000000   *................*
4c316240:  00000000 00000000 0000eeee eeeeeeee   *................*
4c316250:  eeeeeeee eeeeeeee eeeeeeee eeeeeeee   *................*
4c316260:  eeeeeeee eeeeeeee 1000fc01 80146b08   *..............k.*
4c316270:  00000038 00000000 00000000 00000001   *...8............*
4c316280:  4c315fe4 4c315d7c 4c315d7c 4c315fd8   *L1_.L1]|L1]|L1_.*        // source, destination
4c316290:  0000000c 00000004 1000fc01 1000fc00   *................*        // length
4c3162a0:  00000004 00000001 00000000 00000000   *................*
4c3162b0:  000002a4 00000000 00000000 00000000   *................*
4c3162c0:  00000000 00000000 00000000 00000000   *................*
value = 21 = 0x15

In the original code the local thdo_qconfig_cell_entry is a single uint32, i.e. 4 bytes at 40(s8), but READ_MMU_THDO_QCONFIG_CELLm() reads a full table entry and bcopy()s 12 bytes into it: word 0 lands in the local, word 1 in the slot at 44(s8), and word 2 (the value 1) in the saved s8 at 48(s8). When switch_port_qconfig_set returns, its caller gets s8 = 1 back, and every later s8-relative access in that caller goes to a bogus address, which is the hang. So bcopy() is not at fault, and neither is -O2 (which is why rebuilding the SDK without it changed nothing): the caller's buffer is simply too small for what the SDK accessor writes. The fix is to declare the buffer as an array sized for a whole entry, uint32 thdo_qconfig_cell_entry[SOC_MAX_MEM_WORDS], which is what the READ_*m accessors expect. The same check is worth applying to every other READ_*m/WRITE_*m call site that passes a scalar.
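The following is an added example, not code from the original post or from the switch SDK. It models the frame of switch_port_qconfig_set as a word array using the offsets from the listing (local at 40(s8), rv word at 44(s8), saved s8 at 48(sp), saved ra at 52(sp)), runs a stand-in for the SDK entry read into it (a memcpy of SOC_MAX_MEM_WORDS words, standing in for the SDK's bcopy), and shows that with a uint32 local the saved-s8 slot receives word 2 of the entry while with a SOC_MAX_MEM_WORDS array it is untouched. SOC_MAX_MEM_WORDS == 3 and the sample entry contents are assumptions chosen to match the 12-byte copy and the value 1 seen in the dumps. It also carries the compile-time size check a caller can put next to every READ_*m call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame geometry of switch_port_qconfig_set, taken from the listing on this
 * page: addiu sp,sp,-56; sw s8,48(sp); sw ra,52(sp); the uint32 local
 * thdo_qconfig_cell_entry at 40(s8); the return-value word at 44(s8). */
#define FRAME_WORDS   14
#define RV_WORD       (44 / 4)
#define SAVED_FP_WORD (48 / 4)
#define SAVED_RA_WORD (52 / 4)

/* Assumption: SOC_MAX_MEM_WORDS is 3 on this device, matching the 12-byte
 * bcopy (a2 == 0xc) captured in the post. */
#define SOC_MAX_MEM_WORDS 3

/* Compile-time guard for any buffer handed to a READ_*m accessor. Applied
 * to a scalar uint32 it fails to compile, which is the point. */
#define CHECK_ENTRY_BUF(buf) \
    _Static_assert(sizeof(buf) >= SOC_MAX_MEM_WORDS * sizeof(uint32_t), \
                   #buf " is smaller than a table entry")

/* Constructed sample entry; word 2 is the value 1 that turned up in the
 * saved-s8 slot (0x4c315fe0) in the second memory dump. */
static const uint32_t sample_hw_entry[SOC_MAX_MEM_WORDS] = { 0x00000008u, 0x00000038u, 0x00000001u };

/* Stand-in for READ_MMU_THDO_QCONFIG_CELLm / soc_mem_read: the SDK copies a
 * whole entry into the caller's buffer and cannot know how big it is. */
static void sdk_mem_read(uint32_t *entry_buf, const uint32_t *hw_entry)
{
    memcpy(entry_buf, hw_entry, SOC_MAX_MEM_WORDS * sizeof(uint32_t)); /* bcopy() in the SDK */
}

/* Emulate one read into a local buffer of buf_words words that the compiler
 * placed just below the rv word (buf_words == 1 lands on word 10, i.e. the
 * 40(s8) slot from the listing). Returns 1 if the saved-s8 slot changed,
 * 0 if not, -1 on a bad size; the slot's final value goes to *saved_fp_after. */
int read_clobbers_saved_fp(int buf_words, uint32_t *saved_fp_after)
{
    uint32_t frame[FRAME_WORDS];
    const uint32_t saved_fp = 0x4c315fe8u, saved_ra = 0x80ebb650u; /* from the first dump */
    int entry_word = RV_WORD - buf_words;

    if (buf_words < 1 || entry_word < 0)
        return -1;
    memset(frame, 0, sizeof frame);
    frame[SAVED_FP_WORD] = saved_fp;
    frame[SAVED_RA_WORD] = saved_ra;

    sdk_mem_read(&frame[entry_word], sample_hw_entry);

    if (saved_fp_after)
        *saved_fp_after = frame[SAVED_FP_WORD];
    return frame[SAVED_FP_WORD] != saved_fp;
}

/* The corrected caller: a buffer sized for a full entry, plus the guard.
 * Returns word 2 of the entry so the read can be checked. */
uint32_t fixed_caller_read(void)
{
    uint32_t thdo_qconfig_cell_entry[SOC_MAX_MEM_WORDS];
    CHECK_ENTRY_BUF(thdo_qconfig_cell_entry);
    sdk_mem_read(thdo_qconfig_cell_entry, sample_hw_entry);
    return thdo_qconfig_cell_entry[2];
}

int main(void)
{
    uint32_t fp = 0;
    int hit = read_clobbers_saved_fp(1, &fp);
    printf("uint32 local:    saved s8 %s, slot = 0x%08x\n", hit ? "CLOBBERED" : "intact", (unsigned)fp);
    hit = read_clobbers_saved_fp(SOC_MAX_MEM_WORDS, &fp);
    printf("uint32[%d] local: saved s8 %s, slot = 0x%08x\n", SOC_MAX_MEM_WORDS,
           hit ? "CLOBBERED" : "intact", (unsigned)fp);
    printf("fixed read, entry word 2 = %u\n", (unsigned)fixed_caller_read());
    return 0;
}
```

Build with any C11 compiler (gcc example.c && ./a.out). The scalar case reports the saved-s8 slot overwritten with 1, the array case leaves it at 0x4c315fe8; and because CHECK_ENTRY_BUF() is a static assertion, a scalar buffer never survives to a bcopy at runtime in the first place.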

Posted on 2021-07-26 23:47 by 者旨於陽