VxWorks任务挂死实战分析
背景描述
操作系统:VxWorks 5.5
CPU:MIPS32 74Kc内核CPU
现象描述:联调代码时发现应用层代码调用以下接口函数必现任务挂死,检查代码发现入参均合法,代码逻辑没问题,未发现异常。
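/******************************************************************************
 * FunctionName : switch_port_qconfig_set
 * Author       : justin
 * CreateDate   : 20210606
 * Description  : Set the MMU_THDO_QCONFIG_CELL entry (guaranteed cells and
 *                shared alpha) of one COS queue on one PON/UNI port. The
 *                first call for a (ponno, cosq) pair snapshots the values
 *                read from hardware into g_switch_pon_qconfig so that a later
 *                call passing both minimum values restores them.
 * InputParam   : int unit                  switch unit
 *                int ponno                 PON port number, range 0~15
 *                int cosq                  COS queue, 0~7 for UNI ports
 *                int port_guarantee_cells  THDO_QCONFIG_CELL[Q_MIN_CELL]
 *                int q_shared_alpha        THDO_QCONFIG_CELL[Q_SHARED_ALPHA_CELL]
 * OutputParam  : NA
 * ReturnValue  : 0 - ok; <0 - error;
 * Relation     : NA
 * OtherInfo    : Writes g_switch_pon_qconfig[ponno][cosq] on the first call
 *                for that pair (flag, q_min_cell, q_shared_alpha).
 ******************************************************************************/
int switch_port_qconfig_set(int unit, int ponno, int cosq, int port_guarantee_cells, int q_shared_alpha)
{
    int switchport = 0;
    int cpu_cosq_num = NUM_CPU_COSQ_MAX;
    int port_cosq_num = 0;
    int thdo_qconfig_cell_queue_no = 0;
    /* NOTE(review): a single uint32 is used as the table-entry buffer; confirm
     * that an MMU_THDO_QCONFIG_CELL entry is exactly one word wide, otherwise
     * READ_MMU_THDO_QCONFIG_CELLm writes past this local. */
    uint32 thdo_qconfig_cell_entry = 0;

    /* Guaranteed cells: reject values below the minimum, clamp above the maximum. */
    if (port_guarantee_cells < THDO_QCONFIG_CELLS_MIN) {
        return RV_ERROR;
    }
    if (port_guarantee_cells > THDO_QCONFIG_CELLS_MAX) {
        port_guarantee_cells = THDO_QCONFIG_CELLS_MAX;
    }

    /* Alpha must lie in [THDO_QCONFIG_ALPHA_MIN, THDO_QCONFIG_ALPHA_MAX] (0~9). */
    if ((q_shared_alpha < THDO_QCONFIG_ALPHA_MIN) || (q_shared_alpha > THDO_QCONFIG_ALPHA_MAX)) {
        return RV_ERROR;
    }

    /* Only UNI (PON) ports may be configured. */
    if ((ponno < linecard_pon_port_begin()) || (ponno > linecard_pon_port_end())) {
        return RV_ERROR;
    }

    /* NOTE(review): the return of switch_oldport_to_newport() is not checked;
     * confirm it cannot fail for a ponno that passed the range check above,
     * since (switchport - 1) feeds the queue index below. */
    switchport = switch_oldport_to_newport(ponno);

    /* Number of COS queues per port, as configured in the SDK. */
    BCM_IF_ERROR_RETURN(bcm_cosq_config_get(unit, &port_cosq_num));

    /* cosq is used both as an offset inside this port's queue block and as an
     * index into g_switch_pon_qconfig. An out-of-range value would address
     * another port's queue, or run off the table, so reject it before either
     * use. Assumes the table's cosq dimension is at least port_cosq_num
     * (documented as 0~7) -- confirm against its definition. */
    if ((cosq < 0) || (cosq >= port_cosq_num)) {
        return RV_ERROR;
    }

    /* Absolute queue number: CPU queues come first, then port_cosq_num queues
     * per switch port. */
    thdo_qconfig_cell_queue_no = cpu_cosq_num + (switchport - 1) * port_cosq_num + cosq;
    BCM_IF_ERROR_RETURN(READ_MMU_THDO_QCONFIG_CELLm(unit, MEM_BLOCK_ANY, thdo_qconfig_cell_queue_no, &thdo_qconfig_cell_entry));

    /* First touch of this (ponno, cosq): remember what the hardware holds. */
    if (g_switch_pon_qconfig[ponno][cosq].flag == 0) {
        g_switch_pon_qconfig[ponno][cosq].q_min_cell = soc_mem_field32_get(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_MIN_CELLf);
        g_switch_pon_qconfig[ponno][cosq].q_shared_alpha = soc_mem_field32_get(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf);
        g_switch_pon_qconfig[ponno][cosq].flag = 1;
    }

    if ((port_guarantee_cells == THDO_QCONFIG_CELLS_MIN) && (q_shared_alpha == THDO_QCONFIG_ALPHA_MIN) && (g_switch_pon_qconfig[ponno][cosq].flag == 1)) {
        /* Both minimums requested: restore the saved defaults for this PON port. */
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_MIN_CELLf, g_switch_pon_qconfig[ponno][cosq].q_min_cell);
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf, g_switch_pon_qconfig[ponno][cosq].q_shared_alpha);
    } else if ((port_guarantee_cells != THDO_QCONFIG_CELLS_MIN) && (q_shared_alpha != THDO_QCONFIG_ALPHA_MIN)) {
        /* Both values given explicitly: program them. */
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_MIN_CELLf, port_guarantee_cells);
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf, q_shared_alpha);
    }
    /* NOTE(review): when exactly one of the two values is at its minimum,
     * neither branch above runs and the entry is written back unchanged;
     * presumably intended, but confirm callers expect a silent no-op. */

    BCM_IF_ERROR_RETURN(WRITE_MMU_THDO_QCONFIG_CELLm(unit, MEM_BLOCK_ANY, thdo_qconfig_cell_queue_no, &thdo_qconfig_cell_entry));
    return RV_OK;
}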
根本原因
1、bcopy()拷贝越界导致
2、调试过程中发现,交换SDK库文件指定-O2编译选项,此时r30寄存器被当作通用寄存器s8使用;而其他模块使用默认的-O0编译选项,此时r30寄存器被当作fp(frame pointer)指针使用。当应用程序调用使用s8寄存器的交换SDK接口函数时,可能出现s8寄存器值被改写,导致触发非法地址访问的情况。
分析过程
既然代码走查没有发现问题,只能使出洪荒之力,通过反汇编定位分析了。
首先,通过i命令查看系统任务状态,发现挂死任务为cmd_process任务。
-> i NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY ---------- ------------ -------- --- ---------- -------- -------- ------- ----- tExcTask ^@excTask 87d80cb0 0 PEND 80a6f360 87d80b90 3006b 0 tLogTask logTask 87d7e120 0 PEND 80a6f360 87d7e008 0 0 tShell shell 87a93670 1 READY 8025707c 87a93288 0 0 tWdbTask wdbTask 87ab28e0 3 PEND 8015b4cc 87ab2650 3d0002 0 tAioIoTask1aioIoTask 87d8f3f0 50 PEND 8015b4cc 87d8f358 0 0 tAioIoTask0aioIoTask 87d88180 50 PEND 8015b4cc 87d880e8 0 0 tNetTask netTask 87bf2860 50 PEND 8015b4cc 87bf27d0 0 0 cmd_processMsgProcessTa 4c31d5a0 80 SUSPEND 8016a354 4c31d328 3d0004 0 value = 0 = 0x0
然后,通过ti命令查看任务详情。
-> ti 0x4c31d5a0 ^@ NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY ---------- ------------ -------- --- ---------- -------- -------- ------- ----- cmd_processMsgProcessTa 4c31d5a0 80 SUSPEND 8016a354 4c31d328 3d0004 0 stack: base 0x4c31d5a0 end 0x4c3185a0 size 20464 high 7760 margin 12704 options: 0xc VX_DEALLOC_STACK VX_FP_TASK VxWorks Events -------------- Events Pended on : Not Pended Received Events : 0x0 Options : N/A $0 = 0 t0 = 0 s0 = 0 t8 = 0 at = 1 t1 = 1 s1 = 0 t9 = 50 v0 = 4c31d374 t2 = 4 s2 = 0 k0 = 813a3fb8 v1 = c t3 = 0 s3 = 0 k1 = 0 a0 = 35 t4 = 0 s4 = 0 gp = 813a1640 a1 = 4c31d370 t5 = 20 s5 = 0 sp = 4c31d328 a2 = 4 t6 = 6c8 s6 = 0 s8 = 4c31d328 a3 = 80ad31f0 t7 = 0 s7 = 0 ra = 80159e30 divlo = 38 divhi = 0 sr = 1000fc01 pc = 8016a354 value = 0 = 0x0
通过tt命令查看挂死前任务调用轨迹。
-> tt 0x4c31d5a0 8015bee4 vxTaskEntry +c : MsgProcessTask (0, 0, 0, 0) 80c58e9c MsgProcessTask +1bc: GeponProcGswCmd (87aa5760, 0, eeeeeeee, eeeeeeee) 80c5a670 GeponProcGswCmd+748: compare_and_exec_cmd (87aa5760, 87aa57b5, 300eeee, eeeeeeee) 80c5a93c compare_and_exec_cmd+2ac: olt_config_set_pon_cosq__config (87aa585d, a8, b1, 0) 80ad31e8 olt_config_set_pon_cosq__config+73c: switch_port_qconfig_set (0, 0, 0, 1) 8016c6c4 excStub +120: unaligned_load_handler (4, 4c31d388, 4c31d3b0, c) 80159e28 unaligned_load_handler+238: bcopy (4, 4c31d388, 4c31d3b0, 80ad31f0) value = 0 = 0x0
此时,sp为0x4c31d328,ra为0x80159e30,pc为0x8016a354。打印sp指向的栈数据。
-> d 0x4c31d328,200,4 4c31d320: 00000004 4c31d388 * L1..* 4c31d330: 4c31d3b0 80ad31f0 00000000 4c31d34c *L1....1.....L1.L* 4c31d340: 4c31d368 00000000 80ad31f0 80ad31f4 *L1.h......1...1.* 4c31d350: 00000001 00000035 8fc20034 00000000 *.......5...4....* 4c31d360: 0000001e 00000002 00000000 00000000 *................* 4c31d370: 00000000 00000001 00000001 00000003 *................* 4c31d380: 00000001 8016c6cc 00000004 4c31d388 *............L1..* 4c31d390: 4c31d3b0 0000000c 00002cd0 00000010 *L1........,.....* 4c31d3a0: 4c31d438 00000000 00000035 00000000 *L1.8.......5....* 4c31d3b0: 1000fc03 80ad31f0 00000038 00000000 *......1....8....* 4c31d3c0: 00000000 00031000 00000000 00000000 *................* 4c31d3d0: 80ec45d0 80ec45e4 000000aa 00000000 *..E...E.........* 4c31d3e0: 1000fc01 1000fc00 00000004 00000000 *................* 4c31d3f0: 00000000 00000020 000006c8 00000000 *....... ........* 4c31d400: 00000000 00000000 00000000 00000000 *................* 4c31d410: 00000000 00000000 00000000 00000000 *................* 4c31d420: 00000000 00000050 00000002 00000000 *.......P........* 4c31d430: 813a1640 4c31d448 00000001 80ad31f0 *.:.@L1.H......1.* 4c31d440: 00000001 80ad31f0 00000000 00000000 *......1.........* 4c31d450: 00000000 00000001 00000001 00000000 *................* 4c31d460: 039f5799 00000000 000d0001 00000014 *..W.............* 4c31d470: 00070007 00070000 00000008 00000000 *................* 4c31d480: 00000007 00000000 00000001 00010001 *................* 4c31d490: 00010001 00020002 00020003 00030003 *................* 4c31d4a0: 00040004 00040005 00050005 00060006 *................* 4c31d4b0: 00060007 00070007 4c31d4c0 80c5a944 *........L1.....D* 4c31d4c0: 87aa585d 000000a8 000000b1 00000000 *..X]............* 4c31d4d0: 00000000 00000000 00a84083 87aa5760 *..........@...W`* 4c31d4e0: 4d3e8110 4d3e80e0 00000000 00000000 *M>..M>..........* 4c31d4f0: 039fd500 80c5a268 4c31d500 80c5a678 *.......hL1.....x* 4c31d500: 87aa5760 87aa57b5 0300eeee eeeeeeee 
*..W`..W.........* 4c31d510: 4c31d518 eeeeeeee eeeeeeee eeeeeeee *L1..............* 4c31d520: 0000be49 00f800a8 4083eeee 87aa57b5 *...I....@.....W.* 4c31d530: 87aa5760 00000000 00000000 f8000000 *..W`............* 4c31d540: 00000055 00000000 4c31d550 80c58ea4 *...U....L1.P....* 4c31d550: 87aa5760 00000000 eeeeeeee eeeeeeee *..W`............* 4c31d560: 80c57ca0 87aa5760 00000e10 eeeeeeee *..|...W`........* 4c31d570: 00000000 8015beec 00000000 00000000 *................* 4c31d580: 00000000 00000000 00000000 00000000 *................* 4c31d590: 00000000 00000000 00000000 00000000 *................* 4c31d5a0: 00000000 00000000 00000050 00000000 *...........P....* 4c31d5b0: 4c392520 4c74e3f0 0000c119 00000000 *L9% Lt..........* 4c31d5c0: 4c318350 4c3200b0 8015bc10 1000fc01 *L1.PL2..........* 4c31d5d0: 813a503c 4c3185a0 0000000c 00000001 *.:P<L1..........* 4c31d5e0: 00000050 00000050 00000000 00000000 *...P...P........* 4c31d5f0: 00000000 00000000 00000000 87aa5d28 *..............](* 4c31d600: 00000000 00000000 00000000 00000000 *................* 4c31d610: 8101de84 80c58ce0 4c31d5a0 4c3185b0 *........L1..L1..* 4c31d620: 4c3185a0 003d0004 00000000 00000000 *L1...=..........* 4c31d630: 4c318540 00000000 00000000 87aa78e0 *L1.@..........x.* 4c31d640: 00000000 00000000 *................* value = 21 = 0x15
找到pc所在函数并反汇编。
-> 0x8016a354 value = -2146000044 = 0x8016a354^@ = bcopy + 0xc4 -> l bcopy,50 ^@ bcopy: 0x8016a290 00a41023 subu v0,a1,a0 0x8016a294 18400003 blez v0,0x8016a2a4 0x8016a298 0046082a slt at,v0,a2 0x8016a29c 14200040 bnez at,0x8016a3a0 0x8016a2a0 00a01025 move v0,a1 0x8016a2a4 28c1000a slti at,a2,10 0x8016a2a8 14200024 bnez at,0x8016a33c 0x8016a2ac 00a61021 addu v0,a1,a2 0x8016a2b0 00a47026 xor t6,a1,a0 0x8016a2b4 31cf0003 andi t7,t6,0x3 0x8016a2b8 15e00021 bnez t7,0x8016a340 0x8016a2bc 00a2082b sltu at,a1,v0 0x8016a2c0 30b80003 andi t8,a1,0x3 0x8016a2c4 13000008 beqz t8,0x8016a2e8 0x8016a2c8 00801825 move v1,a0 0x8016a2cc 90990000 lbu t9,0(a0) 0x8016a2d0 24a50001 addiu a1,a1,1 0x8016a2d4 30a80003 andi t0,a1,0x3 0x8016a2d8 24840001 addiu a0,a0,1 0x8016a2dc 1500fffb bnez t0,0x801aa2cc 0x8016a2e0 a0b9ffff sb t9,65535(a1) 0x8016a2e4 00801825 move v1,a0 0x8016a2e8 00a06025 move t4,a1 0x8016a2ec 2447fffc addiu a3,v0,65532 0x8016a2f0 8c690000 lw t1,0(v1) 0x8016a2f4 258c0004 addiu t4,t4,4 0x8016a2f8 00ec082b sltu at,a3,t4 0x8016a2fc 24630004 addiu v1,v1,4 0x8016a300 1020fffb beqz at,0x801aa2f0 0x8016a304 ad89fffc sw t1,65532(t4) 0x8016a308 01802825 move a1,t4 0x8016a30c 00602025 move a0,v1 0x8016a310 00a2082b sltu at,a1,v0 0x8016a314 10200063 beqz at,0x8016a4a4 0x8016a318 00000000 nop 0x8016a31c 24a50001 addiu a1,a1,1 0x8016a320 908a0000 lbu t2,0(a0) 0x8016a324 00a2082b sltu at,a1,v0 0x8016a328 24840001 addiu a0,a0,1 0x8016a32c 1420fffb bnez at,0x801aa31c 0x8016a330 a0aaffff sb t2,65535(a1) 0x8016a334 03e00008 jr ra 0x8016a338 00000000 nop 0x8016a33c 00a2082b sltu at,a1,v0 0x8016a340 10200058 beqz at,0x8016a4a4 0x8016a344 00000000 nop 0x8016a348 2cc80004 sltiu t0,a2,4 0x8016a34c 1408000c bne zero,t0,0x8016a380 0x8016a350 00064882 srl t1,a2,2 0x8016a354 88880000 lwl t0,0(a0) /* 挂死指令,将a0+0内存地址值加载到t0寄存器,此时a0为0x35,十进制53 */ value = -2146000040 = 0x8016a358 = bcopy + 0xc8
查看bcopy函数的反汇编代码,发现该函数入口没有压栈通用寄存器(局部变量)和ra返回地址的操作,说明bcopy函数为叶子函数。
此时,推导出上一级函数的sp为0x4c31d328,pc为当前函数的ra,即80159e30。找到pc所在函数并反汇编。
-> 0x80159e30 value = -2146066896 = 0x80159e30^@ = unaligned_load_handler + 0x240 -> l unaligned_load_handler,300 ^@ unaligned_load_handler: 0x80159bf0 27bdffa0 addiu sp,sp,65440(-96) //上一级函数sp = sp + 96,为0x4c31d388 0x80159bf4 afbf005c sw ra,92(sp) //ra位于当前sp + 92,即0x4c31d384地址处,其值为0x8016c6cc 0x80159bf8 afbe0058 sw s8,88(sp) //压栈s8到sp+88 0x80159bfc 03a0f025 move s8,sp //s8 = sp,s8用作frame pointer 0x80159c00 afc40060 sw a0,96(s8) 0x80159c04 afc50064 sw a1,100(s8) 0x80159c08 afc60068 sw a2,104(s8) 0x80159c0c 8fc20064 lw v0,100(s8) 0x80159c10 8c42002c lw v0,44(v0) 0x80159c14 afc20020 sw v0,32(s8) 0x80159c18 8fc20064 lw v0,100(s8) 0x80159c1c 8c420014 lw v0,20(v0) 0x80159c20 000217c2 srl v0,v0,31 0x80159c24 afc20034 sw v0,52(s8) 0x80159c28 8fc20064 lw v0,100(s8) 0x80159c2c 8fc30020 lw v1,32(s8) 0x80159c30 8c42002c lw v0,44(v0) 0x80159c34 10620003 beq v1,v0,0x80159c44 0x80159c38 00000000 nop 0x80159c3c 080567b7 j 0x80159edc 0x80159c40 00000000 nop 0x80159c44 8fc20064 lw v0,100(s8) 0x80159c48 8c42002c lw v0,44(v0) 0x80159c4c 30420003 andi v0,v0,0x3 0x80159c50 10400003 beqz v0,0x80159c60 0x80159c54 00000000 nop 0x80159c58 080567b7 j 0x80159edc 0x80159c5c 00000000 nop 0x80159c60 8fc20034 lw v0,52(s8) 0x80159c64 afa20010 sw v0,16(sp) 0x80159c68 27c20024 addiu v0,s8,36 0x80159c6c afa20014 sw v0,20(sp) 0x80159c70 27c20040 addiu v0,s8,64 0x80159c74 afa20018 sw v0,24(sp) 0x80159c78 8fc40060 lw a0,96(s8) 0x80159c7c 8fc50064 lw a1,100(s8) 0x80159c80 8fc60068 lw a2,104(s8) 0x80159c84 8fc70020 lw a3,32(s8) 0x80159c88 0c056544 jal 0x80159510 0x80159c8c 00000000 nop 0x80159c90 10400003 beqz v0,0x80159ca0 0x80159c94 00000000 nop 0x80159c98 080567b7 j 0x80159edc 0x80159c9c 00000000 nop 0x80159ca0 8fc20034 lw v0,52(s8) 0x80159ca4 10400004 beqz v0,0x80159cb8 0x80159ca8 00000000 nop 0x80159cac 8fc20020 lw v0,32(s8) 0x80159cb0 24420004 addiu v0,v0,4 0x80159cb4 afc20020 sw v0,32(s8) 0x80159cb8 27c20030 addiu v0,s8,48 0x80159cbc 8fc40020 lw a0,32(s8) 0x80159cc0 00402825 move a1,v0 0x80159cc4 
24060004 li a2,4 0x80159cc8 0c05a8a4 jal bcopy 0x80159ccc 00000000 nop 0x80159cd0 8fc20030 lw v0,48(s8) 0x80159cd4 00021542 srl v0,v0,21 0x80159cd8 3042001f andi v0,v0,0x1f 0x80159cdc afc20038 sw v0,56(s8) 0x80159ce0 8fc20030 lw v0,48(s8) 0x80159ce4 00021402 srl v0,v0,16 0x80159ce8 3042001f andi v0,v0,0x1f 0x80159cec afc2003c sw v0,60(s8) 0x80159cf0 8fc20038 lw v0,56(s8) 0x80159cf4 1040000a beqz v0,0x80159d20 0x80159cf8 00000000 nop 0x80159cfc 8fc30064 lw v1,100(s8) 0x80159d00 8fc20038 lw v0,56(s8) 0x80159d04 00021080 sll v0,v0,2 0x80159d08 24420038 addiu v0,v0,56 0x80159d0c 00621021 addu v0,v1,v0 0x80159d10 8c420000 lw v0,0(v0) 0x80159d14 afc2004c sw v0,76(s8) 0x80159d18 08056749 j 0x80159d24 0x80159d1c 00000000 nop 0x80159d20 afc0004c sw zero,76(s8) 0x80159d24 8fc2004c lw v0,76(s8) 0x80159d28 afc20028 sw v0,40(s8) 0x80159d2c 8fc30028 lw v1,40(s8) 0x80159d30 afc30050 sw v1,80(s8) 0x80159d34 8fc20038 lw v0,56(s8) 0x80159d38 1040000c beqz v0,0x80159d6c 0x80159d3c 00000000 nop 0x80159d40 8fc30064 lw v1,100(s8) 0x80159d44 8fc20038 lw v0,56(s8) 0x80159d48 00021080 sll v0,v0,2 0x80159d4c 24420038 addiu v0,v0,56 0x80159d50 00621021 addu v0,v1,v0 0x80159d54 8c420000 lw v0,0(v0) 0x80159d58 8fc30050 lw v1,80(s8) 0x80159d5c 1462005f bne v1,v0,0x80159edc 0x80159d60 00000000 nop 0x80159d64 0805675e j 0x80159d78 0x80159d68 00000000 nop 0x80159d6c 8fc20050 lw v0,80(s8) 0x80159d70 1440005a bnez v0,0x80159edc 0x80159d74 00000000 nop 0x80159d78 87c30032 lh v1,50(s8) 0x80159d7c 8fc20028 lw v0,40(s8) 0x80159d80 00431021 addu v0,v0,v1 0x80159d84 afc2002c sw v0,44(s8) 0x80159d88 8fc20030 lw v0,48(s8) 0x80159d8c 00021682 srl v0,v0,26 0x80159d90 3042003f andi v0,v0,0x3f 0x80159d94 2442ffe0 addiu v0,v0,65504 0x80159d98 afc20054 sw v0,84(s8) 0x80159d9c 8fc30054 lw v1,84(s8) 0x80159da0 2c620018 sltiu v0,v1,24 0x80159da4 1040004d beqz v0,0x80159edc 0x80159da8 00000000 nop 0x80159dac 8fc20054 lw v0,84(s8) 0x80159db0 00021880 sll v1,v0,2 0x80159db4 3c0280c7 lui v0,0x80c7 0x80159db8 2442e4a0 
addiu v0,v0,58528 0x80159dbc 00621021 addu v0,v1,v0 0x80159dc0 8c420000 lw v0,0(v0) 0x80159dc4 00400008 jr v0 0x80159dc8 00000000 nop 0x80159dcc 27c20044 addiu v0,s8,68 0x80159dd0 8fc4002c lw a0,44(s8) 0x80159dd4 00402825 move a1,v0 0x80159dd8 24060002 li a2,2 0x80159ddc 0c05a8a4 jal bcopy 0x80159de0 00000000 nop 0x80159de4 00000000 nop 0x80159de8 8fc2003c lw v0,60(s8) 0x80159dec 1040002e beqz v0,0x80159ea8 0x80159df0 00000000 nop 0x80159df4 8fc30064 lw v1,100(s8) 0x80159df8 8fc2003c lw v0,60(s8) 0x80159dfc 00021080 sll v0,v0,2 0x80159e00 24420038 addiu v0,v0,56 0x80159e04 00621821 addu v1,v1,v0 0x80159e08 87c20044 lh v0,68(s8) 0x80159e0c ac620000 sw v0,0(v1) 0x80159e10 080567aa j 0x80159ea8 0x80159e14 00000000 nop 0x80159e18 27c20048 addiu v0,s8,72 0x80159e1c 8fc4002c lw a0,44(s8) 0x80159e20 00402825 move a1,v0 0x80159e24 24060004 li a2,4 0x80159e28 0c05a8a4 jal bcopy 0x80159e2c 00000000 nop 0x80159e30 00000000 nop 0x80159e34 8fc2003c lw v0,60(s8) 0x80159e38 1040001b beqz v0,0x80159ea8 0x80159e3c 00000000 nop 0x80159e40 8fc30064 lw v1,100(s8) 0x80159e44 8fc2003c lw v0,60(s8) 0x80159e48 00021080 sll v0,v0,2 0x80159e4c 24420038 addiu v0,v0,56 0x80159e50 00621821 addu v1,v1,v0 0x80159e54 8fc20048 lw v0,72(s8) 0x80159e58 ac620000 sw v0,0(v1) 0x80159e5c 080567aa j 0x80159ea8 0x80159e60 00000000 nop 0x80159e64 27c20044 addiu v0,s8,68 0x80159e68 8fc4002c lw a0,44(s8) 0x80159e6c 00402825 move a1,v0 0x80159e70 24060002 li a2,2 0x80159e74 0c05a8a4 jal bcopy 0x80159e78 00000000 nop 0x80159e7c 00000000 nop 0x80159e80 8fc2003c lw v0,60(s8) 0x80159e84 10400008 beqz v0,0x80159ea8 0x80159e88 00000000 nop 0x80159e8c 8fc30064 lw v1,100(s8) 0x80159e90 8fc2003c lw v0,60(s8) 0x80159e94 00021080 sll v0,v0,2 0x80159e98 24420038 addiu v0,v0,56 0x80159e9c 00621821 addu v1,v1,v0 0x80159ea0 97c20044 lhu v0,68(s8) 0x80159ea4 ac620000 sw v0,0(v1) 0x80159ea8 8fc20040 lw v0,64(s8) 0x80159eac 10400006 beqz v0,0x80159ec8 0x80159eb0 00000000 nop 0x80159eb4 8fc30064 lw v1,100(s8) 0x80159eb8 
8fc20064 lw v0,100(s8) 0x80159ebc 8c42002c lw v0,44(v0) 0x80159ec0 24420008 addiu v0,v0,8 0x80159ec4 ac6200b4 sw v0,180(v1) 0x80159ec8 8fc30064 lw v1,100(s8) 0x80159ecc 8fc20024 lw v0,36(s8) 0x80159ed0 ac62002c sw v0,44(v1) 0x80159ed4 080567bc j 0x80159ef0 0x80159ed8 00000000 nop 0x80159edc 8fc40060 lw a0,96(s8) 0x80159ee0 8fc50064 lw a1,100(s8) 0x80159ee4 8fc60068 lw a2,104(s8) 0x80159ee8 0c05ac45 jal excExcHandle 0x80159eec 00000000 nop 0x80159ef0 03c0e825 move sp,s8 0x80159ef4 8fbf005c lw ra,92(sp) 0x80159ef8 8fbe0058 lw s8,88(sp) 0x80159efc 27bd0060 addiu sp,sp,96 0x80159f00 03e00008 jr ra 0x80159f04 00000000 nop
根据unaligned_load_handler函数入口的压栈操作,推导出上一级函数的sp为0x4c31d388,pc为0x8016c6cc。找到pc所在函数并反汇编。
-> 0x8016c6cc value = -2145990964 = 0x8016c6cc^@ = excStub + 0x128 -> -> l excStub,200 ^@ excStub: 0x8016c5a4 afbdffec sw sp,65516(sp) //触发异常处理的函数的sp压栈在sp-20,即0x4c31d434地址处0x4c31d448 0x8016c5a8 27bdff40 addiu sp,sp,65344(-192) //上一级函数sp = sp + 192,为0x4c31d448 0x8016c5ac afa1003c sw at,60(sp) 0x8016c5b0 afa20040 sw v0,64(sp) 0x8016c5b4 401b4000 mfc0 k1,badvaddr 0x8016c5b8 00000000 nop 0x8016c5bc 401a7000 mfc0 k0,epc 0x8016c5c0 00000000 nop 0x8016c5c4 00000040 ssnop 0x8016c5c8 00000040 ssnop 0x8016c5cc afbb0020 sw k1,32(sp) //BADVADDR压栈在sp+32,即0x4c31d3a8地址处,其值为0x00000035 0x8016c5d0 afba002c sw k0,44(sp) //EPC压栈在sp+44,即0x4c31d3b4地址处,其值为0x80ad31f0 0x8016c5d4 40026800 mfc0 v0,cause 0x8016c5d8 00000000 nop 0x8016c5dc 401b6000 mfc0 k1,sr 0x8016c5e0 00000000 nop 0x8016c5e4 00000040 ssnop 0x8016c5e8 00000040 ssnop 0x8016c5ec afa20014 sw v0,20(sp) //Cause压栈在sp+20 0x8016c5f0 3042007c andi v0,v0,0x7c 0x8016c5f4 afbb0028 sw k1,40(sp) 0x8016c5f8 409b6000 mtc0 k1,sr 0x8016c5fc 2401fffd li at,65533 0x8016c600 0361d824 and k1,k1,at 0x8016c604 409b6000 mtc0 k1,sr 0x8016c608 00000040 ssnop 0x8016c60c 00000040 ssnop 0x8016c610 00000040 ssnop 0x8016c614 00000040 ssnop 0x8016c618 00000000 nop 0x8016c61c 00000812 mflo at 0x8016c620 00000000 nop 0x8016c624 afa10030 sw at,48(sp) 0x8016c628 00000000 nop 0x8016c62c 00000810 mfhi at 0x8016c630 00000000 nop 0x8016c634 afa10034 sw at,52(sp) 0x8016c638 afa00038 sw zero,56(sp) 0x8016c63c afa000a4 sw zero,164(sp) 0x8016c640 afa30044 sw v1,68(sp) 0x8016c644 afa40048 sw a0,72(sp) //压栈异常处理前函数的入参a0到sp+72,即0x4c31d3d0,其值为0x80ec45d0 0x8016c648 afa5004c sw a1,76(sp) //压栈异常处理前函数的入参a1到sp+76,即0x4c31d3d4,其值为0x80ec45e4 0x8016c64c afa60050 sw a2,80(sp) //压栈异常处理前函数的入参a2到sp+80,即0x4c31d3d8,其值为0x000000aa 0x8016c650 afa70054 sw a3,84(sp) //压栈异常处理前函数的入参a3到sp+84,即0x4c31d3dc,其值为0x00000000 0x8016c654 afa80058 sw t0,88(sp) //1000fc01 0x8016c658 afa9005c sw t1,92(sp) //1000fc00 0x8016c65c afaa0060 sw t2,96(sp) //00000004 0x8016c660 afab0064 sw t3,100(sp) 0x8016c664 
afac0068 sw t4,104(sp) 0x8016c668 afad006c sw t5,108(sp) 0x8016c66c afae0070 sw t6,112(sp) 0x8016c670 afaf0074 sw t7,116(sp) 0x8016c674 afb80098 sw t8,152(sp) 0x8016c678 afb9009c sw t9,156(sp) 0x8016c67c afb00078 sw s0,120(sp) 0x8016c680 afb1007c sw s1,124(sp) 0x8016c684 afb20080 sw s2,128(sp) 0x8016c688 afb30084 sw s3,132(sp) 0x8016c68c afb40088 sw s4,136(sp) 0x8016c690 afb5008c sw s5,140(sp) 0x8016c694 afb60090 sw s6,144(sp) 0x8016c698 afb70094 sw s7,148(sp) 0x8016c69c afbe00b0 sw s8,176(sp) //s8压栈在sp + 176,即0x4c31d438地址处,其值为0x0000001 0x8016c6a0 afbc00a8 sw gp,168(sp) 0x8016c6a4 afbf00b4 sw ra,180(sp) // ra位于sp + 180,即0x4c31d43c地址处,其值为0x80ad31f0 0x8016c6a8 00022082 srl a0,v0,2 0x8016c6ac 03a02825 move a1,sp 0x8016c6b0 27a60028 addiu a2,sp,40 0x8016c6b4 3c088101 lui t0,0x8101 0x8016c6b8 2508e610 addiu t0,t0,58896 0x8016c6bc 00481021 addu v0,v0,t0 0x8016c6c0 8c420000 lw v0,0(v0) 0x8016c6c4 0040f809 jalr v0 0x8016c6c8 00000000 nop 0x8016c6cc 8fa20040 lw v0,64(sp) 0x8016c6d0 8fa30044 lw v1,68(sp) 0x8016c6d4 8fa40048 lw a0,72(sp) 0x8016c6d8 8fa5004c lw a1,76(sp) 0x8016c6dc 8fa60050 lw a2,80(sp) 0x8016c6e0 8fa70054 lw a3,84(sp) 0x8016c6e4 8fa80058 lw t0,88(sp) 0x8016c6e8 8fa9005c lw t1,92(sp) 0x8016c6ec 8faa0060 lw t2,96(sp) 0x8016c6f0 8fab0064 lw t3,100(sp) 0x8016c6f4 8fac0068 lw t4,104(sp) 0x8016c6f8 8fad006c lw t5,108(sp) 0x8016c6fc 8fae0070 lw t6,112(sp) 0x8016c700 8faf0074 lw t7,116(sp) 0x8016c704 8fb00078 lw s0,120(sp) 0x8016c708 8fb1007c lw s1,124(sp) 0x8016c70c 8fb20080 lw s2,128(sp) 0x8016c710 8fb30084 lw s3,132(sp) 0x8016c714 8fb40088 lw s4,136(sp) 0x8016c718 8fb5008c lw s5,140(sp) 0x8016c71c 8fb60090 lw s6,144(sp) 0x8016c720 8fb70094 lw s7,148(sp) 0x8016c724 8fbe00b0 lw s8,176(sp) 0x8016c728 8fbc00a8 lw gp,168(sp) 0x8016c72c 8fbf00b4 lw ra,180(sp) 0x8016c730 8fb90030 lw t9,48(sp) 0x8016c734 00000000 nop 0x8016c738 03200013 mtlo t9 0x8016c73c 00000000 nop 0x8016c740 8fb90034 lw t9,52(sp) 0x8016c744 00000000 nop 0x8016c748 03200011 mthi t9 0x8016c74c 00000000 
nop 0x8016c750 34190001 liu t9,0x1 0x8016c754 40996000 mtc0 t9,sr 0x8016c758 00000040 ssnop 0x8016c75c 00000040 ssnop 0x8016c760 00000040 ssnop 0x8016c764 00000040 ssnop 0x8016c768 8fb90028 lw t9,40(sp) 0x8016c76c 37390002 ori t9,t9,0x2 0x8016c770 40996000 mtc0 t9,sr 0x8016c774 00000040 ssnop 0x8016c778 00000040 ssnop 0x8016c77c 00000040 ssnop 0x8016c780 00000040 ssnop 0x8016c784 8fa1003c lw at,60(sp) 0x8016c788 8fb80098 lw t8,152(sp) 0x8016c78c 8fb9009c lw t9,156(sp) 0x8016c790 8fbb002c lw k1,44(sp) 0x8016c794 27bd00c0 addiu sp,sp,192 0x8016c798 409b7000 mtc0 k1,epc 0x8016c79c 00000040 ssnop 0x8016c7a0 00000040 ssnop 0x8016c7a4 00000040 ssnop 0x8016c7a8 00000040 ssnop 0x8016c7ac 42000018 eret
excStub为异常处理函数,从反汇编指令可以看到,该环境下异常处理函数没有单独的栈空间,而是使用触发异常的函数的栈空间。从反汇编代码和栈数据中,推导出CP0协处理器寄存器BadVaddr值为0x00000035(与bcopy中访问的非法地址一致),EPC寄存器值为0x80ad31f0。上一级函数sp为0x4c31d448,ra为0x80ad31f0,与EPC保持一致。找到epc所在函数并反汇编。
-> 0x80ad31f0 value = -2136133136 = 0x80ad31f0^@ = olt_config_set_pon_cosq__config + 0x744 -> -> l olt_config_set_pon_cosq__config olt_config_set_pon_cosq__config: 0x80ad2aac 27bdff88 addiu sp,sp,65416(-120) //上一级函数sp为sp+120为0x4c31d4c0 0x80ad2ab0 afbf0074 sw ra,116(sp) //ra压栈到sp+116 0x80ad2ab4 afbe0070 sw s8,112(sp) //s8压栈到sp+112 0x80ad2ab8 03a0f025 move s8,sp //s8 = sp, s8作为frame pointer 0x80ad2abc afc40078 sw a0,120(s8) 0x80ad2ac0 afc5007c sw a1,124(s8) 0x80ad2ac4 00c01025 move v0,a2 0x80ad2ac8 a7c20018 sh v0,24(s8) 0x80ad2acc afc0001c sw zero,28(s8) 0x80ad2ad0 a7c00020 sh zero,32(s8) 0x80ad2ad4 a7c00022 sh zero,34(s8) 0x80ad2ad8 a7c00024 sh zero,36(s8) 0x80ad2adc a7c00026 sh zero,38(s8) 0x80ad2ae0 a7c00028 sh zero,40(s8) 0x80ad2ae4 a7c0002a sh zero,42(s8) 0x80ad2ae8 a7c0002c sh zero,44(s8) 0x80ad2aec afc00030 sw zero,48(s8) 0x80ad2af0 afc00034 sw zero,52(s8) 0x80ad2af4 afc00038 sw zero,56(s8) 0x80ad2af8 8fc20078 lw v0,120(s8) 0x80ad2afc 10400006 beqz v0,0x80ad2b18 0x80ad2b00 00000000 nop 0x80ad2b04 8fc2007c lw v0,124(s8) 0x80ad2b08 18400003 blez v0,0x80ad2b18 0x80ad2b0c 00000000 nop 0x80ad2b10 082b4ad0 j 0x80ad2b40 0x80ad2b14 00000000 nop 0x80ad2b18 3c0480f2 lui a0,0x80f2 0x80ad2b1c 248460f0 addiu a0,a0,24816 0x80ad2b20 3c0580f2 lui a1,0x80f2 0x80ad2b24 24a56a3c addiu a1,a1,27196 0x80ad2b28 24061f65 li a2,8037 0x80ad2b2c 0c086611 jal printf 0x80ad2b30 00000000 nop 0x80ad2b34 2402ffff li v0,65535 0x80ad2b38 082b4c8b j 0x80ad322c 0x80ad2b3c 00000000 nop 0x80ad2b40 8fc20078 lw v0,120(s8) 0x80ad2b44 94420000 lhu v0,0(v0) 0x80ad2b48 a7c20020 sh v0,32(s8) 0x80ad2b4c 8fc20078 lw v0,120(s8) 0x80ad2b50 24420002 addiu v0,v0,2 0x80ad2b54 afc20078 sw v0,120(s8) 0x80ad2b58 0c05a86e jal GetSlotNo 0x80ad2b5c 00000000 nop 0x80ad2b60 00402025 move a0,v0 0x80ad2b64 0c2f2a70 jal toOuterSlot 0x80ad2b68 00000000 nop 0x80ad2b6c 00401825 move v1,v0 0x80ad2b70 97c20020 lhu v0,32(s8) 0x80ad2b74 10430013 beq v0,v1,0x80ad2bc4 0x80ad2b78 00000000 nop 0x80ad2b7c 0c05a86e jal GetSlotNo 
0x80ad2b80 00000000 nop 0x80ad2b84 00402025 move a0,v0 0x80ad2b88 0c2f2a70 jal toOuterSlot 0x80ad2b8c 00000000 nop 0x80ad2b90 97c30020 lhu v1,32(s8) 0x80ad2b94 afa20010 sw v0,16(sp) 0x80ad2b98 3c0480f2 lui a0,0x80f2 0x80ad2b9c 24846a5c addiu a0,a0,27228 0x80ad2ba0 3c0580f2 lui a1,0x80f2 0x80ad2ba4 24a56a3c addiu a1,a1,27196 0x80ad2ba8 24061f70 li a2,8048 0x80ad2bac 00603825 move a3,v1 0x80ad2bb0 0c086611 jal printf 0x80ad2bb4 00000000 nop 0x80ad2bb8 2402fffd li v0,65533 0x80ad2bbc 082b4c8b j 0x80ad322c 0x80ad2bc0 00000000 nop 0x80ad2bc4 8fc20078 lw v0,120(s8) 0x80ad2bc8 94420000 lhu v0,0(v0) 0x80ad2bcc a7c20022 sh v0,34(s8) 0x80ad2bd0 8fc20078 lw v0,120(s8) 0x80ad2bd4 24420002 addiu v0,v0,2 0x80ad2bd8 afc20078 sw v0,120(s8) 0x80ad2bdc 97c30022 lhu v1,34(s8) 0x80ad2be0 3402ffff liu v0,0xffff 0x80ad2be4 10620018 beq v1,v0,0x80ad2c48 0x80ad2be8 00000000 nop 0x80ad2bec 97c20022 lhu v0,34(s8) 0x80ad2bf0 10400009 beqz v0,0x80ad2c18 0x80ad2bf4 00000000 nop 0x80ad2bf8 97c20022 lhu v0,34(s8) 0x80ad2bfc 3c038131 lui v1,0x8131 0x80ad2c00 8c638b3c lw v1,35644(v1) 0x80ad2c04 0062102a slt v0,v1,v0 0x80ad2c08 14400003 bnez v0,0x80ad2c18 0x80ad2c0c 00000000 nop 0x80ad2c10 082b4b12 j 0x80ad2c48 0x80ad2c14 00000000 nop 0x80ad2c18 97c20022 lhu v0,34(s8) 0x80ad2c1c 3c0480f2 lui a0,0x80f2 0x80ad2c20 24846a88 addiu a0,a0,27272 0x80ad2c24 3c0580f2 lui a1,0x80f2 0x80ad2c28 24a56a3c addiu a1,a1,27196 0x80ad2c2c 24061f7c li a2,8060 0x80ad2c30 00403825 move a3,v0 0x80ad2c34 0c086611 jal printf 0x80ad2c38 00000000 nop 0x80ad2c3c 2402fffd li v0,65533 0x80ad2c40 082b4c8b j 0x80ad322c 0x80ad2c44 00000000 nop 0x80ad2c48 8fc20078 lw v0,120(s8) 0x80ad2c4c 24420010 addiu v0,v0,16 0x80ad2c50 afc20078 sw v0,120(s8) 0x80ad2c54 8fc20078 lw v0,120(s8) 0x80ad2c58 94420000 lhu v0,0(v0) 0x80ad2c5c a7c20026 sh v0,38(s8) 0x80ad2c60 8fc20078 lw v0,120(s8) 0x80ad2c64 24420002 addiu v0,v0,2 0x80ad2c68 afc20078 sw v0,120(s8) 0x80ad2c6c 97c20026 lhu v0,38(s8) 0x80ad2c70 10400017 beqz v0,0x80ad2cd0 0x80ad2c74 
00000000 nop 0x80ad2c78 97c20026 lhu v0,38(s8) 0x80ad2c7c 2c420008 sltiu v0,v0,8 0x80ad2c80 14400007 bnez v0,0x80ad2ca0 0x80ad2c84 00000000 nop 0x80ad2c88 97c20026 lhu v0,38(s8) 0x80ad2c8c 2c42001c sltiu v0,v0,28 0x80ad2c90 10400003 beqz v0,0x80ad2ca0 0x80ad2c94 00000000 nop 0x80ad2c98 082b4b34 j 0x80ad2cd0 0x80ad2c9c 00000000 nop 0x80ad2ca0 97c20026 lhu v0,38(s8) 0x80ad2ca4 3c0480f2 lui a0,0x80f2 0x80ad2ca8 24846aa8 addiu a0,a0,27304 0x80ad2cac 3c0580f2 lui a1,0x80f2 0x80ad2cb0 24a56a3c addiu a1,a1,27196 0x80ad2cb4 24061f8a li a2,8074 0x80ad2cb8 00403825 move a3,v0 0x80ad2cbc 0c086611 jal printf 0x80ad2cc0 00000000 nop 0x80ad2cc4 2402fffd li v0,65533 0x80ad2cc8 082b4c8b j 0x80ad322c 0x80ad2ccc 00000000 nop 0x80ad2cd0 8fc20078 lw v0,120(s8) 0x80ad2cd4 2442000e addiu v0,v0,14 0x80ad2cd8 afc20078 sw v0,120(s8) 0x80ad2cdc 8fc20078 lw v0,120(s8) 0x80ad2ce0 8c420000 lw v0,0(v0) 0x80ad2ce4 afc20030 sw v0,48(s8) 0x80ad2ce8 8fc20078 lw v0,120(s8) 0x80ad2cec 24420004 addiu v0,v0,4 0x80ad2cf0 afc20078 sw v0,120(s8) 0x80ad2cf4 8fc30030 lw v1,48(s8) 0x80ad2cf8 24020008 li v0,8 0x80ad2cfc 1062000c beq v1,v0,0x80ad2d30 0x80ad2d00 00000000 nop 0x80ad2d04 3c0480f2 lui a0,0x80f2 0x80ad2d08 24846acc addiu a0,a0,27340 0x80ad2d0c 3c0580f2 lui a1,0x80f2 0x80ad2d10 24a56a3c addiu a1,a1,27196 0x80ad2d14 24061f96 li a2,8086 0x80ad2d18 8fc70030 lw a3,48(s8) 0x80ad2d1c 0c086611 jal printf 0x80ad2d20 00000000 nop 0x80ad2d24 2402fffe li v0,65534 0x80ad2d28 082b4c8b j 0x80ad322c 0x80ad2d2c 00000000 nop 0x80ad2d30 27c20040 addiu v0,s8,64 0x80ad2d34 00402025 move a0,v0 0x80ad2d38 00002825 move a1,zero 0x80ad2d3c 24060030 li a2,48 0x80ad2d40 0c0851d7 jal memset 0x80ad2d44 00000000 nop 0x80ad2d48 afc00034 sw zero,52(s8) 0x80ad2d4c 8fc20034 lw v0,52(s8) 0x80ad2d50 8fc30030 lw v1,48(s8) 0x80ad2d54 0043102b sltu v0,v0,v1 0x80ad2d58 14400003 bnez v0,0x80ad2d68 0x80ad2d5c 00000000 nop 0x80ad2d60 082b4bc9 j 0x80ad2f24 0x80ad2d64 00000000 nop 0x80ad2d68 8fc20078 lw v0,120(s8) 0x80ad2d6c 94420000 lhu 
v0,0(v0) 0x80ad2d70 a7c2002c sh v0,44(s8) 0x80ad2d74 8fc20078 lw v0,120(s8) 0x80ad2d78 24420002 addiu v0,v0,2 0x80ad2d7c afc20078 sw v0,120(s8) 0x80ad2d80 97c2002c lhu v0,44(s8) 0x80ad2d84 2c420008 sltiu v0,v0,8 0x80ad2d88 1440000d bnez v0,0x80ad2dc0 0x80ad2d8c 00000000 nop 0x80ad2d90 97c2002c lhu v0,44(s8) 0x80ad2d94 3c0480f2 lui a0,0x80f2 0x80ad2d98 24846aec addiu a0,a0,27372 0x80ad2d9c 3c0580f2 lui a1,0x80f2 0x80ad2da0 24a56a3c addiu a1,a1,27196 0x80ad2da4 24061fa5 li a2,8101 0x80ad2da8 00403825 move a3,v0 0x80ad2dac 0c086611 jal printf 0x80ad2db0 00000000 nop 0x80ad2db4 2402fffe li v0,65534 0x80ad2db8 082b4c8b j 0x80ad322c 0x80ad2dbc 00000000 nop 0x80ad2dc0 97c3002c lhu v1,44(s8) 0x80ad2dc4 8fc20034 lw v0,52(s8) 0x80ad2dc8 10620005 beq v1,v0,0x80ad2de0 value = -2136134196 = 0x80ad2dcc = olt_config_set_pon_cosq__config + 0x320 -> l ^@0x80ad2dcc 00000000 nop 0x80ad2dd0 97c2002c lhu v0,44(s8) 0x80ad2dd4 afc20038 sw v0,56(s8) 0x80ad2dd8 082b4b7a j 0x80ad2de8 0x80ad2ddc 00000000 nop 0x80ad2de0 8fc20034 lw v0,52(s8) 0x80ad2de4 afc20038 sw v0,56(s8) 0x80ad2de8 8fc20078 lw v0,120(s8) 0x80ad2dec 94420000 lhu v0,0(v0) 0x80ad2df0 a7c20028 sh v0,40(s8) 0x80ad2df4 8fc20078 lw v0,120(s8) 0x80ad2df8 24420002 addiu v0,v0,2 0x80ad2dfc afc20078 sw v0,120(s8) 0x80ad2e00 97c2002c lhu v0,44(s8) 0x80ad2e04 2c421001 sltiu v0,v0,4097 0x80ad2e08 1440000d bnez v0,0x80ad2e40 0x80ad2e0c 00000000 nop 0x80ad2e10 97c20028 lhu v0,40(s8) 0x80ad2e14 3c0480f2 lui a0,0x80f2 0x80ad2e18 24846b04 addiu a0,a0,27396 0x80ad2e1c 3c0580f2 lui a1,0x80f2 0x80ad2e20 24a56a3c addiu a1,a1,27196 0x80ad2e24 24061fb8 li a2,8120 0x80ad2e28 00403825 move a3,v0 0x80ad2e2c 0c086611 jal printf 0x80ad2e30 00000000 nop 0x80ad2e34 2402fffe li v0,65534 0x80ad2e38 082b4c8b j 0x80ad322c 0x80ad2e3c 00000000 nop 0x80ad2e40 8fc20078 lw v0,120(s8) 0x80ad2e44 94420000 lhu v0,0(v0) 0x80ad2e48 a7c2002a sh v0,42(s8) 0x80ad2e4c 8fc20078 lw v0,120(s8) 0x80ad2e50 24420002 addiu v0,v0,2 0x80ad2e54 afc20078 sw v0,120(s8) 0x80ad2e58 
97c2002a lhu v0,42(s8) 0x80ad2e5c 2c42000a sltiu v0,v0,10 0x80ad2e60 1440000d bnez v0,0x80ad2e98 0x80ad2e64 00000000 nop 0x80ad2e68 97c2002a lhu v0,42(s8) 0x80ad2e6c 3c0480f2 lui a0,0x80f2 0x80ad2e70 24846b20 addiu a0,a0,27424 0x80ad2e74 3c0580f2 lui a1,0x80f2 0x80ad2e78 24a56a3c addiu a1,a1,27196 0x80ad2e7c 24061fc2 li a2,8130 0x80ad2e80 00403825 move a3,v0 0x80ad2e84 0c086611 jal printf 0x80ad2e88 00000000 nop 0x80ad2e8c 2402fffe li v0,65534 0x80ad2e90 082b4c8b j 0x80ad322c 0x80ad2e94 00000000 nop 0x80ad2e98 8fc20078 lw v0,120(s8) 0x80ad2e9c 2442000a addiu v0,v0,10 0x80ad2ea0 afc20078 sw v0,120(s8) 0x80ad2ea4 8fc30038 lw v1,56(s8) 0x80ad2ea8 00601025 move v0,v1 0x80ad2eac 00021040 sll v0,v0,1 0x80ad2eb0 00431021 addu v0,v0,v1 0x80ad2eb4 00021840 sll v1,v0,1 0x80ad2eb8 27c20040 addiu v0,s8,64 0x80ad2ebc 00431821 addu v1,v0,v1 0x80ad2ec0 97c2002c lhu v0,44(s8) 0x80ad2ec4 a4620000 sh v0,0(v1) 0x80ad2ec8 8fc30038 lw v1,56(s8) 0x80ad2ecc 00601025 move v0,v1 0x80ad2ed0 00021040 sll v0,v0,1 0x80ad2ed4 00431021 addu v0,v0,v1 0x80ad2ed8 00021840 sll v1,v0,1 0x80ad2edc 27c20044 addiu v0,s8,68 0x80ad2ee0 00431821 addu v1,v0,v1 0x80ad2ee4 97c2002a lhu v0,42(s8) 0x80ad2ee8 a4620000 sh v0,0(v1) 0x80ad2eec 8fc30038 lw v1,56(s8) 0x80ad2ef0 00601025 move v0,v1 0x80ad2ef4 00021040 sll v0,v0,1 0x80ad2ef8 00431021 addu v0,v0,v1 0x80ad2efc 00021840 sll v1,v0,1 0x80ad2f00 27c20042 addiu v0,s8,66 0x80ad2f04 00431821 addu v1,v0,v1 0x80ad2f08 97c20028 lhu v0,40(s8) 0x80ad2f0c a4620000 sh v0,0(v1) 0x80ad2f10 8fc20034 lw v0,52(s8) 0x80ad2f14 24420001 addiu v0,v0,1 0x80ad2f18 afc20034 sw v0,52(s8) 0x80ad2f1c 082b4b53 j 0x80ad2d4c 0x80ad2f20 00000000 nop 0x80ad2f24 97c30022 lhu v1,34(s8) 0x80ad2f28 3402ffff liu v0,0xffff 0x80ad2f2c 14620066 bne v1,v0,0x80ad30c8 0x80ad2f30 00000000 nop 0x80ad2f34 24020001 li v0,1 0x80ad2f38 a7c20024 sh v0,36(s8) 0x80ad2f3c 97c20024 lhu v0,36(s8) 0x80ad2f40 3c038131 lui v1,0x8131 0x80ad2f44 8c638b3c lw v1,35644(v1) 0x80ad2f48 0062102a slt v0,v1,v0 0x80ad2f4c 
10400003 beqz v0,0x80ad2f5c 0x80ad2f50 00000000 nop 0x80ad2f54 082b4c8a j 0x80ad3228 0x80ad2f58 00000000 nop 0x80ad2f5c 97c30024 lhu v1,36(s8) 0x80ad2f60 97c20026 lhu v0,38(s8) 0x80ad2f64 000210c0 sll v0,v0,3 0x80ad2f68 3042ffff andi v0,v0,0xffff 0x80ad2f6c 00602025 move a0,v1 0x80ad2f70 00402825 move a1,v0 0x80ad2f74 0c2b4a03 jal cfg_mod_set_olt_port_frame_gap 0x80ad2f78 00000000 nop 0x80ad2f7c afc00034 sw zero,52(s8) 0x80ad2f80 8fc20034 lw v0,52(s8) 0x80ad2f84 8fc30030 lw v1,48(s8) 0x80ad2f88 0043102b sltu v0,v0,v1 0x80ad2f8c 1440000f bnez v0,0x80ad2fcc 0x80ad2f90 00000000 nop 0x80ad2f94 97c20024 lhu v0,36(s8) 0x80ad2f98 2443ffff addiu v1,v0,65535 0x80ad2f9c 97c20026 lhu v0,38(s8) 0x80ad2fa0 000210c0 sll v0,v0,3 0x80ad2fa4 00002025 move a0,zero 0x80ad2fa8 00602825 move a1,v1 0x80ad2fac 00403025 move a2,v0 0x80ad2fb0 0c22be64 jal linecard_set_port_gap 0x80ad2fb4 00000000 nop 0x80ad2fb8 97c20024 lhu v0,36(s8) 0x80ad2fbc 24420001 addiu v0,v0,1 0x80ad2fc0 a7c20024 sh v0,36(s8) 0x80ad2fc4 082b4bcf j 0x80ad2f3c 0x80ad2fc8 00000000 nop 0x80ad2fcc 97c40024 lhu a0,36(s8) 0x80ad2fd0 8fc30034 lw v1,52(s8) 0x80ad2fd4 00601025 move v0,v1 0x80ad2fd8 00021040 sll v0,v0,1 0x80ad2fdc 00431021 addu v0,v0,v1 0x80ad2fe0 00021840 sll v1,v0,1 0x80ad2fe4 27c20040 addiu v0,s8,64 0x80ad2fe8 00431021 addu v0,v0,v1 0x80ad2fec 94450000 lhu a1,0(v0) 0x80ad2ff0 8fc30034 lw v1,52(s8) 0x80ad2ff4 00601025 move v0,v1 0x80ad2ff8 00021040 sll v0,v0,1 0x80ad2ffc 00431021 addu v0,v0,v1 0x80ad3000 00021840 sll v1,v0,1 0x80ad3004 27c20042 addiu v0,s8,66 0x80ad3008 00431021 addu v0,v0,v1 0x80ad300c 94460000 lhu a2,0(v0) 0x80ad3010 8fc30034 lw v1,52(s8) 0x80ad3014 00601025 move v0,v1 0x80ad3018 00021040 sll v0,v0,1 0x80ad301c 00431021 addu v0,v0,v1 0x80ad3020 00021840 sll v1,v0,1 0x80ad3024 27c20044 addiu v0,s8,68 0x80ad3028 00431021 addu v0,v0,v1 0x80ad302c 94420000 lhu v0,0(v0) 0x80ad3030 00403825 move a3,v0 0x80ad3034 0c2b4909 jal cfg_mod_set_olt_port_cosq_para 0x80ad3038 00000000 nop 0x80ad303c 
97c20024 lhu v0,36(s8) 0x80ad3040 2445ffff addiu a1,v0,65535 0x80ad3044 8fc30034 lw v1,52(s8) 0x80ad3048 00601025 move v0,v1 0x80ad304c 00021040 sll v0,v0,1 0x80ad3050 00431021 addu v0,v0,v1 0x80ad3054 00021840 sll v1,v0,1 0x80ad3058 27c20040 addiu v0,s8,64 0x80ad305c 00431021 addu v0,v0,v1 0x80ad3060 94460000 lhu a2,0(v0) 0x80ad3064 8fc30034 lw v1,52(s8) 0x80ad3068 00601025 move v0,v1 0x80ad306c 00021040 sll v0,v0,1 0x80ad3070 00431021 addu v0,v0,v1 0x80ad3074 00021840 sll v1,v0,1 0x80ad3078 27c20042 addiu v0,s8,66 0x80ad307c 00431021 addu v0,v0,v1 0x80ad3080 94470000 lhu a3,0(v0) 0x80ad3084 8fc30034 lw v1,52(s8) 0x80ad3088 00601025 move v0,v1 0x80ad308c 00021040 sll v0,v0,1 0x80ad3090 00431021 addu v0,v0,v1 0x80ad3094 00021840 sll v1,v0,1 0x80ad3098 27c20044 addiu v0,s8,68 0x80ad309c 00431021 addu v0,v0,v1 0x80ad30a0 94420000 lhu v0,0(v0) 0x80ad30a4 afa20010 sw v0,16(sp) 0x80ad30a8 00002025 move a0,zero 0x80ad30ac 0c22bf3f jal switch_port_qconfig_set 0x80ad30b0 00000000 nop 0x80ad30b4 8fc20034 lw v0,52(s8) 0x80ad30b8 24420001 addiu v0,v0,1 0x80ad30bc afc20034 sw v0,52(s8) 0x80ad30c0 082b4be0 j 0x80ad2f80 0x80ad30c4 00000000 nop 0x80ad30c8 97c30022 lhu v1,34(s8) 0x80ad30cc 97c20026 lhu v0,38(s8) 0x80ad30d0 000210c0 sll v0,v0,3 0x80ad30d4 3042ffff andi v0,v0,0xffff 0x80ad30d8 00602025 move a0,v1 0x80ad30dc 00402825 move a1,v0 0x80ad30e0 0c2b4a03 jal cfg_mod_set_olt_port_frame_gap 0x80ad30e4 00000000 nop 0x80ad30e8 afc00034 sw zero,52(s8) value = -2136133396 = 0x80ad30ec = olt_config_set_pon_cosq__config + 0x640 -> -> l ^@0x80ad30ec 8fc20034 lw v0,52(s8) 0x80ad30f0 8fc30030 lw v1,48(s8) 0x80ad30f4 0043102b sltu v0,v0,v1 0x80ad30f8 14400003 bnez v0,0x80ad3108 0x80ad30fc 00000000 nop 0x80ad3100 082b4c81 j 0x80ad3204 0x80ad3104 00000000 nop 0x80ad3108 97c40022 lhu a0,34(s8) 0x80ad310c 8fc30034 lw v1,52(s8) 0x80ad3110 00601025 move v0,v1 0x80ad3114 00021040 sll v0,v0,1 0x80ad3118 00431021 addu v0,v0,v1 0x80ad311c 00021840 sll v1,v0,1 0x80ad3120 27c20040 addiu v0,s8,64 
0x80ad3124 00431021 addu v0,v0,v1 0x80ad3128 94450000 lhu a1,0(v0) 0x80ad312c 8fc30034 lw v1,52(s8) 0x80ad3130 00601025 move v0,v1 0x80ad3134 00021040 sll v0,v0,1 0x80ad3138 00431021 addu v0,v0,v1 0x80ad313c 00021840 sll v1,v0,1 0x80ad3140 27c20042 addiu v0,s8,66 0x80ad3144 00431021 addu v0,v0,v1 0x80ad3148 94460000 lhu a2,0(v0) 0x80ad314c 8fc30034 lw v1,52(s8) 0x80ad3150 00601025 move v0,v1 0x80ad3154 00021040 sll v0,v0,1 0x80ad3158 00431021 addu v0,v0,v1 0x80ad315c 00021840 sll v1,v0,1 0x80ad3160 27c20044 addiu v0,s8,68 0x80ad3164 00431021 addu v0,v0,v1 0x80ad3168 94420000 lhu v0,0(v0) 0x80ad316c 00403825 move a3,v0 0x80ad3170 0c2b4909 jal cfg_mod_set_olt_port_cosq_para 0x80ad3174 00000000 nop 0x80ad3178 97c20022 lhu v0,34(s8) 0x80ad317c 2445ffff addiu a1,v0,65535 0x80ad3180 8fc30034 lw v1,52(s8) 0x80ad3184 00601025 move v0,v1 0x80ad3188 00021040 sll v0,v0,1 0x80ad318c 00431021 addu v0,v0,v1 0x80ad3190 00021840 sll v1,v0,1 0x80ad3194 27c20040 addiu v0,s8,64 0x80ad3198 00431021 addu v0,v0,v1 0x80ad319c 94460000 lhu a2,0(v0) 0x80ad31a0 8fc30034 lw v1,52(s8) 0x80ad31a4 00601025 move v0,v1 0x80ad31a8 00021040 sll v0,v0,1 0x80ad31ac 00431021 addu v0,v0,v1 0x80ad31b0 00021840 sll v1,v0,1 0x80ad31b4 27c20042 addiu v0,s8,66 0x80ad31b8 00431021 addu v0,v0,v1 0x80ad31bc 94470000 lhu a3,0(v0) 0x80ad31c0 8fc30034 lw v1,52(s8) 0x80ad31c4 00601025 move v0,v1 0x80ad31c8 00021040 sll v0,v0,1 0x80ad31cc 00431021 addu v0,v0,v1 0x80ad31d0 00021840 sll v1,v0,1 0x80ad31d4 27c20044 addiu v0,s8,68 0x80ad31d8 00431021 addu v0,v0,v1 0x80ad31dc 94420000 lhu v0,0(v0) 0x80ad31e0 afa20010 sw v0,16(sp) 0x80ad31e4 00002025 move a0,zero 0x80ad31e8 0c22bf3f jal switch_port_qconfig_set 0x80ad31ec 00000000 nop 0x80ad31f0 8fc20034 lw v0,52(s8) //触发异常的指令,将s8+52的值加载到v0 //推导s8压栈到0x4c31d440,值为1,s8+52为0x35,与BADVADDR异常地址一致 0x80ad31f4 24420001 addiu v0,v0,1 0x80ad31f8 afc20034 sw v0,52(s8) 0x80ad31fc 082b4c3b j 0x80ad30ec 0x80ad3200 00000000 nop 0x80ad3204 97c20022 lhu v0,34(s8) 0x80ad3208 2443ffff addiu 
v1,v0,65535 0x80ad320c 97c20026 lhu v0,38(s8) 0x80ad3210 000210c0 sll v0,v0,3 0x80ad3214 00002025 move a0,zero 0x80ad3218 00602825 move a1,v1 0x80ad321c 00403025 move a2,v0 0x80ad3220 0c22be64 jal linecard_set_port_gap 0x80ad3224 00000000 nop 0x80ad3228 00001025 move v0,zero 0x80ad322c 03c0e825 move sp,s8 0x80ad3230 8fbf0074 lw ra,116(sp) 0x80ad3234 8fbe0070 lw s8,112(sp) 0x80ad3238 27bd0078 addiu sp,sp,120 0x80ad323c 03e00008 jr ra 0x80ad3240 00000000 nop 0x80ad3244 00000000 nop 0x80ad3248 00000000 nop 0x80ad324c 00000000 nop
触发异常的指令为switch_port_qconfig_set函数返回后的第一条指令,尝试从s8+52取值,而s8在olt_config_set_pon_cosq__config函数中是被作为frame pointer使用的,其值应等于sp,但是从栈数据中看s8值为1,有理由怀疑s8的值在switch_port_qconfig_set调用过程中被改写。
反汇编switch_port_qconfig_set函数,函数入口压栈s8到sp+48,即0x4c31d440地址处,其值为1。
-> l switch_port_qconfig_set,500 ^@ switch_port_qconfig_set: 0x808afcfc 27bdffc8 addiu sp,sp,65480(-56) //调用时sp为0x4c31d448,当前函数sp为sp-56为0x4c31d410 0x808afd00 afbf0034 sw ra,52(sp) 0x808afd04 afbe0030 sw s8,48(sp) //s8压栈到sp+48,即0x4c31d440地址处 0x808afd08 03a0f025 move s8,sp 0x808afd0c afc40038 sw a0,56(s8) 0x808afd10 afc5003c sw a1,60(s8) 0x808afd14 afc60040 sw a2,64(s8) 0x808afd18 afc70044 sw a3,68(s8) 0x808afd1c afc00018 sw zero,24(s8) 0x808afd20 24020030 li v0,48 0x808afd24 afc2001c sw v0,28(s8) 0x808afd28 afc00020 sw zero,32(s8) 0x808afd2c afc00024 sw zero,36(s8) 0x808afd30 afc00028 sw zero,40(s8) 0x808afd34 8fc20044 lw v0,68(s8) 0x808afd38 04410004 bgez v0,0x808afd4c 0x808afd3c 00000000 nop 0x808afd40 2402ffff li v0,65535 0x808afd44 0822c05f j 0x808b017c 0x808afd48 00000000 nop 0x808afd4c 8fc20044 lw v0,68(s8) 0x808afd50 28421001 slti v0,v0,4097 0x808afd54 14400003 bnez v0,0x808afd64 0x808afd58 00000000 nop 0x808afd5c 24021000 li v0,4096 0x808afd60 afc20044 sw v0,68(s8) 0x808afd64 8fc20048 lw v0,72(s8) 0x808afd68 04400007 bltz v0,0x808afd88 0x808afd6c 00000000 nop 0x808afd70 8fc20048 lw v0,72(s8) 0x808afd74 2842000a slti v0,v0,10 0x808afd78 10400003 beqz v0,0x808afd88 0x808afd7c 00000000 nop 0x808afd80 0822bf65 j 0x808afd94 0x808afd84 00000000 nop 0x808afd88 2402ffff li v0,65535 0x808afd8c 0822c05f j 0x808b017c 0x808afd90 00000000 nop 0x808afd94 0c22d29a jal linecard_pon_port_begin 0x808afd98 00000000 nop 0x808afd9c 8fc3003c lw v1,60(s8) 0x808afda0 0062102a slt v0,v1,v0 0x808afda4 14400009 bnez v0,0x808afdcc 0x808afda8 00000000 nop 0x808afdac 0c22d2a3 jal linecard_pon_port_end 0x808afdb0 00000000 nop 0x808afdb4 8fc3003c lw v1,60(s8) 0x808afdb8 0043102a slt v0,v0,v1 0x808afdbc 14400003 bnez v0,0x808afdcc 0x808afdc0 00000000 nop 0x808afdc4 0822bf76 j 0x808afdd8 0x808afdc8 00000000 nop 0x808afdcc 2402ffff li v0,65535 0x808afdd0 0822c05f j 0x808b017c 0x808afdd4 00000000 nop 0x808afdd8 8fc4003c lw a0,60(s8) 0x808afddc 0c226f4b jal switch_oldport_to_newport 0x808afde0 
00000000 nop 0x808afde4 afc20018 sw v0,24(s8) 0x808afde8 27c20020 addiu v0,s8,32 0x808afdec 8fc40038 lw a0,56(s8) 0x808afdf0 00402825 move a1,v0 0x808afdf4 0c0d1366 jal bcm_cosq_config_get 0x808afdf8 00000000 nop 0x808afdfc afc2002c sw v0,44(s8) 0x808afe00 8fc2002c lw v0,44(s8) 0x808afe04 04410004 bgez v0,0x808afe18 0x808afe08 00000000 nop 0x808afe0c 8fc2002c lw v0,44(s8) 0x808afe10 0822c05f j 0x808b017c 0x808afe14 00000000 nop 0x808afe18 8fc20018 lw v0,24(s8) 0x808afe1c 2443ffff addiu v1,v0,65535 0x808afe20 8fc20020 lw v0,32(s8) 0x808afe24 00620018 mult v1,v0 0x808afe28 00001812 mflo v1 0x808afe2c 8fc2001c lw v0,28(s8) 0x808afe30 00621821 addu v1,v1,v0 0x808afe34 8fc20040 lw v0,64(s8) 0x808afe38 00621021 addu v0,v1,v0 0x808afe3c afc20024 sw v0,36(s8) 0x808afe40 27c20028 addiu v0,s8,40 0x808afe44 afa20010 sw v0,16(sp) 0x808afe48 8fc40038 lw a0,56(s8) 0x808afe4c 2405059a li a1,1434 0x808afe50 2406ffff li a2,65535 0x808afe54 8fc70024 lw a3,36(s8) 0x808afe58 0c130314 jal soc_mem_read 0x808afe5c 00000000 nop 0x808afe60 afc2002c sw v0,44(s8) 0x808afe64 8fc2002c lw v0,44(s8) 0x808afe68 04410004 bgez v0,0x808afe7c 0x808afe6c 00000000 nop 0x808afe70 8fc2002c lw v0,44(s8) 0x808afe74 0822c05f j 0x808b017c 0x808afe78 00000000 nop 0x808afe7c 8fc30040 lw v1,64(s8) 0x808afe80 00601025 move v0,v1 0x808afe84 00021040 sll v0,v0,1 0x808afe88 00431021 addu v0,v0,v1 0x808afe8c 00022080 sll a0,v0,2 0x808afe90 8fc3003c lw v1,60(s8) 0x808afe94 00601025 move v0,v1 0x808afe98 00021040 sll v0,v0,1 0x808afe9c 00431021 addu v0,v0,v1 0x808afea0 00021140 sll v0,v0,5 0x808afea4 00821821 addu v1,a0,v0 0x808afea8 3c02822b lui v0,0x822b 0x808afeac 24428a4c addiu v0,v0,35404 0x808afeb0 00431021 addu v0,v0,v1 0x808afeb4 8c420000 lw v0,0(v0) 0x808afeb8 14400040 bnez v0,0x808affbc 0x808afebc 00000000 nop 0x808afec0 27c20028 addiu v0,s8,40 0x808afec4 8fc40038 lw a0,56(s8) 0x808afec8 2405059a li a1,1434 0x808afecc 00403025 move a2,v0 0x808afed0 240740df li a3,16607 0x808afed4 0c1282ea jal 
soc_mem_field32_get 0x808afed8 00000000 nop 0x808afedc 00402825 move a1,v0 0x808afee0 8fc30040 lw v1,64(s8) 0x808afee4 00601025 move v0,v1 0x808afee8 00021040 sll v0,v0,1 0x808afeec 00431021 addu v0,v0,v1 0x808afef0 00022080 sll a0,v0,2 0x808afef4 8fc3003c lw v1,60(s8) 0x808afef8 00601025 move v0,v1 0x808afefc 00021040 sll v0,v0,1 0x808aff00 00431021 addu v0,v0,v1 0x808aff04 00021140 sll v0,v0,5 0x808aff08 00821821 addu v1,a0,v0 0x808aff0c 3c02822b lui v0,0x822b 0x808aff10 24428a50 addiu v0,v0,35408 0x808aff14 00431021 addu v0,v0,v1 0x808aff18 ac450000 sw a1,0(v0) 0x808aff1c 27c20028 addiu v0,s8,40 0x808aff20 8fc40038 lw a0,56(s8) 0x808aff24 2405059a li a1,1434 0x808aff28 00403025 move a2,v0 0x808aff2c 24074106 li a3,16646 0x808aff30 0c1282ea jal soc_mem_field32_get 0x808aff34 00000000 nop 0x808aff38 00402825 move a1,v0 0x808aff3c 8fc30040 lw v1,64(s8) 0x808aff40 00601025 move v0,v1 0x808aff44 00021040 sll v0,v0,1 0x808aff48 00431021 addu v0,v0,v1 0x808aff4c 00022080 sll a0,v0,2 0x808aff50 8fc3003c lw v1,60(s8) 0x808aff54 00601025 move v0,v1 0x808aff58 00021040 sll v0,v0,1 0x808aff5c 00431021 addu v0,v0,v1 0x808aff60 00021140 sll v0,v0,5 0x808aff64 00821021 addu v0,a0,v0 0x808aff68 24430008 addiu v1,v0,8 0x808aff6c 3c02822b lui v0,0x822b 0x808aff70 24428a4c addiu v0,v0,35404 0x808aff74 00431021 addu v0,v0,v1 0x808aff78 ac450000 sw a1,0(v0) 0x808aff7c 8fc30040 lw v1,64(s8) 0x808aff80 00601025 move v0,v1 0x808aff84 00021040 sll v0,v0,1 0x808aff88 00431021 addu v0,v0,v1 0x808aff8c 00022080 sll a0,v0,2 0x808aff90 8fc3003c lw v1,60(s8) 0x808aff94 00601025 move v0,v1 0x808aff98 00021040 sll v0,v0,1 0x808aff9c 00431021 addu v0,v0,v1 0x808affa0 00021140 sll v0,v0,5 0x808affa4 00821821 addu v1,a0,v0 0x808affa8 3c02822b lui v0,0x822b 0x808affac 24428a4c addiu v0,v0,35404 0x808affb0 00431821 addu v1,v0,v1 0x808affb4 24020001 li v0,1 0x808affb8 ac620000 sw v0,0(v1) 0x808affbc 8fc20044 lw v0,68(s8) 0x808affc0 14400045 bnez v0,0x808b00d8 0x808affc4 00000000 nop 0x808affc8 
8fc20048 lw v0,72(s8) 0x808affcc 14400042 bnez v0,0x808b00d8 0x808affd0 00000000 nop 0x808affd4 8fc30040 lw v1,64(s8) 0x808affd8 00601025 move v0,v1 0x808affdc 00021040 sll v0,v0,1 0x808affe0 00431021 addu v0,v0,v1 0x808affe4 00022080 sll a0,v0,2 0x808affe8 8fc3003c lw v1,60(s8) 0x808affec 00601025 move v0,v1 0x808afff0 00021040 sll v0,v0,1 0x808afff4 00431021 addu v0,v0,v1 0x808afff8 00021140 sll v0,v0,5 0x808afffc 00821821 addu v1,a0,v0 0x808b0000 3c02822b lui v0,0x822b 0x808b0004 24428a4c addiu v0,v0,35404 0x808b0008 00431021 addu v0,v0,v1 0x808b000c 8c430000 lw v1,0(v0) 0x808b0010 24020001 li v0,1 0x808b0014 14620030 bne v1,v0,0x808b00d8 0x808b0018 00000000 nop 0x808b001c 27c60028 addiu a2,s8,40 0x808b0020 8fc30040 lw v1,64(s8) 0x808b0024 00601025 move v0,v1 0x808b0028 00021040 sll v0,v0,1 0x808b002c 00431021 addu v0,v0,v1 0x808b0030 00022080 sll a0,v0,2 0x808b0034 8fc3003c lw v1,60(s8) 0x808b0038 00601025 move v0,v1 0x808b003c 00021040 sll v0,v0,1 0x808b0040 00431021 addu v0,v0,v1 0x808b0044 00021140 sll v0,v0,5 0x808b0048 00821821 addu v1,a0,v0 0x808b004c 3c02822b lui v0,0x822b 0x808b0050 24428a50 addiu v0,v0,35408 0x808b0054 00431021 addu v0,v0,v1 0x808b0058 8c420000 lw v0,0(v0) 0x808b005c afa20010 sw v0,16(sp) 0x808b0060 8fc40038 lw a0,56(s8) 0x808b0064 2405059a li a1,1434 0x808b0068 240740df li a3,16607 0x808b006c 0c128311 jal soc_mem_field32_set 0x808b0070 00000000 nop 0x808b0074 27c60028 addiu a2,s8,40 0x808b0078 8fc30040 lw v1,64(s8) 0x808b007c 00601025 move v0,v1 0x808b0080 00021040 sll v0,v0,1 0x808b0084 00431021 addu v0,v0,v1 0x808b0088 00022080 sll a0,v0,2 0x808b008c 8fc3003c lw v1,60(s8) 0x808b0090 00601025 move v0,v1 0x808b0094 00021040 sll v0,v0,1 0x808b0098 00431021 addu v0,v0,v1 0x808b009c 00021140 sll v0,v0,5 0x808b00a0 00821021 addu v0,a0,v0 0x808b00a4 24430008 addiu v1,v0,8 0x808b00a8 3c02822b lui v0,0x822b 0x808b00ac 24428a4c addiu v0,v0,35404 0x808b00b0 00431021 addu v0,v0,v1 0x808b00b4 8c420000 lw v0,0(v0) 0x808b00b8 afa20010 sw v0,16(sp) 
0x808b00bc 8fc40038 lw a0,56(s8) 0x808b00c0 2405059a li a1,1434 0x808b00c4 24074106 li a3,16646 0x808b00c8 0c128311 jal soc_mem_field32_set 0x808b00cc 00000000 nop 0x808b00d0 0822c04e j 0x808b0138 0x808b00d4 00000000 nop 0x808b00d8 8fc20044 lw v0,68(s8) 0x808b00dc 10400016 beqz v0,0x808b0138 0x808b00e0 00000000 nop 0x808b00e4 8fc20048 lw v0,72(s8) 0x808b00e8 10400013 beqz v0,0x808b0138 0x808b00ec 00000000 nop 0x808b00f0 27c30028 addiu v1,s8,40 0x808b00f4 8fc20044 lw v0,68(s8) 0x808b00f8 afa20010 sw v0,16(sp) 0x808b00fc 8fc40038 lw a0,56(s8) 0x808b0100 2405059a li a1,1434 0x808b0104 00603025 move a2,v1 0x808b0108 240740df li a3,16607 0x808b010c 0c128311 jal soc_mem_field32_set 0x808b0110 00000000 nop 0x808b0114 27c30028 addiu v1,s8,40 0x808b0118 8fc20048 lw v0,72(s8) 0x808b011c afa20010 sw v0,16(sp) 0x808b0120 8fc40038 lw a0,56(s8) 0x808b0124 2405059a li a1,1434 0x808b0128 00603025 move a2,v1 0x808b012c 24074106 li a3,16646 0x808b0130 0c128311 jal soc_mem_field32_set 0x808b0134 00000000 nop 0x808b0138 00000000 nop 0x808b013c 27c20028 addiu v0,s8,40 0x808b0140 afa20010 sw v0,16(sp) 0x808b0144 8fc40038 lw a0,56(s8) 0x808b0148 2405059a li a1,1434 0x808b014c 2406ffff li a2,65535 0x808b0150 8fc70024 lw a3,36(s8) 0x808b0154 0c1306bb jal soc_mem_write 0x808b0158 00000000 nop 0x808b015c afc2002c sw v0,44(s8) 0x808b0160 8fc2002c lw v0,44(s8) 0x808b0164 04410004 bgez v0,0x808b0178 0x808b0168 00000000 nop 0x808b016c 8fc2002c lw v0,44(s8) 0x808b0170 0822c05f j 0x808b017c 0x808b0174 00000000 nop 0x808b0178 00001025 move v0,zero 0x808b017c 03c0e825 move sp,s8 0x808b0180 8fbf0034 lw ra,52(sp) 0x808b0184 8fbe0030 lw s8,48(sp) 0x808b0188 27bd0038 addiu sp,sp,56 0x808b018c 03e00008 jr ra 0x808b0190 00000000 nop
为了证实上述猜测,在switch_port_qconfig_set函数调用前后设置断点,复现问题,打印调用前后的栈数据进行对比。
0x4c31d440地址数据从0x4c31d448改写为1;对比前后栈数据,被改写的字看起来并不连续,当时据此判断不是栈溢出导致。(事后看这个判断是错的:后文证实越界写是从s8+40开始连续覆盖12字节的,只是中间的s8+44是返回值变量,soc_mem_read返回后立刻被`sw v0,44(s8)`重新赋值,所以前后快照对比时显示为“不连续”。仅凭调用前后的栈快照判断覆盖是否连续并不可靠。)
依次推导switch_port_qconfig_set函数中调用的函数,发现交换SDK接口函数中,并没有将s8寄存器用作frame pointer,而是当作通用寄存器使用。
-> l soc_mem_read,200 soc_mem_read: 0x804c0c50 27bdff70 addiu sp,sp,65392(-144) 0x804c0c54 afb20080 sw s2,128(sp) 0x804c0c58 00809021 move s2,a0 0x804c0c5c 00121080 sll v0,s2,2 0x804c0c60 3c0381d5 lui v1,0x81d5 0x804c0c64 00621821 addu v1,v1,v0 0x804c0c68 8c633e30 lw v1,15920(v1) 0x804c0c6c afb40088 sw s4,136(sp) //交换SDK接口函数中使用sp压栈,而不是s8寄存器 0x804c0c70 afb1007c sw s1,124(sp) 0x804c0c74 afb00078 sw s0,120(sp) 0x804c0c78 afbf008c sw ra,140(sp) 0x804c0c7c afb30084 sw s3,132(sp) 0x804c0c80 8c620010 lw v0,16(v1) 0x804c0c84 00c08021 move s0,a2 0x804c0c88 00e08821 move s1,a3 0x804c0c8c 1440005e bnez v0,0x804c0e08 0x804c0c90 8fb400a0 lw s4,160(sp) 0x804c0c94 8c620014 lw v0,20(v1) 0x804c0c98 3c035000 lui v1,0x5000 0x804c0c9c 00431024 and v0,v0,v1 0x804c0ca0 10400059 beqz v0,0x804c0e08 0x804c0ca4 24020111 li v0,273 0x804c0ca8 54a20058 bnel a1,v0,0x804c0e0c 0x804c0cac 02402021 move a0,s2 0x804c0cb0 24050001 li a1,1 0x804c0cb4 0c1a467c jal soc_trident_pipe_select 0x804c0cb8 24060001 li a2,1 0x804c0cbc 27b30018 addiu s3,sp,24 0x804c0cc0 02402021 move a0,s2 0x804c0cc4 24050111 li a1,273 0x804c0cc8 02003021 move a2,s0 0x804c0ccc 02203821 move a3,s1 0x804c0cd0 0c13002b jal _soc_mem_read
查阅资料发现MIPS32中r30寄存器既可以作为s8通用寄存器使用,也可以作为fp栈底指针寄存器使用。
进一步排查发现上层代码编译选项为:-g -G 0 -mno-branch-likely -mips2 -EB -fno-builtin -DMIPSEB -DSOFT_FLOAT -msoft-float;交换库编译选项为:-O2 -c -fno-builtin -g -mips2 -msoft-float -o 0。当编译选项指定优化级别为-O2时,就会将r30寄存器作为通用寄存器s8使用,而不是fp栈底指针寄存器。该选项与GCC编译器的-fomit-frame-pointer作用类似。
到这里,似乎根本原因已经查明了,但是去掉-O2编译选项重新编译交换SDK库之后,任务挂死现象依旧,正所谓“猜中了开始,没有猜中结局”!!!(回头看,这个方向本身就解释不通:在MIPS o32 ABI中r30/s8属于被调用者保存寄存器,SDK函数即使把它当通用寄存器使用,也必须在入口保存、返回前恢复,影响的只是寄存器本身,不会改写调用者栈上保存的s8副本。)怎么解,继续反汇编定位,通过单步调试发现更改s8压栈内容的指令:
-> s cmd_process //单步执行cmd_process任务 ^@value = 0 = 0x0 -> $0 = 0 t0 = 1000fc01 s0 = 0 t8 = 0 at = 1 t1 = 1 s1 = 0 t9 = 50 v0 = 4c315fe4 t2 = 4 s2 = 0 k0 = 0 v1 = 4c315d88 t3 = 1 s3 = 0 k1 = 0 a0 = 4c315d7c t4 = 4c315fe4 s4 = 0 gp = 81789c20 a1 = 4c315fd8 t5 = 0 s5 = 0 sp = 4c315d40 a2 = c t6 = 2a4 s6 = 0 s8 = 4c315fd8 a3 = 4c315fe0 t7 = 0 s7 = 0 ra = 801f0ef8 divlo = 38 divhi = 0 sr = 1000fc01 pc = 80146b20 0x80146b20 1020fffb beqz at,0x80186b10 //下一条待执行指令,如果at寄存器值为0,则跳转到0x80186b10
查看s8压栈地址的数据,0x4c315fe0地址值为0x4c315fe8
d 0x4c315fb0,100,4 ^@4c315fb0: 00000000 0000059a ffffffff 00000038 *...............8* 4c315fc0: 4c315fd8 00000050 00000002 00000030 *L1_....P.......0* 4c315fd0: 00000008 00000038 00240009 d0000930 *.......8.$.....0* 4c315fe0: 4c315fe8 80ebb650 00000000 00000000 *L1_....P........* 4c315ff0: 00000000 000000aa 00000007 4c316000 *............L1`.* 4c316000: 1d772ae9 00000000 000d0001 00000000 *.w*.............* 4c316010: 00000000 00070000 00000008 00000000 *................* 4c316020: 00000007 00000000 000000aa 00070001 *................* 4c316030: 00000000 00020000 00000003 00000000 *................* 4c316040: 00040000 00000005 00000000 00060000 *................* 4c316050: 00000007 00000000 4c316060 81042da4 *........L1``..-.* 4c316060: 87aa2bad 000000a8 000000b1 00000000 *..+.............* 4c316070: 00000000 00000000 00a84083 87aa2ab0 *..........@...*.* 4c316080: 4d3e8060 4d3e8030 00000000 00000000 *M>.`M>.0........* 4c316090: 1d7760a0 810426c8 4c3160a0 81042ad8 *.w`...&.L1`...*.* 4c3160a0: 87aa2ab0 87aa2b05 0300eeee eeeeeeee *..*...+.........* 4c3160b0: 4c3160b8 eeeeeeee eeeeeeee eeeeeeee *L1`.............* 4c3160c0: 000058e0 00f800a8 4083eeee 87aa2b05 *..X.....@.....+.* 4c3160d0: 87aa2ab0 00000000 00000000 f8000000 *..*.............* 4c3160e0: 00000055 00000000 4c3160f0 81041304 *...U....L1`.....* 4c3160f0: 87aa2ab0 00000000 eeeeeeee eeeeeeee *..*.............* 4c316100: 81040100 87aa2ab0 00000e10 eeeeeeee *......*.........* 4c316110: 00000000 8013870c 00000000 00000000 *................* 4c316120: 00000000 00000000 00000000 00000000 *................* 4c316130: 00000000 00000000 00000000 00000000 *................* value = 21 = 0x15
继续单步执行
-> s cmd_process ^@value = 0 = 0x0 -> $0 = 0 t0 = 1000fc01 s0 = 0 t8 = 0 at = 1 t1 = 1 s1 = 0 t9 = 50 v0 = 4c315fe4 t2 = 4 s2 = 0 k0 = 0 v1 = 4c315d88 t3 = 1 s3 = 0 k1 = 0 a0 = 4c315d7c t4 = 4c315fe4 s4 = 0 gp = 81789c20 a1 = 4c315fd8 t5 = 0 s5 = 0 sp = 4c315d40 a2 = c t6 = 2a4 s6 = 0 s8 = 4c315fd8 a3 = 4c315fe0 t7 = 0 s7 = 0 ra = 801f0ef8 divlo = 38 divhi = 0 sr = 1000fc01 pc = 80146b28 0x80146b28 01802825 move a1,t4
查看栈数据,发现s8压栈地址值被改为1
d 0x4c315fb0,100,4 ^@4c315fb0: 00000000 0000059a ffffffff 00000038 *...............8* 4c315fc0: 4c315fd8 00000050 00000002 00000030 *L1_....P.......0* 4c315fd0: 00000008 00000038 00240009 d0000930 *.......8.$.....0* 4c315fe0: 00000001 80ebb650 00000000 00000000 *.......P........* 4c315ff0: 00000000 000000aa 00000007 4c316000 *............L1`.* 4c316000: 1d772ae9 00000000 000d0001 00000000 *.w*.............* 4c316010: 00000000 00070000 00000008 00000000 *................* 4c316020: 00000007 00000000 000000aa 00070001 *................* 4c316030: 00000000 00020000 00000003 00000000 *................* 4c316040: 00040000 00000005 00000000 00060000 *................* 4c316050: 00000007 00000000 4c316060 81042da4 *........L1``..-.* 4c316060: 87aa2bad 000000a8 000000b1 00000000 *..+.............* 4c316070: 00000000 00000000 00a84083 87aa2ab0 *..........@...*.* 4c316080: 4d3e8060 4d3e8030 00000000 00000000 *M>.`M>.0........* 4c316090: 1d7760a0 810426c8 4c3160a0 81042ad8 *.w`...&.L1`...*.* 4c3160a0: 87aa2ab0 87aa2b05 0300eeee eeeeeeee *..*...+.........* 4c3160b0: 4c3160b8 eeeeeeee eeeeeeee eeeeeeee *L1`.............* 4c3160c0: 000058e0 00f800a8 4083eeee 87aa2b05 *..X.....@.....+.* 4c3160d0: 87aa2ab0 00000000 00000000 f8000000 *..*.............* 4c3160e0: 00000055 00000000 4c3160f0 81041304 *...U....L1`.....* 4c3160f0: 87aa2ab0 00000000 eeeeeeee eeeeeeee *..*.............* 4c316100: 81040100 87aa2ab0 00000e10 eeeeeeee *......*.........* 4c316110: 00000000 8013870c 00000000 00000000 *................* 4c316120: 00000000 00000000 00000000 00000000 *................* 4c316130: 00000000 00000000 00000000 00000000 *................* value = 21 = 0x15
仔细查看上一条执行指令所在汇编代码,篡改s8压栈地址数据的指令为sw t1,-4(t4)
-> l 0x80146b20,10 ^@0x80146b20 1020fffb beqz at,0x80186b10 //beqz分支指令,其后一条指令位于延迟槽,无论分支是否跳转都会被执行;未优化代码通常在延迟槽填nop,而bcopy这类优化过的汇编会把有效指令放进延迟槽 0x80146b24 ad89fffc sw t1,65532(t4) //实际改写s8压栈地址的指令为这一条处于beqz延迟槽位置的指令,偏移65532即0xfffc=-4,将t1寄存器值(1)写入t4-4地址处(0x4c315fe4-4=0x4c315fe0),与实际现象相符 0x80146b28 01802825 move a1,t4 0x80146b2c 00602025 move a0,v1 0x80146b30 00a2082b sltu at,a1,v0 0x80146b34 10200063 beqz at,0x80146cc4 0x80146b38 00000000 nop 0x80146b3c 24a50001 addiu a1,a1,1 0x80146b40 908a0000 lbu t2,0(a0) 0x80146b44 00a2082b sltu at,a1,v0 value = -2146145464 = 0x80146b48 = bcopy + 0x98 //篡改位置位于bcopy()函数中
找到了篡改指令,那么,是bcopy()函数的bug吗?根据栈反推bcopy(s,d,l)的入参发现,l值为0xc,即12字节
4c3161e0: 00000000 00000000 00000000 00000000 *................* 4c3161f0: 00000000 00000000 00000001 00000002 *................* 4c316200: 00000000 eeeeeeee eeeeeeee 00000000 *................* 4c316210: 00000000 00000000 00000000 00000000 *................* 4c316220: 00000000 00000000 00000000 00000000 *................* 4c316230: 00000000 00000000 00000000 00000000 *................* 4c316240: 00000000 00000000 0000eeee eeeeeeee *................* 4c316 50: eeeeeeee eeeeeeee eeeeeeee eeeeeeee *................* 4c316260: eeeeeeee eeeeeeee 1000fc01 80146b08 *..............k.* 4c316270: 00000038 00000000 00000000 00000001 *...8............* 4c316280: 4c315fe4 4c315d7c 4c315d7c 4c315fd8 *L1_.L1]|L1]|L1_.* //source, destine 4c316290: 0000000c 00000004 1000fc01 1000fc00 *................* //length 4c3162a0: 00000004 00000001 00000000 00000000 *................* 4c3162b0: 000002a4 00000000 00000000 00000000 *................* 4c3162c0: 00000000 00000000 00000000 00000000 *................* value = 21 = 0x15
而最开始代码中thdo_qconfig_cell_entry局部变量为uint32型(4字节)变量,而soc_mem_read是按该表项的实际宽度(此处为12字节)整体拷贝到调用者提供的缓冲区的,因此,该问题是bcopy()拷贝越界——一个典型的栈缓冲区溢出:从s8+40起的12字节依次覆盖了返回值变量(s8+44)和保存的s8(s8+48);如果表项再宽4字节,就会覆盖s8+52处保存的ra,变成返回地址被改写。修改为thdo_qconfig_cell_entry[SOC_MAX_MEM_WORDS]数组(按SDK要求的最大表项字数分配)解决!同样的检查应推广到所有向交换SDK传入表项缓冲区的调用点;而编译选项/-O2与fp的方向属于误判,去掉-O2并不能掩盖这个越界写。