[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MiNT] Corruption of high TPA

To: mint <mint@fishpool.com>
Subject: Re: [MiNT] Corruption of high TPA
From: Vincent Rivière <vincent.riviere@freesbee.fr>
Date: Thu, 11 Jun 2009 14:53:29 +0200
In-reply-to: <4A2F7B9F.3010100@freesbee.fr>
List-help: <mailto:ecartis@lists.fishpool.fi?Subject=help>
List-id: <mint.lists.fishpool.fi>
List-owner: <mailto:tjhukkan@fishpool.fi>
List-post: <mailto:mint@lists.fishpool.fi>
List-subscribe: <mailto:mint-request@lists.fishpool.fi?Subject=subscribe>
List-unsubscribe: <mailto:mint-request@lists.fishpool.fi?Subject=unsubscribe>
References: <4A2ED03D.1090600@freesbee.fr> <alpine.BSF.2.00.0906101033540.29737@antyk.ibi.uw.edu.pl> <4A2F7B9F.3010100@freesbee.fr>
Sender: mint-bounce@lists.fishpool.fi
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Vincent Rivière wrote:

Konrad M. Kokoszkiewicz wrote :
Is memory protection enabled in your setup? If so, setting the sp atthe end of the TPA will, IIRC, cause the program to crash at thenearest system call. This is so because the kernel entry code copiessimilar amount of bytes from the user stack to the supervisor stack.Because it does not know, how many bytes it should copy, it alwayscopies the maximum amount, and there are kludges in the kernel to fixthe sp at the correct value, when the program starts, but if you setit "manually", it will not work.
Thanks for your hints.
I have made further tests, this problem occurs only in ARAnyM + EmuTOS,even on the EmuTOS early console. So it is unrelated to the MiNT kernel,AUTO folder, AES or accessories.


Hello, Konrad.

Finally, you were totally right !

I have been fooled because there was the same bug in the FreeMiNT kernel andin EmuTOS.


Thanks to Petr Stehlik and Thomas Huth, EmuTOS has been fixed yesterday.

Now about the FreeMiNT kernel. The problem becomes visible only when memoryprotection is enabled.


From sys/arch/syscall.S:
#ifdef NEW_SYSCALL
	move.w (a1),d1
	cmp.w	_dos_max,d1
	bcc	gemdos
// offset 0 is func pointer, 4 is nr of args, 6 is their size
nospr:	move.w	6(a5,d1.w*8),d1		// fetch size in bytes
	lsr.w	#1,d1			// we need size in words
cparg:	move.w	(a1,d1.w*2),-(sp)
	dbra.w	d1,cparg
#else
	move.l	32(a1),-(sp)		// a1 was set by build_context
	move.l	28(a1),-(sp)
	move.l	24(a1),-(sp)
	move.l	20(a1),-(sp)
	move.l	16(a1),-(sp)
	move.l	12(a1),-(sp)
	move.l	8(a1),-(sp)
	move.l	4(a1),-(sp)
	move.l	(a1),-(sp)
#endif

I guess NEW_SYSCALL is not currently used.

On every TRAP #1, 36 bytes are unconditionally read from the user stack. Sowhen the user stack is at the very top of the TPA, this code tries to readthe memory after the TPA, it is illegal and it crashes with memoryprotection. I'm "happy" to see that we encounter again the magical "36"value I found by experimental tests.


Is there a reason for not using that NEW_SYSCALL stuff ? It seems a lot cleaner.

I'm not going to change the kernel (but it should be done).

I will provide a patch for the MiNTLib as a workaround.

--
Vincent Rivière

Follow-Ups:
- Re: [MiNT] Corruption of high TPA
  - From: Alan Hourihane <alanh@fairlite.co.uk>

References:
- [MiNT] Corruption of high TPA
  - From: Vincent Rivière <vincent.riviere@freesbee.fr>
- Re: [MiNT] Corruption of high TPA
  - From: "Konrad M. Kokoszkiewicz" <draco@obta.uw.edu.pl>
- Re: [MiNT] Corruption of high TPA
  - From: Vincent Rivière <vincent.riviere@freesbee.fr>

Prev by Date: [MiNT] appl_getinfo
Next by Date: Re: [MiNT] Corruption of high TPA
Previous by thread: Re: [MiNT] Corruption of high TPA
Next by thread: Re: [MiNT] Corruption of high TPA
Index(es):
- Date
- Thread