segmentation fault on bnslr instruction

Vijay Sampath vsampath at gmail.com
Tue Oct 25 04:49:01 EST 2005 

Hi,

I am running an embedded linux (kernel 2.4.18) system with a bunch of
multithreaded applications compiled using uClibc (0.9.26). I have
noticed that very occasionally a couple of the processes die with a
segmentation fault. The core file points to the process dying on the
bnslr instruction inside the uClibc library code immediately after a
system call. I don't know why the system returned from the system
call, because nothing should have been going on at the time and the
process should have been sleeping in kernel space on the accept call.

Would like any pointers from people more knowledgeable on the ppc
architecture as to why a bnslr instruction would cause a segmentation
fault (the LR register is correct). I am assuming that the registers
saved by the OS when the fault occurred are precise (at the instant of
the fault and not sometime after). Also it bothers me as to why the OS
returned from the system call, as there was no activity going on.

Attached below is some debugging info using gdb.

Thanks,

Vijay


GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "powerpc-linux"...
Core was generated by `xmlagent.out 1 2 6500 6500 1'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.0...done.
Loaded symbols for /lib/libc.so.0
Reading symbols from /lib/ld.so.1...done.
Loaded symbols for /lib/ld.so.1
#0  0x30072000 in __uClibc_syscall () from /lib/libc.so.0


(gdb) bt
#0  0x30072000 in __uClibc_syscall () from /lib/libc.so.0
#1  0x3005f7b0 in accept () from /lib/libc.so.0
#2  0x3002175c in accept () from /lib/libpthread.so.0
#3  0x10002718 in xmlSocketThread (arg=0x200) at xmlMain.c:335
#4  0x3001b3ec in __pthread_manager_event () from /lib/libpthread.so.0
#5  0x30071fe0 in clone () from /lib/libc.so.0


(gdb) info frame
Stack level 0, frame at 0x7f7ffc60:
 pc = 0x30072000 in __uClibc_syscall; saved pc 0x3005f7b0
 (FRAMELESS), called by frame at 0x7f7ffc60
 Arglist at 0x7f7ffc60, args:
 Locals at 0x7f7ffc60, Previous frame's sp is 0x0


(gdb) disassemble
Dump of assembler code for function __uClibc_syscall:
0x30071ffc <__uClibc_syscall>:  sc
0x30072000 <__uClibc_syscall+4>:        bnslr             -------->
segmentation fault
0x30072004 <__uClibc_syscall+8>:        b       0x300897f8 <___brk_addr+2276>
End of assembler dump.
(gdb) info registers
r0             0x66     102
r1             0x7f7ffc60       2139094112
r2             0x0      0
r3             0x200    512
r4             0x7f7ffc68       2139094120
r5             0x7f7ffd1c       2139094300
r6             0x8      8
r7             0x38     56
r8             0x21     33
r9             0x7f7ffcc8       2139094216
r10            0x7f7ffc70       2139094128
r11            0x30071ffc       805773308
r12            0x1005a07c       268804220
r13            0x0      0
r14            0x30005140       805327168
r15            0x30005000       805326848
r16            0x2      2
r17            0xe4     228
r18            0x300050a0       805327008
r19            0xe4     228
r20            0x30035bf0       805526512
r21            0x30035d60       805526880
r22            0x0      0
---Type <return> to continue, or q <return> to quit---
r23            0x0      0
r24            0x100025f4       268445172
r25            0x10076ccc       268922060
r26            0x10070000       268894208
r27            0x7f7ffd1c       2139094300
r28            0x7f7ffcc8       2139094216
r29            0x10     16
r30            0x100726d8       268904152
r31            0x10072744       268904260
pc             0x30072000       805773312
ps             0xd030   53296
cr             0x32002028       838869032
lr             0x3005f7b0       805697456
ctr            0x30071ffc       805773308
xer            0x20000000       536870912


(gdb)  disassemble 0x3005f7b0                    --------> LR location
Dump of assembler code for function accept:
0x3005f784 <accept>:    stwu    r1,-48(r1)
0x3005f788 <accept+4>:  mflr    r0
0x3005f78c <accept+8>:  stw     r0,52(r1)
0x3005f790 <accept+12>: mr      r9,r4
0x3005f794 <accept+16>: mr      r0,r3
0x3005f798 <accept+20>: addi    r4,r1,8
0x3005f79c <accept+24>: li      r3,5
0x3005f7a0 <accept+28>: stw     r0,8(r1)
0x3005f7a4 <accept+32>: stw     r9,12(r1)
0x3005f7a8 <accept+36>: stw     r5,16(r1)
0x3005f7ac <accept+40>: bl      0x30088fb8 <___brk_addr+164>
0x3005f7b0 <accept+44>: lwz     r0,52(r1)
0x3005f7b4 <accept+48>: addi    r1,r1,48
0x3005f7b8 <accept+52>: mtlr    r0
0x3005f7bc <accept+56>: blr

More information about the Linuxppc-embedded mailing list