
Re: video mem access with oskit-mach

From: Marcus Brinkmann
Subject: Re: video mem access with oskit-mach
Date: Tue, 11 Dec 2001 02:54:41 +0100
User-agent: Mutt/1.3.24i

On Mon, Dec 10, 2001 at 03:38:17PM -0500, Roland McGrath wrote:
> > Here the mode is hard coded to read only.
> I checked in a fix for that.  Please try a variety of operations on "mem"
> and verify that none of them crash or anything.  Obviously the writing code
> has never been tested.

Yep, there seems to be a small buglet, but I am not yet sure what it is.
Remote debugging rocks, Roland!  Thanks for bringing this to us!

If you look at the back trace, there seems to be the bogosity that offset
has the wrong value if evaluated with "print offset", but in the frame it is
correct (offset=753664, which is B8000, which is the video mem).

The failing if seems to indicate that round_page (4294967291) gives a wrong
result, as the number is 2^32-5.  Indeed, round page rounds UP, so this is
bad mojo.  Seems to me it ends up being 0, and the comparison always fails.

/* File: mach/vm_param.h */

#undef  round_page
#define round_page(x)   ((vm_offset_t)((((vm_offset_t)(x)) + PAGE_MASK) & ~PAGE_MASK))
#undef  trunc_page
#define trunc_page(x)   ((vm_offset_t)(((vm_offset_t)(x)) & ~PAGE_MASK))

This needs to be fixed, mmh.  Is the mem.size value sane?  It seems to be
quite bogus to me. In fact, the size and recsize values passed to
special_mem_device are:

~(vm_offset_t)0 - 4, 1

the first one being the 2^32 - 5.  The comment above this, talking about the
granularity being four bytes, I don't really understand.  Did something get
mixed up here?  Also, I suggest testing if offset+size overflows (same
for read_inband etc).


#0  0x00201586 in panic ()
#1  0x0012e4eb in ds_mem_map (dev=0x80965ec, prot=3, offset=753664, size=4096,
    pa=0x9a51ce4) at ../oskit/ds_mem.c:33
#2  0x0012908f in device_map_page (dsp=0x8096688, offset=753664)
    at ../device/dev_pager.c:542
#3  0x00125d8e in vm_object_page_map (object=0x80934bc, offset=753664,
    size=4096, map_fn=0x129068 <device_map_page>, map_fn_data=0x8096688)
    at ../vm/vm_object.c:2997
#4  0x00128fcb in device_pager_data_request (pager=0x8097988,
    pager_request=0x8097a20, offset=753664, length=4096, protection_required=3)
    at ../device/dev_pager.c:348
#5  0x00134f28 in _Xdevice_pager_data_request (InHeadP=0x8090240,
    OutHeadP=0x81e3010) at device_pager_server.c:337
#6  0x00113320 in ipc_kobject_server (request=0x8090230)
    at ../kern/ipc_kobject.c:192
#7  0x001046bf in ipc_mqueue_send (kmsg=0x8090230, option=65536, time_out=0)
    at ../ipc/ipc_mqueue.c:208
#8  0x00113584 in mach_msg_send_from_kernel (msg=0x9a51e70, send_size=56)
    at ../kern/ipc_mig.c:83
#9  0x00130075 in memory_object_data_request (memory_object=0x8097988,
    memory_control=0x8097a20, offset=753664, length=4096, desired_access=3)
    at memory_object_user_user.c:369
#10 0x0011e511 in vm_fault_page (first_object=0x80934bc, first_offset=753664,
    fault_type=3, must_be_resident=0, interruptible=1, protection=0x9a51f7c,
    result_page=0x9a51f80, top_page=0x9a51f84, resume=0,
    continuation=0x11ec38 <vm_fault_continue>) at ../vm/vm_fault.c:667
#11 0x0011edd2 in vm_fault (map=0x8091908, vaddr=167936, fault_type=3,
    change_wiring=0, resume=0,
    continuation=0x13bb04 <user_page_fault_continue>) at ../vm/vm_fault.c:1299
#12 0x0013bfd4 in user_trap (regs=0x80985bc) at ../i386/i386/trap.c:472
#13 0x0013e82e in _take_trap ()
(gdb) up
#1  0x0012e4eb in ds_mem_map (dev=0x80965ec, prot=3, offset=753664, size=4096,
    pa=0x9a51ce4) at ../oskit/ds_mem.c:33
33          INVALREC;
(gdb) l
28      io_return_t
29      ds_mem_map (device_t dev, vm_prot_t prot,
30                  vm_offset_t offset, vm_size_t size, oskit_addr_t *pa)
31      {
32        if (offset + size > round_page (dev->com.mem.size))
33          INVALREC;
34        if (offset % dev->com.mem.recsize || !page_aligned (offset))
35          INVALREC;
36        if (round_page (size) % dev->com.mem.recsize)
37          INVALSZ;
(gdb) print offset
$6 = 2461380
(gdb) print size
$7 = 4096
(gdb) print dev->com.mem.size
$8 = 4294967291
(gdb) print dev->com.mem
$9 = {pa = 0, size = 4294967291, recsize = 1}

`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
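As an added example (not oskit-mach code, and not the fix that was later checked in), the following program reproduces the wrap-around of round_page() on a 32-bit vm_offset_t for the mem.size value in the backtrace, and puts the range check from ds_mem_map next to an overflow-safe version. It assumes PAGE_SIZE is 4096 and 32-bit vm_offset_t/vm_size_t, as on i386; safe_check_rejects is my suggestion.

```c
/* Added example (not oskit-mach source): shows how Mach's round_page()
 * wraps on a 32-bit vm_offset_t for mem.size = ~0 - 4, and an
 * overflow-safe form of the ds_mem_map range check. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t vm_offset_t;   /* 32-bit, as on i386 oskit-mach (assumed) */
typedef uint32_t vm_size_t;
#define PAGE_SIZE 4096u         /* assumed page size */
#define PAGE_MASK (PAGE_SIZE - 1)

/* Macros as in mach/vm_param.h: round UP / DOWN to a page boundary. */
#define round_page(x) ((vm_offset_t)((((vm_offset_t)(x)) + PAGE_MASK) & ~PAGE_MASK))
#define trunc_page(x) ((vm_offset_t)(((vm_offset_t)(x)) & ~PAGE_MASK))

vm_offset_t round_page_fn(vm_size_t x) { return round_page(x); }

/* Range check as written in ds_mem_map (returns 1 when the map is rejected).
 * Two defects: round_page(mem_size) wraps to 0 when mem_size is within
 * PAGE_MASK of 2^32, and offset + size itself can wrap around. */
int original_check_rejects(vm_offset_t offset, vm_size_t size, vm_size_t mem_size)
{
    return offset + size > round_page(mem_size);
}

/* Hardened check (my suggestion, not the committed fix): do the arithmetic
 * in 64 bits so neither the end address nor the rounded limit can wrap. */
int safe_check_rejects(vm_offset_t offset, vm_size_t size, vm_size_t mem_size)
{
    uint64_t end   = (uint64_t)offset + size;
    uint64_t limit = ((uint64_t)mem_size + PAGE_MASK) & ~(uint64_t)PAGE_MASK;
    return size == 0 || end > limit;
}

int main(void)
{
    vm_size_t mem_size = ~(vm_offset_t)0 - 4;   /* value seen in the backtrace */
    printf("round_page(%u) = %u\n", mem_size, round_page_fn(mem_size));
    printf("video mem 0xB8000: original rejects=%d, safe rejects=%d\n",
           original_check_rejects(0xB8000, 4096, mem_size),
           safe_check_rejects(0xB8000, 4096, mem_size));
    /* offset + size wraps in 32 bits: the original check lets it through */
    printf("wrapping range: original rejects=%d, safe rejects=%d\n",
           original_check_rejects(0xFFFFF000u, 0x2000, 0x10000),
           safe_check_rejects(0xFFFFF000u, 0x2000, 0x10000));
    return 0;
}
```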
