[fedora-arm] Understanding gdb disassembly output
Daniel Drake
dsd at laptop.org
Tue May 1 21:10:30 UTC 2012
Hi,
I have been trying to understand more about the WebKit JIT crash,
looking at the assembly around the crash.
I'm confused about some of the output of gdb, can anyone help?
Core was generated by `epiphany'.
Program terminated with signal 11, Segmentation fault.
#0 0x000013e4 in ?? ()
Missing separate debuginfos, use: debuginfo-install
epiphany-3.3.90-1.fc17.armv7hl
(gdb) bt
#0 0x000013e4 in ?? ()
#1 0x499fe5dc in ?? ()
#2 0x499fe5dc in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) info registers
r0 0x4996e240 1234625088
r1 0xfffffffb 4294967291
r2 0x4996e240 1234625088
r3 0xfffffffb 4294967291
r4 0x47626688 1197631112
r5 0x1d2 466
r6 0x47626588 1197630856
r7 0x5357c57c 1398261116
r8 0x41d9f3e4 1104802788
r9 0x47626570 1197630832
r10 0x45a67400 1168536576
r11 0x41f55058 1106595928
r12 0x4c1d0ab0 1276971696
sp 0xbe8aed78 0xbe8aed78
lr 0x499fe5dc 1235215836
pc 0x13e4 0x13e4
cpsr 0x600f0010 1611595792
The PC is obviously bad here.
So lets look at the code around the LR to see where we came from.
(gdb) x/12i $lr-32
0x499fe5bc: mov r0, sp
0x499fe5c0: str r4, [sp, #3118288] ; 0x60
0x499fe5c4: mov r8, #408 ; 0x198
0x499fe5c8: str r8, [r4, #-3118288] ; 0x2c
0x499fe5cc: ldr r3, [pc, #31461008] ; 0x499fea40
0x499fe5d0: str r4, [r3]
0x499fe5d4: ldr r8, [pc, #31461008] ; 0x499fea44
0x499fe5d8: blx r8
0x499fe5dc: str r0, [r4, #3118288] ; 0x70
0x499fe5e0: str r1, [r4, #3118288] ; 0x74
0x499fe5e4: b 0x499fc264
0x499fe5e8: b 0x499fe618
Specifically this bit looks of interest:
0x499fe5d4: ldr r8, [pc, #31461008] ; 0x499fea44
0x499fe5d8: blx r8
So the first instruction here says "take the data at address
pc+31461008 and save it in r8".
pc is always 8 bytes on from the address of the current instruction,
so at the moment pc = 0x499fe5d4 + 8 = 0x499fe5dc
So the address of the data being loaded into r8 is: 0x499fe5dc +
31461008 = 0x4b7ff46c
The contents of this memory:
(gdb) x/x 0x4b7ff46c
0x4b7ff46c: 0x00000000
Hmm, seems unlikely.
But going back to the instruction:
0x499fe5d4: ldr r8, [pc, #31461008] ; 0x499fea44
What's that weird "; 0x499fea44" annotation? Where has gdb pulled that
number from?
Lets investigate it anyway:
(gdb) x/x 0x499fea44
0x499fea44: 0x41d9f3e4
Probably a pointer? Lets find out.
(gdb) x/4i 0x41d9f3e4
0x41d9f3e4 <cti_op_resolve_global>: str lr, [sp, #3118288] ; 0x40
0x41d9f3e8 <cti_op_resolve_global+4>: bl 0x41cf4aac
0x41d9f3ec <cti_op_resolve_global+8>:
ldr lr, [sp, #3118288] ; 0x40
0x41d9f3f0 <cti_op_resolve_global+12>: mov pc, lr
Yep, looks like a pointer.
Looking at the instruction once again:
0x499fe5d4: ldr r8, [pc, #31461008] ; 0x499fea44
Lets see what value r8 has (maybe it hasn't changed since we ran that
line of code). See top of this mail. It's 0x41d9f3e4 (i.e.
cti_op_resolve_global). Which is the location pointed at by the weird
annotation of address 0x499fea44.
So it seems very likely that code execution jumped to 0x41d9f3e4, and
gdb seems to confirm that, but I don't know how/why.
Digging further down... cti_op_resolve_global (as pasted above)
branches to 0x41cf4aac.
(gdb) x/4i 0x41cf4aac
0x41cf4aac: add r12, pc, #2097152 ; 0x200000
0x41cf4ab0: add r12, r12, #389120 ; 0x5f000
0x41cf4ab4: ldr pc, [r12, #3118288]! ; 0x240
So if I calculate right, on that first line, pc=0x41cf4aac + 8
So this causes a jump to the address pointed at by the memory location
0x41cf4aac + 8 + 2097152 + 389120 + 3118288 = 0x4224cf84. (r12 is also
updated to point at that same memory location).
So lets look at that address:
(gdb) x/x 0x4224cf84
0x4224cf84: Cannot access memory at address 0x4224cf84
Hmm.
Note that r12 was also updated to point at the same location where the
new PC value was read from. Lets assume it hasn't changed since that
assignment, and check it out. r12=0x4c1d0ab0
(gdb) x/x 0x4c1d0ab0
0x4c1d0ab0: 0x41f50e00
(gdb) x/4i 0x41f50e00
0x41f50e00 <_ZN3JSC9Structure6s_infoE>: ldrsbmi r4, [r0, #240]! ; 0xf0
0x41f50e04 <_ZN3JSC9Structure6s_infoE+4>: andeq r0, r0, r0
0x41f50e08 <_ZN3JSC9Structure6s_infoE+8>: andeq r0, r0, r0
0x41f50e0c <_ZN3JSC9Structure6s_infoE+12>: andeq r0, r0, r0
0x41f50e00 <_ZN3JSC9Structure6s_infoE>: 0x41f04fd0 0x00000000 0x00000000 0x00000000
0x41f50e10 <_ZN3JSC9Structure6s_infoE+16>: 0x41ea7bec 0x41ea7038 0x41e4b4bc 0x41e4b4c4
0x41f50e20 <_ZN3JSC9Structure6s_infoE+32>: 0x41e4b5f4 0x41e4b5b4 0x41e4b584 0x41e4b554
Looks like data, not code, so maybe r12 has been changed after all.
(or we're trying to execute those instructions and going wildly
wrong).
Either way, I feel like my own calculations are not agreeing with the
actual behaviour of the program. Where does the 0x499fea44 annotation
come from? Why can't I calculate the behaviour of the code at
0x41cf4aac?
Thanks,
Daniel
More information about the arm
mailing list