VxWorks Task Hang: Hands-on Analysis
1. Background

Operating system: VxWorks 5.5
CPU: MIPS32 74Kc core

Symptom: during integration debugging, calling the interface function below from application code hangs the task every time. Code review found every argument legal and the logic sound; nothing abnormal was visible.

/*
 * FunctionName : switch_port_qconfig_set
 * Author       : justin
 * CreateDate   : 20210606
 * Description  : set port cosq qconfig cell
 * InputParam   : int unit
 *                int ponno,                PON port number, range 0-15
 *                int cosq,                 0-7 for UNI ports
 *                int port_guarantee_cells, THDO_QCONFIG_CELL Q_MIN_CELL
 *                int q_shared_alpha,       THDO_QCONFIG_CELL Q_SHARED_ALPHA_CELL
 * OutputParam  : NA
 * ReturnValue  : 0 - ok; non-zero - error
 * Relation     : NA
 * OtherInfo    : NA
 */
int switch_port_qconfig_set(int unit, int ponno, int cosq, int port_guarantee_cells, int q_shared_alpha)
{
    int switchport = 0;
    /* parameter initialisation */
    int cpu_cosq_num = NUM_CPU_COSQ_MAX;
    int port_cosq_num = 0;
    int thdo_qconfig_cell_queue_no = 0;
    uint32 thdo_qconfig_cell_entry = 0;

    /* parameter checks */
    if (port_guarantee_cells > THDO_QCONFIG_CELLS_MAX)
    {
        port_guarantee_cells = THDO_QCONFIG_CELLS_MAX;
    }
    /* alpha takes values 0-9 */
    if (q_shared_alpha > THDO_QCONFIG_ALPHA_MAX)
    {
        return RV_ERROR;
    }
    /* only UNI ports can be configured */
    if (ponno > linecard_pon_port_end())
    {
        return RV_ERROR;
    }
    switchport = switch_oldport_to_newport(ponno);

    /* number of COSQ queues per port */
    BCM_IF_ERROR_RETURN(bcm_cosq_config_get(unit, &port_cosq_num));
    /* index of the requested COS queue on the requested port */
    thdo_qconfig_cell_queue_no = cpu_cosq_num + (switchport - 1) * port_cosq_num + cosq;
    BCM_IF_ERROR_RETURN(READ_MMU_THDO_QCONFIG_CELLm(unit, MEM_BLOCK_ANY, thdo_qconfig_cell_queue_no, &thdo_qconfig_cell_entry));

    /* save the default configuration the first time through */
    if (0 == g_switch_pon_qconfig[ponno][cosq].flag)
    {
        g_switch_pon_qconfig[ponno][cosq].q_min_cell = soc_mem_field32_get(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_MIN_CELLf);
        g_switch_pon_qconfig[ponno][cosq].q_shared_alpha = soc_mem_field32_get(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf);
        g_switch_pon_qconfig[ponno][cosq].flag = 1;
    }

    /* restoring the PON default configuration is supported */
    if ((THDO_QCONFIG_CELLS_MIN == port_guarantee_cells) && (THDO_QCONFIG_ALPHA_MIN == q_shared_alpha)
        && (1 == g_switch_pon_qconfig[ponno][cosq].flag))
    {
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_MIN_CELLf, g_switch_pon_qconfig[ponno][cosq].q_min_cell);
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf, g_switch_pon_qconfig[ponno][cosq].q_shared_alpha);
    }
    else if ((THDO_QCONFIG_CELLS_MIN != port_guarantee_cells) && (THDO_QCONFIG_ALPHA_MIN != q_shared_alpha))
    {
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_MIN_CELLf, port_guarantee_cells);
        soc_mem_field32_set(unit, MMU_THDO_QCONFIG_CELLm, &thdo_qconfig_cell_entry, Q_SHARED_ALPHA_CELLf, q_shared_alpha);
    }
    BCM_IF_ERROR_RETURN(WRITE_MMU_THDO_QCONFIG_CELLm(unit, MEM_BLOCK_ANY, thdo_qconfig_cell_queue_no, &thdo_qconfig_cell_entry));
    return RV_OK;
}

Root cause

1. An out-of-bounds bcopy() copy.
2. Debugging showed that the switch SDK library files are built with a compile option under which register r30 is used as the general-purpose register s8, while the other modules are built with the default options, under which r30 is the frame pointer (fp). When application code calls a switch SDK interface function that uses s8, the value of s8 can be overwritten, and the caller's frame-pointer-relative accesses then hit an illegal address.

The exception frame recovered later in this analysis is consistent with that explanation. The register set that excStub saved holds s8 = 0x00000001 (at 0x4c31d438) and BADVADDR = 0x35; EPC = 0x80ad31f0 is the first instruction executed after the jal to switch_port_qconfig_set at 0x80ad31e8 in olt_config_set_pon_cosq_config; and the word that unaligned_load_handler copied from EPC into its local at 0x4c31d358 is 0x8fc20034, which decodes as lw v0,0x34(s8). With s8 = 1 that load addresses 0x35: an unaligned address in the low page, produced by a frame pointer the callee had overwritten, and one that the fixup handler's own bcopy cannot read either, which is why the task ends up suspended inside bcopy. A caveat worth keeping in mind: under the o32 calling convention r30 is callee-saved whether a module names it fp or s8, so a routine that returns with r30 changed has broken the convention regardless of how it was compiled; the thing to look for in the SDK binary is a routine that writes s8 without saving and restoring it.

Analysis

Since code review found nothing, the only way left was to go back to basics and locate the problem through disassembly.

First, `i` lists the system tasks; the hung task is cmd_process:

-> i
  NAME          ENTRY        TID    PRI   STATUS      PC       SP     ERRNO  DELAY
  ----------   ------------ -------- --- ---------- -------- -------- ------- -----
  tExcTask     excTask      87d80cb0   0 PEND
  tLogTask     logTask      87d7e120   0 PEND
  tShell       shell        87a93670   1 READY
  tWdbTask     wdbTask      87ab28e0   3 PEND
  tAioIoTask1  aioIoTask    87d8f3f0  50 PEND
  tAioIoTask0  aioIoTask    87d88180  50 PEND
  tNetTask     netTask      87bf2860  50 PEND
  cmd_process  MsgProcessTa 4c31d5a0  80 SUSPEND    8016a354 4c31d328  3d0004     0
value = 0 = 0x0

Next, `ti` shows the task in detail:

-> ti 0x4c31d5a0
  NAME          ENTRY        TID    PRI   STATUS      PC       SP     ERRNO  DELAY
  ----------   ------------ -------- --- ---------- -------- -------- ------- -----
  cmd_process  MsgProcessTa 4c31d5a0  80 SUSPEND    8016a354 4c31d328  3d0004     0

stack: base 0x4c31d5a0  end 0x4c3185a0  size 20464  high 7760  margin 12704

options: 0xc
VX_DEALLOC_STACK  VX_FP_TASK

VxWorks Events
--------------
Events Pended on    : Not Pended
Received Events     : 0x0
Options             : N/A

  at = 0          v0 = 4c31d374   v1 = c          a0 = 35
  a1 = 4c31d370   a2 = 4          a3 = 80ad31f0   t0 = 1
  t1 = 0          t2 = 4          t3 = 0          t4 = 0
  s0 = 1          s1 = 0          s2 = 0          s3 = 0
  s4 = 20         s5 = 6c8        s6 = 0          s7 = 0
  t8 = 0          t9 = 0          k0 = 813a3fb8   gp = 813a1640
  sp = 4c31d328   s8 = 4c31d328   ra = 80159e30   divlo = 38
  sr = 1000fc01   pc = 8016a354
value = 0 = 0x0

Then `tt` shows the task's call trace at the moment it hung:

-> tt 0x4c31d5a0
8015bee4 vxTaskEntry                    +c  : MsgProcessTask ( , , , )
80c58e9c MsgProcessTask                 +1bc: GeponProcGswCmd (87aa5760, 0, eeeeeeee, eeeeeeee)
80c5a670 GeponProcGswCmd                +   : compare_and_exec_cmd (87aa5760, 87aa57b5, 300eeee, eeeeeeee)
80c5a93c compare_and_exec_cmd           +2ac: olt_config_set_pon_cosq_config (87aa585d, a8, b1, 0)
80ad31e8 olt_config_set_pon_cosq_config +73c: switch_port_qconfig_set ( , , , )
8016c6c4 excStub                        +120: unaligned_load_handler (4, 4c31d388, 4c31d3b0, c)
80159e28 unaligned_load_handler         +238: bcopy (4, 4c31d388, 4c31d3b0, 80ad31f0)
value = 0 = 0x0

At this point sp = 0x4c31d328, ra = 0x80159e30 and pc = 0x8016a354. Dump the stack memory that sp points to:

-> d 0x4c31d328,4
4c31d320:                   00000004 4c31d388
4c31d330: 4c31d3b0 80ad31f0 00000000 4c31d34c
4c31d340: 4c31d368 00000000 80ad31f0 80ad31f4
4c31d350: 00000001 00000035 8fc20034 00000000
4c31d360: 0000001e 00000002 00000000 00000000
4c31d370: 00000000 00000001 00000001 00000003
4c31d380: 00000001 8016c6cc 00000004 4c31d388
4c31d390: 4c31d3b0 0000000c 00002cd0 00000010
4c31d3a0: 4c31d438 00000000 00000035 00000000
4c31d3b0: 1000fc03 80ad31f0 00000038 00000000
4c31d3c0: 00000000 00031000 00000000 00000000
4c31d3d0: 80ec45d0 80ec45e4 000000aa 00000000
4c31d3e0: 1000fc01 1000fc00 00000004 00000000
4c31d3f0: 00000000 00000020 000006c8 00000000
4c31d400: 00000000 00000000 00000000 00000000
4c31d410: 00000000 00000000 00000000 00000000
4c31d420: 00000000 00000050 00000002 00000000
4c31d430: 813a1640 4c31d448 00000001 80ad31f0
4c31d440: 00000001 80ad31f0 00000000 00000000
4c31d450: 00000000 00000001 00000001 00000000
4c31d460: 039f5799 00000000 000d0001 00000014
4c31d470: 00070007 00070000 00000008 00000000
4c31d480: 00000007 00000000 00000001 00010001
4c31d490: 00010001 00020002 00020003 00030003
4c31d4a0: 00040004 00040005 00050005 00060006
4c31d4b0: 00060007 00070007 4c31d4c0 80c5a944
4c31d4c0: 87aa585d 000000a8 000000b1 00000000
4c31d4d0: 00000000 00000000 00a84083 87aa5760
4c31d4e0: 4d3e8110 4d3e80e0 00000000 00000000
4c31d4f0: 039fd500 80c5a268 4c31d500 80c5a678
4c31d500: 87aa5760 87aa57b5 0300eeee eeeeeeee
4c31d510: 4c31d518 eeeeeeee eeeeeeee eeeeeeee
4c31d520: 0000be49 00f800a8 4083eeee 87aa57b5
4c31d530: 87aa5760 00000000 00000000 f8000000
4c31d540: 00000055 00000000 4c31d550 80c58ea4
4c31d550: 87aa5760 00000000 eeeeeeee eeeeeeee
4c31d560: 80c57ca0 87aa5760 00000e10 eeeeeeee
4c31d570: 00000000 8015beec 00000000 00000000
4c31d580: 00000000 00000000 00000000 00000000
4c31d590: 00000000 00000000 00000000 00000000
4c31d5a0: 00000000 00000000 00000050 00000000
4c31d5b0: 4c392520 4c74e3f0 0000c119 00000000
4c31d5c0: 4c318350 4c3200b0 8015bc10 1000fc01
4c31d5d0: 813a503c 4c3185a0 0000000c 00000001

Resolve the pc and disassemble the function it lies in:

-> 0x8016a354
value = -2146000044 = 0x8016a354 = bcopy + 0xc4
-> l bcopy,50
bcopy:
0x8016a290  00a41023  subu   v0,a1,a0
0x8016a294  18400003  blez   v0,0x8016a2a4
0x8016a298  0046082a  slt    at,v0,a2
0x8016a29c  14200040  bnez   at,0x8016a3a0
0x8016a2a0  00a01025  move   v0,a1
0x8016a2a4  28c1000a  slti   at,a2,10
0x8016a2a8  14200024  bnez   at,0x8016a33c
0x8016a2ac  00a61021  addu   v0,a1,a2
0x8016a2b0  00a47026  xor    t6,a1,a0
0x8016a2b4  31cf0003  andi   t7,t6,0x3
0x8016a2b8  15e00021  bnez   t7,0x8016a340
0x8016a2bc  00a2082b  sltu   at,a1,v0
0x8016a2c0  30b80003  andi   t8,a1,0x3
0x8016a2c4  13000008  beqz   t8,0x8016a2e8
0x8016a2c8  00801825  move   v1,a0
0x8016a2cc  90990000  lbu    t9,0(a0)
0x8016a2d0  24a50001  addiu  a1,a1,1
0x8016a2d4  30a80003  andi   t0,a1,0x3
0x8016a2d8  24840001  addiu  a0,a0,1
0x8016a2dc  1500fffb  bnez   t0,0x8016a2cc
0x8016a2e0  a0b9ffff  sb     t9,-1(a1)
0x8016a2e4  00801825  move   v1,a0
0x8016a2e8  00a06025  move   t4,a1
0x8016a2ec  2447fffc  addiu  a3,v0,-4
0x8016a2f0  8c690000  lw     t1,0(v1)
0x8016a2f4  258c0004  addiu  t4,t4,4
0x8016a2f8  00ec082b  sltu   at,a3,t4
0x8016a2fc  24630004  addiu  v1,v1,4
0x8016a300  1020fffb  beqz   at,0x8016a2f0
0x8016a304  ad89fffc  sw     t1,-4(t4)
0x8016a308  01802825  move   a1,t4
0x8016a30c  00602025  move   a0,v1
0x8016a310  00a2082b  sltu   at,a1,v0
0x8016a314  10200063  beqz   at,0x8016a4a4
0x8016a318  00000000  nop
0x8016a31c  24a50001  addiu  a1,a1,1
0x8016a320  908a0000  lbu    t2,0(a0)
0x8016a324  00a2082b  sltu   at,a1,v0
0x8016a328  24840001  addiu  a0,a0,1
0x8016a32c  1420fffb  bnez   at,0x8016a31c
0x8016a330  a0aaffff  sb     t2,-1(a1)
0x8016a334  03e00008  jr     ra
0x8016a338  00000000  nop
0x8016a33c  00a2082b  sltu   at,a1,v0
0x8016a340  10200058  beqz   at,0x8016a4a4
0x8016a344  00000000  nop
0x8016a348  2cc80004  sltiu  t0,a2,4
0x8016a34c  1408000c  bne    zero,t0,0x8016a380
0x8016a350  00064882  srl    t1,a2,2
0x8016a354  88880000  lwl    t0,0(a0)     /* faulting instruction: loads the word at a0+0 into t0; a0 is 0x35 (53 decimal) here */
value = -2146000040 = 0x8016a358 = bcopy + 0xc8

The bcopy disassembly saves neither any general-purpose register (it has no locals on the stack) nor the ra return address, so bcopy is a leaf function. The caller's sp is therefore the same 0x4c31d328, and the caller's pc is the current ra, 0x80159e30. (This also explains the register dump above: s8 still equals sp because the caller set s8 = sp and the leaf never touched it.) Find the function containing that pc and disassemble it:

-> 0x80159e30
value = -2146066896 = 0x80159e30 = unaligned_load_handler + 0x240
-> l unaligned_load_handler,300
unaligned_load_handler:
0x80159bf0  27bdffa0  addiu  sp,sp,-96      // caller's sp = sp + 96 = 0x4c31d388
0x80159bf4  afbf005c  sw     ra,0x5c(sp)    // ra saved at sp + 92 = 0x4c31d384, value 0x8016c6cc
0x80159bf8  afbe0058  sw     s8,0x58(sp)    // s8 saved at sp + 88
0x80159bfc  03a0f025  move   s8,sp          // s8 = sp, s8 is used as the frame pointer
0x80159c00  afc40060  sw     a0,0x60(s8)
0x80159c04  afc50064  sw     a1,0x64(s8)    // a1 = the ESF built by excStub
0x80159c08  afc60068  sw     a2,0x68(s8)
0x80159c0c  8fc20064  lw     v0,0x64(s8)
0x80159c10  8c42002c  lw     v0,0x2c(v0)    // ESF+0x2c: EPC
0x80159c14  afc20020  sw     v0,0x20(s8)
0x80159c18  8fc20064  lw     v0,0x64(s8)
0x80159c1c  8c420014  lw     v0,0x14(v0)    // ESF+0x14: Cause
0x80159c20  000217c2  srl    v0,v0,31       // Cause.BD (branch delay slot)
0x80159c24  afc20034  sw     v0,0x34(s8)
0x80159c28  8fc20064  lw     v0,0x64(s8)
0x80159c2c  8fc30020  lw     v1,0x20(s8)
0x80159c30  8c42002c  lw     v0,0x2c(v0)
0x80159c34  10620003  beq    v1,v0,0x80159c44
0x80159c38  00000000  nop
0x80159c3c  080567b7  j      0x80159edc
0x80159c40  00000000  nop
0x80159c44  8fc20064  lw     v0,0x64(s8)
0x80159c48  8c42002c  lw     v0,0x2c(v0)
0x80159c4c  30420003  andi   v0,v0,0x3      // EPC itself must be word aligned
0x80159c50  10400003  beqz   v0,0x80159c60
0x80159c54  00000000  nop
0x80159c58  080567b7  j      0x80159edc
0x80159c5c  00000000  nop
0x80159c60  8fc20034  lw     v0,0x34(s8)
0x80159c64  afa20010  sw     v0,0x10(sp)
0x80159c68  27c20024  addiu  v0,s8,36
0x80159c6c  afa20014  sw     v0,0x14(sp)
0x80159c70  27c20040  addiu  v0,s8,64
0x80159c74  afa20018  sw     v0,0x18(sp)
0x80159c78  8fc40060  lw     a0,0x60(s8)
0x80159c7c  8fc50064  lw     a1,0x64(s8)
0x80159c80  8fc60068  lw     a2,0x68(s8)
0x80159c84  8fc70020  lw     a3,0x20(s8)
0x80159c88  0c056544  jal    0x80159510
0x80159c8c  00000000  nop
0x80159c90  10400003  beqz   v0,0x80159ca0
0x80159c94  00000000  nop
0x80159c98  080567b7  j      0x80159edc
0x80159c9c  00000000  nop
0x80159ca0  8fc20034  lw     v0,0x34(s8)
0x80159ca4  10400004  beqz   v0,0x80159cb8
0x80159ca8  00000000  nop
0x80159cac  8fc20020  lw     v0,0x20(s8)
0x80159cb0  24420004  addiu  v0,v0,4        // in a delay slot the faulting instruction is at EPC + 4
0x80159cb4  afc20020  sw     v0,0x20(s8)
0x80159cb8  27c20030  addiu  v0,s8,48
0x80159cbc  8fc40020  lw     a0,0x20(s8)
0x80159cc0  00402825  move   a1,v0
0x80159cc4  24060004  li     a2,4
0x80159cc8  0c05a8a4  jal    bcopy          // bcopy(EPC, s8+0x30, 4): fetch the faulting instruction word
0x80159ccc  00000000  nop
0x80159cd0  8fc20030  lw     v0,0x30(s8)
0x80159cd4  00021542  srl    v0,v0,21
0x80159cd8  3042001f  andi   v0,v0,0x1f     // rs field (base register)
0x80159cdc  afc20038  sw     v0,0x38(s8)
0x80159ce0  8fc20030  lw     v0,0x30(s8)
0x80159ce4  00021402  srl    v0,v0,16
0x80159ce8  3042001f  andi   v0,v0,0x1f     // rt field (destination register)
0x80159cec  afc2003c  sw     v0,0x3c(s8)
0x80159cf0  8fc20038  lw     v0,0x38(s8)
0x80159cf4  1040000a  beqz   v0,0x80159d20
0x80159cf8  00000000  nop
0x80159cfc  8fc30064  lw     v1,0x64(s8)
0x80159d00  8fc20038  lw     v0,0x38(s8)
0x80159d04  00021080  sll    v0,v0,2
0x80159d08  24420038  addiu  v0,v0,56
0x80159d0c  00621021  addu   v0,v1,v0
0x80159d10  8c420000  lw     v0,0(v0)       // ESF+0x38+4*rs: saved value of the base register
0x80159d14  afc2004c  sw     v0,0x4c(s8)
0x80159d18  08056749  j      0x80159d24
0x80159d1c  00000000  nop
0x80159d20  afc0004c  sw     zero,0x4c(s8)
0x80159d24  8fc2004c  lw     v0,0x4c(s8)
0x80159d28  afc20028  sw     v0,0x28(s8)
0x80159d2c  8fc30028  lw     v1,0x28(s8)
0x80159d30  afc30050  sw     v1,0x50(s8)
0x80159d34  8fc20038  lw     v0,0x38(s8)
0x80159d38  1040000c  beqz   v0,0x80159d6c
0x80159d3c  00000000  nop
0x80159d40  8fc30064  lw     v1,0x64(s8)
0x80159d44  8fc20038  lw     v0,0x38(s8)
0x80159d48  00021080  sll    v0,v0,2
0x80159d4c  24420038  addiu  v0,v0,56
0x80159d50  00621021  addu   v0,v1,v0
0x80159d54  8c420000  lw     v0,0(v0)
0x80159d58  8fc30050  lw     v1,0x50(s8)
0x80159d5c  1462005f  bne    v1,v0,0x80159edc
0x80159d60  00000000  nop
0x80159d64  0805675e  j      0x80159d78
0x80159d68  00000000  nop
0x80159d6c  8fc20050  lw     v0,0x50(s8)
0x80159d70  1440005a  bnez   v0,0x80159edc
0x80159d74  00000000  nop
0x80159d78  87c30032  lh     v1,0x32(s8)    // imm16 of the instruction, sign-extended
0x80159d7c  8fc20028  lw     v0,0x28(s8)
0x80159d80  00431021  addu   v0,v0,v1       // effective address = base register + imm16
0x80159d84  afc2002c  sw     v0,0x2c(s8)
0x80159d88  8fc20030  lw     v0,0x30(s8)
0x80159d8c  00021682  srl    v0,v0,26       // opcode
0x80159d90  3042003f  andi   v0,v0,0x3f
0x80159d94  2442ffe0  addiu  v0,v0,-32
0x80159d98  afc20054  sw     v0,0x54(s8)
0x80159d9c  8fc30054  lw     v1,0x54(s8)
0x80159da0  2c620018  sltiu  v0,v1,24
0x80159da4  1040004d  beqz   v0,0x80159edc
0x80159da8  00000000  nop
0x80159dac  8fc20054  lw     v0,0x54(s8)
0x80159db0  00021880  sll    v1,v0,2
0x80159db4  3c0280c7  lui    v0,0x80c7
0x80159db8  2442e4a0  addiu  v0,v0,-0x1b60
0x80159dbc  00621021  addu   v0,v1,v0
0x80159dc0  8c420000  lw     v0,0(v0)       // jump table indexed by (opcode - 32)
0x80159dc4  00400008  jr     v0
0x80159dc8  00000000  nop
0x80159dcc  27c20044  addiu  v0,s8,68
0x80159dd0  8fc4002c  lw     a0,0x2c(s8)
0x80159dd4  00402825  move   a1,v0
0x80159dd8  24060002  li     a2,2
0x80159ddc  0c05a8a4  jal    bcopy          // bcopy(EA, s8+0x44, 2)
0x80159de0  00000000  nop
0x80159de4  00000000  nop
0x80159de8  8fc2003c  lw     v0,0x3c(s8)
0x80159dec  1040002e  beqz   v0,0x80159ea8
0x80159df0  00000000  nop
0x80159df4  8fc30064  lw     v1,0x64(s8)
0x80159df8  8fc2003c  lw     v0,0x3c(s8)
0x80159dfc  00021080  sll    v0,v0,2
0x80159e00  24420038  addiu  v0,v0,56
0x80159e04  00621821  addu   v1,v1,v0
0x80159e08  87c20044  lh     v0,0x44(s8)
0x80159e0c  ac620000  sw     v0,0(v1)       // ESF+0x38+4*rt = loaded value
0x80159e10  080567aa  j      0x80159ea8
0x80159e14  00000000  nop
0x80159e18  27c20048  addiu  v0,s8,72
0x80159e1c  8fc4002c  lw     a0,0x2c(s8)
0x80159e20  00402825  move   a1,v0
0x80159e24  24060004  li     a2,4
0x80159e28  0c05a8a4  jal    bcopy          // bcopy(EA, s8+0x48, 4): the call in progress
0x80159e2c  00000000  nop
0x80159e30  00000000  nop                   // return address of that call = ra = 0x80159e30
0x80159e34  8fc2003c  lw     v0,0x3c(s8)
0x80159e38  1040001b  beqz   v0,0x80159ea8
0x80159e3c  00000000  nop
0x80159e40  8fc30064  lw     v1,0x64(s8)
0x80159e44  8fc2003c  lw     v0,0x3c(s8)
0x80159e48  00021080  sll    v0,v0,2
0x80159e4c  24420038  addiu  v0,v0,56
0x80159e50  00621821  addu   v1,v1,v0
0x80159e54  8fc20048  lw     v0,0x48(s8)
0x80159e58  ac620000  sw     v0,0(v1)
0x80159e5c  080567aa  j      0x80159ea8
0x80159e60  00000000  nop
0x80159e64  27c20044  addiu  v0,s8,68
0x80159e68  8fc4002c  lw     a0,0x2c(s8)
0x80159e6c  00402825  move   a1,v0
0x80159e70  24060002  li     a2,2
0x80159e74  0c05a8a4  jal    bcopy          // bcopy(EA, s8+0x44, 2)
0x80159e78  00000000  nop
0x80159e7c  00000000  nop
0x80159e80  8fc2003c  lw     v0,0x3c(s8)
0x80159e84  10400008  beqz   v0,0x80159ea8
0x80159e88  00000000  nop
0x80159e8c  8fc30064  lw     v1,0x64(s8)
0x80159e90  8fc2003c  lw     v0,0x3c(s8)
0x80159e94  00021080  sll    v0,v0,2
0x80159e98  24420038  addiu  v0,v0,56
0x80159e9c  00621821  addu   v1,v1,v0
0x80159ea0  97c20044  lhu    v0,0x44(s8)
0x80159ea4  ac620000  sw     v0,0(v1)
0x80159ea8  8fc20040  lw     v0,0x40(s8)
0x80159eac  10400006  beqz   v0,0x80159ec8
0x80159eb0  00000000  nop
0x80159eb4  8fc30064  lw     v1,0x64(s8)
0x80159eb8  8fc20064  lw     v0,0x64(s8)
0x80159ebc  8c42002c  lw     v0,0x2c(v0)
0x80159ec0  24420008  addiu  v0,v0,8
0x80159ec4  ac6200b4  sw     v0,0xb4(v1)
0x80159ec8  8fc30064  lw     v1,0x64(s8)
0x80159ecc  8fc20024  lw     v0,0x24(s8)
0x80159ed0  ac62002c  sw     v0,0x2c(v1)    // new EPC for the interrupted code
0x80159ed4  080567bc  j      0x80159ef0
0x80159ed8  00000000  nop
0x80159edc  8fc40060  lw     a0,0x60(s8)
0x80159ee0  8fc50064  lw     a1,0x64(s8)
0x80159ee4  8fc60068  lw     a2,0x68(s8)
0x80159ee8  0c05ac45  jal    excExcHandle   // anything not handled goes to the generic exception handler
0x80159eec  00000000  nop
0x80159ef0  03c0e825  move   sp,s8
0x80159ef4  8fbf005c  lw     ra,0x5c(sp)
0x80159ef8  8fbe0058  lw     s8,0x58(sp)
0x80159efc  27bd0060  addiu  sp,sp,96
0x80159f00  03e00008  jr     ra
0x80159f04  00000000  nop

So bcopy was not called by the application at all: it is the helper the unaligned-access fixup path uses to read the operand, and it was handed the bad address 0x35 computed from the interrupted code's registers. The suspended pc therefore says nothing about where the original exception came from; that site has to be recovered from the exception frame one level further out.

From unaligned_load_handler's frame setup, the caller's sp is 0x4c31d388 and its pc is 0x8016c6cc. Find the function containing that pc and disassemble it:

-> 0x8016c6cc
value = -2145990964 = 0x8016c6cc = excStub + 0x128
-> l excStub,200
excStub:
0x8016c5a4  afbdffec  sw     sp,-0x14(sp)   // sp of the interrupted code saved at (original sp - 20) = 0x4c31d434, value 0x4c31d448
0x8016c5a8  27bdff40  addiu  sp,sp,-192     // caller's (interrupted code's) sp = sp + 192 = 0x4c31d448
0x8016c5ac  afa1003c  sw     at,0x3c(sp)
0x8016c5b0  afa20040  sw     v0,0x40(sp)
0x8016c5b4  401b4000  mfc0   k1,badvaddr
0x8016c5b8  00000000  nop
0x8016c5bc  401a7000  mfc0   k0,epc
0x8016c5c0  00000000  nop
0x8016c5c4  00000040  ssnop
0x8016c5c8  00000040  ssnop
0x8016c5cc  afbb0020  sw     k1,0x20(sp)    // BADVADDR saved at sp + 32 = 0x4c31d3a8, value 0x00000035
0x8016c5d0  afba002c  sw     k0,0x2c(sp)    // EPC saved at sp + 44 = 0x4c31d3b4, value 0x80ad31f0
0x8016c5d4  40026800  mfc0   v0,cause
0x8016c5d8  00000000  nop
0x8016c5dc  401b6000  mfc0   k1,sr
0x8016c5e0  00000000  nop
0x8016c5e4  00000040  ssnop
0x8016c5e8  00000040  ssnop
0x8016c5ec  afa20014  sw     v0,0x14(sp)    // Cause saved at sp + 20
0x8016c5f0  3042007c  andi   v0,v0,0x7c     // exception code field
0x8016c5f4  afbb0028  sw     k1,0x28(sp)    // SR saved at sp + 40
0x8016c5f8  409b6000  mtc0   k1,sr
0x8016c5fc  2401fffd  li     at,-3
0x8016c600  0361d824  and    k1,k1,at       // clear EXL
0x8016c604  409b6000  mtc0   k1,sr
0x8016c608  00000040  ssnop
0x8016c60c  00000040  ssnop
0x8016c610  00000040  ssnop
0x8016c614  00000040  ssnop
0x8016c618  00000000  nop
0x8016c61c  00000812  mflo   at
0x8016c620  00000000  nop
0x8016c624  afa10030  sw     at,0x30(sp)
0x8016c628  00000000  nop
0x8016c62c  00000810  mfhi   at
0x8016c630  00000000  nop
0x8016c634  afa10034  sw     at,0x34(sp)
0x8016c638  afa00038  sw     zero,0x38(sp)  // register set starts at sp + 0x38, one word per register
0x8016c63c  afa000a4  sw     zero,0xa4(sp)
0x8016c640  afa30044  sw     v1,0x44(sp)
0x8016c644  afa40048  sw     a0,0x48(sp)    // a0 of the interrupted function saved at sp + 72 = 0x4c31d3d0, value 0x80ec45d0
0x8016c648  afa5004c  sw     a1,0x4c(sp)    // a1 saved at sp + 76 = 0x4c31d3d4, value 0x80ec45e4
0x8016c64c  afa60050  sw     a2,0x50(sp)    // a2 saved at sp + 80 = 0x4c31d3d8, value 0x000000aa
0x8016c650  afa70054  sw     a3,0x54(sp)    // a3 saved at sp + 84 = 0x4c31d3dc, value 0x00000000
0x8016c654  afa80058  sw     t0,0x58(sp)    // 1000fc01
0x8016c658  afa9005c  sw     t1,0x5c(sp)    // 1000fc00
0x8016c65c  afaa0060  sw     t2,0x60(sp)    // 00000004
0x8016c660  afab0064  sw     t3,0x64(sp)
0x8016c664  afac0068  sw     t4,0x68(sp)
0x8016c668  afad006c  sw     t5,0x6c(sp)
0x8016c66c  afae0070  sw     t6,0x70(sp)
0x8016c670  afaf0074  sw     t7,0x74(sp)
0x8016c674  afb80098  sw     t8,0x98(sp)
0x8016c678  afb9009c  sw     t9,0x9c(sp)
0x8016c67c  afb00078  sw     s0,0x78(sp)
0x8016c680  afb1007c  sw     s1,0x7c(sp)
0x8016c684  afb20080  sw     s2,0x80(sp)
0x8016c688  afb30084  sw     s3,0x84(sp)
0x8016c68c  afb40088  sw     s4,0x88(sp)
0x8016c690  afb5008c  sw     s5,0x8c(sp)
0x8016c694  afb60090  sw     s6,0x90(sp)
0x8016c698  afb70094  sw     s7,0x94(sp)
0x8016c69c  afbe00b0  sw     s8,0xb0(sp)    // s8 saved at sp + 176 = 0x4c31d438, value 0x00000001
0x8016c6a0  afbc00a8  sw     gp,0xa8(sp)
0x8016c6a4  afbf00b4  sw     ra,0xb4(sp)    // ra saved at sp + 180 = 0x4c31d43c, value 0x80ad31f0
0x8016c6a8  00022082  srl    a0,v0,2        // a0 = exception code (4: address error on load)
0x8016c6ac  03a02825  move   a1,sp          // a1 = ESF
0x8016c6b0  27a60028  addiu  a2,sp,0x28     // a2 = saved SR and register set
0x8016c6b4  3c088101  lui    t0,0x8101
0x8016c6b8  2508e610  addiu  t0,t0,-0x19f0
0x8016c6bc  00481021  addu   v0,v0,t0
0x8016c6c0  8c420000  lw     v0,0(v0)       // handler table entry for this exception code
0x8016c6c4  0040f809  jalr   v0             // -> unaligned_load_handler
0x8016c6c8  00000000  nop
0x8016c6cc  8fa20040  lw     v0,0x40(sp)    // return address seen in the frame above
0x8016c6d0  8fa30044  lw     v1,0x44(sp)
0x8016c6d4  8fa40048  lw     a0,0x48(sp)
0x8016c6d8  8fa5004c  lw     a1,0x4c(sp)
0x8016c6dc  8fa60050  lw     a2,0x50(sp)
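The frame derivation done by hand above (reading `addiu sp,sp,-N` and `sw ra/s8,off(sp)` from each prologue, treating bcopy as a leaf whose caller pc is the live ra, and treating the excStub frame specially, since its continuation is the saved EPC and the interrupted sp is the copy stored at original sp - 20) can be mechanised. The C program below is an added example; it is not part of the original write-up and not VxWorks code. The instruction words and the stack words are copied from the `l` and `d` output on this page (the excStub words are abridged to those the scan needs), the ESF slot offsets 0x2c and 0xac are read off the excStub listing, and the walk reproduces the chain 0x80159e30, 0x8016c6cc, 0x80ad31f0 with sp 0x4c31d328, 0x4c31d388, 0x4c31d448.

```c
/* Added example; not from the original write-up and not VxWorks code.  Automates the
 * frame derivation done by hand above for MIPS32 o32 code: scan a prologue for
 * "addiu sp,sp,-N" and "sw ra/s8,off(sp)" (no ra save => leaf, caller pc is the live
 * ra), then walk the stack image frame by frame.  Instruction and stack words are
 * copied from the page's `l` and `d` output; ESF offsets come from the excStub listing. */
#include <stdint.h>
#include <stddef.h>

#define REG_SP 29
#define REG_S8 30
#define REG_RA 31
#define ESF_EPC_OFF 0x2c   /* excStub: sw k0,0x2c(sp) -> EPC of the interrupted code */
#define ESF_SP_OFF  0xac   /* excStub: sw sp,-0x14(sp) before addiu sp,sp,-0xc0 => 0xc0-0x14 */

typedef struct { int is_leaf, frame_size, ra_off, s8_off; } frame_info_t;
typedef struct { const char *name; const uint32_t *words; size_t n; int exc_stub; } func_t;
typedef struct { uint32_t base; const uint32_t *words; size_t n; } stack_image_t;

static uint32_t op_of(uint32_t w)  { return w >> 26; }
static uint32_t rs_of(uint32_t w)  { return (w >> 21) & 0x1f; }
static uint32_t rt_of(uint32_t w)  { return (w >> 16) & 0x1f; }
static int32_t  imm_of(uint32_t w) { return (int16_t)(w & 0xffff); }

/* j/jal, the branch opcodes 4..7, or SPECIAL jr/jalr: the prologue is over there. */
static int is_control_transfer(uint32_t w)
{
    uint32_t op = op_of(w), fn = w & 0x3f;
    return op == 2 || op == 3 || (op >= 4 && op <= 7) || (op == 0 && (fn == 8 || fn == 9));
}

frame_info_t mips_prologue_info(const uint32_t *words, size_t n)
{
    frame_info_t fi = { 1, 0, -1, -1 };
    for (size_t i = 0; i < n && !is_control_transfer(words[i]); i++) {
        uint32_t w = words[i];
        if (op_of(w) == 0x09 && rs_of(w) == REG_SP && rt_of(w) == REG_SP && imm_of(w) < 0)
            fi.frame_size = -imm_of(w);                      /* addiu sp,sp,-N */
        else if (op_of(w) == 0x2b && rs_of(w) == REG_SP) {   /* sw rt,off(sp) */
            if (rt_of(w) == REG_RA) { fi.ra_off = imm_of(w); fi.is_leaf = 0; }
            if (rt_of(w) == REG_S8)   fi.s8_off = imm_of(w);
        }
    }
    return fi;
}

static uint32_t stk_read(const stack_image_t *s, uint32_t a) { return s->words[(a - s->base) / 4]; }

/* Walk outward from the innermost frame, consuming funcs[] in call order.  sp and ra
 * are the register values `ti` showed; each step yields the caller's pc and sp. */
size_t mips_unwind(const func_t *funcs, size_t nfuncs, const stack_image_t *stk,
                   uint32_t sp, uint32_t ra, uint32_t *pc_out, uint32_t *sp_out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < nfuncs && n < max; i++, n++) {
        frame_info_t fi = mips_prologue_info(funcs[i].words, funcs[i].n);
        if (funcs[i].exc_stub) {            /* exception frame: continue at the saved EPC */
            pc_out[n] = stk_read(stk, sp + ESF_EPC_OFF);
            sp_out[n] = stk_read(stk, sp + ESF_SP_OFF);
        } else if (fi.is_leaf) {            /* nothing saved: ra is still live */
            pc_out[n] = ra;
            sp_out[n] = sp;
        } else {
            pc_out[n] = stk_read(stk, sp + (uint32_t)fi.ra_off);
            sp_out[n] = sp + (uint32_t)fi.frame_size;
        }
        sp = sp_out[n];
    }
    return n;
}

/* Data copied from the page: prologue words from `l`, stack words from `d 0x4c31d328`. */
static const uint32_t bcopy_words[]   = { 0x00a41023, 0x18400003, 0x0046082a };
static const uint32_t ulh_words[]     = { 0x27bdffa0, 0xafbf005c, 0xafbe0058, 0x03a0f025,
                                          0xafc40060, 0xafc50064, 0xafc60068, 0x8fc20064 };
static const uint32_t excstub_words[] = { 0xafbdffec, 0x27bdff40, 0xafa1003c, 0xafa20040,
                                          0xafbe00b0, 0xafbc00a8, 0xafbf00b4 };
static const uint32_t stack_words[] = {   /* 0x4c31d328 .. 0x4c31d44c, 74 words */
    0x00000004, 0x4c31d388,
    0x4c31d3b0, 0x80ad31f0, 0x00000000, 0x4c31d34c, 0x4c31d368, 0x00000000, 0x80ad31f0, 0x80ad31f4,
    0x00000001, 0x00000035, 0x8fc20034, 0x00000000, 0x0000001e, 0x00000002, 0x00000000, 0x00000000,
    0x00000000, 0x00000001, 0x00000001, 0x00000003, 0x00000001, 0x8016c6cc, 0x00000004, 0x4c31d388,
    0x4c31d3b0, 0x0000000c, 0x00002cd0, 0x00000010, 0x4c31d438, 0x00000000, 0x00000035, 0x00000000,
    0x1000fc03, 0x80ad31f0, 0x00000038, 0x00000000, 0x00000000, 0x00031000, 0x00000000, 0x00000000,
    0x80ec45d0, 0x80ec45e4, 0x000000aa, 0x00000000, 0x1000fc01, 0x1000fc00, 0x00000004, 0x00000000,
    0x00000000, 0x00000020, 0x000006c8, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000050, 0x00000002, 0x00000000,
    0x813a1640, 0x4c31d448, 0x00000001, 0x80ad31f0, 0x00000001, 0x80ad31f0, 0x00000000, 0x00000000,
};

size_t unwind_page_case(uint32_t *pc_out, uint32_t *sp_out, size_t max)
{
    const func_t chain[] = {
        { "bcopy",                  bcopy_words,   3, 0 },
        { "unaligned_load_handler", ulh_words,     8, 0 },
        { "excStub",                excstub_words, 7, 1 },
    };
    const stack_image_t stk = { 0x4c31d328u, stack_words, sizeof stack_words / sizeof stack_words[0] };
    return mips_unwind(chain, 3, &stk, 0x4c31d328u, 0x80159e30u, pc_out, sp_out, max);
}
```

The scan stops at the first control transfer because gcc emits the whole frame setup before any branch; that is also why a function with no `sw ra` before its first branch can be trusted to be a leaf. The excStub case is the one a generic unwinder gets wrong: its saved "ra" is the interrupted code's ra, not a return address into excStub's caller, so the only correct continuation is the EPC in the ESF.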
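The path through unaligned_load_handler is worth modelling, because it explains why the task is suspended inside bcopy rather than at the real fault. The listing fetches the word at EPC (the first bcopy), extracts rs, rt and imm16, forms EA = regs[rs] + imm16, hands EA straight to bcopy for 2 or 4 bytes (the calls at 0x80159ddc, 0x80159e28 and 0x80159e74), stores the result into the register set slot for rt and updates EPC. Nothing between computing EA and calling bcopy checks that EA is a plausible address, so a wild base register (s8 = 1 here) makes the fixup itself fault. The C program below is an added example, not VxWorks code: a user-space model of that path with the missing range check. The guest memory is constructed, placed at a hypothetical base 0x80ad0000 so that the page's EPC 0x80ad31f0 lies inside it, and holds the page's faulting instruction word 0x8fc20034 (lw v0,0x34(s8)) at that EPC plus a known 4-byte pattern at the odd address 0x80ad8035. The branch-delay-slot case (the real code adds 4 to the fetch address when Cause.BD is set and obtains the resume address from the call at 0x80159c88) is not modelled.

```c
/* Added example (not VxWorks code): user-space model of the unaligned-load fixup path
 * seen in the unaligned_load_handler listing, plus the range check that path lacks.
 * Guest addresses are 32-bit; guest_mem_t maps [base, base+size) onto a host byte
 * array holding big-endian data, like the target. */
#include <stdint.h>
#include <string.h>

#define GUEST_BASE 0x80ad0000u   /* hypothetical, chosen so the page's EPC lies inside */
#define GUEST_SIZE 0x10000u

enum { OP_LH = 0x21, OP_LW = 0x23, OP_LHU = 0x25 };
enum { FIX_OK = 0, FIX_BAD_ADDR = -1, FIX_UNSUPPORTED = -2 };

typedef struct {
    uint32_t regs[32];   /* register set as excStub saved it; index 30 is s8 */
    uint32_t epc;
    int      bd;         /* Cause.BD */
} esf_model_t;

typedef struct { uint32_t base; uint8_t *mem; uint32_t size; } guest_mem_t;

/* Translate a guest address range to a host pointer, or NULL if it falls outside the
 * guest region.  This is the check the real handler does not perform before bcopy. */
static const uint8_t *guest_ptr(const guest_mem_t *gm, uint32_t addr, uint32_t len)
{
    if (addr < gm->base || addr - gm->base > gm->size - len) return NULL;
    return gm->mem + (addr - gm->base);
}

static uint32_t be_load(const uint8_t *p, uint32_t n)
{
    uint32_t v = 0;
    for (uint32_t i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

int fixup_unaligned_load(esf_model_t *esf, const guest_mem_t *gm)
{
    if (esf->bd) return FIX_UNSUPPORTED;                    /* delay-slot case not modelled */
    const uint8_t *ip = (esf->epc & 3) ? NULL : guest_ptr(gm, esf->epc, 4);
    if (!ip) return FIX_BAD_ADDR;
    uint32_t insn = be_load(ip, 4);                          /* first bcopy: the word at EPC */
    uint32_t op = insn >> 26, rs = (insn >> 21) & 0x1f, rt = (insn >> 16) & 0x1f;
    int32_t  imm = (int16_t)(insn & 0xffff);
    uint32_t width;
    switch (op) {
    case OP_LW:              width = 4; break;
    case OP_LH: case OP_LHU: width = 2; break;
    default:                 return FIX_UNSUPPORTED;         /* real code: jump table on opcode-32 */
    }
    uint32_t ea = esf->regs[rs] + (uint32_t)imm;             /* EA = regs[rs] + imm16 */
    const uint8_t *dp = guest_ptr(gm, ea, width);            /* added check; real code: bcopy(ea, &tmp, width) */
    if (!dp) return FIX_BAD_ADDR;
    uint32_t v = be_load(dp, width);
    if (op == OP_LH) v = (uint32_t)(int32_t)(int16_t)v;     /* lh sign-extends, lhu does not */
    if (rt != 0) esf->regs[rt] = v;                          /* register-set slot for rt; $zero stays zero */
    esf->epc += 4;                                           /* resume after the emulated load */
    return FIX_OK;
}

/* Driver with constructed guest memory: the page's faulting word 0x8fc20034
 * (lw v0,0x34(s8)) at EPC 0x80ad31f0 and the pattern 11 22 33 44 at the odd address
 * 0x80ad8035.  s8 is the caller's choice: a sane frame pointer (0x80ad8001) or the
 * clobbered value 1 that the ESF on this page recorded. */
static uint8_t g_guest[GUEST_SIZE];

int run_fixup_case(uint32_t s8_value, uint32_t *v0_out, uint32_t *epc_out)
{
    static const uint8_t insn[4] = { 0x8f, 0xc2, 0x00, 0x34 };
    static const uint8_t data[4] = { 0x11, 0x22, 0x33, 0x44 };
    memset(g_guest, 0, sizeof g_guest);
    memcpy(g_guest + (0x80ad31f0u - GUEST_BASE), insn, 4);
    memcpy(g_guest + (0x80ad8035u - GUEST_BASE), data, 4);
    guest_mem_t gm = { GUEST_BASE, g_guest, GUEST_SIZE };
    esf_model_t esf;
    memset(&esf, 0, sizeof esf);
    esf.epc = 0x80ad31f0u;
    esf.regs[30] = s8_value;
    int rc = fixup_unaligned_load(&esf, &gm);
    *v0_out = esf.regs[2];
    *epc_out = esf.epc;
    return rc;
}
```

With a sane s8 the model does what the handler is for: the unaligned lw is emulated, v0 receives 0x11223344 and EPC advances past the instruction. With s8 = 1 the model rejects EA = 0x35 and leaves the frame untouched, which is the point at which the real handler instead calls bcopy and takes the second exception that left the task suspended.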
