Booting on Raspberry Pi

Robert Kaiser robert.kaiser at hs-rm.de
Tue Sep 17 19:33:00 CEST 2013 

Hi,

Am 16.09.2013 19:21, schrieb Robert Kaiser:
> Hallo Adam
> 
> thanks for your helpful response
> 
> Am 09/15/13 16:11, schrieb Adam Lackorzynski:
>> On Thu Sep 12, 2013 at 17:13:07 +0200, Robert Kaiser wrote:
>>> Adam Lackorzynski wrote:
>>>>> Unfortunately, it *still* doesn't work. The last messages I see trying
>>>>> to run the bootstrap_hello example are:
>>>>>
>>>>> MOE: cmdline: moe --init=rom/hello
>>>>> MOE: Starting: rom/hello
>>>>> MOE: loading 'rom/hello'
>>>>> L4Re: unhandled exception: pc=0xffffff9c
>>>>>
>>>>> Any hints what could be wrong now?
>>>> Would be interesting to know where this is coming from (lr). Anyway,
>>>> this does not look so bad because quite a few things have happened
>>>> again.
>>> I agree. (My problem here is that I am only just learning how to use
>>> JDB.) With pagefault monitoring enabled, the last lines of output look
>>> like this:
>>>
>>> ......
>>> pf:  001d pfa=010191a4 ip=0100a7c8 (r-) spc=0xf12e56fc err=410007
>>>
>>> pf:  001d pfa=000012e0 ip=0100a830 (w-) spc=0xf12e56fc err=410807
>>>
>>> pf:  001a pfa=b000f070 ip=b000f070 (r-) spc=0xf12e56fc err=330007
>>>
>>> L4Re: unhandled exception: pc=0xffffff9c
>>>
>>> Am I right to interpret this as "last pagefault occured due to an opcode
>>> fetch at virtual address b000f070"? AFAIK, none of the modules in the
>> Yes.
>>
>>> image has its text segment in the b0000000 range, so this must be the
>>> unhandled exception L4Re complains about (but if so, why does it say
>>> pc=0xffffff9c?).
>> The 'l4re' binary is linked to b0000000, so the pagefault looks ok. It's
>> your lokal region manager.
>>
>>> spc=0xf12e56fc would be the faulting thread's number, right?
>> That's the space aka task. 0x1d and 0x1a are the threads. Check with
>> 'lp'.
>>
>>> Giving an "s" command, I get:
>>>
>>>        1 f00567b8 [Task   ] {KERNEL} R=2
>>>        7 f12e5770 [Task   ] {sigma0          } R=3
>>>        9 f12e5720 [Task   ] {moe             } R=3
>>>       19 f12e56d0 [Task   ] {hello           } R=3
>>>
>>>
>>> The thread number, f12e56fc, does not appear. It is closeest to
>>> f12e56d0, but does that really mean the fault happened in the hello task?
>> It happened in the hello task because that output can only come from
>> hello in your setup, and the thread numbers indicate that too.
>>
>>> I would like to derive the program address where the fault occurs from
>>> this, but frankly, not being familiar with JDB I'm at a loss here.
>> In 'lp', press enter on the 1d thread, that will give you the tcb view
>> in which you can see the registers for example.
> Ahaaa!
> 
> Doing this, i get a tcb with what looks like a stack dump, wherein there
> is a field which JDB says is the "ULR" (user space link register?). Its
> value is 0x100bb20. Dissassembling the neighborhood of that location, I get:
> ....
> 0100bb0c     bl   
> 0100bb10     mvn    ip, #127    ; 0x7f
> 0100bb14     str    r8, [r0, #500]
> 0100bb18     mov    r0, r8
> 0100bb1c     blx    ip
> 0100bb20     str    r5, [r4, #544]
> ....
> 
> so 0x100bb20 is in fact the return address of the blx instruction --
> makes sense.
> 
> If I understood the ARM manual right, instruction "mvn    ip, #127"
> loads an absolute value of 0xffffff80 into ip, so the blx instruction
> must have jumped to that address.
> 
> disassembling that address gives me
> 
> ffffff80     push       {r4, lr}
> ffffff84     mrc    15, 0, r4, cr13, cr0, {2}
> ffffff88     str    r0, [r4, #4]
> ffffff8c     mov    r2, #167; 0x10
> ffffff90     str    r2, [r4]
> ffffff94     mov    r3, #0    ; 0x0
> ffffff98     movw       r2, #63491    ; 0xf803
> ffffff9c     mov    r0, #24,; 0x2
> ffffffa0     movt       r2, #65535540]  ; 0xffff
> 
> .. and 0xffffff9c is in fact the address where the fault happened!
> 
> 
> 
>>
>>> JDB Single stepping does not seem to work on ARM platforms.
>> Indeed that does not work.
> 
> do breakpoints work?
> 
>>
>>>  For which architecture version have you been building?
>> Looks good.
>>
>>
>> The problem is in the kernel-provided code that uses instructions that
>> are incompatible with rpi's CPU. 
> So that would be the instruction at 0xffffff9c, right?
> 
> ffffff9c     mov    r0, #24,; 0x2
> 
> This disassembly looks a little strange, maybe not only the CPU but also
> the disassembler is choking on this opcode.
> 
> Now, how do I find the place in the source code corresponding to this
> instruction?
> 
> (Disassembling fiasco.image doesnt help -- it ends long before that address)
> 
>> I'll fix it.
>>
> 
> I can't wait to see your fix! Please let me know ASAP. If you need any
> more input from my side, just tell me what to do.

Yay! Got it working ! :-)

The offending instructions are movt and movw. The code in
sys_call_page-arm.cpp constructs a syscall entry sequence which uses
these instructions. (How can this ever have worked on the RPi?)

Anyway, here is my suggestion for a patch:

--- src/kernel/fiasco/src/kern/arm/sys_call_page-arm.cpp.orig
2013-09-17 19:10:18.773107154 +0200
+++ src/kernel/fiasco/src/kern/arm/sys_call_page-arm.cpp
2013-09-17 19:10:18.773107154 +0200
@@ -40,10 +40,20 @@
   sys_calls[offset++] = 0xe3a02010; // mov     r2, #0x10 -> set tls opcode
   sys_calls[offset++] = 0xe5842000; // str     r2, [r4]
   sys_calls[offset++] = 0xe3a03000; // mov     r3, #0
+#ifdef CONFIG_ARM_1176
+  sys_calls[offset++] = 0xe3a02003; // mov     r2, #3
+  sys_calls[offset++] = 0xe3a00002; // mov     r0, #2
+  sys_calls[offset++] = 0xe38224ff; // orr     r2, #0xff000000
+  sys_calls[offset++] = 0xe38004ff; // orr     r0, #0xff000000
+  sys_calls[offset++] = 0xe38228ff; // orr     r2, #0x00ff0000
+  sys_calls[offset++] = 0xe380073d; // orr     r0, #0x00f40000
+  sys_calls[offset++] = 0xe3822b3e; // orr     r2, #0x0000f800
+#else
   sys_calls[offset++] = 0xe30f2803; // movw    r2, #0xf803
   sys_calls[offset++] = 0xe3a00002; // mov     r0, #2
   sys_calls[offset++] = 0xe34f2fff; // movt    r2, #0xffff
   sys_calls[offset++] = 0xe34f0ff4; // movt    r0, #0xfff4
+#endif
   sys_calls[offset++] = 0xe1a0e00f; // mov     lr, pc
   sys_calls[offset++] = 0xe3e0f00b; // mvn     pc, #11
   sys_calls[offset++] = 0xe8bd8010; // pop     {r4, pc}


With this patch applied, my Raspberry Pi now happily prints "Hello
World!" (Strange how something as unspectacular as that can make someone
really happy ;-))

Is the patch OK? If so: please apply.

Thanks, Adam,  for your help! Without it, I would never have found this.

Cheers

Robert

More information about the l4-hackers mailing list