Dump call stack on TA panic #1858
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jforissier
changed the title
|
Replaces #1834. |
|
|
|
|
|
|
| FUNC utee_panic, : | ||
| UNWIND( .fnstart) | ||
| adr r11, . | ||
| push {r0-r11, lr} |
There was a problem hiding this comment.
Why not push pc instead of passing it via r11? There's also the risk that the original value of r11 is needed for stack unwinding.
| END_FUNC \name | ||
| .endm | ||
|
|
||
| FUNC utee_panic, : | ||
| UNWIND( .fnstart) | ||
| push {pc} |
There was a problem hiding this comment.
This could be merged with the instruction below.
There was a problem hiding this comment.
And I forgot .save {pc}! But it won't work if I do. In fact, as soon as I push pc (on its own or as part of the reg list) and add the proper .save pseudo-op(s), unwind crashes and I don't understand why. With this:
FUNC utee_panic, :
UNWIND( .fnstart)
push {r0-r11, lr, pc}
UNWIND( .save {r0-r11, lr, pc})
mov r1, sp
bl __utee_panic
/* Not reached */
UNWIND( .fnend)
END_FUNC utee_panic
...I get this:
ERROR: [0x0] TEE-CORE: TA panicked with code 0xbeef
DEBUG: [0x0] TEE-CORE:get_panic_regs_a32_ta:270: pc=0x0x1227dc
ERROR: [0x0] TEE-CORE: Status of TA 5b9e0e40-2636-11e1-ad9e-0002a5d5c51b (0xe077c18) (active)
ERROR: [0x0] TEE-CORE: arch: arm load address: 0x103000 ctx-idr: 1
ERROR: [0x0] TEE-CORE: stack: 0x100000 10240
ERROR: [0x0] TEE-CORE: region 0: va 0x100000 pa 0xe41e000 size 0x3000 flags rw-
ERROR: [0x0] TEE-CORE: region 1: va 0x103000 pa 0xe300000 size 0x2d000 flags r-x .ta_head .text .rodata
ERROR: [0x0] TEE-CORE: region 2: va 0x130000 pa 0xe32d000 size 0xb000 flags r-- .rodata .ARM.extab .ARM.extab.text.__aeabi_ldivmod .ARM.extab.text.__aeabi_uldivmod .ARM.exidx .got .dynsym .rel.got .dynamic .dynstr .hash .rel.dyn
ERROR: [0x0] TEE-CORE: region 3: va 0x13b000 pa 0xe338000 size 0xe6000 flags rw- .data .bss
ERROR: [0x0] TEE-CORE: region 4: va 0 pa 0 size 0 flags ---
ERROR: [0x0] TEE-CORE: region 5: va 0 pa 0 size 0 flags ---
ERROR: [0x0] TEE-CORE: region 6: va 0 pa 0 size 0 flags ---
ERROR: [0x0] TEE-CORE: region 7: va 0 pa 0 size 0 flags ---
ERROR: [0x0] TEE-CORE: Call stack:
ERROR: [0x0] TEE-CORE: 0x001227dc utee_panic at optee_os/lib/libutee/arch/arm/utee_syscalls_a32.S:72
ERROR: [0x0] TEE-CORE: 0x001227dc utee_panic at optee_os/lib/libutee/arch/arm/utee_syscalls_a32.S:72
ERROR: [0x0] TEE-CORE: 0x00000006 ???
ERROR: [0x0] TEE-CORE:
ERROR: [0x0] TEE-CORE: Core data-abort at address 0x12202c8 (translation fault)
ERROR: [0x0] TEE-CORE: fsr 0x00000005 ttbr0 0x0e07e06a ttbr1 0x0e07806a cidr 0x1
ERROR: [0x0] TEE-CORE: cpu #0 cpsr 0x20000033
ERROR: [0x0] TEE-CORE: r0 0x00000008 r4 0x00138b94 r8 0x0e083c18 r12 0x0a7898f0
ERROR: [0x0] TEE-CORE: r1 0x00138b90 r5 0x0012276f r9 0x0e002d80 sp 0x0e0839f0
ERROR: [0x0] TEE-CORE: r2 0x012202cc r6 0x00000000 r10 0x00000000 lr 0x0e017287
ERROR: [0x0] TEE-CORE: r3 0x012202c8 r7 0x0e0839f8 r11 0x00000000 pc 0x0e0172c8
ERROR: [0x0] TEE-CORE: Call stack:
ERROR: [0x0] TEE-CORE: 0x0e0172c8 unwind_exec_insn at optee_os/core/arch/arm/kernel/unwind_arm32.c:200
ERROR: [0x0] TEE-CORE: 0x0e017573 unwind_tab at optee_os/core/arch/arm/kernel/unwind_arm32.c:302
ERROR: [0x0] TEE-CORE: 0x0e017645 unwind_stack_arm32 at optee_os/core/arch/arm/kernel/unwind_arm32.c:349
ERROR: [0x0] TEE-CORE: 0x0e0176d9 print_stack_arm32 at optee_os/core/arch/arm/kernel/unwind_arm32.c:368 (discriminator 1)
ERROR: [0x0] TEE-CORE: 0x0e0146d9 __print_stack_unwind_arm32 at optee_os/core/arch/arm/kernel/abort.c:119
ERROR: [0x0] TEE-CORE: 0x0e014a0b __abort_print at optee_os/core/arch/arm/kernel/abort.c:357
ERROR: [0x0] TEE-CORE: 0x0e014a51 abort_print_error at optee_os/core/arch/arm/kernel/abort.c:370
ERROR: [0x0] TEE-CORE: 0x0e01e2bb print_panic_stack at optee_os/core/arch/arm/tee/arch_svc.c:284
ERROR: [0x0] TEE-CORE: 0x0e01e323 tee_svc_sys_return_helper at optee_os/core/arch/arm/tee/arch_svc.c:300
ERROR: [0x0] TEE-CORE: 0x0e002d68 tee_svc_do_call at optee_os/core/arch/arm/tee/arch_svc_a32.S:82
ERROR: [0x0] TEE-CORE: Panic 'unhandled pageable abort' at core/arch/arm/kernel/abort.c:685 <abort_handler>
ERROR: [0x0] TEE-CORE: Call stack:
ERROR: [0x0] TEE-CORE: 0x0e0176e9 print_kernel_stack at optee_os/core/arch/arm/kernel/unwind_arm32.c:376
ERROR: [0x0] TEE-CORE: 0x0e026997 __do_panic at optee_os/core/kernel/panic.c:54 (discriminator 1)
ERROR: [0x0] TEE-CORE: 0x0e014e1d abort_handler at optee_os/core/arch/arm/kernel/abort.c:686
ERROR: [0x0] TEE-CORE: 0x0e001640 .thread_abort_generic at optee_os/core/arch/arm/kernel/thread_a32.S:775
There was a problem hiding this comment.
What if you do:
push {r0-r11, lr}
UNWIND( .save {r0-r11, lr})
mov lr, pc
push {lr}
UNWIND( .save {lr})
If that doesn't work you could go back to the original code, but use r12 instead of r11 to pass the value of pc.
There was a problem hiding this comment.
Both work. Updated with your first suggestion.
|
|
$(platform-aflags-generic) is used only in $(core-platform-aflags), not in $(ta_arm32-platform-aflags) or $(ta_arm64-platform-aflags). As a result, only the TEE core is built with -g. The user-mode libraries are not. Fix this so that symbolize.py can correctly find file and line information when it encounters an assembler file in a call stack. Signed-off-by: Jerome Forissier <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
It is currently not possible to unwind a call stack from within a syscall wrapper, that is the utee_xxx() functions such as utee_panic() for instance. That is because the assembler macro that defines the utee_ functions lacks the proper .fnstart/.save/.fnend pseudo-ops. Add them. Signed-off-by: Jerome Forissier <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Adds support for dumping the call stack of a user-mode TA when it panics. Stack unwinding happens in kernel mode by re-using abort_print_error() in core/arch/arm/kernel/abort.c. Like for abort dumps, the helper script scripts/symbolize.py may be used to obtain source-level information. This feature is enabled by default. Set CFG_UNWIND=n to disable it (or CFG_TEE_CORE_DEBUG=n). In libutee, the utee_panic() syscall wrapper is renamed __utee_panic() and now takes an additional parameters: a stack pointer, in addition to the panic code. utee_panic() is written in assembly and pushes some registers onto the stack before calling __utee_panic(). When it is time to return from syscall_panic(), tee_svc_sys_return_helper() uses the stack pointer to get the information needed to unwind the TA stack. A struct abort_info is created and abort_print_error() is called. Signed-off-by: Jerome Forissier <[email protected]> Reviewed-by: Jens Wiklander <[email protected]> Tested-by: Jerome Forissier <[email protected]> (QEMU) Tested-by: Jerome Forissier <[email protected]> (HiKey 32/64) Tested-by: Jerome Forissier <[email protected]> (QEMUv8)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.