From owner-freebsd-hackers@freebsd.org Sat Jul 1 01:50:44 2017
Subject: Re: head -r320482 vs. TARGET_ARCH=powerpc production style kernel: jumps to non-code and traps (involves ->sol_upcall pointing to ->so_rdsel) bugzilla 220404
From: Mark Millard
In-Reply-To: <1F24D891-4D11-4623-8183-7F95D9637FB2@dsl-only.net>
Date: Fri, 30 Jun 2017 18:50:40 -0700
Cc: Justin Hibbits, Nathan Whitehorn
Message-Id: <3C743FFC-2E40-4077-988C-8C4BFBA7556B@dsl-only.net>
References: <1F24D891-4D11-4623-8183-7F95D9637FB2@dsl-only.net>
To: glebius@FreeBSD.org, FreeBSD PowerPC ML, FreeBSD Current, freebsd-hackers@freebsd.org
List-Id: Technical Discussions relating to FreeBSD

[It looks like the 2 anonymous structs in the union in the new
"struct socket" are being abused such that the ->sol_upcall from
the 2nd struct is being accessed when it has a value that was
apparently assigned via ->so_rcv->sb_sel. Details follow, added to
prior notes that I sent out. I've submitted bugzilla 220404 for this.
The new detailed material is interlaced with earlier material that
I'd sent out.]

On 2017-Jun-30, at 2:07 AM, Mark Millard wrote:

> The -r320482 kernel build is via gcc 4.2.1.
> Both gcc 4.2.1 and clang based worlds show
> the same problems. TARGET_ARCH=powerpc64
> is not showing the problems.
>
> The production kernel build fails
> but the debug works --each built
> from the same /usr/src/ tree.
>
> I'll note what a normal boot does
> before getting to the login prompt but
> after "Starting nfsd." ("Updating motd:"
> can be mixed in the trap text: not shown
> below.)
>
> I use an example and note a lot about what
> varies and what stays the same from example
> boot to example boot of the production
> kernel.
>
> [Manually entered from camera pictures
> of the screen.]
>
> fatal kernel trap
> exception = 0x700 (program) (for "illegal instruction")
> srr0 = 0x70bf878 (note: this varies, for example: 0x5e37230)
> (note: r0 always matches srr0)
> (note: ctr always matches srr0)
> srr1 = 0x89032 (stays the same)
> lr = 0x5b7b94 (note: solisten_wakeup+0x4c) (stays the same)
> curthread = 0x5ab8ae0 (varies)
> pid = 920 (varies), comm = mountd (stays the same)
>
> Tracing command mountd pid 920 tid 100119 (varies) td 0x5ab8ae0 (varies)(CPU 1)
> (stack addr range varies)
> 0xd250a500: at soisconnected+0x21c (at stays the same)
> 0xd250a540: at unp_connect2+0xf0 (at stays the same)
> 0xd250a560: at unp_connectat+0x658 (at stays the same)
> 0xd250a770: at unp_connect+0x2c (at stays the same)
> 0xd250a790: at uipc_connect+0xc0 (at stays the same)
> 0xd250a7d0: at soconnectat+0xa0 (at stays the same)
> 0xd250a800: at soconnect+0x2c (at stays the same)
> 0xd250a820: at kern_connect+0134 (at stays the same)
> 0xd250a870: at sys_connect+0x64 (at stays the same)
> 0xd250a8b0: at trap+0x638 (at stays the same)
> 0xd250aa50: at powerpc_interrupt+0x1a0 (at stays the same)
> 0xd250aa80: at user SC trap (at stays the same)
> by 0x419db168 (stays the same)
> srr1=0xf032 (stays the same)
> r1 =0xffffd5e0 (stays the same)
> cr =0x24440840 (stays the same)
> xer =0x20000000 (stays the same)
> ctr =0x419db160 (stays the same)
>
> (these are objdump reported addresses)
> 005b7b48 stwu r1,-32(r1)
> 005b7b4c mflr r0
> 005b7b50 stw r29,20(r1)
> 005b7b54 stw r30,24(r1)
> 005b7b58 stw r31,28(r1)
> 005b7b5c stw r0,36(r1)
> 005b7b60 mr r31,r1
> 005b7b64 bcl- 20,4*cr7+so,005b7b68
> 005b7b68 mflr r30
> 005b7b6c lwz r0,-36(r30)
> 005b7b70 add r30,r0,r30
> 005b7b74 mr r29,r3
> 005b7b78 lwz r0,232(r3)
> 005b7b7c cmpwi cr7,r0,0
> 005b7b80 beq- cr7,005b7b98
> 005b7b84 lwz r4,236(r3)
> 005b7b88 li r5,1
> 005b7b8c mtctr r0
> 005b7b90 bctrl
> lr:
> 005b7b94 b 005b7bb4
> . . .
>
> Apparently this means that sol->sol_upcall is not
> pointing to code at all yet is not null. Given the
> variability observed, it might be uninitialized
> --or sol itself is junk. . .

Note: r3 reported as: 0x70bf860

void
solisten_wakeup(struct socket *sol)
{

        if (sol->sol_upcall != NULL)
                (void )sol->sol_upcall(sol, sol->sol_upcallarg, M_NOWAIT);
        else {
                selwakeuppri(&sol->so_rdsel, PSOCK);
                KNOTE_LOCKED(&sol->so_rdsel.si_note, 0);
        }
        SOLISTEN_UNLOCK(sol);
        wakeup_one(&sol->sol_comp);
}

(kgdb) print/x &((struct socket*)0x70bf860)->sol_upcall
$3 = 0x70bf948
(kgdb) print/x ((struct socket*)0x70bf860)->sol_upcall
$2 = 0x70bf878
(kgdb) print/x &((struct socket*)0x70bf860)->so_rdsel
$7 = 0x70bf878
(kgdb) print/x &((struct socket*)0x70bf860)->so_rdsel.si_tdlist
$8 = 0x70bf878
(kgdb) print/x &((struct socket*)0x70bf860)->so_rdsel.si_tdlist.tqh_first
$9 = 0x70bf878

But comparing to the first anonymous struct in the union in the new
"struct socket":

(kgdb) print/x &((struct socket*)0x70bf860)->sol_upcall
$15 = 0x70bf948
(kgdb) print/x &((struct socket*)0x70bf860)->so_rcv->sb_sel
$22 = 0x70bf948

->so_rcv is a struct sockbuf and ->so_rcv->sb_sel is a struct selinfo* .
So pointing back to ->so_rdsel might well make sense.

The rest is just supporting notes from things that I looked at
before isolating the above relationship.

(these are kgdb reported addresses, not vmcore.5 file offsets)
0x70bf860: 0x00c4a0b4 0x01430000 0x00000000 0x00000000
. . .
0x70bf940: 0x00000000 0x00000000 0x070bf878 0x00000000

but:

0x70bf870: 0x05ab8ae0 0x00000002 0x07271f80 0x07271f84

(kgdb) print/x *((struct socket*)0x70bf860)
$4 = {so_lock = {lock_object = {lo_name = 0xc4a0b4, lo_flags = 0x1430000, lo_data = 0x0, lo_witness = 0x0}, mtx_lock = 0x5ab8ae0},
  so_count = 0x2,
  so_rdsel = {si_tdlist = {tqh_first = 0x7271f80, tqh_last = 0x7271f84}, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0x5b6e84, kl_unlock = 0x5b6c64, kl_assert_locked = 0x5b65d4, kl_assert_unlocked = 0x5b65f0, kl_lockarg = 0x70bf860, kl_autodestroy = 0x0}, si_mtx = 0x5ab01f0},
  so_wrsel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0x5b6d64, kl_unlock = 0x5b6b64, kl_assert_locked = 0x5b660c, kl_assert_unlocked = 0x5b6628, kl_lockarg = 0x70bf860, kl_autodestroy = 0x0}, si_mtx = 0x0},
  so_type = 0x1, so_options = 0x2, so_linger = 0x0, so_state = 0x0, so_pcb = 0x70b08a0, so_vnet = 0x0, so_proto = 0xd03060, so_timeo = 0x0, so_error = 0x0, so_sigio = 0x0, so_cred = 0x5b2e600, so_label = 0x0, so_gencnt = 0x1285, so_emuldata = 0x0,
  osd = {osd_nslots = 0x0, osd_slots = 0x0, osd_next = {le_next = 0x0, le_prev = 0x0}},
  so_fibnum = 0x0, so_user_cookie = 0x0, so_ts_clock = 0x0, so_max_pacing_rate = 0x0,
  {{so_rcv = {sb_mtx = {lock_object = {lo_name = 0x0, lo_flags = 0x70bf920, lo_data = 0x5d17860, lo_witness = 0x5d17a60}, mtx_lock = 0x1}, sb_sx = {lock_object = {lo_name = 0x0, lo_flags = 0x80, lo_data = 0x0, lo_witness = 0x0}, sx_lock = 0x0},
      sb_sel = 0x70bf878, sb_state = 0x0, sb_mb = 0x1, sb_mbtail = 0x800, sb_lastrecord = 0x2000, sb_sndptr = 0x2000, sb_fnrdy = 0x0, sb_sndptroff = 0x0, sb_acc = 0x0, sb_ccc = 0x0, sb_hiwat = 0x0, sb_mbcnt = 0x0, sb_mcnt = 0x0, sb_ccnt = 0x0, sb_mbmax = 0x0, sb_ctl = 0x0, sb_lowat = 0x1, sb_timeo = 0x0, sb_flags = 0x0, sb_upcall = 0x0, sb_upcallarg = 0x0,
      sb_aiojobq = {tqh_first = 0x0, tqh_last = 0x70bf9a4}, sb_aiotask = {ta_link = {stqe_next = 0x0}, ta_pending = 0x0, ta_priority = 0x0, ta_func = 0x58eeb4, ta_context = 0x70bf860}},
    so_snd = {sb_mtx = {lock_object = {lo_name = 0xc588cc, lo_flags = 0x1020000, lo_data = 0x0, lo_witness = 0x0}, mtx_lock = 0x6}, sb_sx = {lock_object = {lo_name = 0xc58efc, lo_flags = 0x2320000, lo_data = 0x0, lo_witness = 0x0}, sx_lock = 0x6},
      sb_sel = 0x70bf8a0, sb_state = 0x0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0, sb_sndptroff = 0x0, sb_acc = 0x0, sb_ccc = 0x0, sb_hiwat = 0x0, sb_mbcnt = 0x0, sb_mcnt = 0x0, sb_ccnt = 0x0, sb_mbmax = 0x0, sb_ctl = 0x0, sb_lowat = 0x800, sb_timeo = 0x0, sb_flags = 0x0, sb_upcall = 0x0, sb_upcallarg = 0x0,
      sb_aiojobq = {tqh_first = 0x0, tqh_last = 0x70bfa44}, sb_aiotask = {ta_link = {stqe_next = 0x0}, ta_pending = 0x0, ta_priority = 0x0, ta_func = 0x58ee80, ta_context = 0x70bf860}},
    so_list = {tqe_next = 0x0, tqe_prev = 0x0}, so_listen = 0x0, so_qstate = 0x0, so_peerlabel = 0x0, so_oobmark = 0x0},
   {sol_incomp = {tqh_first = 0x0, tqh_last = 0x70bf920}, sol_comp = {tqh_first = 0x5d17860, tqh_last = 0x5d17a60}, sol_qlen = 0x1, sol_incqlen = 0x0, sol_qlimit = 0x80, sol_accept_filter = 0x0, sol_accept_filter_arg = 0x0, sol_accept_filter_str = 0x0,
    sol_upcall = 0x70bf878, sol_upcallarg = 0x0, sol_sbrcv_lowat = 0x1, sol_sbsnd_lowat = 0x800, sol_sbrcv_hiwat = 0x2000, sol_sbsnd_hiwat = 0x2000, sol_sbrcv_flags = 0x0, sol_sbsnd_flags = 0x0, sol_sbrcv_timeo = 0x0, sol_sbsnd_timeo = 0x0}}}

For lo_name in sb_sx's lock_object:

(kgdb) x/64c 0xc58ef0
0xc58ef0 <.rodata.str1.4+376864>: 116 't' 109 'm' 99 'c' 111 'o' 112 'p' 121 'y' 105 'i' 110 'n'
0xc58ef8 <.rodata.str1.4+376872>: 0 '\0' 0 '\0' 0 '\0' 0 '\0' 115 's' 111 'o' 95 '_' 115 's'
0xc58f00 <.rodata.str1.4+376880>: 110 'n' 100 'd' 95 '_' 115 's' 120 'x' 0 '\0' 0 '\0' 0 '\0'

which looks coherent to me: so_snd_sx

For ta_func in sb_aiotask:

(kgdb) x/64i 0x58ee80
0x58ee80 : stwu r1,-32(r1)
. . .

Looks coherent to me.

But sol_upcall does not.

>
>
> 005b8548 li r10,1
> 005b854c b 005b8558
> 005b8550 stwcx. r10,0,r9
> 005b8554 li r10,0
> 005b8558 cmpwi cr7,r10,0
> 005b855c bne- cr7,005b8568
> 005b8560 addi r3,r28,16
> 005b8564 bl 004d4218 <__mtx_unlock_sleep>
> 005b8568 mr r3,r27
> at soisconnected+0x21c:
> 005b856c bl 005b7b48
> 005b8570 b 005b89f0
> . . .
>
> void
> soisconnected(struct socket *so)
> {
>         struct socket *head;
> . . .
> restart:
>         SOCK_LOCK(so);
>         if ((head = so->so_listen) != NULL &&
>             __predict_false(SOLISTEN_TRYLOCK(head) == 0)) {
>                 SOCK_UNLOCK(so);
>                 goto restart;
>         }
>         so->so_state &= ~(SS_ISCONNECTING|SS_ISDISCONNECTING|SS_ISCONFIRMING);
>         so->so_state |= SS_ISCONNECTED;
>         if (head != NULL && (so->so_qstate == SQ_INCOMP)) {
> again:
>                 if ((so->so_options & SO_ACCEPTFILTER) == 0) {
>                         TAILQ_REMOVE(&head->sol_incomp, so, so_list);
>                         head->sol_incqlen--;
>                         TAILQ_INSERT_TAIL(&head->sol_comp, so, so_list);
>                         head->sol_qlen++;
>                         so->so_qstate = SQ_COMP;
>                         SOCK_UNLOCK(so);
>                         solisten_wakeup(head);  /* unlocks */
> . . .

Exception and its struct trapframe:
(these are vmcore file offsets: subtract 0x1000 to get address)

[ lr#0 ]: inside dbtrap
00c83f40  d2 50 a4 e0 00 10 0c 54 07 0b f8 78 d2 50 a4 e0  |.P.....T...x.P..|
00c83f50  05 ab 8a e0 07 0b f8 60 00 00 00 00 00 00 00 01  |.......`........|
[ r3 ]
00c83f60  00 00 00 00 00 00 00 01 00 00 00 00 05 d1 78 70  |..............xp|
00c83f70  00 00 00 01 05 ab 8a e0 00 00 00 00 00 00 00 00  |................|
00c83f80  01 81 00 00 01 82 00 00 00 00 00 00 01 82 00 00  |................|
00c83f90  01 82 00 00 00 03 8d 6c 00 03 8d 6c 00 00 00 00  |.......l...l....|
00c83fa0  ff ff d7 58 00 00 00 00 00 d1 1a 84 00 d1 1a 84  |...X............|
00c83fb0  d2 50 a5 1c 07 0b f8 60 05 d1 78 60 07 0b f8 60  |.P.....`..x`...`|
[ r28 ]
00c83fc0  00 d2 aa a0 d2 50 a4 e0 00 5b 7b 94 20 00 f0 44  |.....P...[{. ..D|
[ lr#1 ]: solisten_wakeup+0x4c
00c83fd0  00 00 00 00 07 0b f8 78 07 0b f8 78 00 08 90 32  |.......x...x...2|
[ srr0 ] [exception]
00c83fe0  00 00 07 00 00 00 00 00 00 00 00 00 01 c4 5f 00  |.............._.|
00c83ff0  00 00 00 00 00 10 01 40 00 00 00 00 00 00 00 00  |.......@........|

solisten_wakeup+0x4c's related stack frame:

0b4004e0  d2 50 a5 00 00 50 8d f8 00 d2 b0 60 00 00 00 04  |.P...P.....`....|
0b4004f0  05 d1 7a 78 05 d1 79 30 00 d2 aa a0 d2 50 a5 00  |..zx..y0.....P..|
0xd250a500: at soisconnected+0x21c (at stays the same)
0b400500  d2 50 a5 40 00 5b 85 70 00 d2 aa a0 d2 50 a5 10  |.P.@.[.p.....P..|
0b400510  d2 50 a5 60 00 5b d0 d8 00 d2 ab 90 00 00 00 04  |.P.`.[..........|
0b400520  05 d1 78 60 05 ab 8a e0 07 25 94 80 05 d1 7a 78  |..x`.....%....zx|
0b400530  07 0b 7a 10 05 d1 78 60 00 d2 ab 90 d2 50 a5 40  |..z...x`.....P.@|
0xd250a540: at unp_connect2+0xf0 (at stays the same)
0b400540  d2 50 a5 60 00 5c 38 34 07 25 94 80 05 d1 7a 78  |.P.`.\84.%....zx|
0b400550  07 0b 7a 10 07 0b 79 58 00 d2 ab 90 d2 50 a5 60  |..z...yX.....P.`|

"so" first then "so2" second, with so2 failing:

0x005c3824 : mr r3,r8
0x005c3828 : bl 0x5b8350
0x005c382c : mr r3,r29
0x005c3830 : bl 0x5b8350
0x005c3834 : li r3,0

static int
unp_connect2(struct socket *so, struct socket *so2, int req)
. . .
        case SOCK_STREAM:
        case SOCK_SEQPACKET:
                unp2->unp_conn = unp;
                if (req == PRU_CONNECT &&
                    ((unp->unp_flags | unp2->unp_flags) & UNP_CONNWAIT))
                        soisconnecting(so);
                else
                        soisconnected(so);
                soisconnected(so2);
                break;
. . .

0xd250a560: at unp_connectat+0x658 (at stays the same)
0b400560  d2 50 a7 70 00 5c 3e c4 05 ab 8a e0 00 fd c1 c0  |.P.p.\>.........|
0b400570  d2 50 a6 3d 00 00 00 01 02 00 01 00 00 00 04 00  |.P.=............|
0b400580  04 00 00 00 00 00 00 00 00 00 00 00 05 a3 7c 60  |..............|`|
0b400590  00 00 00 00 ff ff ff 9c 00 00 00 00 00 fd c1 c0  |................|
0b4005a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
0b4005b0  00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00  |................|
0b4005c0  07 25 94 80 05 a3 72 40 00 00 00 01 05 b2 10 15  |.%....r@........|
0b4005d0  00 00 00 00 00 8c 05 bc 00 00 00 00 44 eb 41 81  |............D.A.|
0b4005e0  00 00 00 00 00 00 c1 44 05 ab 8a e0 05 b2 e6 00  |.......D........|
0b4005f0  00 20 00 00 05 b2 10 00 05 b2 10 09 00 00 00 0c  |. ..............|
0b400600  00 00 00 00 d2 50 a6 00 00 d3 23 bc 00 ce eb 40  |.....P....#....@|
0b400610  07 25 94 80 d2 50 a6 38 05 b2 e6 00 05 ab 8a e0  |.%...P.8........|
0b400620  02 00 01 00 00 00 04 00 04 00 00 00 00 00 00 00  |................|
0b400630  05 c9 91 ec 00 00 00 04 07 0b 79 58 d2 2f 76 61  |..........yX./va|
0b400640  72 2f 72 75 6e 2f 72 70 63 62 69 6e 64 2e 73 6f  |r/run/rpcbind.so|
0b400650  63 6b 00 70 00 00 00 05 00 00 00 00 00 00 00 10  |ck.p............|
0b400660  05 d8 c4 80 d0 21 56 d4 00 d3 23 bc 00 00 00 04  |.....!V...#.....|
0b400670  d2 50 a6 a0 40 00 f0 34 00 d1 1a 84 00 f5 0d 00  |.P..@..4........|
0b400680  00 f5 0d 00 00 d1 1a 84 05 c9 91 ec 00 00 00 08  |................|
0b400690  41 99 00 00 05 c2 49 d8 41 98 80 00 41 98 c0 00  |A.....I.A...A...|
0b4006a0  00 00 00 07 00 00 00 05 d0 21 57 c8 41 99 00 00  |.........!W.A...|
0b4006b0  05 c9 91 ec 00 fd c1 c0 00 d3 36 8c d2 50 a6 c0  |..........6..P..|
0b4006c0  d2 50 a6 e0 00 8c 74 c0 05 c9 91 38 00 00 00 04  |.P....t....8....|
0b4006d0  d2 50 a6 f0 00 fd c1 c0 d2 50 a6 e0 d2 50 a6 e0  |.P.......P...P..|
0b4006e0  d2 50 a7 10 00 8f a0 94 d2 50 a6 f0 d2 50 a6 f0  |.P.......P...P..|
0b4006f0  d2 50 a7 10 00 00 00 00 00 00 01 21 00 00 00 41  |.P.........!...A|
0b400700  00 00 00 06 05 be e4 c0 00 d2 ab 64 d2 50 a7 10  |...........d.P..|
0b400710  d2 50 a7 80 00 48 f2 70 00 d3 11 94 d2 50 a7 20  |.P...H.p.....P. |
0b400720  d2 50 a7 40 00 87 1c 04 02 00 07 ff ff ff ff ff  |.P.@............|
0b400730  04 00 00 00 00 1f ff ff 00 d3 10 54 68 a4 aa 22  |...........Th.."|
0b400740  d2 50 a7 60 00 87 1c 40 00 00 00 00 05 ab 8a e0  |.P.`...@........|
0b400750  05 ab 8a e0 ff ff ff 9c 05 ab 8a e0 05 ab 8a e0  |................|
0b400760  05 b1 54 20 05 d1 7a 78 00 d2 ab 90 d2 50 a7 70  |..T ..zx.....P.p|

The unp_connectat context is more complicated so I stop quoting code here.

0xd250a770: at unp_connect+0x2c (at stays the same)
0b400770  d2 50 a7 90 00 5c 41 c8 00 d2 ab 64 d2 50 a7 80  |.P...\A....d.P..|
0b400780  d2 50 a7 e0 00 48 f5 e0 d2 50 a7 90 00 00 00 00  |.P...H...P......|
0xd250a790: at uipc_connect+0xc0 (at stays the same)
0b400790  d2 50 a7 d0 00 5c 7b cc 00 00 00 06 05 be e4 c0  |.P...\{.........|
0b4007a0  d2 50 a8 10 00 86 32 e8 20 00 f0 38 00 00 00 01  |.P....2. ..8....|
0b4007b0  00 03 8d 6c 00 00 00 00 ff ff d7 58 05 b1 54 20  |...l.......X..T |
0b4007c0  ff ff ff 9c 05 d1 7a 78 00 d2 ab 64 d2 50 a7 d0  |......zx...d.P..|
0xd250a7d0: at soconnectat+0xa0 (at stays the same)
0b4007d0  d2 50 a8 00 00 5b 61 68 00 d2 ab 64 d2 50 a7 e0  |.P...[ah...d.P..|
0b4007e0  d2 50 a8 20 00 5b ff 64 05 b1 54 20 05 ab 8a e0  |.P. .[.d..T ....|
0b4007f0  00 00 00 00 05 d1 7a 78 00 d2 ab 64 d2 50 a8 00  |......zx...d.P..|
0xd250a800: at soconnect+0x2c (at stays the same)
0b400800  d2 50 a8 20 00 5b 61 f4 05 b1 54 20 05 ab 8a e0  |.P. .[a...T ....|
0b400810  00 00 00 25 05 d1 7a 78 d2 50 a8 20 d2 50 a8 20  |...%..zx.P. .P. |
0xd250a820: at kern_connect+0134 (at stays the same)
0b400820  d2 50 a8 70 00 5c 19 14 ff ff d7 68 00 00 00 16  |.P.p.\.....h....|
0b400830  00 00 00 17 05 b1 54 20 02 00 00 00 80 00 00 00  |......T ........|
0b400840  04 00 00 00 00 00 00 00 41 98 c0 00 05 be e4 c0  |........A.......|
0b400850  05 ab 8a e0 00 00 00 00 d2 50 aa 88 05 ab 8a e0  |.........P......|
0b400860  00 00 00 00 05 ab 8d 78 00 d2 ab 64 d2 50 a8 70  |.......x...d.P.p|
0xd250a870: at sys_connect+0x64 (at stays the same)
0b400870  d2 50 a8 b0 00 5c 1c 58 d2 50 aa 88 00 00 04 00  |.P...\.X.P......|
0b400880  00 00 00 01 d2 50 aa 88 00 00 00 80 05 b1 54 20  |.....P........T |
0b400890  d2 50 a8 b0 00 8f c3 b0 d2 50 aa 88 00 00 00 00  |.P.......P......|
0b4008a0  05 ab 8d 70 05 d9 5a b0 00 d3 37 e8 d2 50 a8 b0  |...p..Z...7..P..|
0xd250a8b0: at trap+0x638 (at stays the same)
0b4008b0  d2 50 aa 50 00 8f cc 3c 5a 2e a6 14 b1 ae c2 60  |.P.P...
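Added illustration (not code from the report above, nor from FreeBSD): the kgdb output isolates that `sol_upcall` in the listening-socket member of the union sits at the same offset as `so_rcv.sb_sel` in the data-socket member, so a socket initialised in the data view carries `&so_rdsel` where the listening view expects a function pointer. The C program below models that aliasing with a deliberately simplified `struct toy_socket` whose layout is arranged only so those two members overlap (it is not FreeBSD's layout, and the `so_listening` discriminant, `upcall_fn`, the `init_*` routines and `guarded_listen_wakeup()` are all assumptions of the example). It shows the aliased value being read back, and the check a wakeup routine can make on the discriminant before it calls through any listen-side member, which is what an in-kernel assertion on the socket's listening state would give you.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the two views that the report's "struct socket"
 * keeps in one union: a connected data socket (so_rcv/so_snd) and a
 * listening socket (sol_*). Names follow the report; the layout is NOT
 * FreeBSD's and is arranged only so that sol_upcall overlaps so_rcv.sb_sel.
 */
struct toy_socket;
typedef int (*upcall_fn)(struct toy_socket *, void *, int);

struct selinfo {
	void *si_first;		/* stand-in for si_tdlist.tqh_first */
	void *si_last;		/* stand-in for si_tdlist.tqh_last */
};

struct sockbuf {
	struct selinfo *sb_sel;	/* back-pointer to the owning socket's selinfo */
	unsigned int sb_lowat;
};

struct toy_socket {
	int so_count;
	bool so_listening;	/* assumed discriminant: which union view is live */
	struct selinfo so_rdsel;
	struct selinfo so_wrsel;
	union {
		struct {		/* data-socket view */
			struct sockbuf so_rcv;
			struct sockbuf so_snd;
		};
		struct {		/* listening-socket view */
			upcall_fn sol_upcall;
			void *sol_upcallarg;
			int sol_qlen;
		};
	};
};

_Static_assert(sizeof(upcall_fn) == sizeof(void *), "pointer sizes differ");

/* Data-socket setup, as the dump in the report shows: each sockbuf's
 * sb_sel points back at its own socket's selinfo. */
void init_data_socket(struct toy_socket *so)
{
	memset(so, 0, sizeof *so);
	so->so_count = 1;
	so->so_listening = false;
	so->so_rcv.sb_sel = &so->so_rdsel;
	so->so_snd.sb_sel = &so->so_wrsel;
}

/* Listening-socket setup: the sol_* view becomes the live one. */
void init_listen_socket(struct toy_socket *so, upcall_fn fn, void *arg)
{
	memset(so, 0, sizeof *so);
	so->so_count = 1;
	so->so_listening = true;
	so->sol_upcall = fn;
	so->sol_upcallarg = arg;
}

/* True when sol_upcall, read through the listening view of a socket that was
 * set up in the data view, holds exactly &so_rdsel: the aliasing the kgdb
 * output isolated ($2 == $7). Read via memcpy to avoid a function/data
 * pointer conversion. */
bool upcall_aliases_rdsel(const struct toy_socket *so)
{
	const void *raw;

	memcpy(&raw, &so->sol_upcall, sizeof raw);
	return raw == (const void *)&so->so_rdsel;
}

enum wake_result {
	WAKE_REFUSED_NOT_LISTENING,	/* guard tripped: wrong union view */
	WAKE_UPCALL_CALLED,
	WAKE_SELWAKEUP
};

/* Guarded form of the decision in the report's solisten_wakeup(): check the
 * discriminant before touching any sol_* member, so a data socket passed in
 * by mistake is refused instead of having its so_rdsel address "called". */
enum wake_result guarded_listen_wakeup(struct toy_socket *sol)
{
	if (!sol->so_listening)
		return WAKE_REFUSED_NOT_LISTENING;
	if (sol->sol_upcall != NULL) {
		(void)sol->sol_upcall(sol, sol->sol_upcallarg, 0);
		return WAKE_UPCALL_CALLED;
	}
	/* Here the kernel would selwakeuppri(&sol->so_rdsel, ...) instead. */
	return WAKE_SELWAKEUP;
}

static int upcall_runs;		/* how often the sample upcall below ran */

static int count_upcall(struct toy_socket *sol, void *arg, int flags)
{
	(void)sol; (void)arg; (void)flags;
	upcall_runs++;
	return 0;
}

/* Runs the whole scenario and returns how many of its six checks held. */
int aliasing_checks_passed(void)
{
	struct toy_socket so;
	int passed = 0, before;

	passed += offsetof(struct toy_socket, sol_upcall) ==
	    offsetof(struct toy_socket, so_rcv.sb_sel);
	init_data_socket(&so);
	passed += upcall_aliases_rdsel(&so);
	passed += guarded_listen_wakeup(&so) == WAKE_REFUSED_NOT_LISTENING;
	init_listen_socket(&so, NULL, NULL);
	passed += guarded_listen_wakeup(&so) == WAKE_SELWAKEUP;
	before = upcall_runs;
	init_listen_socket(&so, count_upcall, NULL);
	passed += guarded_listen_wakeup(&so) == WAKE_UPCALL_CALLED;
	passed += upcall_runs == before + 1;
	return passed;
}

int main(void)
{
	printf("sol_upcall offset %zu, so_rcv.sb_sel offset %zu\n",
	    offsetof(struct toy_socket, sol_upcall),
	    offsetof(struct toy_socket, so_rcv.sb_sel));
	printf("%d of 6 checks passed\n", aliasing_checks_passed());
	return 0;
}
```

The two `offsetof` values are equal by construction here; in the real layout the coincidence is at offset 232 (the `lwz r0,232(r3)` in the disassembly), and the guard is only as good as the flag it tests, which is why the discriminant has to be kept in sync with whichever union view a socket is initialised into.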