From: Christian Kandeler
Organization: HOB
To: freebsd-ia64@freebsd.org
Date: Wed, 23 Apr 2008 14:22:57 +0200
Subject: syscalls & mcontext
Message-Id: <200804231422.57226.christian.kandeler@hob.de>
List-Id: Porting FreeBSD to the IA-64

Hi,

during testing of a FreeBSD/IA64 application I had written I noticed that it kept getting a SIGILL signal seemingly out of nowhere. On closer inspection, I found out that the following happens:

- The library calls the kse_switchin syscall.
- The kernel's kse_switchin() function is called with the second argument == address of trapframe + 0xe8, as set up by epc_syscall.
- The kse_switchin() function calls set_mcontext(), which, among other things, sets tf->tf_scratch = mc->mc_scratch. But tf->tf_scratch overlaps the second argument of kse_switchin(), so now uap->tmbx in kse_switchin() is no longer a pointer to the thread mailbox, but some random value (whatever was in mc_scratch.gr16).
- After set_mcontext() has returned, kse_switchin() sets td->td_mailbox = uap->tmbx, i.e. the bogus value is now copied into the thread structure.
- ...
- The thread_export_context() function tries to copy the thread's mailbox contents, chokes on the bogus pointer and calls sigexit(), which results in the SIGILL signal being sent to the process.

Any idea of what is going wrong here? My first, uneducated guess would be that we shouldn't set tf_scratch (because why does a synchronous interruption need to restore the scratch registers), but my insight into the syscall mechanism is rather superficial and I assume the problem is more complex than that.

Regards,
Christian Kandeler

PS: Kernel version is 6.1.
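The failure mode described in the message is a general one: a syscall handler reads its arguments out of a memory area that a context-restore routine has already overwritten. The following is an added, constructed C model of that aliasing, not code from the post or from FreeBSD's sources. The struct and function names (trapframe, tf_scratch, mcontext, mc_scratch, gr16, kse_switchin, set_mcontext, tmbx, td_mailbox) are borrowed from the post; the field layout, the union that makes the argument block overlap the scratch-register save area, and the second "fixed" ordering are assumptions made for illustration. The model shows that restoring tf_scratch before reading uap->tmbx yields mc_scratch.gr16 instead of the caller's mailbox pointer, and that copying every argument out of the aliased area before the restore avoids it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: scratch registers saved on syscall entry. gr16 comes
 * first because the post reports that uap->tmbx ends up holding gr16. */
struct scratch_regs { uint64_t gr16, gr17, gr18, gr19; };

/* Syscall argument block as the kernel sees it (hypothetical field set). */
struct kse_switchin_args { uint64_t tmbx; uint64_t flags; };

/* The argument block is laid over the scratch-register save area, so
 * &tf->tf_scratch.args.tmbx and &tf->tf_scratch.scratch.gr16 are the same
 * address. This is the aliasing the message describes (real offset 0xe8 on
 * IA-64; the offset here is whatever the compiler picks). */
union argarea {
    struct scratch_regs scratch;
    struct kse_switchin_args args;
};

struct trapframe {
    uint64_t tf_special[4];   /* placeholder for non-scratch register state */
    union argarea tf_scratch; /* scratch registers, aliased by the arguments */
};

struct mcontext { struct scratch_regs mc_scratch; };

struct thread {
    struct trapframe *td_frame;
    uint64_t td_mailbox;
};

/* Restores the saved scratch registers from the user-supplied context,
 * which clobbers the syscall argument area in the same frame. */
static void set_mcontext(struct thread *td, const struct mcontext *mc) {
    td->td_frame->tf_scratch.scratch = mc->mc_scratch;
}

/* Ordering from the post: the argument is read after the frame was restored,
 * so td_mailbox receives mc_scratch.gr16 rather than the caller's pointer. */
static uint64_t kse_switchin_buggy(struct thread *td,
                                   struct kse_switchin_args *uap,
                                   const struct mcontext *mc) {
    set_mcontext(td, mc);
    td->td_mailbox = uap->tmbx;
    return td->td_mailbox;
}

/* Defensive ordering (assumed here, not a claim about FreeBSD's fix): copy
 * every argument out of the aliased area before anything overwrites it. */
static uint64_t kse_switchin_fixed(struct thread *td,
                                   struct kse_switchin_args *uap,
                                   const struct mcontext *mc) {
    uint64_t tmbx = uap->tmbx;
    set_mcontext(td, mc);
    td->td_mailbox = tmbx;
    return td->td_mailbox;
}

/* Constructed sample values: the user's real mailbox pointer and the
 * unrelated gr16 value carried in the mcontext being switched in. */
#define SAMPLE_MAILBOX 0x1000ULL
#define SAMPLE_GR16    0xBADULL

/* Builds a frame whose argument slot holds the real mailbox pointer and
 * runs one handler ordering; returns the td_mailbox it leaves behind. */
static uint64_t run_switchin(uint64_t (*handler)(struct thread *,
                                                 struct kse_switchin_args *,
                                                 const struct mcontext *)) {
    struct trapframe tf = {0};
    struct thread td = { &tf, 0 };
    struct mcontext mc = { { SAMPLE_GR16, 0, 0, 0 } };
    tf.tf_scratch.args.tmbx = SAMPLE_MAILBOX;
    return handler(&td, &tf.tf_scratch.args, &mc);
}

uint64_t run_buggy(void) { return run_switchin(kse_switchin_buggy); }
uint64_t run_fixed(void) { return run_switchin(kse_switchin_fixed); }

/* Confirms the model really aliases the argument onto gr16. */
int args_alias_scratch(void) {
    struct trapframe tf;
    return (void *)&tf.tf_scratch.args.tmbx == (void *)&tf.tf_scratch.scratch.gr16;
}

int main(void) {
    printf("arguments alias scratch area: %d\n", args_alias_scratch());
    printf("buggy ordering  -> td_mailbox = 0x%llx\n",
           (unsigned long long)run_buggy());
    printf("fixed ordering  -> td_mailbox = 0x%llx\n",
           (unsigned long long)run_fixed());
    return 0;
}
```

The detection angle for a bug of this shape is a sanity check on td_mailbox before it is dereferenced by later code such as thread_export_context(): a value that does not look like a user-space address is a sign that the argument was read after the frame was restored.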