From: Henry N. <hen...@ar...> - 2009-02-06 00:07:59
Hello Shai,

> Shai Vaingast wrote:
>> I've caused this to happen several times and it seems that the crash
>> happens at the same point (i.e., same IP, same call stack, same
>> disassembly location, etc.)
>>
>> Call stack:
>> COLINUX-SLIRP-NET-DAEMON! 00402b90()
>> COLINUX-SLIRP-NET-DAEMON! 004089db()
>> COLINUX-SLIRP-NET-DAEMON! 00401d77()
>> COLINUX-SLIRP-NET-DAEMON! 0040130d()
>> COLINUX-SLIRP-NET-DAEMON! 00401247()
>> COLINUX-SLIRP-NET-DAEMON! 00401298()
>> KERNEL32! 7c817067()

The stack with labels:

COLINUX-SLIRP-NET-DAEMON! 00402b90() _tcp_input+0x5f0
COLINUX-SLIRP-NET-DAEMON! 004089db() _slirp_select_poll+0x11b
COLINUX-SLIRP-NET-DAEMON! 00401d77() _co_slirp_main+0x237
COLINUX-SLIRP-NET-DAEMON! 0040130d() _main+0x2d
COLINUX-SLIRP-NET-DAEMON! 00401247() ___mingw_CRTStartup+0xf7
COLINUX-SLIRP-NET-DAEMON! 00401298() _mainCRTStartup+0x18

>> Registers:
>> EAX = 00000001 EBX = 00000002
>> ECX = 77C2C2E3 EDX = 00030608
>> ESI = 0051B03C EDI = 005143E0
>> EIP = 00402B90 ESP = 0023FA20
>> EBP = 0023FA98 EFL = 00000246
>> [...]
>> CS = 001B DS = 0023 ES = 0023 SS = 0023
>> FS = 003B GS = 0000 OV=0 UP=0 EI=1 PL=0
>> ZR=1 AC=0 PE=1 CY=0
>>
>> 0051B046 = ????
>>
>> [...]
>> CTRL = 037F STAT = 0000 TAGS = FFFF
>> EIP = 00000000
>> CS = 0000 DS = 0000 EDO = 00000000
>>
>> Disassembly (current location is 00402B90, I've added a few lines
>> before as well).
>> 00402B66 je 00402B90
>> 00402B68 mov ecx,dword ptr [ebp-30h]
>> 00402B6B cmp word ptr [ecx+8],9
>> 00402B70 jle 00402D67
>> 00402B76 mov edi,dword ptr [ebp-30h]
>> 00402B79 mov eax,dword ptr [edi+8]
>> 00402B7C sub eax,3
>> 00402B7F cmp ax,7
>> 00402B83 jbe 00402D5D
>> 00402B89 lea esi,[esi]
>> ---> 00402B90 movzx eax,word ptr [esi+0Ah]
>> 00402B94 dec eax
>> 00402B95 cmp ax,4
>> 00402B99 ja 00402BA5

OK. I have the same from "objdump":

src/colinux/user/slirp/tcp_input.c:1403
  402b76: 8b 7d d0                mov    0xffffffd0(%ebp),%edi
  402b79: 8b 47 08                mov    0x8(%edi),%eax
  402b7c: 83 e8 03                sub    $0x3,%eax
  402b7f: 66 83 f8 07             cmp    $0x7,%ax
  402b83: 0f 86 d4 01 00 00       jbe    402d5d <_tcp_input+0x7bd>
  402b89: 8d b4 26 00 00 00 00    lea    0x0(%esi),%esi
src/colinux/user/slirp/tcp_input.c:1460
===> 402b90: 0f b7 46 0a           movzwl 0xa(%esi),%eax <===
  402b94: 48                      dec    %eax
  402b95: 66 83 f8 04             cmp    $0x4,%ax
  402b99: 77 0a                   ja     402ba5 <_tcp_input+0x605>
  402b9b: 80 7e 28 1b             cmpb   $0x1b,0x28(%esi)
  402b9f: 0f 84 e6 01 00 00       je     402d8b <_tcp_input+0x7eb>
src/colinux/user/slirp/tcp_input.c:1468
  402ba5: 8b 45 b4                mov    0xffffffb4(%ebp),%eax
  402ba8: 85 c0                   test   %eax,%eax
  402baa: 75 0d                   jne    402bb9 <_tcp_input+0x619>
  402bac: 8b 4d d0                mov    0xffffffd0(%ebp),%ecx
  402baf: f6 41 1c 01             testb  $0x1,0x1c(%ecx)
  402bb3: 0f 84 29 fe ff ff       je     4029e2 <_tcp_input+0x442>
src/colinux/user/slirp/tcp_input.c:1469

Here is this source line number 1460 on SF:
http://colinux.svn.sourceforge.net/viewvc/colinux/branches/devel/src/colinux/user/slirp/tcp_input.c?view=markup#l_1460

I don't see the problem. This is not the "first_char == (char)27"; this I can see later as assembler "$0x1b".

I have created an executable [1] with full debug (-ggdb). It would be nice if you start this under gdb.exe. Please use gdb-6.3-2.exe from the "Release Candidate: gdb-6.3" [2]. Install GDB and copy the SLiRP debug version into your coLinux installation. The name is different to avoid problems. You can use this special build with coLinux version 0.7.3 or with one of the 0.8.0. Please use the coLinux version you have currently installed; don't change or replace any coLinux exe files.

Here is a small step guide for a GDB session:

* First run coLinux in the normal way.
* Note the current parameters of colinux-slirp-net-daemon.exe; with "Process Explorer" [3] you can do it.
* Kill the current colinux-slirp-net-daemon.exe, ignore the warning message.
* Open a new Windows command prompt, change into the coLinux directory and run GDB.EXE with colinux-slirp-net-daemon-dbg.exe, for example:
  C:\colinux> C:\mingw\bin\gdb colinux-slirp-net-daemon-dbg.exe
* Set the parameters you noted in step 2, for example:
  (gdb) set args -i 2496 -u 0
* Run the SLiRP:
  (gdb) run
* Now, use your network (SLiRP) in your error case to force the crash.
* After the crash you should see any variable that was out of range. (I hope)
* Please print the "backtrace" from such a session.

If GDB needs any source, I think "src/colinux/user/slirp/tcp_input.c" would be needed. Then create such a source tree under your current install directory ("C:\colinux" in my example) and store the file tcp_input.c there. Or unpack the complete source. Then GDB should give some more details about the variables. So, my hope.

Use the gdb command "print" and try to give us an output from the variables "ti", "ti->ti_len" and "((struct tcpiphdr_2 *)ti)->first_char".

[1] http://www.henrynestler.com/colinux/testing/devel-0.8.0/20090205-Snapshot/packages/colinux-slirp-net-daemon-dbg.zip
[2] http://sourceforge.net/project/showfiles.php?group_id=2435&package_id=20507&release_id=38019
[3] technet.microsoft.com/en-us/sysinternals/bb896653.aspx

--
Henry N.
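The GDB session from the step guide above, written as a GDB command file so the crash capture can be repeated unattended and the output lands in a log file that can be attached to a reply. This is an added example, not a script from the post or from the coLinux project; the daemon arguments are the ones quoted in the post (replace them with the values you noted from Process Explorer), and the log file name and the use of gdb's -batch/-x invocation are this example's own choices.

```gdb
# slirp-crash.gdb (added example; not part of the original mail)
# Run from the coLinux directory, with the debug build unpacked there:
#   C:\colinux> C:\mingw\bin\gdb -batch -x slirp-crash.gdb colinux-slirp-net-daemon-dbg.exe
# -batch executes this file, lets the program run, and exits afterwards.
# Assumption: log file name and -batch/-x usage are this example's choice.

set pagination off
set logging file slirp-crash.log
set logging overwrite on
set logging on

# Step "set args": the command line of the running daemon (values from the
# post; replace with the ones you noted from Process Explorer).
set args -i 2496 -u 0

# Step "run": GDB stops when the daemon hits the access violation, and the
# commands below then execute against the crashing frame (tcp_input).
run

# The backtrace that was asked for in the mail.
backtrace

# Register dump first: in the posted disassembly ESI holds the pointer that
# is dereferenced at 0x402b90, so this shows the faulting address.
info registers

# Commands in a sourced file stop at the first error (e.g. "Cannot access
# memory"), so the reads that can fail if ti is a bad pointer come last.
print ti
info locals
print ti->ti_len
print ((struct tcpiphdr_2 *)ti)->first_char

# Raw bytes at ti, in case the struct fields themselves print garbage.
x/16xb ti

set logging off
```

After the run, slirp-crash.log holds everything GDB printed; if ti points at unmapped memory the file will end at the first failing print, which is itself the information being looked for (the pointer value from "print ti" and the registers are already logged above it).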