| --------------------------------------------------------------------------------
Log No 24056.00-4C6-1UVO Desc type TS
Sequence no 01 Authr badge no 064297
Creation D/T 23-DEC-1994 18:56
--------------------------------------------------------------------------------
VAX/VMS System dump analyzer
Dump taken on 20-DEC-1994 16:48:05.38
SSRVEXCEPT, Unexpected system service exception
System crash information
------------------------
Time of system crash: 20-DEC-1994 16:48:05.38
Version of system: VAX/VMS VERSION V6.1
System Version Major ID/Minor ID: 1/0
VAXcluster node: WIZZ, a MicroVAX 3100-95
Crash CPU ID/Primary CPU ID: 00/00
Bitmask of CPUs active/available: 00000001/00000001
CPU bugcheck codes:
CPU 00 -- SSRVEXCEPT, Unexpected system service exception
CPU 00 reason for Bugcheck: SSRVEXCEPT, Unexpected system service exception
Process currently executing on this CPU: IAN
Current image file: $2$DKA100:[SYS0.SYSCOMMON.][SYSEXE]SSU.EXE;1
Current IPL: 0 (decimal)
CPU database address: 8505A000
General registers:
R0 = 00000009 R1 = 7FFE7790 R2 = 81839004 R3 = 00C00001
R4 = 84403980 R5 = 842FBAC0 R6 = 81839004 R7 = 00000001
R8 = 00005B30 R9 = 00000000 R10 = 00005690 R11 = 00000000
AP = 7FFE776C FP = 7FFE7754 SP = 7FFE7754 PC = 838AE5E3
PSL = 00000000
Processor registers:
P0BR = 88ED4000 SBR = 04DC4C00 ASTLVL = 00000004
P0LR = 00000462 SLR = 0008A900 SISR = 00000000
P1BR = 8877BE00 PCBB = 0440A620 ICCS = 00000041
P1LR = 001FF3A2 SCBB = 04DBDE00 SID = 13000202
TODR = C62660A9 BPCR = ECC80024 PAMODE = 00000000
MMEPTE = 88EEC000 MMESTS = 1C004001 PCSCR = 01000200
ICSR = 00000001 ECR = 0000008A TBSTS = 800001D0
PCCTL = FFFFFC13 PCSTS = FFFFF800 CEFSTS = 00019200
CCTL = 00000021 BCEDSTS= 00000000 BCETSTS= 00000000
NESTS = 00000000 NEOCMD = 0000F004 NEICMD = 00000000
MESR = 00006000 MMCDSR = 09CBC000
DSER = 00000000 CBTCR = 00000000
ISP = 8505B600
KSP = 7FFE7754
ESP = 7FFE9800
SSP = 7FFECA44
USP = 7FE76908
No spinlocks currently owned by CPU 00
Current operating stack (KERNEL):
7FFE7734 00000000
7FFE7738 00005690 DAP$K_CRC_TBL1+002AD
7FFE773C 00000000
7FFE7740 7FFE776C CTL$GL_KSTKBAS+0056C
7FFE7744 7FFE7754 CTL$GL_KSTKBAS+00554
7FFE7748 7FFE774C CTL$GL_KSTKBAS+0054C
7FFE774C 838AE5E3 EXE$EXCPTNE
7FFE7750 00000000
SP => 7FFE7754 00000000
7FFE7758 00000000
7FFE775C 7FE76944
7FFE7760 7FFE77E4 CTL$GL_KSTKBAS+005E4
7FFE7764 80000014 EXE$QIOW_3+00004
7FFE7768 838B0AD1 EXE$CONTSIGNAL+0007C
7FFE776C 00000002
7FFE7770 7FFE7790 CTL$GL_KSTKBAS+00590
7FFE7774 7FFE7778 CTL$GL_KSTKBAS+00578
7FFE7778 00000004
7FFE777C 7FFE77E4 CTL$GL_KSTKBAS+005E4
7FFE7780 FFFFFFFD LKB$K_SCSWAIT
7FFE7784 00000000
7FFE7788 00C00008 PSL$M_PRVMOD+00008
7FFE778C 0000000A
7FFE7790 00000005
7FFE7794 0000000C
7FFE7798 00000001
7FFE779C 00C00008 PSL$M_PRVMOD+00008
7FFE77A0 80000010 EXE$QIOW_3
7FFE77A4 00000009
7FFE77A8 838B0A4D EXE$SRCHANDLER+00076
7FFE77AC 00000002
7FFE77B0 7FFE77D0 CTL$GL_KSTKBAS+005D0
7FFE77B4 7FFE77B8 CTL$GL_KSTKBAS+005B8
7FFE77B8 00000004
7FFE77BC 7FFE77E4 CTL$GL_KSTKBAS+005E4
7FFE77C0 00000000
7FFE77C4 84423618
7FFE77C8 00000001
7FFE77CC 05000001 NFB$C_PLI_LCK
7FFE77D0 00000005
7FFE77D4 0000000C
7FFE77D8 00000000
7FFE77DC 00000000
7FFE77E0 00000000
7FFE77E4 00C00008 PSL$M_PRVMOD+00008
7FFE77E8 00000000
7FFE77EC 7FE76944
7FFE77F0 7FE76908
7FFE77F4 838AE858 EXE$EXCEPTION+00227
7FFE77F8 0000782E DAP$K_CRC_TBLC+003AC
7FFE77FC 03C00000
SDA> ex/in 838B0A4D-20;20 ; From stack
%SDA-W-INSKIPPED, unreasonable instruction stream - 1 bytes skipped
EXE$SRCHANDLER+00057: BRW EXE$CONTSIGNAL+0003D
EXE$SRCHANDLER+0005A: BRW EXE$CONTSIGNAL
EXE$SRCHANDLER+0005D: CALLG (SP),EXE$CONTSIGNAL+000FD
EXE$SRCHANDLER+00062: BLBC R0,EXE$CONTSIGNAL+00054
EXE$SRCHANDLER+00065: BBC #01,20(SP),EXE$SRCHANDLER+00070
EXE$SRCHANDLER+0006A: INSV #04,#00,#03,28(SP)
EXE$SRCHANDLER+00070: JSB EXE$CALL_HANDL_JACKET ; -------
EXE$SRCHANDLER+00076: BLBC R0,EXE$SRCHANDLER+0005D |
|
SDA> ex/in EXE$CALL_HANDL_JACKET;20 <--------
EXE$CALL_HANDL_JACKET: MOVPSL R0
EXE$CALL_HANDL_JACKET+00002: CMPZV #18,#02,R0,#03
EXE$CALL_HANDL_JACKET+00007: BNEQ EXE$CALL_HANDL_JACKET+00016
EXE$CALL_HANDL_JACKET+00009: BLBC @#CTL$GL_VP_FLAGS,EXE$CALL_HANDL_JACKET+00
016
EXE$CALL_HANDL_JACKET+00010: JSB @#V_EXE$SET_VP_JACKET
EXE$CALL_HANDL_JACKET+00016: JMP @#EXE$QIOW_3 ;-------
|
|
EXE$QIOW_2+00007: RET |
EXE$QIOW_3: CALLG 04(SP),(R1) ; crash here R1=C00008 <-------
844039B0 PCB$L_ONQTIME 0105C864
844039B4 PCB$L_WAITIME 0105C695
SDA> ex/in 00006C41-20;20
%SDA-W-INSKIPPED, unreasonable instruction stream - 1 bytes skipped
DAP$K_CRC_TBL7+00280: CALLS #03,@DAP$K_CRC_TBLC+00006
DAP$K_CRC_TBL7+00287: CLRQ -(SP)
DAP$K_CRC_TBL7+00289: PUSHL R5
DAP$K_CRC_TBL7+0028B: MOVL 2739(R2),R0
DAP$K_CRC_TBL7+00290: PUSHAB 04(R0)
DAP$K_CRC_TBL7+00293: CLRQ -(SP)
DAP$K_CRC_TBL7+00295: PUSHL 04(R2)
DAP$K_CRC_TBL7+00298: CALLS #07,@DAP$K_CRC_TBLC+00026
DAP$K_CRC_TBL7+0029F: CMPL R0,#01
SDA>
SDA> ex/in 80000010-20;20
%SDA-W-INSKIPPED, unreasonable instruction stream - 18 bytes skipped
SYS$S0_VECTOR_BASE+00002: CHMK #002D
SYS$S0_VECTOR_BASE+00006: BLBC R0,EXE$QIOW_2+00007
EXE$QIOW_2+00001: PUSHL 10(AP)
EXE$QIOW_2+00004: BRW EXE$SYNCH+00005
EXE$QIOW_2+00007: RET
EXE$QIOW_3: CALLG 04(SP),(R1)
Process index: 0095 Name: IAN Extended PID: 21600A95
--------------------------------------------------------
Status : 02040001 res,phdres,inter
Status2: 00000001 quantum_resched
PCB address 84403980 JIB address 84418EC0
PHD address 88EA7400 Swapfile disk address 00000000
Master internal PID 00050095 Subprocess count 0
Internal PID 00050095 Creator internal PID 00000000
Extended PID 21600A95 Creator extended PID 00000000
State CUR Termination mailbox 0000
Current priority 9 AST's enabled KESU
Base priority 4 AST's active NONE
UIC [00300,000007] AST's remaining 94
Mutex count 0 Buffered I/O count/limit 100/100
Waiting EF cluster 1 Direct I/O count/limit 100/100
Starting wait time 1B001B1B BUFIO byte count/limit 31872/31936
Event flag wait mask 03FFFFFF # open files allowed left 98
Local EF cluster 0 E0000001 Timer entries allowed left 10
Local EF cluster 1 02000000 Active page table count 0
Global cluster 2 pointer 00000000 Process WS page count 410
Global cluster 3 pointer 00000000 Global WS page count 143
SDA>
SDA> sho call
Call Frame Information
----------------------
Call Frame Generated by CALLG Instruction
Condition Handler 7FFE7754 00000000
SP Align Bits = 00 7FFE7758 00000000
Saved AP 7FFE775C 7FE76944
Saved FP 7FFE7760 7FFE77E4 CTL$GL_KSTKBAS+005E4
Return PC 7FFE7764 80000014 EXE$QIOW_3+00004
Align Stack by 0 Bytes =>
SDA> sho call/n
Call Frame Information
----------------------
Call Frame Generated by CALLG Instruction
Condition Handler 7FFE77E4 00C00008 PSL$M_PRVMOD+00008
SP Align Bits = 00 7FFE77E8 00000000
Saved AP 7FFE77EC 7FE76944
Saved FP 7FFE77F0 7FE76908
Return PC 7FFE77F4 838AE858 EXE$EXCEPTION+00227
Align Stack by 0 Bytes =>
SDA>
Call Frame Information
----------------------
Call Frame Generated by CALLS Instruction
Condition Handler 7FE76908 00000000
SP Align Bits = 00 7FE7690C 2FFC0000
Saved AP 7FE76910 7FE7699C
Saved FP 7FE76914 7FE76968
Return PC 7FE76918 00006C41 DAP$K_CRC_TBL7+0029F
R2 7FE7691C 00076210
R3 7FE76920 00000001
R4 7FE76924 00000000
R5 7FE76928 00000001
R6 7FE7692C 0000127C VCRP$K_EC_DLL_LAST+00071
R7 7FE76930 7FE769A0
R8 7FE76934 00005B30 DAP$K_CRC_TBL1+0074D
R9 7FE76938 00000000
R10 7FE7693C 00005690 DAP$K_CRC_TBL1+002AD
R11 7FE76940 00005590 DAP$K_CRC_TBL1+001AD
Align Stack by 0 Bytes =>
Argument List 7FE76944 00000007
Call Frame Information
----------------------
7FE76948 000000F0
7FE7694C 00000000
7FE76950 00000000
7FE76954 0008C204
7FE76958 00000001
7FE7695C 00000000
7FE76960 00000000
Process index: 0095 Name: IAN Extended PID: 21600A95
--------------------------------------------------------
Process activated images
------------------------
ICB Start End Type Image Name Major ID,Minor ID
-------- -------- -------- -------------- -----------------------------
7FF966B8 00000200 000077FF MAIN SSU 0,0
7FF96798 00052800 0006A7FF GLOBAL SHR VAXCRTL 4,3
7FF979C0 0006A800 0006AFFF GLOBAL CMA$TIS_SHR 1,1
7FF978E0 00008200 000325FF GLOBAL SHR MTHRTL 129,32780
7FF96F00 00032600 000527FF GLOBAL SHR LIBRTL 1,14
7FF97950 00007800 000081FF GLOBAL PRT SHR PTD$SERVICES_SHR 1,0
Total images = 6 Pages allocated = 855
SDA>
--------------------------------------------------------------------------------
Log No 24056.00-4C6-1UVO Desc type TS
Sequence no 02 Authr badge no 231847
Creation D/T 2-JAN-1995 21:42
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Log No 24056.00-4C6-1UVO Desc type TS
Sequence no 03 Authr badge no 231847
Creation D/T 3-JAN-1995 10:54
--------------------------------------------------------------
<<< Note 199.1 by COMICS::GLEDHILL >>>
-< rocol watch induced crash. >-
From: NICES::GLEDHILL 4-JAN-1995 01:14:49.52
To: GLEDHILL
CC: GLEDHILL
Subj:
***** THIS IS A READ ONLY COPY FROM NICE - please handle accordingly *****
********************************************************************************
Log No 24056.00-4C6-1UVO Queue GLEDHILL
Log D/T 20-DEC-1994 17:04 Owner GLEDHILL
LSDT D/T 3-JAN-1995 09:00 Loc/Phone UVO 3245
Status as at 4-JAN-1995 01:15 is OPEN
EXT REQ Stat Code Escalation Indicator Y
Hold Indicator N Planned Indicator Y
---------------------------------Customer---------------------------------------
Company ROCOL LTD
Department ROCOL HOUSE
Street SWILLINGTON
City LEEDS
Postal Code LS26 8BS PO No
Caller JOHN ELLIOT Title MR
Phone 0532 866511 Extension ASK
Service Wish ** dump on ryrgrs::$4$DIA1:[24056_ROCOL]SYSDUMP.DMP;1 **
--------------------------------------------------------------------------------
******************************INITIAL CALL DETAILS******************************
UPDATED BY / DATE-TIME :: Theo Bartley Wed 21-Dec-1994::09:56
PROBLEM DESCRIPTION / CONFIG :: System bugchecked
ACTION PLAN :: Look at dump.
NEXT UPDATE TIME & DATE :: Cust's modem is in use. He will call back
later when it becomes free
****************************** Update ******************************
UPDATED BY /DATE-TIME :: Theo Bartley / Wed 21-Dec-1994::11:13
CURRENT STATUS :: Customer is unable to give us access to the
system to look at the dump online. He will
send the dump in on tape. No errors in the
errorlog, so customer won't include errorlog
on the tape. Customer ran WATCH just before
system crashed.
ACTION PLAN :: Analyse dump.
NEXT UPDATE TIME & DATE :: Call cust if tape hasn't arrived by Fri 12:00
****************************** Update ******************************
UPDATED BY /DATE-TIME :: MIKE AYLING 23-DEC-1994 10:10
CURRENT STATUS :: TK50 TAPE RECEIVED
ACTION PLAN :: TO BE ANALYSED BY SPECIALIST WHEN AVAILABLE
NEXT UPDATE TIME & DATE ::
****************************** Update ******************************
UPDATED BY /DATE-TIME :: Norm Pettet 23-Dec-1994:16:58
CURRENT STATUS :: dump copied to ryrgrs::$4$DIA1:[24056_ROCOL]
Directory $4$DIA1:[24056_ROCOL]
SYSDUMP.DMP;1 90892
Total of 1 file, 90892 blocks.
ACTION PLAN ::
NEXT UPDATE TIME & DATE ::
****************************** Update ******************************
UPDATED BY /DATE-TIME :: Norm Pettet
CURRENT STATUS :: process crash - lloks like a process run-down
problem - further re-work required
ACTION PLAN ::
NEXT UPDATE TIME & DATE ::
****************************** Update ******************************
UPDATED BY /DATE-TIME :: Norm Pettet 31-Dec-1994
CURRENT STATUS :: Reading the supplied information from the
customer, it appears he was using DEBUG and
was exiting when user IAN had a problem. User
IAN logged in again then customer, using WATCH
from DECUS, monitored his process. It was then
that the system crashed. I can't find however
the initial login from user IAN.
ACTION PLAN :: Suggest discussing with customer - if this is
the first time this crash has occured then
wait for it to happen again (if ever)
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
canasta description.
Status: UNIDENTIFIED
VMS Version: 6.1 More Admin Reference
CPU Type: 3100-95
Bugcheck: SSRVEXCEPT
Process Name: IAN
Image Name: SSU
SID Register: 13000202
Argument Count: 00000005
Condition Code: 0000000C
Reason Mask: 00000001
Virtual Address: 00C00008
Exception PC: 80000010
Exception PSL: 00000009
Module: EXE$QIOW_3
Offset: 00000000
Instruction: CALLG
|
| ------------------
This is an interesting one (thanks roland!) I think the clue is in the info
the customer sent in saying he was using watch from decus, but thought I would
go thru it make sure anyway!.
here is from the process.
SDA> SHOW CALL
Call Frame Information
----------------------
Call Frame Generated by CALLG Instruction
Condition Handler 7FFE7754 00000000
SP Align Bits = 00 7FFE7758 00000000
Saved AP 7FFE775C 7FE76944
Saved FP 7FFE7760 7FFE77E4 CTL$GL_KSTKBAS+005E4
Return PC 7FFE7764 80000014 EXE$QIOW_3+00004
Align Stack by 0 Bytes =>
SDA> SHOW CALL/NEXT
Call Frame Information
----------------------
Call Frame Generated by CALLG Instruction
Condition Handler 7FFE77E4 00C00008
SP Align Bits = 00 7FFE77E8 00000000
Saved AP 7FFE77EC 7FE76944
Saved FP 7FFE77F0 7FE76908
Return PC 7FFE77F4 838AE858 EXCEPTION+00458
Align Stack by 0 Bytes =>
** the above is on the kernel stack, the below on the user stack, this is
the call frame that took us into K mode.
SDA> SHOW CALL/NEXT
Call Frame Information
----------------------
Call Frame Generated by CALLS Instruction
Condition Handler 7FE76908 00000000
SP Align Bits = 00 7FE7690C 2FFC0000
Saved AP 7FE76910 7FE7699C
Saved FP 7FE76914 7FE76968
Return PC 7FE76918 00006C41 **
etc
Press RETURN for more.
SDA> EX/INST 6C41
00006C41: CMPL R0,#01
SDA> EX/INST 6C41-20;20
....
00006C37: PUSHL 04(R2)
00006C41: CMPL R0,#01
00006C3A: CALLS #07,@000074A8 <-
SDA> EX 74A8
000074A8: 00007828 "(x.."
SDA> ex/inst 7828
00007828: XFC
SDA> ex/inst
SDA> ex/inst
0000782A: CHMK #4249
** this wont be a normal system service, most likely a user written or vms
supplied one in a privileged image (checking black book vms codes are 0 - 255,
the vms supplied privileged higher than this, the -ve ones reserved for
customer use)
** show proc/image show this is in ptd$services, ie the psuedo terminal driver
thing.
Process activated images
------------------------
ICB Start End Type Image Name Major ID,Minor ID
-------- -------- -------- -------------- -----------------------------
7FF96798 00000200 000077FF MAIN SSU 0,0
7FF96F00 00052800 0006A7FF GLOBAL SHR VAXCRTL 4,3
7FF97840 0006A800 0006AFFF GLOBAL CMA$TIS_SHR 1,1
7FF978B0 00008200 000325FF GLOBAL SHR MTHRTL 129,32780
7FF97920 00032600 000527FF GLOBAL SHR LIBRTL 1,14
7FF966B8 00007800 000081FF GLOBAL PRT SHR PTD$SERVICES_SHR 1,0
(actually checking the listings shows that this is the transfer vector for
ptd$write, see below for listings).
To check that this is a valid privileged image we need to check the P1 space
stuff. I did this and all seems in order, comparing this with another process
running the same images, they are the same.
IE
SDA> SHOW SYM/ALL CTL$GL_USR
...
CTL$GL_USRCHMK = 7FFEFF18 : 7FFE5804
This is
CTL$A_DISPVEC+00004: JSB @#00007863 - this is in ptd$services as we would
CTL$A_DISPVEC+0000A: RSB have expected.
SDA> SH PROC/CHAN
Process index: 0095 Name: IAN Extended PID: 21600A95
--------------------------------------------------------
* ok so now have established that this is meant to be and we are calling
a valid (dec supplied) system service. Looking at the listings of ptd$write
(this corrresponds to our 7828)
0028 209 .ALIGN QUAD
0028 210 .TRANSFER PTD$WRITE ; Define routine public name
0028 211 .MASK PTD$WRITE_K ; Define entry mask
002A 212 CHMK #PTD$WRITE_NUMBER ; Change to Kernel mode and execute
and here is the code that this calls.
01E3 729 PTD$WRITE::
01E3 730 .ENTRY PTD$WRITE_K, - ; Build read request
01E5 731 ^M<R2,R3,R4,R5,R6,R7,R8,R9,R10,R11>
01E5 732 MOVZWL WRITE_CHAN(AP),R0 ; Get channel number
01E9 733 BSBW PTD$VALIDATE_CHAN ; Validate channel number
01EC 734 MOVL WRITE_AST(AP),R0 ; Get write AST address
01F0 735 BEQL 10$ ; EQL no AST
01F2 736 MOVL WRITE_ASTPRM(AP),R1 ; Get AST parameter
01F6 737 MNEGL #1,R6 ; No EFN
01F9 738 BSBW PTD$BUILD_ACB ; Build an ACB
01FC 739 ; (raises IPL to IPL$_ASTDEL)
01FC 740 MOVL R3,R11 ; Copy ACB address
01FF 741 BRB 20$ ; Continue
0201 742 10$:
0201 743 CLRL R11 ; No AST to deliver
0203 744
0203 745 20$:
0203 746 MOVL WRITE_BUF(AP),R0 ; Get write buffer
0207 747 MOVZWL WRITE_BUF_LEN(AP),R1 ; Get write buffer size
020B 748 BSBW PTD$VALIDATE_BUFF ; Validate buffer
020E 749 BLBC R0,40$ ; LBC error handle it
0211 750 MOVL R1,R7 ; Copy write buffer size
0214 751 CLRL (R2) ; Clear out I/O status longword
0216 752 MOVL R2,R6 ; Copy system address of first character to write
0219 753 CLRL R9 ; Assume no echo buffer
021B 754 MOVL WRITE_ECHOBUF(AP),R0 ; Get echo buffer address
021F 755 BEQL 30$ ; EQL no echo buffer
0221 756 MOVZWL WRITE_ECHOBUF_LEN(AP),R1 ; Get Echo buffer size
0225 757 BSBW PTD$VALIDATE_BUFF ; Validate Echo buffer
0228 758 BLBC R0,40$ ; LBC error exit
022B 759 CLRL (R2) ; Clear I/O status longword in echo buffer
022D 760 MOVL R2,R9 ; Copy system address of first
0230 761 ; character position in echo buffer
0230 762 MOVL R1,R10 ; Copy echo buffer size
0233 763
0233 764 30$:
0233 765 MOVL UCB$L_TT_PORT(R5),R0 ; Get port vector address
0238 766 JMP @PORT_FT_WRITE(R0) ; Jump to driver to finish request
**I think we crashed after here, if we check the stack we see that the saved r0
contains the ucb$l_tt_port address. Also note tht there are two signal
arrays on the stack (the lower one is the relevant one)
--------------------------------------------------------------------------------
for more details ....
Now this process is running ssu, the session support utility, this runs a
process that presents a split screen interace to the user, so that they can
run 2 programs on one screen. The ssu process communicates to the programs via
these peuedo terminal devices.
Process active channels
-----------------------
Channel Window Status Device/file accessed
------- ------ ------ --------------------
0010 00000000 DKA100:
0020 8422CE40 DKA100:(9074,1,0)
0030 840C6A40 DKA100:(3664,4,0)
0040 00000000 VTA230:
0050 840C35C0 DKA100:(193,1,0) (section file)
0060 00000000 VTA230:
0070 840BE700 DKA100:(344,1,0) (section file)
0080 840D6640 DKA100:(171,1,0) (section file)
0090 840C1280 DKA100:(282,1,0) (section file)
00A0 840C6E80 DKA100:(187,1,0) (section file)
00B0 840C38C0 DKA100:(3705,2,0) (section file)
00C0 840C7600 DKA100:(138,1,0) (section file)
00D0 00000000 VTA230:
00E0 00000000 VTA230:
00F0 00000000 FTA295:
ie the vta devices are used to talke to the physical terminal - the fta
devices to the application(s).
However this process is being watched by watch and this watches other processes
by revectoring the read + write etc routines into their own routines first so
that they can log what the users are doing. These routines are stored in
the ucb of the device and in class and vector tables.
What it actually does is clone new port and class vector tables, putting most
of the contents the same as in the original, modifying the ones it wants to
revector, plus modify the get/put next routines in the ucb.
Looking at fta295s UCB
842FBBE8 UCB$L_TT_GETNXT 84424415
842FBBEC UCB$L_TT_PUTNXT 8442442A
842FBBF0 UCB$L_TT_CLASS 84423664
842FBBF4 UCB$L_TT_PORT 84423618
this is code in nonpaged pool, comparing with other ftdevices which
have these addresses in this (ft) or ttdriver
84392368 UCB$L_TT_GETNXT 843E9170 TTDRIVER+02BB0
8439236C UCB$L_TT_PUTNXT 843E8DD8 TTDRIVER+02818
84392370 UCB$L_TT_CLASS 843E6E50 DDT+0010F
84392374 UCB$L_TT_PORT 84355FAC FTDRIVER+0016C
So in ptd$write we jump to 54 hex of the port vect, looking at this we see
SDA> eval @(84423618 + 54)
Hex = 843EB315 Decimal = -2076265707 TTDRIVER+04D55
SDA> ex/inst ttdriver + 4d55;50
TTDRIVER+04D55: PUSHL R0
TTDRIVER+04D57: MOVL 00D4(R5),R0
TTDRIVER+04D5C: BEQL TTDRIVER+04D67 (ucb$l_tt_logucb <> 0 so don't branch)
TTDRIVER+04D5E: TSTW 70(R0) (ucb$w_refc = 3 so don't branch)
TTDRIVER+04D61: BEQL TTDRIVER+04D67
TTDRIVER+04D63: MOVL (SP)+,R0
TTDRIVER+04D66: RSB
So we would have gone thru this and rsbed, plus r0 will end up with what we
started with. So we will rsb, but to what, remember we went into here with a
jmp and left with a rsb.
Now on entry to a system service (see chaper 6 in internal book i think)
we have a standard 5 argument call frame(may have extra stuff on stack for a
non-standard system service, but checking the ptd dispatcher we see that it
clears the stack (movl fp,sp) so we will rsb to the top thing on the stack
which wil be the condition handler = 0. Checking the stack. (didn't bother to
see why the 2nd exception occurred)
SP => 7FFE7754 00000000
7FFE7758 00000000
7FFE775C 7FE76944
7FFE7760 7FFE77E4 CTL$GL_KSTKBAS+005E4
7FFE7764 80000014 EXE$QIOW_3+00004
7FFE7768 838B0AD1 EXCEPTION+026D1
7FFE776C 00000002
7FFE7770 7FFE7790 CTL$GL_KSTKBAS+00590
7FFE7774 7FFE7778 CTL$GL_KSTKBAS+00578
7FFE7778 00000004
7FFE777C 7FFE77E4 CTL$GL_KSTKBAS+005E4
7FFE7780 FFFFFFFD LKB$K_SCSWAIT
7FFE7784 00000000
7FFE7788 00C00008 PSL$M_PRVMOD+00008
7FFE778C 0000000A
7FFE7790 00000005
7FFE7794 0000000C
7FFE7798 00000001
7FFE779C 00C00008 PSL$M_PRVMOD+00008
7FFE77A0 80000010 EXE$QIOW_3
7FFE77A4 00000009
7FFE77A8 838B0A4D EXCEPTION+0264D
7FFE77AC 00000002 -> call frame of original exception
7FFE77B0 7FFE77D0 CTL$GL_KSTKBAS+005D0
7FFE77B4 7FFE77B8 CTL$GL_KSTKBAS+005B8
7FFE77B8 00000004 - > mech array
7FFE77BC 7FFE77E4 CTL$GL_KSTKBAS+005E4
7FFE77C0 00000000
7FFE77C4 84423618 - > ro = ucb$l_tt_port
7FFE77C8 00000001 - > r1
7FFE77CC 05000001
7FFE77D0 00000005 -> sig array
7FFE77D4 0000000C accvio
7FFE77D8 00000000 rm
7FFE77DC 00000000 va
7FFE77E0 00000000 PC
top of ss--> 7FFE77E4 00C00008 PSL$M_PRVMOD+00008 PSL
call frame
should be here
7FFE77E8 00000000 register save mask
7FFE77EC 7FE76944 saved ap
7FFE77F0 7FE76908 saved fp
7FFE77F4 838AE858 EXCEPTION+00458 (return pc - ie
sys_service exit)
exception saved PC/PSL from cmkl
7FFE77F8 0000782E saved PC
7FFE77FC 03C00000 saved PSL
So we crash due to rsbing to 0. Only question that remains is what was wrong
in the prot and class vector table. I think the reasons for this is that the
port/class vector of the ptd devices are different to the standard tt ones.
In particular ptd is larger than that for the standard terminal device.
Watch doesn't realise this, and allocates new port class vectors of the
standard size, ofset 54 in the port table goes past the end of the standard one
so we get jumping to an irelevent address. The actual adress we dump to is
the class_setup ucb address within the class table which is adjacent (higher)
in memory to the port table.
ie port+ 54 is 8442367c which is class + 08 which corresponds to the
class_setup_ucb routine
842FBBF0 UCB$L_TT_CLASS 84423664
842FBBF4 UCB$L_TT_PORT 84423618
Must assume from this that it is not safe to use watch on any psuedo-terminal
device. This would include any process communicating via ssu but also perhaps
workstations processes (as these use ptd devices).PS don't think watch was used
on this processes, but on the client process (index 96), ie on the other end of
the psuedo terminal.
|