Created By: zhaorong wu (4/8/2014 6:25 PM)
Hi xiansong:
thanks for your help, i will try to do it as you said.
Created By: Xiansong Shen (4/8/2014 12:59 AM)
Steps for loading dump manually,
system.cpu HEXAGONV5
system.up
cd dump path
do load.cmm
cd elf folder
d.load.elf M8x10BAAAANTZQ203007.elf /nocode /noclear
cd the floder of qurt_model.t32(\modem_proc\core\kernel\qurt\install\modemv5\debugger\T32)
menu.reset
task.config qurt_model.t32
menu.reprogram qurt_model.men
v.v %HEX (int)QURTK_flush_cache_status (int)QURT_system_state %OPEN.1 coredump QURT_error_info %OPEN.off %STRING qxdm_dbg_msg
Created By: Xiansong Shen (4/8/2014 12:36 AM)
We use internal tool, what's the error?
Created By: zhaorong wu (4/8/2014 12:23 AM)
Hi xiansong:
i follow this documents, but i can not load dump.
can you capture your whole process for me? many thanks!
Created By: Xiansong Shen (4/8/2014 12:10 AM)
Refer to 80-NC839-6 for modem dump loading. Thanks
Created By: Xiansong Shen (4/7/2014 10:18 PM)
As we talked, let put this stack corruption issue to monitor. Thanks
Created By: zhaorong wu (4/7/2014 6:23 PM)
Hi xiansong:
what's the next steps?
Created By: zhaorong wu (4/4/2014 1:46 AM)
Hi xiansong:
we just modify a little code at modem side, and i check more and more, i don't think the code we modify will case system crash.
Created By: zhaorong wu (4/3/2014 11:46 PM)
Hi xiansong:
for more dump. you can follow case:01492219.
Created By: Xiansong Shen (4/3/2014 11:24 PM)
0755 33960735
Created By: zhaorong wu (4/3/2014 10:54 PM)
Hi siqing and xiansong:
can you leave your phone number for more discussing?
Created By: zhaorong wu (4/3/2014 9:03 PM)
Hi xiansong:
i upload the file file we modify at wms module, you can search string "CONFIG_CALD01" for it.
we just modify for one file, please check.
my phone is 13480613219, any question you can call me.
Created By: Xiansong Shen (4/3/2014 8:22 PM)
For the "port_379 dump ", looks like the stack corrupt in the task "mc".
So, please review the code you added recently, doubt it has wild pointer.
Created By: Xiansong Shen (4/3/2014 8:08 PM)
Dear customer
Here is the issue, the stack of the pd_comms_wms_task was corrpted.
What did you added into this task? We can review related code.
Can you reproduce this issue? Maybe we can debug by set writable breakpoint.
018F001E Precise, Unrecoverable Program counter values that are not properly aligned.
SP 0B3780F8
FP 0B378148
LR 3 /// crash because LR is 3, not valid PC address
ELR 098008B0
SSR 018F001E
0B378128 09800370 time_get
0B378138 093E3058 msg_get_time
0B3781B8 097F6E88 diag_f3_trace_buffer_init
0B3781E8 093E3244 qsr_v3_int_msg_send_3
0B378298 08B1C8D8 pd_comms_wms_task /// didn't invoke the qsr_v3_int_msg_send_3, it invoke the os_DogHeartbeatReport
0B378348 097B9CEC TASK_ENTRY
0B378358 097C137C rex_os_thread_entry_func
Thanks
Created By: zhaorong wu (4/3/2014 7:54 PM)
Hi siqing:
i have uploaded about.xml and rex_signals.c files, please check, thanks!
Created By: Siqing Zhang (4/2/2014 11:55 PM)
what the modem project version do you use ? please give me the about.xml have a check
could you give me the rex_signals.c have a check
Created By: zhaorong wu (4/2/2014 11:19 PM)
这个我们不会动
Created By: Siqing Zhang (4/2/2014 11:07 PM)
hi
the call stack is
-000|time_genoff_get_pointer(
| ?)
| _xx_fmt = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x
| xx_msg_const = (desc = (line = 0x0, ss_id = 0x0, ss_mask = 0x0), fmt = 0x
-001|rex_os_set_sigs(
| ?,
| ?,
| p_ret_sigs = 0x3 = __assert_sink__+0x2 -> 0x0,
| sigs_array_limit = 0x1)
| _xx_fmt = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x
| xx_msg_const = (desc = (line = 0x0, ss_id = 0x0, ss_mask = 0x0), fmt = 0x
| _xx_fmt = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x
| xx_msg_const = (desc = (line = 0x0, ss_id = 0x0, ss_mask = 0x0), fmt = 0x
| _xx_fmt = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x
| xx_msg_const = (desc = (line = 0x0, ss_id = 0x0, ss_mask = 0x0), fmt = 0x
-002|rex_set_sigs(
| ?,
| set_sigs = 0x00010000)
| prev_sigs = 0x0
| _xx_fmt = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x
| xx_msg_const = (desc = (line = 0x0, ss_id = 0x0, ss_mask = 0x0), fmt = 0x
| _xx_fmt = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x
| xx_msg_const = (desc = (line = 0x0, ss_id = 0x0, ss_mask = 0x0), fmt = 0x
---|end of frame
i also can't find which function is called the time_genoff_get_pointer in the rex_os_set_sigs, do you chang somgthing in the rex_os_set_sigs
Created By: zhaorong wu (4/2/2014 8:54 PM)
but from the dump we can find the base is 0xAD02EE0 so it is wrong.
i will give you a attachment you can check.
any question you can tell me
-----这个还有上级的调用栈呢? 从哪个函数调入的,
请麻烦告之。谢谢。
Created By: zhaorong wu (4/1/2014 2:41 AM)
Hi Siqing:
i check the attachment, as you point out, if the value is wrong, i think maybe memory overflow can cause that.
but how to get the root case to fix it?
Created By: Siqing Zhang (3/31/2014 7:57 PM)
hi customer
about the dump Port_COM483,the result is the base is wrong ,you can check the function
time_genoff_ptr time_genoff_get_pointer
(
/* Time bases whose pointer needs to be returned */
time_bases_type base
)
{
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
ASSERT( base < ATS_MAX ); // i suspect the base is wrong
return &(ats_bases[base]) ;
}
the base is time_bases_type ,and from the
typedef enum time_bases
{
ATS_RTC = 0, /**< Real time clock timebase.*/
ATS_TOD, /**< Proxy base for number of bases.*/
ATS_USER, /**< User timebase. */
ATS_SECURE, /**< Secure timebase. */
ATS_DRM, /**< Digital rights management timebase. */
ATS_USER_UTC, /**< Universal Time Coordinated user timebase. */
ATS_USER_TZ_DL, /**< Global time zone user timebase. */
ATS_GPS, /**< Base for GPS time. \n
@note1hang When ATS_GSTK is modified, changes are also
reflected on ATS_TOD. */
ATS_1X, /**< Base for 1X time. \n
@note1hang When ATS_1X is modified, changes are also
reflected on ATS_TOD. */
ATS_HDR, /**< Base for HDR time. \n
@note1hang When ATS_HDR is modified, changes are also
reflected on ATS_TOD. */
ATS_WCDMA, /**< Base for WCDMA time. \n
@note1hang When ATS_WCDMA is modified, changes are also
reflected on ATS_TOD. */
ATS_MFLO, /**< Base for MediaFLO time. \n
@note1hang When ATS_MFLO is modified, changes are also
reflected on ATS_TOD. */
ATS_3GPP, /**< LTE timebase. */
ATS_LTE_HR, /**< Base for storing LTE SIB16 Time. SIB16 has the same
granularity as 1x. It will also have TOD as a proxy base*/
ATS_PRIVATE = 0x1000000, /**< Holder for Private Bases that are declared
outside of generic time framework */
ATS_INVALID = 0x10000000
} time_bases_type;
#define ATS_MAX ( ATS_LTE_HR + 1 )
the ATS_LTE_HR=14 so ATS_MAX=15
but from the dump we can find the base is 0xAD02EE0 so it is wrong.
i will give you a attachment you can check.
any question you can tell me
thanks
Created By: zhaorong wu (3/30/2014 11:33 PM)
HI siqing:
for Port_COM483 dump, we donen't do anything, just open wifi hot function.
Created By: Siqing Zhang (3/30/2014 7:36 PM)
Hi customer
in the case 01490261 i find the dump 483 is add the debug information,please deleate this and have a try you can check below function ,i suspect the base is wrong
time_genoff_ptr time_genoff_get_pointer
(
/* Time bases whose pointer needs to be returned */
time_bases_type base
)
{
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
ASSERT( base < ATS_MAX ); // i suspect the base is wrong
return &(ats_bases[base]) ;
}
Created By: Siqing Zhang (3/30/2014 7:28 PM)
Hi customer
about the Port_COM483 dump ,what do you do when it is crash ?
and how often this happend?
thanks
Created By: Siqing Zhang (3/30/2014 7:03 PM)
Hi customer
from the dump it is not the modem bsp issue .
you can work together with the case 01492219 owner to solve it
thanks
Created By: zhaorong wu (3/30/2014 6:35 PM)
Hi siqing:
if that, how to fix it?
Created By: Siqing Zhang (3/28/2014 1:38 AM)
Hi customer
in the port_379 dump
in the rlp_tx_get_next_frame
(
byte **frame_ptr, /* address of ptr for the TX frame */
boolean primary_frame, /* Primary channel yes/no indicator */
rlp_rate_enum_type allowed_rate /* required rate (for sig/sec. chans) */
)
the primary_frame is boolean only can be true or False ,but from the call stack it is 0x22
rlp_tx_get_next_frame(frame_ptr = 0x03E8 = EIPSIZE+0x28, primary_frame = 0x22, ?)
maybe it is the root cause
thanks
Created By: Siqing Zhang (3/28/2014 1:15 AM)
hi customer
these two dump are not the same
for port_379 dump
09F417E0 0B433640 00000057 9E 0 SUSPENDED mc /// died in this task
died in this file mdrrlp.c in the rlp_tx_get_next_frame function
call stack is
rlp_tx_get_next_frame(frame_ptr = 0x03E8 = EIPSIZE+0x28, primary_frame = 0x22, ?)
send_handoff_complete_msg()
mcctcho_post_process_handoff()
tc_trans_done_rpt()
tc_tc()
cdma_tc()
mcc_subtask(?)
mc_cdma_prot_activate(?)
mc_process_cmd()
mc_task(?)
TASK_ENTRY(argv = 0x0B0E4BC8)
rex_get_errno_addr()
pthread_stub(?)
qurt_root_setup(?, stack_size = 0x0)
end of frame