Re: General Protection fault (sounds familiar?)

Marcel Landman Mon, 15 Nov 1999 17:50:15 -0800
>> Also, I seem to end up at a different point in dosdebug,

>It is exactly the same: ffff:cd1a=10cd0a

Sorry, I wasn't very clear. I mean I crash at a different point when
then when I was using the .rpm version of 0.98.8. The above crash was
with 0.98.8 I installed from source.

>> General Protection Fault, system state: stopped
>> AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246  DI=ffff  SP=087c  BP=0001
>> DS=0669  ES=081d  FS=0000  GS=0000  FL=3206
>> CS:IP=ffff:cd1a       SS:SP=0669:087c
>> ffff:cd1a D805             fadd    dword ptr [di]

> This opcode must cause the error: access to 32-bit data at end
> of segment (offset=ffff). The question is how did you get there.
> Check what segment DOS uses for its stack - maybe it is bug in
> the DOS (not DosEmu), and during DOS call processing it jumps
> to some strange address which contains this bad code. I suppose
> detailed check of stack contents will help find the reason.

Yes, the instructions prior to that:

ffff:cd10 0000             add     [bx+si],al
ffff:cd12 0000             add     [bx+si],al
ffff:cd14 0000             add     [bx+si],al
ffff:cd16 0000             add     [bx+si],al
ffff:cd18 0000             add     [bx+si],al
ffff:cd1a D805             fadd    dword ptr [di]

Looks like a cpu racing around in a data area. Here is the stack:

0669:0860 8C 6A 32 E7 02 00 05 00 00 00 86 8A 46 32 FF FF 
.j2g........F2
0669:0870 01 00 69 06 1D 08 30 CD FF FF 03 32 65 D1 2E D0 
..i...0M.2eQ.P
0669:0880 00 26 04 00 00 00 70 CB FF FF 00 00 00 00 00 00 
.&....pK......
0669:0890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
0669:08a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
0669:08b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
0669:08c0 00 00 00 00 00 00 00 00 00 00 01 02 00 06 5D 65 
..............]e
0669:08d0 00 44 0A 66 00 46 0A 67 00 48 0A 68 00 4A 0A 69 
.D.f.F.g.H.h.J.i

I am new to dosdebug, so you'll have to tell me which flags you want on
if you want to see some logging. I either get too much, or too litlle.
In the mean time, I have tried to figure out what is happening starting
from the beginning point. This is a bit much data, but may be useful to
some of the Sherlocks out there:

Ok. first the application calls a sub:

tc
(...)(lots of stuff and then:)
0615:1a42 E84203           call    1D87
General Protection Fault, AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246 
DI=ffff  SP=087c  BP=0001
DS=0669  ES=081d  FS=0000  GS=0000  FL=3206
CS:IP=ffff:cd1a       SS:SP=0669:087c

ffff:cd1a D805             fadd    dword ptr [di]

-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

I then set a breakpoint so it lets me trace inside of 1D87 (after
restarting):
bp 615:1a42
tc
(...)
Trap 1, AX=1100  BX=0000  CX=000e  DX=2f21  SI=00c5  DI=0000  SP=7f42 
BP=7f48
DS=2a5f  ES=2932  FS=0000  GS=0000  FL=3302 
CS:IP=0615:19ea       SS:SP=2a5f:7f42

0615:19ea CD16             int     16
General Protection Fault, AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246 
DI=ffff  SP=087c  BP=0001
DS=0669  ES=081d  FS=0000  GS=0000  FL=3206
CS:IP=ffff:cd1a       SS:SP=0669:087c

ffff:cd1a D805             fadd    dword ptr [di]

-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

right, so it crashes inside int 16... I look at 0:58, which I believe
to be the interrupt table entry for int 16 and use the address there
for my next break point:

bp 615:1a42
bp 70:42d
tc
...

Trap 1, AX=4b00  BX=0082  CX=0000  DX=00bc  SI=5861  DI=05f9  SP=028a 
BP=7dce
DS=0605  ES=0605  FS=0000  GS=0000  FL=3312
CS:IP=0605:046b       SS:SP=0605:028a

0605:046b CD21             int     21
General Protection Fault, AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246 
DI=ffff  SP=087c  BP=0001
DS=0669  ES=081d  FS=0000  GS=0000  FL=3206
CS:IP=ffff:cd1a       SS:SP=0669:087c

ffff:cd1a D805             fadd    dword ptr [di]

-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

Facinating! This program is trying to load & excute another program.
This 
is asking for trouble ...

Interrupt 21 lives, I believe, at 0:84, so I set another breakpoint:

bp 615:1a42
bp 70:42d
bp c9:fb2
tc
(...)
Trap 1, AX=1123  BX=0004  CX=751f  DX=8a86  SI=8a86  DI=03be  SP=090e 
BP=0444
DS=0669  ES=00c9  FS=0000  GS=0000  FL=3346
CS:IP=ff33:ada2       SS:SP=00c9:090e

ff33:ada2 CD2F             int     2F
General Protection Fault, AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246 
DI=ffff  SP=087c  BP=0001
DS=0669  ES=081d  FS=0000  GS=0000  FL=3206
CS:IP=ffff:cd1a       SS:SP=0669:087c

ffff:cd1a D805             fadd    dword ptr [di]

-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

hmmm, dos crashes while trying to resolve a filename? A network problem
perhaps. Let's see what happens inside of int 2f...

bp 615:1a42
bp 70:042d
bp c9:fb2
bp 436:1cc
tc
(...)
Trap 1, AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246  DI=ffff  SP=0876 
BP=0001
DS=0669  ES=081d  FS=0000  GS=0000  FL=3146
CS:IP=ff33:43ac       SS:SP=0669:0876

ff33:43ac CF               iret
General Protection Fault, AX=0002  BX=0005  CX=0000  DX=8a86  SI=3246 
DI=ffff  SP=087c  BP=0001
DS=0669  ES=081d  FS=0000  GS=0000  FL=3206
CS:IP=ffff:cd1a       SS:SP=0669:087c

ffff:cd1a D805             fadd    dword ptr [di]

-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

ehm, right so iret goes nowhere, I suppose. Let's see what the stack
says 
at that point...

bp ff33:43ac
g

-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

Gets me there 2-3 times and then crashes without even looking at my
beautiful
break point! (read-only?)

ok, how about this,

bp ff33:43ac
bp 615:1a42
bp 70:042d
bp c9:fb2
bp 436:1cc
tc
(...)

ff33:11dc 0000             add     [bx+si],al
Trap 1, AX=0005  BX=1042  CX=0000  DX=0000  SI=0000  DI=0000  SP=f012 
BP=43ad
DS=ff33  ES=3106  FS=0000  GS=0000  FL=3106
CS:IP=ff33:11de       SS:SP=0750:f012

ff33:11de 0000             add     [bx+si],al
Trap 1, AX=0005  BX=1042  CX=0000  DX=0000  SI=0000  DI=0000  SP=f012 
BP=43ad
DS=ff33  ES=3106  FS=0000  GS=0000  FL=3102
CS:IP=ff33:11e0       SS:SP=0750:f012

ff33:11e0 0000             add     [bx+si],al

****
leavedos(4) called, at termination point of DOSEMU
****

AX=0005  BX=1042  CX=0000  DX=0000  SI=0000  DI=0000  SP=f012  BP=43ad
DS=ff33  ES=3106  FS=0000  GS=0000  FL=3306
CS:IP=ff33:11fc       SS:SP=0750:f012

ff33:11fc FFFF             ???     di


-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

Crashes differently and the program's output is also different:

ERROR: unexpected CPU exception 0x06 errorcode: 0x00000000 while in vm86
(DOS)

Program=sigsegv.c, Line=246
EIP: ff33:000011fc ESP: 0750:0000f012  VFLAGS(b): 00000 00110001
00000110
EAX: 00000005 EBX: 00001042 ECX: 00000000 EDX: 00000000 VFLAGS(h):
00003106
ESI: 00000000 EDI: 00000000 EBP: 000043ad DS: ff33 ES: 3106 FS: 0000 GS:
0000
FLAGS: PF TF IF RF VM  IOPL: 3
STACK: 00 00 00 00 ad 43 42 10 33 ff -> 00 00 00 00 00 00 00 00 00 00 
OPS  : 00 00 00 00 00 00 00 00 3c 02 -> ff ff 3f 02 27 03 50 00 00 10 
        ffff                ff33:11fc ???     di


-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/

Right, well that is as far as I get. I'll need a bit more coaching in
how to get to the bottom of this, obviously.

-Marcel Landman
Re: General Protection fault (sounds familiar?)

Reply via email to
