>> Also, I seem to end up at a different point in dosdebug,
> It is exactly the same: ffff:cd1a=10cd0a
Sorry, I wasn't very clear. I mean I crash at a different point than
when I was using the .rpm version of 0.98.8. The above crash was
with 0.98.8 I installed from source.
>> General Protection Fault, system state: stopped
>> AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
>> DS=0669 ES=081d FS=0000 GS=0000 FL=3206
>> CS:IP=ffff:cd1a SS:SP=0669:087c
>> ffff:cd1a D805 fadd dword ptr [di]
> This opcode must cause the error: access to 32-bit data at end
> of segment (offset=ffff). The question is how did you get there.
> Check what segment DOS uses for its stack - maybe it is bug in
> the DOS (not DosEmu), and during DOS call processing it jumps
> to some strange address which contains this bad code. I suppose
> detailed check of stack contents will help find the reason.
Yes, the instructions prior to that:
ffff:cd10 0000 add [bx+si],al
ffff:cd12 0000 add [bx+si],al
ffff:cd14 0000 add [bx+si],al
ffff:cd16 0000 add [bx+si],al
ffff:cd18 0000 add [bx+si],al
ffff:cd1a D805 fadd dword ptr [di]
Looks like a CPU racing around in a data area. Here is the stack:
0669:0860 8C 6A 32 E7 02 00 05 00 00 00 86 8A 46 32 FF FF  .j2g........F2
0669:0870 01 00 69 06 1D 08 30 CD FF FF 03 32 65 D1 2E D0  ..i...0M.2eQ.P
0669:0880 00 26 04 00 00 00 70 CB FF FF 00 00 00 00 00 00  .&....pK......
0669:0890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0669:08a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0669:08b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0669:08c0 00 00 00 00 00 00 00 00 00 00 01 02 00 06 5D 65  ..............]e
0669:08d0 00 44 0A 66 00 46 0A 67 00 48 0A 68 00 4A 0A 69  .D.f.F.g.H.h.J.i
I am new to dosdebug, so you'll have to tell me which flags you want on
if you want to see some logging. I either get too much, or too little.
In the meantime, I have tried to figure out what is happening starting
from the beginning point. This is a bit much data, but may be useful to
some of the Sherlocks out there:
OK. First the application calls a sub:
tc
(...)(lots of stuff and then:)
0615:1a42 E84203 call 1D87
General Protection Fault, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3206
CS:IP=ffff:cd1a SS:SP=0669:087c
ffff:cd1a D805 fadd dword ptr [di]
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
I then set a breakpoint so it lets me trace inside of 1D87 (after
restarting):
bp 615:1a42
tc
(...)
Trap 1, AX=1100 BX=0000 CX=000e DX=2f21 SI=00c5 DI=0000 SP=7f42 BP=7f48
DS=2a5f ES=2932 FS=0000 GS=0000 FL=3302
CS:IP=0615:19ea SS:SP=2a5f:7f42
0615:19ea CD16 int 16
General Protection Fault, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3206
CS:IP=ffff:cd1a SS:SP=0669:087c
ffff:cd1a D805 fadd dword ptr [di]
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Right, so it crashes inside int 16... I look at 0:58, which I believe
to be the interrupt table entry for int 16, and use the address there
for my next break point:
bp 615:1a42
bp 70:42d
tc
...
Trap 1, AX=4b00 BX=0082 CX=0000 DX=00bc SI=5861 DI=05f9 SP=028a BP=7dce
DS=0605 ES=0605 FS=0000 GS=0000 FL=3312
CS:IP=0605:046b SS:SP=0605:028a
0605:046b CD21 int 21
General Protection Fault, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3206
CS:IP=ffff:cd1a SS:SP=0669:087c
ffff:cd1a D805 fadd dword ptr [di]
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Fascinating! This program is trying to load & execute another program.
This is asking for trouble ...
Interrupt 21 lives, I believe, at 0:84, so I set another breakpoint:
bp 615:1a42
bp 70:42d
bp c9:fb2
tc
(...)
Trap 1, AX=1123 BX=0004 CX=751f DX=8a86 SI=8a86 DI=03be SP=090e BP=0444
DS=0669 ES=00c9 FS=0000 GS=0000 FL=3346
CS:IP=ff33:ada2 SS:SP=00c9:090e
ff33:ada2 CD2F int 2F
General Protection Fault, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3206
CS:IP=ffff:cd1a SS:SP=0669:087c
ffff:cd1a D805 fadd dword ptr [di]
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Hmmm, DOS crashes while trying to resolve a filename? A network problem
perhaps. Let's see what happens inside of int 2f...
bp 615:1a42
bp 70:042d
bp c9:fb2
bp 436:1cc
tc
(...)
Trap 1, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=0876 BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3146
CS:IP=ff33:43ac SS:SP=0669:0876
ff33:43ac CF iret
General Protection Fault, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3206
CS:IP=ffff:cd1a SS:SP=0669:087c
ffff:cd1a D805 fadd dword ptr [di]
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Ehm, right, so iret goes nowhere, I suppose. Let's see what the stack
says at that point...
bp ff33:43ac
g
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Gets me there 2-3 times and then crashes without even looking at my
beautiful break point! (read-only?)
OK, how about this:
bp ff33:43ac
bp 615:1a42
bp 70:042d
bp c9:fb2
bp 436:1cc
tc
(...)
ff33:11dc 0000 add [bx+si],al
Trap 1, AX=0005 BX=1042 CX=0000 DX=0000 SI=0000 DI=0000 SP=f012 BP=43ad
DS=ff33 ES=3106 FS=0000 GS=0000 FL=3106
CS:IP=ff33:11de SS:SP=0750:f012
ff33:11de 0000 add [bx+si],al
Trap 1, AX=0005 BX=1042 CX=0000 DX=0000 SI=0000 DI=0000 SP=f012 BP=43ad
DS=ff33 ES=3106 FS=0000 GS=0000 FL=3102
CS:IP=ff33:11e0 SS:SP=0750:f012
ff33:11e0 0000 add [bx+si],al
****
leavedos(4) called, at termination point of DOSEMU
****
AX=0005 BX=1042 CX=0000 DX=0000 SI=0000 DI=0000 SP=f012 BP=43ad
DS=ff33 ES=3106 FS=0000 GS=0000 FL=3306
CS:IP=ff33:11fc SS:SP=0750:f012
ff33:11fc FFFF ??? di
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Crashes differently and the program's output is also different:
ERROR: unexpected CPU exception 0x06 errorcode: 0x00000000 while in vm86 (DOS)
Program=sigsegv.c, Line=246
EIP: ff33:000011fc ESP: 0750:0000f012 VFLAGS(b): 00000 00110001 00000110
EAX: 00000005 EBX: 00001042 ECX: 00000000 EDX: 00000000 VFLAGS(h): 00003106
ESI: 00000000 EDI: 00000000 EBP: 000043ad DS: ff33 ES: 3106 FS: 0000 GS: 0000
FLAGS: PF TF IF RF VM IOPL: 3
STACK: 00 00 00 00 ad 43 42 10 33 ff -> 00 00 00 00 00 00 00 00 00 00
OPS : 00 00 00 00 00 00 00 00 3c 02 -> ff ff 3f 02 27 03 50 00 00 10
ffff ff33:11fc ??? di
-*/-*/-*/-*/-*/-*/-*/-*/-*/-*/
Right, well that is as far as I get. I'll need a bit more coaching in
how to get to the bottom of this, obviously.
-Marcel Landman
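The two rules the quoted reply leans on (linear address = segment*16 + offset, and a data access that runs past offset FFFF of its segment raises a General Protection Fault), together with the IVT lookup (int N at 0000:N*4) used above to place the breakpoints, applied to the GPF dump quoted in this message. This is an added example, not code from the thread or from DOSEMU; the dosdebug line format it parses is assumed from the dump as printed above.

```python
import re

# Constructed sample: the General Protection Fault dump quoted in the message.
SAMPLE_DUMP = """\
General Protection Fault, AX=0002 BX=0005 CX=0000 DX=8a86 SI=3246 DI=ffff SP=087c BP=0001
DS=0669 ES=081d FS=0000 GS=0000 FL=3206
CS:IP=ffff:cd1a SS:SP=0669:087c
ffff:cd1a D805 fadd dword ptr [di]
"""
PTR_SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8, "tbyte": 10}  # bytes touched
REG_PAIR = re.compile(r"([A-Z]{2}(?::[A-Z]{2})?)=([0-9a-f]{4}(?::[0-9a-f]{4})?)")
MEM_OPERAND = re.compile(r"(\w+) ptr \[([a-z]{2})\]")  # e.g. "dword ptr [di]"

def parse_regs(dump):
    """Collect NAME=hex pairs into a dict; seg:off pairs such as CS:IP become tuples."""
    regs = {}
    for name, value in REG_PAIR.findall(dump):
        if ":" in value:
            seg, off = value.split(":")
            regs[name] = (int(seg, 16), int(off, 16))
        else:
            regs[name] = int(value, 16)
    return regs

def linear(seg, off):
    """Real-mode/V86 linear address: ffff:cd1a -> 0x10cd0a, i.e. up in the HMA."""
    return (seg << 4) + off

def ivt_entry(intno):
    """Offset in segment 0000 of the vector for int N (int 16h -> 0:0058)."""
    return intno * 4

def crosses_segment_limit(off, size):
    """True if a size-byte access at this offset runs past FFFF, the real-mode limit."""
    return off + size - 1 > 0xFFFF

def explain_fault(dump):
    """Return (linear CS:IP, effective offset, bytes accessed, faults?) for the dump."""
    regs = parse_regs(dump)
    cs, ip = regs["CS:IP"]
    # The disassembly line dosdebug prints after the registers starts with CS:IP.
    disasm = [l for l in dump.splitlines() if l.lower().startswith(f"{cs:04x}:{ip:04x}")][-1]
    m = MEM_OPERAND.search(disasm)
    if not m:  # no memory operand, so no segment-limit check applies
        return linear(cs, ip), None, 0, False
    size = PTR_SIZES[m.group(1)]
    ea = regs[m.group(2).upper()]  # 16-bit base register, here DI=ffff
    return linear(cs, ip), ea, size, crosses_segment_limit(ea, size)
```

For the dump above it reports a 4-byte access at offset ffff, bytes ffff..10002, which is exactly the end-of-segment access the reply identifies as the fault.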