From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <afish@apple.com>
Received: from mail-in4.apple.com (mail-out4.apple.com [17.151.62.26])
 (using TLSv1 with cipher AES256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id EEDAE1A1E07
 for <edk2-devel@lists.01.org>; Fri, 12 Aug 2016 16:25:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s;
 c=relaxed/simple; 
 q=dns/txt; i=@apple.com; t=1471044313; x=2334957913;
 h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:
 Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=cVTt/Gy8s5NonsnubqXemh8h9JKpTAYDniVFy5pEUk4=;
 b=u9q64THrfEjvUP1jr9vmiMp41siN2mErAQi04sZU4qnZ3nLuFuqbZk+iUUCsMZH0
 OmF5ZBY4dIqvMsdp/becYeeWr6FbTbivnaE7121aPTr+LztVkLBt30qt0sIDLihK
 /gmPgOuRxz7Eh4kacowRzSIAoLoTp5997NM/4sgSTC+HpxeZnTOBuH4XNyDpie8Q
 Gev/h4QfLWc9AwtU/iugHNfZygHBNV73lb8sthlCQbs1927C/EjJZaPmJhBBDDAt
 2pvsB/e/B+5OcsWNLYkEz8i4jyGNCu+gLuFH0LL9ZXlCTHmqZ1fCcKfqKyJddrnp
 XSv3W141SxkzmJNKjnRnIA==;
Received: from relay5.apple.com (relay5.apple.com [17.128.113.88])
 by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id
 78.A6.07433.9DA5EA75; Fri, 12 Aug 2016 16:25:13 -0700 (PDT)
X-AuditID: 11973e12-f79b16d000001d09-da-57ae5ad9856a
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com
 [17.128.115.155])
 by relay5.apple.com (Apple SCV relay) with SMTP id 3E.07.30701.9DA5EA75;
 Fri, 12 Aug 2016 16:25:13 -0700 (PDT)
MIME-version: 1.0
Received: from [17.153.71.106] by nwk-mmpp-sz11.apple.com
 (Oracle Communications Messaging Server 8.0.1.1.0 64bit (built Jun 15 2016))
 with ESMTPSA id <0OBT000R3L20AZ70@nwk-mmpp-sz11.apple.com> for
 edk2-devel@lists.01.org; Fri, 12 Aug 2016 16:25:13 -0700 (PDT)
Sender: afish@apple.com
From: Andrew Fish <afish@apple.com>
Message-id: <7B465500-570A-4B78-B1F2-458C36E7DC08@apple.com>
Date: Fri, 12 Aug 2016 16:25:12 -0700
To: edk2-devel <edk2-devel@lists.01.org>
X-Mailer: Apple Mail (2.3112)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrMLMWRmVeSWpSXmKPExsUi2FAYoXszal24warZahZ7Dh1ldmD06J79
 jyWAMYrLJiU1J7MstUjfLoEr4/WC94wFrxcwVxy7fI2xgfH2K6YuRk4OCQETifZ5x6BsMYkL
 99azdTFycQgJ7GWUeHX+BBtM0d+paxhBbCGBQ4wS7Z/BbF4BQYkfk++xgNjMAmESj1auYYdo
 7mKSONixFCwhLCAu8e7MJmYQm01AWWLF/A/sEPFSid9HLzBDDLKROPxyFZjNIqAqcXvLbbAa
 EQENia3drcwQR8hK7NuwAOw6CYEZbBI/H39in8AoMAvJIbOQHAJha0l8f9QKFOcAsuUlDp6X
 hQhrSjy79wmqRFviybsLrAsY2VYxCuUmZuboZuaZ6CUWFOSk6iXn525iBIXydDuhHYynVlkd
 YhTgYFTi4f3AuS5ciDWxrLgy9xCjNAeLkjivkPjacCGB9MSS1OzU1ILUovii0pzU4kOMTByc
 Ug2M0ZUtt/8cUFi5r7Zw6iSNZslVea0njGaeManorAysaXtS/qhG9X4er/LkaV7aL9/GJgue
 +VnJ9HNOtdfzVLHnCSlV09/NrC8LsfSdP+FS+YWpHFJzzJpChNp474Y0W4Zw/Ipf1VUyM/B1
 onTn7sx2nj0ZTS/ShCdxy4Tv4PZz/jYro6jxJ7sSS3FGoqEWc1FxIgCosRT2RgIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLIsWRmVeSWpSXmKPExsUi2FA8W/dm1LpwgxkL5S32HDrK7MDo0T37
 H0sAYxSXTUpqTmZZapG+XQJXxusF7xkLXi9grjh2+RpjA+PtV0xdjJwcEgImEn+nrmGEsMUk
 LtxbzwZiCwkcYpRo/wwW5xUQlPgx+R4LiM0sECbxaOUa9i5GLqCaLiaJgx1LwRLCAuIS785s
 Ygax2QSUJVbM/8AOES+V+H30AjPEIBuJwy9XgdksAqoSt7fcBqsREdCQ2NrdygxxhKzEvg0L
 2CYw8s5CsnsWkt0QtpbE90etQHEOIFte4uB5WYiwpsSze5+gSrQlnry7wLqAkW0Vo0BRak5i
 paleYkFBTqpecn7uJkZw6BVG7GD8v8zqEKMAB6MSD+8HznXhQqyJZcWVuUD/czArifB2hwOF
 eFMSK6tSi/Lji0pzUosPMU5kBHpgIrOUaHI+MDLySuINTUwMTIyNzYyNzU3MaSmsJM572wno
 IoH0xJLU7NTUgtQimKOYODilGhjP/73yxKBSV/RVWtS3xgv/ji2eWNE9fYpxRazVk1Tx5Z4X
 sxa4Rhw4MH+q+oHb/xMj07iljdTFuS54ltp3+0/SPG7MJXws9HD27Y+3i60/VB211p69qjLm
 ut3MbQKvHuU/r92yn9ldgHuqmqTcugUdn8wbnZgt9xe2/d++Xtrz3yW9faFB7zYrsRRnJBpq
 MRcVJwIA2I9ie7ACAAA=
X-Content-Filtered-By: Mailman/MimeDel 2.1.21
Subject: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 23:25:14 -0000
Content-Type: text/plain; CHARSET=US-ASCII
Content-Transfer-Encoding: 7BIT

I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize.

When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. 

This adjustment does not seem right to me?
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
      //
      // Heap Offset
      //
      BaseOfNewHeap = TopOfNewStack;
      if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
        Private->HeapOffsetPositive = TRUE;
        Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
      } else {
        Private->HeapOffsetPositive = FALSE;
        Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
      }


The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. 

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796

      //
      // Temporary Ram Support PPI is provided by platform, it will copy 
      // temporary memory to permenent memory and do stack switching.
      // After invoking Temporary Ram Support PPI, the following code's 
      // stack is in permanent memory.
      //
      TemporaryRamSupportPpi->TemporaryRamMigration (
                                PeiServices,
                                TemporaryRamBase,
                                (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
                                TemporaryRamSize
                                );


And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. 

The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path?

If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;

Thanks,

Andrew Fish

PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.


https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107

#if 0
  // Tell the PEI Core to not use our buffer in temp RAM
  SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
  SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
  SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
#else
  {
    //
    // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
    // or I don't understand temp RAM correctly?
    //
    EFI_PEI_PPI_DESCRIPTOR    PpiArray[10];

    SecPpiList = &PpiArray[0];
    ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
  }
#endif