From: Marvin Häuser
To: edk2-devel@lists.01.org
CC: afish@apple.com
Date: Sun, 14 Aug 2016 02:24:17 +0000
Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

Sorry. For some reason, I didn't get to read the paragraph about TemporaryRamSupportPpi and somehow skipped to the PS.
I suppose my hint is not related to the crash then, though I hope it was still helpful in some way, as it seems to assume that the PPI List is in the temporary heap nevertheless.

Regards,
Marvin.

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Marvin Häuser
> Sent: Saturday, August 13, 2016 3:47 AM
> To: edk2-devel@lists.01.org
> Cc: Andrew Fish
> Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the
> PEI Core by grabbing memory from PeiTemporaryRamBase?
>
> Hello Andrew,
>
> Unfortunately I cannot test anything right now and I don't have a whole lot of
> knowledge in this area, though I might have a hint for you.
>
> While PpiList is equal to the original TempRam base, the TempRam base
> passed to PEI is equal to the original TempRam base + the size of the PpiList,
> hence PpiList is smaller than the base address passed to PEI. The PpiList is
> then installed via the PeiServicesInstallPpi () function:
>
> call:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L386
> implementation:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L183
>
> The list is then added to PpiData.PpiListPtrs.
>
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L229
>
> I am not sure at which point of time you are experiencing the crash, but after
> permanent memory is available, ConvertPpiPointers () is called, which then
> calls ConvertSinglePpiPointer () for old heap, old stack and old hole (I'm afraid
> I do not know what TempRam Hole is and if it is related).
>
> ConvertPpiPointers () call:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L237
> Old Heap ConvertSinglePpiPointer () call:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L127
>
> The call for the old heap conversion passes the TempRam base, which has
> been incremented as we know, and thus the comparison to TempBottom will
> fail, as TempBottom is PeiTemporaryRamBase, which is larger than PpiList,
> which is one of the items in PpiListPtrs, which is the object of the conversion.
>
> comparison to TempBottom:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L60
>
> As the pointer to the PpiList passed by SecCore is probably not converted as
> detailed above, I assume something post-mem attempts to access this
> former PpiList by the old temporary RAM address and that somehow causes
> trouble; I assume the SEC PpiList being part of the PEI memory is an
> assumption made by the person who wrote this code. I'm not sure about
> why it crashes, as I do not know the entire PEI control flow, though I hope
> this can help you in some way.
>
> Please excuse me if I have made a mistake in understanding the referenced
> code and wasted your time.
>
> Regards,
> Marvin.
>
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Andrew Fish
> > Sent: Saturday, August 13, 2016 1:25 AM
> > To: edk2-devel
> > Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the
> > PEI Core by grabbing memory from PeiTemporaryRamBase?
> >
> > I grabbed some memory between SEC and the PEI Core by adjusting
> > SecCoreData->PeiTemporaryRamBase and SecCoreData->PeiTemporaryRamSize.
> >
> > When looking at the code I don't really understand the logic of the algorithm?
> > So maybe I'm doing something wrong.
> >
> > This adjustment does not seem right to me?
> >
> > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
> >
> >         //
> >         // Heap Offset
> >         //
> >         BaseOfNewHeap = TopOfNewStack;
> >         if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
> >           Private->HeapOffsetPositive = TRUE;
> >           Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
> >         } else {
> >           Private->HeapOffsetPositive = FALSE;
> >           Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
> >         }
> >
> > The above code seems to be making a very strange adjustment. I noticed
> > the adjustment in my failing case was off by 0xC0 which is the amount
> > of memory I carved out prior to entering the PEI Core.
> >
> > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796
> >
> >         //
> >         // Temporary Ram Support PPI is provided by platform, it will copy
> >         // temporary memory to permanent memory and do stack switching.
> >         // After invoking Temporary Ram Support PPI, the following code's
> >         // stack is in permanent memory.
> >         //
> >         TemporaryRamSupportPpi->TemporaryRamMigration (
> >           PeiServices,
> >           TemporaryRamBase,
> >           (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
> >           TemporaryRamSize
> >           );
> >
> > And this is also a case in which the stack got bigger. But it seems to
> > me the shift is really defined by TemporaryRamBase, TopOfNewStack, and
> > TemporaryStackSize in this case.
> >
> > The failure I hit was OldCoreData->Fv pointer was shifted so when the
> > PPI was called the system crashed. Is this a bug in the
> > gEfiTemporaryRamSupportPpiGuid path?
> >
> > If I changed the HeapOffset algorithm my crash went away?
> >
> >         Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;
> >
> > Thanks,
> >
> > Andrew Fish
> >
> > PS My failure case was the EmulatorPkg. I've not had a chance to
> > verify this failure in the open source yet, but I'm guessing reversing
> > this #if will make it happen.
> >
> > https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107
> >
> >   #if 0
> >     // Tell the PEI Core to not use our buffer in temp RAM
> >     SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
> >     SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
> >     SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
> >   #else
> >     {
> >       //
> >       // When I subtract from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
> >       // or I don't understand temp RAM correctly?
> >       //
> >       EFI_PEI_PPI_DESCRIPTOR PpiArray[10];
> >
> >       SecPpiList = &PpiArray[0];
> >       ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
> >     }
> >   #endif
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
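A small model of the two HeapOffset formulas discussed in this thread, added here as an example (it is not edk2 code; the addresses are constructed and the names only mirror the thread). It assumes the stack sits at the bottom of temporary RAM with the PEI heap directly above it, and that the platform's TemporaryRamMigration copies the whole block contiguously. Under those assumptions the Dispatcher's offset comes out short by exactly the amount SEC carved off PeiTemporaryRamBase (0xC0 in Andrew's case), and the SEC PpiList left at the original base falls outside the old-heap conversion range Marvin points at.

```c
#include <stdint.h>
#include <stdbool.h>

typedef uintptr_t UINTN;

/* Constructed SEC -> PEI hand-off values (made up for illustration).
 * Assumed layout: stack at the bottom of temp RAM, PEI heap right above it. */
typedef struct {
  UINTN TemporaryRamBase;     /* SecCoreData->TemporaryRamBase */
  UINTN TemporaryRamSize;     /* SecCoreData->TemporaryRamSize */
  UINTN TemporaryStackSize;   /* SecCoreData->StackSize */
  UINTN PeiTemporaryRamBase;  /* SecCoreData->PeiTemporaryRamBase, after SEC's carve-out */
  UINTN TopOfNewStack;        /* top of the stack in permanent memory */
} HandOff;

/* SEC carves `carve` bytes off the front of the PEI heap for its PPI list. */
static HandOff MakeHandOff(UINTN carve) {
  HandOff h = { 0x80000, 0x10000, 0x8000, 0, 0x3F08000 };   /* fields in struct order */
  h.PeiTemporaryRamBase = h.TemporaryRamBase + h.TemporaryStackSize + carve;
  return h;
}

/* Offset as the quoted Dispatcher snippet computes it: heap assumed to land at TopOfNewStack. */
static UINTN HeapOffsetDispatcher(const HandOff *h) {
  UINTN baseOfNewHeap = h->TopOfNewStack;
  return baseOfNewHeap >= h->PeiTemporaryRamBase ? baseOfNewHeap - h->PeiTemporaryRamBase
                                                 : h->PeiTemporaryRamBase - baseOfNewHeap;
}

/* Offset proposed in the thread: shift of the whole block handed to TemporaryRamMigration.
 * Valid only if the platform PPI copies that block contiguously (an assumption made here). */
static UINTN HeapOffsetFromMigration(const HandOff *h) {
  return (h->TopOfNewStack - h->TemporaryStackSize) - h->TemporaryRamBase;
}

/* Difference between the two formulas; the thread reports 0xC0 for a 0xC0 carve-out. */
UINTN OffsetDiscrepancy(UINTN carve) {
  HandOff h = MakeHandOff(carve);
  return HeapOffsetFromMigration(&h) - HeapOffsetDispatcher(&h);
}

/* A range check of the shape the old-heap conversion applies ([TempBottom, TempTop)):
 * the SEC PpiList sits at the original heap base, below the carved-up PeiTemporaryRamBase. */
bool PpiListIsConverted(UINTN carve) {
  HandOff h = MakeHandOff(carve);
  UINTN ppiList    = h.TemporaryRamBase + h.TemporaryStackSize;   /* original heap base */
  UINTN tempBottom = h.PeiTemporaryRamBase;
  UINTN tempTop    = h.TemporaryRamBase + h.TemporaryRamSize;
  return ppiList >= tempBottom && ppiList < tempTop;              /* false once carve > 0 */
}
```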