How to work with branch and link - hyperlink

This is the object dump file, but I cannot understand why branch and link is always 0xebfffffe in ARM mode:
00000000 <main>:
   0: e92d4800 push {fp, lr}
   4: e28db004 add fp, sp, #4
   8: e24dd008 sub sp, sp, #8
   c: e3a0300a mov r3, #10
  10: e50b3008 str r3, [fp, #-8]
  14: e51b0008 ldr r0, [fp, #-8]
  18: ebfffffe bl 2c <fib>
  1c: e50b000c str r0, [fp, #-12]
  20: e1a00003 mov r0, r3
  24: e24bd004 sub sp, fp, #4
  28: e8bd8800 pop {fp, pc}

0000002c <fib>:
  2c: e92d4810 push {r4, fp, lr}
  30: e28db008 add fp, sp, #8
  34: e24dd014 sub sp, sp, #20
It is different from fib's address calculated with the reference manual's method.

My guess would be: Relocation
You probably used a compiled object (*.o) file, but the final address is calculated by the linker and is put in place once the finished program has been linked. Before that a placeholder is used instead.
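To see why the placeholder decodes the way it does, here is an added worked example (mine, not from the post or from any toolchain) that decodes and re-encodes an ARM-state BL. The encoding carries a signed 24-bit word offset in the low bits; the target is that offset times four added to the instruction address plus 8 (PC reads as current+8 in ARM state); and an unresolved call is emitted with imm24 = -2, which is a branch to the instruction itself. The 0x18 and 0x2c offsets are taken from the dump above; everything else is the example's own.

```c
#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * ARM-state B/BL encoding (A32):
 *   cond[31:28]  101[27:25]  L[24]  imm24[23:0]
 * target = (address of instruction + 8) + SignExtend(imm24) * 4
 */

/* True if insn is a conditional or always-executed BL (cond 1111 is the BLX space). */
int is_arm_bl(uint32_t insn)
{
    return ((insn >> 25) & 0x7u) == 0x5u
        && ((insn >> 24) & 0x1u) == 0x1u
        && ((insn >> 28) & 0xfu) != 0xfu;
}

/* Byte offset encoded in imm24, sign-extended from 24 bits. */
int32_t arm_bl_offset(uint32_t insn)
{
    int32_t imm24 = (int32_t)(insn & 0x00ffffffu);
    if (imm24 & 0x00800000)          /* bit 23 set: negative */
        imm24 -= 0x01000000;
    return imm24 * 4;                /* multiply, not shift: shifting a negative is UB in C */
}

/* Address the instruction at insn_addr branches to. */
uint32_t arm_bl_target(uint32_t insn_addr, uint32_t insn)
{
    return insn_addr + 8u + (uint32_t)arm_bl_offset(insn);
}

/* What the linker writes once the callee's address is known. */
uint32_t arm_bl_encode(uint32_t insn_addr, uint32_t target, uint32_t cond)
{
    int32_t off = (int32_t)(target - (insn_addr + 8u));
    /* must be word aligned and within the +/-32 MiB reach of imm24 */
    assert((off & 3) == 0 && off >= -(32 << 20) && off < (32 << 20));
    uint32_t imm24 = (uint32_t)(off / 4) & 0x00ffffffu;
    return (cond << 28) | (0x5u << 25) | (1u << 24) | imm24;
}

int main(void)
{
    /* From the object dump: at offset 0x18, 'bl 2c <fib>' is encoded as ebfffffe.
       Before relocation imm24 holds the placeholder -2, i.e. PC+8-8: a branch to itself. */
    uint32_t unresolved = 0xebfffffeu;
    printf("unrelocated: %08" PRIx32 " at 0x18 -> target 0x%02" PRIx32 " (its own address)\n",
           unresolved, arm_bl_target(0x18, unresolved));

    /* Once <fib> is known to sit at 0x2c, the linker rewrites imm24 = (0x2c - (0x18+8)) / 4 = 3. */
    uint32_t resolved = arm_bl_encode(0x18, 0x2c, 0xe /* AL */);
    printf("relocated:   %08" PRIx32 " at 0x18 -> target 0x%02" PRIx32 "\n",
           resolved, arm_bl_target(0x18, resolved));
    return 0;
}
```

On a GNU toolchain, `objdump -dr main.o` prints the pending relocation (for example `R_ARM_CALL fib`) next to the `bl`, and disassembling the linked executable shows the rewritten offset. Computing from section-relative offsets gives the right answer here only because main and fib sit in the same section; in general the linker's final addresses are what the encoded offset is derived from.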


This may be a bug of llvm-gcc for ios-armv7 that I can't explain

The following code works fine on linux-x86 and darwin-x86, but not on ios-armv7.
The right output should be:
m[0]: 0.500000, v: 0.500000
m[1]: 0.500000, v: 0.500000
m[2]: 0.500000, v: 0.500000
m[3]: 0.500000, v: 0.500000
m[4]: 0.500000, v: 0.500000
But I found this wrong output:
m[0]: 0.500000, v: 0.500000
m[1]: 0.500000, v: 0.000000
m[2]: 0.500000, v: 0.000000
m[3]: 0.500000, v: 0.000000
m[4]: 0.500000, v: 0.000000
I also found the following strange things when it's built for ios-armv7:
[a] remove the function 'func' and move the function body into 'main', it works fine
[b] declare the array 'm[5]' as 'double m[5]', it works fine
[c] set the variable 'v' as 'v = 0.5' or 'v = sqrt(2.0f/8)', it works fine
[d] if the gcc optimization option is '-O0', it works fine, but when it's '-O1' or '-O2', the wrong output occurs
My iPad1 was cracked, so I can cross-compile an executable on my MacBook Air, 'scp' the executable to the iPad1 and run it. The following are the details:
1. cross-compile an executable on the Mac:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -O1 -Wall -arch armv7 -mcpu=cortex-a8 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk -I/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk/usr/include -D__IPHONE_OS__ -miphoneos-version-min=4.0 foo.c
2. 'scp' the executable to the iPad
scp a.out mobile@192.168.1.106:~
3. 'ssh' to the iPad
ssh mobile@192.168.1.106 #the default password is 'alpine'
4. run a.out on the iPad
./a.out
#include <stdio.h>
#include <math.h>

int
func(int n) /* [a] */
{
    int i;
    float m[5]; /* [b] */
    double v;

    v = sqrt(2.0f/n); /* [c] */
    for (i = 0; i < 5; ++i) {
        m[i] = v;
        printf("m[%d]: %f, v: %f\n", i, m[i], v);
    }
    return 0;
}

int
main(int argc, char **argv)
{
    return func(8);
}
You can also find the whole code on https://gist.github.com/ashun/5992120
The following is the assembly. You can find the difference with the help of the command 'vim -d'.
assembly of the previous code, declare the array 'm[5]' as 'double m[5]'
.section __TEXT,__text,regular,pure_instructions
.section __TEXT,__textcoal_nt,coalesced,pure_instructions
.section __TEXT,__const_coal,coalesced
.section __TEXT,__picsymbolstub4,symbol_stubs,none,16
.section __TEXT,__StaticInit,regular,pure_instructions
.syntax unified
.section __TEXT,__text,regular,pure_instructions
.globl _func
.align 2
.code 16
.thumb_func _func
_func:
push {r4, r5, r6, r7, lr}
add r7, sp, #12
str r8, [sp, #-4]!
sub sp, #8
vmov.f32 s0, #2.000000e+00
movw r8, :lower16:(L_.str-(LPC0_0+4))
vmov s2, r0
movt r8, :upper16:(L_.str-(LPC0_0+4))
vcvt.f32.s32 d1, d1
LPC0_0:
add r8, pc
movs r4, #0
vdiv.f32 s0, s0, s2
vsqrt.f32 s0, s0
vcvt.f64.f32 d16, s0
vmov r5, r6, d16
LBB0_1:
mov r1, r4
mov r0, r8
mov r2, r5
mov r3, r6
vstr.64 d16, [sp]
adds r4, #1
blx _printf
cmp r4, #5
bne LBB0_1
movs r0, #0
add sp, #8
ldr r8, [sp], #4
pop {r4, r5, r6, r7, pc}
.globl _main
.align 2
.code 16
.thumb_func _main
_main:
push {r7, lr}
mov r7, sp
movs r0, #8
bl _func
movs r0, #0
pop {r7, pc}
.section __TEXT,__cstring,cstring_literals
L_.str:
.asciz "m[%d]: %f, v: %f\n"
.subsections_via_symbols
assembly of the previous code, declare the array 'm[5]' as 'double m[5]'
.section __TEXT,__text,regular,pure_instructions
.section __TEXT,__textcoal_nt,coalesced,pure_instructions
.section __TEXT,__const_coal,coalesced
.section __TEXT,__picsymbolstub4,symbol_stubs,none,16
.section __TEXT,__StaticInit,regular,pure_instructions
.syntax unified
.section __TEXT,__text,regular,pure_instructions
.globl _func
.align 2
.code 16
.thumb_func _func
_func:
push {r4, r5, r6, r7, lr}
add r7, sp, #12
str r8, [sp, #-4]!
vpush {d8}   @ <-- only in this version
sub sp, #8
vmov.f32 s0, #2.000000e+00
movw r8, :lower16:(L_.str-(LPC0_0+4))
vmov s2, r0
movt r8, :upper16:(L_.str-(LPC0_0+4))
vcvt.f32.s32 d1, d1
LPC0_0:
add r8, pc
movs r4, #0
vdiv.f32 s0, s0, s2
vcvt.f64.f32 d16, s0
vsqrt.f64 d8, d16
vmov r5, r6, d8
LBB0_1:
mov r1, r4
mov r0, r8
mov r2, r5
mov r3, r6
vstr.64 d8, [sp]
adds r4, #1
blx _printf
cmp r4, #5
bne LBB0_1
movs r0, #0
add sp, #8
vpop {d8}
ldr r8, [sp], #4
pop {r4, r5, r6, r7, pc}
.globl _main
.align 2
.code 16
.thumb_func _main
_main:
push {r7, lr}
mov r7, sp
movs r0, #8
bl _func
movs r0, #0
pop {r7, pc}
.section __TEXT,__cstring,cstring_literals
L_.str:
.asciz "m[%d]: %f, v: %f\n"
.subsections_via_symbols
It is not clear which assembly goes wrong, as both are marked 'declare the array m[5] as double m[5]', and unfortunately I have neither the hardware nor the cross-compiler to reproduce your problem.
Remarkably, the loops in both assembly listings are very similar; the only difference is that v is located in d16 in the first and in d8 in the second. The v that is passed to printf is located in (r5, r6) in both loops and correctly copied to (r2, r3) before calling printf. For variadic functions the floating-point registers shall not be used to pass parameters, contrary to non-variadic functions. Thus both loops look correct.
The only explanation I can think of is a mismatch between the ABI used for the compiled code and the ABI of the library containing printf, especially considering that the compiled code comes from a cross compiler and I'm assuming printf comes from a dynamic library on the system. As printf is called conforming to the EABI for ARM, I think the bug is in the library's printf.
If your cross compiler allows static linking, you may try that, as you will then be using a library that corresponds to the compiler. Of course the application becomes bigger, but it could at least confirm the suspicion about the implementation of printf. You may want to check whether the library is compiled with an EABI-compliant compiler. If you can step through printf in a debugger on the iPad, you should be able to determine where printf takes its floating-point parameter from. It should take it from (r2, r3).
Unfortunately I cannot give a conclusive answer, but I hope my pointers for further investigation are helpful.
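The answer's point about where printf must find v can be made concrete. The following is an added example, not code from the post or from the toolchain: it models the register-pair hand-off the listing performs (vmov r5, r6, d16, then mov r2, r5 / mov r3, r6) and what a callee sees if it reassembles the pair incorrectly. Under the AAPCS a double passed in core registers occupies an even/odd pair with the low word in the even register; the 32-bit iOS convention follows the base (non-VFP) variant, and even the VFP variant falls back to core registers for variadic callees, which is why the listing never hands printf anything in a d register. The mismatches shown (words swapped, high word dropped) are constructed illustrations of the failure class the answer suspects, not a claim about what this particular printf did.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two core registers a double occupies in a variadic call: (r2, r3) at the
   call site, (r5, r6) where the listing parks it between iterations. */
typedef struct { uint32_t lo, hi; } regpair;

/* vmov rLo, rHi, dN: low word of the double into the even register, high word into the odd one. */
regpair split_double(double v)
{
    uint64_t bits;
    memcpy(&bits, &v, sizeof bits);           /* type-pun through memcpy, no UB */
    regpair p = { (uint32_t)bits, (uint32_t)(bits >> 32) };
    return p;
}

/* What the callee reassembles from the pair it believes it was given. */
double join_double(uint32_t lo, uint32_t hi)
{
    uint64_t bits = ((uint64_t)hi << 32) | lo;
    double v;
    memcpy(&v, &bits, sizeof v);
    return v;
}

/* Render the reassembled value the way the post's "%f" conversion does. */
int render_f(char *out, size_t n, uint32_t lo, uint32_t hi)
{
    return snprintf(out, n, "%f", join_double(lo, hi));
}

/* True if the callee's view of the value prints as the post's wrong output, "0.000000". */
int prints_as_zero(uint32_t lo, uint32_t hi)
{
    char buf[64];
    render_f(buf, sizeof buf, lo, hi);
    return strcmp(buf, "0.000000") == 0;
}

int main(void)
{
    double v = 0.5;                           /* sqrt(2.0f/8), the value in the post */
    regpair p = split_double(v);
    char ok[32], swapped[32], lost[32];

    printf("v = %f -> lo=0x%08" PRIx32 " hi=0x%08" PRIx32 "\n", v, p.lo, p.hi);
    render_f(ok,      sizeof ok,      p.lo, p.hi);   /* callee reads (r2,r3) as the caller filled them */
    render_f(swapped, sizeof swapped, p.hi, p.lo);   /* callee has the pair's order backwards */
    render_f(lost,    sizeof lost,    p.lo, 0);      /* callee only picks up the low word */
    printf("correct: %s   words swapped: %s   high word lost: %s\n", ok, swapped, lost);
    return 0;
}
```

Because 0.5 is 0x3FE00000_00000000, its low word is zero: a callee that swaps the words reassembles a tiny subnormal and one that drops the high word reassembles 0.0, and both print as 0.000000, which is the pattern the post reports. Checking a suspect callee in the debugger therefore means looking at which registers (or stack slots) it loads before converting, exactly as the answer suggests.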

Why is qemu-arm running pthread_join repeatedly in this arm assembly code?

I wrote this ARM assembler code calling pthread to implement multi-threading features. I wrote two similar files, but this one is quite tricky.
The main function is:
main:
stmfd sp!, {fp,lr}
add fp, sp, #4
sub sp, sp, #8
sub r3, sp, #8
mov r0, r3
mov r1, #0
ldr r2, .l_thrd1
mov r3, #0
bl pthread_create
ldr r3, [fp, #-8]
mov r0, r3
mov r1, #0
bl pthread_join
...
Use objdump to see the related disassembled code:
00405468 <pthread_join>:
405468: e5903068 ldr r3, [r0, #104] ; 0x68
40546c: e92d45f0 push {r4, r5, r6, r7, r8, sl, lr}
405470: e3530000 cmp r3, #0
405474: e24dd014 sub sp, sp, #20
405478: e1a05000 mov r5, r0
40547c: e1a06001 mov r6, r1
405480: ba00004a blt 4055b0 <pthread_join+0x148>
405484: e590321c ldr r3, [r0, #540] ; 0x21c
....
It looks normal, except that it caused the segmentation fault. The qemu.log looks messy and crappy around this:
----------------
IN: pthread_join
INST: isa=[0] opk=[JMP_OP] src={-,-,-,-} dst={-,-} shift={-,-,-} c=[1] s=[-] imm=[24,74] rotate_reg=[-] vfp={-,-,-,-} vfp_val={-,-,-,-} ###
0x00405468: e5903068 ### ldr r3, [r0, #104]
0x0040546c: e92d45f0 ### push {r4, r5, r6, r7, r8, sl, lr}
0x00405470: e3530000 ### cmp r3, #0 ; 0x0
0x00405474: e24dd014 ### sub sp, sp, #20 ; 0x14
0x00405478: e1a05000 ### mov r5, r0
0x0040547c: e1a06001 ### mov r6, r1
0x00405480: ba00004a ### b.lt 0x4055b0
----------------
IN: pthread_join
INST: isa=[0] opk=[JMP_OP] src={-,-,-,-} dst={-,-} shift={-,-,-} c=[1] s=[-] imm=[24,74] rotate_reg=[-] vfp={-,-,-,-} vfp_val={-,-,-,-} ###
0x00405468: e5903068 ### ldr r3, [r0, #104]
0x0040546c: e92d45f0 ### push----------------
IN: start_thread
INST: isa=[0] opk=[JMP_OP] src={-,-,-,-} dst={-,-} shift={-,-,-} c=[0] s=[-] imm=[24,4148] rotate_reg=[-] vfp={-,-,-,-} vfp_val={-,-,-,-} ###
0x00404274: e7802003 ### str{r4, r5 , r6, r7r2, ,r8, sl[r0, , lrr3}]
0x00405470: e3530000 ###
....
Obviously, pthread_join has been entered twice, and the second time the 'push' instruction seems not to have been fully executed. The registers also seem normal. I just do not get it.
The other program runs in the right order. The two are coded almost the same.
Nobody had an answer for the question, so I had to answer it myself.
The problem was caused by the stack pointer (r13) being unintentionally saved to memory and changed by another thread. So r13 pointed to another memory address and caused the segmentation fault.

iOS app crashes on launch on device while debugging only - not in simulator or during normal device app launch

I'm trying to determine what's causing a crash I'm seeing while testing my app. It now throws EXC_BAD_ACCESS (code=1, address=0x1) each time I try to run the app from Xcode with the iPhone connected.
The app crashes but I don't see a new entry in the crash log. I've tried running with Zombies enabled but I get the same crash.
The weird thing is, if I debug with the simulator, run the app on the device by tapping its icon, or even run it in Instruments, I don't get this error. Any suggestion and/or explanation would be very much appreciated.
Here's what I see in Xcode:
libobjc.A.dylib`objc_msgSend:
0x36acb5c0: teq.w r0, #0
0x36acb5c4: beq 0x36acb606 ; objc_msgSend + 70
0x36acb5c6: push.w {r3, r4}
0x36acb5ca: ldr r4, [r0]   ; <-- this is where the app stops with EXC_BAD_ACCESS (code=1, address=0x1)
0x36acb5cc: lsr.w r9, r1, #2
0x36acb5d0: ldr r3, [r4, #8]
0x36acb5d2: add.w r3, r3, #8
0x36acb5d6: ldr r12, [r3, #-8]
0x36acb5da: and.w r9, r9, r12
0x36acb5de: ldr.w r4, [r3, r9, lsl #2]
0x36acb5e2: teq.w r4, #0
0x36acb5e6: add.w r9, r9, #1
0x36acb5ea: beq 0x36acb600 ; objc_msgSend + 64
0x36acb5ec: ldr.w r12, [r4]
0x36acb5f0: teq.w r1, r12
0x36acb5f4: bne 0x36acb5d6 ; objc_msgSend + 22
0x36acb5f6: ldr.w r12, [r4, #8]
0x36acb5fa: pop.w {r3, r4}
0x36acb5fe: bx r12
0x36acb600: pop.w {r3, r4}
0x36acb604: b 0x36acb620 ; objc_msgSend_uncached
0x36acb606: mov.w r1, #0
0x36acb60a: bx lr
0x36acb60c: nop
0x36acb60e: nop
0x36acb610: nop
0x36acb612: nop
0x36acb614: nop
0x36acb616: nop
0x36acb618: nop
0x36acb61a: nop
0x36acb61c: nop
0x36acb61e: nop
Try to enable all memory debugging options in the cmd-alt-b menu: zombies, scribble, etc. And set an exception breakpoint.
When in doubt, reboot your device. Works fine now. Could not isolate what was causing the error.

malloc: *** mmap(size=1048576) failed (error code=12) *** error: can't allocate region securely

I have an app which, after running for a few minutes, always crashes. I checked the crash log and it always says:
malloc: *** mmap(size=1048576) failed (error code=12)
*** error: can't allocate region securely
I checked for memory leaks using the Instruments tools but did not find any. I wonder if there are some memory leaks Instruments cannot find, or some other reason for the crash.
Any help will be appreciated!
Edit:
I used the time profiler to check the performance, but I don't know what the key point is because the top items are these:
Running Time Self Symbol Name
6494.0ms 9.4% 6494.0 -[DLStarView initWithDefault:highlighted:position:allowFractions:]
(my app has a lot of list, each item has a self made star view)
Running Time Self Symbol Name
5848.0ms 8.4% 5848.0 +[ASIHTTPRequest runRequests]
(my app always get data from sever)
Running Time Self Symbol Name
2169.0ms 3.1% 2169.0 -[BMKUserLocationInternal updateLocationInfo]
Running Time Self Symbol Name
1435.0ms 2.0% 1435.0 -[EGOCache imageForKey:]
Running Time Self Symbol Name
1252.0ms 1.8% 1252.0 -[KLRestDetailViewController tableView:cellForRowAtIndexPath:]
Is it useful? How can I check if I'm stuffing a bunch of stuff?
PS: this crash only appears on the real device. I ran it in the simulator for about 20 minutes and the app still ran smoothly. My device is an iPhone 4S with iOS 6.0.1.
I set a breakpoint and got these messages:
libsystem_c.dylib`malloc_error_break:
0x33c742e8: push {r7, lr}
0x33c742ea: mov r7, sp
0x33c742ec: nop
0x33c742ee: nop
0x33c742f0: pop {r7, pc}
0x33c742f2: nop
0x3393ed86: movs r2, #0
0x3393ed88: ldr r0, [r0]
0x3393ed8a: ldr r0, [r4, r0]
0x3393ed8c: blx 0x33aaf1c0; symbol stub for: -[NSUUID copyWithZone:]
0x3393ed90: movw r0, #52700
0x3393ed94: movt r0, #1571
0x3393ed98: add r0, pc
0x3393ed9a: ldr r1, [r0]
0x23ac72: mov r0, r5
0x23ac74: str.w r8, [sp]
0x23ac78: blx 0x2c7d04 ; symbol stub for: objc_msgSend
0x23ac7c: b 0x23aca4 ; -[BMKUserLocationInternal updateLocationInfo] + 912 at BMKUserLocationInternal.mm:131
0x23ac7e: bl 0x1cbcd8 ; bmengine::GetGlobalMan() at IphoneBaiduMaps.mm:61
0x33941b7e: mov r0, r11
0x33941b80: mov r1, r8
0x33941b82: mov r2, r10
0x33941b84: blx 0x33aace80 ; symbol stub for: CFDictionarySetValue$shim
0x33941b88: movw r0, #36884
0x33941b8c: movt r0, #1571
0x33941b90: add r0, pc
0x33941b92: ldr r4, [r0]
0x33941b94: mov r0, r11
0x23acd6: movs r3, #1
0x23acd8: str r3, [sp]
0x23acda: movs r3, #0
0x23acdc: blx 0x2c7d04 ; symbol stub for: objc_msgSend
0x23ace0: add sp, #4
0x23ace2: pop {r7, pc}
0x35bee92e: ldr r1, [sp, #224]
0x35bee930: ldr r2, [sp, #136]
0x35bee932: ldr r3, [sp, #232]
0x35bee934: blx 0x35c268e4 ; symbol stub for: CLLocationDictionaryUtilitiesGetTransitionInterval
0x35bee938: movw r0, #1732
0x35bee93c: movt r0, #1078
0x35bee940: add r0, pc
0x35bee942: ldr r1, [r0]
The crash thread messages are not always the same, but in the console output it always says:
malloc: *** mmap(size=1048576) failed (error code=12)
*** error: can't allocate region securely
*** set a breakpoint in malloc_error_break to debug
I was confused by this bug for a few days. Any idea? Thanks!

Potential causes for EXC_BAD_ACCESS exception in PhoneGap app for iOS?

We're using PG 2.0 to wrap up a mobile app built with jQuery 1.8.2. We're on Xcode 4.4 and iOS 5.1.1.
We often encounter the following exception: Thread 1: EXC_BAD_ACCESS (code=1, address=0x130). The stack trace is below. Here is the output from Zombies: *** -[UIWebOverflowScrollView _viewDelegate]: message sent to deallocated instance 0xf4e0330
We have no clue what could cause this since we're coding entirely in HTML and JavaScript, relying on PG to interface with the hardware.
Any clues? Has this happened to other PG users?
Thanks!
=============
libobjc.A.dylib`objc_msgSend:
0x353a3f68: teq.w r0, #0
0x353a3f6c: beq 0x353a3faa ; objc_msgSend + 66
0x353a3f6e: push.w {r3, r4}
0x353a3f72: ldr r4, [r0]
0x353a3f74: lsr.w r9, r1, #2
0x353a3f78: ldr r3, [r4, #8]
0x353a3f7a: add.w r3, r3, #8
0x353a3f7e: ldr r12, [r3, #-8]
0x353a3f82: and.w r9, r9, r12
0x353a3f86: ldr.w r4, [r3, r9, lsl #2]
0x353a3f8a: teq.w r4, #0
0x353a3f8e: add.w r9, r9, #1
0x353a3f92: beq 0x353a3fa6 ; objc_msgSend + 62
0x353a3f94: ldr.w r12, [r4]
0x353a3f98: teq.w r1, r12
0x353a3f9c: bne 0x353a3f7e ; objc_msgSend + 22
0x353a3f9e: ldr.w r12, [r4, #8]
0x353a3fa2: pop {r3, r4}
0x353a3fa4: bx r12
0x353a3fa6: pop {r3, r4}
0x353a3fa8: b 0x353a3fb0 ; objc_msgSend_uncached
0x353a3faa: mov.w r1, #0
0x353a3fae: bx lr
We removed references to -webkit-overflow-scrolling in the CSS, and this bug went away. Argh, Apple!
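Both of the crash reports above stop inside objc_msgSend, the first one explicitly at `ldr r4, [r0]`. As an added example (not from either post and not Apple's runtime code), here is a C model of the fast path those two listings show, with a constructed class and method cache. It shows why that instruction is where a bad receiver dies (the faulting address is simply the receiver value, so address=0x1 at that instruction means r0 held 1, and address=0x130 would mean the same for r0 = 0x130 if it faults there), how the selector cache is probed, and why NSZombieEnabled changes the symptom: the freed object keeps a valid isa that now points at a zombie class whose cache is empty, so dispatch reaches the slow path and the runtime can log "message sent to deallocated instance" instead of dereferencing garbage. The field order follows the load offsets in the listing; the selector values, the class and cache contents, and the "first page is unmapped" rule are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the objc_msgSend fast path from the listings above. Field order mirrors
 * the loads there (byte offsets differ on a 64-bit host; the semantics are the point):
 *   ldr r4, [r0]                 receiver->isa
 *   ldr r3, [r4, #8]             class->cache
 *   ldr r12, [r3, #-8]           cache->mask   (buckets start at cache+8)
 *   ldr.w r4, [r3, r9, lsl #2]   cache->buckets[(sel >> 2) & mask], then linear probe
 *   ldr.w r12, [r4]              method->sel
 *   ldr.w r12, [r4, #8]          method->imp
 */
typedef void (*IMP)(void);
typedef uintptr_t SEL;
typedef struct { SEL sel; const char *types; IMP imp; } method_t;
typedef struct { uint32_t mask; uint32_t occupied; method_t *buckets[5]; } cache_t;
typedef struct objc_class { struct objc_class *isa, *super; cache_t *cache; } objc_class;
typedef struct { objc_class *isa; } objc_object;

enum { MSG_NIL, MSG_HIT, MSG_MISS, MSG_FAULT };
typedef struct { int kind; uintptr_t fault_addr; IMP imp; } send_result;

/* The receiver is the raw r0 value so that garbage like 0x1 can be fed in.
   Model assumption: only the first page (addresses below 4096) is unmapped. */
send_result msg_send_model(uintptr_t r0, SEL r1)
{
    send_result res = { MSG_NIL, 0, NULL };
    if (r0 == 0)                                   /* teq r0,#0 ; beq -> mov r1,#0 ; bx lr */
        return res;
    if (r0 < 4096) {                               /* ldr r4,[r0] on an unmapped page:    */
        res.kind = MSG_FAULT;                      /* EXC_BAD_ACCESS with address == r0   */
        res.fault_addr = r0;
        return res;
    }
    objc_class *cls = ((objc_object *)r0)->isa;            /* ldr r4, [r0]       */
    cache_t *cache = cls->cache;                           /* ldr r3, [r4, #8]   */
    uint32_t index = (uint32_t)(r1 >> 2) & cache->mask;    /* lsr r9,r1,#2 ; and */
    for (;;) {
        method_t *m = cache->buckets[index++];             /* ldr r4,[r3,r9,lsl #2] ; add r9,#1 */
        if (m == NULL) {                                   /* beq objc_msgSend_uncached */
            res.kind = MSG_MISS;
            return res;
        }
        if (m->sel == r1) {                                /* teq r1, r12 */
            res.kind = MSG_HIT;
            res.imp = m->imp;                              /* ldr r12,[r4,#8] ; bx r12 */
            return res;
        }
    }
}

/* Constructed fixture: a class whose cache holds two methods plus empty slots.
   The probe loop never re-masks the index, so the table must always keep an empty bucket. */
static void foo_imp(void) { puts("foo"); }
static void bar_imp(void) { puts("bar"); }
static method_t m_foo = { 0x10, "v@:", foo_imp };        /* (0x10 >> 2) & 3 == 0 */
static method_t m_bar = { 0x14, "v@:", bar_imp };        /* (0x14 >> 2) & 3 == 1 */
static cache_t live_cache  = { 3, 2, { &m_foo, &m_bar, NULL, NULL, NULL } };
static cache_t empty_cache = { 0, 0, { NULL, NULL, NULL, NULL, NULL } };
static objc_class live_class   = { NULL, NULL, &live_cache };
static objc_class zombie_class = { NULL, NULL, &empty_cache };  /* stands in for _NSZombie_<Class> */
static objc_object obj = { &live_class };

int send_kind(uintptr_t r0, SEL sel)             { return msg_send_model(r0, sel).kind; }
uintptr_t send_fault_addr(uintptr_t r0, SEL sel) { return msg_send_model(r0, sel).fault_addr; }
int send_hits_bar(void) { return msg_send_model((uintptr_t)&obj, 0x14).imp == bar_imp; }

/* Under NSZombieEnabled a deallocated object's memory is kept and its isa is swapped for
   a zombie class: dispatch still reads a valid isa, misses the (empty) cache and falls to
   the slow path, which is where the "message sent to deallocated instance" log comes from. */
int send_kind_after_zombie(void)
{
    objc_object freed = { &live_class };
    freed.isa = &zombie_class;                 /* the model's version of dealloc with zombies on */
    return msg_send_model((uintptr_t)&freed, 0x14).kind;
}

int main(void)
{
    printf("nil receiver:       kind=%d\n", send_kind(0, 0x10));
    printf("receiver 0x1:       kind=%d fault_addr=0x%lx\n", send_kind(0x1, 0x10),
           (unsigned long)send_fault_addr(0x1, 0x10));
    printf("receiver 0x130:     kind=%d fault_addr=0x%lx\n", send_kind(0x130, 0x10),
           (unsigned long)send_fault_addr(0x130, 0x10));
    printf("live object, bar:   kind=%d\n", send_kind((uintptr_t)&obj, 0x14));
    printf("live object, 0x20:  kind=%d (collides with slot 0, probes to an empty slot)\n",
           send_kind((uintptr_t)&obj, 0x20));
    printf("zombie object:      kind=%d\n", send_kind_after_zombie());
    return 0;
}
```

Read against the first report: a fault at `ldr r4, [r0]` with address=0x1 says the receiver register held 1, not an object, which is consistent with a stale pointer whose memory has been reused. Zombies only help when the object was properly deallocated through the runtime; a receiver that was never an object, or whose memory was reused before the send, still faults the same way, which matches the first poster seeing the same crash with zombies enabled while the PhoneGap poster got the deallocated-instance message.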
