From owner-acpi-jp@jp.freebsd.org  Mon Sep  3 23:02:57 2001
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id XAA78148;
	Mon, 3 Sep 2001 23:02:57 +0900 (JST)
	(envelope-from owner-acpi-jp@jp.FreeBSD.org)
Received: from tasogare.imasy.or.jp (root@tasogare.imasy.or.jp [202.227.24.5])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id XAA78143
	for <acpi-jp@jp.freebsd.org>; Mon, 3 Sep 2001 23:02:56 +0900 (JST)
	(envelope-from iwasaki@jp.FreeBSD.org)
Received: from localhost (iwasaki.imasy.or.jp [202.227.24.92])
	by tasogare.imasy.or.jp (8.11.6+3.4W/8.11.6/tasogare) with ESMTP/inet id f83E2nm52287;
	Mon, 3 Sep 2001 23:02:49 +0900 (JST)
	(envelope-from iwasaki@jp.FreeBSD.org)
Date: Mon, 03 Sep 2001 23:02:50 +0900 (JST)
Message-Id: <20010903.230250.74756504.iwasaki@jp.FreeBSD.org>
To: acpi-jp@jp.freebsd.org, robert.moore@intel.com
Cc: andrew.grover@intel.com
From: Mitsuru IWASAKI <iwasaki@jp.freebsd.org>
In-Reply-To: <20010830005615B.iwasaki@jp.FreeBSD.org>
References: <7B1A3FD0E515D211AC3E00A0C96B7AC907C8D2C6@orsmsx34.jf.intel.com>
	<20010830005615B.iwasaki@jp.FreeBSD.org>
X-Mailer: Mew version 2.0 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Reply-To: acpi-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: acpi-jp 1239
Subject: [acpi-jp 1239] Re: Fix? acpica-unix-20010816
Errors-To: owner-acpi-jp@jp.freebsd.org
Sender: owner-acpi-jp@jp.freebsd.org
X-Originator: iwasaki@jp.freebsd.org

Hi,

As Andrew requested, I've tried to get more detailed debug info.
Then I've successfully reproduced the problem with userland ACPICA
debugger, and have a possible fix for this.

It looks like a `freeing a pointer in DSDT block' problem as I suggested.

Here we have the following package object.
        Name(PBIF, Package(0xd) {
            0x1,
            0x5,
            0x5,
            0x1,
            0x5,
            0x0190,
            0x32,
            0x40,
            0x40,
            "BAT1",
            " ",
            " ",
            " ",
        })
Note that the lengths of the String objects PBIF[10] to PBIF[12] are 1.
And we update the package by executing a method like this:
        Method(IVBI) {
            Store(0x01e9, UBIF)
            Store(0x5, Index(PBIF, 0x1, ))
            Store(0x5, Index(PBIF, 0x2, ))
            Store(0x5, Index(PBIF, 0x4, ))
            Store("Bad", Index(PBIF, 0x9, ))
            Store("Bad", Index(PBIF, 0xa, ))
            Store("Bad", Index(PBIF, 0xb, ))
            Store("Bad", Index(PBIF, 0xc, ))
        }
The last 3 statements try to free the current pointer first, then
allocate new storage large enough to hold the String "Bad" in
AcpiExCopyStringToString(), because the length of "Bad" is larger than
that of PBIF[10] - PBIF[12].  And we get a fatal error reported.

It seems that the AOPOBJ_STATIC_POINTER bit of ACPI_OPERAND_OBJECT::Common.Flags
is currently set only in AcpiNsRootInitialize() for pre-defined named objects,
but I think it also needs to be set when we create internal objects which
have a reference to an object in the DSDT block.
Here is a patch for this in AcpiDsInitObjectFromOp():

Index: dsobject.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/dev/acpica/dsobject.c,v
retrieving revision 1.1.1.9
diff -u -r1.1.1.9 dsobject.c
--- dsobject.c	26 Aug 2001 22:28:16 -0000	1.1.1.9
+++ dsobject.c	3 Sep 2001 11:45:49 -0000
@@ -558,6 +558,7 @@
         break;
     }
 =

+    ObjDesc->Common.Flags |=3D AOPOBJ_STATIC_POINTER;
     return (AE_OK);
 }
 =
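Review bot: the added `ObjDesc->Common.Flags |= AOPOBJ_STATIC_POINTER;` sits after the switch and right before `return (AE_OK);`, so it marks every object this function builds as static, not only those whose Pointer references the AML in the DSDT as the description says. For an object whose storage the interpreter allocated itself, the flag would then stop AcpiExCopyStringToString() and the delete path from ever releasing that buffer, turning the invalid free into a leak. Consider setting the flag only in the cases that take their Pointer from the AML (the string case the trace shows), and add a comment saying the storage is owned by the table image so the copy-and-free path must skip it.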


I attached a debug trace with userland ACPICA debugger for your convenience.

Thanks

Script started on Mon Sep  3 19:06:11 2001
% ./acpicadb fiva-MPC-206VL.dsdt
  utmisc-0420[12] UtAcquireMutex: Mutex [ACPI_MTX_Namespace] already acquired by this thread [0]
  utmisc-0428[15] UtAcquireMutex: Invalid acquire order: Thread 0 owns [ACPI_MTX_Tables], wants [ACPI_MTX_Execute]
  utmisc-0504[03] UtReleaseMutex: Mutex [ACPI_MTX_Namespace] is not acquired, cannot release
Parsing Methods:...........................................  utmisc-0428[13] UtAcquireMutex: Invalid acquire order: Thread 0 owns [ACPI_MTX_Tables], wants [ACPI_MTX_Execute]
...........................................................................
118 Control Methods found and parsed (511 nodes total)
ACPI Namespace successfully loaded at root 0x808924c
- f IVBI
                 \_SB_.BAT1.IVBI (0x809fe28) - Method
- debug _SB_.BAT1.IVBI
Executing \_SB_.BAT1.IVBI
00000 #0070 [00]  Store
            [00]  (
00001 #000B [01]  ....(UINT16) 0x01E9,
00004 #002D [01]  ....UBIF  (Path
            [01]  }

%

ArgObj:    0x80bc628 <Obj>             Integer 00000000000001E9
ArgObj:    0x809f9a8 <Node>            Name UBIF Type-Integer
ResultObj: 0x80bc628 <Obj>             Integer 00000000000001E9

0000B #0088 [00]  Index
            [00]  (
0000C #002D [01]  ....PBIF,  (Path
00010 #000A [01]  ....(UINT8)  0x01,
00012 #002D [01]  ....<NULL NAME PTR>
            [01]  }

%

ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000001
ArgObj:    0x80bc6a8 <Obj> [Const]     Zero (0) [Null Target]
ResultObj: 0x80bc728 <Obj> [Index]

00008 #0070 [00]  Store
            [00]  (
00009 #000A [01]  ....(UINT8)  0x05,
00000 #0036 [01]  ....[Return Value] Reference
            [01]  }

%

ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
ArgObj:    0x80bc728 <Obj> [Index]
ResultObj: 0x80bc628 <Obj>             Integer 0000000000000005

00016 #0088 [00]  Index
            [00]  (
00017 #002D [01]  ....PBIF,  (Path
0001B #000A [01]  ....(UINT8)  0x02,
0001D #002D [01]  ....<NULL NAME PTR>
            [01]  }

%

ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000002
ArgObj:    0x80bc728 <Obj> [Const]     Zero (0) [Null Target]
ResultObj: 0x80bc6a8 <Obj> [Index]

00013 #0070 [00]  Store
            [00]  (
00014 #000A [01]  ....(UINT8)  0x05,
00000 #0036 [01]  ....[Return Value] Reference
            [01]  }

%

ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
ArgObj:    0x80bc6a8 <Obj> [Index]
ResultObj: 0x80bc628 <Obj>             Integer 0000000000000005

00021 #0088 [00]  Index
            [00]  (
00022 #002D [01]  ....PBIF,  (Path
00026 #000A [01]  ....(UINT8)  0x04,
00028 #002D [01]  ....<NULL NAME PTR>
            [01]  }

%

ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000004
ArgObj:    0x80bc6a8 <Obj> [Const]     Zero (0) [Null Target]
ResultObj: 0x80bc728 <Obj> [Index]

0001E #0070 [00]  Store
            [00]  (
0001F #000A [01]  ....(UINT8)  0x05,
00000 #0036 [01]  ....[Return Value] Reference
            [01]  }

%

ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
ArgObj:    0x80bc728 <Obj> [Index]
ResultObj: 0x80bc628 <Obj>             Integer 0000000000000005

0002F #0088 [00]  Index
            [00]  (
00030 #002D [01]  ....PBIF,  (Path
00034 #000A [01]  ....(UINT8)  0x09,
00036 #002D [01]  ....<NULL NAME PTR>
            [01]  }

%

ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
ArgObj:    0x80bc628 <Obj>             Integer 0000000000000009
ArgObj:    0x80bc728 <Obj> [Const]     Zero (0) [Null Target]
ResultObj: 0x80bc6a8 <Obj> [Index]

00029 #0070 [00]  Store
            [00]  (
0002A #000D [01]  ...."Bad",
00000 #0036 [01]  ....[Return Value] Reference
            [01]  }

%

ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
ArgObj:    0x80bc6a8 <Obj> [Index]
ResultObj: 0x80bc628 <Obj>             String(3) "Bad"

0003D #0088 [00]  Index
            [00]  (
0003E #002D [01]  ....PBIF,  (Path
00042 #000A [01]  ....(UINT8)  0x0A,
00044 #002D [01]  ....<NULL NAME PTR>
            [01]  }

%

ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
ArgObj:    0x80bc628 <Obj>             Integer 000000000000000A
ArgObj:    0x80bc6a8 <Obj> [Const]     Zero (0) [Null Target]
ResultObj: 0x80bc728 <Obj> [Index]

00037 #0070 [00]  Store
            [00]  (
00038 #000D [01]  ...."Bad",
00000 #0036 [01]  ....[Return Value] Reference
            [01]  }

%

ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
ArgObj:    0x80bc728 <Obj> [Index]
Segmentation fault (core dumped)
% gdb acpicadb acpicadb.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `acpicadb'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.5...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x8071b9f in AcpiUtDeleteElementFromAllocList (ListId=0,
    Address=0x8090b70, Component=128, Module=0x807f720 "exstorob", Line=257)
    at /usr/ports/devel/acpicatools/work/acpicadb/../utilities/utalloc.c:479
479	        (Address->Previous)->Next = Address->Next;
(gdb) bt
#0  0x8071b9f in AcpiUtDeleteElementFromAllocList (ListId=0,
    Address=0x8090b70, Component=128, Module=0x807f720 "exstorob", Line=257)
    at /usr/ports/devel/acpicatools/work/acpicadb/../utilities/utalloc.c:479
#1  0x80721a5 in AcpiUtFree (Address=0x8090b98, Component=128,
    Module=0x807f720 "exstorob", Line=257)
    at /usr/ports/devel/acpicatools/work/acpicadb/../utilities/utalloc.c:838
#2  0x8060de8 in AcpiExCopyStringToString (SourceDesc=0x80bc628,
    TargetDesc=0x80bb128)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstorob.c:257
#3  0x8060c60 in AcpiExStoreObject (SourceDesc=0x80bc628, TargetType=2 '\002',
    TargetDescPtr=0xbfbff224, WalkState=0x8092028)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstoren.c:317
#4  0x8060a36 in AcpiExStoreObjectToObject (SourceDesc=0x80bc628,
    DestDesc=0x80bb128, WalkState=0x8092028)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstore.c:775
#5  0x8060580 in AcpiExStoreObjectToIndex (ValDesc=0x80bc628,
    DestDesc=0x80bc728, WalkState=0x8092028)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstore.c:452
#6  0x80602a2 in AcpiExStore (ValDesc=0x80bc628, DestDesc=0x80bc728,
---Type <return> to continue, or q <return> to quit---
    WalkState=0x8092028)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstore.c:234
#7  0x805cd2a in AcpiExMonadic2R (Opcode=112, WalkState=0x8092028,
    ReturnDesc=0xbfbff314)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exmonad.c:600
#8  0x80517f1 in AcpiDsExecEndOp (WalkState=0x8092028, Op=0x8094928)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/dispatcher/dswexec.c:555
#9  0x8069af4 in AcpiPsParseLoop (WalkState=0x8092028)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/parser/psparse.c:1027
#10 0x806a005 in AcpiPsParseAml (StartScope=0x808ba28,
    Aml=0x8091159 "p\013é\001UBIFp\n\005\210PBIF\n\001", AmlSize=97,
    ParseFlags=49, MethodNode=0x809fe28, Params=0x80a4228,
    CallerReturnDesc=0xbfbff4e4,
    DescendingCallback=0x8051444 <AcpiDsExecBeginOp>,
    AscendingCallback=0x80515e8 <AcpiDsExecEndOp>)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/parser/psparse.c:1344
#11 0x806b050 in AcpiPsxExecute (MethodNode=0x809fe28, Params=0x80a4228,
    ReturnObjDesc=0xbfbff4e4)
---Type <return> to continue, or q <return> to quit---
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/parser/psxface.c:238
#12 0x8061642 in AcpiExExecuteMethod (MethodNode=0x809fe28, Params=0x80a4228,
    ReturnObjDesc=0xbfbff4e4)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exxface.c:187
#13 0x8064eec in AcpiNsExecuteControlMethod (MethodNode=0x809fe28,
    Params=0x80a4228, ReturnObjDesc=0xbfbff4e4)
    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nseval.c:518
#14 0x8064de4 in AcpiNsEvaluateByHandle (Handle=0x809fe28, Params=0x80a4228,
    ReturnObject=0xbfbff564)
    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nseval.c:401
#15 0x8064c9b in AcpiNsEvaluateByName (Pathname=0x8088a74 "\\_SB_.BAT1.IVBI",
    Params=0x80a4228, ReturnObject=0xbfbff564)
    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nseval.c:302
#16 0x8067d80 in AcpiEvaluateObject (Handle=0x0,
    Pathname=0x8088a74 "\\_SB_.BAT1.IVBI", ParamObjects=0xbfbff5a0,
    ReturnBuffer=0xbfbff660)
    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nsxfobj.c:253
#17 0x804cb3b in AcpiDbExecuteMethod (Info=0x8088a60, ReturnObj=0xbfbff660)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbexec.c:204
#18 0x804cc72 in AcpiDbExecute (Name=0x8088926 "_SB_.BAT1.IVBI",
---Type <return> to continue, or q <return> to quit---
    Args=0x8088908, Flags=2)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbexec.c:334
#19 0x804b955 in AcpiDbCommandDispatch (InputBuffer=0x80889c0 "",
    WalkState=0x0, Op=0x0)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbinput.c:648
#20 0x804bdd9 in AcpiDbSingleThread ()
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbinput.c:920
#21 0x804be51 in AcpiDbUserCommands (Prompt=0, Op=0x0)
    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbinput.c:987
#22 0x80495c1 in load_dsdt (dsdtfile=0xbfbff913 "fiva-MPC-206VL.dsdt")
    at acpicadb.c:515
#23 0x804963b in main (argc=2, argv=0xbfbff7dc) at acpicadb.c:541
#24 0x8048bfd in _start ()
(gdb) q
% exit

Script done on Mon Sep  3 19:08:33 2001
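
Added example (written for this archive page, not code from the mail or from ACPICA) modelling the failure the message describes: a String object whose storage points into the AML image must never be handed to free() when a longer string is stored into it, and a static-pointer flag on the object is what tells the copy routine to allocate instead. The StringObj struct, the AmlImage stand-in, the flag's value and the function names are constructed for the example; only AOPOBJ_STATIC_POINTER and the behaviour of AcpiExCopyStringToString() come from the mail.

```c
#include <stdlib.h>
#include <string.h>
#define AOPOBJ_STATIC_POINTER 0x01  /* value chosen for this model; storage lives in the DSDT image */

typedef struct {                    /* constructed stand-in for ACPI_OPERAND_OBJECT */
    unsigned  Flags, Length;        /* Length excludes the terminating NUL */
    char     *Pointer;              /* into AmlImage, or heap-allocated */
} StringObj;

/* Constructed stand-in for the loaded DSDT: three 1-byte " " strings like PBIF[10..12]. */
static char AmlImage[] = " \0 \0 \0";

/* Release only interpreter-owned storage; an AML-backed pointer is never handed to free(). */
static void ReleaseString(StringObj *obj)
{
    if (!(obj->Flags & AOPOBJ_STATIC_POINTER))
        free(obj->Pointer);
}

/* Models AcpiExCopyStringToString: when the source does not fit, replace the storage.
 * The unpatched path free()d the old pointer unconditionally, hence the utalloc.c crash. */
static int CopyStringToString(const char *src, unsigned srcLen, StringObj *target)
{
    if (srcLen > target->Length) {
        char *buf = malloc(srcLen + 1);
        if (buf == NULL) return -1;
        ReleaseString(target);
        target->Pointer = buf;
        target->Flags &= ~AOPOBJ_STATIC_POINTER;    /* heap-owned from now on */
    }
    memcpy(target->Pointer, src, srcLen);
    target->Pointer[srcLen] = '\0';
    target->Length = srcLen;
    return 0;
}

/* Replays the last three IVBI stores, Store("Bad", Index(PBIF, 0xa..0xc)), on AML-backed
 * objects flagged as the patch does; returns how many ended up heap-owned with the image intact. */
static int ReplayIvbiStores(void)
{
    int ok = 0;
    for (int i = 0; i < 3; i++) {
        StringObj obj = { AOPOBJ_STATIC_POINTER, 1, &AmlImage[2 * i] };
        if (CopyStringToString("Bad", 3, &obj) == 0 && !(obj.Flags & AOPOBJ_STATIC_POINTER)
            && strcmp(obj.Pointer, "Bad") == 0 && memcmp(AmlImage, " \0 \0 \0", 7) == 0)
            ok++;
        ReleaseString(&obj);
    }
    return ok;
}
```

Running the replay twice is the useful check: because the flag routes the store to fresh heap storage, the AML image is never written or freed, so the second pass sees the original 1-byte strings again.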
