From owner-acpi-jp@jp.freebsd.org  Tue Sep  4 03:23:49 2001
Message-ID: <7B1A3FD0E515D211AC3E00A0C96B7AC907C8D2E0@orsmsx34.jf.intel.com>
From: "Moore, Robert" <robert.moore@intel.com>
To: "'Mitsuru IWASAKI'" <iwasaki@jp.FreeBSD.org>, acpi-jp@jp.FreeBSD.org
Cc: "Grover, Andrew" <andrew.grover@intel.com>
Date: Mon, 3 Sep 2001 11:23:34 -0700 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
Reply-To: acpi-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: acpi-jp 1240
Subject: [acpi-jp 1240] RE: Fix? acpica-unix-20010816
Errors-To: owner-acpi-jp@jp.freebsd.org
Sender: owner-acpi-jp@jp.freebsd.org
X-Originator: robert.moore@intel.com


This is the correct fix and I have integrated the change.  The fix will
appear in the first build in the month of September.  Thanks for your help
and thanks for the detailed information; this is exactly what I needed to
reproduce the problem and verify the fix.

Bob


		-----Original Message-----
		From:	Mitsuru IWASAKI [mailto:iwasaki@jp.FreeBSD.org]
		Sent:	Monday, September 03, 2001 7:03 AM
		To:	acpi-jp@jp.FreeBSD.org; robert.moore@intel.com
		Cc:	andrew.grover@intel.com
		Subject:	Re: [acpi-jp 1229] Re: Fix? acpica-unix-20010816

		Hi,

		As Andrew requested, I've tried to get more detailed debug info.
		Then I've successfully reproduced the problem with userland ACPICA
		debugger, and have a possible fix for this.

		It looks like a `freeing a pointer in DSDT block' problem as I suggested.

		Here, we have a following package object.
		        Name(PBIF, Package(0xd) {
		            0x1,
		            0x5,
		            0x5,
		            0x1,
		            0x5,
		            0x0190,
		            0x32,
		            0x40,
		            0x40,
		            "BAT1",
		            " ",
		            " ",
		            " ",
		        })
		Note that length of String objects PBIF[10] to PBIF[12] are 1.
		And update the package by executing a method, like;
		        Method(IVBI) {
		            Store(0x01e9, UBIF)
		            Store(0x5, Index(PBIF, 0x1, ))
		            Store(0x5, Index(PBIF, 0x2, ))
		            Store(0x5, Index(PBIF, 0x4, ))
		            Store("Bad", Index(PBIF, 0x9, ))
		            Store("Bad", Index(PBIF, 0xa, ))
		            Store("Bad", Index(PBIF, 0xb, ))
		            Store("Bad", Index(PBIF, 0xc, ))
		        }
		Last 3 statements are trying to free the current pointer first,
		then allocate a new storage large enough to hold String "Bad" in
		AcpiExCopyStringToString() because length of "Bad" is larger than
		PBIF[10] - PBIF[12].  And we will get a fatal error reported.

		It seems that AOPOBJ_STATIC_POINTER bit of ACPI_OPERAND_OBJECT::Common.Flags
		is set only in AcpiNsRootInitialize() for pre-defined named object
		currently, but I think it needs to be set also when we create internal
		objects which have a reference to object in DSDT block.
		Here is a patch for this in AcpiDsInitObjectFromOp();

		Index: dsobject.c
	
===================================================================
		RCS file: /home/ncvs/src/sys/contrib/dev/acpica/dsobject.c,v
		retrieving revision 1.1.1.9
		diff -u -r1.1.1.9 dsobject.c
		--- dsobject.c	26 Aug 2001 22:28:16 -0000	1.1.1.9
		+++ dsobject.c	3 Sep 2001 11:45:49 -0000
		@@ -558,6 +558,7 @@
		         break;
		     }
		 
		+    ObjDesc->Common.Flags |= AOPOBJ_STATIC_POINTER;
		     return (AE_OK);
		 }
		 
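Review bot: the added `ObjDesc->Common.Flags |= AOPOBJ_STATIC_POINTER;` sits after the switch, so it marks every object this function initializes, not only the String objects whose pointer targets the DSDT image that the trace shows being freed; add a comment on that line explaining that an object created from an op references the AML stream and must never be handed to the allocator, and state why the flag is correct for the other object types that reach this point too.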

		I attached a debug trace with userland ACPICA debugger for your convenience.

		Thanks

		Script started on Mon Sep  3 19:06:11 2001
		% ./acpicadb fiva-MPC-206VL.dsdt
		  utmisc-0420[12] UtAcquireMutex: Mutex [ACPI_MTX_Namespace] already acquired by this thread [0]
		  utmisc-0428[15] UtAcquireMutex: Invalid acquire order: Thread 0 owns [ACPI_MTX_Tables], wants [ACPI_MTX_Execute]
		  utmisc-0504[03] UtReleaseMutex: Mutex [ACPI_MTX_Namespace] is not acquired, cannot release
		Parsing Methods:........................................... utmisc-0428[13] UtAcquireMutex: Invalid acquire order: Thread 0 owns [ACPI_MTX_Tables], wants [ACPI_MTX_Execute] ...........................................................................
		118 Control Methods found and parsed (511 nodes total)
		ACPI Namespace successfully loaded at root 0x808924c
		- f IVBI
		                 \_SB_.BAT1.IVBI (0x809fe28) - Method
		- debug _SB_.BAT1.IVBI
		Executing \_SB_.BAT1.IVBI
		00000 #0070 [00]  Store
		            [00]  (
		00001 #000B [01]  ....(UINT16) 0x01E9,
		00004 #002D [01]  ....UBIF  (Path 
		            [01]  }

		% 
		ArgObj:    0x80bc628 <Obj>             Integer 00000000000001E9
		ArgObj:    0x809f9a8 <Node>            Name UBIF Type-Integer
		ResultObj: 0x80bc628 <Obj>             Integer 00000000000001E9

		0000B #0088 [00]  Index
		            [00]  (
		0000C #002D [01]  ....PBIF,  (Path 
		00010 #000A [01]  ....(UINT8)  0x01,
		00012 #002D [01]  ....<NULL NAME PTR>
		            [01]  }

		% 
		ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000001
		ArgObj:    0x80bc6a8 <Obj> [Const]     Zero (0) [Null Target]
		ResultObj: 0x80bc728 <Obj> [Index]     

		00008 #0070 [00]  Store
		            [00]  (
		00009 #000A [01]  ....(UINT8)  0x05,
		00000 #0036 [01]  ....[Return Value] Reference
		            [01]  }

		% 
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
		ArgObj:    0x80bc728 <Obj> [Index]     
		ResultObj: 0x80bc628 <Obj>             Integer 0000000000000005

		00016 #0088 [00]  Index
		            [00]  (
		00017 #002D [01]  ....PBIF,  (Path 
		0001B #000A [01]  ....(UINT8)  0x02,
		0001D #002D [01]  ....<NULL NAME PTR>
		            [01]  }

		% 
		ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000002
		ArgObj:    0x80bc728 <Obj> [Const]     Zero (0) [Null Target]
		ResultObj: 0x80bc6a8 <Obj> [Index]     

		00013 #0070 [00]  Store
		            [00]  (
		00014 #000A [01]  ....(UINT8)  0x05,
		00000 #0036 [01]  ....[Return Value] Reference
		            [01]  }

		% 
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
		ArgObj:    0x80bc6a8 <Obj> [Index]     
		ResultObj: 0x80bc628 <Obj>             Integer 0000000000000005

		00021 #0088 [00]  Index
		            [00]  (
		00022 #002D [01]  ....PBIF,  (Path 
		00026 #000A [01]  ....(UINT8)  0x04,
		00028 #002D [01]  ....<NULL NAME PTR>
		            [01]  }

		% 
		ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000004
		ArgObj:    0x80bc6a8 <Obj> [Const]     Zero (0) [Null Target]
		ResultObj: 0x80bc728 <Obj> [Index]     

		0001E #0070 [00]  Store
		            [00]  (
		0001F #000A [01]  ....(UINT8)  0x05,
		00000 #0036 [01]  ....[Return Value] Reference
		            [01]  }

		% 
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000005
		ArgObj:    0x80bc728 <Obj> [Index]     
		ResultObj: 0x80bc628 <Obj>             Integer 0000000000000005

		0002F #0088 [00]  Index
		            [00]  (
		00030 #002D [01]  ....PBIF,  (Path 
		00034 #000A [01]  ....(UINT8)  0x09,
		00036 #002D [01]  ....<NULL NAME PTR>
		            [01]  }

		% 
		ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
		ArgObj:    0x80bc628 <Obj>             Integer 0000000000000009
		ArgObj:    0x80bc728 <Obj> [Const]     Zero (0) [Null Target]
		ResultObj: 0x80bc6a8 <Obj> [Index]     

		00029 #0070 [00]  Store
		            [00]  (
		0002A #000D [01]  ...."Bad",
		00000 #0036 [01]  ....[Return Value] Reference
		            [01]  }

		% 
		ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
		ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
		ArgObj:    0x80bc6a8 <Obj> [Index]     
		ResultObj: 0x80bc628 <Obj>             String(3) "Bad"

		0003D #0088 [00]  Index
		            [00]  (
		0003E #002D [01]  ....PBIF,  (Path 
		00042 #000A [01]  ....(UINT8)  0x0A,
		00044 #002D [01]  ....<NULL NAME PTR>
		            [01]  }

		% 
		ArgObj:    0x809f8a8 <Node>            Name PBIF Type-Package
		ArgObj:    0x80bc628 <Obj>             Integer 000000000000000A
		ArgObj:    0x80bc6a8 <Obj> [Const]     Zero (0) [Null Target]
		ResultObj: 0x80bc728 <Obj> [Index]     

		00037 #0070 [00]  Store
		            [00]  (
		00038 #000D [01]  ...."Bad",
		00000 #0036 [01]  ....[Return Value] Reference
		            [01]  }

		% 
		ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
		ArgObj:    0x80bc628 <Obj>             String(3) "Bad"
		ArgObj:    0x80bc728 <Obj> [Index]     
		Segmentation fault (core dumped)
		% gdb acpicadb acpicadb.core
		GNU gdb 4.18
		Copyright 1998 Free Software Foundation, Inc.
		GDB is free software, covered by the GNU General Public License, and you are
		welcome to change it and/or distribute copies of it under certain conditions.
		Type "show copying" to see the conditions.
		There is absolutely no warranty for GDB.  Type "show warranty" for details.
		This GDB was configured as "i386-unknown-freebsd"...
		Core was generated by `acpicadb'.
		Program terminated with signal 11, Segmentation fault.
		Reading symbols from /usr/lib/libc.so.5...done.
		Reading symbols from /usr/libexec/ld-elf.so.1...done.
		#0  0x8071b9f in AcpiUtDeleteElementFromAllocList (ListId=0, 
		    Address=0x8090b70, Component=128, Module=0x807f720 "exstorob", Line=257)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../utilities/utalloc.c:479
		479	        (Address->Previous)->Next = Address->Next;
		(gdb) bt
		#0  0x8071b9f in AcpiUtDeleteElementFromAllocList (ListId=0, 
		    Address=0x8090b70, Component=128, Module=0x807f720 "exstorob", Line=257)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../utilities/utalloc.c:479
		#1  0x80721a5 in AcpiUtFree (Address=0x8090b98, Component=128, 
		    Module=0x807f720 "exstorob", Line=257)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../utilities/utalloc.c:838
		#2  0x8060de8 in AcpiExCopyStringToString (SourceDesc=0x80bc628, 
		    TargetDesc=0x80bb128)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstorob.c:257
		#3  0x8060c60 in AcpiExStoreObject (SourceDesc=0x80bc628, TargetType=2 '\002', 
		    TargetDescPtr=0xbfbff224, WalkState=0x8092028)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstoren.c:317
		#4  0x8060a36 in AcpiExStoreObjectToObject (SourceDesc=0x80bc628, 
		    DestDesc=0x80bb128, WalkState=0x8092028)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstore.c:775
		#5  0x8060580 in AcpiExStoreObjectToIndex (ValDesc=0x80bc628, 
		    DestDesc=0x80bc728, WalkState=0x8092028)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstore.c:452
		#6  0x80602a2 in AcpiExStore (ValDesc=0x80bc628, DestDesc=0x80bc728, 
		    WalkState=0x8092028)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exstore.c:234
		#7  0x805cd2a in AcpiExMonadic2R (Opcode=112, WalkState=0x8092028, 
		    ReturnDesc=0xbfbff314)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exmonad.c:600
		#8  0x80517f1 in AcpiDsExecEndOp (WalkState=0x8092028, Op=0x8094928)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/dispatcher/dswexec.c:555
		#9  0x8069af4 in AcpiPsParseLoop (WalkState=0x8092028)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/parser/psparse.c:1027
		#10 0x806a005 in AcpiPsParseAml (StartScope=0x808ba28, 
		    Aml=0x8091159 "p\013\001UBIFp\n\005\210PBIF\n\001", AmlSize=97, 
		    ParseFlags=49, MethodNode=0x809fe28, Params=0x80a4228, 
		    CallerReturnDesc=0xbfbff4e4, 
		    DescendingCallback=0x8051444 <AcpiDsExecBeginOp>, 
		    AscendingCallback=0x80515e8 <AcpiDsExecEndOp>)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/parser/psparse.c:1344
		#11 0x806b050 in AcpiPsxExecute (MethodNode=0x809fe28, Params=0x80a4228, 
		    ReturnObjDesc=0xbfbff4e4)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/parser/psxface.c:238
		#12 0x8061642 in AcpiExExecuteMethod (MethodNode=0x809fe28, Params=0x80a4228, 
		    ReturnObjDesc=0xbfbff4e4)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/executer/exxface.c:187
		#13 0x8064eec in AcpiNsExecuteControlMethod (MethodNode=0x809fe28, 
		    Params=0x80a4228, ReturnObjDesc=0xbfbff4e4)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nseval.c:518
		#14 0x8064de4 in AcpiNsEvaluateByHandle (Handle=0x809fe28, Params=0x80a4228, 
		    ReturnObject=0xbfbff564)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nseval.c:401
		#15 0x8064c9b in AcpiNsEvaluateByName (Pathname=0x8088a74 "\\_SB_.BAT1.IVBI", 
		    Params=0x80a4228, ReturnObject=0xbfbff564)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nseval.c:302
		#16 0x8067d80 in AcpiEvaluateObject (Handle=0x0, 
		    Pathname=0x8088a74 "\\_SB_.BAT1.IVBI", ParamObjects=0xbfbff5a0, 
		    ReturnBuffer=0xbfbff660)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../namespace/nsxfobj.c:253
		#17 0x804cb3b in AcpiDbExecuteMethod (Info=0x8088a60, ReturnObj=0xbfbff660)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbexec.c:204
		#18 0x804cc72 in AcpiDbExecute (Name=0x8088926 "_SB_.BAT1.IVBI", 
		    Args=0x8088908, Flags=2)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbexec.c:334
		#19 0x804b955 in AcpiDbCommandDispatch (InputBuffer=0x80889c0 "", 
		    WalkState=0x0, Op=0x0)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbinput.c:648
		#20 0x804bdd9 in AcpiDbSingleThread ()
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbinput.c:920
		#21 0x804be51 in AcpiDbUserCommands (Prompt=0, Op=0x0)
		    at /usr/ports/devel/acpicatools/work/acpicadb/../interpreter/debugger/dbinput.c:987
		#22 0x80495c1 in load_dsdt (dsdtfile=0xbfbff913 "fiva-MPC-206VL.dsdt")
		    at acpicadb.c:515
		#23 0x804963b in main (argc=2, argv=0xbfbff7dc) at acpicadb.c:541
		#24 0x8048bfd in _start ()
		(gdb) q
		% exit

		Script done on Mon Sep  3 19:08:33 2001
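To make the ownership rule behind the patch concrete, here is an added C model that is not ACPICA's code and not part of Iwasaki's post: AmlObject, DsdtImage, InitStringFromAml, CopyStringToString and ReplayIvbiStore are assumed stand-ins for the objects and routines named in the thread, and the table image is constructed. Without the flag the grow path would hand a pointer into the DSDT image to free(), which is the AcpiUtFree call in the backtrace; with it the image is left intact and the object takes heap ownership.

```c
#include <stdlib.h>
#include <string.h>
#define AOPOBJ_STATIC_POINTER 0x01  /* pointer lives in the table image, not the heap */

/* Simplified stand-in for ACPI_OPERAND_OBJECT (assumed, not ACPICA's own). */
typedef struct { unsigned char flags; char *pointer; size_t length; } AmlObject;
/* Constructed stand-in for the DSDT image: PBIF[10] is the " " string. */
static char DsdtImage[] = " ";

/* What AcpiDsInitObjectFromOp must do after the fix: an object built from
 * an op references the AML stream, so mark its pointer static. */
void InitStringFromAml(AmlObject *obj, char *amlString)
{
    obj->pointer = amlString;
    obj->length = strlen(amlString);
    obj->flags |= AOPOBJ_STATIC_POINTER;
}

/* Mirrors AcpiExCopyStringToString: grow the target when the source does
 * not fit. The flag check is the fix: a pointer into the table image is
 * never handed to free(). Returns 0 on success, -1 if malloc fails. */
int CopyStringToString(const AmlObject *src, AmlObject *dst)
{
    if (src->length > dst->length) {
        char *fresh = malloc(src->length + 1);
        if (fresh == NULL) return -1;                 /* old buffer kept */
        if (!(dst->flags & AOPOBJ_STATIC_POINTER)) free(dst->pointer);
        dst->pointer = fresh;
        dst->flags &= ~AOPOBJ_STATIC_POINTER;         /* now heap-owned */
    }
    memcpy(dst->pointer, src->pointer, src->length + 1);
    dst->length = src->length;
    return 0;
}

/* Replays Store("Bad", Index(PBIF, 0xa)) onto the 1-byte string in the
 * image. Returns 1 if the copy succeeded, the image is untouched and the
 * object now owns heap memory; 0 otherwise. */
int ReplayIvbiStore(void)
{
    AmlObject pbif10 = {0, NULL, 0};
    AmlObject bad = {0, "Bad", 3};
    int ok;
    InitStringFromAml(&pbif10, DsdtImage);
    if (CopyStringToString(&bad, &pbif10) != 0) return 0;
    ok = strcmp(pbif10.pointer, "Bad") == 0 && strcmp(DsdtImage, " ") == 0
      && !(pbif10.flags & AOPOBJ_STATIC_POINTER);
    free(pbif10.pointer);                             /* legal now: heap-owned */
    return ok;
}
int main(void) { return ReplayIvbiStore() ? 0 : 1; }
```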
