azonenberg

azonenberg, 8 days ago

@whitequark This isn't hardware it's just a SFTP "open" packet.

My real question isn't so much the packed struct as why it's generating a 64-bit load for accessing a 32-bit scalar? It should be assuming 32-bit alignment at most (and since ARMv7-m allows 32-bit loads at any alignment, this should be fine).

Why would it assume that my 32-bit variable is 64-bit aligned?

azonenberg, 8 days ago

@whitequark Actually, looking more closely at the offending code it wasn't a packed struct pointer at all, it was a uint32_t* created by pointer arithmetic on the buffer (due to variable length fields).

The same thing stands though. If i give you a random uint32_t* on ARMv7-m you should not assume it's 64-bit aligned.

azonenberg, 8 days ago

@whitequark https://github.com/azonenberg/staticnet/blob/master/sftp/SFTPOpenPacket.h?ts=4#L88

The __builtin_bswap32 call in line 92 is crashing (only with -O3) in a ldrd instruction. I have no idea where it got the idea issuing a 64-bit load was necessary or OK.

azonenberg, 8 days ago

@whitequark The "fixed" (not crashy) version is

char* tmp = GetPathStart() + GetPathLength() + sizeof(uint32_t);
uint32_t n;
memcpy(&n, tmp, sizeof(n));
return __builtin_bswap32(n);

azonenberg, 8 days ago

@whitequark (note that the overall SFTPOpenPacket object may have any alignment since it's coming out of a network rx buffer, not allocated on the stack or anything).

azonenberg, 8 days ago

@whitequark (this is using Debian bookworm packaged arm-none-eabi-g++ (15:12.2.rel1-1) 12.2.1 20221205)

azonenberg, 8 days ago

@pkhuong @whitequark I mean, this struct was created from a larger buffer (ultimately it's an EthernetFrame which is a fixed MTU-sized static buffer, then I have a struct at the beginning for the fixed-sized fields then offset off the end of that).

Not sure how else you'd handle this?

azonenberg, 8 days ago

@whitequark No explicit -march but -mcpu=cortex-m7

azonenberg, 8 days ago

@whitequark Full CFLAGS (other than macro defines and include search paths) are -g -O3 --std=c++17 -Wall -Wextra -fno-rtti -fno-exceptions --specs nano.specs -mcpu=cortex-m7

azonenberg, 8 days ago

@whitequark Interesting. There's probably some additional context required to trigger the bug? I don't have time to really troubleshoot this at the moment since I have a workaround.

azonenberg, 8 days ago

@whitequark This was the actual offending code as generated

azonenberg, 8 days ago

@whitequark I didn't fully trace out what register had what values, this was optimized code so a pain to debug (a lot of the values I wanted to dump to troubleshoot were optimized out).

Got a workaround and went on with my development, now chasing a different bug that looks to be an actual application logic error of some sort.

azonenberg, 8 days ago

@whitequark If it helps the actual SFTPOpenPacket comes from this

auto payload = reinterpret_cast<SFTPOpenPacket*>(pack->Payload());
payload->ByteSwap();
OnRxOpen(id, state, socket, payload);

azonenberg, 8 days ago

@whitequark where "pack" is a SFTPPacket* which itself comes from

while(IsPacketReady(state))
{
auto pack = reinterpret_cast<SFTPPacket*>(state->m_rxBuffer.Rewind());
pack->ByteSwap();
OnRxPacket(id, state, socket, pack);
state->m_rxBuffer.Pop(pack->m_length + sizeof(uint32_t));
}

azonenberg, 8 days ago

@whitequark There should be no expectation of 64-bit alignment on any of this. Ultimately "pack" in this outer code should be on at least a 32-bit boundary since state->m_rxBuffer was rewound (this is a circular FIFO but "rewind" rotates the buffer so the contents are contiguous and start at address 0 of the buffer) and that buffer is a large array so I would expect it to be aligned to some extent.

But once I start parsing out variable-length fields from within it, all bets are off.

azonenberg, 8 days ago

@pkhuong @whitequark How else can I make a member function that does this?

I can't store a pointer to the outer buffer in the object because I can't have any variables that aren't part of the packet itself.

azonenberg, 8 days ago

@steve @whitequark So, on ARMv7-M it's legal to load a uint32_t (ldr) from any alignment so even if it is unaligned, it shouldn't matter.

What's not legal is to load an unaligned uint64_t (ldrd).

The bug is that gcc took a type that should only have guaranteed 32-bit alignment and emitted an instruction that required 64-bit alignment.

azonenberg, 8 days ago

@steve @whitequark Doesn't matter. The bug isn't that it took an odd-aligned uint32 and treated it as 32-bit aligned.

The bug is that it took a 32-bit aligned value and treated it as 64-bit aligned. Nothing in the code gave gcc permission to assume this uint32_t* was on a 64-bit boundary rather than an odd 32-bit index.

azonenberg, 8 days ago

@steve @whitequark More specifically, given uint32_t* foo = 0xdeadbee4, ldr will work and ldrd will segfault.

There was no reason to issue a 64-bit load in the first place, this is a 32-bit variable.

azonenberg, 8 days ago

@whitequark @steve ... wait, what? Ok now I'm confused.

azonenberg, 8 days ago

@whitequark It was the cheapest implementation for ATA Secure Erase they could come up with.

azonenberg, 8 days ago

Next step is to be able to DFU the FPGA.

Coming along nicely, but not done yet. I'm parsing the entire .bit structure on the fly in order to enable editing some config settings for multi-boot, although for now the data is being passed through to the write buffer unchanged (then discarded since I've implemented flash erasing but not writes).

azonenberg, 8 days ago

I'm now thoroughly confused.

I can now OTA flash the bitstream, but the image is subtly corrupted.

I tried three times with different SPI clock frequencies, and each time the exact same, byte for byte, incorrect bitstream is burned to the flash. So it seems pretty clear this is an application logic bug and not SI (which I would expect to have a more nondeterministic effect).

The bug manifests itself as two corrupted bytes, repeating on 1024 byte boundaries for a while, then something else.

For example, starting at 0x10b60, 10f60, 0x11360, etc. I have 0x60 03 overwriting the intended bitstream values. This persists up to 0x17f60.

Then at 18b44, 18f44, etc. I have 0x44 03 overwriting the intended values.

And so on. Weird 2-byte corruptions repeating at 1 kB boundaries. The flash write blocks are 512 bytes and the SFTP packets are mostly 1024 bytes, so it might have something to do with that... This is gonna be fun to debug.

azonenberg, 8 days ago

Hmm, seems like corruption in the RX circular FIFO. Making the buffer larger fixed it, but my error detection should have logged an overflow. Great, now I have something else to poke at...