标题:【求助】汇编高手进
取消只看楼主
zhw3king
Rank: 1
等 级:新手上路
帖 子:1
专家分:0
注 册:2017-3-21
结帖率:0
已结贴  问题点数:20 回复次数:0 
【求助】汇编高手进
说一下背景,最近Android M的项目中在进行mtp拷贝时死机。 
kernel panic ,dump出来的obj如下,我尝试着翻译了一下还是没看明白。希望达成的目标是将下面的指令对和具体的函数调用匹配上。
函数如下:
struct page *follow_page_mask(struct vm_area_struct *vma,
                  unsigned long address, unsigned int flags,
                  unsigned int *page_mask)
{
    pgd_t *pgd;
    pud_t *pud;
    pmd_t *pmd;
    spinlock_t *ptl;
    struct page *page;
    struct mm_struct *mm = vma->vm_mm;
    *page_mask = 0;
    page = follow_huge_addr(mm, address, flags & FOLL_WRITE);
    if (!IS_ERR(page)) {
        BUG_ON(flags & FOLL_GET);
        return page;
    }
    pgd = pgd_offset(mm, address);
    if (pgd_none(*pgd) || unlikely(pgd_bad(*pgd)))
        return no_page_table(vma, flags);
    pud = pud_offset(pgd, address);
    if (pud_none(*pud))
        return no_page_table(vma, flags);
    if (pud_huge(*pud) && vma->vm_flags & VM_HUGETLB) {
        page = follow_huge_pud(mm, address, pud, flags);
        if (page)
            return page;
        return no_page_table(vma, flags);
    }
    if (unlikely(pud_bad(*pud)))
        return no_page_table(vma, flags);
    pmd = pmd_offset(pud, address);
    if (pmd_none(*pmd))
        return no_page_table(vma, flags);
    if (pmd_huge(*pmd) && vma->vm_flags & VM_HUGETLB) {
        page = follow_huge_pmd(mm, address, pmd, flags);
        if (page)
            return page;
        return no_page_table(vma, flags);
    }
    if ((flags & FOLL_NUMA) && pmd_numa(*pmd))
        return no_page_table(vma, flags);
    if (pmd_trans_huge(*pmd)) {
        if (flags & FOLL_SPLIT) {
            split_huge_page_pmd(vma, address, pmd);
            return follow_page_pte(vma, address, pmd, flags);
        }
        ptl = pmd_lock(mm, pmd);
        if (likely(pmd_trans_huge(*pmd))) {
            if (unlikely(pmd_trans_splitting(*pmd))) {
                spin_unlock(ptl);
                wait_split_huge_page(vma->anon_vma, pmd);
            } else {
                page = follow_trans_huge_pmd(vma, address,
                                 pmd, flags);
                spin_unlock(ptl);
                *page_mask = HPAGE_PMD_NR - 1;
                return page;
            }
        } else
            spin_unlock(ptl);
    }
    return follow_page_pte(vma, address, pmd, flags);
}


ffffffc00018e9b4 <__get_user_pages.part.22>:
ffffffc00018e724:    a9b97bfd     stp    x29, x30, [sp,#-112]! //将x29 x30 存储器的数据地址存储到sp-112 并将sp-112地址存储到sp
ffffffc00018e728:    910003fd     mov    x29, sp               //将栈指针移动到存储器x29里
ffffffc00018e72c:    a90153f3     stp    x19, x20, [sp,#16]    //将x19 x20 存储器的数据地址存储到sp+16
ffffffc00018e730:    a9025bf5     stp    x21, x22, [sp,#32]    //将x21 x22 存储器的数据地址存储到sp+32
ffffffc00018e734:    a9046bf9     stp    x25, x26, [sp,#64]    //将x25 x26 存储器的数据地址存储到sp+64
ffffffc00018e738:    a90363f7     stp    x23, x24, [sp,#48]    //将x23 x24 存储器的数据地址存储到sp+48
ffffffc00018e73c:    a90573fb     stp    x27, x28, [sp,#80]    //将x27 x28 存储器的数据地址存储到sp+80
ffffffc00018e740:    aa0003f5     mov    x21, x0               //将x0存储器内容移动到x21中
ffffffc00018e744:    aa0103fa     mov    x26, x1               //将x1存储器内容移动到x26中
ffffffc00018e748:    f9402000     ldr    x0, [x0,#64]          //将x0+64后的内容读入到x0
ffffffc00018e74c:    d35e9821     ubfx    x1, x1, #30, #9       //?
ffffffc00018e750:    b900007f     str    wzr, [x3]             //丢弃结果?也许是
ffffffc00018e754:    2a0203f4     mov    w20, w2               //移动w2到w20
ffffffc00018e758:    f9402000     ldr    x0, [x0,#64]          //将寄存器x0+64的字数据后读入到x0
ffffffc00018e75c:    f8617800     ldr    x0, [x0,x1,lsl #3]    //将存储器地址为x0+x1*3的字数据读入寄存器x0
ffffffc00018e760:    b4001060     cbz    x0, ffffffc00018e96c <follow_page_mask+0x248> x0的字数句为0进行跳转
ffffffc00018e764:    36081040     tbz    w0, #1, ffffffc00018e96c <follow_page_mask+0x248>
ffffffc00018e768:    d000c393     adrp    x19, ffffffc001a00000 <reset_devices>
ffffffc00018e76c:    92748c00     and    x0, x0, #0xfffffffff000
ffffffc00018e770:    b25a67f7     mov    x23, #0xffffffc000000000        // #-274877906944
ffffffc00018e774:    f943de61     ldr    x1, [x19,#1976]       //将x19+1976字数据读入寄存器x1
ffffffc00018e778:    cb010000     sub    x0, x0, x1            //x0 = x0 -x1
ffffffc00018e77c:    d3557741     ubfx    x1, x26, #21, #9      //?
ffffffc00018e780:    8b170000     add    x0, x0, x23           //x0 = x0 + x23
ffffffc00018e784:    d37df021     lsl    x1, x1, #3            //lsl alias ubfm ?
ffffffc00018e788:    8b010019     add    x25, x0, x1           //x25 = x1 + 3
ffffffc00018e78c:    f8616800     ldr    x0, [x0,x1]           //将寄存器地址为x0 + x1的字数据读入到x0
ffffffc00018e790:    b4000ee0     cbz    x0, ffffffc00018e96c <follow_page_mask+0x248> //条件跳转
ffffffc00018e794:    f94022a0     ldr    x0, [x21,#64]         //将地址为x21+64的字数据读入到寄存器x0
ffffffc00018e798:    d34c5358     ubfx    x24, x26, #12, #9      //?
ffffffc00018e79c:    f90037a0     str    x0, [x29,#104]         //x0的字数据写入x29+104
ffffffc00018e7a0:    d280161b     mov    x27, #0xb0                      // #176
ffffffc00018e7a4:    d37df300     lsl    x0, x24, #3            //ubfm
ffffffc00018e7a8:    1216005c     and    w28, w2, #0x400        //w2与上0x400
ffffffc00018e7ac:    f90033a0     str    x0, [x29,#96]          //x0的字数据写入到x29+400
ffffffc00018e7b0:    f9400320     ldr    x0, [x25]              //x25的字数据读入x0
ffffffc00018e7b4:    36080dc0     tbz    w0, #1, ffffffc00018e96c <follow_page_mask+0x248>
ffffffc00018e7b8:    f943de61     ldr    x1, [x19,#1976]        // x19+1976读入到x1
ffffffc00018e7bc:    92748c02     and    x2, x0, #0xfffffffff000 x2 = x0 与 0xfffffff000
ffffffc00018e7c0:    d34cbc00     ubfx    x0, x0, #12, #36      //?
ffffffc00018e7c4:    cb0102e1     sub    x1, x23, x1            //x1 = x23 -x1
ffffffc00018e7c8:    8b020038     add    x24, x1, x2            //x24 = x1 + x2
ffffffc00018e7cc:    d2a80002     mov    x2, #0x40000000                // #1073741824
ffffffc00018e7d0:    f2dff742     movk    x2, #0xffba, lsl #32    //Move with Keep (extended immediate): Xt<pos+15:pos> = uimm16.
ffffffc00018e7d4:    f2ffffe2     movk    x2, #0xffff, lsl #48
ffffffc00018e7d8:    9b1b0800     madd    x0, x0, x27, x2
ffffffc00018e7dc:    f9401816     ldr    x22, [x0,#48]          //将寄存器地址x0+48的字数据读入寄存器x22



 - STP Wt1, Wt2, addr
Store Pair Registers: stores two words from Wt1 and Wt2 to
memory addressed by addr.
 - STP Xt1, Xt2, addr
Store Pair Registers (extended): stores two doublewords
from Xt1 and Xt2 to memory addressed by addr.
 - UBFX Xd, Xn, #lsb, #width
Unsigned Bitfield Extract (extended): alias for UBFM Xd,Xn,#lsb,#(lsb+width-1).
Preferred for disassembly when s >= r.
 - UBFM Xd, Xn, #r, #s
Unsigned Bitfield Move: if s>=r then Xd<s-r:0> = Xn<s:r>,
else Xd<32+s-r,32-r> = Xn<s:0>. Sets bits to the left and
 right of the destination bitfield to zero.
- STR Xt, addr
Store Register (extended): stores doubleword from Xt to
 memory addressed by addr.
寄存器r31是一个特殊的寄存器:
Zero Register: 在大多数情况下,作为源寄存器使用时, r31读出来的值 是0; 作为目标寄存器使用时, 丢弃结果。
WZR(word zero rigiser)或者XZR(64位)
 - CBZ Xn, label
Compare and Branch Zero (extended): conditionally jumps to
label if Xn is equal to zero.
 - TBZ Xn|Wn, #uimm6, label
Test and Branch Zero: conditionally jumps to label if bit
 number uimm6 in register Xn is zero. The bit
number implies the width of the register, which may be
 written and should be disassembled as Wn if
uimm6 is less than 32. Limited to a branch offset range
of ±32KiB.
 - ADRP Xd, label
Address of Page: sign extends a 21-bit offset, shifts it
left by 12 and adds it to the value of the PC with its
bottom 12 bits cleared, writing the result to register Xd.
This computes the base address of the 4KiB aligned memory region
containing label, and is designed to be used in conjunction with a load, store or
ADD instruction which supplies the bottom 12 bits of the label’s address.
This permits positionindependent addressing of any location
within ±4GiB of the PC using two instructions, providing
that dynamic relocation is done with a minimum granularity of 4KiB
 (i.e. the bottom 12 bits of the label’s address are
 unaffected by the relocation). The term “page” is short-
 hand for the 4KiB relocation granule,and is not necessarily
 related to the virtual memory page size.
 - LSL Xd, Xn, #uimm
Logical Shift Left (extended immediate): alias for
UBFM Xd,Xn,#((64-uimm)&63),#(63-uimm)
 - MOVK Wt, #uimm16{, LSL #pos}
Move with Keep (immediate): Wt<pos+15:pos> = uimm16.
 - MOVK Xt, #uimm16{, LSL #pos}
Move with Keep (extended immediate): Xt<pos+15:pos> = uimm16.
搜索更多相关主题的帖子: address 项目 
2017-03-21 11:48



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-475316-1-1.html




关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.017210 second(s), 8 queries.
Copyright©2004-2025, BCCN.NET, All Rights Reserved