G5 qemu attempts.

[darthnVader]

It's worth trying to set R5 before AddMemoryRelocationEntry to the correct value to see if it fixes that fatal error.

Code: [Select]

(gdb) break *0x205A24
(gdb) cont
(gdb) set $r5=0x2AB00000
(gdb) cont
0x2AB00000 is calculated from the assigned physical memory, i.e. ((1024*1024*1024) / 3 * 2 + 0xFFFFF) & 0xFFF0000 = 0x2AB00000.

I'm curious what happens then...

Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().

Never boots tho, I removed --nographic, and tried both the 970 and the 970fx.

I'm not getting any errors, the system just stays at the OB prompt with the last line:

Code: [Select]

Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().

[powermax]

Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().

Terrific! We're on the right track 

Never boots tho, I removed --nographic, and tried both the 970 and the 970fx.

I'm not getting any errors, the system just stays at the OB prompt with the last line:

Code: [Select]

Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().

Yes, I suspect a silent crash in the RelocationEngine due to the use of unsupported BATs. We'll fix it later.

Let's figure out where and why NKSystemInfo.PhysicalMemorySize is set to zero.

Breakpoint at 0x2052F0, dword at $r26 will contain the pointer to NKSystemInfo. I need a dump of NKSystemInfo at this location.

Code: [Select]

(gdb) break *0x2052F0
(gdb) cont
(gdb) x/1xw $r26
GDB will display an address here
(gdb) x/8xw *address shown above

[darthnVader]

Code: [Select]

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  x/1xw $r26
0x117080: 0x3fee5000
(gdb) x/8xw *0x3fee5000
0x40000000: Cannot access memory at address 0x40000000
(gdb) x/8xw *0x117080
0x3fee5000: 0x40000000 0x40000000 0x00000000 0x00000000
0x3fee5010: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)


[powermax]

Code: [Select]

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  x/1xw $r26
0x117080: 0x3fee5000
(gdb) x/8xw *0x3fee5000
0x40000000: Cannot access memory at address 0x40000000
(gdb) x/8xw *0x117080
0x3fee5000: 0x40000000 0x40000000 0x00000000 0x00000000
0x3fee5010: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)


Thanks. The NKSystemInfo structure is located at 0x3fee5000. The first two dwords - PhysicalMemorySize and UsableMemorySize - contain the correct value of 0x40000000 (= 1024MB). The full definition of this structure is located in macosstructs.h:142.

Next step is to find out where these both fields will be set to zero. You'd need to work with watchpoints here to monitor access to 0x3fee5000 between 0x2052F0 and 0x205A24.

Code: [Select]

(gdb) break *0x2052F0
(gdb) break *0x205A24
(gdb) cont
(gdb) x/8xw *0x117080 (to verify the address for the command below)
(gdb) watch *0x3fee5000
(gdb) cont
Run this commands and record all addresses where 0x3fee5000 is accessed until the execution reaches 0x205A24. I hope this will work.

[darthnVader]

Code: [Select]

(gdb)  break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) break *0x205A24
Breakpoint 2 at 0x205a24
(gdb) target remote localhost:1234
A program is being debugged already.  Kill it? (y or n) y
Remote debugging using localhost:1234

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb) x/8xw *0x117080
0x3fee5000: 0x40000000 0x40000000 0x00000000 0x00000000
0x3fee5010: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) watch *0x3fee5000
Hardware watchpoint 3: *0x3fee5000
(gdb) watch *0x3fee5010
Hardware watchpoint 4: *0x3fee5010
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb)


[darthnVader]

Code: [Select]

(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 0
New value = 1073741824
0x000000000020271c in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) cont
Continuing.


[darthnVader]

Here is what it looks like for the G4 CPU:

Code: [Select]

(gdb) target remote localhost:1234
Remote debugging using localhost:1234
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 0
New value = 1073741824
0x000000000020271c in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb) cont
Continuing.

Breakpoint 2, 0x0000000000205a24 in ?? ()
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 1073741824
New value = 1073725440
0x0000000000f105a0 in ?? ()
(gdb) cont
Continuing.

Are we jumping off into nowhere on the G5?

[powermax]

Can you please trace past the "blr" instruction at 0x20fda4 to obtain the address this subroutine returns to?

Alternatively, you just can dump the register file at the watchpoint 0x20fd94 and post the value of LR (link register) here. No need to trace anything at all...

[powermax]

Are we jumping off into nowhere on the G5?

No, I don't think so. We probably hit an exception when running the RelocationEngine on G5. At this time, because we don't have any OS running (OF has been shut down, Mac OS Nanokernel hasn't started yet), no recovering from low-level exceptions is possible so the CPU much likely enters the machine check state (that is, it hangs waiting for reset)...

[darthnVader]

Can you please trace past the "blr" instruction at 0x20fda4 to obtain the address this subroutine returns to?

Alternatively, you just can dump the register file at the watchpoint 0x20fd94 and post the value of LR (link register) here. No need to trace anything at all...

Not sure how to do either?

[powermax]

Not sure how to do either?

Code: [Select]

(gdb) break *0x2052F0
(gdb) cont
(gdb) watch *0x3fee5000
(gdb) cont

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr

[darthnVader]

Code: [Select]

(gdb) break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  watch *0x3fee5000
Hardware watchpoint 2: *0x3fee5000
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb)


[powermax]

Code: [Select]

(gdb) break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  watch *0x3fee5000
Hardware watchpoint 2: *0x3fee5000
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb)


Can you also print the value of $r12 at the same location?

[darthnVader]

This?

Code: [Select]

(gdb) break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  watch *0x3fee5000
Hardware watchpoint 2: *0x3fee5000
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb) p/x $r12
$2 = 0x203cec
(gdb)


[powermax]

Code: [Select]

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb) p/x $r12
$2 = 0x203cec
(gdb)


Yes, thanks a lot! The address 0x20fd94 belongs to the function bcopy() that simply copies bytes from src to dst. So bcopy() itself isn't a problem but merely another function that calls bcopy.

$r12 contains return address to the caller of bcopy: 0x203cec belongs to MakeROMAreas() in main.c:39, originated at 0x203b88.

Could you set a breakpoint at 0x203ce8 (that's the call to bcopy), run the code until it hits that BP and tell me what do $r3, $r4 and $r5 contain there? These will contain parameters for bcopy...

[darthnVader]

Code: [Select]

(gdb) break *0x203ce8
Breakpoint 1 at 0x203ce8
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x0000000000203ce8 in ?? ()
(gdb)  p/x $r3
$1 = 0x3fee5038
(gdb)  p/x $r4
$2 = 0x3fee5048
(gdb)  p/x $r5
$3 = 0xb8
(gdb)


[powermax]

A comparison with a working (G4 32bit) configuration could shed some light at this issue. Maybe you'll find some free time for doing such a comparison...

Under "comparison with G4", I mean "instruction-by-instruction" comparison starting with 0x203ce8. That's required to find the instruction that doesn't work as expected. You'll probably need to trace about 20-30 instructions, first on G4, then on G5:

trace an instruction
write down what it changes (we're interested mostly in register values)
an so on...

It's a superb tutorial on the PPC Assembly...

[darthnVader]

G4:

Code: [Select]

Breakpoint 1, 0x0000000000203ce8 in ?? ()
(gdb) p/x $r3
$4 = 0x3fee5038
(gdb) p/x $r4
$5 = 0x3fee5048
(gdb) p/x $r5
$6 = 0xb8
(gdb)


[powermax]

It looks like I've just mistakenly overridden my own post. Sorry 

A comparison with a working (G4 32bit) configuration could shed some light at this issue. Maybe you'll find some free time for doing such a comparison...

Under "comparison with G4", I mean "instruction-by-instruction" comparison starting with 0x203ce8. That's required to find the instruction that doesn't work as expected. You'll probably need to trace about 20-30 instructions, first on G4, then on G5:

trace an instruction
write down what it changes (we're interested mostly in register values)
an so on...

It's a superb tutorial on the PPC Assembly...

[darthnVader]

It looks like I've just mistakenly overridden my own post. Sorry 

A comparison with a working (G4 32bit) configuration could shed some light at this issue. Maybe you'll find some free time for doing such a comparison...

Under "comparison with G4", I mean "instruction-by-instruction" comparison starting with 0x203ce8. That's required to find the instruction that doesn't work as expected. You'll probably need to trace about 20-30 instructions, first on G4, then on G5:

trace an instruction
write down what it changes (we're interested mostly in register values)
an so on...

It's a superb tutorial on the PPC Assembly...

Ok I'm game, but you'll have to walk me through what I need to do, as so far I only understand some of what we are doing.