<bonda_000>
the cma allocator being initialized in vmcs_initialise_auto_vchi_services()
<bonda_000>
it is actually not the only thing
<bonda_000>
that's being allocated
<bonda_000>
the label "cma_service_start_info" is also __VCHIQ_SERVICES_START
<bonda_000>
aliased
<bonda_000>
so
<bonda_000>
it traverses that memory until the iterator equals __VCHIQ_SERVICES_END
<clever>
yep, that's what I said
<bonda_000>
and it will call two functions via code pointer
<bonda_000>
cma_service_start and mmal_server_start
<clever>
2024-05-13 20:33:11 < clever> I think technically, it's loading the address of __VCHIQ_SERVICES_START and __VCHIQ_SERVICES_END
<clever>
2024-05-13 20:34:19 < clever> so it starts at __VCHIQ_SERVICES_START, reads a 12 byte thing, increments by 12, and repeats, until it hits __VCHIQ_SERVICES_END
<bonda_000>
yeah just the decompile window is misleading
<bonda_000>
it looks like it only loads cma block
<clever>
yeah, it's confused by multiple symbols on the same addr
<bonda_000>
and then
<bonda_000>
also interesting
<bonda_000>
each of these functions has 4 bytes after it
<bonda_000>
that looks legitimate
<bonda_000>
0ef060e8 for cma_service_start
<clever>
don't remember if they did anything
<bonda_000>
and 0ef06814 for mmal_server_start
<bonda_000>
yeah I don't see them being referenced in that code
<bonda_000>
clever: dude
<bonda_000>
do you see what's going on in vmcs_app_message_handler?
<bonda_000>
it's doing ld r0, (sp+0x38)
<bonda_000>
and that function hasn't written anything in there
<bonda_000>
could that be "switchData"?
<bonda_000>
all the stack operations are
<bonda_000>
stm r6-r9, lr, (--sp)
<bonda_000>
add sp, -0x3C
<clever>
that's local variables
<bonda_000>
so every time it calls another init() function it pulls r0 from sp+0x38
<clever>
it's allocating 0x3c bytes for local variables
<clever>
and sp+0x38 is just a local variable
<bonda_000>
it allocated, but it never wrote anything to that place
<bonda_000>
ah I see
<clever>
struct?
<bonda_000>
I was looking at ilcs_init()
<bonda_000>
and prior to that ilcs_config() was called with the same r0
<bonda_000>
and did a bunch of st's
<bonda_000>
still though, that doesn't tell what is in that place on the stack
<bonda_000>
all I know is that this function, vmcs_app_message_handler() is called from a thread_wrapper() as a code ptr
<bonda_000>
something could have been written to that place prior to that
<bonda_000>
clever: do you know what is the difference between lea r0, (sp+0x38) and ld r0, (sp+0x38)?
<clever>
one is just r0 = sp+0x38
<clever>
the other is r0 = ram[sp+0x38]
<bonda_000>
so it does
<bonda_000>
lea r0, (sp+0x38) and then bl vchi_initialise
<bonda_000>
I guess that first lea is where it is written then?
<bonda_000>
brb gonna run to the store
<clever>
that's passing the addr of a struct to the function
<clever>
that struct is at least 0x38 in size
<clever>
so you need to look at vchi_initialise and guess how big the struct is
<bonda_000>
It puts the address of vchiq_instances in there