This is a hard question but I hope someone could help ;)
Here is the crash I have from simplest app which just calls pthread_create():
/ # /opt/zpm_thread
00032 : pthread_initialize: initial thread stack bounds: bos=0x1, tos=0xffffffff
00032 : __pthread_initialize_manager: manager stack: size=8160, bos=0xa02fc008, tos=0xa02fdfe8
00032 : __pthread_initialize_manager: send REQ_DEBUG to manager thread
00032 : pthread_create: write REQ_CREATE to manager thread
00032 : pthread_create: before suspend(self)
00033 : __pthread_manager: before poll
00033 : __pthread_manager: after poll
00033 : __pthread_manager: before read
00033 : __pthread_manager: after read, n=28
00033 : __pthread_manager: got REQ_CREATE
[ 13.100000]
[ 13.100000] zpm_thread: unhandled MPU fault (0x08) at 0x00000000 [pc=0xa0088e4a,sp=0xa02fde08]
[ 13.100000]
[ 13.100000] [fp=0x00000000]
[ 13.100000]
[ 13.100000]
[ 13.100000] Pid: 33, comm: zpm_thread
[ 13.100000] CPU: 0 Not tainted (2.6.33-arm1 #2)
[ 13.100000] pc : [<a0088e4a>] lr : [<a0088f8f>] psr: 21000000
[ 13.100000] sp : a02fde08 ip : a00980d8 fp : 00000000
[ 13.100000] Code dump at pc [a0088e4a]:
[ 13.100000] 68f8601a 683a6979 f7ff6a3b 697bffc8
[ 13.100000] r10: a0095bf0 r9 : 00000000 r8 : 00000000
[ 13.100000] r7 : a02fde28 r6 : a02fdf9c r5 : 00000020 r4 : a0097fb0
[ 13.100000] r3 : a001cff4 r2 : 00005000 r1 : a0018000 r0 : a009c5d0
[ 13.100000] Flags: nzCv IRQs on FIQs on Mode USER_26 ISA unknown Segment user
[ 13.100000] Backtrace: no frame pointer
Here is what I got from objdump by dissecting the app:
00008dec <__heap_add_free_area>:
free-area. */
struct heap_free_area *
__heap_add_free_area (struct heap_free_area **heap, void *mem, size_t size,
struct heap_free_area *prev,
struct heap_free_area *next)
{
8dec: b580 push {r7, lr}
8dee: b086 sub sp, #24
8df0: af00 add r7, sp, #0
8df2: 60f8 str r0, [r7, #12]
8df4: 60b9 str r1, [r7, #8]
8df6: 607a str r2, [r7, #4]
8df8: 603b str r3, [r7, #0]
struct heap_free_area *fa = (struct heap_free_area *)
8dfa: 68ba ldr r2, [r7, #8]
8dfc: 687b ldr r3, [r7, #4]
8dfe: f1a3 030c sub.w r3, r3, #12
((char *)mem + size - sizeof (struct heap_free_area));
8e02: 4413 add r3, r2
8e04: 617b str r3, [r7, #20]
fa->size = size;
8e06: 697b ldr r3, [r7, #20] <-- store to r3 value from r7+20 ( we have valid pointer - OK)
8e08: 687a ldr r2, [r7, #4] <-- store to r2 0x5000 - OK
8e0a: 601a str r2, [r3, #0] <-- FAIL HERE. (save 0x5000 to address a001cff4 (r3) - seems valid)
__heap_link_free_area (heap, fa, prev, next);
8e0c: 68f8 ldr r0, [r7, #12]
8e0e: 6979 ldr r1, [r7, #20]
8e10: 683a ldr r2, [r7, #0]
8e12: 6a3b ldr r3, [r7, #32]
8e14: f7ff ffc8 bl 8da8 <__heap_link_free_area>
return fa;
8e18: 697b ldr r3, [r7, #20]
}
8e1a: 4618 mov r0, r3
8e1c: f107 0718 add.w r7, r7, #24
8e20: 46bd mov sp, r7
8e22: bd80 pop {r7, pc}
(gdb) x/100x 0xa02fde28
0xa02fde28: 0x00000000 0x00005000 0xa0018000 0xa009c5d0
0xa02fde38: 0x04000021 0xa001cff4 0xa02fde50 0xa0088f8f
0xa02fde48: 0xa009c5c4 0xa0097fb0 0x00000020 0x00005000
0xa02fde58: 0xa0018000 0xa009c5d0 0x00000000 0xa009c5c4
0xa02fde68: 0x00000000 0xa001d000 0x00005000 0xa00a0834
0xa02fde78: 0xa02fde88 0xa00886b9 0x00000000 0x00000000
0xa02fde88: 0x00000000 0xa00a0834 0xa009c5d0 0x00004008
0xa02fde98: 0x00000000 0xa0018000 0x00005000 0x00000000
0xa02fdea8: 0x00000000 0x00000000 0xa02fdeb8 0xa0088851
0xa02fdeb8: 0x00000000 0x00004000 0x00000000 0x00000000
0xa02fdec8: 0xa02fded0 0xa0082b97 0xa02fdf3c 0x00001000
0xa02fded8: 0xffffbea1 0x00000000 0x00000000 0x00000000
0xa02fdee8: 0x00000000 0x00000000 0x00004000 0xa02fdf88
0xa02fdef8: 0x0000001c 0x00000003 0x726f6665 0x00000002
0xa02fdf08: 0xa02fdf20 0xa0082d25 0xa02fdf38 0xa02fdf34
0xa02fdf18: 0xa02fdf30 0x00000003 0x00000000 0xa00800a5
0xa02fdf28: 0x00000000 0xa0097fe0 0x00000000 0x00000000
0xa02fdf38: 0x00000000 0x00000000 0x00000002 0xa0098110
0xa02fdf48: 0xa02fdf50 0x0000002a 0x00001000 0x00000000
0xa02fdf58: 0xa02fdf80 0xa0082841 0xa0095efc 0xa0097fb0
0xa02fdf68: 0xa02fdf80 0xa0082881 0xa02fdf9c 0x00000020
0xa02fdf78: 0x00000000 0xa00980d8 0x00000000 0x00000003
0xa02fdf88: 0xa0097fb0 0x00000000 0x00000000 0xa00800a5
0xa02fdf98: 0x00000000 0x80000000 0x00000000 0xffffffef
0xa02fdfa8: 0xfffffffe 0x00000003 0x00010001 0x00000003
(gdb) x/100x 0xa001cff4
0xa001cff4: 0x00000000 0x00000000 0x00000000 0x1d03d003
0xa001d004: 0x28006840 0x6841d1f8 0xf0066019 0x4620fa3d
0xa001d014: 0x490d4632 0xfe74f004 0xe74c2001 0x4b091c58
0xa001d024: 0x99029000 0xb9ab681b 0xbf00e75e 0x64790100
0xa001d034: 0x70790100 0x80790100 0x90790100 0xa0790100
0xa001d044: 0x50790100 0xb4a90100 0x58790100 0x2b00685b
0xa001d054: 0xaf4af43f 0x4291681a 0x4668d1f8 0xf7ffa901
0xa001d064: 0x4680fc49 0xf47f2800 0x9f00af3f 0xc000f897
0xa001d074: 0x0f2cf1bc 0xaf38f47f 0x19a61c7d 0x95001b76
0xa001d084: 0xf7ff4630 0x2e00f901 0xdd384605 0xe001f897
0xa001d094: 0x36011e71 0xf1be4642 0xf0010f7d 0xbf1c0101
0xa001d0a4: 0xe000f880 0x0801f04f 0x2302d04b 0xd02342b3
0xa001d0b4: 0x5cf9b159 0x297db9b2 0xf805bf1a 0xf1081008
0xa001d0c4: 0x22010801 0x42b33301 0x5cf9d016 0xf081b352
0xa001d0d4: 0x22000020 0x0008f805 0x0801f108 0x5cf93301
0xa001d0e4: 0xd0e82a00 0x22003301 0xf08142b3 0xf8050c20
0xa001d0f4: 0xf108c008 0xd1e80801 0xf47f2a00 0x4642aef5
0xa001d104: 0x46299802 0xf0049b01 0xf1b0fb13 0xd01a3fff
0xa001d114: 0x49174602 0xf0044620 0x4628fdf3 0xf9b4f006
0xa001d124: 0xe6c82001 0xbf1a297d 0x1008f805 0x0801f108
0xa001d134: 0xe7d32201 0xf7ff4620 0x2001fd11 0x4b0de6bb
0xa001d144: 0x2201e761 0x4620e7b1 0xfd08f7ff 0xf0064628
0xa001d154: 0x2001f99b 0x4620e6af 0x4631462b 0xfd9af7ff
0xa001d164: 0xf7ffe716 0x4630fcfb 0xf98ef006 0xe6a22001
0xa001d174: 0x58790100 0xb4a90100 0xe92d4b76 0x681a01f0
So we are trying to save value 0x5000 to the address 0xa001cff4 and have an exception:
zpm_thread: unhandled MPU fault (0x08) at 0x00000000 [pc=0xa0088e4a,sp=0xa02fde08]
I have 8Mb SDRAM in range 0xa0000000 - 0xa0800000
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0x00000000 - 0x00001000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] vmalloc : 0x00000000 - 0xffffffff (4095 MB)
[ 0.000000] lowmem : 0xa0000000 - 0xa0800000 ( 8 MB)
[ 0.000000] modules : 0xa0000000 - 0x01000000 (1552 MB)
[ 0.000000] .init : 0xa0008000 - 0xa00e4000 ( 880 kB)
[ 0.000000] .text : 0xa00e4000 - 0xa0197000 ( 716 kB)
[ 0.000000] .data : 0xa0198000 - 0xa01a7c80 ( 64 kB)
...
[ 4.700000] Freeing init memory: 880K
So it seems to be a valid physical RAM area and address 0xa001cff4 seems valid either. Now this is quite strange for me why in kernel exception it says about 0x00000000 and what this exception means.
Also I want to say that single thread apps works fine and I have those MPU issues during stack allocation for a new threads. But what I want to understand now - why is it MPU fault and how is it able to fail on valid address.
What I actually did - disabled CONFIG_MPU in kernel and it started to work. After that I found that my u-boot is custom fork and probably doesn't setup MPU well. Without CONFIG_MPU everything started to work great. As I said it's Cortex-M3 related issue and what I found is that kernel debug not properly describes the fault (0x00000000 instead of real fault address etc).