Comment 1 for bug 1596160

I've narrowed the crash to a stmia instruction in U-Boot's relocate_code:

Breakpoint 3, relocate_code () at arch/arm/lib/relocate.S:81
81 subs r4, r0, r1 /* r4 <- relocation offset */
(gdb) disas
Dump of assembler code for function relocate_code:
   0x17802620 <+0>: ldr r1, [pc, #76] ; 0x17802674 <relocate_done+4>
=> 0x17802624 <+4>: subs r4, r0, r1
   0x17802628 <+8>: beq 0x17802670 <relocate_done>
   0x1780262c <+12>: ldr r2, [pc, #68] ; 0x17802678 <relocate_done+8>
   0x17802630 <+16>: ldm r1!, {r10, r11}
   0x17802634 <+20>: stmia r0!, {r10, r11}
   0x17802638 <+24>: cmp r1, r2
   0x1780263c <+28>: bcc 0x17802630 <relocate_code+16>
   0x17802640 <+32>: ldr r2, [pc, #52] ; 0x1780267c <relocate_done+12>
   0x17802644 <+36>: ldr r3, [pc, #52] ; 0x17802680 <relocate_done+16>
   0x17802648 <+0>: ldm r2!, {r0, r1}
   0x1780264c <+4>: and r1, r1, #255 ; 0xff
   0x17802650 <+8>: cmp r1, #23
   0x17802654 <+12>: bne 0x17802668 <fixnext>
   0x17802658 <+16>: add r0, r0, r4
   0x1780265c <+20>: ldr r1, [r0]
   0x17802660 <+24>: add r1, r1, r4
   0x17802664 <+28>: str r1, [r0]
   0x17802668 <+0>: cmp r2, r3
   0x1780266c <+4>: bcc 0x17802648 <fixloop>
   0x17802670 <+0>: bx lr
End of assembler dump.
(gdb) si
82 beq relocate_done /* skip relocation */
(gdb)
83 ldr r2, =__image_copy_end /* r2 <- SRC &__image_copy_end */
(gdb)
86 ldmia r1!, {r10-r11} /* copy from source address [r1] */
(gdb)
87 stmia r0!, {r10-r11} /* copy to target address [r0] */
(gdb) bt
#0 relocate_code () at arch/arm/lib/relocate.S:87
#1 0x178025cc in _main () at arch/arm/lib/crt0.S:121
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) si
Remote connection closed