| field | value | date |
|---|---|---|
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-05-21 21:21:26 +0200 |
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-05-21 21:21:26 +0200 |
| commit | 4b927bc37359dec23f67d3427fc982945f24f404 (patch) | |
| tree | 245449ef9146942dc7fffd0235b48b7e70a00bf2 /gitlab/issues/target_arm | |
| parent | aa8bd79cec7bf6790ddb01d156c2ef2201abbaab (diff) | |
| download | emulator-bug-study-4b927bc37359dec23f67d3427fc982945f24f404.tar.gz emulator-bug-study-4b927bc37359dec23f67d3427fc982945f24f404.zip | |
add gitlab issues in toml format
Diffstat (limited to 'gitlab/issues/target_arm')
312 files changed, 12902 insertions, 0 deletions
diff --git a/gitlab/issues/target_arm/host:32bit/accel_TCG/2034.toml b/gitlab/issues/target_arm/host:32bit/accel_TCG/2034.toml new file mode 100644 index 00000000..188c6d93 --- /dev/null +++ b/gitlab/issues/target_arm/host:32bit/accel_TCG/2034.toml @@ -0,0 +1,20 @@ +id = 2034 +title = "ERROR:../accel/tcg/cpu-exec-common.c:56:cpu_loop_exit_atomic: assertion failed: (!cpu_in_serial_context(cpu))" +state = "closed" +created_at = "2023-12-12T16:48:33.609Z" +closed_at = "2023-12-13T15:28:35.731Z" +labels = ["Closed::Fixed", "accel: TCG", "host:32bit", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2034" +host-os = "ALTlinux" +host-arch = "i586" +qemu-version = "8.1.3" +guest-os = "ALTLinux" +guest-arch = "aarch64" +description = """``` +cat boot.log +aarch64>** +aarch64>ERROR:../accel/tcg/cpu-exec-common.c:56:cpu_loop_exit_atomic: assertion failed: (!cpu_in_serial_context(cpu)) +aarch64>Bail out! ERROR:../accel/tcg/cpu-exec-common.c:56:cpu_loop_exit_atomic: assertion failed: (!cpu_in_serial_context(cpu)) +```""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_aarch64/accel_HVF/2713.toml b/gitlab/issues/target_arm/host_aarch64/accel_HVF/2713.toml new file mode 100644 index 00000000..f8b7974d --- /dev/null +++ b/gitlab/issues/target_arm/host_aarch64/accel_HVF/2713.toml 
@@ -0,0 +1,21 @@ +id = 2713 +title = "Addressing Limitations with 64GB RAM on virt-9.2 Machine Type in QEMU 9.1.93" +state = "opened" +created_at = "2024-12-09T13:56:57.931Z" +closed_at = "n/a" +labels = ["accel: HVF", "host: aarch64", "hostos: macOS", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2713" +host-os = "macOS (M2 MacBook, arm64)" +host-arch = "ARM64" +qemu-version = "QEMU emulator version 9.1.93 (compiled by me from master)" +guest-os = "Windows 11" +guest-arch = "ARM64" +description = """When attempting to run a VM with 64GB of RAM using the `virt-9.2` machine type, QEMU encounters an error related to addressing limitations. It appears that the memory configuration exceeds the 32-bit addressing limit. + +Error output: +**qemu-system-aarch64: Addressing limited to 32 bits, but memory exceeds it by 65498251264 bytes**""" +reproduce = """1. Build QEMU from source on macOS (M2 MacBook, arm64). +2. Run the command with the `virt-9.2` machine type and 64GB of RAM.""" +additional = """- Changes in [UTM app](https://github.com/utmapp/UTM/releases) for release v4.6.2 - (macOS) Support > 32GiB RAM configurations in QEMU ([#5537](https://github.com/utmapp/UTM/issues/5537)) +- Although the site advertises release of qemu-9.2.0-rc3, the brew install doesn't install the latest version yet. +- The QEMU build environment includes dependencies installed via Homebrew: libffi, gettext, glib, pkg-config, pixman, ninja, meson, sdl2, gtk+3, gnu-tar.""" diff --git a/gitlab/issues/target_arm/host_arm/accel_HVF/2072.toml b/gitlab/issues/target_arm/host_arm/accel_HVF/2072.toml new file mode 100644 index 00000000..0aff96b7 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_HVF/2072.toml 
@@ -0,0 +1,15 @@ +id = 2072 +title = "Regression in 8.2: Synchronous Exception when running a VM on AArch64" +state = "closed" +created_at = "2024-01-04T19:57:56.783Z" +closed_at = "2024-01-05T22:21:36.990Z" +labels = ["accel: HVF", "host: arm", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2072" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_arm/accel_HVF/2312.toml b/gitlab/issues/target_arm/host_arm/accel_HVF/2312.toml new file mode 100644 index 00000000..df260c31 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_HVF/2312.toml 
@@ -0,0 +1,52 @@ +id = 2312 +title = "hvf_vcpu_exec isv assert with qemu-xhci device" +state = "closed" +created_at = "2024-04-25T19:52:40.633Z" +closed_at = "2024-09-16T16:13:34.496Z" +labels = ["accel: HVF", "host: arm", "hostos: macOS", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2312" +host-os = "macOS" +host-arch = "aarch64" +qemu-version = "9.0.0" +guest-os = "u-boot" +guest-arch = "aarch64" +description = """Using the qemu-xhci device with HVF on darwin-aarch64 causes [this assert](https://gitlab.com/qemu-project/qemu/-/blob/master/target/arm/hvf/hvf.c#L1920) to fire. + +``` +travis@gmachine vms % cat launch.sh +#!/usr/bin/env bash + +~/sources/nixpkgs/result-qemu/bin/qemu-system-aarch64 \\ + -nographic \\ + -machine virt \\ + -accel hvf \\ + -cpu host \\ + -m 16M \\ + -device qemu-xhci \\ + -bios ~/sources/nixpkgs/result-uboot-bin/u-boot.bin +travis@gmachine vms % ./launch.sh + + +U-Boot 2024.04 (Apr 02 2024 - 10:58:58 +0000) + +DRAM: 16 MiB (effective 16 EiB) +Assertion failed: (isv), function hvf_vcpu_exec, file ../target/arm/hvf/hvf.c, line 1920. +./launch.sh: line 10: 22295 Abort trap: 6 ~/sources/nixpkgs/result-qemu/bin/qemu-system-aarch64 -nographic -machine virt -accel hvf -cpu host -m 16M -device qemu-xhci -bios ~/sources/nixpkgs/result-uboot-bin/u-boot.bin +``` + +This is NixOS' build of u-boot 2024.04. This is also Nixpkgs' build of qemu-9.0.0; by default it contains some patches, but if I remove those and build with the unmodified release tarball there's no change in behavior. 
Naturally this doesn't happen with TCG and I haven't found any other (non-USB) device to cause this issue.""" +reproduce = """On a darwin-aarch64 machine with git and nix setup (8.2.2 is latest in Nixpkgs head, the same problem occurs with 9.0.0): + +``` +% git clone https://github.com/nixos/nixpkgs +% cd ./nixpkgs +% $(nix-build -A qemu)/bin/qemu-system-aarch64 -nographic -machine virt -accel hvf -cpu host -m 16M -device qemu-xhci -bios $(nix-build -E 'with import ./default.nix {system = "aarch64-linux";}; ubootQemuAarch64')/u-boot.bin + + +U-Boot 2024.04 (Apr 02 2024 - 10:58:58 +0000) + +DRAM: 16 MiB (effective 16 EiB) +Assertion failed: (isv), function hvf_vcpu_exec, file ../target/arm/hvf/hvf.c, line 1915. +zsh: abort $(nix-build -A qemu)/bin/qemu-system-aarch64 -nographic -machine virt -accel +```""" +additional = """I have not yet tried other u-boot binaries. I suppose it could be u-boots fault? Eyeballing hvf.c this seems to be an unhandled case in the MMIO callback? I'm far out of my element so that could be total nonsense.""" diff --git a/gitlab/issues/target_arm/host_arm/accel_HVF/2893.toml b/gitlab/issues/target_arm/host_arm/accel_HVF/2893.toml new file mode 100644 index 00000000..9c755f60 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_HVF/2893.toml 
@@ -0,0 +1,22 @@ +id = 2893 +title = "with m4 mac mini windows 11 arm 64 iso not booting for installation" +state = "opened" +created_at = "2025-03-30T22:19:25.938Z" +closed_at = "n/a" +labels = ["accel: HVF", "guest: Windows", "host: arm", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2893" +host-os = "macOS" +host-arch = "- QEMU flavor: qemu-aarch64" +qemu-version = "9.3.2" +guest-os = "Windows 11 Latest" +guest-arch = "ARM64" +description = """Trying to run win11 arm 64 version in m4 mac mini and the ios failed to boot + +i went to the efi shell and tried to boot from there and it just hangs no problem reported + +when i attach the serial to stdio i get the error convertprogress failed to find range errors""" +reproduce = """1. In m4 mac mini download win11 arm 64 iso from microsoft site +2. run the above mentioned command and you will see that it does not boot + +/label ~"kind::Bug"""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_arm/accel_HVF/2913.toml b/gitlab/issues/target_arm/host_arm/accel_HVF/2913.toml new file mode 100644 index 00000000..bd6e3adb --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_HVF/2913.toml @@ -0,0 +1,15 @@ +id = 2913 +title = "vmapple machine unusable with macOS 15.4" +state = "opened" +created_at = "2025-04-03T12:06:33.662Z" +closed_at = "n/a" +labels = ["accel: HVF", "host: arm", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2913" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_arm/accel_KVM/2551.toml b/gitlab/issues/target_arm/host_arm/accel_KVM/2551.toml new file mode 100644 index 00000000..08201c8c --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_KVM/2551.toml 
@@ -0,0 +1,21 @@ +id = 2551 +title = "RTC time could run slow 3s than host time when clock=vm & base=UTC" +state = "opened" +created_at = "2024-09-03T01:46:44.266Z" +closed_at = "n/a" +labels = ["accel: KVM", "host: arm", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2551" +host-os = "EulerOS" +host-arch = "ARM" +qemu-version = "QEMU emulator version 6.2.0 (qemu-6.2.0.oe2203sp1-2.12.0.5.399)" +guest-os = "EulerOS" +guest-arch = "ARM" +description = """When start qemu with `-rtc base=utc,clock=vm`, sometime guest time can slower 3s than host. There's no problem (also didn't be noticed) as we often start ntp service, who will adjust our system time. But let's talk about if we havn't enable NTP service(for example system just booted) + +After inspect into the code, i found that there are two problem we should think about: +#""" +reproduce = """1. start vm with `-rtc base=utc,clock=vm` +2. disable NTP (OS specific)`systemctl disable --now ntpd;systemctl disable --now ntpdate` +3. reboot in the guest +4. after guest started, compare guest time with host time(at the same time) `date +'%F %T.%3N'`""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_arm/accel_TCG/1616.toml b/gitlab/issues/target_arm/host_arm/accel_TCG/1616.toml new file mode 100644 index 00000000..cf831f40 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_TCG/1616.toml @@ -0,0 +1,15 @@ +id = 1616 +title = "convd on arm tcg test fails on arm64 (Apple M1)" +state = "closed" +created_at = "2023-04-24T07:14:08.323Z" +closed_at = "2023-08-14T08:26:34.155Z" +labels = ["accel: TCG", "host: arm", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1616" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_arm/accel_Xen/2173.toml b/gitlab/issues/target_arm/host_arm/accel_Xen/2173.toml new file mode 100644 index 00000000..15b54cb9 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_Xen/2173.toml @@ -0,0 +1,15 @@ +id = 2173 +title = "Disable CPU dirty region tracking on Xen + Arm64 where xen migration is not supported." +state = "opened" +created_at = "2024-02-16T19:24:53.395Z" +closed_at = "n/a" +labels = ["accel: Xen", "host: arm", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2173" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_arm/accel_missing/1167.toml b/gitlab/issues/target_arm/host_arm/accel_missing/1167.toml new file mode 100644 index 00000000..61fa7123 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_missing/1167.toml @@ -0,0 +1,15 @@ +id = 1167 +title = "Does qemu-system-aarch64 support hyper-v elightenment feature for windows for arm guest?" +state = "closed" +created_at = "2022-08-22T02:16:26.062Z" +closed_at = "2022-08-26T18:36:24.560Z" +labels = ["host: arm", "kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1167" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_arm/accel_missing/1776.toml b/gitlab/issues/target_arm/host_arm/accel_missing/1776.toml new file mode 100644 index 00000000..cba40af6 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_missing/1776.toml 
@@ -0,0 +1,15 @@ +id = 1776 +title = "qemu-armel SEGFAULTs when trying to map a commpage on armel" +state = "closed" +created_at = "2023-07-21T15:29:42.247Z" +closed_at = "2023-08-24T12:02:03.890Z" +labels = ["host: arm", "kind::Bug", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1776" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_arm/accel_missing/1857.toml b/gitlab/issues/target_arm/host_arm/accel_missing/1857.toml new file mode 100644 index 00000000..57effb59 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_missing/1857.toml @@ -0,0 +1,60 @@ +id = 1857 +title = "Major qemu-aarch64 performance slowdown since commit 59b6b42cd3" +state = "closed" +created_at = "2023-09-01T14:00:23.709Z" +closed_at = "2023-09-01T15:15:06.829Z" +labels = ["host: arm", "host: loongarch64", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1857" +host-os = "Gentoo Linux & Ubuntu & Debian" +host-arch = "loongarch64 & aarch64 & x86_64" +qemu-version = "8.0.0, 8.1.0 and master" +guest-os = "Linux user" +guest-arch = "AArch64" +description = """I have observed a major performance slowdown between qemu 8.0.0 and 8.1.0: + + +qemu 8.0.0: 0.8s + +qemu 8.1.0: 6.8s + + +After bisecting the commits between 8.0.0 and 8.1.0, the offending commit is 59b6b42cd3: + + +commit 59b6b42cd3446862567637f3a7ab31d69c9bef51 +Author: Richard Henderson <richard.henderson@linaro.org> +Date: Tue Jun 6 10:19:39 2023 +0100 + + target/arm: Enable FEAT_LSE2 for -cpu max + + Reviewed-by: Peter Maydell <peter.maydell@linaro.org> + Signed-off-by: Richard Henderson <richard.henderson@linaro.org> + Message-id: 20230530191438.411344-21-richard.henderson@linaro.org + 
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + + +Reverting the commit in latest master fixes the problem: + +qemu 8.0.0: 0.8s + +qemu 8.1.0: 6.8s + +qemu master + revert 59b6b42cd3: 0.8s + +Alternatively, specify `-cpu cortex-a35` to disable LSE2: + +`time ./qemu-aarch64 -cpu cortex-a35`: 0.8s + +`time ./qemu-aarch64`: 6.77s + +The slowdown is also observed when running qemu-aarch64 on aarch64 machine: + +`time ./qemu-aarch64 /usr/bin/node -e 1`: 2.91s + +`time ./qemu-aarch64 -cpu cortex-a35 /usr/bin/node -e 1`: 1.77s + +The slowdown on x86_64 machine is small: 362ms -> 378ms.""" +reproduce = """1. Run `time ./qemu-aarch64 node-aarch64 -e 1` (node-aarch64 is NodeJS v16 built for AArch64) +2. Using qemu master, the output says `0.8s` +3. Using qemu master with commit 59b6b42cd3 reverted, the output says `6.77s`""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_arm/accel_missing/2884.toml b/gitlab/issues/target_arm/host_arm/accel_missing/2884.toml new file mode 100644 index 00000000..9f9f7e14 --- /dev/null +++ b/gitlab/issues/target_arm/host_arm/accel_missing/2884.toml 
@@ -0,0 +1,43 @@ +id = 2884 +title = "Questions about vfio-pci" +state = "opened" +created_at = "2025-03-27T09:32:21.969Z" +closed_at = "n/a" +labels = ["VFIO", "host: arm", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2884" +host-os = "n/a" +host-arch = "ARM" +qemu-version = "qemu v6.2.0 (qemu v8.2.0 also reproduces)" +guest-os = "n/a" +guest-arch = "n/a" +description = """When I use VFIO-PCI to pass through an hns3 device and load the driver to the VM to enable the hns3 network port, there is a possibility that the failure occurs.""" +reproduce = """1. Start the VM and load the hns3 driver. +2. enable net port + + `ifconfig eth0 10.10.10.10/24 up` +3. ping host + + `ping 10.10.10.11 -c 3`""" +additional = """I have the following findings: + +1. The problem can be reproduced in different kernel versions and QEMU versions. +2. The problem does not recur when the number of vCPUs is 1. +3. It is irrelevant to the GIC version. + +the hns3 relately logic: + +{width="394" height="285"} + +If the VM has two vCPUs, "ifconfig eth0 10.10.10.10/24 up" command performs two sequential enable_irq operations(vector_num=2). The enable_irq will trap into KVM for interrupt configuration and exit to QEMU for PCI device emulation. When emulating interrupt enabling in QEMU, vfio\\_\\[intx/msi/msix\\]\\_enable calls vfio_disable_interrupts to disable all interrupts on the vdev. + +{width="455" height="266"} + +vfio_disable_interrupts in QEMU calls the kernel vfio driver interface vfio_pci_set_irqs_ioctl + +{width="404" height="127"} + +dump stack as above. and then its_irq_domain_deactivate will call its_send_discard to discard the interrupt on the device. + +If an interrupt is handled after the first enable_irq but the second enable_irq discards it, this inconsistency leads to network port enablement failures. + +It puzzles me. why does the vfio-pci disable all interrupts of the device before enabling irqs?""" 
diff --git a/gitlab/issues/target_arm/host_mips/accel_TCG/496.toml b/gitlab/issues/target_arm/host_mips/accel_TCG/496.toml new file mode 100644 index 00000000..e588d0b5 --- /dev/null +++ b/gitlab/issues/target_arm/host_mips/accel_TCG/496.toml @@ -0,0 +1,25 @@ +id = 496 +title = "qemu-system-aarch64: ../accel/tcg/cpu-exec.c:681: cpu_loop_exec_tb: Assertion 'icount_enabled()' failed" +state = "opened" +created_at = "2021-07-23T07:18:15.178Z" +closed_at = "n/a" +labels = ["accel: TCG", "host: mips", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/496" +host-os = "Debian 10" +host-arch = "mips64el" +qemu-version = "v5.2 ,v6.0" +guest-os = "Debian 10" +guest-arch = "ARM" +description = """When I use qemu-system-aarch64 start a Debian(ARM64) on a mips64el host(ARM64 and X86_64 host don't have this bug), I get a bug as follows: + + +`qemu-system-aarch64: ../accel/tcg/cpu-exec.c:681: cpu_loop_exec_tb: Assertion 'icount_enabled()' failed` + + +The crash code is in ../accel/tcg/cpu-exec.c:681, the code in qemu v5.2.0 as follows: + + +``` +#""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/1029.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/1029.toml new file mode 100644 index 00000000..8ae1abf3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/1029.toml 
@@ -0,0 +1,61 @@ +id = 1029 +title = "Unable to build qemu on macOS Monterey, M1 Pro" +state = "closed" +created_at = "2022-05-18T00:13:52.322Z" +closed_at = "2022-08-19T10:30:15.794Z" +labels = ["accel: HVF", "hostos: macOS", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1029" +host-os = "macOS Monterey" +host-arch = "Apple M1 Pro" +qemu-version = "git master" +guest-os = "n/a" +guest-arch = "n/a" +description = """qemu doesn't build, producing the following error: +``` +$ make +# snip +FAILED: libqemu-aarch64-softmmu.fa.p/target_arm_hvf_hvf.c.o +cc -Ilibqemu-aarch64-softmmu.fa.p -I. -I.. -Itarget/arm -I../target/arm -I../dtc/libfdt -I../capstone/include/capstone -Iqapi -Itrace -Iui -Iui/shader -I/opt/homebrew/Cellar/pixman/0.40.0/include/pixman-1 -I/opt/homebrew/Cellar/glib/2.72.1/include -I/opt/homebrew/Cellar/glib/2.72.1/include/glib-2.0 -I/opt/homebrew/Cellar/glib/2.72.1/lib/glib-2.0/include -I/opt/homebrew/opt/gettext/include -I/opt/homebrew/Cellar/pcre/8.45/include -fcolor-diagnostics -Wall -Winvalid-pch -std=gnu11 -O2 -g -iquote . 
-iquote /Users/duncanbayne/code/qemu -iquote /Users/duncanbayne/code/qemu/include -iquote /Users/duncanbayne/code/qemu/disas/libvixl -iquote /Users/duncanbayne/code/qemu/tcg/aarch64 -DOS_OBJECT_USE_OBJC=0 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-initializer-overrides -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-string-plus-int -Wno-typedef-redefinition -Wno-tautological-type-limit-compare -Wno-psabi -fstack-protector-strong -DNEED_CPU_H '-DCONFIG_TARGET="aarch64-softmmu-config-target.h"' '-DCONFIG_DEVICES="aarch64-softmmu-config-devices.h"' -MD -MQ libqemu-aarch64-softmmu.fa.p/target_arm_hvf_hvf.c.o -MF libqemu-aarch64-softmmu.fa.p/target_arm_hvf_hvf.c.o.d -o libqemu-aarch64-softmmu.fa.p/target_arm_hvf_hvf.c.o -c ../target/arm/hvf/hvf.c +../target/arm/hvf/hvf.c:586:15: error: unknown type name 'ARMCPRegInfo'; did you mean 'ARMCPUInfo'? 
+ const ARMCPRegInfo *ri; + ^~~~~~~~~~~~ + ARMCPUInfo +../target/arm/cpu-qom.h:38:3: note: 'ARMCPUInfo' declared here +} ARMCPUInfo; + ^ +../target/arm/hvf/hvf.c:589:14: error: implicit declaration of function 'get_arm_cp_reginfo' is invalid in C99 [-Werror,-Wimplicit-function-declaration] + ri = get_arm_cp_reginfo(arm_cpu->cp_regs, key); + ^ +../target/arm/hvf/hvf.c:589:12: warning: incompatible integer to pointer conversion assigning to 'const ARMCPUInfo *' (aka 'const struct ARMCPUInfo *') from 'int' [-Wint-conversion] + ri = get_arm_cp_reginfo(arm_cpu->cp_regs, key); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../target/arm/hvf/hvf.c:591:26: error: no member named 'type' in 'struct ARMCPUInfo' + assert(!(ri->type & ARM_CP_NO_RAW)); + ~~ ^ +/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/assert.h:99:25: note: expanded from macro 'assert' + (__builtin_expect(!(e), 0) ? __assert_rtn(__func__, __ASSERT_FILE_NAME, __LINE__, #e) : (void)0) + ^ +../target/arm/hvf/hvf.c:591:33: error: use of undeclared identifier 'ARM_CP_NO_RAW' + assert(!(ri->type & ARM_CP_NO_RAW)); + ^ +1 warning and 4 errors generated. +ninja: build stopped: subcommand failed. +make[1]: *** [run-ninja] Error 1 +make: *** [all] Error 2 +```""" +reproduce = """``` +git clone https://gitlab.com/qemu-project/qemu.git +cd qemu +./configure +make +```""" +additional = """``` +$ cc --version +Apple clang version 13.1.6 (clang-1316.0.21.2.5) +Target: arm64-apple-darwin21.4.0 +Thread model: posix +InstalledDir: /Library/Developer/CommandLineTools/usr/bin + +$ ninja --version +1.10.2.git.kitware.jobserver-1 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/1073.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/1073.toml new file mode 100644 index 00000000..5085cc2c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/1073.toml 
@@ -0,0 +1,37 @@ +id = 1073 +title = "SIGABRT with -M raspi3b,accel=hvf on macOS" +state = "closed" +created_at = "2022-06-12T00:36:27.428Z" +closed_at = "2022-06-27T22:55:20.049Z" +labels = ["Closed::Fixed", "accel: HVF", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1073" +host-os = "macOS 12.4" +host-arch = "arm64" +qemu-version = "QEMU emulator version 7.0.50 (v7.0.0-1760-g30796f5567-dirty)" +guest-os = "N/A" +guest-arch = "N/A" +description = """There is a `SIGUSR2` or `SIGUSR1` raised which causes QEMU to abort: +``` +(lldb) bt +* thread #3, stop reason = signal SIGUSR2 + * frame #0: 0x0000000184c384a4 libsystem_kernel.dylib`__sigsuspend + 8 + frame #1: 0x0000000100b7ff34 qemu-system-aarch64`qemu_coroutine_new at coroutine-sigaltstack.c:221:9 + frame #2: 0x0000000100b91f0c qemu-system-aarch64`qemu_coroutine_create(entry=(qemu-system-aarch64`monitor_qmp_dispatcher_co at qmp.c:211), opaque=0x0000000000000000) at qemu-coroutine.c:90:14 + frame #3: 0x0000000100a833d8 qemu-system-aarch64`monitor_init_globals_core at monitor.c:707:25 +``` + +I tried skipping over it with `lldb`: +``` +(lldb) b main +(lldb) r +(lldb) process handle SIGUSR1 -s false -p true +(lldb) process handle SIGUSR2 -s false -p true +(lldb) c +qemu-system-aarch64: Unknown Error +``` + +I investigated the Unknown Error and and it's actually `HV_ILLEGAL_GUEST_STATE` which is unhandled in the `assert_hvf_ok` function. From here the VM will fail.""" +reproduce = """1. Get a fake disk. Or create a fake one with: `qemu-img create -f qcow2 zero.qcow2 2G` +2. Run QEMU with the HVF accelerator: `qemu-system-aarch64 -M raspi3b,accel=hvf -drive id=card0,if=none,format=qcow2,index=0,file=./zero.qcow2 -device sd-card,drive=card0 -serial stdio +`""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/1990.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/1990.toml new file mode 100644 index 00000000..262bdb82 --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_HVF/1990.toml @@ -0,0 +1,29 @@ +id = 1990 +title = "qemu ASSERT [ArmCpuDxe] DefaultExceptionHandler.c:333 on Mac M3" +state = "opened" +created_at = "2023-11-20T22:51:55.968Z" +closed_at = "n/a" +labels = ["accel: HVF", "hostos: macOS", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1990" +host-os = "macOS Sonoma 14.1.1" +host-arch = "aarch64" +qemu-version = "8.1.2" +guest-os = "fedora-coreos-39.20231101.2.1" +guest-arch = "aarch64" +description = """I am installing Podman 4.7.2 and `podman-machine` uses `qemu-system-aarch64` to boot up an embedded coreos image to run containers. +With the new Apple M3 hardware, I am experiencing a QEMU assertion failure almost all of the time. + + + +`ASSERT [ArmCpuDxe] /home/kraxel/projects/qemu/roms/edk2/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(333): ((BOOLEAN)(0==1))` + +I have been unable to get the full crash output - I didn't figure out how to resize the console any larger, and I tried a couple different ways to hook the console up to qemu stdout without any success. (since the kernel command line parameters are not passed in, but instead the image uses a bootloader) + +I believe this is the same issue I experience, but with a better capture of the crash: +https://github.com/lima-vm/lima/issues/1996""" +reproduce = """1. Use Mac M3 (Max in my case) +2. Install Podman +3. Run `podman-machine init` +4. Run `podman-machine start --log-level=debug` +5. Crash (almost certainly)""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/2665.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/2665.toml new file mode 100644 index 00000000..f640b751 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/2665.toml 
@@ -0,0 +1,23 @@ +id = 2665 +title = "target/arm: cannot boot when CPU supports SME" +state = "closed" +created_at = "2024-11-11T05:18:05.252Z" +closed_at = "2025-03-03T12:11:47.718Z" +labels = ["accel: HVF", "hostos: macOS", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2665" +host-os = "macOS" +host-arch = "ARM64 (Apple M4)" +qemu-version = "main branch" +guest-os = "any" +guest-arch = "ARM64" +description = """On macOS 15.2 beta, Apple's Hypervisor.framework exposes the SME feat flag to QEMU. As a result, in `arm_cpu_sme_finalize`, `cpu_isar_feature(aa64_sme, cpu)` returns true and the program will always exit with the following: + +``` +qemu-aarch64-softmmu: cannot disable sme4224 +All SME vector lengths are disabled. +With SME enabled, at least one vector length must be enabled. +``` + +This is because `vq_supported` and `vq_init` are both 0 as they are not initialized anywhere. It seems that in the original commit e74c097638d38b46d9c68f11565432034afc0ad0 the only place `cpu->sme_vq.supported` is initialized is with `aarch64_max_initfn` when KVM and HVF are not used as the backend.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/2938.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/2938.toml new file mode 100644 index 00000000..c15f6093 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/2938.toml 
@@ -0,0 +1,19 @@ +id = 2938 +title = "10.0.0 HVF x86_64 regression: can't boot NetBSD 10.1 with -smp 2" +state = "opened" +created_at = "2025-04-28T18:35:47.768Z" +closed_at = "n/a" +labels = ["accel: HVF", "guest: BSD", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2938" +host-os = "macOS 15.4.1" +host-arch = "x86_64" +qemu-version = "10.0.0 (built from pkgsrc)" +guest-os = "NetBSD 10.1" +guest-arch = "amd64" +description = """Under 9.2.3, a NetBSD/amd64 10.1 guest with `-smp 2` booted and ran fine. + +Under 10.0.0, the same guest never finishes loading the kernel. It looks like it's retrying many times per second, possibly even reloading the NetBSD boot loader each time, though it's redrawing so fast I can't tell for sure. (I'll attempt to link to an asciinema capture shortly.) `-smp 1` lets the machine come up. + +For comparison, a NetBSD/aarch64 10.1 with `-smp 4` runs with `-accel hvf` under macOS/aarch64 15.4.1 just as well with 10.0.0 as it did with 9.2.3.""" +reproduce = """1. With x86 macOS host and NetBSD guest (possibly a wider range than the exact versions I'm currently using), attempt to boot NetBSD with `-smp 2`""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/743.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/743.toml new file mode 100644 index 00000000..3cea56ff --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/743.toml 
@@ -0,0 +1,21 @@ +id = 743 +title = "aarch64: Number of SMP CPUS exceeds max CPUs supported by machine (10 > 8) for M1 Pro/Max" +state = "closed" +created_at = "2021-11-23T01:25:52.101Z" +closed_at = "2024-04-18T09:08:36.323Z" +labels = ["accel: HVF", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/743" +host-os = "macOS Monterey 12.0.1" +host-arch = "ARM64" +qemu-version = "6.1.0" +guest-os = "N/A" +guest-arch = "ARM64" +description = """Trying to launch QEMU with more than 8 cores gives the following error: + +`qemu-system-aarch64: Number of SMP CPUs requested (10) exceeds max CPUs supported by machine 'mach-virt' (8)` + +Apple M1 Pro can have up to 10 cores while M1 Max only has 10 cores.""" +reproduce = """1. Install QEMU via homebrew (or MacPorts or from source) +2. Run `qemu-system-aarch64 -machine virt,highmem=off -accel hvf -cpu cortex-a72 -smp 10` +3. Get error, QEMU doesn't start""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/747.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/747.toml new file mode 100644 index 00000000..699d1a0f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/747.toml 
@@ -0,0 +1,38 @@ +id = 747 +title = "hvf-accelerated aarch64 hangs when switching to big endian mode" +state = "closed" +created_at = "2021-11-24T19:30:04.332Z" +closed_at = "2021-11-26T20:44:43.497Z" +labels = ["Closed::WontFix", "accel: HVF", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/747" +host-os = "macOS Monterey Version 12.0.1" +host-arch = "ARM" +qemu-version = "QEMU emulator version 6.1.0" +guest-os = "Gentoo Linux" +guest-arch = "ARM (64 bit big endian)" +description = """Trying to boot a big endian Linux kernel using the above command line on an M1 Mac Mini just hangs, there is not a single output. However, by replacing `hvf` with `tcg`, the kernel boots up fine. The kernel also starts if I use KVM acceleration on a Linux host system.""" +reproduce = """1. Build a Linux kernel for big endian arm64 +2. Try to boot it with -accel hvf on an M1 Mac +3. Observe a lot of nothing happening :-)""" +additional = """Sample run, TCG vs HVF +``` +mikan:/tmp% qemu-system-aarch64 -accel tcg -machine virt,highmem=off -cpu cortex-a72 -nographic -kernel /tmp/vmlinuz-5.10.76-gentoo-r1-arm64.be |& head -16 +[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd083] +[ 0.000000] Linux version 5.10.76-gentoo-r1-arm64 (root@localhost) (aarch64-unknown-linux-gnu-gcc (Gentoo 11.2.0 p1) 11.2.0, GNU ld (Gentoo 2.37_p1 p0) 2.37) #1 SMP Sun Nov 21 16:30:21 -00 2021 +[ 0.000000] Machine model: linux,dummy-virt +[ 0.000000] NUMA: No NUMA configuration found +[ 0.000000] NUMA: Faking a node at [mem 0x0000000040000000-0x0000000047ffffff] +[ 0.000000] NUMA: NODE_DATA [mem 0x47f65300-0x47f76fff] +[ 0.000000] Zone ranges: +[ 0.000000] DMA [mem 0x0000000040000000-0x0000000047ffffff] +[ 0.000000] DMA32 empty +[ 0.000000] Normal empty +[ 0.000000] Movable zone start for each node +[ 0.000000] Early memory node ranges +[ 0.000000] node 0: [mem 0x0000000040000000-0x0000000047ffffff] +[ 0.000000] Initmem setup node 0 [mem 
0x0000000040000000-0x0000000047ffffff] +[ 0.000000] psci: probing for conduit method from DT. +[ 0.000000] psci: PSCIv0.2 detected in firmware. +mikan:/tmp% qemu-system-aarch64 -accel hvf -machine virt,highmem=off -cpu cortex-a72 -nographic -kernel /tmp/vmlinuz-5.10.76-gentoo-r1-arm64.be +``` +(followed by tumbleweeds)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/797.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/797.toml new file mode 100644 index 00000000..b45e72d1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/797.toml @@ -0,0 +1,17 @@ +id = 797 +title = "ARM64 hvf fails to boot Windows 11 on 6.2.0" +state = "opened" +created_at = "2021-12-29T23:23:49.727Z" +closed_at = "n/a" +labels = ["accel: HVF", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/797" +host-os = "macOS 12.1" +host-arch = "ARM64" +qemu-version = "6.2.0" +guest-os = "Windows 11" +guest-arch = "ARM64" +description = """On QEMU v6.1.0 with patches from @agraf manually applied, Windows 11 boots fine from the VHDX. Now that the patches have been mainlined, I would expect it to work the same but it gets stuck at EFI (no Windows "spinner").""" +reproduce = """1. `brew install qemu` +2. Download Windows 11 VHDX from https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewARM64 +3. Run command from above.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/864.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/864.toml new file mode 100644 index 00000000..91907f99 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/864.toml 
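Review bot: in 797.toml the `description` and `reproduce` step 3 ("Run command from above.") both refer to a QEMU command line that appears nowhere in the file; the GitLab bug template has a separate section for the command line, and the converter evidently does not carry it over. The same dangling reference is visible in 747.toml ("using the above command line"), so this is a systematic field loss rather than a one-off: add a `command-line` key populated from that template section, or keep the raw issue body alongside the parsed fields so nothing is silently dropped. Separately, `additional = """"""` here is an empty string where other files use `"n/a"` for a blank section, which is a second sentinel consumers have to special-case.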
@@ -0,0 +1,23 @@ +id = 864 +title = "HVF virtual counter diverges from CLOCK_VIRTUAL when the host sleeps" +state = "opened" +created_at = "2022-02-10T01:36:27.240Z" +closed_at = "n/a" +labels = ["accel: HVF", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/864" +host-os = "macOS" +host-arch = "arm64" +qemu-version = "6621441db50d5bae7e34dbd04bf3c57a27a71b32" +guest-os = "Fedora 35" +guest-arch = "aarch64" +description = """HVF's virtual counter diverges from `CLOCK_VIRTUAL` when the host sleeps and causes the inconsistency between Linux's system counter and everything else. + +HVF's virtual counter apparently relies on something similar to `mach_absolute_time`, which stops when the host sleeps and resumes after it wakes up. However, `CLOCK_VIRTUAL` is implemented with `mach_continuous_time`, which continues even while the host sleeps. Linux uses the virtual counter as the source of the system counter and sees inconsistencies between the system counter and the other devices.""" +reproduce = """1. Launch Fedora. +2. Compare the time shown at the top of the guest display and one at the top of the host display. The difference should be less than 2 minutes. +3. Let the host sleep for 3 minutes. +4. Compare the times again. The difference is now greater than 2 minutes.""" +additional = """Here are solutions I've came up with so far. There are trade-offs but any of them should be better than the current situation. I'm happy to implement one if the maintainers have decided which one is the best or figure out a superior alternative. +- Implement `cpus_get_virtual_clock` of `AccelOpsClass` with `mach_absolute_time`. It would make HVF inconsistent with the other accelerators. Linux also expects the virtual clock is "continuous" and it leaves the divergence from the real time. +- Request XNU `HOST_NOTIFY_CALENDAR_CHANGE` to update the virtual clock with the continuous time. The interface is undocumented. 
+- Use `IORegisterForSystemPower` to update the virtual clock with the continuous time. It is undocumented that the interface handles every cases where `mach_absolute_time` and `mach_continuous_time`, but it actually does if I read XNU's source code correctly.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_HVF/949.toml b/gitlab/issues/target_arm/host_missing/accel_HVF/949.toml new file mode 100644 index 00000000..fb965768 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_HVF/949.toml 
@@ -0,0 +1,322 @@ +id = 949 +title = "M1 MacOS Panic with qemu version 6.2.0" +state = "closed" +created_at = "2022-03-30T10:16:33.564Z" +closed_at = "2022-04-05T09:37:27.016Z" +labels = ["accel: HVF", "hostos: macOS", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/949" +host-os = "macOS Monterrey version 12.2.1" +host-arch = "ARM" +qemu-version = "QEMU emulator version 6.2.0`" +guest-os = "Debian 11" +guest-arch = "ARM" +description = """After running the command above, the macbook freeze and reboots, here is the stacktrace: +``` +panic(cpu 2 caller 0xfffffe001748de90): vm_fault() KERN_FAILURE from guest fault on state 0xfffffe600c57c000 @sleh.c:3091 +Debugger message: panic +Memory ID: 0x1 +OS release type: User +OS version: 21D62 +Kernel version: Darwin Kernel Version 21.3.0: Wed Jan 5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T6000 +Fileset Kernelcache UUID: FA4EB485BA9DC1EBAA5D0E80232A48CC +Kernel UUID: BADF56F4-2876-3FF4-AC12-F25E78B09AA1 +iBoot version: iBoot-7429.81.3 +secure boot?: YES +Paniclog version: 13 +KernelCache slide: 0x000000000f9e8000 +KernelCache base: 0xfffffe00169ec000 +Kernel slide: 0x000000001021c000 +Kernel text base: 0xfffffe0017220000 +Kernel text exec slide: 0x0000000010304000 +Kernel text exec base: 0xfffffe0017308000 +mach_absolute_time: 0x2c74ea4beb +Epoch Time: sec usec + Boot : 0x62437319 0x0002a603 + Sleep : 0x62441e87 0x00018bb3 + Wake : 0x62442289 0x00044ebb + Calendar: 0x62442c00 0x000ccb26 + +Zone info: +Foreign : 0xfffffe001fb94000 - 0xfffffe001fba8000 +Native : 0xfffffe10001a8000 - 0xfffffe30001a8000 +Readonly : 0xfffffe14cce74000 - 0xfffffe1666808000 +Metadata : 0xfffffe62f056c000 - 0xfffffe62fc4f0000 +Bitmaps : 0xfffffe62fc4f0000 - 0xfffffe6302084000 +CORE 0 PVH locks held: None +CORE 1 PVH locks held: None +CORE 2 PVH locks held: None +CORE 3 PVH locks held: None +CORE 4 PVH locks held: None +CORE 5 PVH locks held: None +CORE 6 PVH locks held: None +CORE 7 PVH locks held: None +CORE 0: 
PC=0xfffffe001738ef4c, LR=0xfffffe001738ef4c, FP=0xfffffe60ba06bef0 +CORE 1: PC=0xfffffe001738ef4c, LR=0xfffffe001738ef4c, FP=0xfffffe60b7003ef0 +CORE 2 is the one that panicked. Check the full backtrace for details. +CORE 3: PC=0xfffffe001738ef50, LR=0xfffffe001738ef4c, FP=0xfffffe600c773ef0 +CORE 4: PC=0xfffffe001738ef50, LR=0xfffffe001738ef4c, FP=0xfffffe60a4dabef0 +CORE 5: PC=0xfffffe001738ef50, LR=0xfffffe001738ef4c, FP=0xfffffe600c683ef0 +CORE 6: PC=0xfffffe001738ef50, LR=0xfffffe001738ef4c, FP=0xfffffe60a5553ef0 +CORE 7: PC=0xfffffe001738ef4c, LR=0xfffffe001738ef4c, FP=0xfffffe60b7ae3ef0 +Panicked task 0xfffffe2997ce2d48: 24310 pages, 11 threads: pid 12708: qemu-system-aarc +Panicked thread: 0xfffffe1ffd861860, backtrace: 0xfffffe600c5c3300, tid: 97347 +\t\t lr: 0xfffffe001735a4e8 fp: 0xfffffe600c5c3370 +\t\t lr: 0xfffffe001735a1b8 fp: 0xfffffe600c5c33e0 +\t\t lr: 0xfffffe001749a2bc fp: 0xfffffe600c5c3400 +\t\t lr: 0xfffffe001748c6c8 fp: 0xfffffe600c5c3480 +\t\t lr: 0xfffffe001748a118 fp: 0xfffffe600c5c3540 +\t\t lr: 0xfffffe001730f7f8 fp: 0xfffffe600c5c3550 +\t\t lr: 0xfffffe0017359e2c fp: 0xfffffe600c5c38f0 +\t\t lr: 0xfffffe0017359e2c fp: 0xfffffe600c5c3960 +\t\t lr: 0xfffffe0017b6d738 fp: 0xfffffe600c5c3980 +\t\t lr: 0xfffffe001748de90 fp: 0xfffffe600c5c39e0 +\t\t lr: 0xfffffe001748da14 fp: 0xfffffe600c5c3a50 +\t\t lr: 0xfffffe001731a828 fp: 0xfffffe600c5c3a60 +\t\t lr: 0xfffffe00174a222c fp: 0xfffffe600c5c3e50 +\t\t lr: 0xfffffe001748a530 fp: 0xfffffe600c5c3f10 +\t\t lr: 0xfffffe001730f7f8 fp: 0xfffffe600c5c3f20 + +last started kext at 861542788: com.apple.driver.driverkit.serial\t6.0.0 (addr 0xfffffe00170fced0, size 3432) +loaded kexts: +com.apple.fileutil\t20.036.15 +com.apple.filesystems.autofs\t3.0 +com.apple.driver.AppleBiometricServices\t1 +com.apple.driver.CoreKDL\t1 +com.apple.driver.AppleTopCaseHIDEventDriver\t5020.1 +com.apple.driver.DiskImages.ReadWriteDiskImage\t493.0.0 +com.apple.driver.DiskImages.UDIFDiskImage\t493.0.0 
+com.apple.driver.DiskImages.RAMBackingStore\t493.0.0 +com.apple.driver.DiskImages.FileBackingStore\t493.0.0 +com.apple.driver.SEPHibernation\t1 +com.apple.driver.BCMWLANFirmware4387.Hashstore\t1 +com.apple.filesystems.apfs\t1933.80.3 +com.apple.driver.AppleUSBDeviceNCM\t5.0.0 +com.apple.driver.AppleThunderboltIP\t4.0.3 +com.apple.driver.AppleFileSystemDriver\t3.0.1 +com.apple.nke.l2tp\t1.9 +com.apple.filesystems.tmpfs\t1 +com.apple.filesystems.lifs\t1 +com.apple.IOTextEncryptionFamily\t1.0.0 +com.apple.filesystems.hfs.kext\t582.60.2 +com.apple.security.BootPolicy\t1 +com.apple.BootCache\t40 +com.apple.AppleFSCompression.AppleFSCompressionTypeZlib\t1.0.0 +com.apple.AppleFSCompression.AppleFSCompressionTypeDataless\t1.0.0d1 +com.apple.AppleEmbeddedSimpleSPINORFlasher\t1 +com.apple.driver.ApplePMP\t1 +com.apple.driver.AppleCS42L84Audio\t530.2 +com.apple.driver.AppleSmartIO2\t1 +com.apple.driver.AppleSN012776Amp\t530.2 +com.apple.driver.AppleT6000SOCTuner\t1 +com.apple.driver.AppleT6000CLPCv3\t1 +com.apple.driver.AppleSmartBatteryManager\t161.0.0 +com.apple.driver.AppleALSColorSensor\t1.0.0d1 +com.apple.driver.AppleAOPVoiceTrigger\t100.1 +com.apple.driver.ApplePMPFirmware\t1 +com.apple.driver.AppleSPMIPMU\t1.0.1 +com.apple.driver.AppleM68Buttons\t1.0.0d1 +com.apple.driver.AppleSDXC\t3.1.1 +com.apple.driver.AppleSamsungSerial\t1.0.0d1 +com.apple.driver.AppleSerialShim\t1 +com.apple.AGXG13X\t188.10 +com.apple.driver.AppleAVD\t555 +com.apple.driver.AppleAVE2\t530.3.0 +com.apple.driver.AppleJPEGDriver\t4.7.9 +com.apple.driver.AppleProResHW\t128.2.0 +com.apple.driver.AppleMobileDispT600X-DCP\t140.0 +com.apple.driver.usb.AppleSynopsysUSB40XHCI\t1 +com.apple.driver.AppleMCDP29XXUpdateSupport\t1 +com.apple.driver.AppleDPDisplayTCON\t1 +com.apple.driver.AppleEventLogHandler\t1 +com.apple.driver.AppleS5L8960XNCO\t1 +com.apple.driver.AppleT6000PMGR\t1 +com.apple.driver.AppleS8000AES\t1 +com.apple.driver.AppleS8000DWI\t1.0.0d1 +com.apple.driver.AppleInterruptControllerV2\t1.0.0d1 
+com.apple.driver.AppleT8110DART\t1 +com.apple.driver.AppleBluetoothModule\t1 +com.apple.driver.AppleBCMWLANBusInterfacePCIe\t1 +com.apple.driver.AppleS5L8920XPWM\t1.0.0d1 +com.apple.driver.AudioDMAController-T600x\t100.51 +com.apple.driver.AppleT6000DART\t1 +com.apple.driver.AppleSPIMC\t1 +com.apple.driver.AppleS5L8940XI2C\t1.0.0d2 +com.apple.driver.AppleT6000\t1 +com.apple.iokit.IOUserEthernet\t1.0.1 +com.apple.driver.usb.AppleUSBUserHCI\t1 +com.apple.iokit.IOKitRegistryCompatibility\t1 +com.apple.iokit.EndpointSecurity\t1 +com.apple.driver.AppleDiskImages2\t126.60.3 +com.apple.AppleSystemPolicy\t2.0.0 +com.apple.nke.applicationfirewall\t402 +com.apple.kec.InvalidateHmac\t1 +com.apple.kec.AppleEncryptedArchive\t1 +com.apple.driver.driverkit.serial\t6.0.0 +com.apple.kext.triggers\t1.0 +com.apple.iokit.IOAVBFamily\t1010.2 +com.apple.plugin.IOgPTPPlugin\t1000.11 +com.apple.iokit.IOEthernetAVBController\t1.1.0 +com.apple.driver.AppleMesaSEPDriver\t100.99 +com.apple.iokit.IOBiometricFamily\t1 +com.apple.driver.AppleHIDKeyboard\t228 +com.apple.driver.AppleActuatorDriver\t5430.21 +com.apple.driver.AppleMultitouchDriver\t5430.21 +com.apple.driver.AppleHSBluetoothDriver\t5020.1 +com.apple.driver.IOBluetoothHIDDriver\t9.0.0 +com.apple.driver.DiskImages.KernelBacked\t493.0.0 +com.apple.driver.AppleSEPHDCPManager\t1.0.1 +com.apple.driver.AppleTrustedAccessory\t1 +com.apple.iokit.AppleSEPGenericTransfer\t1 +com.apple.driver.AppleXsanScheme\t3 +com.apple.driver.usb.networking\t5.0.0 +com.apple.driver.AppleThunderboltUSBDownAdapter\t1.0.4 +com.apple.driver.AppleThunderboltPCIDownAdapter\t4.1.1 +com.apple.driver.AppleThunderboltDPInAdapter\t8.5.1 +com.apple.driver.AppleThunderboltDPAdapterFamily\t8.5.1 +com.apple.nke.ppp\t1.9 +com.apple.driver.AppleBSDKextStarter\t3 +com.apple.filesystems.hfs.encodings.kext\t1 +com.apple.driver.AppleConvergedIPCOLYBTControl\t1 +com.apple.driver.AppleConvergedPCI\t1 +com.apple.driver.AppleBluetoothDebug\t1 +com.apple.driver.AppleBTM\t1.0.1 
+com.apple.driver.AppleHIDTransportSPI\t5400.30 +com.apple.driver.AppleHIDTransport\t5400.30 +com.apple.driver.AppleInputDeviceSupport\t5400.30 +com.apple.driver.AppleDCPDPTXProxy\t1.0.0 +com.apple.driver.DCPDPFamilyProxy\t1 +com.apple.driver.AppleDiagnosticDataAccessReadOnly\t1.0.0 +com.apple.driver.AppleCSEmbeddedAudio\t530.2 +com.apple.driver.ApplePassthroughPPM\t3.0 +com.apple.driver.AppleAOPAudio\t102.2 +com.apple.driver.AppleEmbeddedAudio\t530.2 +com.apple.iokit.AppleARMIISAudio\t100.1 +com.apple.driver.AppleSPU\t1 +com.apple.AGXFirmwareKextG13XRTBuddy\t188.10 +com.apple.AGXFirmwareKextRTBuddy64\t188.10 +com.apple.driver.AppleStockholmControl\t1.0.0 +com.apple.iokit.IONVMeFamily\t2.1.0 +com.apple.driver.AppleNANDConfigAccess\t1.0.0 +com.apple.driver.AppleDialogPMU\t1.0.1 +com.apple.driver.usb.AppleUSBHostPacketFilter\t1.0 +com.apple.iokit.IOGPUFamily\t35.11 +com.apple.driver.DCPAVFamilyProxy\t1 +com.apple.iokit.IOMobileGraphicsFamily-DCP\t343.0.0 +com.apple.driver.AppleDCP\t1 +com.apple.driver.AppleFirmwareKit\t1 +com.apple.iokit.IOMobileGraphicsFamily\t343.0.0 +com.apple.driver.AppleSPMI\t1.0.1 +com.apple.driver.AppleUSBXDCIARM\t1.0 +com.apple.driver.AppleUSBXDCI\t1.0 +com.apple.iokit.IOUSBDeviceFamily\t2.0.0 +com.apple.driver.usb.AppleSynopsysUSBXHCI\t1 +com.apple.driver.usb.AppleUSBXHCI\t1.2 +com.apple.driver.AppleEmbeddedUSBHost\t1 +com.apple.driver.usb.AppleUSBHub\t1.2 +com.apple.driver.usb.AppleUSBHostCompositeDevice\t1.2 +com.apple.driver.AppleT6000TypeCPhy\t1 +com.apple.driver.AppleT8103TypeCPhy\t1 +com.apple.driver.AppleHPM\t3.4.4 +com.apple.driver.AppleSART\t1 +com.apple.driver.ApplePMGR\t1 +com.apple.driver.AppleARMWatchdogTimer\t1 +com.apple.driver.AppleDisplayCrossbar\t1.0.0 +com.apple.iokit.IODisplayPortFamily\t1.0.0 +com.apple.driver.AppleTypeCPhy\t1 +com.apple.driver.AppleThunderboltNHI\t7.2.8 +com.apple.driver.AppleT6000PCIeC\t1 +com.apple.iokit.IOThunderboltFamily\t9.3.3 +com.apple.driver.ApplePIODMA\t1 +com.apple.driver.AppleT600xPCIe\t1 
+com.apple.driver.AppleMultiFunctionManager\t1 +com.apple.driver.AppleBluetoothDebugService\t1 +com.apple.driver.AppleBCMWLANCore\t1.0.0 +com.apple.iokit.IO80211Family\t1200.12.2b1 +com.apple.driver.IOImageLoader\t1.0.0 +com.apple.driver.AppleOLYHAL\t1 +com.apple.driver.corecapture\t1.0.4 +com.apple.driver.AppleEmbeddedPCIE\t1 +com.apple.driver.AppleMCA2-T600x\t600.95 +com.apple.driver.AppleEmbeddedAudioLibs\t100.9.1 +com.apple.driver.AppleFirmwareUpdateKext\t1 +com.apple.driver.AppleH13CameraInterface\t4.87.0 +com.apple.driver.AppleH10PearlCameraInterface\t17.0.3 +com.apple.driver.AppleGPIOICController\t1.0.2 +com.apple.driver.AppleFireStormErrorHandler\t1 +com.apple.driver.AppleMobileApNonce\t1 +com.apple.iokit.IOTimeSyncFamily\t1000.11 +com.apple.driver.DiskImages\t493.0.0 +com.apple.iokit.IOGraphicsFamily\t593 +com.apple.iokit.IOBluetoothSerialManager\t9.0.0 +com.apple.iokit.IOBluetoothHostControllerUSBTransport\t9.0.0 +com.apple.iokit.IOBluetoothHostControllerUARTTransport\t9.0.0 +com.apple.iokit.IOBluetoothHostControllerTransport\t9.0.0 +com.apple.driver.IOBluetoothHostControllerPCIeTransport\t9.0.0 +com.apple.iokit.IOBluetoothFamily\t9.0.0 +com.apple.driver.FairPlayIOKit\t68.13.1 +com.apple.iokit.CSRBluetoothHostControllerUSBTransport\t9.0.0 +com.apple.iokit.BroadcomBluetoothHostControllerUSBTransport\t9.0.0 +com.apple.driver.AppleSSE\t1.0 +com.apple.driver.AppleSEPKeyStore\t2 +com.apple.driver.AppleUSBTDM\t532.40.7 +com.apple.iokit.IOUSBMassStorageDriver\t209.40.6 +com.apple.iokit.IOPCIFamily\t2.9 +com.apple.iokit.IOSCSIBlockCommandsDevice\t452.60.2 +com.apple.iokit.IOSCSIArchitectureModelFamily\t452.60.2 +com.apple.driver.AppleIPAppender\t1.0 +com.apple.driver.AppleFDEKeyStore\t28.30 +com.apple.driver.AppleEffaceableStorage\t1.0 +com.apple.driver.AppleCredentialManager\t1.0 +com.apple.driver.KernelRelayHost\t1 +com.apple.iokit.IOUSBHostFamily\t1.2 +com.apple.driver.AppleUSBHostMergeProperties\t1.2 +com.apple.driver.usb.AppleUSBCommon\t1.0 
+com.apple.driver.AppleSMC\t3.1.9 +com.apple.driver.RTBuddy\t1.0.0 +com.apple.driver.AppleEmbeddedTempSensor\t1.0.0 +com.apple.driver.AppleARMPMU\t1.0 +com.apple.iokit.IOAccessoryManager\t1.0.0 +com.apple.driver.AppleOnboardSerial\t1.0 +com.apple.iokit.IOSkywalkFamily\t1.0 +com.apple.driver.mDNSOffloadUserClient\t1.0.1b8 +com.apple.iokit.IONetworkingFamily\t3.4 +com.apple.iokit.IOSerialFamily\t11 +com.apple.driver.AppleSEPManager\t1.0.1 +com.apple.driver.AppleA7IOP\t1.0.2 +com.apple.driver.IOSlaveProcessor\t1 +com.apple.driver.AppleBiometricSensor\t2 +com.apple.iokit.IOHIDFamily\t2.0.0 +com.apple.iokit.CoreAnalyticsFamily\t1 +com.apple.driver.AppleANELoadBalancer\t5.35.2 +com.apple.driver.AppleH11ANEInterface\t5.35.0 +com.apple.AUC\t1.0 +com.apple.iokit.IOAVFamily\t1.0.0 +com.apple.iokit.IOHDCPFamily\t1.0.0 +com.apple.iokit.IOCECFamily\t1 +com.apple.iokit.IOAudio2Family\t1.0 +com.apple.driver.AppleIISController\t100.1 +com.apple.driver.AppleAudioClockLibs\t100.9.1 +com.apple.driver.AppleM2ScalerCSCDriver\t265.0.0 +com.apple.iokit.IOSurface\t302.11.1 +com.apple.driver.IODARTFamily\t1 +com.apple.security.quarantine\t4 +com.apple.security.sandbox\t300.0 +com.apple.kext.AppleMatch\t1.0.0d1 +com.apple.driver.AppleMobileFileIntegrity\t1.0.5 +com.apple.security.AppleImage4\t4.2.0 +com.apple.kext.CoreTrust\t1 +com.apple.iokit.IOCryptoAcceleratorFamily\t1.0.1 +com.apple.driver.AppleARMPlatform\t1.0.2 +com.apple.iokit.IOStorageFamily\t2.1 +com.apple.iokit.IOSlowAdaptiveClockingFamily\t1.0.0 +com.apple.iokit.IOReportFamily\t47 +com.apple.kec.pthread\t1 +com.apple.kec.Libm\t1 +com.apple.kec.corecrypto\t12.0 + + + +** Stackshot Succeeded ** Bytes Traced 456730 (Uncompressed 1205472) ** +```""" +reproduce = """1. run the qemu command above""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_KVM/1002.toml b/gitlab/issues/target_arm/host_missing/accel_KVM/1002.toml new file mode 100644 index 00000000..94484c08 --- /dev/null 
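Review bot: `qemu-version = "QEMU emulator version 6.2.0`"` in 949.toml carries a stray backtick inside the value (the reporter's Markdown code span was only half stripped), so any comparison of this field against "6.2.0" will fail; strip code-span markers when lifting template fields, and preferably reduce "QEMU emulator version X" to the bare version string as 743.toml and 797.toml already have it. Also, most of this 322-line file is the macOS loaded-kext list from the panic log, which a study of emulator bugs is unlikely to query; consider capping `description` at a size limit and relying on the `url` field for the full log.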
+++ b/gitlab/issues/target_arm/host_missing/accel_KVM/1002.toml @@ -0,0 +1,15 @@ +id = 1002 +title = "qemu-system-aarch64: Synchronous Exception with smp > 1 (on M1 running Asahi Linux with KVM)" +state = "closed" +created_at = "2022-04-24T00:23:16.940Z" +closed_at = "2022-05-03T19:38:28.213Z" +labels = ["accel: KVM", "hostos: Linux", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1002" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_KVM/1046.toml b/gitlab/issues/target_arm/host_missing/accel_KVM/1046.toml new file mode 100644 index 00000000..6bf7c34d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_KVM/1046.toml @@ -0,0 +1,20 @@ +id = 1046 +title = "Using more than 2G of RAM on armv7l guest with RPI4" +state = "closed" +created_at = "2022-05-29T18:24:31.225Z" +closed_at = "2022-08-01T17:21:36.625Z" +labels = ["Closed::Invalid", "accel: KVM", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1046" +host-os = "NixOS unstable" +host-arch = "aarch64" +qemu-version = "7.0.0" +guest-os = "NixOS unstable" +guest-arch = "armv7l" +description = """I was able to run my armv7l guest on RPI4 8G using qemu 6.2, but on 7.0 it doesn't work: +`qemu-kvm: Addressing limited to 32 bits, but memory exceeds it by 3221225472 bytes`. + +The only reference I found is this issue: https://gitlab.com/qemu-project/qemu/-/issues/903""" +reproduce = """1. `-M virt,highmem=off,gic-version=host,accel=kvm` +2. `-cpu host,aarch64=off` +3. `-m 6G`""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_KVM/412.toml b/gitlab/issues/target_arm/host_missing/accel_KVM/412.toml new file mode 100644 index 00000000..0f3c9fc1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_KVM/412.toml 
@@ -0,0 +1,15 @@ +id = 412 +title = "stable-5.0 crashes with SIGSEV while checking for kvm extension" +state = "closed" +created_at = "2021-06-14T12:12:43.542Z" +closed_at = "2021-06-16T07:54:46.031Z" +labels = ["accel: KVM", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/412" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_KVM/862.toml b/gitlab/issues/target_arm/host_missing/accel_KVM/862.toml new file mode 100644 index 00000000..b041a642 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_KVM/862.toml 
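Review bot: 412.toml has every field set to `"n/a"`, including `description`, even though a report of a crash while checking for a KVM extension certainly had a body, and 1002.toml in the preceding hunk shows the same pattern; this means the converter met an issue that does not follow the bug template and discarded the text instead of storing it. When the template headings are not found, fall back to storing the raw body in `description` (or `additional`) and log the issue id, otherwise the dataset silently under-represents the older, free-form issues and nothing in the TOML distinguishes "no information" from "parse failed".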
@@ -0,0 +1,57 @@ +id = 862 +title = "Using qemu+kvm is slower than using qemu in rv6(xv6 rust porting)" +state = "closed" +created_at = "2022-02-08T08:33:21.430Z" +closed_at = "2022-02-11T05:02:55.840Z" +labels = ["accel: KVM", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/862" +host-os = "Ubuntu 20.04" +host-arch = "ARM" +qemu-version = "6.2.0" +guest-os = "n/a" +guest-arch = "n/a" +description = """Using qemu+kvm is slower than using qemu in rv6(xv6 rust porting)""" +reproduce = """``` +git clone https://github.com/kaist-cp/rv6 +cd rv6 +make clean +TARGET=arm GIC_VERSION=3 KVM=yes make qemu +```""" +additional = """We are currently working on the [rv6 project](https://github.com/kaist-cp/rv6) which is porting MIT's educational operating system [xv6](https://github.com/mit-pdos/xv6-public) to Rust.<br> Our code is located [here](https://github.com/kaist-cp/rv6/tree/main/kernel-rs). +We use qemu and [qemu's virt platform](https://qemu.readthedocs.io/en/latest/system/arm/virt.html) to execute rv6, and it works well with using qemu. +Executing command on arm machine is this: +``` +RUST_MODE=release TARGET=arm KVM=yes GIC_VERSION=3 +qemu-system-aarch64 -machine virt -kernel kernel/kernel -m 128M -smp 80 -nographic -drive file=fs.img,if=none,format=raw,id=x0,copy-on-read=off -device virtio-blk-device,drive=x0,bus=virtio-mmio-bus.0 -cpu cortex-a53 -machine gic-version=3 -net none +``` +To make some speed boost experiment with KVM, we made rv6 support the arm architecture on arm machine. The arm architecture's driver code locates in [here](https://github.com/kaist-cp/rv6/tree/main/kernel-rs/src/arch/arm). +The problem is, when we use qemu with kvm, the performance is significantly reduced. 
+Executing command on arm machine with KVM is this: +``` +qemu-system-aarch64 -machine virt -kernel kernel/kernel -m 128M -smp 80 -nographic -drive file=fs.img,if=none,format=raw,id=x0,copy-on-read=off -device virtio-blk-device,drive=x0,bus=virtio-mmio-bus.0 -cpu host -enable-kvm -machine gic-version=3 -net none +``` +We repeated +1. Write 500 bytes syscall 10,000 times and the result was: kvm disable: 4,500,000 us, kvm enable: 29,000,000 us. (> 5 times) +2. Open/Close syscall 10,000 times result: kvm disable: 12,000,000 us, kvm enable: 29,000,000 us. (> 5 times) +3. Getppid syscall 10,000 times result: kvm disable: 735,000 us, kvm enable: 825,000 us. (almost same) +4. Simple calculation(a = a * 1664525 + 1013904223) 100 million times result: kvm disable: 2,800,000 us, kvm enable: 65,000,000 us. (> 20 times) + +And the elapsed time was estimated by [uptime_as_micro](https://github.com/kaist-cp/rv6/blob/90b84b60931327ae8635875b788b10280e47b99c/kernel-rs/src/arch/arm/timer.rs#L17) syscall in rv6. +These results were so hard to understand. <br>So first we tried to find the bottleneck on rv6's booting process, because finding bottleneck during processing user program was so difficult. +We found that the first noticeable bottleneck on rv6 booting process was [here](https://github.com/kaist-cp/rv6/blob/main/kernel-rs/src/kalloc.rs#L107-L108): +``` +run.as_mut().init(); +self.runs().push_front(run.as_ref()); +``` +As far as we know, this part is just kind of "list initialization and push element" part. So we thought that by some reason, the KVM is not actually working and it makes worse result. And also this part is even before turn on some interrupts, so we thought [arm's GIC](https://developer.arm.com/documentation/dai0492/b/) or interrupt related thing is not related with problem. + +So, how can I get better performance when using kvm with qemu? + +To solve this problem, we tried these already: +1. 
change qemu(4.2, 6.2), virt version, change [some command for qemu-kvm](https://linux.die.net/man/1/qemu-kvm) like cpu, drive cache, copy-on-read something, kernel_irqchip.., cpu core.. etc +2. find some kvm hypercall to use - but not exists on arm64 +3. Run [lmbench](http://lmbench.sourceforge.net/) by ubuntu on qemu with kvm to check KVM itself is okay. - We found KVM with ubuntu is super faster than only using qemu. +4. Check [16550a UART print code](https://github.com/kaist-cp/rv6/blob/main/kernel-rs/src/arch/arm/uart.rs) is really slow on enabling KVM which makes incorrect result on benchmark - Without bottleneck code, we found the progress time of rv6 booting were almost same with KVM enabled or not. +5. Check other people who suffer same situation like us - but [this superuser page](https://superuser.com/questions/1317948/qemu-enable-kvm-slower-than-pure-emulation-for-x86-64) not works. Our clocksource is arch_sys_counter. + +Thank you for your help.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_KVM/961.toml b/gitlab/issues/target_arm/host_missing/accel_KVM/961.toml new file mode 100644 index 00000000..8b942994 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_KVM/961.toml @@ -0,0 +1,15 @@ +id = 961 +title = "Property not found when using aarch64 `-machine=virt,secure=on` with KVM enabled" +state = "closed" +created_at = "2022-04-04T15:11:32.920Z" +closed_at = "2022-04-21T16:23:52.744Z" +labels = ["accel: KVM", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/961" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_KVM/966.toml b/gitlab/issues/target_arm/host_missing/accel_KVM/966.toml new file mode 100644 index 00000000..8c524525 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_KVM/966.toml 
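Review bot: `host-arch = "ARM"` in 862.toml (and in 747.toml, 949.toml and 966.toml) is not normalized, while the same class of machine is spelled `"ARM64"` in 743.toml, `"arm64"` in 864.toml and `"aarch64"` elsewhere; all of these files landed under `host_missing/` even though the tree already has a `host_aarch64/` directory, so the classifier that places files only recognises one spelling. Map the reporter's free text onto the same fixed vocabulary the directory layout uses (`aarch64`, `x86_64`, `i586`, ...) before writing the field, or the host-architecture split cannot be queried from the TOML at all.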
@@ -0,0 +1,66 @@ +id = 966 +title = "simple code line is so slow on rv6(rust os) than ubuntu" +state = "closed" +created_at = "2022-04-07T07:04:05.569Z" +closed_at = "2022-04-12T12:38:35.556Z" +labels = ["accel: KVM", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/966" +host-os = "Ubuntu 20.04" +host-arch = "ARM" +qemu-version = "6.2.0" +guest-os = "n/a" +guest-arch = "n/a" +description = """[Simple code line for getppid](https://github.com/kaist-cp/rv6/blob/main/kernel-rs/src/proc/procs.rs#L470) takes so long time(About 0.08 microsec, which is about 70% time of ubuntu getppid() syscall) on kernel. So we wonder if there is a problem with the qemu or kvm side settings.""" +reproduce = """``` +git clone https://github.com/kaist-cp/rv6 +cd rv6 +make clean +RUST_MODE=release TARGET=arm GIC_VERSION=3 KVM=yes make qemu +```""" +additional = """We are currently working on the [rv6 project](https://github.com/kaist-cp/rv6) which is porting MIT's educational operating system [xv6](https://github.com/mit-pdos/xv6-public) to Rust.<br> Our code is located [here](https://github.com/kaist-cp/rv6/tree/main/kernel-rs). +We use qemu and [qemu's virt platform](https://qemu.readthedocs.io/en/latest/system/arm/virt.html) to execute rv6, and it works well with using qemu. +Executing command on arm machine is this: +``` +RUST_MODE=release TARGET=arm KVM=yes GIC_VERSION=3; # compile +qemu-system-aarch64 -machine virt -kernel kernel/kernel -m 128M -smp 1 -nographic -drive file=fs.img,if=none,format=raw,id=x0 -device virtio-blk-device,drive=x0,bus=virtio-mmio-bus.0 -cpu host -enable-kvm -machine gic-version=3 +``` +Now, we are comparing the speed(exactly, elapsed wall clock time) of system call of qemu+rv6+kvm and qemu+ubuntu 18.04+kvm with [lmbench](http://lmbench.sourceforge.net/). 
+For ubuntu, qemu command is this: +``` +qemu-system-aarch64 -cpu host -enable-kvm -device rtl8139,netdev=net0 -device virtio-scsi-device -device scsi-cd,drive=cdrom -device virtio-blk-device,drive=hd0 -drive "file=${iso},id=cdrom,if=none,media=cdrom" -drive "if=none,file=${img_snapshot},id=hd0" -m 2G -machine "virt,gic-version=3,its=off" -netdev user,id=net0 -nographic -pflash "$flash0" -pflash "$flash1" -smp 1 +``` +Now, our goal is to make rv6 perform similar or faster than ubuntu for relatively simple system call like getppid(). <br> +Relatively simple system call means, for example, in the case of getppid(), the actual system call execution part is so simple. So it mainly measures the time for user space -> kernel space -> user space. <br> +And we thought that on getppid() syscall, rv6 could show similar performance or more faster than ubuntu cause it's simple system.<br> +**The most important problem** is that, although it will be described later, a [simple code line for getppid](https://github.com/kaist-cp/rv6/blob/main/kernel-rs/src/proc/procs.rs#L470) takes so long time(About 0.08 microsec, which is about 70% time of ubuntu getppid() syscall) on kernel. So we wonder if there is a problem with the qemu or kvm side settings. + +First, the measured performance result for lmbench's "lat_syscall null" which executes internally getppid() is: + - rv6, Rust opt-level: 1, smp 3(qemu), gcc optimization level: -O -> average 1.662 microsec + - ubuntu, smp 3, gcc optimization level: -O -> average 0.126 microsec +So we see that rv6 is so slower than ubuntu over 10x. + +To find the bottleneck of rv6, we use [linux perf](https://perf.wiki.kernel.org/index.php/Main_Page) and divided execution path into 4 stages. 
<br> +Stage 1: Call getppid in the user space to until just before the trap handler is called<br> +Stage 2: From after stage 1 to until just before the start of code specific to sys_getppid.<br> +Stage 3: From after stage 2 to [end of actual sys_getppid function](https://github.com/kaist-cp/rv6/blob/main/kernel-rs/src/proc/procs.rs#L468-L473)<br> +Stage 4: From after stage 3 to the point which getppid syscall returns on user space<br> +The result with perf was: + - ubuntu: 0.042 microsec/ 0.0744 microsec / 0.00985 microsec / 0 -> total 0.126 microsec + - rv6: ? / ? / 0.3687 microsec / ? -> 1.662 microsec + - we made assumption for ubuntu stage 4 time is zero. + - The question mark is, on rv6 we couldn't use perf so only stage 3 time is measured for right now, but checked stage 3 part manually. + +So from the result, it can be confirmed that the rv6's stage 3 already consumes more than 3 times of ubuntu's syscall total time, and at least 30 times more than ubuntu's stage 3. +This is so bad, so we tried several things to inspect the problem: + - Check whether rv6's timer interrupt affects execution time: The interval is 100ms which is so big, so it seems not related. + - To check user space's execution speed, we made simple quick sort program and check rv6's user space speed is significantly slower than ubuntu. + - When running 100,000 times, rv6(smp 1, opt-level 1)'s execution time: 3.2s vs ubuntu(smp 1)'s execution time: 2.7s. + - Although it is 20% slower, it is judged that there is almost no difference compared to the lmbench result. So we thought it is no big problem. + + - Next we checked rv6's stage 3's code. https://github.com/kaist-cp/rv6/blob/main/kernel-rs/src/proc/procs.rs#L468 + - The lock is held twice at line 469 and line 472, whereas ubuntu's same code part, lock is held only once. So first if we change the structure to hold lock only once, there will be improvement in speed. we noticed that. 
+ - **Also there's a big problem on 470 line.** We measured time for 470 line with CNTPCT_EL0 register, and it was found that at least 0.08 microsec was consumed in the corresponding line. + - So ubuntu's stage 3 consumes about 0.01 microsec, but only line 470 of rv6, which does not have complicated logic(it also doesn't hold lock) consumes about 8 times that ubuntu's stage 3. + - So we concluded that there may be a problem with the kvm setting on the kernel side or other settings. + +So do you have any idea for this problem? Thank you for your help.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1034.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1034.toml new file mode 100644 index 00000000..926d8236 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1034.toml 
@@ -0,0 +1,29 @@ +id = 1034 +title = "Erlang/OTP 25 JIT on AArch64 fails in user mode emulation" +state = "closed" +created_at = "2022-05-23T13:05:04.830Z" +closed_at = "2023-07-06T17:16:29.725Z" +labels = ["accel: TCG", "linux-user", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1034" +host-os = "Ubuntu 22.04" +host-arch = "x86-64" +qemu-version = "Debian 1:6.2+dfsg-2ubuntu6" +guest-os = "Alpine 3.15" +guest-arch = "ARM (AArch64)" +description = """Compiling Erlang/OTP 25 fails with segfault when using user mode (but works in system mode), the Erlang devs have tracked it down in [ErlangForums](https://erlangforums.com/t/otp-25-0-rc3-release-candidate-3-is-released/1317/24) and give this explanation: + +> Thanks, I’ve found a bug in QEMU that explains this. The gist of it is: +> +> Instead of interpreting guest code, QEMU dynamically translates it to the host architecture. When the guest overwrites code for one reason or another, the translation is invalidated and redone if needed. +> +> Our JIT:ed code is mapped in two regions to work in the face of W^X restrictions: one executable but not writable, and one writable but not executable. Both of these regions point to the same physical memory and writes to the writable region are “magically” reflected in the executable one. +> +> I would’ve expected QEMU to honor the IC IVAU / ISB instructions we use to tell the processor that we’ve altered code at a particular address, but for some reason QEMU just ignores them 3 and relies entirely on trapping writes to previously translated code. +> +> In system mode QEMU emulates the MMU and sees that these two regions point at the same memory, and has no problem invalidating the executable region after writing to the writable region. +> +> In user mode it instead calls mprotect(..., PROT_READ) on all code regions it has translated, and invalidates translations in the signal handler. 
The problem is that we never write to the executable region – just the writable one – so the code doesn’t get invalidated. + +There doesn't seem to a open or closed QEMU bug that actually describes this problem.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1054.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1054.toml new file mode 100644 index 00000000..0860f384 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1054.toml 
@@ -0,0 +1,38 @@ +id = 1054 +title = "Unable to start CirrOS 0.5.1 on QEMU 7.0 with -M virt and -cpu max" +state = "closed" +created_at = "2022-06-01T17:38:10.645Z" +closed_at = "2022-06-03T19:28:56.963Z" +labels = ["Closed::Invalid", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1054" +host-os = "Debian 11 with kernel from Debian/unstable" +host-arch = "AArch64" +qemu-version = "QEMU emulator version 7.0.0 (Debian 1:7.0+dfsg-2~bpo11+2)" +guest-os = "CirrOS 0.5.1" +guest-arch = "AArch64" +description = """""" +reproduce = """1. Fetch CirrOS image: ```wget https://github.com/cirros-dev/cirros/releases/download/0.5.1/cirros-0.5.1-aarch64-disk.img``` +2. Run QEMU: + ``` + qemu-system-aarch64 -drive file=cirros-0.5.1-aarch64-disk.img -M virt -m 2048 \\ + -bios /usr/share/qemu-efi-aarch64/QEMU_EFI.fd -cpu max -nographic + ```""" +additional = """When image boots, GRUB window appears for a second and then kernel/initramfs are loaded and booted: +``` +EFI stub: Booting Linux Kernel... +EFI stub: EFI_RNG_PROTOCOL unavailable, no randomness supplied +EFI stub: Using DTB from configuration table +EFI stub: Exiting boot services and installing virtual address map... +``` + +When everything is fine we can see kernel output: +``` +[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd070] +[ 0.000000] Linux version 5.3.0-26-generic (buildd@bos02-arm64-028) (gcc version 7.4.0 (Ubuntu/Linaro 7.4.0-1ubuntu1~18.04.1)) #28~18.04.1-Ubuntu SMP Wed Dec 18 16:41:01 UTC 2019 (Ubuntu 5.3.0-26.28~18.04.1-generic 5.3.13) +[ 0.000000] efi: Getting EFI parameters from FDT: +[ 0.000000] efi: EFI v2.70 by EDK II +``` + +But on QEMU 7.0 with ```-M virt -cpu max``` we never get kernel output. + +#""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1057.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1057.toml new file mode 100644 index 00000000..b1ca6c08 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1057.toml 
@@ -0,0 +1,33 @@ +id = 1057 +title = "AArch64: ISV is set to 1 in ESR_EL2 when taking a data abort with post-indexed instructions" +state = "closed" +created_at = "2022-06-02T20:50:04.695Z" +closed_at = "2022-07-18T16:47:38.098Z" +labels = ["accel: TCG", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1057" +host-os = "MacOS 12.4" +host-arch = "ARM64" +qemu-version = "QEMU emulator version 7.0.0" +guest-os = "Custom - BedRock Hypervisor running with the NOVA microkernel" +guest-arch = "ARMv8" +description = """I think that I have a Qemu bug in my hands, but, I could still be missing something. Consider the following instruction: +`0x0000000000000000: C3 44 00 B8 str w3, [x6], #4` + +notice the last #4, I think this is what we would call a post-indexed instruction (falls into the category of instructions with writeback). As I understand it, those instructions should not have ISV=1 in ESR_EL2 when faulting. + +Here is the relevant part of the manual: + +``` +For other faults reported in ESR_EL2, ISV is 0 except for the following stage 2 aborts: +• AArch64 loads and stores of a single general-purpose register (including the register specified with 0b11111, including those with Acquire/Release semantics, but excluding Load Exclusive or Store Exclusive and excluding those with writeback). +``` + +However, I can see that Qemu sets ISV to 1 here. The ARM hardware that I tested gave me a value of ISV=0 for similar instructions. + +Another example of instruction: `0x00000000000002f8: 01 1C 40 38 ldrb w1, [x0, #1]!`""" +reproduce = """1. Run some hypervisor in EL2 +2. Create a guest running at EL1 that executes one of the mentioned instructions (and make the instruction fault by writing to some unmapped page in SLP) +3. Observe the value of ESR_EL2 on data abort + +Unfortunately, I cannot provide an image to reproduce this (the software is not open-source). But, I would be happy to help test a patch.""" +additional = "n/a" 
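Review bot: the `host-arch` and `guest-arch` values in 1057.toml are free text that will not join with the sibling records: this hunk writes `host-arch = "ARM64"` and `guest-arch = "ARMv8"`, while 1054.toml just above uses `host-arch = "AArch64"` and `guest-arch = "AArch64"` and 1034.toml uses `guest-arch = "ARM (AArch64)"`; since the directory layout already buckets on host and accelerator, either normalize these to a fixed vocabulary at import time or note in the commit that they are verbatim GitLab template answers. The same applies to the absent-value sentinels: 1054.toml encodes a missing description as `description = """"""` while the other records use `"n/a"`, and `closed_at = "n/a"` puts a string into a field that is otherwise a timestamp, so a typed TOML loader will see a string where a datetime or an omitted key is expected. The `+#"""` that closes 1054.toml's `additional` field looks like leftover GitLab issue-template markup and could be stripped during conversion.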
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1062.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1062.toml new file mode 100644 index 00000000..e0a5a35f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1062.toml @@ -0,0 +1,26 @@ +id = 1062 +title = "AArch64: SCR_EL3.RW behaves incorrectly for CPUs with no AArch32" +state = "closed" +created_at = "2022-06-05T04:51:08.258Z" +closed_at = "2022-06-10T23:03:46.969Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1062" +host-os = "Any" +host-arch = "Any" +qemu-version = "QEMU emulator version 7.0.0 (v6.2.0-3146-g7e0e865ad5-dirty)" +guest-os = "n/a" +guest-arch = "ARM" +description = """In the ARM DDI 0487G.a, D13-3572, the SCR_EL3.RW bit is defined as RAO/WI if both EL2 and EL1 don't support Aarch32. However, the function `scr_write` in `target/arm/helper.c` does not reflect this behavior, even though it checks for Aarch32 EL1 support. + +This would break this EL3 code, which should run on cpu reset to attempt to return to EL1: +```asm +mov x1, #((1<<0)|(1<<2)|(1<<6)|(1<<7)|(1<<8)|(1<<9)) ; EL1h, DAIF masked +mov SPSR_EL3, x1 +adr x1, 1f +msr ELR_EL3, x1 +eret +1: +; something something +```""" +reproduce = "n/a" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1130.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1130.toml new file mode 100644 index 00000000..5fd73ea4 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1130.toml 
@@ -0,0 +1,37 @@ +id = 1130 +title = "error on run qemu-system-aarch64 -icount shift=1,align=off,sleep=on -smp 2" +state = "closed" +created_at = "2022-07-30T02:20:53.788Z" +closed_at = "2022-08-09T19:16:47.047Z" +labels = ["accel: TCG", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1130" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """This issue happen with the most recent version. +* Compile parameters: +``` +./configure --target-list=aarch64-softmmu --prefix=pwd/release --disable-werror --enable-lto --enable-capstone --enable-system --enable-fdt --disable-xen --disable-kvm --enable-plugins +``` +* run: +``` +qemu-system-aarch64 -nographic -machine virt -cpu cortex-a57 -icount shift=1,align=off,sleep=on -smp 2 -vnc :2 -m 4080 -kernel /home/yuzy/mywork/linux/linux-5.15.30/arch/arm64/boot/Image.gz -initrd /home/yuzy/mywork/build/rootfs.cpio.gz +``` +* error occurred: +``` +** +ERROR:../accel/tcg/tcg-accel-ops.c:79:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked()) +Aborted (core dumped) +```""" +reproduce = """1. run qemu-system-aarch64 -machine virt -cpu cortex-a57 -icount shift=1,align=off,sleep=on -smp 2 -m 4080 -kernel Image.gz -initrd rootfs.cpio.gz +2. it will assertion failed: (qemu_mutex_iothread_locked())""" +additional = """The following two situations are good: +``` +qemu-system-aarch64 -machine virt -cpu cortex-a57 -icount shift=1,align=off,sleep=on -smp 1 -m 4080 -kernel Image.gz -initrd rootfs.cpio.gz +``` +``` +qemu-system-aarch64 -machine virt -cpu cortex-a57 -smp 2 -m 4080 -kernel Image.gz -initrd rootfs.cpio.gz +``` +I assume the issues are: gic""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1153.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1153.toml new file mode 100644 index 00000000..3ea8ff5e --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1153.toml 
@@ -0,0 +1,15 @@ +id = 1153 +title = "arm: wrong syndrome reported for FP and SIMD traps to AArch32 Hyp" +state = "opened" +created_at = "2022-08-12T14:47:07.476Z" +closed_at = "n/a" +labels = ["accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1153" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1154.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1154.toml new file mode 100644 index 00000000..62d584cc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1154.toml @@ -0,0 +1,15 @@ +id = 1154 +title = "arm: M-profile loads and stores done via helpers should enforce alignment restrictions" +state = "opened" +created_at = "2022-08-12T15:27:24.255Z" +closed_at = "n/a" +labels = ["accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1154" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1177.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1177.toml new file mode 100644 index 00000000..61f48c12 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1177.toml 
@@ -0,0 +1,24 @@ +id = 1177 +title = "booting linux hangs with -cpu max or -cpu max,lpa2=off, but works with -cpu cortex-a57" +state = "closed" +created_at = "2022-08-25T16:33:57.991Z" +closed_at = "2022-08-26T19:21:18.205Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1177" +host-os = "FreeBSD" +host-arch = "x86 (host)" +qemu-version = "QEMU emulator version 7.0.94 (v7.1.0-rc4-dirty)" +guest-os = "ubuntu" +guest-arch = "aarch64" +description = """""" +reproduce = """1. Snag mini.iso from http://ports.ubuntu.com/ubuntu-ports/dists/bionic-updates/main/installer-arm64/current/images/netboot/mini.iso +2. qemu-img create ubuntu-image.img 20G +3. dd if=/dev/zero of=flash1.img bs=1M count=64 +4. dd if=/dev/zero of=flash0.img bs=1M count=64 +5. dd if=/home/imp/git/qemu/00-build/pc-bios/edk2-aarch64-code.fd of=flash0.img conv=notrunc +6. Run the above command +7. Select install, watch the kernel hang. +8. Change -cpu max to -cpu cortex-a57 and it will work. -cpu max,lpa2=off also exhibits the problem""" +additional = """Just grabbed git and built it with ./configure in /home/imp/git/qemu/00-build. + +pm215 on irc suggested that it was an old EDK2 and a newer one is needed to cope with the newer CPU features in -cpu max""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1204.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1204.toml new file mode 100644 index 00000000..18746c2f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1204.toml 
@@ -0,0 +1,39 @@ +id = 1204 +title = "AArch64 unaligned accesses are allowed by QEMU when SCTLR_EL3.A is 0, but SCTLR_EL3.M is also 0" +state = "closed" +created_at = "2022-09-11T12:12:15.036Z" +closed_at = "2024-03-05T15:25:53.778Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1204" +host-os = "n/a" +host-arch = "aarch64" +qemu-version = "master" +guest-os = "n/a" +guest-arch = "aarch64" +description = """As per the ARM ARM, when address translation is disabled and the access is not done from EL1/0 with HCR_EL2.DC set to 1, data accesses receive the 'Device-nGnRnE' memory attribute (D.8.2.10 The effects of disabling an address translation stage - DDi0487I.a, Page D8-5119). +Memory regions marked as Device do not support unaligned access.""" +reproduce = """Run the following snippet under EL3, and notice the last load instruction completes successfully (doesn't raise an alignment fault) +``` +.balign 8 +.global first_variable +first_variable: + .word 0x1 +.balign 4 +.global second_variable +second_variable: + .word 0x2 + +no_mmu_sctlr: .dword 0x0000000030C51834 + +.globl reproducer +reproducer: + ldr x1, no_mmu_sctlr // A=0,M=0 + msr sctlr_el3, x1 + dsb sy + isb + + ldr x0, =first_variable + ldr x1, [x0, #0] // Aligned - Success + ldr x1, [x0, #4] // Unaligned - Success??? (Should be failure) +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1208.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1208.toml new file mode 100644 index 00000000..f900d5ec --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1208.toml 
@@ -0,0 +1,21 @@ +id = 1208 +title = "Raspberry Pi 4 Model B" +state = "closed" +created_at = "2022-09-14T10:38:04.179Z" +closed_at = "2024-03-12T12:08:32.581Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1208" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """There have been some attempts at implementing this a few years ago: see: +* https://gitlab.com/philmd/qemu/-/tree/raspi4_wip +* https://github.com/0xMirasio/qemu-patch-raspberry4 + + + +Thanks!""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1293.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1293.toml new file mode 100644 index 00000000..3239917f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1293.toml @@ -0,0 +1,15 @@ +id = 1293 +title = "Trusted Firmware stopped booting on SBSA-ref" +state = "closed" +created_at = "2022-11-01T16:48:05.904Z" +closed_at = "2022-11-05T12:24:58.371Z" +labels = ["Closed::Fixed", "Regression", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1293" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1347.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1347.toml new file mode 100644 index 00000000..de1afb03 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1347.toml 
@@ -0,0 +1,35 @@ +id = 1347 +title = "qemu-system-arm segfaults: arm_v7m_tcg_ops.restore_state_to_opc is NULL" +state = "closed" +created_at = "2022-11-29T10:57:28.636Z" +closed_at = "2022-11-29T23:17:40.156Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1347" +host-os = "Void Linux" +host-arch = "x86" +qemu-version = "7.1.92 (commit a33c25399f9bc3dcf83064adeba2a82e61bf4608)" +guest-os = "n/a" +guest-arch = "ARM" +description = """gdb backtrace: +``` +#0 0x0000000000000000 in ?? () +#1 0x0000555555eda714 in cpu_restore_state_from_tb (cpu=0x5555570020e0, tb=0x7fffb8f6ce80, host_pc=140735277023274) at ../accel/tcg/translate-all.c:311 +#2 0x0000555555eda785 in cpu_restore_state (cpu=0x5555570020e0, host_pc=140735277023274) at ../accel/tcg/translate-all.c:335 +#3 0x0000555555d01323 in arm_cpu_do_transaction_failed (cs=0x5555570020e0, physaddr=1073885184, addr=1073885184, size=4, access_type=MMU_DATA_LOAD, mmu_idx=1, attrs=..., response=1, retaddr=140735277023274) at ../target/arm/tlb_helper.c:199 +#4 0x0000555555ee4118 in cpu_transaction_failed (cpu=0x5555570020e0, physaddr=1073885184, addr=1073885184, size=4, access_type=MMU_DATA_LOAD, mmu_idx=1, attrs=..., response=1, retaddr=140735277023274) at ../accel/tcg/cputlb.c:1344 +#5 0x0000555555ee42aa in io_readx (env=0x555557003f50, full=0x5555580f26c0, mmu_idx=1, addr=1073885184, retaddr=140735277023274, access_type=MMU_DATA_LOAD, op=MO_32) at ../accel/tcg/cputlb.c:1380 +#6 0x0000555555ee59f2 in load_helper (env=0x555557003f50, addr=1073885184, oi=33, retaddr=140735277023274, op=MO_32, code_read=false, full_load=0x555555ee5dbf <full_le_ldul_mmu>) at ../accel/tcg/cputlb.c:1970 +#7 0x0000555555ee5e12 in full_le_ldul_mmu (env=0x555557003f50, addr=1073885184, oi=33, retaddr=140735277023274) at ../accel/tcg/cputlb.c:2070 +#8 0x0000555555ee5e44 in helper_le_ldul_mmu (env=0x555557003f50, addr=1073885184, oi=33, retaddr=140735277023274) at 
../accel/tcg/cputlb.c:2077 +#9 0x00007fff7c31c0be in code_gen_buffer () +#10 0x0000555555ed15b8 in cpu_tb_exec (cpu=0x5555570020e0, itb=0x7fffb8f6ce80, tb_exit=0x7fff7a3fc068) at ../accel/tcg/cpu-exec.c:438 +#11 0x0000555555ed2185 in cpu_loop_exec_tb (cpu=0x5555570020e0, tb=0x7fffb8f6ce80, pc=2824872, last_tb=0x7fff7a3fc080, tb_exit=0x7fff7a3fc068) at ../accel/tcg/cpu-exec.c:868 +#12 0x0000555555ed2545 in cpu_exec (cpu=0x5555570020e0) at ../accel/tcg/cpu-exec.c:1032 +#13 0x0000555555ef3329 in tcg_cpus_exec (cpu=0x5555570020e0) at ../accel/tcg/tcg-accel-ops.c:69 +#14 0x0000555555ef39ca in mttcg_cpu_thread_fn (arg=0x5555570020e0) at ../accel/tcg/tcg-accel-ops-mttcg.c:95 +#15 0x00005555560b1e87 in qemu_thread_start (args=0x5555571358e0) at ../util/qemu-thread-posix.c:505 +#16 0x00007ffff7fb6cbe in start (p=0x7fff7a3fc1e0) at src/thread/pthread_create.c:195 +#17 0x00007ffff7fc3e7b in __clone () at src/thread/x86_64/clone.s:22 +```""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1400.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1400.toml new file mode 100644 index 00000000..36264913 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1400.toml @@ -0,0 +1,15 @@ +id = 1400 +title = "helper_access_check_cp_reg() raising Undefined Instruction on big-endian host" +state = "closed" +created_at = "2022-12-28T15:10:26.074Z" +closed_at = "2023-01-23T15:16:56.299Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1400" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1412.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1412.toml new file mode 100644 index 00000000..d0ecab53 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1412.toml 
@@ -0,0 +1,17 @@ +id = 1412 +title = "QEMU segfault (null pointer dereference) in sve_probe_page from ldff1* instructions" +state = "closed" +created_at = "2023-01-04T12:39:55.377Z" +closed_at = "2023-01-13T17:54:36.715Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1412" +host-os = "Fedora 36" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "n/a" +guest-arch = "AArch64" +description = """After upgrading to QEMU v7.2.0 from v7.1.0, when executing any SVE ldff1* instructions with a faulting address, QEMU crashes due to a null pointer dereference at target/arm/sve_helper.c:5364 + +I believe this was introduced in b8967ddf393aaf35fdbc07b4cb538a40f8b6fe37 (@rth7680), since in that commit `full` is dereferenced before the `flags & TLB_INVALID_MASK` check at line 5369, and full is set to null by `probe_access_full` when `TLB_INVALID_MASK` is given.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1416.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1416.toml new file mode 100644 index 00000000..dd35dd6b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1416.toml 
@@ -0,0 +1,17 @@ +id = 1416 +title = "MTE tags are applied at page granularity (4K) instead of tag granularity (16)" +state = "closed" +created_at = "2023-01-05T10:58:35.004Z" +closed_at = "2023-01-23T15:16:56.304Z" +labels = ["Closed::Fixed", "Stable::to backport", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1416" +host-os = "Fedora 36" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "n/a" +guest-arch = "AArch64" +description = """After upgrading to QEMU v7.2.0 from v7.1.0, when executing stg/ldg instructions on any address, QEMU behaves as if the instruction was executed on the page base of said address. + +I believe this was introduced in b8967ddf393aaf35fdbc07b4cb538a40f8b6fe37 (@rth7680), since in that commit `ptr_paddr` is changed to be calculated based on `CPUTLBEntryFull::phys_addr`, which contains the page base address, while beforehand it was calculated based on `host` which does have the page offset applied.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1417.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1417.toml new file mode 100644 index 00000000..828a47f1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1417.toml 
@@ -0,0 +1,17 @@ +id = 1417 +title = "QEMU fails an assertion when hitting a breakpoint that is set on a tlb-missed 2-stage translated AArch64 memory" +state = "closed" +created_at = "2023-01-05T11:06:04.428Z" +closed_at = "2023-01-23T15:16:56.306Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1417" +host-os = "Fedora 36" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "n/a" +guest-arch = "AArch64" +description = """After upgrading to QEMU v7.2.0 from v7.1.0, when hitting an instruction breakpoint on a memory address that is translated by 2 stages of translation, and is not already cached in the TLB, QEMU fails the assertion at target/arm/ptw.c:301 (`assert(fi->type != ARMFault_None);`). + +I believe this was introduced in f3639a64f602ea5c1436eb9c9b89f42028e3a4a8 (@rth7680), since in that commit the failure check for the return value of `get_phys_addr_lpae()` changed from checking for true (meaning failure) to checking for false (which actually means success).""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1498.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1498.toml new file mode 100644 index 00000000..58112da7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1498.toml 
@@ -0,0 +1,17 @@ +id = 1498 +title = "LDC, STC unimplemented in qemu-system-arm" +state = "closed" +created_at = "2023-02-21T02:37:02.668Z" +closed_at = "2023-03-06T05:44:44.457Z" +labels = ["Closed::WontFix", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1498" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "-" +guest-arch = "cortex-a7" +description = """I used differential testing to compared the instruction consistency (ARMv7) between QEMU and raspberry pi 2B in system level and some inconsistency in LDC, SDC instruction was detected. + +The instructions run successfully in raspi2b, but cause undefined in QEMU. I found that LDC and SDC instructions remain unimplemented in QEMU.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1499.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1499.toml new file mode 100644 index 00000000..1c9d1cce --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1499.toml 
@@ -0,0 +1,98 @@ +id = 1499 +title = "qemu-system-arm doesn't honour CPACR.ASEDIS, D32DIS" +state = "opened" +created_at = "2023-02-21T02:44:11.168Z" +closed_at = "n/a" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1499" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "-" +guest-arch = "cortex-a7" +description = """We used differential testing to compared the instruction consistency (ARMv7) between QEMU and raspberry pi 2B in system level and some inconsistency in SIMD instruction was detected. + +We compiled the kernel with options `-mcpu=cortex-a7 -march=armv7ve -mfloat-abi=hard -mfpu=vfpv4 `. Some SIMD instructions are considered as **undefined** instructions in raspi2b, but run successfully in the QEMU. + +We checked that the CPACR.ASEDIS=1, which disables Advanced SIMD functionality, according to ARMv7-a manual B4.1.40. The manual says "All instruction encodings identified in the Alphabetical list of instructions on page A8-300 as being Advanced SIMD instructions, but that are not VFPv3 or VFPv4 +instructions, are UNDEFINED when accessed from PL1 and PL0 modes." + +Tested instruction samples are shown as follows: + +- VMAX_int_T1A1_A 11110010010010110000011010100100 0xf24b06a4 +- VMUL_scalar_A1_A 11110010101001001100100 001000011 0xf2a4c843 +- VADD_int_T1A1_A 11110010000111111010100000001100 0xf21fa80c + +... + +Some checks of the SIMD instructions may be needed before the execution of the instructions in function ` do_3same` etc. in target/arm/translate-neon.c.""" +reproduce = """1. Compile a kernel module to run the test instruction in PL1. +2. Hook a undefined handler in kernel module to catch the undefined instructions. 
A kernel module template we used to test is as follows + +```c +#include <linux/module.h> +#include <linux/kernel.h> +#include <asm/traps.h> + +MODULE_LICENSE("GPL"); +#pragma GCC optimize ("O0") +// instr is undefined instruction value +static int undef_instr_handler(struct pt_regs *regs, u32 instr) +{ + printk(KERN_INFO "get undefined instruction\\n"); + // Just skip over to the next instruction. + regs->ARM_pc += 4; + return 0; // All fine! +} + +static struct undef_hook uh = { + .instr_mask = 0x0, // any instruction + .instr_val = 0x0, // any instruction + .cpsr_mask = 0x0, // any pstate + .cpsr_val = 0x0, // any pstate + .fn = undef_instr_handler +}; +int init_module(void) { + // Lookup wanted symbols. + register_undef_hook(&uh); + __asm__ __volatile__("push {R0-R12}"); + __asm__ __volatile__( + ".global inialize_location\\n" + "inialize_location:\\n" + "mov r0, %[reg_init] \\n" + "mov r1, %[reg_init] \\n" + "mov r2, %[reg_init] \\n" + "mov r3, %[reg_init] \\n" + "mov r4, %[reg_init] \\n" + "mov r5, %[reg_init] \\n" + "mov r6, %[reg_init] \\n" + "mov r7, %[reg_init] \\n" + "mov r8, %[reg_init] \\n" + "mov r9, %[reg_init] \\n" + "mov r10, %[reg_init] \\n" + "mov r11, %[reg_init] \\n" + "mov r12, %[reg_init] \\n" + : + : [reg_init] "n"(0) + ); + // =======TODO======= + // replace nop with test instruction + __asm__ __volatile__( + ".global inst_location\\n" + "inst_location:\\n" + "nop\\n" + ); + // kgdb_breakpoint(); + __asm__ __volatile__( + ".global finish_location\\n" + "finish_location:\\n" + ); + __asm__ __volatile__("pop {R0-R12}"); + return 0; +} + +void cleanup_module(void) { + unregister_undef_hook(&uh); +} +```""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1500.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1500.toml new file mode 100644 index 00000000..623548b5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1500.toml 
@@ -0,0 +1,46 @@ +id = 1500 +title = "Some system/debug regisiters are inconsistent with real device in qemu-system-arm" +state = "closed" +created_at = "2023-02-21T02:49:13.478Z" +closed_at = "2023-02-27T11:10:28.549Z" +labels = ["Closed::WontFix", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1500" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "-" +guest-arch = "cortex-a7" +description = """We used differential testing to compared the instruction consistency (ARMv7) between QEMU and raspberry pi 2B in system level and some inconsistency in system regisiter was detected. + +1. CCSIDR--Cache Size ID Registers + + **Inconsistency** + + - CCSIDR in QEMU: 0x701fe00a--Associativity: 2, Number of sets:256 + + - CCSIDR in Raspi2B: 0x700fe01a--Associativity: 4, Number of sets:128 + + **Tested Instruction sample** + + - MRC_T1A1_A 11101110001100000000111100010000 0xee300f10 + + According to ARMv7 Manual B4.1.19 encoding, the NumSets and Associativity are set different bewteen QEMU when emulating raspi2b and raspi2b. + + The CCSIDR is set in the function`cortex_a7_initfn(Object *obj)` in target/arm/cpu_tcg.c for cortex_a7. + +2. DBGDRAR--Debug ROM Address Register + + **Inconsistency** + + - DBGDRAR in QEMU: 0x0 --Invalid + + - DBGDRAR in Raspi2B: 0x40020003--Valid + + According to ARMv7 Manual C11.11.16 encoding, the DBGDRAR in qemu is invalid. + + **Tested Instruction sample** + + - MRC_T1A1_A 11101110000100010001111000010000 0xee111e10""" +reproduce = """1. Compile a kernel module to run the test instruction in PL1. +2. Use kgdb to get the register info""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1551.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1551.toml new file mode 100644 index 00000000..efd16910 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1551.toml 
@@ -0,0 +1,48 @@ +id = 1551 +title = "qemu-system-arm: ../accel/tcg/cpu-exec.c:917: cpu_loop_exec_tb: Assertion `icount_enabled()' failed." +state = "closed" +created_at = "2023-03-20T15:44:29.780Z" +closed_at = "2023-04-04T12:43:25.038Z" +labels = ["accel: TCG", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1551" +host-os = "Debian/Sid" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 7.2.90 (v8.0.0-rc0-31-g61b0608b68-dirty)" +guest-os = "Custom (L4Re)" +guest-arch = "ARM" +description = """When starting the guest, the mentioned assertion is triggered very soon: +``` +qemu-system-arm: ../accel/tcg/cpu-exec.c:917: cpu_loop_exec_tb: Assertion `icount_enabled()' failed. +``` +I'm able to successfully boot the same image with QEMU 7.2.0. + +The last output from the qemu logging with `-d guest_errors,in_asm,int,pcall,cpu` is +``` +---------------- +IN: +0x40209100: e92d4ff0 push {r4, r5, r6, r7, r8, sb, sl, fp, lr} +0x40209104: e28db020 add fp, sp, #0x20 +0x40209108: e24b3f49 sub r3, fp, #0x124 +0x4020910c: e24ddf43 sub sp, sp, #0x10c +0x40209110: e1a0e00f mov lr, pc +0x40209114: e3e0f0ff mvn pc, #0xff + +R00=4021000c R01=4020a5f8 R02=0000000f R03=40209100 +R04=40210018 R05=40210018 R06=4020c000 R07=40002000 +R08=00000000 R09=00000000 R10=00000000 R11=4020d7fc +R12=00000000 R13=4020d7f0 R14=4020074c R15=40209100 +PSR=2000011f --C- A sys32 +---------------- +IN: +0xffffff00: ee1d0f50 mrc p15, #0, r0, c13, c0, #2 + +R00=4021000c R01=4020a5f8 R02=0000000f R03=4020d6c8 +R04=40210018 R05=40210018 R06=4020c000 R07=40002000 +R08=00000000 R09=00000000 R10=00000000 R11=4020d7ec +R12=00000000 R13=4020d6c0 R14=40209118 R15=ffffff00 +PSR=2000011f --C- A sys32 +``` + +Please note that the L4Re OS uses `mvn pc, #0xff` to switch from EL1 to EL2 (system call).""" +reproduce = """1. 
Boot the attached image with the provided command line to trigger the assertion""" +additional = """I will attach the bootstrap image to this ticket.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1612.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1612.toml new file mode 100644 index 00000000..cb03a7d0 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1612.toml 
@@ -0,0 +1,59 @@ +id = 1612 +title = "SVE first-faulting gather loads return incorrect data" +state = "closed" +created_at = "2023-04-21T16:12:04.887Z" +closed_at = "2023-05-18T14:51:26.696Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1612" +host-os = "Ubuntu 20.04 LTS" +host-arch = "x86_64" +qemu-version = "qemu-aarch64 version 5.0.50 (v5.0.0-403-g50de9b78ce-dirty) (and latest master)" +guest-os = "n/a" +guest-arch = "n/a" +description = """The results of `ldff1(b|h|w|d)` seem to be incorrect when `<Zt> == <Zm>`. The first element is duplicated throughout the vector while the FFR indicates that all elements were successfully loaded. This happens since https://gitlab.com/qemu-project/qemu/-/commit/50de9b78cec06e6d16e92a114a505779359ca532, and still happens on the latest master.""" +reproduce = """1. This assembly sequence loads data with an `ldff1d` instruction (and also loads the ffr). Note that with `ldff1d`, `<Zt> == <Zm>`. + +asmtest.s +``` + .type asmtest, @function + .balign 16 + .global asmtest +asmtest: + setffr + ptrue p0.d + index z1.d, #0, #1 + ldff1d z1.d, p0/z, [x0, z1.d, LSL #3] + rdffr p1.b + st1d {z1.d}, p0, [x1] + str p1, [x2] + ret +``` + +This harness for convenience intialises some data and checks the element at index 1, which should be 1. + +test.c +``` +#include <arm_sve.h> +#include <stdio.h> + +void asmtest(int64_t const * data, svint64_t * loaded, svbool_t * ffr); + +int main() { + const int64_t data[] = {42, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, + 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, + 22, 23, 24, 25, 26, 27, 28, 29, 30, 31}; + svint64_t loaded; + svbool_t ffr; + + asmtest(data, &loaded, &ffr); + + // Check value of element at index 1 + svuint64_t lanes = svindex_u64(0, 1); + svbool_t lane = svcmpeq_n_u64(svptrue_b64(), lanes, 1); + printf("%ld\\n", svaddv_s64(lane, loaded)); +} +``` + +2. 
```clang-15 -fuse-ld=lld -march=armv8-a+sve2 -target aarch64-unknown-linux-gnu -static *.c *.s -o svldffgathertest``` +3. ```qemu-aarch64 svldffgathertest``` - the value printed should be 1, but it can be seen that all values in the loaded vector are 42.""" +additional = """The above code was successfully tested on real SVE hardware. Normal gathers work fine in QEMU, as does a non-gather first-fault load.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1620.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1620.toml new file mode 100644 index 00000000..5fa6e1cc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1620.toml 
@@ -0,0 +1,104 @@ +id = 1620 +title = "SME FMOPA outer product instruction gives incorrect result" +state = "closed" +created_at = "2023-04-25T11:55:44.197Z" +closed_at = "2023-07-06T17:16:29.668Z" +labels = ["Closed::Fixed", "TestCase", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1620" +host-os = "Ubuntu 20.04" +host-arch = "x86-64" +qemu-version = "7.2.91 (v8.0.0-rc1-36-g60ca584b8a) (built from commit 60ca584b8af0de525656f959991a440f8c191f12)" +guest-os = "n/a" +guest-arch = "n/a" +description = """The SME outer product instructions operate on tiles of elements. In the +below example we are performing an outer product of a vector of 1.0 +by itself. This naturally should produce a matrix filled with 1.0 +values, however if we read the values of the tile and printf them we +instead observe 0.0 values. + +Without digging into the underlying QEMU code this appears to be a bug +in how elements are set based on the tile number, since the same code +using za0.s rather than za1.s correctly reports all 1.0 values as output +as expected. + +main.c +``` +#include <stdio.h> + +void foo(float *dst); + +int main() { + float dst[16]; + foo(dst); + + // This should print: + // >>> 1.000000 1.000000 1.000000 1.000000 + // >>> 1.000000 1.000000 1.000000 1.000000 + // >>> 1.000000 1.000000 1.000000 1.000000 + // >>> 1.000000 1.000000 1.000000 1.000000 + for (int i=0; i<4; ++i) { + printf(">>> "); + for (int j=0; j<4; ++j) { + printf("%lf ", (double)dst[i * 4 + j]); + } + printf("\\n"); + } +} +``` + +foo.S +``` +.global foo +foo: + stp x29, x30, [sp, -80]! + mov x29, sp + stp d8, d9, [sp, 16] + stp d10, d11, [sp, 32] + stp d12, d13, [sp, 48] + stp d14, d15, [sp, 64] + + smstart + + ptrue p0.s, vl4 + fmov z0.s, #1.0 + + // An outer product of a vector of 1.0 by itself should be a matrix of 1.0. + // Note that we are using tile 1 here (za1.s) rather than tile 0. 
+ zero {za} + fmopa za1.s, p0/m, p0/m, z0.s, z0.s + + // Read the first 4x4 sub-matrix of elements from tile 1: + // Note that za1h should be interchangable here. + mov w12, #0 + mova z0.s, p0/m, za1v.s[w12, #0] + mova z1.s, p0/m, za1v.s[w12, #1] + mova z2.s, p0/m, za1v.s[w12, #2] + mova z3.s, p0/m, za1v.s[w12, #3] + + // And store them to the input pointer (dst in the C code): + st1w {z0.s}, p0, [x0] + add x0, x0, #16 + st1w {z1.s}, p0, [x0] + add x0, x0, #16 + st1w {z2.s}, p0, [x0] + add x0, x0, #16 + st1w {z3.s}, p0, [x0] + + smstop + + ldp d8, d9, [sp, 16] + ldp d10, d11, [sp, 32] + ldp d12, d13, [sp, 48] + ldp d14, d15, [sp, 64] + ldp x29, x30, [sp], 80 + ret +```""" +reproduce = """``` +$ clang -target aarch64-linux-gnu -march=armv9-a+sme test.c -O1 -static +$ ~/qemu/build/qemu-aarch64 ./a.out +>>> 0.000000 0.000000 0.000000 0.000000 +>>> 0.000000 0.000000 0.000000 0.000000 +>>> 0.000000 0.000000 0.000000 0.000000 +>>> 0.000000 0.000000 0.000000 0.000000 +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1658.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1658.toml new file mode 100644 index 00000000..87d11c56 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1658.toml 
@@ -0,0 +1,68 @@ +id = 1658 +title = "Zephyr TF-M IPC example triggers failed assertion !arm_feature(env, ARM_FEATURE_M) on recent Qemu" +state = "closed" +created_at = "2023-05-17T14:53:39.304Z" +closed_at = "2023-05-30T16:47:32.321Z" +labels = ["accel: TCG", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1658" +host-os = "**Debian Sid** (bookworm)" +host-arch = "**x86_64**" +qemu-version = "**v8.0.0-918-g6972ef1440**" +guest-os = "**TF-M / Zephyr**" +guest-arch = "**ARM Cortex-M33, Armv8-M with TrustZone**" +description = """I can't run the TrustedFirmware-M IPC example in the Zephyr repo with recent Qemu (in particular v8.0.0). + +By bisecting, I got the last commit OK : v7.2.0-351-gfaa1451e7b + +``` +$ qemu-system-arm -M mps2-an521 -device loader,file=tfm_merged.hex -serial stdio +[INF] Beginning TF-M provisioning +[WRN] TFM_DUMMY_PROVISIONING is not suitable for production! This device is NOT SECURE +[Sec Thread] Secure image initializing! +Booting TF-M 8209cb2ed +Creating an empty ITS flash layout. +Creating an empty PS flash layout. +[INF][Crypto] Provisioning entropy seed... complete. +*** Booting Zephyr OS build zephyr-v3.3.0-4041-g7ba5ecf451ef *** +TF-M IPC on mps2_an521_ns +The version of the PSA Framework API is 257. +The PSA Crypto service minor version is 1. 
+Generating 256 bytes of random data: +71 03 DD 50 8E E5 00 C7 E0 61 7B EB 77 15 E9 38 +E9 A8 7D 0C 51 23 76 9F C3 61 E9 8B 8A 67 BD 14 +73 A3 2C 6E E5 8C E3 19 53 6B 50 55 A8 A7 F4 7B +56 03 60 AA 48 B6 DF 04 33 56 BE 84 43 FA 4E AC +D7 6E 2E 2E 1D 7E 46 69 D5 9B B0 42 5C 54 E4 09 +73 9E 4F 55 F8 3E 05 9E A3 DE 46 D3 E4 02 B0 9C +F3 21 9F 20 85 74 34 07 19 79 07 B8 02 B5 0E 90 +74 21 BE B5 09 4C D7 20 D8 43 F7 72 23 1C F0 3E +77 7B D3 70 29 72 69 D3 7F 1F 61 16 12 73 D5 89 +C5 8B D1 A3 7B 4B FD F5 11 C2 B1 9A C0 A5 F9 7B +16 3D 98 17 66 FE E9 F4 FE 37 76 62 E0 E6 83 99 +69 26 41 CD FF 0C 44 AC F9 F4 91 B8 CA 63 5E 1D +B9 C4 38 D6 0C 11 19 1B 94 BE C9 4F EC 2E 5A 05 +3F 72 5F 41 44 3C 91 39 AC 2D 50 75 DF FD D3 11 +39 F2 43 18 D7 69 B0 A3 99 0C C0 6E 83 84 1A A8 +B0 37 6C 8E 32 B2 8E 4F AA 12 97 09 09 87 D3 FD +qemu-system-arm: terminating on signal 2 +``` + +But after 452c67a427, for example v8.0.0-918-g6972ef1440, I get : + +``` +$ qemu-system-arm -M mps2-an521 -device loader,file=tfm_merged.hex -serial stdio +[INF] Beginning TF-M provisioning +[WRN] TFM_DUMMY_PROVISIONING is not suitable for production! This device is NOT SECURE +[Sec Thread] Secure image initializing! +Booting TF-M 8209cb2ed +Creating an empty ITS flash layout. +Creating an empty PS flash layout. +[INF][Crypto] Provisioning entropy seed... complete. +*** Booting Zephyr OS build zephyr-v3.3.0-4041-g7ba5ecf451ef *** +TF-M IPC on mps2_an521_ns +qemu-system-arm: ../target/arm/cpu.h:2396: arm_is_secure_below_el3: Assertion `!arm_feature(env, ARM_FEATURE_M)' failed. +Aborted +```""" +reproduce = """1. Build the Zephyr tfm_merged.hex file from Zephyr 7ba5ecf451 https://github.com/zephyrproject-rtos/zephyr/commit/7ba5ecf451ef29f96b30dbe5f0e54c1865839093 : ``west -v build -p -b mps2_an521_ns ./samples/tfm_integration/tfm_ipc`` +2. 
Build qemu-system-arm and run : ``qemu-system-arm -M mps2-an521 -device loader,file=tfm_merged.hex -serial stdio``""" +additional = """More info to build Zephyr TF-M IPC example on the official repo https://github.com/zephyrproject-rtos/zephyr/tree/main/samples/tfm_integration/tfm_ipc""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1697.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1697.toml new file mode 100644 index 00000000..3e991d41 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1697.toml @@ -0,0 +1,27 @@ +id = 1697 +title = "qemu-arm -cpu cortex-m55 dummy_test qemu-arm: ../accel/tcg/user-exec.c:492: page_set_flags: Assertion `last <= GUEST_ADDR_MAX' failed." +state = "closed" +created_at = "2023-06-09T04:41:31.378Z" +closed_at = "2023-08-13T23:44:18.514Z" +labels = ["Closed::Fixed", "accel: TCG", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1697" +host-os = "ubuntu" +host-arch = "Arm" +qemu-version = "qemu-arm version 8.0.50 (v8.0.0-1739-g5f9dd6a8ce)" +guest-os = "n/a" +guest-arch = "n/a" +description = """Basic testing failed for cortex m55""" +reproduce = """1.Pulled the newest qemu 8.0.50 + +2.Create a Dummy test with only return 0 in main function + +3.run ` arm-none-eabi-gcc -o dummy_test -O2 -g -mcpu=cortex-m55 dummy_test.cc --specs=rdimon.specs` and then `qemu-arm -cpu cortex-m55 dummy_test` + +`arm-none-eabi-gcc (Arm GNU Toolchain 12.2.MPACBTI-Rel1 (Build arm-12-mpacbti.34)) 12.2.1 20230214 +Copyright (C) 2022 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.` + +`qemu-arm version 8.0.50 (v8.0.0-1739-g5f9dd6a8ce) +Copyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers`""" +additional = """It is a known problem in another issues: https://gitlab.com/qemu-project/qemu/-/issues/1528#note_1389268261.""" 
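Review bot: in 1500.toml the missing-value marker is inconsistent with the rest of the dump: `additional = """"""` is an empty string here (and again in 1737.toml), while 1551.toml, 1612.toml and 1697.toml use `"n/a"` for absent sections. Pick one sentinel (or omit the key entirely) so consumers do not have to test for both `""` and `"n/a"`. In the same file `guest-arch = "cortex-a7"` is a CPU model rather than an ISA name like the `"aarch64"` / `"ARM"` used by the other entries; if the field is meant to be queryable, normalise it (or add a separate `guest-cpu` key) instead of passing the template answer through verbatim.

Review bot: 1551.toml is `state = "closed"` but its `labels` carry no `Closed::*` resolution label, unlike 1500.toml (`Closed::WontFix`) and 1612.toml (`Closed::Fixed`); the same holds for 1658.toml, 1740.toml and 1742.toml later in this patch. Anything that derives fixed-versus-won't-fix from the label array will silently drop these issues. An explicit `resolution` key, with an `"unknown"` value when GitLab carries no such label, would make the outcome part of the schema rather than an accident of labelling.

Review bot: the directory scheme has no axis for user-mode versus system-mode emulation: 1697.toml carries the `linux-user` label yet sits under `host_missing/accel_TCG/` next to the qemu-system reports, and 1612.toml (`qemu-aarch64`, `guest-os = "n/a"`, `guest-arch = "n/a"`) is user-mode as well but has no such label at all. A `mode` key (`linux-user` / `system`) derived from the binary named in the report (`qemu-aarch64` versus `qemu-system-arm`) would keep the two populations separable when the label is absent.

Review bot: the scalar template fields in 1658.toml keep the reporter's markdown emphasis verbatim: `host-os = "**Debian Sid** (bookworm)"`, `host-arch = "**x86_64**"`, `guest-os = "**TF-M / Zephyr**"`. Exact-match queries on `host-arch` will miss this entry. Strip inline markdown (`**`, backticks) from the single-line template answers at export time, or document that these fields are raw markdown that consumers must normalise.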
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1704.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1704.toml new file mode 100644 index 00000000..57092f2d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1704.toml 
@@ -0,0 +1,77 @@ +id = 1704 +title = "Booting arm64 Linux in TCG mode fails with \"ERROR:../tcg/tcg.c:4317:temp_load: code should not be reached\"" +state = "closed" +created_at = "2023-06-12T08:52:30.460Z" +closed_at = "2023-06-25T08:25:34.478Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1704" +host-os = "Debian 11.6 (X86_64)" +host-arch = "X86_64" +qemu-version = "HEAD (commit 5f9dd6a8ce3961db4ce47411ed2097ad88bdf5fc)" +guest-os = "Linux 6.3 + buildroot aarch64 filesystem" +guest-arch = "arm64" +description = """Linux seems to boot successfully, but around loading/executing userspace, QEMU crashes with an error: + +``` +[ 4.047919] EXT4-fs (vda): mounted filesystem 59b147ee-5613-43a2-aab4-eaceb6e95be5 with ordered data mode. Quota mode: none. +[ 4.049630] VFS: Mounted root (ext4 filesystem) on device 254:0. +[ 4.055437] devtmpfs: mounted +[ 4.160039] Freeing unused kernel memory: 8256K +[ 4.161855] Run /sbin/init as init process +[ 4.547387] EXT4-fs (vda): re-mounted 59b147ee-5613-43a2-aab4-eaceb6e95be5. Quota mode: none. +** +ERROR:../tcg/tcg.c:4317:temp_load: code should not be reached +Bail out! ERROR:../tcg/tcg.c:4317:temp_load: code should not be reached +zsh: abort /home/mark/.opt/apps/qemu-v8.0.0-1645-ge6dd5e782b/bin/qemu-system-aarch64 -sm +```""" +reproduce = """1. Run the provided qemu commandline +2. 
Wait for QEMU to crash""" +additional = """I attempted a bisect, which suggests that the first bad commit is: + +``` +[e6dd5e782becfe6d51f3575c086f5bd7162421d0] target/arm: Use tcg_gen_qemu_{ld, st}_i128 in gen_sve_{ld, st}r +``` + +The full bisect log is: + +``` +[mark@lakrids:~/src/qemu]% git bisect log +git bisect start +# good: [f7f686b61cf7ee142c9264d2e04ac2c6a96d37f8] Update version for 8.0.2 release +git bisect good f7f686b61cf7ee142c9264d2e04ac2c6a96d37f8 +# bad: [5f9dd6a8ce3961db4ce47411ed2097ad88bdf5fc] Merge tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu into staging +git bisect bad 5f9dd6a8ce3961db4ce47411ed2097ad88bdf5fc +# good: [c1eb2ddf0f8075faddc5f7c3d39feae3e8e9d6b4] Update version for v8.0.0 release +git bisect good c1eb2ddf0f8075faddc5f7c3d39feae3e8e9d6b4 +# good: [1a42d9d472b61e4db2fb16800495d402cb9b94af] tcg/sparc64: Split out tcg_out_movi_s32 +git bisect good 1a42d9d472b61e4db2fb16800495d402cb9b94af +# good: [a30498fcea5a8b9c544324ccfb0186090104b229] tcg/riscv: Support CTZ, CLZ from Zbb +git bisect good a30498fcea5a8b9c544324ccfb0186090104b229 +# good: [759573d05b808344f7047f893d2dd095884dfa4d] test-cutils: Add coverage of qemu_strtod +git bisect good 759573d05b808344f7047f893d2dd095884dfa4d +# good: [dc2a070d125772fe30384596d4d4ce6d9950b004] hw/arm/allwinner-r40: add Clock Control Unit +git bisect good dc2a070d125772fe30384596d4d4ce6d9950b004 +# good: [c0dde5fc5ccce56b69095bc29af72987efd65d1e] accel/tcg: Fix undefined shift in store_whole_le16 +git bisect good c0dde5fc5ccce56b69095bc29af72987efd65d1e +# bad: [e58e55dd8d5777f8a58ce30cfe04a8023282eb80] meson: fix "static build" entry in summary +git bisect bad e58e55dd8d5777f8a58ce30cfe04a8023282eb80 +# bad: [5c13983e23de4095e2dfa8bc52333ef40ebe40db] target/arm: Sink gen_mte_check1 into load/store_exclusive +git bisect bad 5c13983e23de4095e2dfa8bc52333ef40ebe40db +# good: [6c4f229a2e0d6f882bae389ce0c5bdaea712ce0f] tests: avocado: boot_linux_console: Add test case for bpim2u 
+git bisect good 6c4f229a2e0d6f882bae389ce0c5bdaea712ce0f +# good: [e452ca5af88fc49b3026c2de0f1e65fd18d1a656] target/arm: Introduce finalize_memop_{atom,pair} +git bisect good e452ca5af88fc49b3026c2de0f1e65fd18d1a656 +# good: [d450bd0157be43d273116c3e3617883c8a0ac3d1] target/arm: Use tcg_gen_qemu_{st, ld}_i128 for do_fp_{st, ld} +git bisect good d450bd0157be43d273116c3e3617883c8a0ac3d1 +# bad: [e6dd5e782becfe6d51f3575c086f5bd7162421d0] target/arm: Use tcg_gen_qemu_{ld, st}_i128 in gen_sve_{ld, st}r +git bisect bad e6dd5e782becfe6d51f3575c086f5bd7162421d0 +# good: [e6073d88cc1fb43b00be16f79d9d6b0f9d2276f5] target/arm: Use tcg_gen_qemu_st_i128 for STZG, STZ2G +git bisect good e6073d88cc1fb43b00be16f79d9d6b0f9d2276f5 +# first bad commit: [e6dd5e782becfe6d51f3575c086f5bd7162421d0] target/arm: Use tcg_gen_qemu_{ld, st}_i128 in gen_sve_{ld, st}r +``` + +Each build step was performed with: + +``` + git clean -fdx && ./configure --prefix=/home/mark/.opt/apps/qemu-$(git describe --long HEAD) --enable-debug-info --disable-strip && make -j64 && make install +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1737.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1737.toml new file mode 100644 index 00000000..ac14bbf6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1737.toml 
@@ -0,0 +1,57 @@ +id = 1737 +title = "qemu-aarch64: Incorrect result for ssra instruction when using vector lengths of 1024-bit or higher." +state = "closed" +created_at = "2023-06-27T16:37:30.575Z" +closed_at = "2023-08-24T15:27:44.731Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1737" +host-os = "Fedora 38" +host-arch = "ARM" +qemu-version = "qemu-aarch64 version 7.2.1 (qemu-7.2.1-2.fc38) & qemu-aarch64 version 8.0.2" +guest-os = "- OS/kernel version:" +guest-arch = "## Description of problem" +description = """``` +#include <arm_sve.h> +#include <stdio.h> + +#define SZ 32 + +int main(int argc, char* argv[]) { + svbool_t pg = svptrue_b64(); + uint64_t VL = svcntd(); + + fprintf(stderr, "One SVE vector can hold %li uint64_ts\\n", VL); + + int64_t sr[SZ], sx[SZ], sy[SZ]; + uint64_t ur[SZ], ux[SZ], uy[SZ]; + + for (uint64_t i = 0; i < SZ; ++i) { + sx[i] = ux[i] = 0; + sy[i] = uy[i] = 1024; + } + + for (uint64_t i = 0; i < SZ; i+=VL) { + fprintf(stderr, "Processing elements %li - %li\\n", i, i + VL - 1); + + svint64_t SX = svld1(pg, sx + i); + svint64_t SY = svld1(pg, sy + i); + svint64_t SR = svsra(SX, SY, 4); + svst1(pg, sr + i, SR); + + svuint64_t UX = svld1(pg, ux + i); + svuint64_t UY = svld1(pg, uy + i); + svuint64_t UR = svsra(UX, UY, 4); + svst1(pg, ur + i, UR); + } + + for (uint64_t i = 0; i < SZ; ++i) { + fprintf(stderr, "sr[%li]=%li, ur[%li]\\n", i, sr[i], ur[i]); + } + + return 0; +} +```""" +reproduce = """1. Build the above C source using "gcc -march=armv9-a -O1 ssra.c", can also use clang. +2. Run with "qemu-aarch64 -cpu max,sve-default-vector-length=64 ./a.out" and you'll see the expected result of 64 (signed and unsigned) +3. Run with "qemu-aarch64 -cpu max,sve-default-vector-length=128 ./a.out" and you'll see the expected result of 64 for unsigned but the signed result is 0. 
This suggests the emulation of SVE2 ssra instruction is incorrect for this and bigger vector lengths.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1740.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1740.toml new file mode 100644 index 00000000..d35d9f9d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1740.toml 
@@ -0,0 +1,81 @@ +id = 1740 +title = "QEMU Abort in Cortex-M Exception raising" +state = "closed" +created_at = "2023-06-28T15:41:21.796Z" +closed_at = "2023-06-29T12:32:34.484Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1740" +host-os = "Arch Linux" +host-arch = "x86_64" +qemu-version = "8.0.2" +guest-os = "-" +guest-arch = "ARM" +description = """When an exception should be raised in a ARM Cortex-M board QEMU aborts. + +``` +$ qemu-system-arm --version +QEMU emulator version 8.0.2 + +$ qemu-system-arm -M stm32vldiscovery -device loader,file=/tmp/raw-hardfault.hex -d in_asm,exec,int +[...] +Trace 0: 0x7f2aa8000680 [00800400/00000110/00000110/ff200000] +---------------- +IN: +0x00000140: f64b 6eef movw lr, #0xbeef +0x00000144: f6cd 6ead movt lr, #0xdead +0x00000148: 4770 bx lr + +Linking TBs 0x7f2aa8000680 index 0 -> 0x7f2aa80007c0 +Trace 0: 0x7f2aa80007c0 [00800400/00000140/00000110/ff200000] +qemu-system-arm: ../qemu-8.0.2/target/arm/cpu.h:2396: arm_is_secure_below_el3: Assertion `!arm_feature(env, ARM_FEATURE_M)' failed. +``` + +Expected behavior: +``` +$ qemu-system-arm --version +QEMU emulator version 7.1.0 + +$ qemu-system-arm -M stm32vldiscovery -device loader,file=raw-hardfault.hex -d in_asm,exec,int +[...] +Trace 0: 0x7fb488000680 [00800400/00000110/00000110/ff000000] +---------------- +IN: +0x00000140: f64b 6eef movw lr, #0xbeef +0x00000144: f6cd 6ead movt lr, #0xdead +0x00000148: 4770 bx lr + +Linking TBs 0x7fb488000680 [00000110] index 0 -> 0x7fb488000780 [00000140] +Trace 0: 0x7fb488000780 [00800400/00000140/00000110/ff000000] +Taking exception 3 [Prefetch Abort] on CPU 0 +...at fault address 0xdeadbeee +...with CFSR.IACCVIOL +...BusFault with BFSR.STKERR +...taking pending nonsecure exception 3 +...loading from element 3 of non-secure vector table at 0xc +...loaded new PC 0x0 +```""" +reproduce = """1. Run any Cortex-M firmware that raises an exception. 
(minimal example attached)""" +additional = """- Minimal Reproducer: +[raw-hardfault.hex](/uploads/113889116675b608e05748280d1db354/raw-hardfault.hex) +- Assert introduced in fcc7404eff24b4c8b322fb27ca5ae7f3113129c3. +- Stacktrace: +``` +#4 0x00007ffff6a483d6 in __assert_fail () from /usr/lib/libc.so.6 +#5 0x00007ffff73afe67 in arm_is_secure_below_el3 (env=0x55555712f9b0) at target/arm/cpu.h:2396 +#6 0x00007ffff73afedd in arm_is_el2_enabled (env=0x55555712f9b0) at target/arm/cpu.h:2448 +#7 0x00007ffff73afcd4 in arm_el_is_aa64 (env=0x55555712f9b0, el=0x1) at target/arm/cpu.h:2509 +#8 0x00007ffff73af68f in compute_fsr_fsc (env=0x55555712f9b0, fi=0x7fffffff7098, target_el=0x1, mmu_idx=0x1, ret_fsc=0x7fffffff6fe0) + at target/arm/tcg/tlb_helper.c:71 +#9 0x00007ffff73af483 in arm_deliver_fault (cpu=0x55555712d250, addr=0xdeadbeee, access_type=MMU_INST_FETCH, mmu_idx=0x1, fi=0x7fffffff7098) + at target/arm/tcg/tlb_helper.c:114 +#10 0x00007ffff73afa4c in arm_cpu_tlb_fill (cs=0x55555712d250, address=0xdeadbeee, size=0x1, access_type=MMU_INST_FETCH, mmu_idx=0x1, probe=0x0, retaddr=0x0) + at target/arm/tcg/tlb_helper.c:242 +#11 0x00007ffff74a3a1e in probe_access_internal (env=0x55555712f9b0, addr=0xdeadbeee, fault_size=0x1, access_type=MMU_INST_FETCH, mmu_idx=0x1, nonfault=0x0, phost=0x7fffffff71c8, + pfull=0x7fffffff71d0, retaddr=0x0) at accel/tcg/cputlb.c:1555 +#12 0x00007ffff74a4085 in get_page_addr_code_hostp (env=0x55555712f9b0, addr=0xdeadbeee, hostp=0x0) at accel/tcg/cputlb.c:1694 +#13 0x00007ffff7490c0f in get_page_addr_code (env=0x55555712f9b0, addr=0xdeadbeee) at include/exec/exec-all.h:748 +#14 0x00007ffff7490b2a in tb_htable_lookup (cpu=0x55555712d250, pc=0xdeadbeee, cs_base=0x800408, flags=0x110, cflags=0xff200200) at accel/tcg/cpu-exec.c:233 +#15 0x00007ffff748f719 in tb_lookup (cpu=0x55555712d250, pc=0xdeadbeee, cs_base=0x800408, flags=0x110, cflags=0xff200200) at accel/tcg/cpu-exec.c:270 +#16 0x00007ffff748f463 in helper_lookup_tb_ptr (env=0x55555712f9b0) at 
accel/tcg/cpu-exec.c:425 +#17 0x00007fff6800091c in code_gen_buffer () +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1742.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1742.toml new file mode 100644 index 00000000..b1536363 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1742.toml 
@@ -0,0 +1,103 @@ +id = 1742 +title = "Arm64 kernel run with qemu-system-aarch64 crashes handling program using SVE and Streaming SVE modes" +state = "closed" +created_at = "2023-06-29T12:50:23.395Z" +closed_at = "2023-07-17T11:24:23.241Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1742" +host-os = "Ubuntu 20.04.6 LTS" +host-arch = "x86" +qemu-version = "QEMU emulator version 8.0.50 (v8.0.0-762-gb111569da9) (git: b111569da9f82fdf05df03184836a4564adef599)" +guest-os = "Ubuntu 20.04 LTS" +guest-arch = "AArch64" +description = """The userspace program shown, which switches between SVE/SME states, crashes the kernel on task switch when running under qemu-system-aarch64. This does not reproduce on an Arm Fast Model, but I can't be sure that that is not a timing difference. + +The kernel appears to have no space allocated to save SVE state for this process, but also believes that it should save the state, where it then faults.""" +reproduce = """1. Compile the following program: +``` +#include <sys/prctl.h> + +int main() { + asm volatile("msr s0_3_c4_c7_3, xzr" /*smstart*/); + prctl(PR_SVE_SET_VL, 8 * 4); + asm volatile("msr s0_3_c4_c7_3, xzr" /*smstart*/); + while (1) {} // Wait to be preempted? + return 0; +} +``` +With: +``` +$ aarch64-unknown-linux-gnu-gcc main.c -o main.o -g -O3 -march=armv8.6-a+sve +``` +Compiler version does not matter I don't think, but in case: +``` +$ aarch64-unknown-linux-gnu-gcc --version +aarch64-unknown-linux-gnu-gcc (crosstool-NG 1.25.0.85_61c4cca) 10.4.0 +``` +It is a 10.4.0 built with CrossToolNG. + +2. Boot Linux and run the program in the emulated environment. 
I've found looping it to be more consistent: +``` +$ while true; do ./main.o; done +``` +Though sometimes it will crash after only one run.""" +additional = """Here is the output from the kernel: +``` +$ /mnt/virt_root/sme_crash/main.o +[ 190.813392] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 190.818912] Mem abort info: +[ 190.819255] ESR = 0x0000000096000046 +[ 190.819727] EC = 0x25: DABT (current EL), IL = 32 bits +[ 190.820391] SET = 0, FnV = 0 +[ 190.820757] EA = 0, S1PTW = 0 +[ 190.821145] FSC = 0x06: level 2 translation fault +[ 190.821635] Data abort info: +[ 190.821978] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 +[ 190.822490] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 +[ 190.822991] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 190.823645] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000475f1000 +[ 190.824269] [0000000000000000] pgd=0800000047645003, p4d=0800000047645003, pud=0800000047641003, pmd=0000000000000000 +[ 190.826225] Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP +[ 190.826996] Modules linked in: +[ 190.827748] CPU: 0 PID: 198 Comm: main.o Not tainted 6.4.0-01761-g6aeadf7896bf #1 +[ 190.828638] Hardware name: linux,dummy-virt (DT) +[ 190.829304] pstate: 234000c5 (nzCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) +[ 190.830115] pc : sve_save_state+0x4/0xf0 +[ 190.831378] lr : fpsimd_save+0x184/0x1f0 +[ 190.831848] sp : ffff80008047bc70 +[ 190.832223] x29: ffff80008047bc70 x28: ffff0000036c49c0 x27: 0000000000000000 +[ 190.833182] x26: ffff0000036c4f58 x25: ffff0000036c49c0 x24: ffff0000036c5868 +[ 190.834045] x23: 0000000000000020 x22: ffff24441ea31000 x21: 0000000000000001 +[ 190.834894] x20: ffff00003fdc50b0 x19: ffffdbbc213940b0 x18: 0000000000000000 +[ 190.835759] x17: ffff24441ea31000 x16: ffff800080000000 x15: 0000000000000000 +[ 190.836593] x14: 000000000000026c x13: 0000000000000001 x12: 0000000000000020 +[ 190.837436] x11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000800 +[ 
190.838323] x8 : ffff00003fdcffc0 x7 : ffff00003fdcff40 x6 : 0000000002da9c8c +[ 190.839149] x5 : 0000000000000001 x4 : 0000000000000000 x3 : 0000000000000000 +[ 190.839976] x2 : 0000000000000001 x1 : ffff0000036c56a0 x0 : 0000000000000440 +[ 190.840936] Call trace: +[ 190.841406] sve_save_state+0x4/0xf0 +[ 190.841993] fpsimd_thread_switch+0x24/0xd4 +[ 190.842572] __switch_to+0x20/0x1d4 +[ 190.843043] __schedule+0x2a0/0xa7c +[ 190.843488] schedule+0x5c/0xc4 +[ 190.843912] do_notify_resume+0x1a4/0x474 +[ 190.844410] el0_interrupt+0xc4/0xd4 +[ 190.844855] __el0_irq_handler_common+0x18/0x24 +[ 190.845350] el0t_64_irq_handler+0x10/0x1c +[ 190.845824] el0t_64_irq+0x190/0x194 +[ 190.846661] Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) +[ 190.847545] ---[ end trace 0000000000000000 ]--- +[ 190.848125] note: main.o[198] exited with irqs disabled +``` + +I have looked the kernel functions in the backtrace and it seems to be loading memory fine, so it's not obviously a code generation problem. The pointer loaded prior to the crash is definitely a nullptr. + +Removing any of the lines (`while (1) {}` aside) from the example seems to avoid the issue but again, could be timing. + +An important point here is that the kernel syscall ABI states that streaming mode will be exited on +a syscall. I have observed that this does happen as expected. This is why the test case does a syscall, then immediately goes back to streaming mode. And it is perhaps where the confusion starts. + +I have confirmed that SME is supported by the emulated CPU and other SME programs do run correctly. + +I initially thought this was to do with having many cores, but it reproduces on a single core also.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1790.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1790.toml new file mode 100644 index 00000000..2f3ed1ff --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1790.toml 
@@ -0,0 +1,41 @@ +id = 1790 +title = "[AARCH64] STGP instruction is not writing the value of the second register to memory" +state = "closed" +created_at = "2023-07-26T08:36:49.418Z" +closed_at = "2023-07-31T17:59:45.754Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1790" +host-os = "Ubuntu 20.04.6 LTS" +host-arch = "- QEMU flavor: qemu-system-aarch64" +qemu-version = "QEMU 8.0.90 - 885fc169f09f5915ce037263d20a59eb226d473d" +guest-os = "Kinibi" +guest-arch = "AARCH64" +description = """My application is built with Clang 16 and the option -fsanitize=memtag-stack. +It means the the MTE protection is activated for the stack. +The local variables are tagged and the compiler is often using the STGP instruction "Store Allocation Tag and Pair of registers" in order to transfer the value of two 64-bit registers to memory. +The following instruction was not working as expected: + 18004: 69000895 \tstgp\tx21, x2, [x4] +The value of the second register x2 is not transferred to the memory. +Only x21 is written. + +I think that the issue is in trans_STGP(). +We don't call finalize_memop_pair() like we do for in the general trans_STP(). + +``` +diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c +index 7d0c8f79a7..f599f3e136 100644 +--- a/target/arm/tcg/translate-a64.c ++++ b/target/arm/tcg/translate-a64.c +@@ -3034,6 +3034,8 @@ static bool trans_STGP(DisasContext *s, arg_ldstpair *a) + + tcg_rt = cpu_reg(s, a->rt); + tcg_rt2 = cpu_reg(s, a->rt2); ++ mop = a->sz + 1; ++ mop = finalize_memop_pair(s, mop); + + assert(a->sz == 3); +``` + +With this fix, my OS (Kinibi) is now able to boot.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1799.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1799.toml new file mode 100644 index 00000000..c9441e62 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1799.toml 
@@ -0,0 +1,187 @@ +id = 1799 +title = "Support running real-world Android on Arm by supporting one-register list for the POP (LDMIA) Thumb32 instruction." +state = "closed" +created_at = "2023-07-28T22:37:39.920Z" +closed_at = "2023-10-31T17:39:10.200Z" +labels = ["Bite Sized", "accel: TCG", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1799" +host-os = "Linux" +host-arch = "x86_64" +qemu-version = "8.0.3" +guest-os = "LineageOS 18.1 on Waydroid 1.4.1 on PostmarketOS edge" +guest-arch = "aarch64" +description = "n/a" +reproduce = """1. Get any aarch64 Linux on QEMU for x86_64 running. Make sure that Wayland is running. (For example, build PostmarketOS with "phosh" for aarch64 and install it.) +2. Install waydroid (e.g. `apk add waydroid`). +3. Install the LineageOS 18.1 for waydroid image (e.g. `waydroid init`). +4. Run the waydroid-container (e.g. `rc-service waydroid-container restart`). +5. Start the waydroid session (e.g. click on the "Waydroid" symbol on the graphical user interface). +6. Observe the waydroid log file (e.g. 
run `waydroid logcat`).""" +additional = """The output of the Android log (using `waydroid logcat`) will be akin: + +``` +23908 23908 D AndroidRuntime: >>>>>> START com.android.internal.os.ZygoteInit uid 0 <<<<<< +23908 23908 I AndroidRuntime: Using default boot image +23908 23908 I AndroidRuntime: Leaving lock profiling enabled +23908 23908 E cutils-trace: Error opening trace file: No such file or directory (2) +23908 23908 I zygote : option[0]=-Xzygote +23908 23908 I zygote : option[1]=exit +23908 23908 I zygote : option[2]=vfprintf +23908 23908 I zygote : option[3]=sensitiveThread +23908 23908 I zygote : option[4]=-verbose:gc +23908 23908 I zygote : option[5]=-XX:PerfettoHprof=true +23908 23908 I zygote : option[6]=-Xms8m +23908 23908 I zygote : option[7]=-Xmx512m +23908 23908 I zygote : option[8]=-XX:HeapGrowthLimit=192m +23908 23908 I zygote : option[9]=-XX:HeapMinFree=8m +23908 23908 I zygote : option[10]=-XX:HeapMaxFree=16m +23908 23908 I zygote : option[11]=-XX:HeapTargetUtilization=0.6 +23908 23908 I zygote : option[12]=-Xusejit:true +23908 23908 I zygote : option[13]=-Xjitsaveprofilinginfo +23908 23908 I zygote : option[14]=-XjdwpOptions:suspend=n,server=y +23908 23908 I zygote : option[15]=-XjdwpProvider:default +23908 23908 I zygote : option[16]=-Xopaque-jni-ids:swapable +23908 23908 I zygote : option[17]=-Xlockprofthreshold:500 +23908 23908 I zygote : option[18]=-Xcompiler-option +23908 23908 I zygote : option[19]=--instruction-set-variant=generic +23908 23908 I zygote : option[20]=-Xcompiler-option +23908 23908 I zygote : option[21]=--instruction-set-features=default +23908 23908 I zygote : option[22]=-Xcompiler-option +23908 23908 I zygote : option[23]=--generate-mini-debug-info +23908 23908 I zygote : option[24]=-Ximage-compiler-option +23908 23908 I zygote : option[25]=--runtime-arg +23908 23908 I zygote : option[26]=-Ximage-compiler-option +23908 23908 I zygote : option[27]=-Xms64m +23908 23908 I zygote : option[28]=-Ximage-compiler-option +23908 
23908 I zygote : option[29]=--runtime-arg +23908 23908 I zygote : option[30]=-Ximage-compiler-option +23908 23908 I zygote : option[31]=-Xmx64m +23908 23908 I zygote : option[32]=-Ximage-compiler-option +23908 23908 I zygote : option[33]=--dirty-image-objects=/system/etc/dirty-image-objects +23908 23908 I zygote : option[34]=-Ximage-compiler-option +23908 23908 I zygote : option[35]=--instruction-set-variant=generic +23908 23908 I zygote : option[36]=-Ximage-compiler-option +23908 23908 I zygote : option[37]=--instruction-set-features=default +23908 23908 I zygote : option[38]=-Ximage-compiler-option +23908 23908 I zygote : option[39]=--generate-mini-debug-info +23908 23908 I zygote : option[40]=-Duser.locale=en-US +23908 23908 I zygote : option[41]=--cpu-abilist=armeabi-v7a,armeabi +23908 23908 I zygote : option[42]=-Xcore-platform-api-policy:just-warn +23908 23908 I zygote : option[43]=-Xfingerprint:waydroid/lineage_waydroid_arm64/waydroid_arm64:11/RQ3A.211001.001/48:userdebug/test-keys +23908 23908 I zygote : Core platform API reporting enabled, enforcing=false +23908 23908 D zygote : Time zone APEX ICU file found: /apex/com.android.tzdata/etc/icu/icu_tzdata.dat +23908 23908 D zygote : I18n APEX ICU file found: /apex/com.android.i18n/etc/icu/icudt66l.dat +23908 23908 I zygote : Using memfd for future sealing +23908 23908 W zygote : Using default instruction set features for ARM CPU variant (generic) using conservative defaults + 49 49 I tombstoned: received crash request for pid 23908 +23908 23908 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** +23908 23908 F DEBUG : LineageOS Version: '18.1-20230723-VANILLA-waydroid_arm64' +23908 23908 F DEBUG : Build fingerprint: 'waydroid/lineage_waydroid_arm64/waydroid_arm64:11/RQ3A.211001.001/48:userdebug/test-keys' +23908 23908 F DEBUG : Revision: '0' +23908 23908 F DEBUG : ABI: 'arm' +23908 23908 F DEBUG : Timestamp: 2023-07-28 14:13:34+0000 +23908 23908 F DEBUG : pid: 23908, tid: 23908, name: 
main >>> zygote <<< +23908 23908 F DEBUG : uid: 0 +23908 23908 F DEBUG : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x709443da (*pc=0x4000e8bd) +23908 23908 F DEBUG : r0 54647764 r1 3fb9709b r2 fffffe56 r3 4337ffff +23908 23908 F DEBUG : r4 707184b0 r5 3fdaaaaa r6 f295837e r7 00000001 +23908 23908 F DEBUG : r8 00000000 r9 f7986e00 r10 ffa33320 r11 ffa332e4 +23908 23908 F DEBUG : ip e9930ba4 sp ffa332cc lr 709443d5 pc 709443da +23908 23908 F DEBUG : +23908 23908 F DEBUG : backtrace: +23908 23908 F DEBUG : #00 pc 0007e3da /apex/com.android.art/javalib/arm/boot.oat (art_jni_trampoline+34) (BuildId: 4af94ec040111dd87be55d34780e36769428675c) +23908 23908 F DEBUG : #01 pc 000d39d5 /apex/com.android.art/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #02 pc 004f0759 /apex/com.android.art/lib/libart.so (art_quick_invoke_static_stub+276) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #03 pc 0012ca93 /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+166) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #04 pc 00240bbf /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #05 pc 002388df /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+746) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #06 pc 004e44db /apex/com.android.art/lib/libart.so (MterpInvokeStatic+482) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #07 pc 000ce594 /apex/com.android.art/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 
d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #08 pc 003bdaa0 /system/framework/framework.jar +23908 23908 F DEBUG : #09 pc 0023182b /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #10 pc 00238109 /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+144) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #11 pc 00239581 /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+536) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #12 pc 004e7239 /apex/com.android.art/lib/libart.so (MterpInvokeStaticRange+372) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #13 pc 000ce894 /apex/com.android.art/lib/libart.so (mterp_op_invoke_static_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #14 pc 003bd9d4 /system/framework/framework.jar +23908 23908 F DEBUG : #15 pc 0023182b /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #16 pc 00238109 /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+144) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #17 pc 00239581 /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction 
const*, unsigned short, art::JValue*)+536) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #18 pc 004e7239 /apex/com.android.art/lib/libart.so (MterpInvokeStaticRange+372) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #19 pc 000ce894 /apex/com.android.art/lib/libart.so (mterp_op_invoke_static_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #20 pc 003bc286 /system/framework/framework.jar +23908 23908 F DEBUG : #21 pc 0023182b /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #22 pc 00238109 /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+144) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #23 pc 002388c7 /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+722) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #24 pc 004e44db /apex/com.android.art/lib/libart.so (MterpInvokeStatic+482) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #25 pc 000ce594 /apex/com.android.art/lib/libart.so (mterp_op_invoke_static+20) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #26 pc 003b1c7c /system/framework/framework.jar +23908 23908 F DEBUG : #27 pc 0023182b /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #28 pc 0023803d /apex/com.android.art/lib/libart.so 
(art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+120) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #29 pc 004d321b /apex/com.android.art/lib/libart.so (artQuickToInterpreterBridge+686) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #30 pc 000d8561 /apex/com.android.art/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #31 pc 0042dbaf /system/framework/arm/boot-framework.oat (android.graphics.ColorSpace$Rgb.isSrgb+446) (BuildId: 7ce3c24f3f20164927036fc8f58e1baa2a8f4020) +23908 23908 F DEBUG : #32 pc 0042cddf /system/framework/arm/boot-framework.oat (android.graphics.ColorSpace$Rgb.<init>+822) (BuildId: 7ce3c24f3f20164927036fc8f58e1baa2a8f4020) +23908 23908 F DEBUG : #33 pc 000d39d5 /apex/com.android.art/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #34 pc 004f0627 /apex/com.android.art/lib/libart.so (art_quick_invoke_stub+282) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #35 pc 0012ca81 /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+148) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #36 pc 00240bbf /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #37 pc 00239597 /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+558) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #38 pc 004e6b7d /apex/com.android.art/lib/libart.so (MterpInvokeDirectRange+392) (BuildId: 
d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #39 pc 000ce814 /apex/com.android.art/lib/libart.so (mterp_op_invoke_direct_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #40 pc 003bce74 /system/framework/framework.jar +23908 23908 F DEBUG : #41 pc 004e6cdd /apex/com.android.art/lib/libart.so (MterpInvokeDirectRange+744) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #42 pc 000ce814 /apex/com.android.art/lib/libart.so (mterp_op_invoke_direct_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #43 pc 003bce8c /system/framework/framework.jar +23908 23908 F DEBUG : #44 pc 004e6cdd /apex/com.android.art/lib/libart.so (MterpInvokeDirectRange+744) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #45 pc 000ce814 /apex/com.android.art/lib/libart.so (mterp_op_invoke_direct_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #46 pc 003be6b6 /system/framework/framework.jar +23908 23908 F DEBUG : #47 pc 0023182b /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #48 pc 0023803d /apex/com.android.art/lib/libart.so (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+120) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #49 pc 004d321b /apex/com.android.art/lib/libart.so (artQuickToInterpreterBridge+686) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #50 pc 000d8561 /apex/com.android.art/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #51 pc 000d39d5 /apex/com.android.art/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG 
: #52 pc 004f0759 /apex/com.android.art/lib/libart.so (art_quick_invoke_static_stub+276) (BuildId: d0f40e4862987997ffa9c0a264e61174) +23908 23908 F DEBUG : #53 pc 0012ca93 /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+166) (BuildId: d0f40e4862987997ffa9c0a264e61174) +``` + + +Analyzing with `gdb` (by repeatedly calling `gdb -p "$(ps xua | grep zygote | grep -v grep | grep -v zygote64 | awk {'print $2'})"` until `gdb` attaches earlier to the current `zygote` process than the offending instruction is reached) reveals that the crash happens here: + +``` + 0x6fc373b0 <+944>: cmp r3, #223 @ 0xdf + 0x6fc373b2 <+946>: movs r6, r0 + 0x6fc373b4 <+948>: movs r0, r5 + 0x6fc373b6 <+950>: movs r0, r0 + 0x6fc373b8 <+952>: push {lr} + 0x6fc373ba <+954>: sub sp, #4 + 0x6fc373bc <+956>: vstr d0, [sp, #12] + 0x6fc373c0 <+960>: vstr d1, [sp, #20] + 0x6fc373c4 <+964>: mov r4, r0 + 0x6fc373c6 <+966>: ldr r2, [sp, #20] + 0x6fc373c8 <+968>: ldr r3, [sp, #24] + 0x6fc373ca <+970>: ldr r0, [sp, #12] + 0x6fc373cc <+972>: ldr r1, [sp, #16] + 0x6fc373ce <+974>: ldr.w r12, [r4, #20] + 0x6fc373d2 <+978>: blx r12 + 0x6fc373d4 <+980>: vmov d0, r0, r1 + 0x6fc373d8 <+984>: add sp, #4 +=> 0x6fc373da <+986>: ldmia.w sp!, {lr} + 0x6fc373de <+990>: bx lr +``` + +(note that the actual address changes for every instance of `zygote`, probably due to address-space layout randomization) + +The instruction at this location is 0xe8bd4000, as evidenced by: + +``` +(gdb) x/16hx 0x6fc373da +0x6fc373da <oatexec+986>: 0xe8bd 0x4000 0x4770 0x2c0f 0x0006 0x0020 0x0000 0xb500 +0x6fc373ea <oatexec+1002>: 0xb081 0xed8d 0x0b03 0x4604 0x9803 0x9904 0xf8d4 0xc014 +``` + +The disassembly into `ldmia.w sp!, {lr}` is indeed correct. 
However, such an instruction [would be assembled](https://developer.arm.com/documentation/ddi0308/d/Thumb-Instructions/Alphabetical-list-of-Thumb-instructions/POP?lang=en) into `pop lr` and then into `ldr.w lr,[sp,#-4]`, which would be encoded differently. Hence, the assembly into this instruction was incorrect in the first place. + +It turns out that the assembly error is due to an error in the [`vixl` ARMv8 Runtime Code Generation Library](https://github.com/Linaro/vixl), which is also used by Android. This error [has been fixed by Feb 9, 2021](https://github.com/Linaro/vixl/commit/b0a2e281aebbf93e6ee521dcc40ba6dd2aa5124d). However, this fix has [not made it into Android 13](https://android.googlesource.com/platform/external/vixl/+log/02ab12aafeb5278d89184ae6a3ff3a7883b34c5e). Thus, at least Android 11, Android 12, Android 13 cannot run on current `qemu-system-aarch64`, while it should. + +Users of the Android emulator (also based on QEMU) do not seem to suffer from this bug because the Android QEMU [has bitrotted since the year 2018](https://android.googlesource.com/platform/external/qemu/+log/e7390f2265257d66093dfe858ce3a47b2e1de539/target/arm/translate.c) and hence has not seen any Arm emulation modernization in QEMU (e.g. the Tiny Code Generator) since, and only this modernization has exposed this bug in the first place.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1812.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1812.toml new file mode 100644 index 00000000..437ad5e8 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1812.toml 
@@ -0,0 +1,33 @@ +id = 1812 +title = "older programs running under qemu-aarch64 segfaults" +state = "closed" +created_at = "2023-08-05T16:07:48.879Z" +closed_at = "2023-08-11T06:02:34.362Z" +labels = ["Closed::Fixed", "accel: TCG", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1812" +host-os = "Linux" +host-arch = "amd64" +qemu-version = "8.1.0-rc2" +guest-os = "Debian Jessie, Ubuntu Xenial, ..." +guest-arch = "aarch64" +description = """Numerous aarch64 programs segfaults when run under qemu-aarch64.""" +reproduce = """1. Install an arm64 chroot (with working qemu-aarch64 binfmt_misc setup): +``` +debootstrap --variant=minbase --arch=arm64 jessie /tmp/jessie-arm64/ http://archive.debian.org/debian +or +debootstrap --variant=minbase --arch=arm64 xenial /tmp/xenial-arm64/ http://ports.ubuntu.com/ +``` +2. build qemu-aarch64; cp qemu-aarch64 /tmp/jessie-arm64/ +3. chroot /tmp/jessie-arm64/ +4. ./qemu-aarch64 /bin/ls +``` +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +Segmentation fault +```""" +additional = """Old userspace (eg Debian jessie, Ubuntu xenial) does not work within qemu 8.1-rc2 aarch64 linux-user emulation, since commit 59b6b42cd3446862567637f3a7ab31d69c9bef51 . My guess is that old userspace isn't prepared for recent CPU features, but it still smells strange. + +Not all programs segfaults. dash works, ls or bash does not. + +A chroot is easier in this case, since many old programs don't run inside current environment, like asserting while reading locale-specific information. To run debootstrap and to enter the resulting chroot, a working qemu-aarch64 binfmt_misc setup is needed. + +Reverting the mentioned commit makes everything work again.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1833.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1833.toml new file mode 100644 index 00000000..309f9806 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1833.toml 
@@ -0,0 +1,92 @@ +id = 1833 +title = "ARM64 SME ST1Q incorrectly stores 9 bytes (rather than 16) per 128-bit element" +state = "closed" +created_at = "2023-08-16T20:54:29.517Z" +closed_at = "2023-08-24T15:27:44.757Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1833" +host-os = "Ubuntu 20.04.5 LTS" +host-arch = "ARM64" +qemu-version = "qemu-aarch64 version 8.0.93 (also confirmed on master branch)" +guest-os = "n/a" +guest-arch = "n/a" +description = """QEMU incorrectly stores 9 bytes instead of 16 per 128-bit element in the ST1Q SME instruction (https://developer.arm.com/documentation/ddi0602/2022-06/SME-Instructions/ST1Q--Contiguous-store-of-quadwords-from-128-bit-element-ZA-tile-slice-). It copies the first byte of the upper 64-bits, then lower the 64-bits. + +This seems to be a simple issue; I tracked it down to: +https://gitlab.com/qemu-project/qemu/-/blob/master/target/arm/tcg/sme_helper.c?ref_type=heads#L382 + +Updating that `+ 1` to a `+ 8` fixes the problem.""" +reproduce = """```c +#include <stdio.h> +#include <stdint.h> +#include <string.h> + +void st1q_sme_copy_test(uint8_t* src, uint8_t* dest) { + asm volatile( + "smstart sm\\n" + "smstart za\\n" + "ptrue p0.b\\n" + "mov x12, xzr\\n" + "ld1q {za0h.q[w12, 0]}, p0/z, %0\\n" + "st1q {za0h.q[w12, 0]}, p0, %1\\n" + "smstop za\\n" + "smstop sm\\n" : : "m"(*src), "m"(*dest) : "w12", "p0"); +} + +void print_first_128(uint8_t* data) { + putchar('['); + for (int i = 0; i < 16; i++) { + printf("%02d", data[i]); + if (i != 15) + printf(", "); + } + printf("]\\n"); +} + +int main() { + _Alignas(16) uint8_t dest[512] = { }; + _Alignas(16) uint8_t src[512] = { }; + for (int i = 0; i < sizeof(src); i++) + src[i] = i; + puts("Before"); + printf(" src: "); + print_first_128(src); + printf("dest: "); + print_first_128(dest); + st1q_sme_copy_test(src, dest); + puts("\\nAfter "); + printf(" src: "); + print_first_128(src); + printf("dest: "); + 
print_first_128(dest); +} +``` + +Compile with (requires at least clang ~14, tested with clang 16):<br/> +`clang ./qemu_repro.c -march=armv9-a+sme+sve -o ./qemu_repro` + +Run with:<br/> +`qemu-aarch64 -cpu max,sme=on ./qemu_repro` + +It's expected just to copy from `src` to `dest` and output: +``` +Before + src: [00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14, 15] +dest: [00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00] + +After + src: [00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14, 15] +dest: [00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14, 15] +``` + +But currently outputs: +``` +Before + src: [00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14, 15] +dest: [00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00] + +After + src: [00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14, 15] +dest: [00, 08, 09, 10, 11, 12, 13, 14, 15, 00, 00, 00, 00, 00, 00, 00] +```""" +additional = """N/A""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1953.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1953.toml new file mode 100644 index 00000000..cbd074ce --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1953.toml 
@@ -0,0 +1,154 @@ +id = 1953 +title = "Segmentation fault when compiling elixir app on qemu aarch64 on x86_64 host" +state = "opened" +created_at = "2023-10-22T06:22:15.759Z" +closed_at = "n/a" +labels = ["accel: TCG", "linux-user", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1953" +host-os = "Linux" +host-arch = "x86_64" +qemu-version = "8.1.2" +guest-os = "Linux" +guest-arch = "aarch64" +description = """When I try to install an elixir escript using + +``` +mix escript.install github upmaru/pakman --force +``` + +I run into a segfault with the following output + +``` + + +Build and Deploy +failed Oct 22, 2023 in 1m 27s +2s +2s +22s +56s +remote: Compressing objects: 86% (144/167) +remote: Compressing objects: 87% (146/167) +remote: Compressing objects: 88% (147/167) +remote: Compressing objects: 89% (149/167) +remote: Compressing objects: 90% (151/167) +remote: Compressing objects: 91% (152/167) +remote: Compressing objects: 92% (154/167) +remote: Compressing objects: 93% (156/167) +remote: Compressing objects: 94% (157/167) +remote: Compressing objects: 95% (159/167) +remote: Compressing objects: 96% (161/167) +remote: Compressing objects: 97% (162/167) +remote: Compressing objects: 98% (164/167) +remote: Compressing objects: 99% (166/167) +remote: Compressing objects: 100% (167/167) +remote: Compressing objects: 100% (167/167), done. +remote: Total 2568 (delta 86), reused 188 (delta 58), pack-reused 2341 +origin/HEAD set to develop +Resolving Hex dependencies... 
+Resolution completed in 0.872s +New: + castore 1.0.4 + finch 0.16.0 + hpax 0.1.2 + jason 1.4.1 + mime 2.0.5 + mint 1.5.1 + nimble_options 1.0.2 + nimble_pool 1.0.0 + slugger 0.3.0 + telemetry 1.2.1 + tesla 1.7.0 + yamerl 0.10.0 + yaml_elixir 2.8.0 +* Getting tesla (Hex package) +* Getting jason (Hex package) +* Getting yaml_elixir (Hex package) +* Getting slugger (Hex package) +* Getting finch (Hex package) +* Getting mint (Hex package) +* Getting castore (Hex package) +* Getting hpax (Hex package) +* Getting mime (Hex package) +* Getting nimble_options (Hex package) +* Getting nimble_pool (Hex package) +* Getting telemetry (Hex package) +* Getting yamerl (Hex package) +Resolving Hex dependencies... +Resolution completed in 0.413s +Unchanged: + castore 1.0.4 + finch 0.16.0 + hpax 0.1.2 + jason 1.4.1 + mime 2.0.5 + mint 1.5.1 + nimble_options 1.0.2 + nimble_pool 1.0.0 + slugger 0.3.0 + telemetry 1.2.1 + tesla 1.7.0 + yamerl 0.10.0 + yaml_elixir 2.8.0 +All dependencies are up to date +==> mime +Compiling 1 file (.ex) +Generated mime app +==> nimble_options +Compiling 3 files (.ex) +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +Segmentation fault (core dumped) +```""" +reproduce = """1. Create a repo using the github action zacksiri/setup-alpine +2. Install elixir +3. run `mix escript.install github upmaru/pakman --force`""" +additional = """You can use the following github action config as an example / starting point. 
+ + +```yml +name: 'Deployment' + +on: + push: + branches: + - main + - master + - develop + +jobs: + build_and_deploy: + name: Build and Deploy + runs-on: ubuntu-latest + steps: + - name: 'Checkout' + uses: actions/checkout@v3 + with: + ref: ${{ github.event.workflow_run.head_branch }} + fetch-depth: 0 + + - name: 'Setup Alpine' + uses: zacksiri/setup-alpine@master + with: + branch: v3.18 + arch: aarch64 + qemu-repo: edge + packages: | + zip + tar + sudo + alpine-sdk + coreutils + cmake + elixir + + - name: 'Setup PAKman' + run: | + export MIX_ENV=prod + + mix local.rebar --force + mix local.hex --force + mix escript.install github upmaru/pakman --force + shell: alpine.sh {0} +``` + +I'm using alpine 3.18 which has otp25 with jit enabled so I suspect this is something to do with https://gitlab.com/qemu-project/qemu/-/issues/1034""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/1970.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/1970.toml new file mode 100644 index 00000000..d3b51d46 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/1970.toml @@ -0,0 +1,15 @@ +id = 1970 +title = "A64 LDRA decode scales the immediate by wrong amount" +state = "closed" +created_at = "2023-11-05T13:50:20.014Z" +closed_at = "2023-11-07T03:01:37.876Z" +labels = ["accel: TCG", "kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1970" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2005.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2005.toml new file mode 100644 index 00000000..58e49ae2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2005.toml 
@@ -0,0 +1,39 @@ +id = 2005 +title = "qemu-system-aarch64: ../target/arm/helper.c:6757: sve_vqm1_for_el_sm: Assertion `sm' failed." +state = "closed" +created_at = "2023-11-26T21:51:07.381Z" +closed_at = "2023-12-05T12:32:56.271Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2005" +host-os = "openSUSE Tumbleweed 20231103" +host-arch = "x86_64" +qemu-version = "8.1.2" +guest-os = "openSUSE Tumbleweed 20231122" +guest-arch = "aarch64" +description = """Qemu crashes when sve is completely disabled for CPU model "max" (`-cpu max,sve=off`). Using any CPU model which does not include SVE, or using only e.g. SVE128 (`-cpu max,sve128=on`) works fine.\\ +\\ +`#0 0x00007f94b8291dec in __pthread_kill_implementation () at /lib64/libc.so.6 `\\ +`#1 0x00007f94b823f0c6 in raise () at /lib64/libc.so.6 `\\ +`#2 0x00007f94b82268d7 in abort () at /lib64/libc.so.6 `\\ +`#3 0x00007f94b82267eb in _nl_load_domain.cold () at /lib64/libc.so.6 `\\ +`#4 0x00007f94b8237016 in () at /lib64/libc.so.6 `\\ +`#5 0x000055d6794aa698 in sve_vqm1_for_el_sm (env=env@entry=0x55d67c6ff9b0, el=el@entry=1, sm=false) at ../target/arm/helper.c:6757 `\\ +`#6 0x000055d6794afc29 in sve_vqm1_for_el (el=1, env=0x55d67c6ff9b0) at ../target/arm/helper.c:6763 `\\ +`#7 smcr_write (env=0x55d67c6ff9b0, ri=0x55d67c78f600, value=<optimized out>) at ../target/arm/helper.c:6887 `\\ +`#8 0x00007f9469bad101 in code_gen_buffer () `\\ +`#9 0x000055d67977dc19 in cpu_tb_exec (cpu=cpu@entry=0x55d67c6fd1f0, itb=<optimized out>, tb_exit=tb_exit@entry=0x7f94acdcc4c4) at ../accel/tcg/cpu-exec.c:457 `\\ +`#10 0x000055d67977e59f in cpu_loop_exec_tb (tb_exit=0x7f94acdcc4c4, last_tb=<synthetic pointer>, pc=<optimized out>, tb=<optimized out>, cpu=<optimized out>) at ../accel/tcg/cpu-exec.c:919 `\\ +`#11 cpu_exec_loop (cpu=cpu@entry=0x55d67c6fd1f0, sc=sc@entry=0x7f94acdcc570) at ../accel/tcg/cpu-exec.c:1040 `\\ +`#12 0x000055d67977ee7d in cpu_exec_setjmp 
(cpu=0x55d67c6fd1f0, sc=0x7f94acdcc570) at ../accel/tcg/cpu-exec.c:1057 `\\ +`#13 0x000055d679787c3d in cpu_exec (cpu=0x55d67c6fd1f0) at ../accel/tcg/cpu-exec.c:1083 `\\ +`#14 0x000055d6797a1d52 in tcg_cpus_exec (cpu=0x55d67c6fd1f0) at ../accel/tcg/tcg-accel-ops.c:75 `\\ +`#15 mttcg_cpu_thread_fn (arg=arg@entry=0x55d67c6fd1f0) at ../accel/tcg/tcg-accel-ops-mttcg.c:95 `\\ +`#16 0x000055d679938698 in qemu_thread_start (args=0x55d67c7a1500) at ../util/qemu-thread-posix.c:541 `\\ +`#17 0x00007f94b828ff44 in start_thread () at /lib64/libc.so.6 `\\ +`#18 0x00007f94b8318314 in clone () at /lib64/``libc.so``.6`\\ + \\ +This happens when the system is booting, i.e. grub has just finished, loaded kernel and initrd, and the kernel has just began to run, i.e. early in the kernel startup.""" +reproduce = """1. +2. +3.""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2083.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2083.toml new file mode 100644 index 00000000..67784597 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2083.toml 
@@ -0,0 +1,119 @@ +id = 2083 +title = "AArch64 SME SMOPA (4-way) outer product instruction gives incorrect result" +state = "closed" +created_at = "2024-01-09T12:04:29.786Z" +closed_at = "2024-03-09T14:58:17.548Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2083" +host-os = "Ubuntu 20.04" +host-arch = "AArch64" +qemu-version = "8.2.50 (v8.2.0-442-gffd454c67e)" +guest-os = "same as host" +guest-arch = "same as host but with SME feature" +description = """The SME SMOPA (4-way) instruction ([spec](https://developer.arm.com/documentation/ddi0602/2023-09/SME-Instructions/SMOPA--4-way---Signed-integer-sum-of-outer-products-and-accumulate-?lang=en)) is giving incorrect result. Example below for 8-bit variant, which is equivalent to following Python example (128-bit VL) to make it clearer: + +``` +import numpy as np +vl = 128 +esize = 32 +dim = vl // esize + +A = range(16) +B = range(16, 32) +C = np.zeros((4, 4,), dtype=np.int32) + +for row in range(dim): + for col in range(dim): + for k in range(4): + C[row, col] += A[4*row + k] * B[4*col + k] + +print(C) + +[[ 110 134 158 182] + [ 390 478 566 654] + [ 670 822 974 1126] + [ 950 1166 1382 1598]] +``` + +main.c +``` +#include <stdio.h> +#include <stdint.h> + +void foo(int *dst); + +int main() { + int32_t dst[16]; + foo(dst); + + // This should print: + // >>> 110 134 158 182 + // >>> 390 478 566 654 + // >>> 670 822 974 1126 + // >>> 950 1166 1382 1598 + for (int i=0; i<4; ++i) { + printf(">>> "); + for (int j=0; j<4; ++j) { + printf("%d ", dst[i * 4 + j]); + } + printf("\\n"); + } +} +``` + +foo.S + +``` +.global foo +foo: + stp x29, x30, [sp, -80]! 
+ mov x29, sp + stp d8, d9, [sp, 16] + stp d10, d11, [sp, 32] + stp d12, d13, [sp, 48] + stp d14, d15, [sp, 64] + + smstart + + ptrue p0.b + index z0.b, #0, #1 + mov z1.d, z0.d + add z1.b, z1.b, #16 + + zero {za} + smopa za0.s, p0/m, p0/m, z0.b, z1.b + + // Read the first 4x4 sub-matrix of elements from tile 0: + mov w12, #0 + mova z0.s, p0/m, za0h.s[w12, #0] + mova z1.s, p0/m, za0h.s[w12, #1] + mova z2.s, p0/m, za0h.s[w12, #2] + mova z3.s, p0/m, za0h.s[w12, #3] + + // And store them to the input pointer (dst in the C code): + st1w {z0.s}, p0, [x0] + add x0, x0, #16 + st1w {z1.s}, p0, [x0] + add x0, x0, #16 + st1w {z2.s}, p0, [x0] + add x0, x0, #16 + st1w {z3.s}, p0, [x0] + + smstop + + ldp d8, d9, [sp, 16] + ldp d10, d11, [sp, 32] + ldp d12, d13, [sp, 48] + ldp d14, d15, [sp, 64] + ldp x29, x30, [sp], 80 + ret +```""" +reproduce = """``` +$ clang -target aarch64-linux-gnu -march=armv9-a+sme main.c foo.S +$ ~/qemu/build/qemu-aarch64 -cpu max,sme128=on a.out +>>> 110 478 158 654 +>>> 0 0 0 0 +>>> 670 1166 974 1598 +>>> 0 0 0 0 +```""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2089.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2089.toml new file mode 100644 index 00000000..271a2cc5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2089.toml 
@@ -0,0 +1,35 @@ +id = 2089 +title = "aarch64: incorrect emulation of sqshrn instruction" +state = "closed" +created_at = "2024-01-10T06:30:57.404Z" +closed_at = "2024-01-27T13:00:19.852Z" +labels = ["accel: TCG", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2089" +host-os = "Debian" +host-arch = "x86_64" +qemu-version = "qemu-aarch64 version 8.1.2 (Debian 1:8.1.2+ds-1)" +guest-os = "same as host" +guest-arch = "aarch64" +description = """`sqshrn` instruction test fails with qemu-aarch64, but passes on real aarch64 hardware.""" +reproduce = """1. Build [inline_asm_tests](https://cs.android.com/android/platform/superproject/main/+/main:frameworks/libs/binary_translation/tests/inline_asm_tests/) and run with qemu-aarch64 +2. Observe two failures + +``` +[ RUN ] Arm64InsnTest.SignedSaturatingShiftRightNarrowInt16x1 +frameworks/libs/binary_translation/tests/inline_asm_tests/main_arm64.cc:6697: Failure +Expected equality of these values: + res1 + Which is: 4294967188 + MakeUInt128(0x94U, 0U) + Which is: 148 +[ FAILED ] Arm64InsnTest.SignedSaturatingShiftRightNarrowInt16x1 (5 ms) +[ RUN ] Arm64InsnTest.SignedSaturatingRoundingShiftRightNarrowInt16x1 +frameworks/libs/binary_translation/tests/inline_asm_tests/main_arm64.cc:6793: Failure +Expected equality of these values: + res3 + Which is: 4294967168 + MakeUInt128(0x0000000000000080ULL, 0x0000000000000000ULL) + Which is: 128 +[ FAILED ] Arm64InsnTest.SignedSaturatingRoundingShiftRightNarrowInt16x1 (2 ms) +```""" +additional = """[Direct link to SignedSaturatingShiftRightNarrowInt16x1 test source](https://cs.android.com/android/platform/superproject/main/+/main:frameworks/libs/binary_translation/tests/inline_asm_tests/main_arm64.cc;l=6692;drc=4ee2c3035fa5dc0b7a48b6c6dc498296be071861)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2098.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2098.toml new file mode 100644 index 00000000..a3a26b69 
--- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2098.toml @@ -0,0 +1,15 @@ +id = 2098 +title = "AArch32 Arm CPUs no longer support the 'vfp' property" +state = "closed" +created_at = "2024-01-12T16:39:53.312Z" +closed_at = "2024-02-03T13:27:02.847Z" +labels = ["Regression", "accel: TCG", "kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2098" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2150.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2150.toml new file mode 100644 index 00000000..b4c05f0b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2150.toml @@ -0,0 +1,21 @@ +id = 2150 +title = "ERROR:tcg/optimize.c:580:do_constant_folding_2: code should not be reached" +state = "closed" +created_at = "2024-02-05T07:38:32.684Z" +closed_at = "2024-04-10T13:42:48.180Z" +labels = ["Closed::Fixed", "Stable::to backport", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2150" +host-os = "Ubuntu 24.04" +host-arch = "ARM" +qemu-version = "8.2.0" +guest-os = "Windows 10/11" +guest-arch = "ARM64" +description = """After booting Windows 10 or 11 (ARM) QEMU suddenly quits with: + +ERROR:tcg/optimize.c:580:do_constant_folding_2: code should not be reached + +It seems like it is missing an OPCODE in that function?""" +reproduce = """1. Boot Windows +2. QEMU quits +3.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2183.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2183.toml new file mode 100644 index 00000000..168d7f4a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2183.toml 
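Review bot: 2098.toml stores "n/a" in every field from host-os through additional, including description and reproduce, so the record preserves nothing beyond the title, labels and URL; if the GitLab issue has no body, mark that with a distinct value instead of the same "n/a" used for unknown host details, otherwise the importer should fetch the description. In 2150.toml on the same line, the reproduce string ends with an empty step `3.` that should be dropped, and host-arch = "ARM" / guest-arch = "ARM64" use a different spelling from the "aarch64" values elsewhere in this patch, which will hurt any grouping by architecture.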
@@ -0,0 +1,28 @@ +id = 2183 +title = "aarch-64 emulation much slower since release 8.1.5 (issue also present on 8.2.1)" +state = "closed" +created_at = "2024-02-21T15:44:41.226Z" +closed_at = "2024-04-12T13:30:03.954Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2183" +host-os = "RockyLinux 8" +host-arch = "x86" +qemu-version = "8.1.5" +guest-os = "Linux" +guest-arch = "ARM" +description = """Since QEMU 8.1.5 our aarch64 based emulation got much slower. We use a linux 5.4 kernel which we cross-compile with the ARM toolchain. Things that are noticable: +- Boot time got a lot longer +- All memory accesses seem to take 3x longer (can be verified by e.g. executing below script, address does not matter): +``` +date +for i in $(seq 0 1000); do + devmem 0x200000000 2>/dev/null +done +date +```""" +reproduce = """Just boot an ARM based kernel on the virt machine and execute above script.""" +additional = """I've tried reproducing the issue on the master branch. There the issue is not present. It only seems to be present on releases 8.1.5 and 8.2.1. + +I've narrowed the problem down to following commit on the 8.2 branch (@bonzini): ef74024b76bf285e247add8538c11cb3c7399a1a accel/tcg: Revert mapping of PCREL translation block to multiple virtual addresses. + +Let me know if any other information / tests are required.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2224.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2224.toml new file mode 100644 index 00000000..58d0a160 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2224.toml 
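Review bot: in 2183.toml guest-arch = "ARM" while the description says "our aarch64 based emulation got much slower" and the report is about the virt machine running a cross-compiled Linux 5.4 kernel, so the field is less specific than the text it summarises; record it as "aarch64", the value other records in this directory use, so the regression is grouped with the 64-bit guests. host-arch = "x86" has the same problem next to the "x86_64" used by 2089.toml.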
@@ -0,0 +1,213 @@ +id = 2224 +title = "OpenBSD 7.4+ does not boot on sbsa-ref with Neoverse-V1/N2 or max cpu core" +state = "closed" +created_at = "2024-03-14T15:15:24.234Z" +closed_at = "2024-04-05T15:13:11.507Z" +labels = ["accel: TCG", "guest: BSD", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2224" +host-os = "Fedora 39" +host-arch = "aarch64" +qemu-version = "8.2.50 (v8.2.0-2543-gade27574f0-dirty)" +guest-os = "OpenBSD 7.4" +guest-arch = "AArch64" +description = """System boots and then hangs: + +``` +disks: sd0* +>> OpenBSD/arm64 BOOTAA64 1.18 +boot> +cannot open sd0a:/etc/random.seed: No such file or directory +booting sd0a:/bsd: 2861736+1091248+12711584+634544 [233295+91+666048+260913]=0x1 +3d5cf8 +FACP DBG2 MCFG SPCR IORT APIC SSDT PPTT GTDT BGRT +Copyright (c) 1982, 1986, 1989, 1991, 1993 + The Regents of the University of California. All rights reserved. +Copyright (c) 1995-2023 OpenBSD. All rights reserved. https://www.OpenBSD.org + +OpenBSD 7.4 (RAMDISK) #2131: Sun Oct 8 13:35:40 MDT 2023 + deraadt@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/RAMDISK +real mem = 1066156032 (1016MB) +avail mem = 996659200 (950MB) +random: boothowto does not indicate good seed +mainbus0 at root: ACPI +psci0 at mainbus0: PSCI 1.1, SMCCC 1.4 +efi0 at mainbus0: UEFI 2.7 +efi0: EFI Development Kit II / SbsaQemu rev 0x10000 +smbios0 at efi0: SMBIOS 3.4.0 +smbios0: vendor EFI Development Kit II / SbsaQemu version "1.0" date 03/13/2024 +smbios0: QEMU QEMU SBSA-REF Machine +cpu0 at mainbus0 mpidr 0: ARM Neoverse N2 r0p3 +cpu0: 0KB 64b/line 4-way L1 PIPT I-cache, 0KB 64b/line 4-way L1 D-cache +cpu0: 0KB 64b/line 8-way L2 cache +cpu0: RNDR,TLBIOS+IRANGE,TS+AXFLAG,FHM,DP,SM4,SM3,SHA3,RDM,Atomic,CRC32,SHA2+SHA512,SHA1,AES+PMULL,SPECRES,SB,FRINTTS,GPI,GPA,LRCPC+LDAPUR,FCMA,JSCVT,APA+PAC,DPB,ASID16,PAN+ATS1E1,LO,HPDS,VH,HAFDBS,CSV3,CSV2+SCXT,DIT,BT,SBSS+MSR +agintc0 at mainbus0 shift 4:3 nirq 288 nredist 4: "interrupt-controller" +agintcmsi0 at agintc0 
+agtimer0 at mainbus0: 62500 kHz +acpi0 at mainbus0: ACPI 6.0 +acpi0: tables DSDT FACP DBG2 MCFG SPCR IORT APIC SSDT PPTT GTDT BGRT +acpimcfg0 at acpi0 +acpimcfg0: addr 0xf0000000, bus 0-255 +acpiiort0 at acpi0 +pluart0 at acpi0 COM0 addr 0x60000000/0x1000 irq 33 +pluart0: console +ahci0 at acpi0 AHC0 addr 0x60100000/0x10000 irq 42: AHCI 1.0 +ahci0: port 0: 1.5Gb/s +scsibus0 at ahci0: 32 targets +sd0 at scsibus0 targ 0 lun 0: <ATA, QEMU HARDDISK, 2.5+> t10.ATA_QEMU_HARDDISK_QM00001_ +sd0: 43MB, 512 bytes/sector, 88064 sectors, thin +xhci0 at acpi0 USB0 addr 0x60110000/0x10000 irq 43, xHCI 0.0 +usb0 at xhci0: USB revision 3.0 +uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 addr 1 +acpipci0 at acpi0 PCI0 +pci0 at acpipci0 +0:1:0: rom address conflict 0xfffc0000/0x40000 +0:2:0: rom address conflict 0xffff8000/0x8000 +"Red Hat Host" rev 0x00 at pci0 dev 0 function 0 not configured +em0 at pci0 dev 1 function 0 "Intel 82574L" rev 0x00: msi, address 52:54:00:12:34:56 +"Bochs VGA" rev 0x02 at pci0 dev 2 function 0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +simplefb0 at mainbus0: 1280x800, 32bpp +wsdisplay0 at simplefb0 mux 1 +wsdisplay0: screen 0 added (std, vt100 emulation) +``` + +If I use Neoverse-N1 (sbsa-ref default core type) then it boots into installer: + +``` +disks: sd0* +>> OpenBSD/arm64 BOOTAA64 1.18 +boot> +cannot open sd0a:/etc/random.seed: No such file or directory +booting sd0a:/bsd: 2861736+1091248+12711584+634544 [233295+91+666048+260913]=0x1 +3d5cf8 +FACP DBG2 MCFG SPCR IORT APIC SSDT PPTT GTDT BGRT +Copyright (c) 1982, 1986, 1989, 1991, 1993 + The Regents of the University of California. All rights reserved. +Copyright (c) 1995-2023 OpenBSD. All rights reserved. 
https://www.OpenBSD.org + +OpenBSD 7.4 (RAMDISK) #2131: Sun Oct 8 13:35:40 MDT 2023 + deraadt@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/RAMDISK +real mem = 1066156032 (1016MB) +avail mem = 996659200 (950MB) +random: boothowto does not indicate good seed +mainbus0 at root: ACPI +psci0 at mainbus0: PSCI 1.1, SMCCC 1.4 +efi0 at mainbus0: UEFI 2.7 +efi0: EFI Development Kit II / SbsaQemu rev 0x10000 +smbios0 at efi0: SMBIOS 3.4.0 +smbios0: vendor EFI Development Kit II / SbsaQemu version "1.0" date 03/13/2024 +smbios0: QEMU QEMU SBSA-REF Machine +cpu0 at mainbus0 mpidr 0: ARM Neoverse N1 r4p1 +cpu0: 64KB 64b/line 4-way L1 PIPT I-cache, 64KB 64b/line 4-way L1 D-cache +cpu0: 1024KB 64b/line 8-way L2 cache +cpu0: DP,RDM,Atomic,CRC32,SHA2,SHA1,AES+PMULL,LRCPC,DPB,ASID16,PAN+ATS1E1,LO,HPDS,VH,HAFDBS,CSV3,CSV2,SBSS+MSR +agintc0 at mainbus0 shift 4:3 nirq 288 nredist 4: "interrupt-controller" +agintcmsi0 at agintc0 +agtimer0 at mainbus0: 62500 kHz +acpi0 at mainbus0: ACPI 6.0 +acpi0: tables DSDT FACP DBG2 MCFG SPCR IORT APIC SSDT PPTT GTDT BGRT +acpimcfg0 at acpi0 +acpimcfg0: addr 0xf0000000, bus 0-255 +acpiiort0 at acpi0 +pluart0 at acpi0 COM0 addr 0x60000000/0x1000 irq 33 +pluart0: console +ahci0 at acpi0 AHC0 addr 0x60100000/0x10000 irq 42: AHCI 1.0 +ahci0: port 0: 1.5Gb/s +scsibus0 at ahci0: 32 targets +sd0 at scsibus0 targ 0 lun 0: <ATA, QEMU HARDDISK, 2.5+> t10.ATA_QEMU_HARDDISK_QM00001_ +sd0: 43MB, 512 bytes/sector, 88064 sectors, thin +xhci0 at acpi0 USB0 addr 0x60110000/0x10000 irq 43, xHCI 0.0 +usb0 at xhci0: USB revision 3.0 +uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 addr 1 +acpipci0 at acpi0 PCI0 +pci0 at acpipci0 +0:1:0: rom address conflict 0xfffc0000/0x40000 +0:2:0: rom address conflict 0xffff8000/0x8000 +"Red Hat Host" rev 0x00 at pci0 dev 0 function 0 not configured +em0 at pci0 dev 1 function 0 "Intel 82574L" rev 0x00: msi, address 52:54:00:12:34:56 +"Bochs VGA" rev 0x02 at pci0 dev 2 function 0 not configured 
+"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +simplefb0 at mainbus0: 1280x800, 32bpp +wsdisplay0 at simplefb0 mux 1 +wsdisplay0: screen 0 added (std, vt100 emulation) +softraid0 at root +scsibus1 at softraid0: 256 targets +root on rd0a swap on rd0b dump on rd0b +WARNING: CHECK AND RESET THE DATE! +erase ^?, werase ^W, kill ^U, intr ^C, status ^T + +Welcome to the OpenBSD/arm64 7.4 installation program. +(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? +```""" +reproduce = """1. download OpenBSD 7.4 image: https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/miniroot74.img +2. download sbsa-ref firmware files from https://artifacts.codelinaro.org/ui/native/linaro-419-sbsa-ref/20240313-116475/edk2/ and decompress them +3. start qemu-system-aarch64 as shown above (adapt paths if needed) +4. watch console serial output""" +additional = """I am going to discuss this on OpenBSD mailing list. Will point to this bug. + +OpenBSD 7.5-current snapshot works on Neoverse-N1 and fails on Neoverse-V1/N2/max: + +``` +disks: sd0* +>> OpenBSD/arm64 BOOTAA64 1.18 +boot> +cannot open sd0a:/etc/random.seed: No such file or directory +booting sd0a:/bsd: 3015576+1213504+12712936+634144 [269381+91+701664+287051]=0x1 +3edee0 +FACP DBG2 MCFG SPCR IORT APIC SSDT PPTT GTDT BGRT +Copyright (c) 1982, 1986, 1989, 1991, 1993 + The Regents of the University of California. All rights reserved. +Copyright (c) 1995-2024 OpenBSD. All rights reserved. 
https://www.OpenBSD.org + +OpenBSD 7.5 (RAMDISK) #121: Thu Mar 14 03:28:46 MDT 2024 + deraadt@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/RAMDISK +real mem = 1066147840 (1016MB) +avail mem = 992886784 (946MB) +random: boothowto does not indicate good seed +mainbus0 at root: ACPI +psci0 at mainbus0: PSCI 1.1, SMCCC 1.4 +efi0 at mainbus0: UEFI 2.7 +efi0: EFI Development Kit II / SbsaQemu rev 0x10000 +smbios0 at efi0: SMBIOS 3.4.0 +smbios0: vendor EFI Development Kit II / SbsaQemu version "1.0" date 03/13/2024 +smbios0: QEMU QEMU SBSA-REF Machine +cpu0 at mainbus0 mpidr 0: ARM Neoverse N2 r0p3 +cpu0: 0KB 64b/line 4-way L1 PIPT I-cache, 0KB 64b/line 4-way L1 D-cache +cpu0: 0KB 64b/line 8-way L2 cache +cpu0: RNDR,TLBIOS+IRANGE,TS+AXFLAG,FHM,DP,SM4,SM3,SHA3,RDM,Atomic,CRC32,SHA2+SHA512,SHA1,AES+PMULL,SPECRES,SB,FRINTTS,GPA,LRCPC+LDAPUR,FCMA,JSCVT,APA+PAC,DPB,ASID16,PAN+ATS1E1,LO,HPDS,VH,HAFDBS,CSV3,CSV2+SCXT,DIT,BT,SBSS+MSR,MTE +agintc0 at mainbus0 shift 4:3 nirq 288 nredist 4: "interrupt-controller" +agintcmsi0 at agintc0 +agtimer0 at mainbus0: 62500 kHz +acpi0 at mainbus0: ACPI 6.0 +acpi0: tables DSDT FACP DBG2 MCFG SPCR IORT APIC SSDT PPTT GTDT BGRT +acpimcfg0 at acpi0 +acpimcfg0: addr 0xf0000000, bus 0-255 +acpiiort0 at acpi0 +pluart0 at acpi0 COM0 addr 0x60000000/0x1000 irq 33 +pluart0: console +ahci0 at acpi0 AHC0 addr 0x60100000/0x10000 irq 42: AHCI 1.0 +ahci0: port 0: 1.5Gb/s +scsibus0 at ahci0: 32 targets +sd0 at scsibus0 targ 0 lun 0: <ATA, QEMU HARDDISK, 2.5+> t10.ATA_QEMU_HARDDISK_QM00001_ +sd0: 43MB, 512 bytes/sector, 88064 sectors, thin +xhci0 at acpi0 USB0 addr 0x60110000/0x10000 irq 43, xHCI 0.0 +usb0 at xhci0: USB revision 3.0 +uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 addr 1 +acpipci0 at acpi0 PCI0 +pci0 at acpipci0 +0:1:0: rom address conflict 0xfffc0000/0x40000 +0:2:0: rom address conflict 0xffff8000/0x8000 +"Red Hat Host" rev 0x00 at pci0 dev 0 function 0 not configured +em0 at pci0 dev 1 function 0 "Intel 
82574L" rev 0x00: msi, address 52:54:00:12:34:56 +"Bochs VGA" rev 0x02 at pci0 dev 2 function 0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +"ACPI0007" at acpi0 not configured +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2248.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2248.toml new file mode 100644 index 00000000..756290ce --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2248.toml 
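Review bot: in 2224.toml the reproduce field's step 3 says "start qemu-system-aarch64 as shown above (adapt paths if needed)", but no qemu command line appears anywhere in the record, so the stored reproducer cannot be followed from the TOML alone; either add the command line to the description or reword the step to name the cpu options the title and text refer to (Neoverse-V1/N2/max failing, Neoverse-N1 booting). The description is otherwise two near-identical dmesg transcripts whose only material difference is the cpu0 line (Neoverse N2 r0p3 reporting 0KB L1/L2 caches versus N1 r4p1 reporting 64KB/1024KB), which is worth keeping but would be easier to query if the cpu model were also captured as a field.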
@@ -0,0 +1,44 @@ +id = 2248 +title = "qemu-aarch64: wrong execution result when executing the code" +state = "closed" +created_at = "2024-03-26T04:50:35.585Z" +closed_at = "2024-03-31T15:41:51.586Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2248" +host-os = "Ubuntu 22.04.4 LTS" +host-arch = "x86_64" +qemu-version = "8.2.1, 8.2.2, 9.0.0-rc0, latest commit 6a4180af9686830d88c387baab6d79563ce42a15" +guest-os = "n/a" +guest-arch = "n/a" +description = """The following aarch64 code results in the wrong execution result `4611686018427387903`, which is `0x3fffffffffffffff`. (The correct result is `-1`) The bug seems to be introduced in between v8.1.5 and v8.2.1 since the results are correct in v8.1.5. + +```c +// foo.c +#include <stdio.h> +#include <stdint.h> + +int64_t callme(size_t _1, size_t _2, int64_t a, int64_t b, int64_t c); + +int main() { + int64_t ret = callme(0, 0, 0, 1, 2); + printf("%ld\\n", ret); + return 0; +} +``` + +```s +// foo.S +.global callme +callme: + cmp x2, x3 + cset x12, lt + and w11, w12, #0xff + cmp w11, #0x0 + csetm x14, ne + lsr x13, x14, x4 + sxtb x0, w13 + ret +```""" +reproduce = """1. Build the code with `aarch64-linux-gnu-gcc foo.c foo.S -o foo` (`aarch64-linux-gnu-gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0`) +2. Run the code with `qemu-aarch64 -L /usr/aarch64-linux-gnu -E LD_LIBRARY_PATH=/usr/aarch64-linux-gnu/lib foo` and see the result""" +additional = """- Original discussion is held in [this wasmtime issue](https://github.com/bytecodealliance/wasmtime/issues/8233). Thanks to Alex Crichton for clarifying this bug.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2250.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2250.toml new file mode 100644 index 00000000..4b18aec6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2250.toml 
@@ -0,0 +1,52 @@ +id = 2250 +title = "FEAT_RME: NS EL1/0 Address Translation from EL3 fails" +state = "closed" +created_at = "2024-03-28T15:51:46.524Z" +closed_at = "2024-04-09T08:47:18.058Z" +labels = ["accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2250" +host-os = "Arch Linux" +host-arch = "x86" +qemu-version = "8.2.91; master branch commit 5012e522ac" +guest-os = "Linux" +guest-arch = "aarch64" +description = """I'm playing around with the QEMU RME Stack (TF-A, TF-RMM, Linux/KVM) for a research project. +For this I want to access some virtual normal world memory address from within EL3. +To translate the address to the physical address I use the `AT` instructions (e.g., `ats1e2r`). +If the NW memory is initially mapped in the GPT as `GPT_GPI_ANY`, this works fine, however, if the NW memory is mapped as `GPT_GPI_NS` the address translation fails with the error `0b100101`/GPT on PTW. +However, EL3/Root World should be able to access memory from all PAS, and therefore, if I understand the ARM documentation correctly, should also be able to execute a PTW for an address marked NS in the GPT.""" +reproduce = """1. Setup GPT with some memory marked as `GPT_GPI_NS` +2. Forward some NW virtual address from the kernel to EL3 +3. Execute a PTW on this address via the `AT` instructions.""" +additional = """I also took a look into the QEMU source code and potentially found the issue. +When executing a PTW we execute `target/arm/ptw.c:granule_protection_check`. 
+The function extracts the target page's GPI (`ptw.c:440'): +```c + switch (gpi) { + case 0b0000: /* no access */ + break; + case 0b1111: /* all access */ + return true; + case 0b1000: + case 0b1001: + case 0b1010: + case 0b1011: + if (pspace == (gpi & 3)) { + return true; + } + break; + default: + goto fault_walk; /* reserved */ + } +``` +The if statement checks if the current `pstate` (previously set to `ptw->in_space`) is the same security state as the one contained in the GPI. +If this is not the case, we generate a GPF. +However, I think the code misses the fact, that EL3/Root world can access memory from each PAS, meaning that the if statement should be something like +```c +if (pspace == (gpi & 3) || (pspace == ARMSS_Root)) { + return true; +} +``` +Additionally, as both Secure and Realm World can also access Normal World memory, similar checks should also be added in such cases. + +I have a patch prepared for this, however, I first want to check in if I'm in line with the Arm ARM or if I'm missing something and EL3 is indeed not supposed to execute PTWs for NS memory.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2326.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2326.toml new file mode 100644 index 00000000..8bedf966 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2326.toml 
@@ -0,0 +1,32 @@ +id = 2326 +title = "qemu-system-arm regression with Qemu 9.0.0" +state = "closed" +created_at = "2024-05-05T01:03:11.035Z" +closed_at = "2024-08-14T02:52:58.840Z" +labels = ["accel: TCG", "kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2326" +host-os = "Debian 11" +host-arch = "ARM" +qemu-version = "9.0.0" +guest-os = "OpenADK with uClibc-ng" +guest-arch = "ARMv7 (thumb2)" +description = """Bootup of the userland crashes: +``` +[ 1.713693] Run /init as init process +[ 2.372470] Alignment trap: not handling instruction f8530b04 at [<0001225a>] +[ 2.391053] 8<--- cut here --- +[ 2.392942] Unhandled fault: alignment exception (0x001) at 0x00035335 +[ 2.397042] [00035335] *pgd=6066b831, *pte=6030734f, *ppte=6030783f +```""" +reproduce = """wget https://debug.openadk.org/vexpress-v2p-ca9.dtb + +wget https://debug.openadk.org/qemu-arm-vexpress-a9-initramfspiggyback-kernel + +qemu-system-arm -M vexpress-a9 -nographic -cpu cortex-a9 -net user -net nic,model=lan9118 -dtb vexpress-v2p-ca9.dtb -kernel qemu-arm-vexpress-a9-initramfspiggyback-kernel -qmp tcp:127.0.0.1:4444,server,nowait -no-reboot""" +additional = """It works fine for ARM instruction set, but not for Thumb2. + +Git bisect showed following commit as the problematic one:<br> +From 59754f85ed35cbd5f4bf2663ca2136c78d5b2413 Mon Sep 17 00:00:00 2001<br> +From: Richard Henderson <richard.henderson@linaro.org><br> +Date: Fri, 1 Mar 2024 10:41:09 -1000<br> +Subject: [PATCH] target/arm: Do memory type alignment check when translation disabled<br>""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2372.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2372.toml new file mode 100644 index 00000000..9ab69915 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2372.toml 
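Review bot: the additional field of 2326.toml carries raw `<br>` tags from the GitLab rendering ("...the problematic one:<br>", "From 59754f85ed35cbd5f4bf2663ca2136c78d5b2413 Mon Sep 17 00:00:00 2001<br>"), while every other record in this patch stores plain Markdown, so a consumer of these files would have to strip HTML from this one entry; the importer should drop the tags before writing the string, since the commit-header lines are already on separate lines in the stored text.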
@@ -0,0 +1,117 @@ +id = 2372 +title = "A bug in AArch64 UMOPA/UMOPS (4-way) instruction" +state = "closed" +created_at = "2024-06-02T06:53:55.995Z" +closed_at = "2024-07-31T01:18:16.302Z" +labels = ["Closed::Fixed", "TestCase", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2372" +host-os = "Ubuntu 22.04" +host-arch = "x86-64" +qemu-version = "qemu-aarch64 version 9.0.50 (v9.0.0-1123-g74abb45dac)" +guest-os = "N/A (qemu-user)" +guest-arch = "aarch64" +description = """umopa computes the multiplication of two matrices in the source registers and accumulates the result to the destination register. A source register’s element size is 16 bits, while a destination register’s element size is 64 bits in case of the 4-way variant of this instruction. Before performing matrix multiplication, each element should be zero-extended to a 64-bit element. + +However, the current implementation of the helper function fails to convert the element type correctly. Below is the helper function implementation: +``` +// target/arm/tcg/sme_helper.c +#define DEF_IMOP_64(NAME, NTYPE, MTYPE) \\ +static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \\ +{ \\ + uint64_t sum = 0; \\ + /* Apply P to N as a mask, making the inactive elements 0. */ \\ + n &= expand_pred_h(p); \\ + sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0); \\ + sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16); \\ + sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32); \\ + sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48); \\ + return neg ? a - sum : a + sum; \\ +} + +DEF_IMOP_64(umopa_d, uint16_t, uint16_t) +``` +When the multiplication is performed, each element, such as `(NTYPE)(n >> 0)`, is automatically converted to `int32_t`, so the computation result has a type `int32_t`. The result is then converted to `uint64_t`, and it is added to `sum`. It seems the elements should be casted to `uint64_t` **before** performing the multiplication.""" +reproduce = """1. Write `test.c`. 
+``` +#include <stdio.h> + +char i_P1[4] = { 0xff, 0xff, 0xff, 0xff }; +char i_P5[4] = { 0xff, 0xff, 0xff, 0xff }; +char i_Z0[32] = { // Set only the first element as non-zero + 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +}; +char i_Z20[32] = { // Set only the first element as non-zero + 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +}; +char i_ZA2H[128] = { 0x0, }; +char o_ZA2H[128]; + +void __attribute__ ((noinline)) show_state() { + for (int i = 0; i < 8; i++) { + for (int j = 0; j < 16; j++) { + printf("%02x ", o_ZA2H[16*i+j]); + } + printf("\\n"); + } +} + +void __attribute__ ((noinline)) run() { + __asm__ ( + ".arch armv9.3-a+sme\\n" + "smstart\\n" + "adrp x29, i_P1\\n" + "add x29, x29, :lo12:i_P1\\n" + "ldr p1, [x29]\\n" + "adrp x29, i_P5\\n" + "add x29, x29, :lo12:i_P5\\n" + "ldr p5, [x29]\\n" + "adrp x29, i_Z0\\n" + "add x29, x29, :lo12:i_Z0\\n" + "ldr z0, [x29]\\n" + "adrp x29, i_Z20\\n" + "add x29, x29, :lo12:i_Z20\\n" + "ldr z20, [x29]\\n" + "adrp x29, i_ZA2H\\n" + "add x29, x29, :lo12:i_ZA2H\\n" + "mov x15, 0\\n" + "ld1d {za2h.d[w15, 0]}, p1, [x29]\\n" + "add x29, x29, 32\\n" + "ld1d {za2h.d[w15, 1]}, p1, [x29]\\n" + "add x29, x29, 32\\n" + "mov x15, 2\\n" + "ld1d {za2h.d[w15, 0]}, p1, [x29]\\n" + "add x29, x29, 32\\n" + "ld1d {za2h.d[w15, 1]}, p1, [x29]\\n" + ".inst 0xa1f43402\\n" // umopa za2.d, p5/m, p1/m, z0.h, z20.h + "adrp x29, o_ZA2H\\n" + "add x29, x29, :lo12:o_ZA2H\\n" + "mov x15, 0\\n" + "st1d {za2h.d[w15, 0]}, p1, [x29]\\n" + "add x29, x29, 32\\n" + "st1d {za2h.d[w15, 1]}, p1, [x29]\\n" + "add x29, x29, 32\\n" + "mov x15, 2\\n" + "st1d {za2h.d[w15, 0]}, p1, [x29]\\n" + "add x29, x29, 32\\n" + "st1d {za2h.d[w15, 1]}, p1, [x29]\\n" + "smstop\\n" + ".arch armv8-a\\n" + ); +} + +int main(int argc, char 
**argv) { + run(); + show_state(); + return 0; +} +``` +2. Compile `test.bin` using this command: `aarch64-linux-gnu-gcc-12 -O2 -no-pie ./test.c -o ./test.bin`. +3. Run `QEMU` using this command: `qemu-aarch64 -L /usr/aarch64-linux-gnu/ -cpu max,sme256=on ./test.bin`. +4. The program, runs on top of the buggy QEMU, prints the first 8 bytes of `ZA2H` as `01 00 fe ff ff ff ff ff`. It should print `01 00 fe ff 00 00 00 00` after the bug is fixed.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2373.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2373.toml new file mode 100644 index 00000000..bc4c44d0 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2373.toml 
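Review bot: 2372.toml ends with `additional = """"""`, an empty multi-line string, while 2098.toml in this same patch uses `additional = "n/a"` for the same "nothing here" case (2150.toml also uses the empty form); two spellings of an absent value means every consumer has to special-case both. Pick one and have the importer emit it consistently across all fields.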
@@ -0,0 +1,103 @@ +id = 2373 +title = "A bug in AArch64 FMOPA/FMOPS (widening) instruction" +state = "closed" +created_at = "2024-06-02T07:09:21.525Z" +closed_at = "2024-08-02T00:40:38.597Z" +labels = ["Closed::Fixed", "TestCase", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2373" +host-os = "Ubuntu 22.04" +host-arch = "x86-64" +qemu-version = "qemu-aarch64 version 9.0.50 (v9.0.0-1123-g74abb45dac)" +guest-os = "N/A (qemu-user)" +guest-arch = "aarch64" +description = """fmopa computes the multiplication of two matrices in the source registers and accumulates the result to the destination register. A source register’s element size is 16 bits, while a destination register’s element size is 64 bits in the case of widening variant of this instruction. Before the matrix multiplication is performed, each element should be converted to a 64-bit floating point. FPCR flags are considered when converting floating point values. Especially, when the FZ (or FZ16) flag is set, denormalized values are converted into zero. When the floating point size is 16 bits, FZ16 should be considered; otherwise, FZ flag should be used. + +However, the current implementation only considers FZ flag, not FZ16 flag, so it computes the wrong value.""" +reproduce = """1. Write `test.c`. 
+``` +#include <stdio.h> + +char i_P2[4] = { 0xff, 0xff, 0xff, 0xff }; +char i_P5[4] = { 0xff, 0xff, 0xff, 0xff }; +char i_Z0[32] = { // Set only the first element as non-zero + 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +}; +char i_Z16[32] = { // Set only the first element as non-zero + 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +}; +char i_ZA3H[128] = { 0x0, }; +uint64_t i_fpcr = 0x0001000000; // FZ = 1; +char o_ZA3H[128]; + +void __attribute__ ((noinline)) show_state() { + for (int i = 0; i < 8; i++) { + for (int j = 0; j < 16; j++) { + printf("%02x ", o_ZA3H[16*i+j]); + } + printf("\\n"); + } +} + +void __attribute__ ((noinline)) run() { + __asm__ ( + ".arch armv9.3-a+sme\\n" + "smstart\\n" + "adrp x29, i_P2\\n" + "add x29, x29, :lo12:i_P2\\n" + "ldr p2, [x29]\\n" + "adrp x29, i_P5\\n" + "add x29, x29, :lo12:i_P5\\n" + "ldr p5, [x29]\\n" + "adrp x29, i_Z0\\n" + "add x29, x29, :lo12:i_Z0\\n" + "ldr z0, [x29]\\n" + "adrp x29, i_Z16\\n" + "add x29, x29, :lo12:i_Z16\\n" + "ldr z16, [x29]\\n" + "adrp x29, i_ZA3H\\n" + "add x29, x29, :lo12:i_ZA3H\\n" + "mov x15, 0\\n" + "ld1w {za3h.s[w15, 0]}, p2, [x29]\\n" + "add x29, x29, 32\\n" + "ld1w {za3h.s[w15, 1]}, p2, [x29]\\n" + "add x29, x29, 32\\n" + "mov x15, 2\\n" + "ld1w {za3h.s[w15, 0]}, p2, [x29]\\n" + "add x29, x29, 32\\n" + "ld1w {za3h.s[w15, 1]}, p2, [x29]\\n" + "adrp x29, i_fpcr\\n" + "add x29, x29, :lo12:i_fpcr\\n" + "ldr x29, [x29]\\n" + "msr fpcr, x29\\n" + ".inst 0x81a0aa03\\n" // fmopa za3.s, p2/m, p5/m, z16.h, z0.h + "adrp x29, o_ZA3H\\n" + "add x29, x29, :lo12:o_ZA3H\\n" + "mov x15, 0\\n" + "st1w {za3h.s[w15, 0]}, p2, [x29]\\n" + "add x29, x29, 32\\n" + "st1w {za3h.s[w15, 1]}, p2, [x29]\\n" + "add x29, x29, 32\\n" + "mov x15, 2\\n" + "st1w {za3h.s[w15, 0]}, p2, 
[x29]\\n" + "add x29, x29, 32\\n" + "st1w {za3h.s[w15, 1]}, p2, [x29]\\n" + ".arch armv8-a\\n" + ); +} + +int main(int argc, char **argv) { + run(); + show_state(); + return 0; +} +``` +2. Compile `test.bin` using this command: `aarch64-linux-gnu-gcc-12 -O2 -no-pie ./test.c -o ./test.bin`. +3. Run QEMU using this command: `qemu-aarch64 -L /usr/aarch64-linux-gnu/ -cpu max,sme256=on ./test.bin`. +4. The program, runs on top of the buggy QEMU, prints only zero bytes. It should print `00 01 7e 2f + 00 .. (rest of bytes) .. 00` after the bug is fixed.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2374.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2374.toml new file mode 100644 index 00000000..057fc9e3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2374.toml 
@@ -0,0 +1,119 @@ +id = 2374 +title = "A bug in AArch64 FMOPA/FMOPS (non-widening) instruction" +state = "closed" +created_at = "2024-06-02T07:17:49.512Z" +closed_at = "2024-07-19T01:20:04.098Z" +labels = ["Closed::Fixed", "TestCase", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2374" +host-os = "Ubuntu 22.04" +host-arch = "x86-64" +qemu-version = "qemu-aarch64 version 9.0.50 (v9.0.0-1123-g74abb45dac)" +guest-os = "N/A (qemu-user)" +guest-arch = "aarch64" +description = """fmopa computes the multiplication of two matrices in the source registers and accumulates the result to the destination register. Depending on the instruction encoding, the element size of operands is either 32 bits or 64 bits. When the computation produces a NaN as a result, the default NaN should be generated. + +However, the current implementation of 32-bit variant of this instruction does not generate default NaNs, because invalid float_status pointer is passed: +``` +// target/arm/tcg/sme_helper.c +void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn, + void *vpm, void *vst, uint32_t desc) +{ +... + float_status fpst; + + /* + * Make a copy of float_status because this operation does not + * update the cumulative fp exception status. It also produces + * default nans. + */ + fpst = *(float_status *)vst; + set_default_nan_mode(true, &fpst); + +... + *a = float32_muladd(n, *m, *a, 0, vst); // &fpst should be used +... +} +```""" +reproduce = """1. Write `test.c`. +``` +#include <stdio.h> + +char i_P0[4] = { 0xff, 0xff, 0xff, 0xff }; +char i_P6[4] = { 0xff, 0xff, 0xff, 0xff }; +char i_Z9[32] = { // Set only the first element as NaN, but it is not default NaN. 
+ 0xff, 0xff, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +}; +char i_Z27[32] = { + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +}; +char i_ZA1H[128] = { 0x0, }; +char o_ZA1H[128]; + +void __attribute__ ((noinline)) show_state() { + for (int i = 0; i < 8; i++) { + for (int j = 0; j < 16; j++) { + printf("%02x ", o_ZA1H[16*i+j]); + } + printf("\\n"); + } +} + +void __attribute__ ((noinline)) run() { + __asm__ ( + ".arch armv9.3-a+sme\\n" + "smstart\\n" + "adrp x29, i_P0\\n" + "add x29, x29, :lo12:i_P0\\n" + "ldr p0, [x29]\\n" + "adrp x29, i_P6\\n" + "add x29, x29, :lo12:i_P6\\n" + "ldr p6, [x29]\\n" + "adrp x29, i_Z9\\n" + "add x29, x29, :lo12:i_Z9\\n" + "ldr z9, [x29]\\n" + "adrp x29, i_Z27\\n" + "add x29, x29, :lo12:i_Z27\\n" + "ldr z27, [x29]\\n" + "adrp x29, i_ZA1H\\n" + "add x29, x29, :lo12:i_ZA1H\\n" + "mov x15, 0\\n" + "ld1w {za1h.s[w15, 0]}, p0, [x29]\\n" + "add x29, x29, 32\\n" + "ld1w {za1h.s[w15, 1]}, p0, [x29]\\n" + "add x29, x29, 32\\n" + "mov x15, 2\\n" + "ld1w {za1h.s[w15, 0]}, p0, [x29]\\n" + "add x29, x29, 32\\n" + "ld1w {za1h.s[w15, 1]}, p0, [x29]\\n" + ".inst 0x809bc121\\n" // fmopa za1.s, p0/m, p6/m, z9.s, z27.s + "adrp x29, o_ZA1H\\n" + "add x29, x29, :lo12:o_ZA1H\\n" + "mov x15, 0\\n" + "st1w {za1h.s[w15, 0]}, p0, [x29]\\n" + "add x29, x29, 32\\n" + "st1w {za1h.s[w15, 1]}, p0, [x29]\\n" + "add x29, x29, 32\\n" + "mov x15, 2\\n" + "st1w {za1h.s[w15, 0]}, p0, [x29]\\n" + "add x29, x29, 32\\n" + "st1w {za1h.s[w15, 1]}, p0, [x29]\\n" + ".arch armv8-a\\n" + ); +} + +int main(int argc, char **argv) { + run(); + show_state(); + return 0; +} +``` +2. Compile `test.bin` using this command: `aarch64-linux-gnu-gcc-12 -O2 -no-pie ./test.c -o ./test.bin`. +3. 
Run QEMU using this command: `qemu-aarch64 -L /usr/aarch64-linux-gnu/ -cpu max,sme256=on ./test.bin`. +4. The program, runs on top of the buggy QEMU, prints 8 non-default NaNs (ff ff ff ff). It should print 8 default NaNs (00 00 c0 7f) after the bug is fixed.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2375.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2375.toml new file mode 100644 index 00000000..386d6648 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2375.toml 
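Review bot: `created_at` and `closed_at` are stored as quoted strings (`+created_at = "2024-06-02T07:17:49.512Z"`) although TOML has a native offset date-time type; writing them unquoted (`created_at = 2024-06-02T07:17:49.512Z`) makes every TOML loader return real timestamps and reject malformed values at parse time instead of downstream. In the same record `additional = """"""` encodes a missing section as an empty string while other records in this directory use `"n/a"`; pick one convention (omitting the key is the cleanest) so consumers do not have to test for both.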
@@ -0,0 +1,93 @@ +id = 2375 +title = "A bug in AArch64 FJCVTZS instruction" +state = "closed" +created_at = "2024-06-02T07:26:15.118Z" +closed_at = "2024-07-01T22:19:24.821Z" +labels = ["TestCase", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2375" +host-os = "Ubuntu 22.04" +host-arch = "x86-64" +qemu-version = "qemu-aarch64 version 9.0.50 (v9.0.0-1123-g74abb45dac)" +guest-os = "N/A (qemu-user)" +guest-arch = "aarch64" +description = """fjcvtzs instruction converts a double-precision floating-point value in the source register into a 32-bit signed integer, and stores the result in the destination register. The contents of the FPCR register influence the exception result. Especially, when FPCR.FZ (Flushing denormalized numbers to Zero) is set and an input is a denormalized number, the PSTATE.Z flag should be cleared even if the conversion result is zero. + +However, because the helper function for this instruction does not properly check the denormalized case, the Z flag will have an incorrect value: +``` +// target/arm/vfp_helper.c +uint64_t HELPER(fjcvtzs)(float64 value, void *vstatus) +{ + float_status *status = vstatus; + uint32_t inexact, frac; + uint32_t e_old, e_new; + + e_old = get_float_exception_flags(status); + set_float_exception_flags(0, status); + frac = float64_to_int32_modulo(value, float_round_to_zero, status); + e_new = get_float_exception_flags(status); + set_float_exception_flags(e_old | e_new, status); + + if (value == float64_chs(float64_zero)) { + /* While not inexact for IEEE FP, -0.0 is inexact for JavaScript. */ + inexact = 1; + } else { + /* Normal inexact or overflow or NaN */ + inexact = e_new & (float_flag_inexact | float_flag_invalid); // float_flag_input_denormal should also be checked. + } + + /* Pack the result and the env->ZF representation of Z together. */ + return deposit64(frac, 32, 32, inexact); +} +```""" +reproduce = """1. Write `test.c`. 
+``` +#include <stdint.h> +#include <stdio.h> +#include <string.h> + +char i_D27[8] = { 0x0, 0xff, 0xfc, 0x0, 0x0, 0x0, 0x0, 0x0 }; +uint64_t i_fpcr = 0x01000000; // FZ = 1; +char o_X28[8]; +uint64_t o_nzcv; + +void __attribute__ ((noinline)) show_state() { + char Z = ((o_nzcv >> 30) & 1); + + printf("PSTATE.Z: %d\\n", Z); + printf("X28: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", o_X28[i]); + } + printf("\\n"); +} + +void __attribute__ ((noinline)) run() { + __asm__ ( + "adrp x29, i_D27\\n" + "add x29, x29, :lo12:i_D27\\n" + "ldr d27, [x29]\\n" + "adrp x29, i_fpcr\\n" + "add x29, x29, :lo12:i_fpcr\\n" + "ldr x29, [x29]\\n" + "msr fpcr, x29\\n" + ".inst 0x1e7e037c\\n" // fjcvtzs w28, d27 + "mrs x26, nzcv\\n" + "adrp x29, o_nzcv\\n" + "add x29, x29, :lo12:o_nzcv\\n" + "str x26, [x29]\\n" + "adrp x29, o_X28\\n" + "add x29, x29, :lo12:o_X28\\n" + "str x28, [x29]\\n" + ); +} + +int main(int argc, char **argv) { + run(); + show_state(); + return 0; +} +``` +2. Compile `test.bin` using this command: `aarch64-linux-gnu-gcc-12 -O2 -no-pie ./test.c -o ./test.bin`. +3. Run QEMU using this command: `qemu-aarch64 -L /usr/aarch64-linux-gnu/ ./test.bin`. +4. The program, runs on top of the buggy QEMU, prints the value of Z as `01`. It should print `00` after the bug is fixed.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2376.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2376.toml new file mode 100644 index 00000000..520b6a7b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2376.toml 
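Review bot: this record is filed under `host_missing/` (`+++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2375.toml`) even though `host-os = "Ubuntu 22.04"` and `host-arch = "x86-64"` are populated, so the directory evidently means "no host: label on the issue" rather than "host unknown". Either document that the tree is keyed on labels only, or derive the bucket from the parsed `host-arch` field, so issues with a known host do not look unclassified.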
@@ -0,0 +1,122 @@ +id = 2376 +title = "A bug in ARM VCMLA.f16/VCMLA.f32 instructions" +state = "closed" +created_at = "2024-06-02T08:50:19.028Z" +closed_at = "2024-07-01T22:19:24.482Z" +labels = ["TestCase", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2376" +host-os = "Ubuntu 22.04" +host-arch = "x86-64" +qemu-version = "qemu-arm version 9.0.50 (v9.0.0-1123-g74abb45dac)" +guest-os = "N/A (qemu-user)" +guest-arch = "ARM" +description = """The vcmla instruction performs complex-number operations on the vector registers. There is a bug in which this instruction modifies the contents of an irrelevant vector register. + +The reason is simple out-of-bound; the helper functions should correctly check the number of modified elements: +``` +// target/arm/tcg/vec_helper.c +void HELPER(gvec_fcmlah_idx)(void *vd, void *vn, void *vm, void *va, + void *vfpst, uint32_t desc) +{ + uintptr_t opr_sz = simd_oprsz(desc); + float16 *d = vd, *n = vn, *m = vm, *a = va; + float_status *fpst = vfpst; + intptr_t flip = extract32(desc, SIMD_DATA_SHIFT, 1); + uint32_t neg_imag = extract32(desc, SIMD_DATA_SHIFT + 1, 1); + intptr_t index = extract32(desc, SIMD_DATA_SHIFT + 2, 2); + uint32_t neg_real = flip ^ neg_imag; + intptr_t elements = opr_sz / sizeof(float16); + intptr_t eltspersegment = 16 / sizeof(float16); // This should be fixed; + intptr_t i, j; + + ... +} + +... + +void HELPER(gvec_fcmlas_idx)(void *vd, void *vn, void *vm, void *va, + void *vfpst, uint32_t desc) +{ + uintptr_t opr_sz = simd_oprsz(desc); + float32 *d = vd, *n = vn, *m = vm, *a = va; + float_status *fpst = vfpst; + intptr_t flip = extract32(desc, SIMD_DATA_SHIFT, 1); + uint32_t neg_imag = extract32(desc, SIMD_DATA_SHIFT + 1, 1); + intptr_t index = extract32(desc, SIMD_DATA_SHIFT + 2, 2); + uint32_t neg_real = flip ^ neg_imag; + intptr_t elements = opr_sz / sizeof(float32); + intptr_t eltspersegment = 16 / sizeof(float32); // This should be fixed; + intptr_t i, j; + + ... 
+} +```""" +reproduce = """1. Write `test.c`. +``` +#include <stdint.h> +#include <stdio.h> +#include <string.h> + +// zero inputs should produce zero output +char i_D4[8] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; +char i_D8[8] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; +char i_D30[8] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; +char i_D31[8] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; // this should never be touched +char o_D30[8]; +char o_D31[8]; + +void __attribute__ ((noinline)) show_state() { + printf("D30: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", o_D30[i]); + } + printf("\\n"); + printf("D31: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", o_D31[i]); + } + printf("\\n"); +} + +void __attribute__ ((noinline)) run() { + __asm__ ( + "movw r7, #:lower16:i_D4\\n" + "movt r7, #:upper16:i_D4\\n" + "vldr d4, [r7]\\n" + "movw r7, #:lower16:i_D8\\n" + "movt r7, #:upper16:i_D8\\n" + "vldr d8, [r7]\\n" + "movw r7, #:lower16:i_D30\\n" + "movt r7, #:upper16:i_D30\\n" + "vldr d30, [r7]\\n" + "movw r7, #:lower16:i_D31\\n" + "movt r7, #:upper16:i_D31\\n" + "vldr d31, [r7]\\n" + "adr r7, Lbl_thumb + 1\\n" + "bx r7\\n" + ".thumb\\n" + "Lbl_thumb:\\n" + ".inst 0xfed8e804\\n" // vcmla.f32 d30, d8, d4[0], #90 + "adr r7, Lbl_arm\\n" + "bx r7\\n" + ".arm\\n" + "Lbl_arm:\\n" + "movw r7, #:lower16:o_D30\\n" + "movt r7, #:upper16:o_D30\\n" + "vstr d30, [r7]\\n" + "movw r7, #:lower16:o_D31\\n" + "movt r7, #:upper16:o_D31\\n" + "vstr d31, [r7]\\n" + ); +} + +int main(int argc, char **argv) { + run(); + show_state(); + return 0; +} +``` +2. Compile `test.bin` using this command: `arm-linux-gnueabihf-gcc-12 -O2 -no-pie -marm -march=armv7-a+vfpv4 ./test.c -o ./test.bin`. +3. Run QEMU using this command: `qemu-arm -L /usr/arm-linux-gnueabihf/ ./test.bin`. +4. The program, runs on top of the buggy QEMU, prints the value of D31 as `00 00 c0 7f 00 00 c0 7f`. It should print `ff ff ff ff ff ff ff ff` after the bug is fixed.""" +additional = """""" 
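Review bot: `guest-arch = "ARM"` here versus `"aarch64"`, `"Aarch64"`, `"AArch64"`, `"arm64"` and `"arm"` in neighbouring records: the value is the reporter's free text from the issue template, so any grouping or filtering on it will split one architecture across half a dozen spellings. Keep the raw string if fidelity matters, but add a normalised field (or normalise in the importer) with a fixed vocabulary such as `arm` / `aarch64`.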
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2419.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2419.toml new file mode 100644 index 00000000..abf5ff8a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2419.toml @@ -0,0 +1,26 @@ +id = 2419 +title = "ldapr_stlr_i instructions doesn't consider signed offset" +state = "closed" +created_at = "2024-07-02T13:05:24.359Z" +closed_at = "2024-07-19T01:20:04.204Z" +labels = ["accel: TCG", "kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2419" +host-os = "Linux" +host-arch = "ARM" +qemu-version = "8.1.3" +guest-os = "Linux" +guest-arch = "ARM" +description = """The format ldapr_stlr_i models the load acquire / store release immediate instructions. \\ +These instructions has a bug in the sign extension calculation of the imm field. \\ +imm should be defined as s9 instead of 9. + +@ldapr_stlr_i .. ...... .. . imm:9 .. rn:5 rt:5 &ldapr_stlr_i + +Should be changed to: + +@ldapr_stlr_i .. ...... .. . imm:s9 .. rn:5 rt:5 &ldapr_stlr_i""" +reproduce = """1. Run ARM target +2. Generate any ldapr_stlr_i instructions (for example: LDAPUR) +3. When the imm value is negative, the immediate calculation is done wrong. In case the calculation leads to an undefined location, QEMU will fail.""" +additional = """In trans_LDAPR_i (translate-a64.c), when imm field is negative, the value of a->imm will be 512-x instead of x. \\ +I already fixed the issue by adding the s9 to the imm field. This made a call to sextend32 for imm instead of extend32 in the generated file build/libqemu-aarch64-softmmu.fa.p/decode-a64.c.inc""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2432.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2432.toml new file mode 100644 index 00000000..02204473 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2432.toml 
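Review bot: the `\\` at the end of `+These instructions has a bug in the sign extension calculation of the imm field. \\` shows that issue bodies pass through TOML basic-string escaping: the reporter's markdown hard break (a trailing backslash) had to be doubled to survive, as did every `\\n` in the inline assembly of the earlier test cases. Any body containing a backslash sequence outside TOML's escape set (`\b \t \n \f \r \" \\ \uXXXX \UXXXXXXXX`) will make the whole file unparseable, so the importer should either escape exhaustively and carry a parse test over the corpus, or emit literal multi-line strings (`'''...'''`), which need no escaping unless the body itself contains `'''`.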
@@ -0,0 +1,82 @@ +id = 2432 +title = "Bug in bcm2835_thermal interface" +state = "closed" +created_at = "2024-07-09T11:20:41.120Z" +closed_at = "2024-07-15T11:07:22.687Z" +labels = ["accel: TCG", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2432" +host-os = "Ubuntu 22.04.4 LTS" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 9.0.50 (v9.0.0-1733-g3f044554b9)" +guest-os = "Baremetal Application" +guest-arch = "Aarch64" +description = """Stack traces, crash detail: +``` +#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737230841344) at ./nptl/pthread_kill.c:44 +#1 __pthread_kill_internal (signo=6, threadid=140737230841344) at ./nptl/pthread_kill.c:78 +#2 __GI___pthread_kill (threadid=140737230841344, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 +#3 0x00007ffff5042476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 +#4 0x00007ffff50287f3 in __GI_abort () at ./stdlib/abort.c:79 +#5 0x00007ffff6f0eb57 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#6 0x00007ffff6f6870f in g_assertion_message_expr () at /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#7 0x0000555555d642a6 in bcm2835_thermal_write (opaque=0x7ffff0a475b0, addr=2, value=0, size=2) + at ../hw/misc/bcm2835_thermal.c:76 +#8 0x0000555556c4a119 in memory_region_write_accessor + (mr=0x7ffff0a478e0, addr=2, value=0x7fffffffd250, size=2, shift=0, mask=65535, attrs=...) + at ../system/memory.c:497 +#9 0x0000555556c49da6 in access_with_adjusted_size + (addr=2, value=0x7fffffffd250, size=2, access_size_min=1, access_size_max=4, access_fn=0x555556c49ef0 <memory_region_write_accessor>, mr=0x7ffff0a478e0, attrs=...) at ../system/memory.c:573 +#10 0x0000555556c49395 in memory_region_dispatch_write (mr=0x7ffff0a478e0, addr=2, data=0, op=MO_16, attrs=...) 
+ at ../system/memory.c:1521 +#11 0x0000555556c84e88 in flatview_write_continue_step + (attrs=..., buf=0x7fffffffd470 "", len=512, mr_addr=2, l=0x7fffffffd360, mr=0x7ffff0a478e0) + at ../system/physmem.c:2757 +#12 0x0000555556c84c42 in flatview_write_continue + (fv=0x555559717490, addr=1059135490, attrs=..., ptr=0x7fffffffd470, len=512, mr_addr=2, l=2, mr=0x7ffff0a478e0) at ../system/physmem.c:2787 +#13 0x0000555556c73305 in flatview_write + (fv=0x555559717490, addr=1059135490, attrs=..., buf=0x7fffffffd470, len=512) at ../system/physmem.c:2818 +#14 0x0000555556c73179 in address_space_write +--Type <RET> for more, q to quit, c to continue without paging--c + (as=0x5555598056f0, addr=1059135490, attrs=..., buf=0x7fffffffd470, len=512) at ../system/physmem.c:2938 +#15 0x0000555556c735df in address_space_set (as=0x5555598056f0, addr=1059135490, c=0 '\\000', len=2025625, attrs=...) at ../system/physmem.c:2965 +#16 0x0000555555a95b66 in rom_reset (unused=0x0) at ../hw/core/loader.c:1284 +#17 0x0000555555ab872d in legacy_reset_hold (obj=0x5555598069b0, type=RESET_TYPE_COLD) at ../hw/core/reset.c:76 +#18 0x0000555556d7dbf4 in resettable_phase_hold (obj=0x5555598069b0, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:180 +#19 0x0000555556d7d19f in resettable_container_child_foreach (obj=0x5555595573d0, cb=0x555556d7d970 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resetcontainer.c:54 +#20 0x0000555556d7f4a4 in resettable_child_foreach (rc=0x555558b02f50, obj=0x5555595573d0, cb=0x555556d7d970 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:92 +#21 0x0000555556d7da92 in resettable_phase_hold (obj=0x5555595573d0, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:169 +#22 0x0000555556d7d47a in resettable_assert_reset (obj=0x5555595573d0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:58 +#23 0x0000555556d7d2f7 in resettable_reset (obj=0x5555595573d0, type=RESET_TYPE_COLD) at 
../hw/core/resettable.c:45 +#24 0x0000555555ab842e in qemu_devices_reset (reason=SHUTDOWN_CAUSE_NONE) at ../hw/core/reset.c:179 +#25 0x000055555633227d in qemu_system_reset (reason=SHUTDOWN_CAUSE_NONE) at ../system/runstate.c:493 +#26 0x0000555555aa6bd2 in qdev_machine_creation_done () at ../hw/core/machine.c:1643 +#27 0x000055555633679f in qemu_machine_creation_done (errp=0x555558587ee0 <error_fatal>) at ../system/vl.c:2685 +#28 0x0000555556335ffd in qmp_x_exit_preconfig (errp=0x555558587ee0 <error_fatal>) at ../system/vl.c:2715 +#29 0x000055555633bfe4 in qemu_init (argc=9, argv=0x7fffffffdc68) at ../system/vl.c:3759 +#30 0x0000555556d6eea2 in main (argc=9, argv=0x7fffffffdc68) at ../system/main.c:47 +``` +Description: +I encountered a part of the code during QEMU execution that shouldn't have been reached, which led to an error. + +Crash detail: +``` +ERROR:../hw/misc/bcm2835_thermal.c:76:bcm2835_thermal_write: code should not be reached +Bail out! ERROR:../hw/misc/bcm2835_thermal.c:76:bcm2835_thermal_write: code should not be reached +Aborted +``` + +Malicious inputs: +Malicious input is attached as tar.gz archive to this file, it contains file name id:000017,sig:06,src:000428,time:48261741,execs:1725363,op:havoc,rep:8 +[malicious_input.tar.gz](/uploads/fcf47faafb59308cfdb04b3e81e788f3/malicious_input.tar.gz) + +Affected code area/snippet: + +qemu/hw/misc/bcm2835_thermal.c:bcm2835_thermal_write + + +Acknowledge for reporting this issue: +Alisher Darmenov (darmenovalisher@gmail.com), +Mohamadreza Rostami (mohamadreza.rostami@trust.tu-darmstadt.de), +Ahmad-Reza Sadeghi (ahmad.sadeghi@trust.tu-darmstadt.de)""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2542.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2542.toml new file mode 100644 index 00000000..4139edd8 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2542.toml 
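Review bot: the attachment link `[malicious_input.tar.gz](/uploads/fcf47faafb59308cfdb04b3e81e788f3/malicious_input.tar.gz)` is project-relative and does not resolve from the TOML on its own, yet that fuzz input is the only reproducer this record has (`reproduce = "n/a"`). Rewrite upload paths to absolute URLs based on the project part of `url`, or fetch the artifact into the repository next to the record, so the abort in `bcm2835_thermal_write` can actually be replayed from the dataset.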
@@ -0,0 +1,15 @@ +id = 2542 +title = "qemu-system-arm failure with picolibc tests since 59754f85ed35cbd5f4bf2663ca2136c78d5b2413" +state = "closed" +created_at = "2024-08-28T11:55:53.076Z" +closed_at = "2024-08-30T04:12:34.096Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2542" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2568.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2568.toml new file mode 100644 index 00000000..8730e412 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2568.toml @@ -0,0 +1,15 @@ +id = 2568 +title = "[AARCH64] HPFAR_EL2.NS not set for non secure read in S-EL1" +state = "opened" +created_at = "2024-09-11T07:19:49.202Z" +closed_at = "n/a" +labels = ["accel: TCG", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2568" +host-os = "Ubuntu" +host-arch = "x86_64" +qemu-version = "7b87a25f49a301d3377f3e71e0b4a62540c6f6e4 (Thu Sep 5 13:02:26 2024 +0100)" +guest-os = "n/a" +guest-arch = "AArch64" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2585.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2585.toml new file mode 100644 index 00000000..42397435 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2585.toml 
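Review bot: both records on this line are title-only, with `description`, `reproduce` and `additional` all `"n/a"`, and 2568 also carries `closed_at = "n/a"` because it is still open. `"n/a"` is doing two jobs: "the issue has no such section" and "the importer did not capture the body" (2542's title cites commit 59754f85ed35cbd5f4bf2663ca2136c78d5b2413 and plainly had a body). Omit keys that do not apply (`closed_at` on open issues) and use an explicit marker, or a re-fetch list, for records whose body was not captured.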
@@ -0,0 +1,19 @@ +id = 2585 +title = "qemu-system-arm highmem support broken with TCG" +state = "closed" +created_at = "2024-09-23T06:17:54.581Z" +closed_at = "2024-11-01T15:55:23.465Z" +labels = ["accel: TCG", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2585" +host-os = "Debian 12" +host-arch = "arm64" +qemu-version = "7.2 through 9.1" +guest-os = "Debian 12" +guest-arch = "arm" +description = "n/a" +reproduce = "n/a" +additional = """I initially bisected this to commit 39a1fd25287f ("target/arm: Fix handling of LPAE block descriptors"), which introduced an identical bug by masking the wrong address bits due to a type mismatch, but this was in turn fixed by commit c2360eaa0262 ("target/arm: Fix qemu-system-arm handling of LPAE block descriptors for highmem"). The bug resurfaced between qemu-7.1.0 and qemu-7.2.0 after commit f3639a64f602 ("target/arm: Use softmmu tlbs for page table walking"), but may be caused by the preceding 4a35855682ce ("target/arm: Plumb debug into S1Translate") which fails to boot for an unrelated reason. + +I reproduced this on qemu-7.2 as shipped by Debian as well as on qemu-9.1 (built locally). + +Part of this problem appeared to be hidden by the 'highmem=on' argument not having the intended effect during parts of the bisection, which I worked around by overriding the 'pa_bits' variable in machvirt_init().""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2601.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2601.toml new file mode 100644 index 00000000..b2a02fdb --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2601.toml 
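Review bot: `description = "n/a"` and `reproduce = "n/a"` while `additional` holds the whole bisection narrative (`+additional = """I initially bisected this to commit 39a1fd25287f ...`) looks like the template-section splitter matched only one heading in this issue. Worth checking this record against the live issue and, if the body did have description and reproduction sections, fixing the heading matcher before the rest of the corpus is trusted.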
@@ -0,0 +1,44 @@ +id = 2601 +title = "Executing LD1SB + MTE on Arm64 fails an assert" +state = "closed" +created_at = "2024-10-01T12:51:00.831Z" +closed_at = "2024-11-16T21:18:19.612Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2601" +host-os = "CentOS Linux release 8.5.2111" +host-arch = "x86" +qemu-version = "8.1.3" +guest-os = "bare-metal" +guest-arch = "aarch64" +description = """I'm getting +``` +qemu-system-aarch64: ../tcg/tcg-op-gvec.c:91: simd_desc: Assertion `data == sextract32(data, 0, (32 - ((0 + 8) + 2)))' failed. +``` +This is caused by the upper bits of `data` being set to 1, which violates the condition.""" +reproduce = """1. build QEMU with assertions enabled (e.g., `configure --enable-debug-tcg`). +2. have a `LD1SB f{z25.d}, p3/z, [x14, x9]` (binary a5894dd9) instruction in the executed code. +3. enable mte +4. Let QEMU execute the ld1sb instruction.""" +additional = """{width=699 height=141} + +This issue happens because for ld1sb, nregs=0 in `sve.decode`: +``` +# SVE contiguous load (scalar plus scalar) +LD_zprr 1010010 .... ..... 010 ... ..... ..... @rprr_load_dt nreg=0 +``` +As a result, in do_mem_zpa is called with n_reg=0, which becomes mte_n inside do_mem_zpa. +Since mte_n==0, and mte_active, then +```c +desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (mte_n << msz) - 1); +``` +sets (0) - 1 == -1 to the field, which also sets the upper bits of `desc`. +The `desc` with upper bits set to 1 is used to call: +```c +desc = simd_desc(vsz, vsz, zt | desc); +``` +Inside `simd_desc`, the last parameter is named `data` and it fails the assertion: +```c +tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS)) +``` + +#""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/271.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/271.toml new file mode 100644 index 00000000..c6ad4a34 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/271.toml 
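Review bot: `+additional = """{width=699 height=141}` and the trailing `+#"""` are residue of the issue's markdown: the `![...](/uploads/...)` image reference was dropped and only its attribute block survived, and the closing `#` is an empty heading. Either keep the full image link (the screenshot is the reporter's evidence for the assertion) or strip the residue in the importer; as committed it reads as part of the text.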
@@ -0,0 +1,15 @@ +id = 271 +title = "ARM cpu emulation regression on QEMU 4.2.0" +state = "opened" +created_at = "2021-05-11T05:38:17.293Z" +closed_at = "n/a" +labels = ["Launchpad", "accel: TCG", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/271" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2823.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2823.toml new file mode 100644 index 00000000..e9cc17cc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2823.toml 
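Review bot: the `Launchpad` label marks an issue migrated from the old tracker, so `created_at = "2021-05-11T05:38:17.293Z"` is most likely the GitLab import date rather than when the QEMU 4.2.0 regression was first reported; the same applies to 317 further down. If the importer can reach the original Launchpad filing date, record it in a separate field; otherwise state in the schema that `created_at` on Launchpad-labelled records is the import date.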
@@ -0,0 +1,51 @@ +id = 2823 +title = "func-aarch64-aarch64_rme_virt function test hangs especially when built with --enable-debug" +state = "closed" +created_at = "2025-02-20T20:22:45.519Z" +closed_at = "2025-04-04T17:07:31.690Z" +labels = ["Tests", "accel: TCG", "kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2823" +host-os = "Debian Bookworm" +host-arch = "x86" +qemu-version = "v9.2.0-1890-g9ed37826a9" +guest-os = "Linux" +guest-arch = "arm64" +description = """""" +reproduce = """1. Build with ../../configure --enable-debug +2. ./pyvenv/bin/meson test --setup thorough --suite func-thorough func-aarch64-aarch64_rme_virt +3. repeat until hang""" +additional = """Comparing a normal build to the hang: + +``` +2025-02-20 16:54:15,519: NOTICE: Booting Trusted Firmware | 2025-02-20 16:16:06,740: NOTICE: Booting Trusted Firmware +2025-02-20 16:54:15,519: NOTICE: BL1: v2.11.0(release):f2f94 | 2025-02-20 16:16:06,740: NOTICE: BL1: v2.11.0(release):f2f94 +2025-02-20 16:54:15,519: NOTICE: BL1: Built : 17:54:58, Dec | 2025-02-20 16:16:06,740: NOTICE: BL1: Built : 17:54:58, Dec +2025-02-20 16:54:15,520: NOTICE: BL1: Booting BL2 | 2025-02-20 16:16:06,741: NOTICE: BL1: Booting BL2 +2025-02-20 16:54:15,522: NOTICE: BL2: v2.11.0(release):f2f94 | 2025-02-20 16:16:06,743: NOTICE: BL2: v2.11.0(release):f2f94 +2025-02-20 16:54:15,522: NOTICE: BL2: Built : 17:55:12, Dec | 2025-02-20 16:16:06,743: NOTICE: BL2: Built : 17:55:12, Dec +2025-02-20 16:54:15,545: NOTICE: BL2: Booting BL31 | 2025-02-20 16:16:06,762: NOTICE: BL2: Booting BL31 +2025-02-20 16:54:15,550: NOTICE: BL31: v2.11.0(release):f2f9 | 2025-02-20 16:16:06,768: NOTICE: BL31: v2.11.0(release):f2f9 +2025-02-20 16:54:15,550: NOTICE: BL31: Built : 17:55:22, Dec | 2025-02-20 16:16:06,768: NOTICE: BL31: Built : 17:55:22, Dec +2025-02-20 16:54:15,555: Booting RMM v.0.5.0(release) 1b6bdf8 | 2025-02-20 16:16:06,774: Booting RMM v.0.5.0(release) 1b6bdf8 +2025-02-20 
16:54:15,556: RMM-EL3 Interface v.0.4 | 2025-02-20 16:16:06,774: RMM-EL3 Interface v.0.4 +2025-02-20 16:54:15,556: Boot Manifest Interface v.0.3 | 2025-02-20 16:16:06,775: Boot Manifest Interface v.0.3 +2025-02-20 16:54:15,556: RMI/RSI ABI v.1.0/1.0 built: Dec 2 | 2025-02-20 16:16:06,775: RMI/RSI ABI v.1.0/1.0 built: Dec 2 +2025-02-20 16:54:15,587: UEFI firmware (version built at 17: | 2025-02-20 16:16:06,837: UEFI firmware (version built at 17: +2025-02-20 16:54:15,876: ESC[2JESC[01;01HESC[=3hESC[2JESC[01;01HESC[2JESC[01;01HESC[= | 2025-02-20 16:16:07,420: ESC[2JESC[01;01HESC[=3hESC[2JESC[01;01HESC[2JESC[01;01HESC[= +2025-02-20 16:54:15,898: EFI stub: Using DTB from configurati | 2025-02-20 16:16:07,421: +2025-02-20 16:54:15,898: EFI stub: Exiting boot services... | 2025-02-20 16:16:07,421: +2025-02-20 16:54:16,170: [ 0.000000] Booting Linux on phys | 2025-02-20 16:16:07,421: Synchronous Exception at 0x00000000B +2025-02-20 16:54:16,171: [ 0.000000] Linux version 6.12.0- | 2025-02-20 16:16:07,421: +2025-02-20 16:54:16,171: [ 0.000000] KASLR enabled | 2025-02-20 16:16:07,421: +2025-02-20 16:54:16,171: [ 0.000000] random: crng init don | 2025-02-20 16:16:07,421: Synchronous Exception at 0x00000000B +2025-02-20 16:54:16,171: [ 0.000000] Machine model: linux, < +2025-02-20 16:54:16,171: [ 0.000000] efi: EFI v2.7 by EDK < +2025-02-20 16:54:16,171: [ 0.000000] efi: SMBIOS=0xbf3c000 < +2025-02-20 16:54:16,171: [ 0.000000] OF: reserved mem: 0x0 < +2025-02-20 16:54:16,171: [ 0.000000] NUMA: Faking a node a < +2025-02-20 16:54:16,171: [ 0.000000] NODE_DATA(0) allocate < +2025-02-20 16:54:16,171: [ 0.000000] Zone ranges: < +2025-02-20 16:54:16,171: [ 0.000000] DMA [mem 0x000 < +2025-02-20 16:54:16,171: [ 0.000000] DMA32 empty < +2025-02-20 16:54:16,171: [ 0.000000] Normal empty < +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/2942.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/2942.toml new file mode 100644 index 00000000..f73af96c --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_TCG/2942.toml 
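Review bot: the side-by-side log in `additional` was captured at terminal width, so every line is cut at a fixed column (`NOTICE: BL1: v2.11.0(release):f2f94 |`, `Synchronous Exception at 0x00000000B`) and the faulting address in the hang case is lost, which is the one value a reader would want. This record also leaves `description = """"""` empty. If reproducibility is the goal, link the full console logs from the meson test output rather than the truncated diff.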
@@ -0,0 +1,73 @@ +id = 2942 +title = "arm: TCG debug assertion failure when handling an ISB or SB insn inside an IT block" +state = "closed" +created_at = "2025-04-30T11:08:01.143Z" +closed_at = "2025-05-07T20:09:30.546Z" +labels = ["accel: TCG", "kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2942" +host-os = "Arch Linux" +host-arch = "x86_64" +qemu-version = "10.0.0" +guest-os = "-" +guest-arch = "ARM" +description = """ARM thumb `IT` instruction triggers TCG debug asserts. + +``` +$ ./qemu-system-arm --version +QEMU emulator version 10.0.0 (v10.0.0) + +$ ./qemu-system-arm -M stm32vldiscovery -nographic -device loader,file=raw-it-bug.hex -d in_asm,exec +[...] +Trace 0: 0x72a584000800 [00800400/0000000000000164/00000110/ff020000] +---------------- +IN: +0x00000108: f000 f80a bl #0x120 + +Trace 0: 0x72a584000940 [00800400/0000000000000108/00000110/ff020000] +qemu-system-arm: ../tcg/tcg-op.c:3343: void tcg_gen_goto_tb(unsigned int): Assertion `(tcg_ctx->goto_tb_issue_mask & (1 << idx)) == 0' failed. +``` + +Expected behavior: +``` +$ qemu-system-arm -M stm32vldiscovery -device loader,file=raw-hardfault.hex -d in_asm,exec,int +[...] 
+Trace 0: 0x7df6dc000800 [00800400/0000000000000164/00000110/ff020000] +---------------- +IN: +0x00000108: f000 f80a bl #0x120 + +Trace 0: 0x7df6dc000940 [00800400/0000000000000108/00000110/ff020000] +---------------- +IN: +0x00000120: 2302 movs r3, #2 +0x00000122: bf00 nop +0x00000124: f04f 25e0 mov.w r5, #-0x1fff2000 +0x00000128: f8d5 1d10 ldr.w r1, [r5, #0xd10] +0x0000012c: f041 0014 orr r0, r1, #0x14 +0x00000130: f8c5 0d10 str.w r0, [r5, #0xd10] +0x00000134: f8d5 0200 ldr.w r0, [r5, #0x200] +0x00000138: f8d5 6100 ldr.w r6, [r5, #0x100] +0x0000013c: 4206 tst r6, r0 +0x0000013e: bf02 ittt eq +0x00000140: f3bf 8f4f dsbeq sy +0x00000144: bf20 wfeeq + +Linking TBs 0x7df6dc000940 index 0 -> 0x7df6dc000a80 +Trace 0: 0x7df6dc000a80 [00800400/0000000000000120/00000110/ff020000] +[...] +Trace 0: 0x7df6dc001fc0 [00800400/0000000000000170/00000110/ff020000] +Taking exception 3 [Prefetch Abort] on CPU 0 +...at fault address 0xdeadbeee +...with CFSR.IACCVIOL +...BusFault with BFSR.STKERR +...taking pending nonsecure exception 3 +...loading from element 3 of non-secure vector table at 0xc +...loaded new PC 0x111 +---------------- +IN: +0x00000110: e7fe b #0x110 +```""" +reproduce = """1. Build QEMU with `CONFIG_DEBUG_TCG` enabled, e.g. with `./configure --enable-debug`. +1. Run Cortex-M firmware with `IT` instruction. (minimal example attached)""" +additional = """- Minimal Reproducer: [raw-it-bug.hex](/uploads/3ae30ab78f49bbc933e48c51f6bf2a2b/raw-it-bug.hex) +- Reproduced on `main`, `v10.0.0` and `v9.1.0`.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/317.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/317.toml new file mode 100644 index 00000000..e6b56ed1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/317.toml 
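Review bot: `guest-os = "-"` is a third spelling of "not applicable" next to `"n/a"` and `""""""`. More important for reproduction: the expected-behaviour trace in the description was produced from `raw-hardfault.hex`, while `additional` links only `raw-it-bug.hex` (again as a relative `/uploads/...` path), so the comparison baseline is not in the dataset and the one reproducer that is referenced cannot be fetched from the record alone.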
@@ -0,0 +1,15 @@ +id = 317 +title = "synchronous abort on accessing unused I/O ports on aarch64" +state = "closed" +created_at = "2021-05-15T14:03:57.314Z" +closed_at = "2021-06-13T15:15:36.576Z" +labels = ["Launchpad", "TestCase", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/317" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/333.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/333.toml new file mode 100644 index 00000000..44e1d291 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/333.toml @@ -0,0 +1,15 @@ +id = 333 +title = "random errors on aarch64 when executing __aarch64_cas8_acq_rel" +state = "opened" +created_at = "2021-05-17T15:42:50.677Z" +closed_at = "n/a" +labels = ["accel: TCG", "kind::Bug", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/333" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/364.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/364.toml new file mode 100644 index 00000000..75118a84 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/364.toml @@ -0,0 +1,15 @@ +id = 364 +title = "qemu-aarch64: incorrect signed comparison in ldsmax instructions" +state = "closed" +created_at = "2021-05-28T13:43:37.894Z" +closed_at = "2021-06-03T20:25:31.211Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/364" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/367.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/367.toml new file mode 100644 index 00000000..a69d374c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/367.toml @@ -0,0 +1,15 @@ +id = 367 +title = "qemu-system-aarch64 crash on qemu 6.0 - Windows 10" +state = "closed" +created_at = "2021-05-29T08:39:27.180Z" +closed_at = "2021-06-22T13:36:35.175Z" +labels = ["accel: TCG", "hostos: Windows", "kind::Bug", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/367" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/381.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/381.toml new file mode 100644 index 00000000..3cf1c7e5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/381.toml @@ -0,0 +1,15 @@ +id = 381 +title = "ERROR:target/arm/translate-a64.c:13229:disas_simd_two_reg_misc_fp16: code should not be reached" +state = "closed" +created_at = "2021-06-01T06:33:36.167Z" +closed_at = "2021-06-16T19:16:45.203Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/381" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/385.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/385.toml new file mode 100644 index 00000000..d73fb9a8 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/385.toml 
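Review bot: `host-os = "n/a"` for 367 although its labels carry `hostos: Windows`; the label set already encodes host information that the body fields lack for these title-only records. The importer could back-fill `host-os`/`host-arch` from `hostos:` and `host:` labels (marking the provenance, since label values and template values are not the same vocabulary) instead of leaving them at `"n/a"`.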
@@ -0,0 +1,15 @@ +id = 385 +title = "ARM user regression since 87b74e8b6edd287ea2160caa0ebea725fa8f1ca1" +state = "closed" +created_at = "2021-06-02T14:23:28.538Z" +closed_at = "2021-09-15T13:51:51.282Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/385" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/403.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/403.toml new file mode 100644 index 00000000..5e6ba83f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/403.toml @@ -0,0 +1,15 @@ +id = 403 +title = "MTE false positives for unaligned accesses" +state = "closed" +created_at = "2021-06-10T02:28:33.055Z" +closed_at = "2021-06-16T19:16:45.227Z" +labels = ["Closed::Fixed", "TestCase", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/403" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/503.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/503.toml new file mode 100644 index 00000000..bcc998ab --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/503.toml @@ -0,0 +1,15 @@ +id = 503 +title = "QEMU aarch64 Segmentation fault on Mac OSX, machine raspi3" +state = "closed" +created_at = "2021-07-26T09:45:57.110Z" +closed_at = "2021-08-02T13:52:18.432Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/503" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/514.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/514.toml new file mode 100644 index 00000000..a0e4d976 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/514.toml 
@@ -0,0 +1,33 @@ +id = 514 +title = "MTE reports false positive for \"str\" instruction with the SP as the base register." +state = "closed" +created_at = "2021-08-04T17:17:17.140Z" +closed_at = "2021-09-07T15:05:49.630Z" +labels = ["Closed::Invalid", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/514" +host-os = "Android" +host-arch = "ARM" +qemu-version = "QEMU emulator version 6.0.0" +guest-os = "Android" +guest-arch = "ARM" +description = """When PE executes "sp"-based store instruction with offset I got tag check fault exception. But according to arm spec. load or store that uses "sp" register should generate Tag Unchecked access.""" +reproduce = """Clang version: clang version 12.0.1. +I compiled my code using "-target aarch64-linux -march=armv8+memtag -fsanitize=memtag" for Clang. Clang generates following code: +``` +0000000000000c14 <test_func>: + c14: a9bc7bfd stp x29, x30, [sp, #-64]! + c18: f9000bf7 str x23, [sp, #16] + ... +``` +Whole stack was mapped in translation tables as Tagged memory."SCTLR" register was configured to trigger synchronous exception on tag mismatch. +When cpu executes firs instruction "stp x29, x30, [sp, #-64]!" I got tag check fault exception: "0b010001 When FEAT_MTE is implemented Synchronous Tag Check Fault": +ESR_EL1=0x96000051. + +According to ARM specification load or store that uses "sp" register should generate Tag Unchecked access: +``` +A Tag Unchecked access will be generated for a load or store that uses either of the following: +• A base register only, with the SP as the base register. +• A base register plus immediate offset addressing form, with the SP as the base register. +``` +Looks like qemu erroneously generates tag mismatch exceptions for SP-based loads and stores with immediate offset.""" +additional = """""" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/60.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/60.toml new file mode 100644 index 00000000..f5c316b6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/60.toml @@ -0,0 +1,15 @@ +id = 60 +title = "qemu-system-aarch64 (tcg): cval + voff overflow not handled, causes qemu to hang" +state = "closed" +created_at = "2021-05-01T05:30:41.322Z" +closed_at = "2023-11-28T23:12:55.744Z" +labels = ["Closed::Fixed", "Launchpad", "Tests", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/60" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/734.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/734.toml new file mode 100644 index 00000000..7845a826 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/734.toml 
@@ -0,0 +1,36 @@ +id = 734 +title = "aarch64 tlb range invalidate is not accurate" +state = "closed" +created_at = "2021-11-18T07:58:24.759Z" +closed_at = "2021-12-15T20:11:57.280Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/734" +host-os = "Ubuntu 20.04" +host-arch = "x86_64" +qemu-version = "6.1.9.0 (v6.2.0-rc0)" +guest-os = "N/A" +guest-arch = "aarch64" +description = """In this (https://gitlab.com/qemu-project/qemu/-/commit/84940ed82552d3c7c7327c83076b02cee7978257) commit, tlb range invalidate support is added, and I think qemu's range calculation is wrong. + +In `tlbi_aa64_range_get_length` function, `num`, `scale`, `page_size_granule` is caculated as below. + + +``` + num = extract64(value, 39, 4); + scale = extract64(value, 44, 2); + page_size_granule = extract64(value, 46, 2); + + page_shift = page_size_granule * 2 + 12; +``` + +As [Arm documentation](https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Instructions/TLBI-RVALE1--TLBI-RVALE1NXS--TLB-Range-Invalidate-by-VA--Last-level--EL1), NUM bits's length is 5, but the code above only extract 4bits. + +And `page_shift` also should be calculated as `(page_size_granule-1) <<1) + 12` rather than `page_size_granule * 2 + 12`.""" +reproduce = """1. +2. +3.""" +additional = """I found this issue while debugging a phenomenon that kernel panic occurs randomly in my qemu fork. + +I'm pretty sure this is one of the causes, but even if I roughly correct it, my problem has not been solved. + +I think my problem is TLB invalidate related issue, so if I find any more problems, I'll comment here.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/735.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/735.toml new file mode 100644 index 00000000..e2fc9850 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/735.toml 
@@ -0,0 +1,36 @@ +id = 735 +title = "softmmu 'at' not behaving" +state = "closed" +created_at = "2021-11-18T11:31:26.857Z" +closed_at = "2021-11-22T07:21:07.425Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/735" +host-os = "Ubuntu 20" +host-arch = "x86-64" +qemu-version = "6.1.0" +guest-os = "Ubuntu 18" +guest-arch = "aarch64" +description = """This looks like a bug to me, please correct if I'm wrong. The execution context is EL2 here and we run KVM vms on top of the system emulation. Anyway, here we have stopped in the EL2 and want to translate a virtual address '0' with 'at'. While the '0' itself is not mapped, something in the first gigabyte is, and the softmmu refuses to walk to it: + +0x0000000100004a3c <at_s12e1r+8>: 80 78 0c d5 at s12e1r, x0 +0x0000000100004a40 <at_s12e1r+12>: 01 74 38 d5 mrs x1, par_el1 + +(gdb) info registers x0 x1 +x0 0x0 0 +x1 0x809 2057 + +So that would be translation fault level 0, stage 1 if I'm not mistaken. + +(gdb) info all-registers TCR_EL1 VTCR_EL2 TTBR1_EL1 +TCR_EL1 0x400035b5503510 18014629184681232 +VTCR_EL2 0x623590 6436240 +TTBR1_EL1 0x304000041731001 217298683118686209 + +(gdb) p print_table(0x41731000) +000:0x000000ffff9803 256:0x000000fffff803 507:0x00000041fbc803 +508:0x000000ff9ef803 + +The first gigabyte is populated, yet the 'at' knows nothing about it. Did I miss something? This seems to be working fine on the hardware.""" +reproduce = """1. Stop in the EL2 while the linux is running (GDB) +2. Use something along the lines of this function to translate any kernel virtual address: https://github.com/jkrh/kvms/blob/4c26c786be9971613b3b7f56121c1a1aa3b9585a/core/helpers.h#L74""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/788.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/788.toml new file mode 100644 index 00000000..30a3c6bd --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/788.toml 
@@ -0,0 +1,15 @@ +id = 788 +title = "FEAT_PAuth trapping behaviour incorrectly emulated on Secure-EL0/1 with Secure-EL2 disabled" +state = "closed" +created_at = "2021-12-20T15:23:40.192Z" +closed_at = "2022-03-19T10:09:12.517Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/788" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/790.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/790.toml new file mode 100644 index 00000000..305526a2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/790.toml @@ -0,0 +1,15 @@ +id = 790 +title = "Attribute bits in stage 1/stage 2 block descriptors are not fully masked during AArch64 page table walks" +state = "closed" +created_at = "2021-12-22T16:08:49.057Z" +closed_at = "2022-03-19T10:09:12.526Z" +labels = ["accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/790" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/799.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/799.toml new file mode 100644 index 00000000..faac7cd2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/799.toml 
@@ -0,0 +1,55 @@ +id = 799 +title = "TCG Optimizer crashes on AArch64 SVE2 instruction" +state = "closed" +created_at = "2022-01-03T10:35:06.082Z" +closed_at = "2022-01-05T02:53:01.437Z" +labels = ["Closed::Fixed", "Stable::to backport", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/799" +host-os = "Fedora 35" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 6.2.0 (v6.2.0) + QEMU latest master" +guest-os = "None" +guest-arch = "ARM aarch64" +description = """QEMU crashes due to an assertion in the TCG optimizer when optimizing an SVE2 instruction: +``` +Unrecognized operation 145 in do_constant_folding. +../tcg/optimize.c:458: tcg fatal error +```""" +reproduce = """1. Compile the following minimized reproducer: (a pre-compiled image is provided for convenience - [reproducer.img](/uploads/0bddbfac55306a297fee59dd2f6923cf/reproducer.img)) +```asm +.org 0x0 +entry: + mrs x1, cptr_el3 + orr x9, x1, #0x100 + msr cptr_el3, x9 + + msr cptr_el2, xzr + + mov x1, #0x3 + mrs x9, cpacr_el1 + bfi x9, x1, #16, #2 + bfi x9, x1, #20, #2 + msr cpacr_el1, x9 + + mov x9, 512 + mov x0, x9 + asr x0, x0, 7 + sub x9, x0, #1 + msr zcr_el1, x9 + + mov x9, 512 + mov x0, x9 + asr x0, x0, 7 + sub x9, x0, #1 + msr zcr_el2, x9 + + mov x9, 512 + mov x0, x9 + asr x0, x0, 7 + sub x9, x0, #1 + msr zcr_el3, x9 + + uqxtnt z11.s, z22.d +``` +2. Execute it using the command line given above.""" +additional = """I tested latest master as well, and the problem persists.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/826.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/826.toml new file mode 100644 index 00000000..53697a33 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/826.toml 
@@ -0,0 +1,26 @@ +id = 826 +title = "AArch64 SVE2 LDNT1SB (vector plus scalar) load address incorrectly calculated" +state = "closed" +created_at = "2022-01-18T14:30:58.249Z" +closed_at = "2022-03-19T10:09:12.541Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/826" +host-os = "n/a" +host-arch = "AArch64" +qemu-version = "version 6.2.0" +guest-os = "n/a" +guest-arch = "AArch64" +description = """During execution of the following SVE2 instruction: +`ldnt1sb {z6.d}, p3/z, [z14.d, x9]` +with the following register state: +``` +(gdb) p $p3 +$1 = {0x7, 0x0, 0x74, 0x0, 0x43, 0x0, 0x29, 0x0, 0x47, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x47, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x66, 0xe4, 0x64, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20, 0x11, 0x31, 0x1, 0x0, 0x0, 0x0, 0x0, 0x20, 0x11, 0x31, 0x1, 0x0, 0x0, 0x0, 0x0, 0xb0, 0x8b, 0x49, 0x34, 0xfc, 0x7f, 0x0, 0x0, 0xe0, 0x71, 0x30, 0x1, 0x0, 0x0, 0x0, 0x0} +(gdb) p $z14.d.u +$2 = {0x3bdeaa30, 0x3bdeaa33, 0x3bdeaa36, 0x3bdeaa39, 0x3bdeaa3c, 0x3bdeaa3f, 0x3bdeaa42, 0x3bdeaa45} +(gdb) p $x9 +$3 = 0x0 +``` +QEMU produces a data abort due to an address fault on address `0x5EE45E4E`, which it clearly should not have tried to load.""" +reproduce = "n/a" +additional = """A quick look at the implementation of the LDNT1SB instruction in QEMU points to the following commit: https://gitlab.com/qemu-project/qemu/-/commit/cf327449816d5643106445420a0b06b0f38d4f01 which simply redirects to SVE's LD1SB handler. As these instructions use a new flavor of SVE scatter/gather loads (vector plus scalar) which SVE LD1SB does not support, I wonder if the LD1SB handler simply decodes it as the wrong instruction and treats it as a (scalar plus vector) instruction, which LD1SB does support, but whose address calculation is completely different.""" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/840.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/840.toml new file mode 100644 index 00000000..9686ed35 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/840.toml @@ -0,0 +1,18 @@ +id = 840 +title = "When O2 level is enabled raspi3b board crash randomly when creating abuffer of a differnt size" +state = "closed" +created_at = "2022-01-25T18:12:44.413Z" +closed_at = "2022-10-31T15:39:49.010Z" +labels = ["Closed::Duplicate", "accel: TCG", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/840" +host-os = "Arch Linux 22.1.2" +host-arch = "x86_64" +qemu-version = "6.2.0" +guest-os = "Custom" +guest-arch = "ARM64" +description = """Sometimes when running the code creating a framebuffer different from the default size ej:1024x768 qemu hangs and crash with a SIGV, making a weird screen that's painted with the original size and the background of the current window merged onto a large window. This happens when you resize a window without updating it's contents, so qemu is crashing before the first frame after reising the window.""" +reproduce = """1. Create a producedure similar to the one descrived below +2. Run qemu with O2 enabled(debuggind disabled) +3. You may need to run it multiple times to see the bug(like two or three times)""" +additional = """Here is the example procedure implemented on rust, the mailbox interface is test and it's sure that the procedure it's well implemented: +[code.rs](/uploads/a28fe33a856fb843d80ffeb078bc6729/code.rs)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/876.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/876.toml new file mode 100644 index 00000000..231fd139 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/876.toml 
@@ -0,0 +1,44 @@ +id = 876 +title = "snek-arm fails on s390x with qemu >6.1" +state = "closed" +created_at = "2022-02-15T12:57:47.721Z" +closed_at = "2022-03-01T19:43:10.320Z" +labels = ["Closed::Fixed", "accel: TCG", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/876" +host-os = "Tried Ubuntu 22.04 or Fedora 35 so far" +host-arch = "s390x" +qemu-version = "6.2" +guest-os = "snek elf file" +guest-arch = "ARM" +description = """snek is a language inspired by python for embedded. The tests run snek code natively (in this case on s390x) as well as in python3 as well as emulated for arm. +The latter is what fails... + +the Ubuntu testing has spotted this in: + +- https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/s390x/s/snek/20220211_065108_2144a@/log.gz +- https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/s390x/s/snek/20220212_050524_3b7ee@/log.gz +- https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/s390x/s/snek/20220214_080226_46968@/log.gz + +In there all work, but one test fails reproducible, that is `test/pass-slice.py` + +When eliminating the automation in makefiles and all that it comes down to: +``` +$ qemu-system-arm -chardev stdio,mux=on,id=stdio0 -serial none -monitor none -semihosting-config enable=on,chardev=stdio0,arg='snek',arg=test/pass-slice.py -machine mps2-an385,accel=tcg -cpu cortex-m3 -kernel /usr/share/snek/snek-qemu-arm-1.7.elf -nographic -bios none +fail: [::-5] (model 'o' impl '') +``` + +To be clear: +- the test for python3 works on all platforms +- the test for snek-native works on all platforms +- the test for snek-arm work on all platforms except s390x +- with qemu 6.0 this worked, but the more recent qemu 6.2 makes it fail +- only some subtests of pass-slice.py fail (see below) + +I've gone into some details for the snek side of things in [the bug report there](https://github.com/keith-packard/snek/issues/58).""" +reproduce = """1. get an s390x system +2. 
get the snek elf file for arm +3. run qemu-system-arm as shown above + +P.S. I tried this on latest head (building qemu in an F35 container) and it fails there as well, hence I'm listing commit 2d88a3a595 as affected as well. +We know 6.0 was ok, so likely 6.0->6.1 brought the issue, I have not yet checked if a bisect is feasible for this.""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/890.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/890.toml new file mode 100644 index 00000000..878010dc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/890.toml @@ -0,0 +1,15 @@ +id = 890 +title = "Misinterpretation of arm neon invalid insn" +state = "closed" +created_at = "2022-03-03T02:16:25.004Z" +closed_at = "2022-03-08T17:08:40.681Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/890" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/910.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/910.toml new file mode 100644 index 00000000..42a1806a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/910.toml @@ -0,0 +1,15 @@ +id = 910 +title = "Black screen in qemu 6.2 with wayland, weston, gtk, virgl, ivi shell, Aarch64" +state = "opened" +created_at = "2022-03-15T15:11:45.775Z" +closed_at = "n/a" +labels = ["accel: TCG", "device:graphics", "device:virtio", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/910" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/925.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/925.toml new file mode 100644 index 00000000..b7174c4f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/925.toml 
@@ -0,0 +1,28 @@ +id = 925 +title = "AArch64 SVE2 LD/ST instructions segfault on MMIO addresses" +state = "closed" +created_at = "2022-03-21T15:55:15.875Z" +closed_at = "2022-03-26T10:19:10.583Z" +labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/925" +host-os = "n/a" +host-arch = "AArch64" +qemu-version = "version 6.2.0" +guest-os = "n/a" +guest-arch = "AArch64" +description = """During execution of the following SVE2 instruction: `ld1b {z9.s}, p2/z, [x17, z26.s, sxtw]` with the following register state: +``` +(gdb) p $x17 +$1 = 0xffffffe2 +(gdb) p $z26.s.u +$2 = {0x0 <repeats 16 times>} +(gdb) p $p2 +$3 = {0xc4, 0x0, 0x9d, 0x0, 0xe5, 0x0, 0x83, 0x0, 0x80, 0xce, 0x3f, 0x3, 0x0, 0x0, 0x0, 0x0, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x56, 0x1a, 0x6e, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0xd8, 0x96, 0xee, 0xfc, 0x7f, 0x0, 0x0, 0x50, 0xce, 0x94, 0x1, 0x0, 0x0, 0x0, 0x0, 0xf0, 0xd8, 0x96, 0xee, 0xfc, 0x7f, 0x0, 0x0, 0x10, 0x38, 0x40, 0x3, 0x0, 0x0, 0x0, 0x0} +``` +QEMU segfaults due to a null pointer access. Note that after translation this address is an MMIO address that points to a UART device.""" +reproduce = "n/a" +additional = """A quick look at the implementation of the SVE2 load/store host memory access functions I've noticed that the `TLB_MMIO` flag is ignored in `sve_probe_page`, which means that users use the (null) host address as if it was pointing to real memory. This function (or the ones above it) should (probably) throw the appropriate external data abort, otherwise this needs to be instrumented to support reading from MMIO mapped devices. + +<details><summary>Reproducer seed for my future self</summary> +S6008340160849309262|Q|cd4t|pq|w5|lK124 +</details>""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/953.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/953.toml new file mode 100644 index 00000000..b2f2f5c1 --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_TCG/953.toml @@ -0,0 +1,15 @@ +id = 953 +title = "qemu-system-aarch64 asserts trying to execute STXP on hosts without HAVE_CMPXCHG128" +state = "closed" +created_at = "2022-03-31T13:04:23.530Z" +closed_at = "2022-04-02T08:35:49.229Z" +labels = ["accel: TCG", "kind::Bug", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/953" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/964.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/964.toml new file mode 100644 index 00000000..2d27a1be --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/964.toml 
@@ -0,0 +1,48 @@ +id = 964 +title = "arm64 defconfig kernel (4.14.275) no longer boots after FEAT_LPA implementation in TCG" +state = "closed" +created_at = "2022-04-05T20:46:15.389Z" +closed_at = "2022-04-06T17:43:52.052Z" +labels = ["Closed::Invalid", "accel: TCG", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/964" +host-os = "Arch Linux" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 6.2.92 (v7.0.0-rc2-62-gf53faa70bb)" +guest-os = "Linux (simple rootfs from Buildroot)" +guest-arch = "arm64" +description = """I am not really sure if this is a bug or merely a scenario where this is not expected to work. After 7a928f43d8724bdf0777d7fc67a5ad973a0bf4bf, the attached `Image.gz` (`ARCH=arm64 defconfig`, based on the latest `linux-4.14.y`) just hangs with no output when using `-cpu max` (or `-cpu max,lpa2=off` due to 69b2265d5fe8e0f401d75e175e0a243a7d505e53). At 0af312b6edd231e1c8d0dec12494a80bc39ac761, `-cpu max` works just fine, as shown by the bisect log below. 
+ +``` +$ git bisect log +# bad: [99eb313ddbbcf73c1adcdadceba1423b691c6d05] ui/cocoa: Use the standard about panel +# good: [44f28df24767cf9dca1ddc9b23157737c4cbb645] Update version for v6.2.0 release +git bisect start '99eb313ddbbcf73c1adcdadceba1423b691c6d05' 'v6.2.0' +# good: [2fc1b44dd0e7ea9ad5920352fd04179e4d6836d9] target/riscv: rvv-1.0: Allow Zve32f extension to be turned on +git bisect good 2fc1b44dd0e7ea9ad5920352fd04179e4d6836d9 +# good: [e64e27d5cb103b7764f1a05b6eda7e7fedd517c5] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread +git bisect good e64e27d5cb103b7764f1a05b6eda7e7fedd517c5 +# good: [747ffe28cad7129e1d326d943228fdcbe109530d] pnv/xive2: Add support XIVE2 P9-compat mode (or Gen1) +git bisect good 747ffe28cad7129e1d326d943228fdcbe109530d +# bad: [4377683df969e715e3cb2dbd258e44f9ff51f788] edid: Fix clock of Detailed Timing Descriptor +git bisect bad 4377683df969e715e3cb2dbd258e44f9ff51f788 +# good: [755e8d7cb6ce2ba62d282ffbb367de391fe0cc3d] migration: Move static var in ram_block_from_stream() into global +git bisect good 755e8d7cb6ce2ba62d282ffbb367de391fe0cc3d +# bad: [6629bf78aac7e53f83fd0bcbdbe322e2302dfd1f] Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20220302' into staging +git bisect bad 6629bf78aac7e53f83fd0bcbdbe322e2302dfd1f +# good: [0af312b6edd231e1c8d0dec12494a80bc39ac761] target/arm: Implement FEAT_LVA +git bisect good 0af312b6edd231e1c8d0dec12494a80bc39ac761 +# bad: [dc8bc9d6574aa563ed2fcc0ff495e77a2a2a8faa] target/arm: Report KVM's actual PSCI version to guest in dtb +git bisect bad dc8bc9d6574aa563ed2fcc0ff495e77a2a2a8faa +# bad: [d976de218c534735e307fc4a6c03e3ae764fd419] target/arm: Fix TLBIRange.base for 16k and 64k pages +git bisect bad d976de218c534735e307fc4a6c03e3ae764fd419 +# bad: [13e481c9335582fc7eed12e24e8d4d7068b24ff8] target/arm: Extend arm_fi_to_lfsc to level -1 +git bisect bad 13e481c9335582fc7eed12e24e8d4d7068b24ff8 +# bad: [7a928f43d8724bdf0777d7fc67a5ad973a0bf4bf] 
target/arm: Implement FEAT_LPA +git bisect bad 7a928f43d8724bdf0777d7fc67a5ad973a0bf4bf +# first bad commit: [7a928f43d8724bdf0777d7fc67a5ad973a0bf4bf] target/arm: Implement FEAT_LPA +``` + +A `4.19.237` kernel boots right up with `-cpu max`/`-cpu max,lpa2=off`. Is this expected behavior given the age of the kernel or is there something else going on here? If this is expected, should we be using something like `-cpu cortex-a72` for these older kernels?""" +reproduce = """Run the above command with the attached `Image.gz` and `rootfs.cpio`.""" +additional = """[Image.gz](/uploads/7b25b70f210354663b8e391290d3f39c/Image.gz) +[rootfs.cpio](/uploads/4793be1a500bdf615e212d3379c4c175/rootfs.cpio)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_TCG/998.toml b/gitlab/issues/target_arm/host_missing/accel_TCG/998.toml new file mode 100644 index 00000000..3e10d3df --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_TCG/998.toml 
@@ -0,0 +1,70 @@ +id = 998 +title = "AArch64: SCTLR_EL1.BT0 set incorrectly in user mode" +state = "closed" +created_at = "2022-04-22T15:22:46.821Z" +closed_at = "2022-05-05T17:53:48.578Z" +labels = ["Closed::Fixed", "accel: TCG", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/998" +host-os = "Ubuntu 20.04" +host-arch = "ARM" +qemu-version = "v7.0.0-rc4" +guest-os = "Fedora 34" +guest-arch = "ARM" +description = """PACIASP normally acts as a BTI landing pad, but not in every situation. When SCTLR_EL1.BT is set, PACIASP checks that the indirect branch originates from X16 or X17 when the indirect branch is taken from a BTI guarded area. Linux sets this bit, ideally QEMU-user should too. This sample program should crash with a SIGILL if QEMU is working correctly, otherwise it will crash with a SIGSEGV. + + #include <stdint.h> + #include <stdlib.h> + #include <unistd.h> + #include <string.h> + #include <stdio.h> + #include <sys/mman.h> + + // PACIASP is a valid BTI landing pad, but there are some conditions + // under Linux which sets SCTLR_ELx.BT0 = 1. In this mode, a branch + // onto a PACIASP landing pad is only valid if it originates from + // x16 or x17 (i.e. br x17 is OK, br x3 is not). + // More info on page D5-4851 of the Arm Architecture Reference Manual (ARM DDI 0487H.a). + + // Sample function which starts with a paciasp instruction + // (comes from -mbranch-protection=pac-ret+leaf) + void indirect_fn(int i) { + // paciasp instruction inserted here - should crash with SIGILL here if everything's operating OK. + i = i+1; + // Can't access this function from the copied location, so will segfault. + fprintf(stderr, "reachable\\n"); + } + + int main(int argc, char **argv) { + // It's difficult to get a whole binary BTI compatible without the appropriate crtbegin etc + // so instead map a page and copy the sample function there. 
+ void *e = mmap(0, getpagesize(), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (e == MAP_FAILED) { + return 1; + } + memcpy(e, (void*)indirect_fn, 64); + mprotect(e, getpagesize(), PROT_READ | PROT_EXEC | PROT_BTI); + + // paciasp is a valid landing pad if the branch comes from an unprotected area, + // so to ensure that we're protected - assemble an intermediate shim that's also PROT_BTI. + void *f = mmap(0, getpagesize(), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (f == MAP_FAILED) { + return 1; + } + uint32_t *x = (uint32_t*)f; + x[0] = 0xd503245fuL; // bti c + x[1] = 0xd61f0060uL; // br x1 - n.b. must be BR + mprotect(f, getpagesize(), PROT_READ | PROT_EXEC | PROT_BTI); + + // Jump to the shim + asm volatile ( + "mov x3, %0\\n" + "mov x2, %1\\n" + "blr x2\\n" + : : "p"(e), "p"(f) : "x2", "x3"); + + // Execution should not reach here + return 1; + }""" +reproduce = """1. Compile with `clang-12 -g --sysroot=/work/home/fedora-rootfs/fedora_aarch64 -o sample --target=aarch64-linux-gnu -mbranch-protection=pac-ret+leaf -march=armv8-a -O1 -g sample.c` or similar. +2. Run with `../qemu/build/qemu-aarch64 --cpu max -L ~/fedora-rootfs/fedora_aarch64 sample`""" +additional = """n/a""" diff --git a/gitlab/issues/target_arm/host_missing/accel_Xen/2174.toml b/gitlab/issues/target_arm/host_missing/accel_Xen/2174.toml new file mode 100644 index 00000000..c4cd98ef --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_Xen/2174.toml @@ -0,0 +1,15 @@ +id = 2174 +title = "XenBus machines have almost no hotplug support" +state = "opened" +created_at = "2024-02-16T19:31:30.059Z" +closed_at = "n/a" +labels = ["accel: Xen", "kind::Bug", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2174" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1039.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1039.toml new file mode 100644 index 00000000..efb1e9c4 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1039.toml @@ -0,0 +1,15 @@ +id = 1039 +title = "Building qemu in MSYS2 clangarm64" +state = "opened" +created_at = "2022-05-26T16:01:17.017Z" +closed_at = "n/a" +labels = ["hostos: Windows", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1039" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/105.toml b/gitlab/issues/target_arm/host_missing/accel_missing/105.toml new file mode 100644 index 00000000..ec522b79 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/105.toml @@ -0,0 +1,15 @@ +id = 105 +title = "Gdb hangs when trying to single-step after an invalid instruction" +state = "closed" +created_at = "2021-05-03T16:40:45.010Z" +closed_at = "2021-11-19T16:46:58.916Z" +labels = ["GDB", "Launchpad", "kind::Bug", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/105" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1056.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1056.toml new file mode 100644 index 00000000..c6f967fc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1056.toml 
@@ -0,0 +1,15 @@ +id = 1056 +title = "Bad Performance of Windows 11 ARM64 VM on Windows 11 Qemu 7.0 Host System" +state = "opened" +created_at = "2022-06-02T17:44:20.000Z" +closed_at = "n/a" +labels = ["hostos: Windows", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1056" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1078.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1078.toml new file mode 100644 index 00000000..0b48653b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1078.toml 
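Review bot: 1056.toml records `qemu-version = "n/a"` and `host-os = "n/a"` even though its own title reads "Bad Performance of Windows 11 ARM64 VM on Windows 11 Qemu 7.0 Host System" and the labels carry `hostos: Windows`; when the template fields are empty the capture should fall back to the `hostos:` label for `host-os` and, where the title is unambiguous, to the title for the version, instead of emitting "n/a" for a value the same record states two lines above.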
@@ -0,0 +1,52 @@ +id = 1078 +title = "qemu-system-arm: unable to use LPAE" +state = "closed" +created_at = "2022-06-16T11:56:50.844Z" +closed_at = "2022-06-27T22:55:20.002Z" +labels = ["Closed::Fixed", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1078" +host-os = "Ubuntu 18.04.6 LTS" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 7.0.50 (v7.0.0-1865-g9ac873a469-dirty)" +guest-os = "irrelevant" +guest-arch = "qemuarm cortex-a15" +description = """Failed to run qemu: qemu-system-arm: Addressing limited to 32 bits, +but memory exceeds it by 1073741824 bytes""" +reproduce = """1. ./configure --target-list=arm-softmmu +2. make +3. +./qemu-system-arm \\ +-machine virt,highmem=on \\ +-cpu cortex-a15 -smp 4 \\ +-m 4096 \\ +-kernel ./zImage \\ +-drive id=disk0,file=./rootfs.ext4,if=none,format=raw \\ +-object rng-random,filename=/dev/urandom,id=rng0 \\ +-device virtio-rng-pci,rng=rng0 \\ +-device virtio-blk-device,drive=disk0 \\ +-device virtio-gpu-pci \\ +-serial mon:stdio -serial null \\ +-nographic \\ +-append 'root=/dev/vda rw mem=4096M ip=dhcp console=ttyAMA0 console=hvc0'""" +additional = """We set physical address bits to 40 if ARM_FEATURE_LPAE is enabled. But ARM_FEATURE_V7VE also implies ARM_FEATURE_LPAE as set later in arm_cpu_realizefn. + +We should add condition for ARM_FEATURE_V7VE, otherwise we would not be able to use highmem larger than 3GB even though we have enabled highmem, since we would fail and return right from machvirt_init. + +I have already made a patch to fix this issue. 
+https://gitlab.com/realhezhe/qemu/-/commit/4dad8167c1c1a7695af88d8929e8d7f6399177de +`hw/arm/virt.c` +```c + if (object_property_get_bool(cpuobj, "aarch64", NULL)) { + pa_bits = arm_pamax(armcpu); + } else if (arm_feature(&armcpu->env, ARM_FEATURE_LPAE)) { + } else if (arm_feature(&armcpu->env, ARM_FEATURE_LPAE) + || arm_feature(&armcpu->env, ARM_FEATURE_V7VE)) { + /* v7 with LPAE */ + pa_bits = 40; + } else { +``` + +After applying the patch, I can make sure that the pa_bits has already been set to 40, but qemu hangs later. By bisecting I found if the following commit is reverted qemu can boot up successfully.. +39a1fd2528 ("target/arm: Fix handling of LPAE block descriptors") + +It can't be quickly determined what's going on here at my side. Maybe the author can help give some hints. Thanks.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1103.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1103.toml new file mode 100644 index 00000000..7fba0014 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1103.toml @@ -0,0 +1,15 @@ +id = 1103 +title = "VTCR fields are not checked when building parameters for aarch64 secure EL2 page table walk" +state = "closed" +created_at = "2022-07-12T09:25:33.359Z" +closed_at = "2022-07-18T16:47:38.092Z" +labels = ["target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1103" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1104.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1104.toml new file mode 100644 index 00000000..88abdfcb --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1104.toml 
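Review bot: the ```c block captured into `additional` of 1078.toml contains two consecutive `} else if (arm_feature(&armcpu->env, ARM_FEATURE_LPAE)) {` heads, the first with an empty body, immediately followed by the `|| arm_feature(&armcpu->env, ARM_FEATURE_V7VE)) {` variant; that is the reporter's before/after diff with its `-`/`+` prefixes lost on capture, so as stored the snippet is neither valid C nor a readable patch and does not say which line is old and which is new. Re-capture the block as a ```diff fence, or mark it as lossy and treat the linked `realhezhe/qemu` commit URL as the authoritative source.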
@@ -0,0 +1,15 @@ +id = 1104 +title = "PAN support for AArch32" +state = "closed" +created_at = "2022-07-12T11:31:44.412Z" +closed_at = "2023-03-14T16:41:13.735Z" +labels = ["target: arm", "workflow::Confirmed"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1104" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1105.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1105.toml new file mode 100644 index 00000000..0bf486fe --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1105.toml @@ -0,0 +1,15 @@ +id = 1105 +title = "QEMU gdbstub should support PAC for aarch64" +state = "closed" +created_at = "2022-07-13T16:57:31.491Z" +closed_at = "2023-03-07T12:41:14.371Z" +labels = ["Closed::Fixed", "GDB", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1105" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """The fix should probably be in gdbstub.c""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1109.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1109.toml new file mode 100644 index 00000000..867764ce --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1109.toml 
@@ -0,0 +1,52 @@ +id = 1109 +title = "rpi3b frame buffer segfault" +state = "opened" +created_at = "2022-07-16T19:08:53.271Z" +closed_at = "n/a" +labels = ["GUI", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1109" +host-os = "Ubuntu 20.04" +host-arch = "x86 (64-bit)" +qemu-version = "QEMU emulator version 7.0.50 (v7.0.0-2578-g0ebf76aae5-dirty)" +guest-os = "Raspberry Pi 3b bare metal" +guest-arch = "aarch64 (ARM 64 bit)" +description = """I'm compiling a series of bare metal Raspberry Pi labs for the RPi 3B. One particular lab that I tried to compile and run, which makes use of the framebuffer, causes QEMU to segfault when trying to draw to the framebuffer. It looks like the value of `dst` passed into `draw_line_s16` is bogus and this causes the segfault. I'm not familiar enough with the code in QEMU to immediately know why `dst` is bogus. + +The lab I'm trying to run (the code compiled to `kernel8.img`) is here: https://github.com/bztsrc/raspi3-tutorial/tree/master/09_framebuffer + +A gdb stacktrace of the segfault is here: + +``` +Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault. 
+0x00005555559580c0 in rgb_to_pixel32 (b=<optimized out>, g=<optimized out>, r=<optimized out>) + at /home/rhett/qemu/include/ui/pixel_ops.h:46 +46\t return (r << 16) | (g << 8) | b; +(gdb) bt +#0 0x00005555559580c0 in rgb_to_pixel32 (b=<optimized out>, g=<optimized out>, r=<optimized out>) + at /home/rhett/qemu/include/ui/pixel_ops.h:46 +#1 draw_line_src16 + (opaque=opaque@entry=0x7fffe84d1c30, dst=dst@entry=0x7fffe8235010 <error: Cannot access memory at address 0x7fffe8235010>, src=0x7fff94300004 "", src@entry=0x7fff94300000 "", width=639, width@entry=640, deststep=deststep@entry=0) at ../hw/display/bcm2835_fb.c:131 +#2 0x0000555555953977 in framebuffer_update_display + (ds=<optimized out>, mem_section=<optimized out>, cols=640, rows=480, src_width=1280, dest_row_pitch=2560, dest_col_pitch=0, invalidate=1, fn=0x555555957fe0 <draw_line_src16>, opaque=0x7fffe84d1c30, first_row=0x7fffffffdb90, last_row=0x7fffffffdb94) + at ../hw/display/framebuffer.c:107 +#3 0x0000555555957eeb in fb_update_display (opaque=0x7fffe84d1c30) at ../hw/display/bcm2835_fb.c:203 +#4 0x00005555558a9146 in graphic_hw_update (con=0x555556b9bc00) at ../ui/console.c:230 +#5 0x00005555558a7fea in dpy_refresh (s=0x5555571c6aa0) at ../ui/console.c:1842 +#6 gui_update (opaque=opaque@entry=0x5555571c6aa0) at ../ui/console.c:165 +#7 0x0000555556068ecd in timerlist_run_timers (timer_list=0x555556b15350) at ../util/qemu-timer.c:576 +#8 timerlist_run_timers (timer_list=0x555556b15350) at ../util/qemu-timer.c:501 +#9 0x00005555560690c0 in qemu_clock_run_timers (type=<optimized out>) at ../util/qemu-timer.c:672 +#10 qemu_clock_run_all_timers () at ../util/qemu-timer.c:672 +#11 0x0000555556064bf6 in main_loop_wait (nonblocking=nonblocking@entry=0) at ../util/main-loop.c:607 +#12 0x0000555555b0a4f9 in qemu_main_loop () at ../softmmu/runstate.c:726 +#13 0x000055555589ec74 in qemu_main (envp=0x0, argv=<optimized out>, argc=<optimized out>) at ../softmmu/main.c:36 +#14 main (argc=<optimized out>, 
argv=<optimized out>) at ../softmmu/main.c:45 +```""" +reproduce = """1. Clone the git repo for the labs I linked above +2. `cd raspi3-tutorial/09_framebuffer` +3. `make` +4. `make run` +5. Segfault + +I have found this on QEMU 5.2, QEMU 7.0, and the bleeding edge of the github repo""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1121.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1121.toml new file mode 100644 index 00000000..d7ff6e5d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1121.toml 
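Review bot: 1109.toml is filed under `host_missing/accel_missing/` although the record itself carries `host-os = "Ubuntu 20.04"` and `host-arch = "x86 (64-bit)"`; the directory bucket is evidently derived from the `host:*` / `accel:*` labels only (2174 lands in `accel_Xen` on the strength of its `accel: Xen` label), not from the fields, so either document that the path reflects labels and nothing else, or derive the bucket from the fields when no label is present, otherwise "host missing" is simply false for this record and for neighbours such as 1078 (`host-arch = "x86_64"`). Normalising the `host-arch` spellings seen in this commit ("x86 (64-bit)", "x86_64", "x86-64 (...)", "(X86)") to one token is a prerequisite for that derivation.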
@@ -0,0 +1,78 @@ +id = 1121 +title = "Segmentation fault in aspeed-hace" +state = "opened" +created_at = "2022-07-28T06:42:52.316Z" +closed_at = "n/a" +labels = ["target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1121" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """""" +reproduce = """1. run qemu-machine nf5280m7-bmc +2. it will seg falult when load fitimage""" +additional = """Captured by gdb + +``` +0x00007ffff6e08a06 in has_padding (pad_offset=<synthetic pointer>, total_msg_len=<synthetic pointer>, req_len=17, total_req_len=56476, iov=0x7ffff5e973c0) at ../hw/misc/aspeed_hace.c:129 +129\t if (padding[*pad_offset] == 0x80) { +(gdb) p padding_size +$1 = 45 +(gdb) p *padding_offset +No symbol "padding_offset" in current context. +(gdb) p *pad_offset +$2 = 4294967268 +(gdb) bt +#0 0x00007ffff6e08a06 in has_padding (pad_offset=<synthetic pointer>, total_msg_len=<synthetic pointer>, req_len=17, total_req_len=56476, + iov=0x7ffff5e973c0) at ../hw/misc/aspeed_hace.c:129 +#1 gen_acc_mode_iov (cache=0x7ffff7fd5600 <iov_cache>, total_req_len=0x7ffff7fd55e4 <total_len>, count=0x7ffff7fd55e0 <count>, + req_len=0x7ffff5e973a8, id=<optimized out>, iov=0x7ffff5e973b0) at ../hw/misc/aspeed_hace.c:176 +#2 do_hash_operation (s=s@entry=0x7ffff60077b0, algo=3, sg_mode=sg_mode@entry=true, acc_mode=acc_mode@entry=true) + at ../hw/misc/aspeed_hace.c:235 +#3 0x00007ffff6e09001 in aspeed_hace_write (opaque=<optimized out>, addr=12, data=262488, size=<optimized out>) + at ../hw/misc/aspeed_hace.c:372 +#4 0x00007ffff706ad54 in memory_region_write_accessor (mr=mr@entry=0x7ffff6007ad0, addr=48, value=value@entry=0x7ffff5e98548, + size=size@entry=4, shift=<optimized out>, mask=mask@entry=4294967295, attrs=...) 
at ../softmmu/memory.c:492 +#5 0x00007ffff7068266 in access_with_adjusted_size_aligned (addr=addr@entry=48, value=value@entry=0x7ffff5e98548, size=size@entry=4, + access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=0x7ffff706acd0 <memory_region_write_accessor>, + mr=0x7ffff6007ad0, attrs=...) at ../softmmu/memory.c:553 +#6 0x00007ffff706c948 in memory_region_dispatch_write (mr=mr@entry=0x7ffff6007ad0, addr=addr@entry=48, data=<optimized out>, + data@entry=262488, op=op@entry=MO_32, attrs=...) at ../softmmu/memory.c:1650 +#7 0x00007ffff7157ea9 in io_writex (env=env@entry=0x7ffff5fe7f10, iotlbentry=0x7fff6803f200, mmu_idx=mmu_idx@entry=7, val=val@entry=262488, + addr=addr@entry=510459952, retaddr=retaddr@entry=140736149505328, op=MO_32) at ../accel/tcg/cputlb.c:1429 +#8 0x00007ffff715c7dc in store_helper (op=MO_32, retaddr=140736149505328, oi=<optimized out>, val=262488, addr=510459952, + env=0x7ffff5fe7f10) at ../accel/tcg/cputlb.c:2363 +#9 full_le_stl_mmu (env=0x7ffff5fe7f10, addr=<optimized out>, val=262488, oi=<optimized out>, retaddr=140736149505328) + at ../accel/tcg/cputlb.c:2451 +#10 0x00007fffb032c530 in code_gen_buffer () +#11 0x00007ffff714eace in cpu_tb_exec (cpu=cpu@entry=0x7ffff5fde1b0, itb=itb@entry=0x7fffb033e7c0 <code_gen_buffer+3401619>, + tb_exit=tb_exit@entry=0x7ffff5e98c2c) at ../accel/tcg/cpu-exec.c:357 +#12 0x00007ffff714fc68 in cpu_loop_exec_tb (tb_exit=0x7ffff5e98c2c, last_tb=<synthetic pointer>, + tb=0x7fffb033e7c0 <code_gen_buffer+3401619>, cpu=0x7ffff5fde1b0) at ../accel/tcg/cpu-exec.c:847 +#13 cpu_exec (cpu=cpu@entry=0x7ffff5fde1b0) at ../accel/tcg/cpu-exec.c:1006 +#14 0x00007ffff7163d54 in tcg_cpus_exec (cpu=cpu@entry=0x7ffff5fde1b0) at ../accel/tcg/tcg-accel-ops.c:68 +#15 0x00007ffff7163ea7 in mttcg_cpu_thread_fn (arg=arg@entry=0x7ffff5fde1b0) at ../accel/tcg/tcg-accel-ops-mttcg.c:96 +#16 0x00007ffff7344c31 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:556 +#17 0x00007ffff74c74eb in 
start_thread () +#18 0x00007ffff75649c0 in clone3 () +``` +the uboot: https://github.com/openbmc/u-boot/commit/0f245563c2cb3a6b4f1206db4f1a9f0325406094 + +we should remove the hash check, otherwise, the boot will stop at uboot-cli +``` +diff --git a/common/image-fit.c b/common/image-fit.c +index 3c8667f93d..c655b297e5 100644 +--- a/common/image-fit.c ++++ b/common/image-fit.c +@@ -1193,7 +1193,7 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data, + return -1; + } else if (memcmp(value, fit_value, value_len) != 0) { + *err_msgp = "Bad hash value"; +- return -1; ++ return 0; + } + + return 0; +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1122.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1122.toml new file mode 100644 index 00000000..4e20676f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1122.toml 
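Review bot: the u-boot diff stored in `additional` of 1121.toml changes the "Bad hash value" branch of `fit_image_check_hash` from `return -1;` to `return 0;`, which makes FIT image hash verification report success on a mismatch; that is a reporter workaround to get past the HACE crash, not a fix, and because this corpus is meant to be mined the field should say so (or the snippet should be labelled as an integrity-check bypass) so nobody lifts it as a remedy. Separately, `description = """"""` here is an empty string while every other record in this commit uses "n/a" for absent text; pick one representation of "absent" and apply it throughout.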
@@ -0,0 +1,136 @@ +id = 1122 +title = "ARMv7M (Cortex M) NVIC does not make number of priority bits a board/SoC-configurable parameter" +state = "closed" +created_at = "2022-07-29T04:07:35.344Z" +closed_at = "2024-01-12T16:10:28.459Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1122" +host-os = "Linux, MacOS" +host-arch = "ARMv8, x86_64" +qemu-version = "any (>7.0, git)" +guest-os = "FreeRTOS" +guest-arch = "ARMv7M" +description = """In FreeRTOS code for function of `xPortStartScheduler()` in [`main/portable/GCC/ARM_CM4F/port.c`](https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/portable/GCC/ARM_CM4F/port.c#L293) file code sets the value of 0x400 register of NVIC to the maximum bits and expect to read back only maximum priority bits that are supported by the platform. The QEMU code doesn't unset these bits (same 0xff value written is read back): +``` +NVIC: priority [0x400] = 0x00 +NVIC[NS]: [0x400] -> 0x00000000 +NVIC: priority [0x400] = 0xff +NVIC[NS]: [0x400] <- 0x000000ff +nvic_recompute_state NVIC state recomputed: vectpending 0 vectpending_prio 256 exception_prio 256 +NVIC: priority [0x400] = 0x00 +NVIC[NS]: [0x400] -> 0x000000ff +``` +Logging function for reading and writing added in `hw/intc/armv7_nvic.c` like these: +writing: +```c + case 0x400 ... 0x5ef: /* NVIC Priority */ + startvec = (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */ + + for (i = 0; i < size && startvec + i < s->num_irq; i++) { + if (attrs.secure || s->itns[startvec + i]) { + qemu_log("NVIC: priority [0x%03x] = 0x%02llx\\n", offset, (value >> (i * 8)) & 0xff); + set_prio(s, startvec + i, false, (value >> (i * 8)) & 0xff); + } + } + qemu_log("NVIC[%s]: [0x%03x] <- 0x%08llx\\n", attrs.secure ? "S" : "NS", offset, value); + + nvic_irq_update(s); + goto exit_ok; +``` +reading: +```c + case 0x400 ... 
0x5ef: /* NVIC Priority */ + val = 0; + startvec = offset - 0x400 + NVIC_FIRST_IRQ; /* vector # */ + + // TODO: should return either 0x70 or 0x78 + for (i = 0; i < size && startvec + i < s->num_irq; i++) { + qemu_log("NVIC: priority [0x%03x] = 0x%02x\\n", offset, 8 * i); + if (attrs.secure || s->itns[startvec + i]) { + val |= s->vectors[startvec + i].prio << (8 * i); + } + } + qemu_log("NVIC[%s]: [0x%03x] -> 0x%08x\\n", attrs.secure ? "S" : "NS", offset, val); + break; +```""" +reproduce = """1. Run FreeRTOS for any ARMv7 Cortex-M platform with NVIC +2. Observe failure to proceed to `prvPortStartFirstTask();` function.""" +additional = """Here is the piece of standard FreeRTOS code that runs that check: +```c + /* configMAX_SYSCALL_INTERRUPT_PRIORITY must not be set to 0. + * See https://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html */ + configASSERT( configMAX_SYSCALL_INTERRUPT_PRIORITY ); + + /* This port can be used on all revisions of the Cortex-M7 core other than + * the r0p1 parts. r0p1 parts should use the port from the + * /source/portable/GCC/ARM_CM7/r0p1 directory. */ + configASSERT( portCPUID != portCORTEX_M7_r0p1_ID ); + configASSERT( portCPUID != portCORTEX_M7_r0p0_ID ); + + #if ( configASSERT_DEFINED == 1 ) + { + volatile uint32_t ulOriginalPriority; + volatile uint8_t * const pucFirstUserPriorityRegister = ( volatile uint8_t * const ) ( portNVIC_IP_REGISTERS_OFFSET_16 + portFIRST_USER_INTERRUPT_NUMBER ); + volatile uint8_t ucMaxPriorityValue; + + /* Determine the maximum priority from which ISR safe FreeRTOS API + * functions can be called. ISR safe functions are those that end in + * "FromISR". FreeRTOS maintains separate thread and ISR API functions to + * ensure interrupt entry is as fast and simple as possible. + * + * Save the interrupt priority value that is about to be clobbered. */ + ulOriginalPriority = *pucFirstUserPriorityRegister; + + /* Determine the number of priority bits available. First write to all + * possible bits. 
*/ + *pucFirstUserPriorityRegister = portMAX_8_BIT_VALUE; + + /* Read the value back to see how many bits stuck. */ + ucMaxPriorityValue = *pucFirstUserPriorityRegister; + + /* Use the same mask on the maximum system call priority. */ + ucMaxSysCallPriority = configMAX_SYSCALL_INTERRUPT_PRIORITY & ucMaxPriorityValue; + + /* Calculate the maximum acceptable priority group value for the number + * of bits read back. */ + ulMaxPRIGROUPValue = portMAX_PRIGROUP_BITS; + + while( ( ucMaxPriorityValue & portTOP_BIT_OF_BYTE ) == portTOP_BIT_OF_BYTE ) + { + ulMaxPRIGROUPValue--; + ucMaxPriorityValue <<= ( uint8_t ) 0x01; + } + + #ifdef __NVIC_PRIO_BITS + { + /* Check the CMSIS configuration that defines the number of + * priority bits matches the number of priority bits actually queried + * from the hardware. */ + configASSERT( ( portMAX_PRIGROUP_BITS - ulMaxPRIGROUPValue ) == __NVIC_PRIO_BITS ); + } + #endif + + #ifdef configPRIO_BITS + { + /* Check the FreeRTOS configuration that defines the number of + * priority bits matches the number of priority bits actually queried + * from the hardware. */ + configASSERT( ( portMAX_PRIGROUP_BITS - ulMaxPRIGROUPValue ) == configPRIO_BITS ); + } + #endif + + /* Shift the priority group value back to its position within the AIRCR + * register. */ + ulMaxPRIGROUPValue <<= portPRIGROUP_SHIFT; + ulMaxPRIGROUPValue &= portPRIORITY_GROUP_MASK; + + /* Restore the clobbered interrupt priority register to its original + * value. */ + *pucFirstUserPriorityRegister = ulOriginalPriority; + } + #endif /* configASSERT_DEFINED */ +``` + +See also these pages: +- https://www.freertos.org/RTOS-Cortex-M3-M4.html +- https://www.freertos.org/freertos-on-qemu-mps2-an385-model.html""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1123.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1123.toml new file mode 100644 index 00000000..9580ef47 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1123.toml 
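Review bot: 1122.toml stores multi-valued answers as free text (`host-os = "Linux, MacOS"`, `host-arch = "ARMv8, x86_64"`, `qemu-version = "any (>7.0, git)"`), so the same field is a single token in other records and a comma-separated list here; if these fields are meant to be filtered on, make them TOML arrays (for example `host-arch = ["ARMv8", "x86_64"]`) or keep one canonical value in the field and the raw template answer in a separate key.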
@@ -0,0 +1,101 @@ +id = 1123 +title = "Xilinx ZynqMP CAN controller logical error - mixed RX and TX channels" +state = "closed" +created_at = "2022-07-29T04:30:43.927Z" +closed_at = "2022-09-26T19:22:44.964Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1123" +host-os = "-" +host-arch = "-" +qemu-version = "any" +guest-os = "anything" +guest-arch = "ARM" +description = """In the code of CAN controller of Xilinx ZynqMP board (`hw/net/can/xlnx-zynqmp-can.c`) in function `update_rx_fifo()` there seems to be a typo or logical error mixing RX and TX buffers: +```c + /* Store the message in fifo if it passed through any of the filters. */ + if (filter_pass && frame->can_dlc <= MAX_DLC) { + + if (fifo32_is_full(&s->rx_fifo)) { + ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOFLW, 1); + } else { + timestamp = CAN_TIMER_MAX - ptimer_get_count(s->can_timer); + + fifo32_push(&s->rx_fifo, frame->can_id); + + fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DLC_DLC_SHIFT, + R_RXFIFO_DLC_DLC_LENGTH, + frame->can_dlc) | + deposit32(0, R_RXFIFO_DLC_RXT_SHIFT, + R_RXFIFO_DLC_RXT_LENGTH, + timestamp)); + + /* First 32 bit of the data. */ + fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA1_DB3_SHIFT, + R_TXFIFO_DATA1_DB3_LENGTH, + frame->data[0]) | + deposit32(0, R_TXFIFO_DATA1_DB2_SHIFT, + R_TXFIFO_DATA1_DB2_LENGTH, + frame->data[1]) | + deposit32(0, R_TXFIFO_DATA1_DB1_SHIFT, + R_TXFIFO_DATA1_DB1_LENGTH, + frame->data[2]) | + deposit32(0, R_TXFIFO_DATA1_DB0_SHIFT, + R_TXFIFO_DATA1_DB0_LENGTH, + frame->data[3])); +```""" +reproduce = "n/a" +additional = """Possible fix: +```diff + git diff 12:29:23 +diff --git a/hw/net/can/xlnx-zynqmp-can.c b/hw/net/can/xlnx-zynqmp-can.c +index 82ac48cee2..e93e6c5e19 100644 +--- a/hw/net/can/xlnx-zynqmp-can.c ++++ b/hw/net/can/xlnx-zynqmp-can.c +@@ -696,30 +696,30 @@ static void update_rx_fifo(XlnxZynqMPCANState *s, const qemu_can_frame *frame) + timestamp)); + + /* First 32 bit of the data. 
*/ +- fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA1_DB3_SHIFT, +- R_TXFIFO_DATA1_DB3_LENGTH, ++ fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DATA1_DB3_SHIFT, ++ R_RXFIFO_DATA1_DB3_LENGTH, + frame->data[0]) | +- deposit32(0, R_TXFIFO_DATA1_DB2_SHIFT, +- R_TXFIFO_DATA1_DB2_LENGTH, ++ deposit32(0, R_RXFIFO_DATA1_DB2_SHIFT, ++ R_RXFIFO_DATA1_DB2_LENGTH, + frame->data[1]) | +- deposit32(0, R_TXFIFO_DATA1_DB1_SHIFT, +- R_TXFIFO_DATA1_DB1_LENGTH, ++ deposit32(0, R_RXFIFO_DATA1_DB1_SHIFT, ++ R_RXFIFO_DATA1_DB1_LENGTH, + frame->data[2]) | +- deposit32(0, R_TXFIFO_DATA1_DB0_SHIFT, +- R_TXFIFO_DATA1_DB0_LENGTH, ++ deposit32(0, R_RXFIFO_DATA1_DB0_SHIFT, ++ R_RXFIFO_DATA1_DB0_LENGTH, + frame->data[3])); + /* Last 32 bit of the data. */ +- fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA2_DB7_SHIFT, +- R_TXFIFO_DATA2_DB7_LENGTH, ++ fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DATA2_DB7_SHIFT, ++ R_RXFIFO_DATA2_DB7_LENGTH, + frame->data[4]) | +- deposit32(0, R_TXFIFO_DATA2_DB6_SHIFT, +- R_TXFIFO_DATA2_DB6_LENGTH, ++ deposit32(0, R_RXFIFO_DATA2_DB6_SHIFT, ++ R_RXFIFO_DATA2_DB6_LENGTH, + frame->data[5]) | +- deposit32(0, R_TXFIFO_DATA2_DB5_SHIFT, +- R_TXFIFO_DATA2_DB5_LENGTH, ++ deposit32(0, R_RXFIFO_DATA2_DB5_SHIFT, ++ R_RXFIFO_DATA2_DB5_LENGTH, + frame->data[6]) | +- deposit32(0, R_TXFIFO_DATA2_DB4_SHIFT, +- R_TXFIFO_DATA2_DB4_LENGTH, ++ deposit32(0, R_RXFIFO_DATA2_DB4_SHIFT, ++ R_RXFIFO_DATA2_DB4_LENGTH, + frame->data[7])); + + ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOK, 1); +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1141.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1141.toml new file mode 100644 index 00000000..bdce2455 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1141.toml 
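Review bot: the ```diff block in `additional` of 1123.toml begins with the line `git diff 12:29:23`, which is the reporter's shell prompt and timestamp rather than part of the patch; strip it (or note that the block is a verbatim terminal paste) so tooling that tries to apply or parse the hunk does not stop at a non-diff first line. The hunk body itself, the eight `R_TXFIFO_DATA1_*`/`R_TXFIFO_DATA2_*` to `R_RXFIFO_*` substitutions for `frame->data[0..7]`, is intact.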
@@ -0,0 +1,18 @@ +id = 1141 +title = "virtio-gpu-gl-pci not working with arm/aarch64" +state = "opened" +created_at = "2022-08-03T17:17:26.365Z" +closed_at = "n/a" +labels = ["device:graphics", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1141" +host-os = "Xubuntu 20.04" +host-arch = "x86-64 (Ryzen 2700x + nVidia GT1030; another host: Ryzen 4700U + integrated VEGA graphics)" +qemu-version = "QEMU emulator version 7.0.50 (v7.0.0-2789-g616a6459d8)" +guest-os = "Debian 11 for arm (looks like any system fail)" +guest-arch = "ARM" +description = """Since migration to using virtio-gpu-gl-pci instead of virtio-gpu-pci (commit 17cdac0b51bc4ad7a68c3e5e0b1718729b74d512, used git-bisect to find the problem) my arm guests fail to load. If I use -device virtio-gpu-gl-pci, I don't get any image on the virtual guest screen. If I use -device virtio-gpu-pci, I can boot the guest and get the image, but GL acceleration is not working. Changing sdl to gtk doesn't help.""" +reproduce = """1. Download debian netinstall boot iso for arm (https://cdimage.debian.org/debian-cd/current/armhf/iso-cd/debian-11.4.0-armhf-netinst.iso) +2. Copy edk2-arm-code.fd and edk2-arm-vars.fd files from build dir. +3. Run command line ```qemu-system-arm -machine virt -m 512 -cdrom debian.iso -device virtio-gpu-gl-pci -display sdl,gl=on,show-cursor=on -pflash edk2-arm-code.fd -pflash edk2-arm-vars.fd```, get a black virtual screen. +4. Run command line ```qemu-system-arm -machine virt -m 512 -cdrom debian.iso -device virtio-gpu-pci -display sdl,gl=on,show-cursor=on -pflash edk2-arm-code.fd -pflash edk2-arm-vars.fd```, get an image on the virtual screen.""" +additional = """I have an x86_64 guest which uses virgl, and it runs fine after 17cdac0b51bc4ad7a68c3e5e0b1718729b74d512 with only changing virtio-gpu-pci to virtio-gpu-gl-pci""" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1145.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1145.toml new file mode 100644 index 00000000..40b6951e --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1145.toml @@ -0,0 +1,39 @@ +id = 1145 +title = "Support register name resolution in debugger part of monitor for `x` commands for ARM platforms" +state = "opened" +created_at = "2022-08-05T03:12:49.714Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1145" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """From the looks of `get_monitor_def()` function from `monitor/misc.c` it seems to be cross-target but somehow still doesn't work for some targets anyway. + +Then grepping for the actual target implementation, it seems only i386, PPC, SPARC, and M68K support it, but nor ARM, MIPS, RISC V, etc: +``` +[i] ℤ rg monitor_defs +target/sparc/monitor.c +59:const MonitorDef monitor_defs[] = { +162:const MonitorDef *target_monitor_defs(void) +164: return monitor_defs; + +target/ppc/monitor.c +86:const MonitorDef monitor_defs[] = { +102:const MonitorDef *target_monitor_defs(void) +104: return monitor_defs; + +target/i386/monitor.c +611:const MonitorDef monitor_defs[] = { +647:const MonitorDef *target_monitor_defs(void) +649: return monitor_defs; + +target/m68k/monitor.c +25:static const MonitorDef monitor_defs[] = { +59:const MonitorDef *target_monitor_defs(void) +61: return monitor_defs; +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1230.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1230.toml new file mode 100644 index 00000000..214e4d52 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1230.toml 
@@ -0,0 +1,33 @@ +id = 1230 +title = "qtest-aarch64/migration-test non-deterministic test failure" +state = "closed" +created_at = "2022-09-26T14:13:46.719Z" +closed_at = "2024-03-15T13:55:08.341Z" +labels = ["Migration", "Tests", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1230" +host-os = "Guix System" +host-arch = "x86_64" +qemu-version = "7.1.0" +guest-os = "n/a" +guest-arch = "n/a" +description = """The test suite fails: +``` +Summary of Failures: + + 32/619 qemu:qtest+qtest-aarch64 / qtest-aarch64/migration-test ERROR 161.19s killed by signal 6 SIGABRT + + +Ok: 552 +Expected Fail: 0 +Fail: 1 +Unexpected Pass: 0 +Skipped: 66 +Timeout: 0 + +Full log written to /tmp/guix-build-qemu-7.1.0.drv-0/qemu-7.1.0/b/qemu/meson-logs/testlog.txt +make: *** [Makefile.mtest:25: do-meson-check] Error 1 +``` + +See the full build log below.""" +reproduce = "n/a" +additional = """[qt60pm4fcc63jcbwfgz86z6cwqgx4zgm-qemu-7.1.0.txt.gz](/uploads/6d7f0da152193213a7fe694e2d535879/qt60pm4fcc63jcbwfgz86z6cwqgx4zgm-qemu-7.1.0.txt.gz)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/124.toml b/gitlab/issues/target_arm/host_missing/accel_missing/124.toml new file mode 100644 index 00000000..16903bda --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/124.toml @@ -0,0 +1,15 @@ +id = 124 +title = "SIGSEGV when reading ARM GIC registers through GDB stub" +state = "opened" +created_at = "2021-05-04T08:04:44.736Z" +closed_at = "n/a" +labels = ["GDB", "Launchpad", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/124" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1245.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1245.toml new file mode 100644 index 00000000..2d7080c8 --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_missing/1245.toml @@ -0,0 +1,15 @@ +id = 1245 +title = "arm: cp15 support" +state = "closed" +created_at = "2022-10-10T09:25:08.865Z" +closed_at = "2022-10-11T14:48:10.573Z" +labels = ["Closed::Invalid", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1245" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1255.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1255.toml new file mode 100644 index 00000000..5f3419d1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1255.toml 
@@ -0,0 +1,19 @@ +id = 1255 +title = "32bit qemu-arm fails to run systemctl \"Allocating guest commpage: Cannot allocate memory\"" +state = "opened" +created_at = "2022-10-14T23:34:25.711Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1255" +host-os = "Debian" +host-arch = "x86" +qemu-version = "7.1.50 (v7.1.0-987-g2ba341b369)" +guest-os = "- OS/kernel version:" +guest-arch = "ARM" +description = """I am using a bare minimal install of the latest 32 bit version of debian with only ssh installed. I have compiled qemu from the latest git with "./configure --target-list=arm-linux-user --static --disable-pie". When I try to run systemctl from the latest version of raspbian, I experience the error: "Allocating guest commpage: Cannot allocate memory".""" +reproduce = """1. Download and extract the included systemctl and required libs. [systemctl+libs.tgz](/uploads/a2834ed651a981fded4bcc19ea9ca31b/systemctl+libs.tgz) +2. run "qemu-arm -L ./ systemctl --version"""" +additional = """- I think this is related to [Issue 690](https://gitlab.com/qemu-project/qemu/-/issues/690). +- When I run "qemu-arm -L ./ -B 0x20000 systemctl --version" there is no error. +- The error still happens when setting vm.mmap_min_addr to 0. +- The error does not occur on v5.0.0, but does occur on v5.1.0 and v6.1.0.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1263.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1263.toml new file mode 100644 index 00000000..fb021b4a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1263.toml 
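Review bot: `guest-os = "- OS/kernel version:"` in 1255.toml is the unfilled template prompt, not a value, and should be captured as absent rather than stored verbatim; likewise `host-arch = "x86"` leaves the 32-/64-bit question open even though the description ("bare minimal install of the latest 32 bit version of debian") answers it. The reproducer archive is stored only as the relative link `(/uploads/a2834ed651a981fded4bcc19ea9ca31b/systemctl+libs.tgz)`, which resolves only against the issue's `url`; expand it to an absolute URL or archive the file alongside the record, since reproduce step 1 depends on it.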
@@ -0,0 +1,15 @@ +id = 1263 +title = "arm/imx EPIT timer interrupt does not fire properly on sabrelight" +state = "closed" +created_at = "2022-10-19T13:56:12.795Z" +closed_at = "2022-10-30T22:27:20.896Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1263" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/127.toml b/gitlab/issues/target_arm/host_missing/accel_missing/127.toml new file mode 100644 index 00000000..edcef1cc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/127.toml @@ -0,0 +1,15 @@ +id = 127 +title = "linux-user missing cmsg IP_PKTINFO support (\"Unsupported ancillary data: 0/8\")" +state = "opened" +created_at = "2021-05-04T08:05:20.061Z" +closed_at = "n/a" +labels = ["Launchpad", "hostos: Linux", "kind::Bug", "linux-user", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/127" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1280.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1280.toml new file mode 100644 index 00000000..cbf56416 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1280.toml 
@@ -0,0 +1,18 @@ +id = 1280 +title = "qemu-system-arm 7.1 can not boot my cortex-m55 image" +state = "closed" +created_at = "2022-10-27T14:13:39.315Z" +closed_at = "2022-11-05T04:14:37.984Z" +labels = ["Regression", "Semihosting", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1280" +host-os = "(Ubuntu 22.04)" +host-arch = "(X86)" +qemu-version = "(QEMU emulator version 7.1.50 (v7.1.0-256-g79dfa177ae))" +guest-os = "(cortex-m55 bare metal)" +guest-arch = "(ARM, cortex-m55.)" +description = "n/a" +reproduce = """``` +1.qemu-system-arm -cpu cortex-m55 -machine mps3-an547 -nographic -vga none -monitor none -semihosting -semihosting-config enable=on,target=native -kernel qemu_simu.elf +2.arm-none-eabi-gdb -ex "target extended-remote localhost:1234" qemu_simu.elf +```""" +additional = """[qemu_simu.tar.gz](/uploads/b8b3bf0f4868fdbb22b19027f685b4f0/qemu_simu.tar.gz)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1297.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1297.toml new file mode 100644 index 00000000..b419d3b7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1297.toml @@ -0,0 +1,15 @@ +id = 1297 +title = "qemu: fatal: Lockup: can't escalate 3 to HardFault (current priority -1)" +state = "closed" +created_at = "2022-11-03T16:36:06.364Z" +closed_at = "2022-11-14T23:33:08.830Z" +labels = ["Closed::Invalid", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1297" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1326.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1326.toml new file mode 100644 index 00000000..bc939d0c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1326.toml 
@@ -0,0 +1,66 @@ +id = 1326 +title = "qemu-system-aarch64: piix3 or ehci usb controller and usb kbd don't work" +state = "closed" +created_at = "2022-11-21T11:50:21.478Z" +closed_at = "2022-12-01T08:10:54.871Z" +labels = ["ACPI", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1326" +host-os = "centos8.4 or centos9-stream" +host-arch = "ARM" +qemu-version = "n/a" +guest-os = "CentOS Linux release 8.4.2105" +guest-arch = "arm" +description = """the usb device initialization failed in vm, and can not input in vnc console + +message for virtual machine: + +``` +root@localhost ~]# dmesg | grep -i usb +[ 0.925798] ACPI: bus type USB registered +[ 0.927204] usbcore: registered new interface driver usbfs +[ 0.928980] usbcore: registered new interface driver hub +[ 0.930746] usbcore: registered new device driver usb +[ 2.329004] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver +[ 2.332659] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver +[ 2.336069] uhci_hcd: USB Universal Host Controller Interface driver +[ 2.342659] uhci_hcd 0000:02:02.0: new USB bus registered, assigned bus number 1 +[ 2.348905] usb usb1: New USB device found, idVendor=1d6b, idProduct=0001, bcdDevice= 4.18 +[ 2.352268] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 +[ 2.354598] usb usb1: Product: UHCI Host Controller +[ 2.356194] usb usb1: Manufacturer: Linux 4.18.0-305.3.1.el8.aarch64 uhci_hcd +[ 2.358474] usb usb1: SerialNumber: 0000:02:02.0 +[ 2.360228] hub 1-0:1.0: USB hub found +[ 2.363347] usbcore: registered new interface driver usbserial_generic +[ 2.365456] usbserial: USB Serial support registered for generic +[ 2.384154] usbcore: registered new interface driver usbhid +[ 2.385962] usbhid: USB HID core driver +[ 2.730277] usb 1-1: new full-speed USB device number 2 using uhci_hcd +[ 18.509908] usb 1-1: device descriptor read/64, error -110 +[ 34.509908] usb 1-1: device descriptor read/64, error -110 +[ 34.779906] usb 1-1: new full-speed 
USB device number 3 using uhci_hcd +[ 50.509910] usb 1-1: device descriptor read/64, error -110 +[ 66.509907] usb 1-1: device descriptor read/64, error -110 +[ 66.629982] usb usb1-port1: attempt power cycle +[ 67.119904] usb 1-1: new full-speed USB device number 4 using uhci_hcd +[ 78.079921] usb 1-1: device not accepting address 4, error -110 +[ 78.229962] usb 1-1: new full-speed USB device number 5 using uhci_hcd +[ 89.079917] usb 1-1: device not accepting address 5, error -110 +[ 89.082006] usb usb1-port1: unable to enumerate USB device +[ 89.229908] usb 1-2: new full-speed USB device number 6 using uhci_hcd +[ 105.009910] usb 1-2: device descriptor read/64, error -110 +[ 121.009910] usb 1-2: device descriptor read/64, error -110 +[ 121.279907] usb 1-2: new full-speed USB device number 7 using uhci_hcd +[ 137.009910] usb 1-2: device descriptor read/64, error -110 +[ 153.009925] usb 1-2: device descriptor read/64, error -110 +[ 153.129984] usb usb1-port2: attempt power cycle +[ 153.619917] usb 1-2: new full-speed USB device number 8 using uhci_hcd +[ 164.579912] usb 1-2: device not accepting address 8, error -110 +[ 164.729913] usb 1-2: new full-speed USB device number 9 using uhci_hcd +[ 175.329921] usb 1-2: device not accepting address 9, error -110 +[ 175.331973] usb usb1-port2: unable to enumerate USB device +```""" +reproduce = """1. ./configure +2. make -j60 +3.virsh create vm.xml +[vm.xml](/uploads/9f946b3637f68c9cd029dfb650f5bd57/vm.xml)""" +additional = """the commit "1c2cb7e0b3" cause the problem, but i don't know the reason""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1327.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1327.toml new file mode 100644 index 00000000..9ba0ccc8 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1327.toml 
@@ -0,0 +1,102 @@ +id = 1327 +title = "vhost-user-test outputs scary messages" +state = "opened" +created_at = "2022-11-21T19:37:30.717Z" +closed_at = "n/a" +labels = ["Tests", "device:virtio", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1327" +host-os = "Ubuntu 20.04" +host-arch = "ARM" +qemu-version = "commit a082fab9d259473a9d5d53307cf83b1223301181" +guest-os = "n/a" +guest-arch = "ARM" +description = """The qos-test seems to output failure messages when run in verbose mode, see e.g.: + +https://gitlab.com/qemu-project/qemu/-/jobs/3340919275#L5615 + +``` +――――――――――――――――――――――――――――――――――――― ✀ ――――――――――――――――――――――――――――――――――――― +stderr: +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: -chardev socket,id=chr-reconnect,path=/tmp/vhost-test-9B51V1/reconnect.sock,server=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-9B51V1/reconnect.sock,server=on +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. 
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: -chardev socket,id=chr-connect-fail,path=/tmp/vhost-test-49UUV1/connect-fail.sock,server=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-49UUV1/connect-fail.sock,server=on +qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: Failed to read msg header. Read 0 instead of 12. Original request 1. +qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: vhost_backend_init failed: Protocol error +qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: failed to init vhost_net for queue 0 +qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-49UUV1/connect-fail.sock,server=on +qemu-system-aarch64: Failed to write msg. Wrote -1 instead of 20. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: -chardev socket,id=chr-flags-mismatch,path=/tmp/vhost-test-LTKOV1/flags-mismatch.sock,server=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-LTKOV1/flags-mismatch.sock,server=on +qemu-system-aarch64: Failed to write msg. Wrote -1 instead of 52. 
+qemu-system-aarch64: vhost_set_mem_table failed: Invalid argument (22) +qemu-system-aarch64: unable to start vhost net: 22: falling back on userspace virtio +vhost lacks feature mask 0x40000000 for backend +qemu-system-aarch64: failed to init vhost_net for queue 0 +qemu-system-aarch64: Failed to write msg. Wrote -1 instead of 20. +qemu-system-aarch64: vhost_set_vring_num failed: Invalid argument (22) +qemu-system-aarch64: unable to start vhost net: 22: falling back on userspace virtio +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 2 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 3 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. 
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_call failed: Invalid argument (22) +qemu-system-aarch64: Failed to set msg fds. +qemu-system-aarch64: vhost_set_vring_call failed: Invalid argument (22) +―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― +```""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1399.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1399.toml new file mode 100644 index 00000000..e8702f29 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1399.toml 
@@ -0,0 +1,80 @@ +id = 1399 +title = "Early faults when direct booting large Linux kernel images on x86_64 and aarch64 guests." +state = "opened" +created_at = "2022-12-28T02:43:02.224Z" +closed_at = "n/a" +labels = ["target: arm", "target: i386"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1399" +host-os = "Gentoo Linux" +host-arch = "x86_64" +qemu-version = "7.1.0 and newer (possibly also on older versions)" +guest-os = "Custom Linux system created using Buildroot" +guest-arch = "x86_64, aarch64" +description = """When attempting to load a Linux kernel image for direct boot via the `-kernel` command line option, a triple fault occurs shortly after attempting to hand off execution to the kernel if the kernel image is ‘large’ in size (this can be easily reproduced with a custom kernel build by embedding an initramfs in the kernel that includes a few large but mostly incompressible files). I’m not certain of the exact cutoff, but a 75 MB kernel image on x86_64, and a 67 MB kernel image on AArch64 both exhibit the issue, while a 13 MB kernel image on x86_64 does not.""" +reproduce = """1. Attempt to direct boot an exceptionally large kernel image as an x86_64 or aarch64 guest.""" +additional = """I have not yet been able to track down exactly where the initial fault is happening, and am not even certain that it’s in Linux’s early boot code, but the fact that this is reproducible across multiple architectures and is unaffected by things like KASLR and the exact compression algorithm for the guest kernel suggests to me that it’s more likely to be an issue in QEMU’s loader code for direct kernel boot than in the Linux kernel itself. + +Running on x86_64, the initial fault appears to be a general protection fault, followed by a double and then triple fault. 
Output from running QEMU as above with `-d int,guest_error -no-reboot’: + +``` +check_exception old: 0xffffffff new 0xd + 0: v=0d e=0000 i=0 cpl=0 IP=0010:000000000789f7f0 pc=000000000789f7f0 SP=0018:00000000078e6fd8 env->regs[R_EAX]=0000000000000000 +RAX=0000000000000000 RBX=6fb84fe3052f53e2 RCX=00000000fb600000 RDX=00000000078fbed0 +RSI=00000000078f6000 RDI=00000000078e80e0 RBP=00000000078e80e0 RSP=00000000078e6fd8 +R8 =00000000078fb000 R9 =00000000fb600000 R10=000fffffffe00000 R11=0000000000000000 +R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000 +RIP=000000000789f7f0 RFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0 +ES =0000 0000000000000000 00000000 00000000 +CS =0010 0000000000000000 ffffffff 00af9a00 DPL=0 CS64 [-R-] +SS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA] +DS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA] +FS =0000 0000000000000000 00000000 00000000 +GS =0000 0000000000000000 00000000 00000000 +LDT=0000 0000000000000000 00000000 00008200 DPL=0 LDT +TR =0020 0000000000000000 00000fff 00808900 DPL=0 TSS64-avl +GDT= 00000000078b1030 0000002f +IDT= 00000000078b1070 000001ff +CR0=80050033 CR2=6fb84fe3052f53ee CR3=00000000078f6000 CR4=00000020 +DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 +DR6=00000000ffff0ff0 DR7=0000000000000400 +CCS=0000000000000018 CCD=6fb84fe3052f53e2 CCO=LOGICQ +EFER=0000000000000500 +check_exception old: 0xd new 0xd + 1: v=08 e=0000 i=0 cpl=0 IP=0010:000000000789f7f0 pc=000000000789f7f0 SP=0018:00000000078e6fd8 env->regs[R_EAX]=0000000000000000 +RAX=0000000000000000 RBX=6fb84fe3052f53e2 RCX=00000000fb600000 RDX=00000000078fbed0 +RSI=00000000078f6000 RDI=00000000078e80e0 RBP=00000000078e80e0 RSP=00000000078e6fd8 +R8 =00000000078fb000 R9 =00000000fb600000 R10=000fffffffe00000 R11=0000000000000000 +R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000 +RIP=000000000789f7f0 RFL=00000006 [-----P-] CPL=0 II=0 
A20=1 SMM=0 HLT=0 +ES =0000 0000000000000000 00000000 00000000 +CS =0010 0000000000000000 ffffffff 00af9a00 DPL=0 CS64 [-R-] +SS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA] +DS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA] +FS =0000 0000000000000000 00000000 00000000 +GS =0000 0000000000000000 00000000 00000000 +LDT=0000 0000000000000000 00000000 00008200 DPL=0 LDT +TR =0020 0000000000000000 00000fff 00808900 DPL=0 TSS64-avl +GDT= 00000000078b1030 0000002f +IDT= 00000000078b1070 000001ff +CR0=80050033 CR2=6fb84fe3052f53ee CR3=00000000078f6000 CR4=00000020 +DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 +DR6=00000000ffff0ff0 DR7=0000000000000400 +CCS=0000000000000018 CCD=6fb84fe3052f53e2 CCO=LOGICQ +EFER=0000000000000500 +check_exception old: 0x8 new 0xd +``` + +Running on AArch64, the emulated CPU gets stuck in a loop trying to handle ‘exception 5’, showing the following output when run as above with `-d int, guest_error -no-reboot`, repeated infinitely until the emulator gets killed: + +``` +Taking exception 5 [IRQ] on CPU 0 +...from EL1 to EL1 +...with ESR 0x15/0x56000000 +...with ELR 0xffffffef0dee4098 +...to EL1 PC 0xffffffef0d810a80 PSTATE 0x3c5 +Exception return from AArch64 EL1 to AArch64 EL1 PC 0xffffffef0dee4098 +``` + +I have also attempted to reproduce this on 64-bit little-endian POWER using qemu-system-ppc64 and an equivalent kernel config, and was _not_ able to reproduce it there with a 69 MB kernel image. + +I can provide Linux kernel configs for the affected kernels upon request, but am not (currently) able to provide full system images (the project I was working on when I came across this is not yet public).""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1407.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1407.toml new file mode 100644 index 00000000..f4a98058 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1407.toml 
@@ -0,0 +1,84 @@ +id = 1407 +title = "Assertion failure in fimd_update_memory_section()" +state = "opened" +created_at = "2023-01-02T03:04:10.418Z" +closed_at = "n/a" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1407" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.250" +guest-os = "n/a" +guest-arch = "n/a" +description = """It seems the frame buffer is not properly initialized before usage.""" +reproduce = """``` +export QEMU=/path/to/qemu-system-arm + +cat << EOF | $QEMU \\ +-machine smdkc210 -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +writel 0x11c00020 0x3454d403 +writel 0x11c00000 0x61988eaf +EOF +```""" +additional = """``` +==13250==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x5590b12d2240). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). +INFO: Seed: 3376651198 +INFO: Loaded 1 modules (583356 inline 8-bit counters): 583356 [0x5590b4672000, 0x5590b47006bc), +INFO: Loaded 1 PC tables (583356 PCs): 583356 [0x5590b3d8b3b0,0x5590b4671f70), +/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... 
+Matching objects by name , *exynos4210.fimd* +This process will fuzz the following MemoryRegions: + * exynos4210.fimd[0] (size 4114) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * exynos4210.fimd, EVENT_TYPE_MMIO_READ, 0x11c00000 +0x4114, 4,4 + * exynos4210.fimd, EVENT_TYPE_MMIO_WRITE, 0x11c00000 +0x4114, 4,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 227Mb +Running: poc-qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd-crash-eda3de9b6941dd8c14e22959b56dbe5d8d07dae3 +qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd: ../hw/display/exynos4210_fimd.c:1152: void fimd_update_memory_section(Exynos4210fimdState *, unsigned int): Assertion `w->mem_section.mr' failed. +==13250== ERROR: libFuzzer: deadly signal + #0 0x5590acce30ee in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3 + #1 0x5590acc31d61 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38 + #2 0x5590acc0ac96 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18 + #3 0x5590acc0ad62 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1 + #4 0x5590acc0ad62 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19 + #5 0x7f9ed33c741f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) + #6 0x7f9ed31d900a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3 + #7 0x7f9ed31d900a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3 + #8 0x7f9ed31b8858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7 + #9 0x7f9ed31b8728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3 + #10 0x7f9ed31c9fd5 in 
__assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3 + #11 0x5590ad56dce3 in fimd_update_memory_section /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/exynos4210_fimd.c:1152:5 + #12 0x5590ad565fb7 in exynos4210_fimd_enable /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/exynos4210_fimd.c:1198:13 + #13 0x5590ad5590a3 in exynos4210_fimd_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/exynos4210_fimd.c:1387:13 + #14 0x5590b03e7bc3 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:493:5 + #15 0x5590b03e7501 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18 + #16 0x5590b03e5e26 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1515:16 + #17 0x5590b047669e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2825:23 + #18 0x5590b046444b in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2867:12 + #19 0x5590b0463f08 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2963:18 + #20 0x5590acd23d38 in qemu_writel /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1096:5 + #21 0x5590acd220a3 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1245:28 + #22 0x5590b12cd6bf in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5 + #23 0x5590b12c4a3d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9 + #24 0x5590b12c47e4 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9 + #25 0x5590acd2b07c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12 + #26 0x5590b12d250b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18 + #27 0x5590acc0b806 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #28 
0x5590acbee434 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #29 0x5590acbf93de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #30 0x5590acbe59c6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #31 0x7f9ed31ba082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #32 0x5590acbe5a1d in _start (/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd+0x31cea1d) + +NOTE: libFuzzer has rudimentary signal handlers. + Combine libFuzzer with AddressSanitizer or similar for better crash reports. +SUMMARY: libFuzzer: deadly signal +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1408.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1408.toml new file mode 100644 index 00000000..ae341fb5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1408.toml 
@@ -0,0 +1,95 @@ +id = 1408 +title = "Out of bounds in imx_usbphy_read()" +state = "closed" +created_at = "2023-01-02T06:04:43.860Z" +closed_at = "2023-04-06T10:31:01.394Z" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1408" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """The size of the memory region of imx-usb-phy is 0x1000. + +``` +memory_region_init_io(&s->iomem, OBJECT(s), &imx_usbphy_ops, s, + "imx-usbphy", 0x1000); +``` + +A read to s->usbphy[33] will easily overflow. + +``` +static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, unsigned size) +{ + // ... + default: + value = s->usbphy[index]; + break; + } +``` + +Maybe we should drop this read in default branch.""" +reproduce = """``` +export QEMU=/path/to/qemu-system-arm + +cat << EOF | $QEMU \\ +-machine sabrelite -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +readl 0x20c9870 +EOF +```""" +additional = """``` ++ DEFAULT_INPUT_MAXSIZE=10000000 ++ ./qemu-videzzo-arm-target-videzzo-fuzz-imx-usb-phy -max_len=10000000 -detect_leaks=0 ./crash-2f5e9c8ec69dd69f8db69aaa84dde878482b8690.minimized +==14370==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x561837db1240). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). +INFO: Seed: 1679742864 +INFO: Loaded 1 modules (583356 inline 8-bit counters): 583356 [0x56183b151000, 0x56183b1df6bc), +INFO: Loaded 1 PC tables (583356 PCs): 583356 [0x56183a86a3b0,0x56183b150f70), +./qemu-videzzo-arm-target-videzzo-fuzz-imx-usb-phy: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... 
+Matching objects by name , *imx-usbphy* +This process will fuzz the following MemoryRegions: + * imx-usbphy[0] (size 1000) + * imx-usbphy[0] (size 1000) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * imx-usbphy, EVENT_TYPE_MMIO_READ, 0x20c9000 +0x1000, 4,4 + * imx-usbphy, EVENT_TYPE_MMIO_WRITE, 0x20c9000 +0x1000, 4,4 + * imx-usbphy, EVENT_TYPE_MMIO_READ, 0x20ca000 +0x1000, 4,4 + * imx-usbphy, EVENT_TYPE_MMIO_WRITE, 0x20ca000 +0x1000, 4,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 222Mb +Running: ./crash-2f5e9c8ec69dd69f8db69aaa84dde878482b8690.minimized +../hw/usb/imx-usb-phy.c:93:17: runtime error: index 540 out of bounds for type 'uint32_t [33]' + #0 0x5618357ddb2a in imx_usbphy_read /root/videzzo/videzzo_qemu/qemu/out-san/../hw/usb/imx-usb-phy.c:93:17 + #1 0x561836f07a0b in memory_region_read_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:441:11 + #2 0x561836ec6501 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18 + #3 0x561836ec38cc in memory_region_dispatch_read1 /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1425:16 + #4 0x561836ec3008 in memory_region_dispatch_read /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1458:9 + #5 0x561836f415ad in flatview_read_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2892:23 + #6 0x561836f42bb8 in flatview_read /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2934:12 + #7 0x561836f42678 in address_space_read_full /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2947:18 + #8 0x5618337f4b41 in address_space_read /root/videzzo/videzzo_qemu/qemu/include/exec/memory.h:2873:18 + #9 0x5618337f4b41 in qemu_readl /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1037:5 + #10 0x5618337f2c06 in dispatch_mmio_read 
/root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1051:35 + #11 0x561837dac6bf in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5 + #12 0x561837da3a3d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9 + #13 0x561837da37e4 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9 + #14 0x56183380a07c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12 + #15 0x561837db150b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18 + #16 0x5618336ea806 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #17 0x5618336cd434 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #18 0x5618336d83de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #19 0x5618336c49c6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #20 0x7f74d2914082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #21 0x5618336c4a1d in _start (/root/bugs/metadata/imx_usb_phy-00/qemu-videzzo-arm-target-videzzo-fuzz-imx-usb-phy+0x31cea1d) + +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/usb/imx-usb-phy.c:93:17 in +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +0x0,0x8,0x70,0x98,0xc,0x2,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0, +\\x00\\x08p\\x98\\x0c\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1415.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1415.toml new file mode 100644 index 00000000..20c97d5d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1415.toml 
@@ -0,0 +1,97 @@ +id = 1415 +title = "Abort in xlnx_dp_change_graphic_fmt()" +state = "opened" +created_at = "2023-01-05T10:51:48.177Z" +closed_at = "n/a" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1415" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """xlnx_dp_change_graphic_fmt() will directly abort if either graphic format or the +video format is not supported. + +Replacing abort() in xlnx_dp_change_graphic_fmt() to `return` might be OK but I +am not sure what side effect there is.""" +reproduce = """``` +export QEMU=/path/to/to/qemu-system-aarch64 + +cat << EOF | $QEMU \\ +-machine xlnx-zcu102 -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +writel 0xfd4ab000 0xcf6e998 +EOF +```""" +additional = """``` +==20455==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x564934146c90). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). +INFO: Seed: 4022227410 +INFO: Loaded 1 modules (618619 inline 8-bit counters): 618619 [0x5649372a5000, 0x56493733c07b), +INFO: Loaded 1 PC tables (618619 PCs): 618619 [0x564936933f40,0x5649372a46f0), +./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... 
+INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes +Matching objects by name , *.core*, *.v_blend*, *.av_buffer_manager*, *.audio* +This process will fuzz the following MemoryRegions: + * xlnx.v-dp.audio[0] (size 50) + * xlnx.v-dp.av_buffer_manager[0] (size 238) + * xlnx.v-dp.core[0] (size 3b0) + * xlnx.v-dp.v_blend[0] (size 1e0) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * xlnx.v-dp.core, EVENT_TYPE_MMIO_READ, 0xfd4a0000 +0x3b0, 4,4 + * xlnx.v-dp.core, EVENT_TYPE_MMIO_WRITE, 0xfd4a0000 +0x3b0, 4,4 + * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_READ, 0xfd4aa000 +0x1e0, 4,4 + * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_WRITE, 0xfd4aa000 +0x1e0, 4,4 + * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_READ, 0xfd4ab000 +0x238, 4,4 + * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_WRITE, 0xfd4ab000 +0x238, 4,4 + * xlnx.v-dp.audio, EVENT_TYPE_MMIO_READ, 0xfd4ac000 +0x50, 1,4 + * xlnx.v-dp.audio, EVENT_TYPE_MMIO_WRITE, 0xfd4ac000 +0x50, 1,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 489Mb +Running: crash-8b178268936b24c569a421d702ef5b6d911c99e7 +aarch64: xlnx_dp_change_graphic_fmt: unsupported graphic format 2304 +==20455== ERROR: libFuzzer: deadly signal + #0 0x56492f51f10e in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3 + #1 0x56492f46dd81 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38 + #2 0x56492f446cb6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18 + #3 0x56492f446d82 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1 + #4 0x56492f446d82 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19 + #5 0x7f7a315a641f 
(/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) + #6 0x7f7a313b800a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3 + #7 0x7f7a313b800a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3 + #8 0x7f7a31397858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7 + #9 0x56492f54f65a in __wrap_abort /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/less_crashes_wrappers.c:24:12 + #10 0x56492fe7e0d7 in xlnx_dp_change_graphic_fmt /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/display/xlnx_dp.c:644:9 + #11 0x56492fe7be58 in xlnx_dp_avbufm_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/display/xlnx_dp.c:1046:9 + #12 0x5649330fa313 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:492:5 + #13 0x5649330f9c51 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:554:18 + #14 0x5649330f8576 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:1514:16 + #15 0x56493318672e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2825:23 + #16 0x56493317486b in flatview_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2867:12 + #17 0x564933174328 in address_space_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2963:18 + #18 0x56492f55f0cb in qemu_writel /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1088:5 + #19 0x56492f55d544 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1229:28 + #20 0x56493414264f in videzzo_dispatch_event /root/videzzo/videzzo.c:1122:5 + #21 0x5649341399cb in __videzzo_execute_one_input /root/videzzo/videzzo.c:272:9 + #22 0x5649341398a0 in videzzo_execute_one_input /root/videzzo/videzzo.c:313:9 + #23 0x56492f56610c in 
videzzo_qemu /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1504:12 + #24 0x564934146f32 in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1891:18 + #25 0x56492f447826 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #26 0x56492f42a454 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #27 0x56492f4353fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #28 0x56492f4219e6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #29 0x7f7a31399082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #30 0x56492f421a3d in _start (/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp+0x3291a3d) + +NOTE: libFuzzer has rudimentary signal handlers. + Combine libFuzzer with AddressSanitizer or similar for better crash reports. 
+SUMMARY: libFuzzer: deadly signal +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +0x0,0xc,0x1c,0xb0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x4,0x2,0x48,0x40,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0xa,0x20,0xa1,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0xe,0x8,0xc0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x8,0x0,0x0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x4,0x2,0x3e,0xc6,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0xc,0x78,0xb1,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0x9,0x4,0x2,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0xc2,0x1b,0xe,0x7b,0x0,0x0,0x0,0x0,0x1,0xb,0x84,0xa1,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0xd8,0x1f,0x9a,0x30,0x0,0x0,0x0,0x0,0x0,0x8,0x70,0x0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0x9,0xec,0x2,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x50,0x62,0xd6,0x13,0x0,0x0,0x0,0x0,0x0,0xa,0x18,0xa0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0xd,0x0,0xb0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x98,0xe9,0xf6,0xc,0x0,0x0,0x0,0x0, +\\x00\\x0c\\x1c\\xb0J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x04\\x02H@\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0a \\xa1J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x0e\\x08\\xc0J\\xfd\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x04\\x02>\\xc6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0cx\\xb1J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x01\\x09\\x04\\x02J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xc2\\x1b\\x0e{\\x00\\x00\\x00\\x00\\x01\\x0b\\x84\\xa1J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xd8\\x1f\\x9a0\\x00\\x00\\x00\\x00\\x00\\x08p\\x00J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x01\\x09\\xec\\x02J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00Pb\\xd6\\x13\\x00\\x00\\x00\\x00\\x00\\x0a\\x18\\xa0J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x01\\x0d\\x00\\xb0J\\xfd\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x98\\xe9\\xf6\\x0c\\x00\\x00\\x00\\x00 +```""" 
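Review bot: in 1415.toml the host-arch = "x86" and guest-arch = "n/a" values disagree with the hunk's own evidence (the trace resolves through /lib/x86_64-linux-gnu/libpthread.so.0 and the repro boots -machine xlnx-zcu102 under qemu-system-aarch64), so either normalize them to x86_64 / aarch64 at import time or state in the README that these fields are verbatim copies of the reporter's template and may be wrong. The additional string also stores the libFuzzer crash input twice, once as the "0x0,0xc,0x1c,0xb0,..." byte list and once as backslash-escaped raw bytes ("\\x00\\x0c\\x1c\\xb0J..."); the escaped copy survives only because TOML unescapes "\\" inside basic strings and carries no information the hex list lacks, so keep one form. Lastly, closed_at = "n/a" next to created_at = "2023-01-05T10:51:48.177Z" forces every consumer to special-case a sentinel string; omitting the key when unset (TOML has no null) and using a native offset datetime when set would be cleaner and should be applied across all files.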
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1421.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1421.toml new file mode 100644 index 00000000..4476d10e --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1421.toml 
@@ -0,0 +1,29 @@ +id = 1421 +title = "GDB memory reads fail on Cortex-M33" +state = "closed" +created_at = "2023-01-07T00:12:28.630Z" +closed_at = "2023-03-07T12:41:14.403Z" +labels = ["Closed::Fixed", "GDB", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1421" +host-os = "Fedora 36" +host-arch = "x86_64 host, Arm cortex-m33 emulated" +qemu-version = "QEMU emulator version 7.2.50 (v7.2.0-334-gca5181d8d7-dirty) (This is based on upstream git revision 222059a0fccf4af3be776fe35a5ea2d6a68f9a0b with some irrelevant local changes)." +guest-os = "Bare metal" +guest-arch = "Arm Cortex M-33" +description = """GDB fails to read memory from the guest. There appear to be at least two problems: + +1. In `arm_cpu_get_phys_page_attrs_debug`, `arm_is_secure(env)` returns false, because the implementation doesn't seem to know about Armv7-M or Armv8-M secure states. However, `arm_mmu_idx(env)` does know how to check `env->v7m.secure`, so it returns `ARMMMUIdx_MSPriv` (the S stands for secure). The mismatch between an apparently non-secure access to a secure MMU seems to cause the read to fail laster. +2. With the MPU enabled (not the case in this repro, but I can provide one), `cpu_memory_rw_debug` computes `page = addr & TARGET_PAGE_MASK`, and uses the page to compute permissions. However, TARGET_PAGE_MASK is based on 4K pages on this platform, but the MPU granularity is 32 bytes. So the wrong page is used for checking.""" +reproduce = """``` +# Sorry for the large clone. It's mostly unused files in CMSIS. +git clone --recursive -b qemu-repro-1 https://github.com/dreiss/mpu_experiments +cd mpu_experiments +git checkout origin/qemu-repro-1 +cmake -S . 
-B build -DBOARD=qemu-mps2-an505 -DAPP=mpu_stacktrace -DCMAKE_BUILD_TYPE=Debug +cmake --build build +/path/to/qemu-system-arm -machine mps2-an505 -nographic -kernel build/kernel.elf -s -S -d int +# Open a separate terminal and cd into mpu_experiments +gdb build/kernel.elf -ex 'target remote :1234' -ex 'break base_case' -ex continue -ex backtrace -ex quit +# Note the memory read failures in the backtrace. +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1424.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1424.toml new file mode 100644 index 00000000..6ad8b9e8 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1424.toml 
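Review bot: in 1421.toml the host-arch value "x86_64 host, Arm cortex-m33 emulated" packs guest information into the host field and duplicates guest-arch = "Arm Cortex M-33", and qemu-version holds a sentence with a git revision rather than a version string; if these fields are meant to be queried across the tree they need normalization at import time, otherwise the README should say they are free-text copies of the reporter template. The file also lands under host_missing/accel_missing/ even though host-os = "Fedora 36" and host-arch are filled in, while labels carries no host or accel entry; if the directory is derived from labels rather than from the fields, that rule belongs in the commit message or README so readers do not read host_missing as "host unknown".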
@@ -0,0 +1,111 @@ +id = 1424 +title = "Overflow in xlnx_dp_aux_push_tx_fifo()" +state = "opened" +created_at = "2023-01-09T05:42:31.608Z" +closed_at = "n/a" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1424" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """Invoking xlnx_dp_aux_push_tx_fifo() 17 times overflow the s->tx_fifo.""" +reproduce = """``` +export QEMU=/path/to/qemu-system-aarch64 + +cat << EOF | $QEMU \\ +-machine xlnx-zcu102 -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x66554466 +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x666e0fa2 +writel 0xfd4a0104 0x666e0fa2 +writel 0xfd4a0104 0x666e0fa2 +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x66554466 +writel 0xfd4a0104 0x66554466 +writel 0xfd4a0104 0x66554466 +writel 0xfd4a0104 0x66554466 +writel 0xfd4a0104 0x66554466 +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x6fed53ba +writel 0xfd4a0104 0x6fed53ba +EOF +```""" +additional = """``` +root@621cbd136b6f:~/bugs/metadata/xlnx_dp-07# bash -x xlnx_dp-07.videzzo ++ DEFAULT_INPUT_MAXSIZE=10000000 ++ ./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp -max_len=10000000 -detect_leaks=0 ./poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp-crash-8070de484ac8d4d9bfff9b439311058e05b8b40f.minimized +==47609==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x564c9e37c2b0). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). 
+INFO: Seed: 2128347645 +INFO: Loaded 1 modules (600768 inline 8-bit counters): 600768 [0x564ca198f000, 0x564ca1a21ac0), +INFO: Loaded 1 PC tables (600768 PCs): 600768 [0x564ca1063b10,0x564ca198e710), +./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... +Matching objects by name , *.core*, *.v_blend*, *.av_buffer_manager*, *.audio* +This process will fuzz the following MemoryRegions: + * xlnx.v-dp.core[0] (size 3b0) + * xlnx.v-dp.v_blend[0] (size 1e0) + * xlnx.v-dp.audio[0] (size 50) + * xlnx.v-dp.av_buffer_manager[0] (size 238) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * xlnx.v-dp.core, EVENT_TYPE_MMIO_READ, 0xfd4a0000 +0x3b0, 4,4 + * xlnx.v-dp.core, EVENT_TYPE_MMIO_WRITE, 0xfd4a0000 +0x3b0, 4,4 + * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_READ, 0xfd4aa000 +0x1e0, 4,4 + * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_WRITE, 0xfd4aa000 +0x1e0, 4,4 + * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_READ, 0xfd4ab000 +0x238, 4,4 + * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_WRITE, 0xfd4ab000 +0x238, 4,4 + * xlnx.v-dp.audio, EVENT_TYPE_MMIO_READ, 0xfd4ac000 +0x50, 1,4 + * xlnx.v-dp.audio, EVENT_TYPE_MMIO_WRITE, 0xfd4ac000 +0x50, 1,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 510Mb +Running: ./poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp-crash-8070de484ac8d4d9bfff9b439311058e05b8b40f.minimized +qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp: ../util/fifo8.c:43: void fifo8_push_all(Fifo8 *, const uint8_t *, uint32_t): Assertion `fifo->num + num <= fifo->capacity' failed. 
+==47609== ERROR: libFuzzer: deadly signal + #0 0x564c998420fe in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3 + #1 0x564c99790d71 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38 + #2 0x564c99769ca6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18 + #3 0x564c99769d72 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1 + #4 0x564c99769d72 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19 + #5 0x7f8ef929941f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) + #6 0x7f8ef90ab00a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3 + #7 0x7f8ef90ab00a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3 + #8 0x7f8ef908a858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7 + #9 0x7f8ef908a728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3 + #10 0x7f8ef909bfd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3 + #11 0x564c9e1cdbb3 in fifo8_push_all /root/videzzo/videzzo_qemu/qemu/out-san/../util/fifo8.c:43:5 + #12 0x564c9a189c13 in xlnx_dp_aux_push_tx_fifo /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/xlnx_dp.c:467:5 + #13 0x564c9a1842f2 in xlnx_dp_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/xlnx_dp.c:857:9 + #14 0x564c9d491e93 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:493:5 + #15 0x564c9d4917d1 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18 + #16 0x564c9d4900f6 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1515:16 + #17 0x564c9d5209ce in flatview_write_continue 
/root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2825:23 + #18 0x564c9d50e77b in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2867:12 + #19 0x564c9d50e238 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2963:18 + #20 0x564c99882d48 in qemu_writel /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1096:5 + #21 0x564c998810b3 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1245:28 + #22 0x564c9e37772f in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5 + #23 0x564c9e36eaad in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9 + #24 0x564c9e36e854 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9 + #25 0x564c9988a08c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12 + #26 0x564c9e37c57b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18 + #27 0x564c9976a816 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #28 0x564c9974d444 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #29 0x564c997583ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #30 0x564c997449d6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #31 0x7f8ef908c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #32 0x564c99744a2d in _start (/root/bugs/metadata/xlnx_dp-07/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp+0x3453a2d) + +NOTE: libFuzzer has rudimentary signal handlers. + Combine libFuzzer with AddressSanitizer or similar for better crash reports. 
+SUMMARY: libFuzzer: deadly signal +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1425.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1425.toml new file mode 100644 index 00000000..4fb1cb2c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1425.toml 
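Review bot: 1424.toml repeats the metadata gaps of the other fuzzer-reported files: host-arch = "x86" while the trace loads /lib/x86_64-linux-gnu/libpthread.so.0, and guest-os/guest-arch are "n/a" although the repro runs qemu-system-aarch64 -machine xlnx-zcu102. Its additional block also begins with the reporter's shell prompt and local invocation ("root@621cbd136b6f:~/bugs/metadata/xlnx_dp-07# bash -x xlnx_dp-07.videzzo", "+ DEFAULT_INPUT_MAXSIZE=10000000"), whereas 1415.toml's additional starts at the ASan warning; decide whether additional is the raw comment body or a trimmed sanitizer trace and apply that uniformly, since the 17 writel lines in reproduce already match the description's "17 times" and the assertion "fifo->num + num <= fifo->capacity" is the only load-bearing part of the log.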
@@ -0,0 +1,92 @@ +id = 1425 +title = "Assertion failed in transfer_fifo()" +state = "closed" +created_at = "2023-01-09T07:36:57.265Z" +closed_at = "2023-11-28T23:12:55.034Z" +labels = ["Fuzzer", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1425" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """In transfer_fifo(), fifo32_pop() fails since less than 32 bytes are in the fifo.""" +reproduce = """``` +export QEMU=/path/to/qemu-system-aarch64 + +cat << EOF | $QEMU \\ +-machine xlnx-zcu102 -monitor none -serial none \\ +-display none -nodefaults -qtest stdio -audio none +writel 0xff070000 0x0f73720a +writel 0xff07003c 0x1f37ee63 +EOF +```""" +additional = """``` +==31717==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x55871da359f0). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). +INFO: Seed: 1734665286 +INFO: Loaded 1 modules (618606 inline 8-bit counters): 618606 [0x558720b94000, 0x558720c2b06e), +INFO: Loaded 1 PC tables (618606 PCs): 618606 [0x558720222e60,0x558720b93540), +/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... 
+Matching objects by name , *xlnx.zynqmp-can* +This process will fuzz the following MemoryRegions: + * xlnx.zynqmp-can[1] (size 84) + * xlnx.zynqmp-can[0] (size 84) + * xlnx.zynqmp-can[1] (size 84) + * xlnx.zynqmp-can[0] (size 84) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff070000 +0x84, 4,4 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff070000 +0x84, 4,4 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff060000 +0x84, 4,4 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff060000 +0x84, 4,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 491Mb +Running: poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can-crash-97ef02583c679111ba6ad823f573f139fac7c72e +qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: ../util/fifo8.c:62: uint8_t fifo8_pop(Fifo8 *): Assertion `fifo->num > 0' failed. +==31717== ERROR: libFuzzer: deadly signal + #0 0x558718e0e10e in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3 + #1 0x558718d5cd81 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38 + #2 0x558718d35cb6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18 + #3 0x558718d35d82 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1 + #4 0x558718d35d82 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19 + #5 0x7f3ad4eba41f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) + #6 0x7f3ad4ccc00a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3 + #7 0x7f3ad4ccc00a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3 + #8 0x7f3ad4cab858 in abort 
/build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7 + #9 0x7f3ad4cab728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3 + #10 0x7f3ad4cbcfd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3 + #11 0x55871d6eeac9 in fifo8_pop /root/videzzo/videzzo_qemu/qemu/build-san-6/../util/fifo8.c:62:5 + #12 0x55871a33f303 in fifo32_pop /root/videzzo/videzzo_qemu/qemu/include/qemu/fifo32.h:137:17 + #13 0x55871a334bb5 in transfer_fifo /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/net/can/xlnx-zynqmp-can.c:455:23 + #14 0x55871a32d4c0 in can_tx_post_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/net/can/xlnx-zynqmp-can.c:830:9 + #15 0x558719393dcb in register_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/core/register.c:122:9 + #16 0x558719397de8 in register_write_memory /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/core/register.c:203:5 + #17 0x55871c9e9073 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:492:5 + #18 0x55871c9e89b1 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:554:18 + #19 0x55871c9e72d6 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:1514:16 + #20 0x55871ca7548e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2825:23 + #21 0x55871ca635cb in flatview_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2867:12 + #22 0x55871ca63088 in address_space_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2963:18 + #23 0x558718e4e0cb in qemu_writel /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1081:5 + #24 0x558718e4c544 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1222:28 + #25 0x55871da313af in videzzo_dispatch_event /root/videzzo/videzzo.c:1122:5 + #26 0x55871da2872b in 
__videzzo_execute_one_input /root/videzzo/videzzo.c:272:9 + #27 0x55871da28600 in videzzo_execute_one_input /root/videzzo/videzzo.c:313:9 + #28 0x558718e5510c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1497:12 + #29 0x55871da35c92 in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1891:18 + #30 0x558718d36826 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #31 0x558718d19454 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #32 0x558718d243fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #33 0x558718d109e6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #34 0x7f3ad4cad082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #35 0x558718d10a3d in _start (/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can+0x3291a3d) + +NOTE: libFuzzer has rudimentary signal handlers. + Combine libFuzzer with AddressSanitizer or similar for better crash reports. +SUMMARY: libFuzzer: deadly signal +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1427.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1427.toml new file mode 100644 index 00000000..c6942ff5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1427.toml 
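Review bot: in 1425.toml the description attributes the failure to "less than 32 bytes are in the fifo", but the captured assertion is fifo8_pop: "Assertion `fifo->num > 0' failed" reached via fifo32_pop, which means the FIFO was empty when a 4-byte word was popped; the file should not rewrite the reporter's text, but the commit message or README should make explicit that description is the unedited issue body and not a vetted root cause. Also, labels still lists "workflow::Patch available" on an issue with state = "closed" and a closed_at date, so note whether labels are snapshotted at import time or at close time, because a query for open patches would otherwise return this closed issue.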
@@ -0,0 +1,382 @@ +id = 1427 +title = "Fifo overflow in transfer_fifo()" +state = "closed" +created_at = "2023-01-09T08:47:44.034Z" +closed_at = "2023-11-28T23:12:55.027Z" +labels = ["Fuzzer", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1427" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """In transfer_fifo(), fifo32_push() fails since less than 32 bytes are free in the +fifo.""" +reproduce = """``` +export QEMU=/path/to/qemu-system-aarch64 + +cat << EOF | $QEMU \\ +-machine xlnx-zcu102 -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x554439e4 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x7439dad1 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x554439e4 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x7439dad1 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070030 0x5b33c2da +writel 0xff070004 0x6847773b +writel 0xff070030 0x5b33c2da +writel 0xff070000 0x7a9e77fa +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 
0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 
0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 
0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x0bbac0b1 +readl 0xff070054 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 
0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +writel 0xff070038 0x3730c1d8 +writel 0xff07003c 0x1f9c3bcd +EOF +```""" +additional = """``` +==60953==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x55c4943a85f0). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). 
+INFO: Seed: 1771329340 +INFO: Loaded 1 modules (600781 inline 8-bit counters): 600781 [0x55c4979bb000, 0x55c497a4dacd), +INFO: Loaded 1 PC tables (600781 PCs): 600781 [0x55c49708fbf0,0x55c4979ba8c0), +./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... +Matching objects by name , *xlnx.zynqmp-can* +This process will fuzz the following MemoryRegions: + * xlnx.zynqmp-can[1] (size 84) + * xlnx.zynqmp-can[0] (size 84) + * xlnx.zynqmp-can[1] (size 84) + * xlnx.zynqmp-can[0] (size 84) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff070000 +0x84, 4,4 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff070000 +0x84, 4,4 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff060000 +0x84, 4,4 + * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff060000 +0x84, 4,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 509Mb +Running: poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can-crash-8c83f08fb7643e6eb55af43e76de522c6f5fcef2.minimized.minimized +qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: ../util/fifo8.c:34: void fifo8_push(Fifo8 *, uint8_t): Assertion `fifo->num < fifo->capacity' failed. 
+==60953== ERROR: libFuzzer: deadly signal + #0 0x55c48f86e0fe in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3 + #1 0x55c48f7bcd71 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38 + #2 0x55c48f795ca6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18 + #3 0x55c48f795d72 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1 + #4 0x55c48f795d72 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19 + #5 0x7fe36599541f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) + #6 0x7fe3657a700a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3 + #7 0x7fe3657a700a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3 + #8 0x7fe365786858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7 + #9 0x7fe365786728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3 + #10 0x7fe365797fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3 + #11 0x55c4941f98ef in fifo8_push /root/videzzo/videzzo_qemu/qemu/out-san/../util/fifo8.c:34:5 + #12 0x55c490d83bb0 in fifo32_push /root/videzzo/videzzo_qemu/qemu/include/qemu/fifo32.h:94:9 + #13 0x55c490d79d17 in transfer_fifo /root/videzzo/videzzo_qemu/qemu/out-san/../hw/net/can/xlnx-zynqmp-can.c:476:21 + #14 0x55c490d71a00 in can_tx_post_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/net/can/xlnx-zynqmp-can.c:836:9 + #15 0x55c48fdfaf9b in register_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/core/register.c:122:9 + #16 0x55c48fdfefb8 in register_write_memory /root/videzzo/videzzo_qemu/qemu/out-san/../hw/core/register.c:203:5 + #17 0x55c4934be1d3 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:493:5 + #18 
0x55c4934bdb11 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18 + #19 0x55c4934bc436 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1515:16 + #20 0x55c49354cd0e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2825:23 + #21 0x55c49353aabb in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2867:12 + #22 0x55c49353a578 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2963:18 + #23 0x55c48f8aed48 in qemu_writel /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1096:5 + #24 0x55c48f8ad0b3 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1245:28 + #25 0x55c4943a3a6f in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5 + #26 0x55c49439aded in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9 + #27 0x55c49439ab94 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9 + #28 0x55c48f8b608c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12 + #29 0x55c4943a88bb in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18 + #30 0x55c48f796816 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #31 0x55c48f779444 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #32 0x55c48f7843ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #33 0x55c48f7709d6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #34 0x7fe365788082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #35 0x55c48f770a2d in _start 
(/root/bugs/metadata/xlnx_zynqmp_can-01/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can+0x3454a2d) + +NOTE: libFuzzer has rudimentary signal handlers. + Combine libFuzzer with AddressSanitizer or similar for better crash reports. +SUMMARY: libFuzzer: deadly signal +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1436.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1436.toml new file mode 100644 index 00000000..90394907 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1436.toml 
@@ -0,0 +1,69 @@ +id = 1436 +title = "Out of memory in hw/omap-dss for ARM" +state = "closed" +created_at = "2023-01-11T10:45:14.950Z" +closed_at = "2024-10-16T15:33:48.764Z" +labels = ["Closed::WontFix", "Fuzzer", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1436" +host-os = "Ubuntu 20.04" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """In omap-dss, g_realloc() can allocate a large buffer using out of the memory. + +- [1] set pixels to any value +- [2] double pixels +- [3] allocate a large buffer + +``` +static void omap_rfbi_write(...) { + switch (addr) { + case 0x44: /* RFBI_PIXELCNT */ + s->rfbi.pixels = value; // ------------------------------------> [1] + break; + +static void omap_rfbi_transfer_start(struct omap_dss_s *s) { + len = s->rfbi.pixels * 2; // -------------------------------------> [2] + if (!data) { + if (len > bounce_len) { + bounce_buffer = g_realloc(bounce_buffer, len); // ---------> [3] + } +```""" +reproduce = """``` +export QEMU=/path/to/qemu-system-arm + +cat << EOF | $QEMU \\ +-machine n810,accel=qtest -m 128M -qtest stdio -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +writel 0x48050440 0x74a57907 +writel 0x48050858 0x34982d63 +writel 0x48050840 0x65a61a51 +EOF +```""" +additional = """``` + +================================================================= +==1029323==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffe (0x800 after adjustments for alignment, red zones etc.) 
exceeds maximum supported size of 0x10000000000 (thread T0) + #0 0x7f4650b4ec3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163 + #1 0x7f464fa27f3f in g_realloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57f3f) + #2 0x55cf6212c85b in omap_rfbi_write ../hw/display/omap_dss.c:761 + #3 0x55cf636b9c9b in memory_region_write_accessor ../softmmu/memory.c:493 + #4 0x55cf636ba132 in access_with_adjusted_size ../softmmu/memory.c:555 + #5 0x55cf636c76f8 in memory_region_dispatch_write ../softmmu/memory.c:1515 + #6 0x55cf637049b9 in flatview_write_continue ../softmmu/physmem.c:2825 + #7 0x55cf63704ddc in flatview_write ../softmmu/physmem.c:2867 + #8 0x55cf637057c4 in address_space_write ../softmmu/physmem.c:2963 + #9 0x55cf63716261 in qtest_process_command ../softmmu/qtest.c:533 + #10 0x55cf6371ac52 in qtest_process_inbuf ../softmmu/qtest.c:802 + #11 0x55cf6371ad43 in qtest_read ../softmmu/qtest.c:814 + #12 0x55cf63d4d5e5 in qemu_chr_be_write_impl ../chardev/char.c:201 + #13 0x55cf63d4d68c in qemu_chr_be_write ../chardev/char.c:213 + #14 0x55cf63d544c9 in fd_chr_read ../chardev/char-fd.c:72 + #15 0x55cf63938b9b in qio_channel_fd_source_dispatch ../io/channel-watch.c:84 + #16 0x7f464fa2204d in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d) + +==1029323==HINT: if you don't care about these errors you may set allocator_may_return_null=1 +SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163 in __interceptor_realloc +==1029323==ABORTING +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1444.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1444.toml new file mode 100644 index 00000000..8da8effd --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1444.toml 
@@ -0,0 +1,50 @@ +id = 1444 +title = "ld.so on aarch64 crashes (SIGSEGV) qemu-aarch64-static to verify attached executable" +state = "closed" +created_at = "2023-01-17T11:39:00.706Z" +closed_at = "2023-01-18T09:15:45.903Z" +labels = ["linux-user", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1444" +host-os = "Fedora 37" +host-arch = "X86" +qemu-version = "qemu-aarch64 version 7.0.0 (qemu-7.0.0-12.fc37)" +guest-os = "Custom built OS" +guest-arch = "aarch64" +description = """I'm currently managing an automation to build a linux distribution from nothing. +The issues is when I try to cross compile gobject-introspection for aarch64 (it is currently working on arm) because the g-ir-compile phase requires a binary verification using ld-linux-aarch64-so-1 --verify GLib-2.0 process used by ldd, that crashes qemu-aarch64-static. +Original command is: ${SYSROOT}/lib/ld-linux-aarch64-so-1 --verify ${HOME}/builds/gobject-introspection_1.75.4/tmp-introspectnpyrhpje/GLib-2.0. +I simplified the problem bringing out the ld.so and GLib-2.0 binary to obtain the same result. + +This happens with glibc 2.35 and glibc 2.36 on aarch64 built with a gcc-12.2 cross compiler (x86 -> aarch64). + +[GLib-2.0](/uploads/47932b18278835fb13ef0de4c34872fa/GLib-2.0) + +[ld-linux-aarch64.so.1](/uploads/0ee01949285bea8ccfcebdc88a1d5b33/ld-linux-aarch64.so.1) + +I tried to debug the SIGSEGV but it's out completely out of my capacity.""" +reproduce = """1. Copy the 2 attached files in a directory: +2. Run: qemu-aarch64-static ./ld-linux-aarch64.so.1 --verify ./GLib-2.0 +3. Result: Segmentation fault.""" +additional = """I attach the output of gdb after install qemu debug symbols: + +``` +Thread 1 "qemu-aarch64-st" received signal SIGSEGV, Segmentation fault. +0x0000000000401088 in ?? () +(gdb) bt +#0 0x0000000000401088 in ?? 
() +#1 0x00000000006aa439 in g_malloc0 () +#2 0x000000000061bb4b in page_find_alloc (index=index@entry=1024, alloc=alloc@entry=1) + at ../accel/tcg/translate-all.c:494 +#3 0x000000000061db12 in page_set_flags (start=start@entry=4194304, end=end@entry=4206592, flags=9, flags@entry=73) + at ../accel/tcg/translate-all.c:2288 +#4 0x0000000000629f10 in target_mmap (start=<optimized out>, start@entry=4194304, len=<optimized out>, + len@entry=12288, target_prot=target_prot@entry=1, flags=2066, fd=fd@entry=3, offset=offset@entry=0) + at ../linux-user/mmap.c:629 +#5 0x0000000000641e1d in do_syscall1 (cpu_env=0x9e8c10, num=222, arg1=4194304, arg2=12288, arg3=1, + arg4=<optimized out>, arg5=3, arg6=0, arg8=<optimized out>, arg7=<optimized out>) at ../linux-user/syscall.c:9961 +#6 0x0000000000644c8c in do_syscall (cpu_env=cpu_env@entry=0x9e8c10, num=222, arg1=4194304, arg2=12288, arg3=1, + arg4=2066, arg5=3, arg6=0, arg7=0, arg8=0) at ../linux-user/syscall.c:13203 +#7 0x000000000040fca8 in cpu_loop (env=env@entry=0x9e8c10) at ../linux-user/aarch64/cpu_loop.c:93 +#8 0x000000000040267f in main (argc=<optimized out>, argv=0x7fffffffdfc8, envp=<optimized out>) + at ../linux-user/main.c:897 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1488.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1488.toml new file mode 100644 index 00000000..3483d2c8 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1488.toml 
@@ -0,0 +1,45 @@ +id = 1488 +title = "Memory not accessible from GDB when using mps3-an547" +state = "closed" +created_at = "2023-02-13T12:30:05.839Z" +closed_at = "2023-04-05T16:54:43.626Z" +labels = ["GDB", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1488" +host-os = "Ubuntu 20.04.5 LTS" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "none (bare-metal)" +guest-arch = "cortex-m55, Armv8.1-M" +description = """Memory (including variables) is not accessible when connecting to the emulated machine via GDB""" +reproduce = """1. Create minimal program `main.c`: + ```c + int main(void) { + int myvar = 42; + for(;;) + } + ``` +2. Compile + ```bash + arm-none-eabi-gcc -c -o build/main.o -c -mcpu=cortex-m55 -mfloat-abi=hard -mthumb -funsigned-char -mlittle-endian -O0 -g -std=c11 main.c + ``` + (ARM startup files and include directories omitted for brevity) +3. Link + ```bash + arm-none-eabi-g++ -o build/test.elf build/main.o -mcpu=cortex-m55 -mfloat-abi=hard -mthumb -funsigned-char -mlittle-endian --entry=Reset_Handler -static -T./platform.ld -O0 -g + ``` + (ARM startup files omitted for brevity) +4. Run binary in QEMU: + ```bash + qemu-system-arm --machine mps3-an547 -serial mon:stdio -kernel test.elf -gdb tcp::1234 -S + ``` +5. Attach using GDB `arm-none-eabi-gdb build/test.elf` and set break point to infinite loop + ```gdb + target remote :1234 + break main.c:18 + continue + print myvar + ``` + +Expected Output: 42 +Actual Output: `Cannot access memory at address 0x11fffe4`""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1491.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1491.toml new file mode 100644 index 00000000..ea4df735 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1491.toml 
@@ -0,0 +1,15 @@ +id = 1491 +title = "imx_epit will stop unexpectedly when couter rollover" +state = "closed" +created_at = "2023-02-14T08:21:58.162Z" +closed_at = "2023-04-21T10:49:10.152Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1491" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1493.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1493.toml new file mode 100644 index 00000000..0a39967e --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1493.toml 
@@ -0,0 +1,93 @@ +id = 1493 +title = "Devision by zero in uart_parameters_setup()" +state = "closed" +created_at = "2023-02-15T13:06:37.750Z" +closed_at = "2023-03-21T17:14:27.948Z" +labels = ["Fuzzer", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1493" +host-os = "Ubuntu" +host-arch = "x86" +qemu-version = "7.2.50" +guest-os = "n/a" +guest-arch = "n/a" +description = """s->r[R_BRGR] could be zero but there is no check[1]. + +``` +static void uart_parameters_setup(CadenceUARTState *s) +{ + QEMUSerialSetParams ssp; + unsigned int baud_rate, packet_size, input_clk; + input_clk = clock_get_hz(s->refclk); + + baud_rate = (s->r[R_MR] & UART_MR_CLKS) ? input_clk / 8 : input_clk; + baud_rate /= (s->r[R_BRGR] * (s->r[R_BDIV] + 1)); // ----> [1] +```""" +reproduce = """Build with ASan. + +``` +export QEMU=/path/to/qemu-system-aarch64 + +cat << EOF | $QEMU \\ +-machine xlnx-zcu102 -monitor none -serial none \\ +-display none -nodefaults -qtest stdio +writel 0xff000018 0x12330000 +writew 0xff000004 0xbcc4 +EOF +```""" +additional = """``` +==23==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! +INFO: found LLVMFuzzerCustomMutator (0x55555d6bab70). Disabling -len_control by default. +INFO: Running with entropic power schedule (0xFF, 100). +INFO: Seed: 4102190864 +INFO: Loaded 1 modules (603606 inline 8-bit counters): 603606 [0x555560d6e000, 0x555560e015d6), +INFO: Loaded 1 PC tables (603606 PCs): 603606 [0x5555604379b0,0x555560d6d710), +./qemu-videzzo-aarch64-target-videzzo-fuzz-cadence-uart: Running 1 inputs 1 time(s) each. +INFO: Reading pre_seed_input if any ... +INFO: Executing pre_seed_input if any ... 
+Matching objects by name , *uart* +This process will fuzz the following MemoryRegions: + * uart[0] (size 1000) + * uart[0] (size 1000) +This process will fuzz through the following interfaces: + * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255 + * uart, EVENT_TYPE_MMIO_READ, 0xff000000 +0x1000, 1,4 + * uart, EVENT_TYPE_MMIO_WRITE, 0xff000000 +0x1000, 1,4 + * uart, EVENT_TYPE_MMIO_READ, 0xff010000 +0x1000, 1,4 + * uart, EVENT_TYPE_MMIO_WRITE, 0xff010000 +0x1000, 1,4 +INFO: A corpus is not provided, starting from an empty corpus +#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 512Mb +Running: ./poc-qemu-videzzo-aarch64-target-videzzo-fuzz-cadence-uart-crash-cef41ca061384b94899472d8e2e6b5a86b62d259.minimized +../hw/char/cadence_uart.c:181:15: runtime error: division by zero +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/char/cadence_uart.c:181:15 in +AddressSanitizer:DEADLYSIGNAL +================================================================= +==23==ERROR: AddressSanitizer: FPE on unknown address 0x555558fee913 (pc 0x555558fee913 bp 0x7fffffffb5f0 sp 0x7fffffffb220 T0) + #0 0x555558fee913 in uart_parameters_setup /root/videzzo/videzzo_qemu/qemu/out-san/../hw/char/cadence_uart.c:181:15 + #1 0x555558fe8165 in uart_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/char/cadence_uart.c:471:9 + #2 0x55555c7bee3e in memory_region_write_with_attrs_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:514:12 + #3 0x55555c7be051 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18 + #4 0x55555c7bcd1e in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1522:13 + #5 0x55555c84ce1e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2826:23 + #6 0x55555c83abcb in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2868:12 + #7 0x55555c83a688 in address_space_write 
/root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2964:18 + #8 0x555558b3e91e in qemu_writew /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1101:5 + #9 0x555558b3d173 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1253:28 + #10 0x55555d6b5fef in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5 + #11 0x55555d6ad36d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9 + #12 0x55555d6ad114 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9 + #13 0x555558b4646c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1530:12 + #14 0x55555d6bae3b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18 + #15 0x555558a26bf6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17 + #16 0x555558a09824 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21 + #17 0x555558a147ce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19 + #18 0x555558a00db6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30 + #19 0x7ffff607a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #20 0x555558a00e0d in _start (/root/bugs/metadata/cadence_uart-00/qemu-videzzo-aarch64-target-videzzo-fuzz-cadence-uart+0x34ace0d) + +AddressSanitizer can not provide additional info. 
+SUMMARY: AddressSanitizer: FPE /root/videzzo/videzzo_qemu/qemu/out-san/../hw/char/cadence_uart.c:181:15 in uart_parameters_setup +==23==ABORTING +MS: 0 ; base unit: 0000000000000000000000000000000000000000 +0x1,0x9,0x18,0x0,0x0,0xff,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x33,0x12,0x0,0x0,0x0,0x0,0x1,0x9,0x4,0x0,0x0,0xff,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xc4,0xbc,0x4e,0x4c,0x0,0x0,0x0,0x0, +\\x01\\x09\\x18\\x00\\x00\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x003\\x12\\x00\\x00\\x00\\x00\\x01\\x09\\x04\\x00\\x00\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xc4\\xbcNL\\x00\\x00\\x00\\x00 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1514.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1514.toml new file mode 100644 index 00000000..4ab1f591 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1514.toml @@ -0,0 +1,15 @@ +id = 1514 +title = "Cpu flags for ARM is surprising" +state = "closed" +created_at = "2023-02-27T10:40:57.982Z" +closed_at = "2024-04-12T15:54:51.045Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1514" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1552.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1552.toml new file mode 100644 index 00000000..dc5f81c9 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1552.toml 
@@ -0,0 +1,23 @@ +id = 1552 +title = "newer version(>=5.2.0) of qemu-system-aarch64 cannot debug arm64 linux kernel" +state = "opened" +created_at = "2023-03-21T03:43:48.006Z" +closed_at = "n/a" +labels = ["GDB", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1552" +host-os = "Ubuntu22" +host-arch = "x86_64" +qemu-version = "qemu-system-aarch64 6.2.0" +guest-os = "linux" +guest-arch = "aarch64" +description = """""" +reproduce = """1. Run QEMU in on teminal. +2. Run gdb-multiarch in another terminal, for example: gdb-multiarch ./linux-5.10.4/vmlinux +3. In gdb-multiarch, enter three commands in sequence:"target remote localhost:1234"、"b do_sys_open"、"continue" +4. GDB breakpoint cannot take effect +5. If using qemu-system-aarch64 5.0.0(manually compiled),GDB breakpoint can take effect.""" +additional = """I tested this problem using different combinations: +Host Os:Ubuntu18/Ubuntu20/Ubuntu22 +ARM64 Linux Kernel: 5.4.50/5.10.4 +QEMU:qemu 2.11/qemu 4.2/qemu 5.0/qemu 5.2/qemu 6.2/qemu 7 +Finally, I found out that arm64 linux kernel cannot be debugged since qemu-system-aarch64 5.2.0.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1575.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1575.toml new file mode 100644 index 00000000..87821b81 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1575.toml @@ -0,0 +1,15 @@ +id = 1575 +title = "how to implement a heterogeneous machine(several sysbus/mem map)?" +state = "closed" +created_at = "2023-04-04T08:50:13.150Z" +closed_at = "2023-04-05T17:01:48.392Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1575" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1600.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1600.toml new file mode 100644 index 00000000..763127da --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1600.toml 
@@ -0,0 +1,33 @@ +id = 1600 +title = "Aarch64/FEAT_SEL2 secure S1 translation for a NS page resolves to the secure IPA space" +state = "closed" +created_at = "2023-04-13T12:44:55.524Z" +closed_at = "2023-05-13T08:35:45.554Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1600" +host-os = "Ubuntu" +host-arch = "x86" +qemu-version = "7.2.91 (v8.0.0-rc1-36-g60ca584b8a)" +guest-os = "TF-A/Hafnium firmware + Linux" +guest-arch = "Arm" +description = """Follow up to https://lists.trustedfirmware.org/archives/list/hafnium@lists.trustedfirmware.org/thread/ZUHRGWVDPUQ5CK6SRWZ7AMI5IKVS6J47/ + +In context of Hafnium project (SEL2 / SPM firmware), implementing secure/non-secure page tables split rooted by VTTBR/VSTTBR in TZ secure world. +Observing transactions always resolve to the secure IPA space (hence to the page tables rooted to by VSTTBR) whichever the state of the S1 MMU translation NS bit. +Access to a page mapped NS from the SEL1 Trusted OS, causes a S2 page fault even though mapped in page tables rooted to by VTTBR. + +The VTCR_EL2/VSTCR_EL2 settings at SEL2 are as follows: +VTCR_EL2.NSA/NSW=10b +VSTCR_EL2.SA/SW=00b + +Note the same set of changes (https://review.trustedfirmware.org/q/topic:%2522od/split-vttbr%2522+status:open) run fine for the same scenario on FVP.""" +reproduce = """1. build qemu master 60ca584b8af0de525656f959991a440f8c191f12 +2. unzip [qemu-sel2-vttbr-fail.zip](/uploads/ec556347c32d97f79c140c5bccf45c6b/qemu-sel2-vttbr-fail.zip) +3. 
Run + +``` +<...>/qemu/build/aarch64-softmmu/qemu-system-aarch64 -nographic -serial file:uart0.log -serial file:uart1.log -smp 2 -machine virt,secure=on,mte=on,gic-version=3,virtualization=true -cpu max,sme=off,pauth-impdef=on -d unimp -semihosting-config enable=on,target=native -m 1057 -bios bl1.bin -initrd rootfs.cpio.gz -kernel Image -no-acpi -append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2 nokaslr' -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic +```""" +additional = """[qemu-60ca58-qemu-tfa-hf-linux-fail.txt](/uploads/1db0155fc49140cf52913cd75b7494c1/qemu-60ca58-qemu-tfa-hf-linux-fail.txt) illustrates the failure, linux boot stops, after sharing a NS page to the TOS, and the TOS retrieving the page, mapping as NS and accessing it (ends in a dead loop, because of the S2 PF in the TOS). + +[qemu-tfa-hf-linux-pass.txt](/uploads/4e672617838e40fe3614c127531443b5/qemu-tfa-hf-linux-pass.txt) shows the expected output where the NS mem sharing operation succeeds.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1608.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1608.toml new file mode 100644 index 00000000..edaebfd7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1608.toml @@ -0,0 +1,15 @@ +id = 1608 +title = "QEMU gives wrong MPIDR value for Arm CPU types with MT=1" +state = "opened" +created_at = "2023-04-18T16:42:37.887Z" +closed_at = "n/a" +labels = ["kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1608" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1627.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1627.toml new file mode 100644 index 00000000..7064f8d2 
--- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1627.toml 
@@ -0,0 +1,49 @@ +id = 1627 +title = "Aarch64: VTCR.T0SZ / iasize test for Aarch32 guests wrong" +state = "closed" +created_at = "2023-04-27T15:23:21.691Z" +closed_at = "2023-05-13T08:35:45.595Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1627" +host-os = "Debian/Sid/Bookworm" +host-arch = "x86 / 64-bit" +qemu-version = "v8.0.0-248-g732d6603d0-dirty" +guest-os = "L4Re (custom)" +guest-arch = "ARM (Aarch64)" +description = """With QEMU 8 we are no longer able to execute Aarch32 guest code on an Aarch64 host. We use virtualization for the QEMU guest: +- The QEMU guest kernel (L4Re kernel) runs at EL2 in AArch64 mode. +- The L4Re guest code runs at EL1 in AAarch32 mode. + +It seems that the check for T0SZ / iasize in `ptw.c` / `check_s2_mmu_setup()` is too strict: +``` +if (is_aa64) { + /* + * AArch64.S2InvalidTxSZ: While we checked tsz_oob near the top of + * get_phys_addr_lpae, that used aa64_va_parameters which apply + * to aarch64. If Stage1 is aarch32, the min_txsz is larger. + * See AArch64.S2MinTxSZ, where min_tsz is 24, translated to + * inputsize is 64 - 24 = 40. + */ + if (iasize < 40 && !arm_el_is_aa64(&cpu->env, 1)) { + goto fail; + } +``` +The above test fails for us when executing Aarch32 EL1 code on Aarch64 EL2. + +Please note that the comment talks about `S2MinTxSZ` / `min_tsz`, so if the **minimum** value of `T0SZ` is 24, then the **maximum** value of `iasize` is `64-24=40` so the following comparison would be more appropriate (I replaces `<` by `>`): +``` +if (iasize > 40 && !arm_el_is_aa64(&cpu->env, 1)) { + goto fail; +} +``` +However, the minimum value of `VTCR_EL2.T0SZ` is either 16 or 12, see `VTCR_EL2.DS`: +- `VTCR_EL2.DS=0b0`: **minimum** value of `VTCR_EL2.T0SZ` is 16 => **maximum** value of `iasize` is 48, +- `VTCR_EL2.DS=0b1`: **minimum** value of `VTCR_EL2.T0SZ` is 12 => **maximum** value of `iasize` is 52. 
+ +Regarding the minimum of `iasize` / maximum of `VTCR_EL2.T0SZ`, see `ID_AA64MMFR_EL1.ST`: +- `ID_AA64MMFR2_EL1.ST=0b0000`: **maximum** value of `VTCR_EL2.T0SZ` is 39 => **minimum** value of `iasize` is 25, +- `ID_AA64MMFR2_EL1.ST=0b0001`: **maximum** value of `VTCR_EL2.T0SZ` is 48 => **minimum** value of `iasize` is 16 (or 47/17 for 64KiB granules). + +Our system executes Aarch32 EL1 code fine on Aarch64 EL2 if I weaken the comparison.""" +reproduce = "n/a" +additional = """Sorry for not providing a test build but I'm not sure if it's worth to provide a custom build of our L4Re system, but I will happily provide one if you insist.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1640.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1640.toml new file mode 100644 index 00000000..73a219b1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1640.toml 
@@ -0,0 +1,33 @@ +id = 1640 +title = "aarch64: usb_mtp_get_data: Assertion `(s->dataset.size == 0xFFFFFFFF) || (s->dataset.size == d->offset)' failed" +state = "closed" +created_at = "2023-05-09T13:53:19.237Z" +closed_at = "2024-03-12T13:58:24.153Z" +labels = ["USB", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1640" +host-os = "NixOS" +host-arch = "aarch64" +qemu-version = "8.0.0" +guest-os = "NixOS" +guest-arch = "aarch64" +description = """When attempting to write to an MTP device in QEMU 8.0.0 on arm64, QEMU will crash at runtime with the following error: +`qemu-system-aarch64: ../hw/usb/dev-mtp.c:1819: usb_mtp_get_data: Assertion '(s->dataset.size == 0xFFFFFFFF) || (s->dataset.size == d->offset)' failed.` + +This was observed in Nixpkgs where we use QEMU to provide automated testing of MTP devices for GVFS and jmtpfs, the full log for that test run that crashes due to this QEMU regression on arm64 is available here https://hydra.nixos.org/build/218858556/nixlog/1""" +reproduce = """1. Launch a QEMU virtual machine with `-usb -device usb-mtp,rootdir=/tmp,readonly=false` using any QEMU version above 6.0.0 +2. Mount the MTP device using something like: + ``` + mkdir mtpDevice && jmtpfs mtpDevice + ``` +3. Try to write to the mtp device: + ``` + dd if=/dev/urandom of=./mtpDevice/file + ``` +4. Observe that QEMU will crash when trying to write to the device, like this: + ``` + client # 10+0 records in + client # 10+0 records out + client # 10485760 bytes (10 MB, 10 MiB) copied, 0.0318363 s, 329 MB/s + client # qemu-system-aarch64: ../hw/usb/dev-mtp.c:1819: usb_mtp_get_data: Assertion '(s->dataset.size == 0xFFFFFFFF) || (s->dataset.size == d->offset)' failed.error + ```""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1651.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1651.toml new file mode 100644 index 00000000..ceffc056 --- /dev/null 
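Review bot: 1640.toml ends with `additional = """"""`, an empty multi-line string, whereas other records in this commit write `additional = "n/a"` for the same absence of content (1657, 1802, 1850 and 1874 below use the empty string as well). Pick one sentinel for "not provided" and have the extractor emit it consistently, or omit the key entirely; otherwise every consumer has to special-case both `""` and `"n/a"`.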
+++ b/gitlab/issues/target_arm/host_missing/accel_missing/1651.toml @@ -0,0 +1,15 @@ +id = 1651 +title = "bcm2835 timer jumps to max delay" +state = "opened" +created_at = "2023-05-15T09:15:31.712Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1651" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1657.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1657.toml new file mode 100644 index 00000000..f7abeb41 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1657.toml 
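Review bot: 1651.toml has a real title but `description = "n/a"`, which suggests the extractor only fills `description` when the body follows the issue template and otherwise records nothing; 172.toml and 1761.toml further down show the same pattern, and 1761 is even labelled "workflow::Patch available" and closed, so it certainly had a body. Fall back to the raw issue body for `description` when the template sections are not found. Separately, `closed_at = "n/a"` for an opened issue means the field is sometimes a date string and sometimes a sentinel; omitting `closed_at` while `state = "opened"` would let consumers parse it as a date unconditionally.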
@@ -0,0 +1,41 @@ +id = 1657 +title = "Unable to use ide hard drive when using xlnx-zcu102 board" +state = "opened" +created_at = "2023-05-17T08:04:26.630Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1657" +host-os = "ubuntu1~22.04.1" +host-arch = "x86" +qemu-version = "7.2.0" +guest-os = "- OS/kernel version:" +guest-arch = "aarch64" +description = """I have only recently started using qemu and am reading content related to ahci. When I started QEMU using the above command line (I did not specify the Linux kernel because I only wanted to see which devices were initialized on the motherboard), I found the following devices in the device tree: + ``` +dev: sysbus-ahci, id "" + +gpio-out "sysbus-irq" 1 + +num-ports = 2 (0x2) + +mmio 00000000fd0c0000/0000000000001000 + +bus: ide.1 + +type IDE + +bus: ide.0 + +type IDE + ``` + +I think this is similar to the ICH9 ahci device, so I tried to mount an IDE hard drive(using command line:-drive file=./testide.img)but failed. QEMU shows + ``` +qemu-system-aarch64: -drive file=./ testide.img: machine type does not support if=ide,bus=0,unit=0 + ``` +So if the ide bus generated by sysbus ahci cannot mount a hard drive, what device should it mount? +It will be grateful if anyone can answer this question.""" +reproduce = """1. +2. +3.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/172.toml b/gitlab/issues/target_arm/host_missing/accel_missing/172.toml new file mode 100644 index 00000000..9289840c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/172.toml 
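Review bot: 1657.toml stores unanswered template placeholders as values: `guest-os = "- OS/kernel version:"` is the template prompt itself, and `reproduce = """1.\n2.\n3."""` is the empty numbered list from the template. The same residue appears in 1802.toml and 1819.toml (`qemu-version = "- QEMU command line:"`). The extractor should recognise a placeholder line (a template prompt with nothing after the colon, or a bare "1. 2. 3." list) and treat it as missing, otherwise these records look populated when they are not.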
@@ -0,0 +1,15 @@ +id = 172 +title = "qemu seems to lack support for pid namespace." +state = "opened" +created_at = "2021-05-05T11:28:20.916Z" +closed_at = "n/a" +labels = ["Launchpad", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/172" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1761.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1761.toml new file mode 100644 index 00000000..6df56fec --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1761.toml @@ -0,0 +1,15 @@ +id = 1761 +title = "vexpress-a9 board maps both RAM and flash at address 0" +state = "closed" +created_at = "2023-07-13T11:58:42.801Z" +closed_at = "2023-11-07T03:01:52.880Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1761" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1763.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1763.toml new file mode 100644 index 00000000..248dc7d4 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1763.toml 
@@ -0,0 +1,20 @@ +id = 1763 +title = "ldd fails with qemu-aarch64" +state = "opened" +created_at = "2023-07-15T00:58:48.487Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1763" +host-os = "Ubuntu 20.04/23.04" +host-arch = "x86_64" +qemu-version = "multiple tested: 7.0, 7.2" +guest-os = "Ubuntu 16.04" +guest-arch = "aarch64" +description = """see the original issue for full details https://github.com/multiarch/qemu-user-static/issues/172""" +reproduce = """1. docker run --rm -it arm64v8/ubuntu:16.04 ldd /bin/ls + +Also possible on other newer OSs (eg: Ubuntu:18.04) with different compiled binaries.""" +additional = """``` +WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64) and no specific platform was requested +ldd: exited with unknown exit code (139) +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1772.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1772.toml new file mode 100644 index 00000000..12f06080 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1772.toml 
@@ -0,0 +1,20 @@ +id = 1772 +title = "MPS2 AN521 has the wrong number of MPU region defined" +state = "closed" +created_at = "2023-07-18T21:11:31.996Z" +closed_at = "2023-08-31T16:14:26.140Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1772" +host-os = "any" +host-arch = "any" +qemu-version = "7.0.0" +guest-os = "Zephyr" +guest-arch = "Arm" +description = """The AN521 is integrating SSE-200 on the MPS2+ FPGA prototyping board. +The current implementation in qemu behaves as though there are 16MPU regions when it really only has 8, as describes as `MPU_NS` and `MPU_S` core configuration parameters in the SSE-200's [Techincal Reference Manual](https://developer.arm.com/documentation/101104/0200/functional-description/cpu-elements/cortex-m33-configurations?lang=en).""" +reproduce = """1. Prepare your Zephyr dev environment +2. fix `boards/arm/mps2_an521/mps2_an521.dts` to set `arm,num-mpu-regions` to the appropriate value of 8. +3. build a Zephyr test such as `west build -p -b mps2_an521 -T tests/kernel/interrupt/arch.interrupt` +4. run `qemu-system-arm -machine mps2-an521 -chardev stdio,id=con,mux=on -serial chardev:con -kernel ./build/zephyr/zephyr.elf`""" +additional = """With matching MPU region number in QEMU and Zephyr's DTS, the application shows the test suite's progress & outcome. +If there's a mismatch, the application will enter a fault and not display the expected traces.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1802.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1802.toml new file mode 100644 index 00000000..706b54ef --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1802.toml 
@@ -0,0 +1,17 @@ +id = 1802 +title = "windows serial COM PollingFunc don't sleep if guest uart can't write" +state = "opened" +created_at = "2023-08-01T20:57:30.533Z" +closed_at = "n/a" +labels = ["hostos: Windows", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1802" +host-os = "Windows 10 22H2" +host-arch = "x64" +qemu-version = "QEMU 8.0.91" +guest-os = "none / machine mps2-an386" +guest-arch = "ARM Cortex-M4" +description = """If two or more characters are sent from the host to the guest via Windows Com/Serial, everything freezes.""" +reproduce = """1. +2. +3.""" +additional = """I fix it in qemu/chardev/char-win.c see attached file""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1819.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1819.toml new file mode 100644 index 00000000..254c5fe4 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1819.toml 
@@ -0,0 +1,20 @@ +id = 1819 +title = "segmentation fault for rpm -qa command on centos:centos7 linux/arm/v7 architecture for docker container in shell." +state = "opened" +created_at = "2023-08-08T09:05:22.768Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1819" +host-os = "ubuntu aws t2.large machine.cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION=\"Ubuntu 22.04.2 LTS\"" +host-arch = "arm/v7" +qemu-version = "- QEMU command line:" +guest-os = "n/a" +guest-arch = "arm/v7" +description = """""" +reproduce = """1. docker pull centos:centos7@sha256:6887440ab977f751d6675157b73e42428d8ac05cf244c5d09ba036cc22d40d13 //pull an image centos:centos7 linux/arm/v7 tag +2. docker run -it b22fdcc90005 //docker run in interactive mode just pulled image +3. on shell run command -\\> rpm -qa. +4. docker run -it b22fdcc90005 + + WARNING: The requested image's platform (linux/arm/v7) does not match the detected host platform (linux/amd64) and no specific platform was requested \\[root@e23bc92686e8 /\\]# rpm -qa Segmentation fault (core dumped)""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1825.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1825.toml new file mode 100644 index 00000000..5aa4761d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1825.toml 
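Review bot: in 1819.toml `host-arch = "arm/v7"` is the reporter's answer, but the Docker warning quoted in the same record says the detected host platform is linux/amd64, so the field describes the container image rather than the host. This is a reminder that `host-arch` and `guest-arch` are unverified reporter input; if the study classifies issues by host architecture, derive it from labels or from evidence in the body rather than from this field alone, or flag records where the two disagree.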
@@ -0,0 +1,22 @@ +id = 1825 +title = "pigz crashes when running in an aarch64 chroot (entered through qemu-binfmt) with qemu 8.1.0-rc*, qemu 8.0.3 is ok" +state = "closed" +created_at = "2023-08-11T11:51:42.963Z" +closed_at = "2023-08-14T18:46:59.035Z" +labels = ["Closed::Duplicate", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1825" +host-os = "OpenMandriva Cooker (Linux 6.4.9, glibc 2.38, clang 16.0.6)" +host-arch = "x86" +qemu-version = "8.0.93 (8.1.0-rc3)" +guest-os = "OpenMandriva Cooker aarch64" +guest-arch = "aarch64" +description = """If qemu 8.1.0-rc1, -rc2 or -rc3 is used, pigz crashes. +``` +# chroot /chroot/aarch64 pigz /tmp/test +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +Segmentation fault +``` +With qemu 8.0.3 on the same chroot enviroment, it works and produces the expected /chroot/aarch64/tmp/test.gz""" +reproduce = """1. Install an aarch64 chroot environment on x86_64 +2. Try using pigz to compress a file inside the chroot environment using qemu-binfmt""" +additional = """Unfortunately `git bisect`-ing the issue isn't easy because many snapshots between 8.0.0 (good) and 8.1.0-rc1 (first known bad) don't compile.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1850.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1850.toml new file mode 100644 index 00000000..f490b16b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1850.toml 
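Review bot: 1825.toml is labelled "Closed::Duplicate" but the record does not say which issue it duplicates, so a study counting distinct bugs cannot merge it with its target. Record the duplicate target (GitLab exposes it on the issue) in a dedicated field, and consider a derived `resolution` field from the `Closed::*` labels so that "Closed::Invalid" records such as 1850.toml below can be excluded from bug counts; for closed issues with no `Closed::*` label at all (1913 and 1920 below) the outcome is currently unknowable from the record.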
@@ -0,0 +1,37 @@ +id = 1850 +title = "AARCH64 Illegal Instruction (CurrentEL)" +state = "closed" +created_at = "2023-08-28T16:52:43.798Z" +closed_at = "2023-08-28T18:30:08.582Z" +labels = ["Closed::Invalid", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1850" +host-os = "Ubuntu 22.04.2 LTS" +host-arch = "x86" +qemu-version = "6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.12)" +guest-os = "Alpine (3.18.0)" +guest-arch = "aarch64" +description = """While emulating Aarch64 in QEMU, whenever the instruction `CurrentEL` is executed, +QEMU crashes with the following message. + +`qemu: uncaught target signal 4 (Illegal instruction) - core dumped +Illegal instruction (core dumped)` + +I've tried both QEMU user space translation (qemu-aarch64-static) and QEMU emulation (qemu-system-aarch64), +and both fail with the above message. + +C Code to reproduce bug, courtesy of https://github.com/cirosantilli/linux-kernel-module-cheat/blob/35684b1b7e0a04a68987056cb15abd97e3d2f0cc/baremetal/arch/aarch64/el.c +``` +#include <stdio.h> +#include <inttypes.h> + +int main(void) { + register uint64_t x0 __asm__ ("x0"); +\t__asm__ ("mrs x0, CurrentEL;" : : : "%x0"); +\tprintf("%" PRIu64 "\\n", x0 >> 2); +\treturn 0; +} +```""" +reproduce = """1. Copy C code above into file. +2. Compile code `gcc ./main.c --static` +3. Execute elf bin `./a.out`""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1852.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1852.toml new file mode 100644 index 00000000..4daebfbf --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1852.toml 
@@ -0,0 +1,118 @@ +id = 1852 +title = "aarch64: crash failed to analyze vmcore of dump-guest-memory" +state = "opened" +created_at = "2023-08-30T01:53:33.082Z" +closed_at = "n/a" +labels = ["kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1852" +host-os = "`" +host-arch = "ARM" +qemu-version = "`" +guest-os = "`" +guest-arch = "`" +description = """``` +1、 dump guest memory +virsh qemu-monitor-command 3 --hmp "dump-guest-memory /home/ecs3.kdump" +2、crash kdump failed +[root@ceasphere-node-1 home]# ./crash ./vmlinux ./ecs3.kdump + +crash 7.2.9-2.el8 +Copyright (C) 2002-2020 Red Hat, Inc. +Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation +Copyright (C) 1999-2006 Hewlett-Packard Co +Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited +Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. +Copyright (C) 2005, 2011 NEC Corporation +Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. +Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. +This program is free software, covered by the GNU General Public License, +and you are welcome to change it and/or distribute copies of it under +certain conditions. Enter "help copying" to see the conditions. +This program has absolutely no warranty. Enter "help warranty" for details. + +crash: read error: kernel virtual address: ffff000010e0ba48 type: "vabits_user" +GNU gdb (GDB) 7.6 +Copyright (C) 2013 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. Type "show copying" +and "show warranty" for details. +This GDB was configured as "aarch64-unknown-linux-gnu"... 
+ +crash: read error: kernel virtual address: ffff000011a609b8 type: "possible" +WARNING: cannot read cpu_possible_map +crash: read error: kernel virtual address: ffff000011a60bb8 type: "present" +WARNING: cannot read cpu_present_map +crash: read error: kernel virtual address: ffff000011a607b8 type: "online" +WARNING: cannot read cpu_online_map +crash: read error: kernel virtual address: ffff000011a60db8 type: "active" +WARNING: cannot read cpu_active_map +crash: read error: kernel virtual address: ffff0000123da120 type: "shadow_timekeeper xtime_sec" +crash: read error: kernel virtual address: ffff000011a6a6ac type: "init_uts_ns" +crash: ./vmlinux and ./ecs3.kdump do not match! + +Usage: + + crash [OPTION]... NAMELIST MEMORY-IMAGE[@ADDRESS] (dumpfile form) + crash [OPTION]... [NAMELIST] (live system form) + +Enter "crash -h" for details. +```""" +reproduce = """1. virsh create vm.xml +2. virsh qemu-monitor-command 3 --hmp "dump-guest-memory /home/ecs3.kdump" +3. crash ./vmlinux ./ecs3.kdump""" +additional = """The vmcore by 'echo c > /proc/sysrq-trigger' in guest is ok, crash work. + +``` +[root@ceasphere-node-1 home]# crash ./vmlinux ./vmcore + +crash 8.0.3-1.el9 +Copyright (C) 2002-2022 Red Hat, Inc. +Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation +Copyright (C) 1999-2006 Hewlett-Packard Co +Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited +Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. +Copyright (C) 2005, 2011, 2020-2022 NEC Corporation +Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. +Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. +Copyright (C) 2015, 2021 VMware, Inc. +This program is free software, covered by the GNU General Public License, +and you are welcome to change it and/or distribute copies of it under +certain conditions. Enter "help copying" to see the conditions. +This program has absolutely no warranty. Enter "help warranty" for details. 
+ +GNU gdb (GDB) 10.2 +Copyright (C) 2021 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +Type "show copying" and "show warranty" for details. +This GDB was configured as "aarch64-unknown-linux-gnu". +Type "show configuration" for configuration details. +Find the GDB manual and other documentation resources online at: + <http://www.gnu.org/software/gdb/documentation/>. + +For help, type "help". +Type "apropos word" to search for commands related to "word"... + + KERNEL: ./vmlinux + DUMPFILE: ./vmcore [PARTIAL DUMP] + CPUS: 4 + DATE: Wed Aug 30 09:06:01 CST 2023 + UPTIME: 00:01:08 +LOAD AVERAGE: 0.91, 0.34, 0.12 + TASKS: 158 + NODENAME: localhost + RELEASE: 4.18.0-305.3.1.el8.aarch64 + VERSION: #1 SMP Tue Jun 1 16:22:50 UTC 2021 + MACHINE: aarch64 (unknown Mhz) + MEMORY: 16 GB + PANIC: "sysrq: SysRq : Trigger a crash" + PID: 1310 + COMMAND: "bash" + TASK: ffff8003d47d3200 [THREAD_INFO: ffff8003d47d3200] + CPU: 1 + STATE: TASK_RUNNING (SYSRQ) + +crash> +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1874.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1874.toml new file mode 100644 index 00000000..d0de09cd --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1874.toml 
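Review bot: in 1852.toml `host-os`, `qemu-version`, `guest-os` and `guest-arch` all hold a single backtick, which is fence debris: the reporter evidently wrapped the template answers in a code block and the extractor captured the opening fence as the value. Strip Markdown fences from field answers before storing them, and treat a value consisting only of backticks as missing.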
@@ -0,0 +1,25 @@ +id = 1874 +title = "QGA:Whether arm windows VMS are supported?" +state = "opened" +created_at = "2023-09-07T01:50:29.422Z" +closed_at = "n/a" +labels = ["Build System", "Guest Agent", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1874" +host-os = "linux" +host-arch = "ARM" +qemu-version = "8.0.93" +guest-os = "Windows 11 ARM" +guest-arch = "ARM" +description = """Whether qga can be used within an arm windows virtual machine? + +Windows reports an error (Failed to pCatalog->InstallComponent.(Error: 80110401) Errors occurred accessing one or more objects - the ErrorInfo collection may have more detail) when I try to install msi. Windows reports a warning(Catalog Event ID 5488: Unable to load DLL qga-vss.dll) (Unable to validate DLL entry points) in Event Viewer. + +I get msi from https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-qemu-ga/qemu-ga-win-105.0.2-1.el9/qemu-ga-x86_64.msi +Either gqa does not support ARM or this msi is only for X86 architecture? + + + +""" +reproduce = """1. Start arm windows 11 vm. +2. Install qemu guest agent.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1878.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1878.toml new file mode 100644 index 00000000..dc497da3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1878.toml 
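Review bot: the `description` string in 1874.toml ends with four blank lines before the closing `"""`. Trim trailing whitespace and blank lines from multi-line fields in the extractor so that string comparisons and hashes of the description are stable across records.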
@@ -0,0 +1,37 @@ +id = 1878 +title = "QEMU doesn't implement ARMv4/v5 legacy SCTLR.U==0 load-and-rotate unaligned access handling" +state = "opened" +created_at = "2023-09-11T14:22:36.971Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1878" +host-os = "Windows 11 Pro 22H2" +host-arch = "x64" +qemu-version = "8.0.94 (v8.1.0-rc4-12032-g74a4cbee04)" +guest-os = "bare metal software" +guest-arch = "ARM" +description = """**ldr r7, \\[r0, r1\\]** works differently on real device and QEMU. Probably all **ldr Rd, \\[Rs\\]** commands works wrongly in QEMU with Raspberry Pi emulation.""" +reproduce = """1. Launch the attached software **kernel_qemu.img** in QEMU. +2. Launch the attached software **kerenel.img** on real Raspberry Pi 1B+. +3. Look at the r7. It contains different data.""" +additional = """**kernel_qemu.img** and **kerenel.img** are the same program. It just compiled with different origins - 0x8000 for real device and 0x10000 for QEMU. But code inside the program works at the same addresses. + +r0 = 0x183a4 + +r1 = 0x817 + +**\\[r0, r1\\]** points to byte 0x42 in memory with such data: + +**0x80 0x15 0x22 \\[0x42\\] 0x03 0x21 0x87** + +After **ldr r7, \\[r0, r1\\]** execution real device puts to r7: **0x22158042** + +After **ldr r7, \\[r0, r1\\]** execution QEMU puts to r7: **0x87210342** + +QEMU: + + + +Real Raspberry Pi 1B+:  + +[kernel_qemu.img](/uploads/ae6a7490660569d5fe56adc9f4dde85d/kernel_qemu.img) [kernel.img](/uploads/48c94a66370c1fe8720fe89603c45c7b/kernel.img)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1899.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1899.toml new file mode 100644 index 00000000..9501e522 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1899.toml 
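Review bot: 1878.toml keeps the attachment links as project-relative paths (`/uploads/ae6a7490660569d5fe56adc9f4dde85d/kernel_qemu.img`), which cannot be resolved from the TOML without knowing the project base, and the two screenshots have vanished entirely, leaving a dangling "QEMU:" line followed by blank lines. Rewrite upload links to absolute URLs under the issue's project and record dropped images (at least their URLs) in a field, since the attached `kernel.img` binaries are the only reproducer this issue has.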
@@ -0,0 +1,49 @@ +id = 1899 +title = "AArch64: Wrong SCR_EL3 after turning on secondary cores via PSCI" +state = "closed" +created_at = "2023-09-21T13:00:42.972Z" +closed_at = "2023-10-21T07:31:16.981Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1899" +host-os = "openSUSE Tumbleweed" +host-arch = "x86_64" +qemu-version = "current master ( 55394dcbec) + https://lore.kernel.org/qemu-devel/4831384.GXAFRqVoOG@linux-e202.suse.de/" +guest-os = "Linux / Windows 11" +guest-arch = "aarch64" +description = """The system fails to boot when using "direct kernel boot" with EL3 enabled. After the guest OS enables secondary cores via PSCI, those have an incorrectly set up `SCR_EL3`. When the OS then executes an intruction which traps into (QEMU provided fake) EL3, the core ends up in an endless loop of "Undefined Instruction" exceptions. + +This is nicely visible with `-serial stdio -append "earlycon=pl011,0x9000000 console=/dev/ttyAMA0" -d int`: + +```plaintext +[ 0.173173][ T1] smp: Bringing up secondary CPUs ... +(...) +Taking exception 11 [Hypervisor Call] on CPU 0 +...from EL1 to EL2 +...with ESR 0x16/0x5a000000 +...handled as PSCI call +Taking exception 5 [IRQ] on CPU 0 +...from EL1 to EL1 +...with ESR 0x16/0x5a000000 +...with ELR 0xffffa9ff8b593438 +...to EL1 PC 0xffffa9ff8aa11280 PSTATE 0x3c5 +Exception return from AArch64 EL1 to AArch64 EL1 PC 0xffffa9ff8b593438 +Exception return from AArch64 EL1 to AArch64 EL1 PC 0x41f7832c +Taking exception 1 [Undefined Instruction] on CPU 1 +...from EL1 to EL3 +...with ESR 0x18/0x62300882 +...with ELR 0xffffa9ff8aa3d0d8 +...to EL3 PC 0x400 PSTATE 0x3cd +Taking exception 1 [Undefined Instruction] on CPU 1 +...from EL3 to EL3 +...with ESR 0x0/0x2000000 +...with ELR 0x400 +...to EL3 PC 0x200 PSTATE 0x3cd +(repeats forever, CPU 1 is stuck) +```""" +reproduce = """1. `qemu-system-aarch64 -M virt,secure=on -cpu max -smp 1 -kernel linux` works +2. 
`qemu-system-aarch64 -M virt,secure=on -cpu max -smp 2 -kernel linux` does not""" +additional = """The setup for `SCR_EL3` is done by `do_cpu_reset` in hw/arm/boot.c, but this is only called on full system reset. The PSCI call ends up in `arm_set_cpu_on_async_work` (target/arm/arm-powerctl.c) which calls `cpu_reset`. This clears `SCR_EL3` to the architectural reset value, not the one needed for direct kernel boot. + +`arm_set_cpu_on_async_work` has code for `SCR_HCE`, but none of the other flags handled by `do_cpu_reset`. It would probably work after copying all of `do_cpu_reset` into `arm_set_cpu_on_async_work`, but that seems wrong. I prepared a patch which makes `do_cpu_reset` public such that `arm_set_cpu_on_async_work` can call it (works here), but I'm not sure whether that's the right way. + +CC @pm215""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1909.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1909.toml new file mode 100644 index 00000000..b6668bc1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1909.toml 
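Review bot: in 1899.toml `qemu-version` mixes a commit id, the words "current master" and a lore.kernel.org URL for an out-of-tree patch in one string, so it cannot be compared with the plain "8.1.1" style versions in the other records. Keep the verbatim answer, but add a normalized version field (here the commit id) and a separate field for extra patches applied, so the study can tell which reports were made against unmodified upstream.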
@@ -0,0 +1,60 @@ +id = 1909 +title = "regression: 8.0.0 segfaults on coverage counter increment" +state = "opened" +created_at = "2023-09-27T13:11:51.320Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1909" +host-os = "Ubuntu 22.04" +host-arch = "x86_64" +qemu-version = "$ qemu-aarch64 --version" +guest-os = "None" +guest-arch = "arm64" +description = """With qemu 8.0.0, my test program segfaults while incrementing a gcov counter: + +``` +Breakpoint 2, 0x00000000004bc9a8 in __CortexA53843419_464004 () +(gdb) x/2i $pc +=> 0x4bc9a8 <__CortexA53843419_464004>:\tstr\tx8, [x9, #2512] + 0x4bc9ac <__CortexA53843419_464004+4>:\tb\t0x464008 <mock_hyp_params_Destroy+24> +(gdb) p $x8 +$10 = 1 +(gdb) p $x9 +$11 = 5234688 +(gdb) x/x $x9+2512 +0x4fe9d0 <__llvm_gcov_ctr.5>:\t0x00000000 +(gdb) stepi + +Program received signal SIGSEGV, Segmentation fault. +0x00000000004bc9a8 in __CortexA53843419_464004 () +(gdb) x/x $x9+2512 +0x4fe9d0 <__llvm_gcov_ctr.5>:\t0x00000000 +(gdb) shell llvm-objdump --syms --arch-name=aarch64 ./build/gcov/out/test_hyp-props.out | grep 4fe9d0 +00000000004fe9d0 l O .bss\t0000000000000008 __llvm_gcov_ctr.5 +(gdb) shell qemu-aarch64 --version +qemu-aarch64 version 8.0.0 +Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers +(gdb) +``` + +With qemu 6.2.0, it doesn't segfault (at least not at this point, you +may ignore the segfault at the end due to a bug in the test program). 
+``` +$ /usr/bin/qemu-aarch64 --version +qemu-aarch64 version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.12) +Copyright (c) 2003-2021 Fabrice Bellard and the QEMU Project developers + +$ /usr/bin/qemu-aarch64 ./build/gcov/out/test_hyp-props.out +test_hyp-props.c:13:test__setup_str_prop:PASS +test_hyp-props.c:14:test__log_print_handler:PASS +test_hyp-props.c:15:test__setup_log_print_prop:PASS +test_hyp-props.c:16:test__vm_vcpu_abort_reset_handler:PASS +test_hyp-props.c:17:test__vm_info_alloc:PASS +test_hyp-props.c:18:test__memory_status_get:PASS +test_hyp-props.c:19:test__memory_status_get_fail:PASS +Segmentation fault (core dumped) +```""" +reproduce = """1. Compile and link statically (with ld.lld) a test program, with clang, targetting aarch64 with: -target aarch64-linux-android -mcpu=cortex-a53, using --coverage option to generate gcov coverage. +2. Run it with qemu-aarch64 8.0.0 +3. Hopefully, it will segfault early for no good reason.""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1913.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1913.toml new file mode 100644 index 00000000..5cfe1e9a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1913.toml 
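Review bot: 1909.toml has `qemu-version = "$ qemu-aarch64 --version"`, the first line of a shell transcript the reporter pasted as the answer; the actual value, "qemu-aarch64 version 8.0.0", appears only inside the description. The extractor appears to take just the first line of a template answer; capture the whole answer for that field, or match a version pattern within it, so that a shell prompt does not end up as the version.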
@@ -0,0 +1,29 @@ +id = 1913 +title = "Regression in 8.1.1: qemu-aarch64-static running ldconfig" +state = "closed" +created_at = "2023-09-28T19:00:33.931Z" +closed_at = "2025-02-19T02:48:16.239Z" +labels = ["linux-user", "target: arm", "workflow::Confirmed"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1913" +host-os = "Arch Linux" +host-arch = "x86_64" +qemu-version = "8.1.1" +guest-os = "n/a" +guest-arch = "n/a" +description = """Since updating to 8.1.1, qemu crashes when running ldconfig in my sysroot (It's a more or less default Ubuntu 22.04 arm64 rootfs)""" +reproduce = """1. Download the arm64 ubuntu base from https://cdimage.ubuntu.com/ubuntu-base/releases/jammy/release/ +2. Extract it +3. Run `qemu-aarch64-static rootfs/sbin/ldconfig.real -r rootfs` where `rootfs` is where you extracted it with qemu 8.1.1 + +```bash +$ qemu-aarch64-static --version +qemu-aarch64 version 8.1.0 +$ qemu-aarch64-static rootfs/sbin/ldconfig.real -r rootfs +<works> +$ sudo pacman -U /var/cache/pacman/pkg/qemu-user-static*-8.1.1*.zst +$ qemu-aarch64-static --version +qemu-aarch64 version 8.1.1 +$ qemu-aarch64-static rootfs/sbin/ldconfig.real -r rootfs +<segfault> +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1920.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1920.toml new file mode 100644 index 00000000..684ceddf --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1920.toml 
@@ -0,0 +1,19 @@ +id = 1920 +title = "regrssion on 8.1.x: java/maven fails to run on qemu-aarch64" +state = "closed" +created_at = "2023-10-03T13:30:44.415Z" +closed_at = "2024-01-20T16:45:21.621Z" +labels = ["hostos: Linux", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1920" +host-os = "Fedora 39" +host-arch = "x86_64" +qemu-version = "8.1.1-1.fc39" +guest-os = "Ubuntu 22.04.3 LTS" +guest-arch = "aarch64" +description = """Java process crashes when running simple "mvn -version" command inside qemu-aarch64. "java -version" works. +Last known working version: 8.0.3 (qemu-8.0.3-4.fc39) +Failing versions: 8.1.1 (qemu-8.1.1-1.fc39) and 8.1.0 (qemu-8.1.0-1.fc39) +The same image works on native arm64 machine.""" +reproduce = """1. podman run --platform linux/arm64 docker.io/library/maven:3.9-eclipse-temurin-20 mvn -version +2. should display few lines of version information and not a NullPointerException""" +additional = """podman version 4.7.0""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1938.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1938.toml new file mode 100644 index 00000000..bfec904c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1938.toml 
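Review bot: 1920.toml carries a "hostos: Linux" label yet is filed under `host_missing/`, and 1802.toml above is filed the same way despite its "hostos: Windows" label, so the directory layout disagrees with the labels the issues actually have. If the directory is meant to encode the host, either map the `hostos:` label family as well or document which label family is used for bucketing, so consumers do not assume `host_missing/` means "no host information".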
@@ -0,0 +1,48 @@ +id = 1938 +title = "[ARM/PL011] Wrong UART register spacing reported in DBG2/SPCR" +state = "closed" +created_at = "2023-10-13T22:29:56.122Z" +closed_at = "2023-11-07T03:01:37.643Z" +labels = ["ACPI", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1938" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """QEMU reports the UART address on aarch64 (for PL011 UART) via the ACPI DBG2 and SPCR tables using the ACPI GAS structure. According to MSFT documentation at https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/acpi-debug-port-table: + +> * The Register Bit Width field contains the register stride and must be a power of 2 that is at least as large as the access size. On 32-bit platforms this value cannot exceed 32. On 64-bit platforms this value cannot exceed 64. +> * The Access Size field is used to determine whether byte, WORD, DWORD, or QWORD accesses are to be used. QWORD accesses are only valid on 64-bit architectures. + +For the PL011, the MMIO registers are: +* spaced 4 bytes apart; therefore the reported bit width should be 32 instead of 8. +* 16 bits wide; therefore the access width should be 2 instead of 1. 
+ +In other words: +``` +diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c +index 6b674231c2..cd284676d7 100644 +--- a/hw/arm/virt-acpi-build.c ++++ b/hw/arm/virt-acpi-build.c +@@ -482,7 +482,7 @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + build_append_int_noprefix(table_data, 3, 1); /* ARM PL011 UART */ + build_append_int_noprefix(table_data, 0, 3); /* Reserved */ + /* Base Address */ +- build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 8, 0, 1, ++ build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 32, 0, 2, + vms->memmap[VIRT_UART].base); + /* Interrupt Type */ + build_append_int_noprefix(table_data, +@@ -673,7 +673,7 @@ build_dbg2(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + build_append_int_noprefix(table_data, 34, 2); + + /* BaseAddressRegister[] */ +- build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 8, 0, 1, ++ build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 32, 0, 2, + vms->memmap[VIRT_UART].base); + + /* AddressSize[] */ +```""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1948.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1948.toml new file mode 100644 index 00000000..45e9df47 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1948.toml 
@@ -0,0 +1,15 @@ +id = 1948 +title = "ARM GICv3 cannot support irq number > 992" +state = "opened" +created_at = "2023-10-17T02:59:17.701Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1948" +host-os = "Linux" +host-arch = "x86" +qemu-version = "v7.2.0" +guest-os = "Linux" +guest-arch = "ARM" +description = """If we want to create a gic with supported irq number 992, we need to set the `num-irq` property to 992 + 32 while 32 is the extra SGI number. But there is a problem, when QEMU initialize GICv3, it will check the variable `num_irq <= 1020 && (num_irq & 32) == 0`, which will lead to error abort. So there is no way to bypass the ```num_irq <= 1020``` check and we cannot use irq number bigger than 992 while in ARM GIC specification, irq number < 1020 should all be aviliable to use.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1950.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1950.toml new file mode 100644 index 00000000..2c840d3b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1950.toml 
@@ -0,0 +1,21 @@ +id = 1950 +title = "[AARCH64] GP bit (BTI) lost during two stages translation" +state = "closed" +created_at = "2023-10-18T15:41:11.662Z" +closed_at = "2023-11-03T03:23:37.162Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1950" +host-os = "Ubuntu 20.04.6 LTS" +host-arch = "* QEMU flavor: qemu-system-aarch64" +qemu-version = "ec6f9f135d5e5596ab0258da2ddd048f1fd8c359" +guest-os = "Kinibi (SEL1)" +guest-arch = "AARCH64" +description = """I noticed that the BTI faults were not reported. +That's because the GP (guarded page) information is lost during the two stages translation in get_phys_addr_twostage(). +The "guarded" information is correctly retrieved by the first call to get_phys_addr_nogpc() but overwritten by the the second call to get_phys_addr_nogpc(). +The call to combine_cacheattrs() copies cacheattrs1.guarded but this field is never modified. + +The attached patch fixes the issue for me. +[get_phys_addr_twostage_bti_gp_bit_lost_master.patch](/uploads/2fbe8090f92c43a63e39ee66ab2daf47/get_phys_addr_twostage_bti_gp_bit_lost_master.patch)""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1960.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1960.toml new file mode 100644 index 00000000..917221ba --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1960.toml 
@@ -0,0 +1,30 @@ +id = 1960 +title = "Invalid pmu interrupt id in arm virt machine device-tree" +state = "closed" +created_at = "2023-10-26T07:25:40.479Z" +closed_at = "2023-11-27T14:16:13.661Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1960" +host-os = "NA" +host-arch = "NA" +qemu-version = "9036e917f8357f4e5965ebfecdab5964d40e6a40" +guest-os = "NA" +guest-arch = "ARM" +description = """commit 9036e917f8357f4e5965ebfecdab5964d40e6a40 changes the definition of PPI interrupt ID, but forgets to modify the PMU device tree. +The following patch can solve this problem: +``` +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index dd6bb80ce2..1d118974ee 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -663,7 +663,7 @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms) + qemu_fdt_setprop(ms->fdt, "/pmu", "compatible", + compat, sizeof(compat)); + qemu_fdt_setprop_cells(ms->fdt, "/pmu", "interrupts", +- GIC_FDT_IRQ_TYPE_PPI, VIRTUAL_PMU_IRQ, irqflags); ++ GIC_FDT_IRQ_TYPE_PPI, INTID_TO_PPI(VIRTUAL_PMU_IRQ), irqflags); + } + } +```""" +reproduce = """NA""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/198.toml b/gitlab/issues/target_arm/host_missing/accel_missing/198.toml new file mode 100644 index 00000000..8967d970 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/198.toml @@ -0,0 +1,15 @@ +id = 198 +title = "USB Ethernet device (RNDIS) does not work on several tested operating systems" +state = "opened" +created_at = "2021-05-06T15:08:47.566Z" +closed_at = "n/a" +labels = ["Networking", "USB", "kind::Bug", "target: arm", "target: i386", "target: ppc", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/198" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1985.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1985.toml new file mode 100644 index 00000000..9f74a5b0 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1985.toml @@ -0,0 +1,15 @@ +id = 1985 +title = "Possible infinite loop in target/arm/sme_helper.c: helper_sme_fmopa_h" +state = "closed" +created_at = "2023-11-17T15:23:49.303Z" +closed_at = "2023-11-21T15:12:23.875Z" +labels = ["Closed::Fixed", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1985" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/1993.toml b/gitlab/issues/target_arm/host_missing/accel_missing/1993.toml new file mode 100644 index 00000000..8d8b64a2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/1993.toml 
@@ -0,0 +1,58 @@ +id = 1993 +title = "test-hmp fails on aarch64 target when CFI is enabled" +state = "closed" +created_at = "2023-11-21T10:19:22.116Z" +closed_at = "2023-11-28T16:22:38.812Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1993" +host-os = "Linux (Fedora 39)" +host-arch = "x86" +qemu-version = "commit af9264da800734 (close to 8.2-rc1)" +guest-os = "n/a" +guest-arch = "n/a" +description = """QEMU crashes during test-hmp when CFI is enabled""" +reproduce = """1. ../qemu/configure --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug --enable-safe-stack --disable-slirp --target-list=aarch64-softmmu --disable-docs +2. make -j$(nproc) +3. V=2 QTEST_QEMU_BINARY=./qemu-system-aarch64 tests/qtest/test-hmp --verbose""" +additional = """The error messages look like this: +``` +\tinfo qtree +UndefinedBehaviorSanitizer:DEADLYSIGNAL +==677987==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address (pc 0x55fec2a3b7ce bp 0x7feef35ff970 sp 0x7fffbc8acd20 T677987) +==677987==The signal is caused by a READ memory access. +==677987==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used. 
+ #0 0x55fec2a3b7ce in start_list.83665.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/string-output-visitor.c:291:18 + #1 0x55fec2a34dbe in visit_start_list /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/qapi-visit-core.c:80:10 + #2 0x55fec27dcb58 in get_prop_array.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/hw/core/qdev-properties.c:698:10 + #3 0x55fec27e7173 in object_property_get /tmp/qemu-cfi/../../home/thuth/devel/qemu/qom/object.c:1415:5 + #4 0x55fec27e87a4 in object_property_print /tmp/qemu-cfi/../../home/thuth/devel/qemu/qom/object.c:1692:10 + #5 0x55fec224dd72 in qdev_print_props /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/qdev-monitor.c:761:21 + #6 0x55fec224dd72 in qdev_print /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/qdev-monitor.c:813:9 + #7 0x55fec224dd72 in qbus_print /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/qdev-monitor.c:831:9 + #8 0x55fec22bd945 in handle_hmp_command_exec /tmp/qemu-cfi/../../home/thuth/devel/qemu/monitor/hmp.c:1106:9 + #9 0x55fec22bcfeb in handle_hmp_command /tmp/qemu-cfi/../../home/thuth/devel/qemu/monitor/hmp.c:1158:9 + #10 0x55fec22c020e in qmp_human_monitor_command /tmp/qemu-cfi/../../home/thuth/devel/qemu/monitor/qmp-cmds.c:182:5 + #11 0x55fec29cfe0b in qmp_marshal_human_monitor_command.cfi /tmp/qemu-cfi/qapi/qapi-commands-misc.c:347:14 + #12 0x55fec2a3c470 in do_qmp_dispatch_bh.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/qmp-dispatch.c:128:5 + #13 0x55fec2a63fc4 in aio_bh_call /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/async.c:169:5 + #14 0x55fec2a6418f in aio_bh_poll /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/async.c:216:13 + #15 0x55fec2a49deb in aio_dispatch /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/aio-posix.c:423:5 + #16 0x55fec2a64ffa in aio_ctx_dispatch.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/async.c:358:5 + #17 0x7feef8d6ae5b (/lib64/libglib-2.0.so.0+0x5be5b) (BuildId: c5377a60d8282e2a61a4af1201dc10c9666139c2) + #18 0x7feef8d6b124 in g_main_context_dispatch 
(/lib64/libglib-2.0.so.0+0x5c124) (BuildId: c5377a60d8282e2a61a4af1201dc10c9666139c2) + #19 0x55fec2a6656b in glib_pollfds_poll /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/main-loop.c:290:9 + #20 0x55fec2a6656b in os_host_main_loop_wait /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/main-loop.c:313:5 + #21 0x55fec2a6656b in main_loop_wait /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/main-loop.c:592:11 + #22 0x55fec22553e6 in qemu_main_loop /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/runstate.c:782:9 + #23 0x55fec27da3f5 in qemu_default_main.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/main.c:37:14 + #24 0x7feef7aff149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 651b2bed7ecaf18098a63b8f10299821749766e6) + #25 0x7feef7aff20a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2820a) (BuildId: 651b2bed7ecaf18098a63b8f10299821749766e6) + #26 0x55fec1e865b4 in _start (/tmp/qemu-cfi/qemu-system-aarch64+0x5435b4) (BuildId: c8a2f51d83ddef5c97f11783d94381f60c82c2ac) + +UndefinedBehaviorSanitizer can not provide additional info. +SUMMARY: UndefinedBehaviorSanitizer: SEGV /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/string-output-visitor.c:291:18 in start_list.83665.cfi +==677987==ABORTING +Broken pipe +../../home/thuth/devel/qemu/tests/qtest/libqtest.c:195: kill_qemu() tried to terminate QEMU process but encountered exit status 1 (expected 0) +Aborted (core dumped) +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2053.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2053.toml new file mode 100644 index 00000000..7c7b1723 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2053.toml 
@@ -0,0 +1,15 @@ +id = 2053 +title = "virtio is broken in qemu-system-arm" +state = "closed" +created_at = "2023-12-22T13:32:20.685Z" +closed_at = "2024-01-11T13:39:24.937Z" +labels = ["kind::Bug", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2053" +host-os = "linux" +host-arch = "x86_64" +qemu-version = "8.2.0" +guest-os = "linux" +guest-arch = "armel, armhf" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2066.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2066.toml new file mode 100644 index 00000000..282f46fe --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2066.toml @@ -0,0 +1,15 @@ +id = 2066 +title = "Feature Request: UART 8250 Support in QEMU Virt Machine for aarch64" +state = "closed" +created_at = "2024-01-03T12:12:36.299Z" +closed_at = "2024-01-11T17:29:36.328Z" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2066" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2084.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2084.toml new file mode 100644 index 00000000..b88723bd --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2084.toml @@ -0,0 +1,15 @@ +id = 2084 +title = "\"qemu-system-arm -machine virt -cpu cortex-a9\" error message includes a lot of \"(null)\"s" +state = "closed" +created_at = "2024-01-09T14:13:19.763Z" +closed_at = "2024-01-19T16:38:18.921Z" +labels = ["kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2084" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2106.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2106.toml new file mode 100644 index 00000000..bce4f368 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2106.toml 
@@ -0,0 +1,63 @@ +id = 2106 +title = "QEMU build fail on Solaris 11.4 because \"FSCALE\" #defined by sys/param.h" +state = "opened" +created_at = "2024-01-16T19:39:42.479Z" +closed_at = "n/a" +labels = ["Build System", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2106" +host-os = "Solaris 11.4" +host-arch = "sparc" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """Building `target/arm/tcg/translate-sve.c` fails on Solaris 11.4 because system's +`/usr/include/sys/param.h` has `#define FSCALE (1 << FSHIFT)` which results +in `DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)` at `translate-sve.c:3864` +attempting to expand the `#define` substitution instead of the text `FSCALE`.<p>I have not determined what the sequence of includes was that brought in `sys/param.h`<p>A workaround is to `#undef FSCALE`, but that may not be an appropriate long-term fix.""" +reproduce = """1. mkdir build && cd build +2. ../configure --disable-docs --disable-rdma --enable-slirp +3. gmake""" +additional = """Full diagnostic output: +``` +[1865/5402] Compiling C object libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o +FAILED: libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o +cc -Ilibqemu-aarch64-softmmu.fa.p -I. -I.. 
-Itarget/arm -I../target/arm -Isubprojects/dtc/libfdt -I../subprojects/dtc/libfdt -Iqapi -Itrace -Iui -Iui/shader -I/usr/include/pixman-1 -I/usr/include/libdrm -I/usr/include/glib-2.0 -I/usr/lib/sparcv9/glib-2.0/include -I/usr/include/pcre -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -fstack-protector-strong -Wundef -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wmissing-format-attribute -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -Wshadow=local -iquote . -iquote /opt/qemu -iquote /opt/qemu/include -iquote /opt/qemu/host/include/generic -iquote /opt/qemu/tcg/sparc64 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -D_XOPEN_SOURCE=600 -D__EXTENSIONS__ -fPIE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNEED_CPU_H '-DCONFIG_TARGET="aarch64-softmmu-config-target.h"' '-DCONFIG_DEVICES="aarch64-softmmu-config-devices.h"' -MD -MQ libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o -MF libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o.d -o libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o -c ../target/arm/tcg/translate-sve.c +In file included from ../target/arm/tcg/translate-sve.c:21: +../target/arm/tcg/translate.h:728:17: error: pasting "trans_" and "(" does not give a valid preprocessing token + 728 | static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \\ + | ^~~~~~ +../target/arm/tcg/translate-sve.c:3854:5: note: in expansion of macro ‘TRANS_FEAT’ + 3854 | TRANS_FEAT(NAME, FEAT, gen_gvec_fpst_arg_zpzz, name##_zpzz_fns[a->esz], a) + | ^~~~~~~~~~ +../target/arm/tcg/translate-sve.c:3864:1: note: in expansion of macro ‘DO_ZPZZ_FP’ + 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn) + | ^~~~~~~~~~ 
+../target/arm/tcg/translate-sve.c:3864:12: error: expected declaration specifiers or ‘...’ before numeric constant + 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn) + | ^~~~~~ +../target/arm/tcg/translate.h:728:25: note: in definition of macro ‘TRANS_FEAT’ + 728 | static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \\ + | ^~~~ +../target/arm/tcg/translate-sve.c:3864:1: note: in expansion of macro ‘DO_ZPZZ_FP’ + 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn) + | ^~~~~~~~~~ +../target/arm/tcg/translate.h:728:47: error: pasting "arg_" and "(" does not give a valid preprocessing token + 728 | static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \\ + | ^~~~ +../target/arm/tcg/translate-sve.c:3854:5: note: in expansion of macro ‘TRANS_FEAT’ + 3854 | TRANS_FEAT(NAME, FEAT, gen_gvec_fpst_arg_zpzz, name##_zpzz_fns[a->esz], a) + | ^~~~~~~~~~ +../target/arm/tcg/translate-sve.c:3864:1: note: in expansion of macro ‘DO_ZPZZ_FP’ + 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn) + | ^~~~~~~~~~ +In file included from ../target/arm/tcg/translate-sve.c:86: +libqemu-aarch64-softmmu.fa.p/decode-sve.c.inc:1112:13: warning: ‘trans_FSCALE’ used but never defined + 1112 | static bool trans_FSCALE(DisasContext *ctx, arg_FSCALE *a); + | ^~~~~~~~~~~~ +../target/arm/tcg/translate-sve.c:3864:30: warning: ‘sve_fscalbn_zpzz_fns’ defined but not used [-Wunused-const-variable=] + 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn) + | ^~~~~~~~~~~ +../target/arm/tcg/translate-sve.c:3850:42: note: in definition of macro ‘DO_ZPZZ_FP’ + 3850 | static gen_helper_gvec_4_ptr * const name##_zpzz_fns[4] = { \\ + | ^~~~ +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/211.toml b/gitlab/issues/target_arm/host_missing/accel_missing/211.toml new file mode 100644 index 00000000..3108584b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/211.toml 
@@ -0,0 +1,15 @@ +id = 211 +title = "qemu-aarch64-static segfault if /proc not mounted inside chroot" +state = "closed" +created_at = "2021-05-07T10:25:37.936Z" +closed_at = "2022-07-29T21:46:56.146Z" +labels = ["Closed::Invalid", "linux-user", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/211" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2120.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2120.toml new file mode 100644 index 00000000..e35d3d82 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2120.toml @@ -0,0 +1,15 @@ +id = 2120 +title = "arm64: Typo in isar_feature_aa64_tidcp1" +state = "closed" +created_at = "2024-01-22T14:16:02.672Z" +closed_at = "2024-01-27T13:00:19.814Z" +labels = ["Bite Sized", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2120" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2155.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2155.toml new file mode 100644 index 00000000..5d0dc63e --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2155.toml 
@@ -0,0 +1,31 @@ +id = 2155 +title = "LoadVM assert on ARM_FEATURE_M for Cortex M3" +state = "closed" +created_at = "2024-02-07T18:22:10.940Z" +closed_at = "2024-02-16T10:58:42.355Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2155" +host-os = "Ubuntu 20.04" +host-arch = "x86_64" +qemu-version = "v8.0.0 through v8.2.0" +guest-os = "-" +guest-arch = "ARM Cortex M3" +description = """This appears to be a similar issue to https://gitlab.com/qemu-project/qemu/-/issues/1775 and https://gitlab.com/qemu-project/qemu/-/issues/1658 + +When running `loadvm` qemu aborts with this error: + +"qemu/target/arm/helper.c:12383: arm_security_space_below_el3: Assertion `!arm_feature(env, ARM_FEATURE_M)' failed." + +I've traced the error to `pmu_counter_enabled` in `qemu\\target\\arm\\helper.c:1172` + [uint64_t mdcr_el2 = arm_mdcr_el2_eff(env)](https://gitlab.com/qemu-project/qemu/-/blob/v8.2.0/target/arm/helper.c?ref_type=tags#L1172) (link is to 8.2.0 release tag) + + +The issue is caused by attempting to get the MDCR_EL2 register prior to checking if the CPU has ARM_FEATURE_PMU support. + +A simple fix seems to be to check for `ARM_PMU_ENABLED` and returning early if it is not enabled.""" +reproduce = """1. Start emulation and connect monitor +2. savevm <snapshot-name> +3. Loadvm <snapshot-name>""" +additional = """See screenshot for stack trace + +""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2213.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2213.toml new file mode 100644 index 00000000..9ef901cc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2213.toml 
@@ -0,0 +1,23 @@ +id = 2213 +title = "QEMU fails with duplicate SaveStateEntry when using two legacy virtio input devices" +state = "closed" +created_at = "2024-03-08T09:29:17.349Z" +closed_at = "2024-04-29T09:36:05.063Z" +labels = ["Closed::WontFix", "Migration", "device:virtio", "target: arm", "target: s390x"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2213" +host-os = "n/a" +host-arch = "x86" +qemu-version = ">= 8.2.0" +guest-os = "n/a" +guest-arch = "s390x" +description = """QEMU bails out when it is started with two virtio-input devices running in legacy virtio mode, using two different transports (like PCI and CCW on s390x).""" +reproduce = """``` +qemu-system-s390x -M s390-ccw-virtio-2.6 -cpu max -nographic -device virtio-multitouch-pci -device virtio-tablet-ccw +``` +fails with: +``` +qemu-system-s390x: -device virtio-tablet-ccw: savevm_state_handler_insert: Detected duplicate SaveStateEntry: id=virtio-input, instance_id=0x0 +```""" +additional = """The problem does *not* occur if using modern virtio devices (which automatically happens for -M s390-ccw-virtio-2.7 and newer) or if using virtio-input devices with the same transport (e.g. two PCI devices instead of one PCI and one CCW). + +Also note that the problem only occurs since QEMU 8.1 since older versions did not check for duplicate SaveStateEntries (see commit caa91b3c44cdb2d2921e25 ).""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2226.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2226.toml new file mode 100644 index 00000000..6eb29ba7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2226.toml 
@@ -0,0 +1,64 @@ +id = 2226 +title = "arm HSTR trap settings routed to EL1 instead of EL2" +state = "closed" +created_at = "2024-03-16T12:55:02.893Z" +closed_at = "2024-04-02T11:57:51.884Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2226" +host-os = "Debian Bookworm" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 8.2.50 (v8.2.0-2542-gba49d760eb)" +guest-os = "Bare mental test program (listed in Steps to reproduce)" +guest-arch = "ARM" +description = """ARM's HSTR register is used to trap CP15 access from EL1/0. qemu's implementation seems to be inconsistent with ARM's documentation. + +Take the system register VBAR for example, the following pseudo code is grabbed from ARM DDI 0487J.a ID042523 G8-10651, which is the logics behind when reading VBAR. +``` +if PSTATE.EL == EL0 then + UNDEFINED; +elsif PSTATE.EL == EL1 then + if EL2Enabled() && !ELUsingAArch32(EL2) && HSTR_EL2.T12 == '1' then + AArch64.AArch32SystemAccessTrap(EL2, 0x03); + elsif EL2Enabled() && ELUsingAArch32(EL2) && HSTR.T12 == '1' then + AArch32.TakeHypTrapException(0x03); + elsif HaveEL(EL3) && ELUsingAArch32(EL3) then + R[t] = VBAR_NS; + else + R[t] = VBAR; +elsif PSTATE.EL == EL2 then + if HaveEL(EL3) && ELUsingAArch32(EL3) then + R[t] = VBAR_NS; + else + R[t] = VBAR; +elsif PSTATE.EL == EL3 then + if SCR.NS == '0' then + R[t] = VBAR_S; + else + R[t] = VBAR_NS; +``` + +The main logics in my attached test program are: +1. Setting EL2 and EL1's exception table +2. Set HSTR.T12 +3. ERET to EL1, and read VBAR from EL1 + +As the document mentions, when CPU running on EL1 && HSTR.T12 is set, HypTrapException 0x3 should be taken, which is EL2. But the test program shows, on such circumstances, CPU is being routed to EL1's undefined exception.""" +reproduce = """1. Clone this repo https://github.com/roolrz/reproduce-qemu-arm-hstr-issue +2. Use make to build the test program +3. 
Use following command to launch it +``` +qemu-system-arm \\ +\t-nographic \\ +\t-cpu cortex-a7 \\ +\t-M virt,virtualization=on \\ +\t-m 1G \\ +\t-kernel el2.elf +``` +4. The following message is printed by the program, problem reproduced +``` +EL2 Booted +Jumping to el1 +el1 reached, triggering trap +EL1 undefined sync triggered +```""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2227.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2227.toml new file mode 100644 index 00000000..b0aba278 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2227.toml 
@@ -0,0 +1,44 @@ +id = 2227 +title = "Crash when using the ast2600-a3 device with the \"virt\" aarch64 machine" +state = "closed" +created_at = "2024-03-18T13:49:50.951Z" +closed_at = "2024-03-25T16:45:56.517Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2227" +host-os = "Linux" +host-arch = "x86" +qemu-version = "commit ba49d760eb04630" +guest-os = "n/a" +guest-arch = "ARM" +description = """QEMU crashes with a segmentation fault when trying to use the "ast2600-a3" device with the "virt" machine.""" +reproduce = """1. Run ``./qemu-system-aarch64 -display none -machine virt -device ast2600-a3``""" +additional = """Backtrace indicates that it is crashing in the aspeed_soc_ast2600_realize() function: + +``` +#0 memory_region_update_container_subregions (subregion=0x555558c4b630) at ../../devel/qemu/system/memory.c:2637 +#1 memory_region_add_subregion_common (mr=<optimized out>, offset=<optimized out>, subregion=0x555558c4b630) at ../../devel/qemu/system/memory.c:2661 +#2 0x0000555555d1bd40 in aspeed_soc_ast2600_realize (dev=<optimized out>, errp=0x7fffffffd870) at ../../devel/qemu/hw/arm/aspeed_ast2600.c:301 +#3 0x0000555555ff26ab in device_set_realized (obj=<optimized out>, value=<optimized out>, errp=0x7fffffffda00) at ../../devel/qemu/hw/core/qdev.c:510 +#4 0x0000555555ff6edd in property_set_bool (obj=0x555558c4b360, v=<optimized out>, name=<optimized out>, opaque=0x555557cd5b50, errp=0x7fffffffda00) + at ../../devel/qemu/qom/object.c:2358 +#5 0x0000555555ffa25b in object_property_set (obj=obj@entry=0x555558c4b360, name=name@entry=0x5555563794ed "realized", v=v@entry=0x555558ce0650, errp=errp@entry=0x7fffffffda00) + at ../../devel/qemu/qom/object.c:1472 +#6 0x0000555555ffdb9f in object_property_set_qobject + (obj=obj@entry=0x555558c4b360, name=name@entry=0x5555563794ed "realized", value=value@entry=0x555558cdf270, errp=errp@entry=0x7fffffffda00) + at ../../devel/qemu/qom/qom-qobject.c:28 
+#7 0x0000555555ffa8c4 in object_property_set_bool (obj=obj@entry=0x555558c4b360, name=name@entry=0x5555563794ed "realized", value=value@entry=true, errp=errp@entry=0x7fffffffda00) + at ../../devel/qemu/qom/object.c:1541 +#8 0x0000555555ff319c in qdev_realize (dev=dev@entry=0x555558c4b360, bus=bus@entry=0x0, errp=errp@entry=0x7fffffffda00) at ../../devel/qemu/hw/core/qdev.c:292 +#9 0x0000555555c11be3 in qdev_device_add_from_qdict (opts=opts@entry=0x555558c4a2d0, from_json=from_json@entry=false, errp=0x7fffffffda00, errp@entry=0x55555725b478 <error_fatal>) + at ../../devel/qemu/system/qdev-monitor.c:718 +#10 0x0000555555c12051 in qdev_device_add (opts=0x555557cd2a10, errp=errp@entry=0x55555725b478 <error_fatal>) at ../../devel/qemu/system/qdev-monitor.c:737 +#11 0x0000555555c1720f in device_init_func (opaque=<optimized out>, opts=<optimized out>, errp=0x55555725b478 <error_fatal>) at ../../devel/qemu/system/vl.c:1200 +#12 0x00005555561a29c1 in qemu_opts_foreach + (list=<optimized out>, func=func@entry=0x555555c17200 <device_init_func>, opaque=opaque@entry=0x0, errp=errp@entry=0x55555725b478 <error_fatal>) + at ../../devel/qemu/util/qemu-option.c:1135 +#13 0x0000555555c19aea in qemu_create_cli_devices () at ../../devel/qemu/system/vl.c:2637 +#14 qmp_x_exit_preconfig (errp=<optimized out>) at ../../devel/qemu/system/vl.c:2705 +#15 0x0000555555c1d67f in qmp_x_exit_preconfig (errp=<optimized out>) at ../../devel/qemu/system/vl.c:2699 +#16 qemu_init (argc=<optimized out>, argv=<optimized out>) at ../../devel/qemu/system/vl.c:3736 +#17 0x00005555558f6f59 in main (argc=<optimized out>, argv=<optimized out>) at ../../devel/qemu/system/main.c:47 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2228.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2228.toml new file mode 100644 index 00000000..9b4df6b7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2228.toml 
@@ -0,0 +1,18 @@ +id = 2228 +title = "hw/core/gpio.c:108: qdev_get_gpio_in_named: Assertion n >= 0 && n < gpio_list->num_in failed" +state = "closed" +created_at = "2024-03-18T14:25:03.720Z" +closed_at = "2024-03-19T17:33:20.179Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2228" +host-os = "Linux" +host-arch = "x86" +qemu-version = "commit ba49d760eb04630" +guest-os = "n/a" +guest-arch = "ARM" +description = """It's quite easy to trigger the assertion ``hw/core/gpio.c:108: qdev_get_gpio_in_named: Assertion n >= 0 && n < gpio_list->num_in failed``""" +reproduce = """Run one of the following command lines: +1. ``./qemu-system-aarch64 -display none -machine qcom-dc-scm-v1-bmc -device max1111`` +2. ``./qemu-system-aarch64 -display none -machine fby35-bmc -device max1110`` +3. ``./qemu-system-aarch64 -display none -machine yosemitev2-bmc -device corgi-ssp``""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/224.toml b/gitlab/issues/target_arm/host_missing/accel_missing/224.toml new file mode 100644 index 00000000..bc929a5b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/224.toml @@ -0,0 +1,15 @@ +id = 224 +title = "Wrong interrupts generated for I.MX6 FEC controller" +state = "opened" +created_at = "2021-05-09T15:11:38.354Z" +closed_at = "n/a" +labels = ["Launchpad", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/224" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2279.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2279.toml new file mode 100644 index 00000000..627409db --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2279.toml 
@@ -0,0 +1,33 @@ +id = 2279 +title = "Debugging with Lauterbach Trace32 -> Cortex-A76, no SP register update" +state = "closed" +created_at = "2024-04-10T13:05:13.581Z" +closed_at = "2024-08-05T14:44:03.604Z" +labels = ["GDB", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2279" +host-os = "Windows 10 Enterprise 64-bit 10.0" +host-arch = "x64" +qemu-version = "QEMU emulator version 8.2.0 (v8.2.0-12045-g3d58f9b5c5)" +guest-os = "Bare metal code" +guest-arch = "Aarch64" +description = """We do not see changes in the SP_EL1 register value when debugging the QEMU application with Lauterbach Trace32.""" +reproduce = """1. Compile bare metal code that uses push and pop instructions (stack). +2. Run QEMU with bare metal code. +3. Connect via Lauterbach Trace32 and check the displayed SP register value.""" +additional = """ +This is a screenshot from QEMU 8.0.0, but updating to QEMU 8.2.0 does not resolve the problem. + +I have discussed this with Lauterbach Trace32 support with these results: +- Trace32 uses RSP protocol `p` packets to read some registers, including SP_EL1. GDB seems to use `g` packet. +- QEMU responds to `p` packet with an invalid value, which causes Trace32 to display invalid value. + +Some related RSP protocol logs from Trace32. + + + +Different part of RSP protocol log: +``` +Sending packet: $p20#d2 ... +receiving packet: ec00004000000000 +``` +So it looks like Trace32 can receive different values that zero as response to `p` packet.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2300.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2300.toml new file mode 100644 index 00000000..4887065a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2300.toml 
@@ -0,0 +1,15 @@ +id = 2300 +title = "Unintialized variable in double_cpdo.c" +state = "closed" +created_at = "2024-04-22T06:36:41.843Z" +closed_at = "2024-04-22T16:25:35.576Z" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2300" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2304.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2304.toml new file mode 100644 index 00000000..73afa739 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2304.toml 
@@ -0,0 +1,50 @@ +id = 2304 +title = "Disabling SVE via `-cpu max,sve=off` leaves SVE2 advertised by `getauxval`" +state = "closed" +created_at = "2024-04-23T12:16:36.267Z" +closed_at = "2024-08-01T08:31:57.918Z" +labels = ["Closed::Fixed", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2304" +host-os = "Ubuntu 22.04" +host-arch = "x86_64" +qemu-version = "qemu-aarch64 version 8.2.94" +guest-os = "n/a" +guest-arch = "n/a" +description = """The documentation on https://qemu-project.gitlab.io/qemu/system/arm/cpu-features.html suggests that it should be possible to disable SVE support by passing `-cpu max,sve=off` on the command line, however this appears to only disable the SVE support advertised in the return value from `getauxval(AT_HWCAP)`. In particular it leaves SVE2 reported as enabled. This leaves the feature set advertised by `getauxval` in an inconsistent state since SVE is mandatory if SVE2 is available. + +This may also affect other feature dependencies for example FEAT_SVE_BITPerm also requiring SVE2 to be available, I've not checked exhaustively. + +For example, given the following code: + + #include <sys/auxv.h> + #include <stdio.h> + + int main() { + unsigned long hwcap = getauxval(AT_HWCAP); + unsigned long hwcap2 = getauxval(AT_HWCAP2); + + if (hwcap & HWCAP_SVE) { + printf("have sve!\\n"); + } else { + printf("don't have sve!\\n"); + } + if (hwcap2 & HWCAP2_SVE2) { + printf("have sve2!\\n"); + } else { + printf("don't have sve2!\\n"); + } + } + +We can observe the following: + + $ aarch64-linux-gnu-gcc test.c -static + $ ../qemu-aarch64 -cpu max ./a.out + have sve! + have sve2! + $ ../qemu-aarch64 -cpu max,sve=off ./a.out + don't have sve! + have sve2! + +I don't believe that there is a `-cpu ...,sve2=off` option, so I would expect that disabling SVE also prevents SVE2 from being advertised as available.""" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2309.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2309.toml new file mode 100644 index 00000000..40e9fa95 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2309.toml @@ -0,0 +1,39 @@ +id = 2309 +title = "qemu-aarch64 hangs running cargo test after libc6 upgrade to 2.36-9+deb12u6" +state = "opened" +created_at = "2024-04-24T19:56:19.595Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2309" +host-os = "Debian" +host-arch = "X86_64" +qemu-version = "qemu-aarch64 version 9.0.50 (v9.0.0-92-g88daa112d4)" +guest-os = "Debian" +guest-arch = "ARM64" +description = """qemu-aarch64 seems to hang with 100% cpu usage without any indication. +with -p 12345 for gdb debugging, gdb could not interrupt the remote with ctrl-c.""" +reproduce = """1. Ensure the test env has 2.36-9+deb12u6 +2. Install the latest rust toolchain. +3. mkdir test_test && cargo init +4. ensure src/main.rs has +``` +fn main() { + println!("Hello, world!"); +} + +#[test] +fn test() { + println!("hAAA!"); +} +``` +5. create .cargo/config.toml +``` +[target.aarch64-unknown-linux-gnu] +linker = "aarch64-linux-gnu-gcc" +runner = "qemu-aarch64 -L /usr/aarch64-linux-gnu" +rustflags = ["-C", "target-cpu=neoverse-n1"] +``` +6. cargo test --target aarch64-unknown-linux-gnu""" +additional = """The issue does not seem to occur with libc6:2.36-9+deb12u4 + +The same binary runs fine on a real arm64 target with the upgraded libc6 version 2.36-9+deb12u6.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2333.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2333.toml new file mode 100644 index 00000000..95e4cd6d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2333.toml 
@@ -0,0 +1,53 @@ +id = 2333 +title = "VDSO on armeb seems broken" +state = "closed" +created_at = "2024-05-07T23:20:27.725Z" +closed_at = "2024-11-16T21:18:19.592Z" +labels = ["Closed::Fixed", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2333" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """I'm seeing the VDSO method for `__clock_gettime64()` crashing under `qemu-armeb` (stack trace under Additional information, below). + +I rebuilt glibc with VDSO globally kludged off, and all was well.""" +reproduce = """``` +#include <time.h> +#include <stdlib.h> +#include <stdio.h> + +int main(int argc, char **argv) { + time_t ts; + printf("%ld\\n", time(&ts)); + exit(0); +} +``` + +Results, first with VDSO active via a system snapshot, second with the patched glibc: +``` +$ armeb-linux-gnueabihf-gcc -o /tmp/time /tmp/time.c +$ qemu-armeb -L /.mirrorsnaps/.rootsnap.prev/usr/armeb-linux-gnueabihf /tmp/time +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +Segmentation fault +$ qemu-armeb -L /usr/armeb-linux-gnueabihf /tmp/time +1715123280 +```""" +additional = """``` +Program received signal SIGSEGV, Segmentation fault. +0x4082b462 in ?? () +(gdb) bt +#0 0x4082b462 in ?? () +#1 0x40bf64a4 in __GI___clock_gettime64 (clock_id=clock_id@entry=5, tp=tp@entry=0x407fe9c0) + at ../sysdeps/unix/sysv/linux/clock_gettime.c:42 +#2 0x40be9f58 in __GI___time64 (timer=0x0) at ../sysdeps/unix/sysv/linux/time.c:60 +#3 __time (timer=0x407fea04) at ../sysdeps/unix/sysv/linux/time.c:73 +``` + +`clock_gettime.c:42` is +``` + r = INTERNAL_VSYSCALL_CALL (vdso_time64, 2, clock_id, tp); +``` + +Interestingly, the problem doesn't occur on qemu-arm (little endian), all else equal.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2351.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2351.toml new file mode 100644 index 00000000..46090706 --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_missing/2351.toml @@ -0,0 +1,25 @@ +id = 2351 +title = "Raspberry Pi: Unable to start raspios bookworm" +state = "opened" +created_at = "2024-05-19T15:35:16.531Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2351" +host-os = "Ubuntu 23.10 (mantic)" +host-arch = "x86_64" +qemu-version = "9.0.0 - QEMU command line:" +guest-os = "RaspiOS" +guest-arch = "ARM" +description = """I am able to start RaspiOS bullseye (2023-05-03-raspios-bullseye-arm64-lite) in both, the rpi3 and rpi4 configurations, by first extracting the DTB and the kernel from the downloaded image (see the command lines). + +When I attempt to start RaspiOS bookworm (2024-03-15-raspios-bookworm-arm64-lite), I only get the following messages on the host's terminal: + +``` +usbnet: failed control transaction: request 0x8006 value 0x600 index 0x0 length 0xa +usbnet: failed control transaction: request 0x8006 value 0x600 index 0x0 length 0xa +usbnet: failed control transaction: request 0x8006 value 0x600 index 0x0 length 0xa +``` + +[start-raspios.sh](/uploads/041fb113d1d0d920e52f3b11a9f51290/start-raspios.sh)""" +reproduce = """To reproduce, adapt the attached script, download the raspios images and run it.""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2355.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2355.toml new file mode 100644 index 00000000..9af2f2fe --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2355.toml 
@@ -0,0 +1,89 @@ +id = 2355 +title = "buffer overflow in aspeed gpio" +state = "closed" +created_at = "2024-05-23T20:16:28.634Z" +closed_at = "2024-07-02T22:47:38.780Z" +labels = ["Fuzzer", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2355" +host-os = "Ubuntu 22.04.4 LTS" +host-arch = "aarch64" +qemu-version = "commit 7e1c004701" +guest-os = "n/a" +guest-arch = "n/a" +description = """The following log reveals it: + +``` +==2602930==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a5da29e128 at pc 0x55a5d700dc62 bp 0x7fff096c4e90 sp 0x7fff096c4e88 +READ of size 2 at 0x55a5da29e128 thread T0 + #0 0x55a5d700dc61 in aspeed_gpio_read /home/joey/repo/qemu/build/../hw/gpio/aspeed_gpio.c:564:14 + #1 0x55a5d933f3ab in memory_region_read_accessor /home/joey/repo/qemu/build/../system/memory.c:445:11 + #2 0x55a5d92fba40 in access_with_adjusted_size /home/joey/repo/qemu/build/../system/memory.c:573:18 + #3 0x55a5d92f842c in memory_region_dispatch_read1 /home/joey/repo/qemu/build/../system/memory.c:1426:16 + #4 0x55a5d92f7b68 in memory_region_dispatch_read /home/joey/repo/qemu/build/../system/memory.c:1459:9 + #5 0x55a5d9376ad1 in flatview_read_continue_step /home/joey/repo/qemu/build/../system/physmem.c:2836:18 + #6 0x55a5d9376399 in flatview_read_continue /home/joey/repo/qemu/build/../system/physmem.c:2877:19 + #7 0x55a5d93775b8 in flatview_read /home/joey/repo/qemu/build/../system/physmem.c:2907:12 + #8 0x55a5d9377078 in address_space_read_full /home/joey/repo/qemu/build/../system/physmem.c:2920:18 + #9 0x55a5d8189aa2 in address_space_read /home/joey/repo/qemu/include/exec/memory.h:3100:18 + #10 0x55a5d8189aa2 in qtest_process_command /home/joey/repo/qemu/build/../system/qtest.c:597:13 + #11 0x55a5d818231d in qtest_process_inbuf /home/joey/repo/qemu/build/../system/qtest.c:811:9 + #12 0x55a5d81915ae in qtest_read /home/joey/repo/qemu/build/../system/qtest.c:823:5 + #13 0x55a5d9bc115d in qemu_chr_be_write_impl 
/home/joey/repo/qemu/build/../chardev/char.c:214:9 + #14 0x55a5d9bc1219 in qemu_chr_be_write /home/joey/repo/qemu/build/../chardev/char.c:226:9 + #15 0x55a5d9bccd25 in fd_chr_read /home/joey/repo/qemu/build/../chardev/char-fd.c:72:9 + #16 0x55a5d95d958c in qio_channel_fd_source_dispatch /home/joey/repo/qemu/build/../io/channel-watch.c:84:12 + #17 0x7f8909babc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #18 0x55a5d9f62319 in glib_pollfds_poll /home/joey/repo/qemu/build/../util/main-loop.c:287:9 + #19 0x55a5d9f60c53 in os_host_main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:310:5 + #20 0x55a5d9f6081c in main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:589:11 + #21 0x55a5d8198807 in qemu_main_loop /home/joey/repo/qemu/build/../system/runstate.c:796:9 + #22 0x55a5d9544c6c in qemu_default_main /home/joey/repo/qemu/build/../system/main.c:37:14 + #23 0x55a5d9544cb7 in main /home/joey/repo/qemu/build/../system/main.c:48:12 + #24 0x7f8909229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 + #25 0x7f8909229e3f in __libc_start_main csu/../csu/libc-start.c:392:3 + #26 0x55a5d671ed34 in _start (/home/joey/repo/qemu/build/qemu-system-aarch64+0x2773d34) + +0x55a5da29e128 is located 24 bytes to the left of global variable '<string literal>' defined in '../hw/gpio/aspeed_gpio.c:1180:23' (0x55a5da29e140) of size 20 + '<string literal>' is ascii string 'aspeed.gpio-ast2500' +0x55a5da29e128 is located 22 bytes to the right of global variable '<string literal>' defined in '/home/joey/repo/qemu/include/hw/gpio/aspeed_gpio.h:17:1' (0x55a5da29e100) of size 18 + '<string literal>' is ascii string 'ASPEED_GPIO_CLASS' +SUMMARY: AddressSanitizer: global-buffer-overflow /home/joey/repo/qemu/build/../hw/gpio/aspeed_gpio.c:564:14 in aspeed_gpio_read +Shadow bytes around the buggy address: + 0x0ab53b44bbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ab53b44bbe0: 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 + 0x0ab53b44bbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ab53b44bc00: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 + 0x0ab53b44bc10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 +=>0x0ab53b44bc20: 00 00 02 f9 f9[f9]f9 f9 00 00 04 f9 f9 f9 f9 f9 + 0x0ab53b44bc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ab53b44bc40: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 04 f9 + 0x0ab53b44bc50: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 00 00 + 0x0ab53b44bc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ab53b44bc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +```""" +reproduce = """``` +cat << EOF | qemu-system-aarch64 -display \\ +none -machine accel=qtest, -m 512M -machine ast1030-evb -qtest stdio +readq 0x7e780272 +EOF +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2356.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2356.toml new file mode 100644 index 00000000..bd06ceba --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2356.toml 
@@ -0,0 +1,25 @@ +id = 2356 +title = "assert in stm32l4x5_rcc" +state = "closed" +created_at = "2024-05-23T20:20:22.412Z" +closed_at = "2024-08-14T02:52:58.763Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2356" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """The following log reveals it: + +``` +qemu-system-aarch64: ../hw/misc/stm32l4x5_rcc.c:546: void rcc_update_cfgr_register(Stm32l4x5RccState *): Assertion `val <= 0b100' failed. +Aborted +```""" +reproduce = """``` +cat << EOF | qemu-system-aarch64 -display \\ +none -machine accel=qtest, -m 512M -machine b-l475e-iot01a -qtest stdio +writeq 0x40021008 0xffffffff +EOF +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2358.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2358.toml new file mode 100644 index 00000000..61178844 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2358.toml 
@@ -0,0 +1,60 @@ +id = 2358 +title = "null-pointer-dereference in a9gtimer" +state = "closed" +created_at = "2024-05-23T20:26:54.381Z" +closed_at = "2024-07-18T12:51:23.709Z" +labels = ["Bite Sized", "Fuzzer", "Tests", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2358" +host-os = "Ubuntu 22.04.4 LTS" +host-arch = "aarch64" +qemu-version = "commit 7e1c004701" +guest-os = "n/a" +guest-arch = "n/a" +description = """The following log reveals it: + +``` +../hw/timer/a9gtimer.c:51:22: runtime error: member access within null pointer of type 'CPUState' (aka 'struct CPUState') +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/timer/a9gtimer.c:51:22 in +AddressSanitizer:DEADLYSIGNAL +================================================================= +==2624453==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002d0 (pc 0x55df9673422f bp 0x7fff7310e930 sp 0x7fff7310e8a0 T0) +==2624453==The signal is caused by a READ memory access. +==2624453==Hint: address points to the zero page. 
+ #0 0x55df9673422f in a9_gtimer_get_current_cpu /home/joey/repo/qemu/build/../hw/timer/a9gtimer.c:51:22 + #1 0x55df9673408c in a9_gtimer_this_write /home/joey/repo/qemu/build/../hw/timer/a9gtimer.c:246:14 + #2 0x55df97e00353 in memory_region_write_accessor /home/joey/repo/qemu/build/../system/memory.c:497:5 + #3 0x55df97dffa40 in access_with_adjusted_size /home/joey/repo/qemu/build/../system/memory.c:573:18 + #4 0x55df97dfd986 in memory_region_dispatch_write /home/joey/repo/qemu/build/../system/memory.c:1521:16 + #5 0x55df97ea8973 in flatview_write_continue_step /home/joey/repo/qemu/build/../system/physmem.c:2755:18 + #6 0x55df97ea81df in flatview_write_continue /home/joey/repo/qemu/build/../system/physmem.c:2785:19 + #7 0x55df97e7be4b in flatview_write /home/joey/repo/qemu/build/../system/physmem.c:2816:12 + #8 0x55df97e7b908 in address_space_write /home/joey/repo/qemu/build/../system/physmem.c:2936:18 + #9 0x55df96c8b041 in qtest_process_command /home/joey/repo/qemu/build/../system/qtest.c:559:13 + #10 0x55df96c8631d in qtest_process_inbuf /home/joey/repo/qemu/build/../system/qtest.c:811:9 + #11 0x55df96c955ae in qtest_read /home/joey/repo/qemu/build/../system/qtest.c:823:5 + #12 0x55df986c515d in qemu_chr_be_write_impl /home/joey/repo/qemu/build/../chardev/char.c:214:9 + #13 0x55df986c5219 in qemu_chr_be_write /home/joey/repo/qemu/build/../chardev/char.c:226:9 + #14 0x55df986d0d25 in fd_chr_read /home/joey/repo/qemu/build/../chardev/char-fd.c:72:9 + #15 0x55df980dd58c in qio_channel_fd_source_dispatch /home/joey/repo/qemu/build/../io/channel-watch.c:84:12 + #16 0x7f76346edc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #17 0x55df98a66319 in glib_pollfds_poll /home/joey/repo/qemu/build/../util/main-loop.c:287:9 + #18 0x55df98a64c53 in os_host_main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:310:5 + #19 0x55df98a6481c in main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:589:11 + #20 0x55df96c9c807 in 
qemu_main_loop /home/joey/repo/qemu/build/../system/runstate.c:796:9 + #21 0x55df98048c6c in qemu_default_main /home/joey/repo/qemu/build/../system/main.c:37:14 + #22 0x55df98048cb7 in main /home/joey/repo/qemu/build/../system/main.c:48:12 + #23 0x7f7633e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 + #24 0x7f7633e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3 + #25 0x55df95222d34 in _start (/home/joey/repo/qemu/build/qemu-system-aarch64+0x2773d34) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV /home/joey/repo/qemu/build/../hw/timer/a9gtimer.c:51:22 in a9_gtimer_get_current_cpu +==2624453==ABORTING +```""" +reproduce = """``` +cat << EOF | /home/joey/repo/qemu/build/qemu-system-aarch64 -display \\ +none -machine accel=qtest, -m 512M -machine npcm750-evb -qtest stdio +writel 0xf03fe20c 0x26d7468c +EOF +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/236.toml b/gitlab/issues/target_arm/host_missing/accel_missing/236.toml new file mode 100644 index 00000000..b7f3b93c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/236.toml @@ -0,0 +1,15 @@ +id = 236 +title = "CPU fetch from unpopulated ROM on reset" +state = "opened" +created_at = "2021-05-09T15:44:41.452Z" +closed_at = "n/a" +labels = ["Launchpad", "target: arm", "target: m68k"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/236" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2377.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2377.toml new file mode 100644 index 00000000..e8d2dcb3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2377.toml 
@@ -0,0 +1,35 @@ +id = 2377 +title = "Debootstrapping debian-bullseye arm64 segfaults with qemu >=8.1" +state = "opened" +created_at = "2024-06-02T11:10:44.734Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2377" +host-os = "- Gentoo Linux" +host-arch = "AMD64" +qemu-version = "- 8.1.5, 8.2.3, 9.0.0" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = """1. Use qemu >= 8.1 (version <= 8.0.x work well) +2. Install `debootstrap` package +3. Run `sudo debootstrap --arch=arm64 bullseye root11-arm64` + +This fails to chroot into the system being debootstrapped: + +``` +$ sudo debootstrap --arch=arm64 bullseye root11-arm64 +... +W: Failure trying to run: chroot "/home/3/root11" /sbin/ldconfig +W: See /home/3/root11/debootstrap/debootstrap.log for details +$ tail -n2 /home/3/root11/debootstrap/debootstrap.log +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +/usr/share/debootstrap/functions: line 1092: 3869 Segmentation fault chroot "/home/3/root11" "$@" +```""" +additional = """Failure happens only when debootstrapping "bullseye" with "arm64" architecture. +Older (e.g. <= "buster") and newer (e.g. > "bookworm") distros are deboostrapped OK. +Other (e.g. "armhf" and others) architectures are debootstrapped OK. + +Qemu version <8.1 (e.g. 8.0.5 I use in Gentoo or versions in Debian <= bookworm) don't have the bug. + +Originally faced the issue with Gentoo host. Recently rechecked with Debian Trixie host.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2382.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2382.toml new file mode 100644 index 00000000..c54bbfe9 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2382.toml 
@@ -0,0 +1,22 @@ +id = 2382 +title = "QEMU occurs an Error when testing my DIY UEFI aarch64 kernel:Synchronous Exception at 0x00000000E46CCEAC" +state = "closed" +created_at = "2024-06-05T12:36:50.899Z" +closed_at = "2024-10-28T13:29:14.039Z" +labels = ["target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2382" +host-os = "Fedora" +host-arch = "x64" +qemu-version = "9.0.0" +guest-os = "my DIY kernel(TYDQ System,which source code is on github[UEFIPascalOS](https://github.com/TYDQSoft/UEFIPascalOS))" +guest-arch = "aarch64(arm64)" +description = """Shows Synchronous Exception at 0x00000000E46CCEAC and the program halts.""" +reproduce = """1.Download the UEFIPascalOS on github. +2.run the bash buildaarch64.sh to build the kernel iso. +3.Go through the installer guide and enter the kernel. +4.Enter the account's name and password and press enter,now you can got an error that shows Synchronous Exception at 0x00000000E46CCEAC""" +additional = """(no logs,stack traces was shown for the error because logs and stack traces are not exists.) +screenshots: + +If I create two accounts,it will halt on sentence "Welcome to TYDQ System!" and give me Synchronous Exception at other numbers. +If I change the memory in virt-machine,the Synchronous Exception showing number will be changed.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/239.toml b/gitlab/issues/target_arm/host_missing/accel_missing/239.toml new file mode 100644 index 00000000..95596430 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/239.toml 
@@ -0,0 +1,15 @@ +id = 239 +title = "Confusing error message when KVM can not start requested ARM CPU" +state = "opened" +created_at = "2021-05-09T15:48:36.089Z" +closed_at = "n/a" +labels = ["Launchpad", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/239" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/247.toml b/gitlab/issues/target_arm/host_missing/accel_missing/247.toml new file mode 100644 index 00000000..d844f4f3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/247.toml @@ -0,0 +1,15 @@ +id = 247 +title = "qemu-system-arm segmentation fault using pmemsave on the interrupt controller registers" +state = "opened" +created_at = "2021-05-10T07:43:15.129Z" +closed_at = "n/a" +labels = ["Launchpad", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/247" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2473.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2473.toml new file mode 100644 index 00000000..de154bb1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2473.toml @@ -0,0 +1,15 @@ +id = 2473 +title = "qemu-system-aarch64: Stop execution on unhandled exceptions" +state = "opened" +created_at = "2024-08-01T11:44:42.962Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2473" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """""" 
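Review bot: in 2473.toml the last field is `additional = """"""`, an empty string, while every other record in this patch encodes an absent field as `"n/a"` (see `description = "n/a"` and `reproduce = "n/a"` two lines earlier in the same file). Consumers that test for the `"n/a"` sentinel will treat this record as having a real but empty "additional" section; normalise the converter to emit `additional = "n/a"` here.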
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2484.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2484.toml new file mode 100644 index 00000000..5ef55257 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2484.toml @@ -0,0 +1,15 @@ +id = 2484 +title = "Confusing query-gic-capabilities output in --without-default-devices config" +state = "opened" +created_at = "2024-08-06T12:35:30.382Z" +closed_at = "n/a" +labels = ["QAPI/QMP", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2484" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2533.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2533.toml new file mode 100644 index 00000000..4a02d21b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2533.toml @@ -0,0 +1,15 @@ +id = 2533 +title = "Black screen while I'm trying to emulate Android using \"-machine raspi4b\"" +state = "opened" +created_at = "2024-08-24T09:24:42.223Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2533" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2536.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2536.toml new file mode 100644 index 00000000..4b336f51 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2536.toml 
@@ -0,0 +1,15 @@ +id = 2536 +title = "Dynamic translation issue of arm instruction VFNMA and VFNMS" +state = "closed" +created_at = "2024-08-26T05:25:33.470Z" +closed_at = "2024-09-06T14:24:24.019Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2536" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2540.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2540.toml new file mode 100644 index 00000000..192466f7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2540.toml 
@@ -0,0 +1,25 @@ +id = 2540 +title = "Machine B-L475E-IOT01A USART devices not functional" +state = "closed" +created_at = "2024-08-27T06:21:05.271Z" +closed_at = "2024-09-19T20:31:05.573Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2540" +host-os = "Alpine Linux v3.20" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 9.0.2" +guest-os = "Bare metal" +guest-arch = "ARM Cortex-M4" +description = """The B-L475E-IOT01A claims to support STM32L4x5 USARTs, UARTs and LPUART (Serial ports) but does not appear to actually function. + +I created a minimal bare metal binary that attempts to write to UART (via printf) but it does not succeed. While debugging it appears that all UART registers for USART1 are zero despite code that is writing to those registers and USART_ISR should have the default value of 0x020000C0 per STM documentation RM0351. The code ends up in an infinite loop waiting for the USART module to become ready but it never does. + +For comparison an almost identical program compiled for the netduino-plus-2 (also an STM32 Cortex-M4 CPU) is able to use USART succesfully.""" +reproduce = """1. Clone https://github.com/satur9nine/arm-cortex-qemu-demo/tree/STM_b-l475e-iot01a (note branch is STM_b-l475e-iot01a) +2. Obtain arm-none-eabi-gcc version 13.3.rel1 or higher from ARM or linux package manager and install +3. Go to `STM_b-l475e-iot01a_Build` and run `make all` to produce arm-cortex-qemu-demo.bin +4. Run command provided above (optionally run with additional `-gdb tcp::1234,ipv4 -S` options and attach debugger), observe there is no UART output +5. Repeat steps but with `STM_netduino-plus-2_Build` and observe UART output is produced for comparison""" +additional = """Notice memory located at 0x40013800 which is where USART1 is located shows all zeros. + +""" 
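Review bot: in 2540.toml, reproduce step 4 reads `Run command provided above (optionally run with additional ...)` but no command line appears anywhere in the record, and `additional` ends with a blank line after `Notice memory located at 0x40013800 ...`, where the reporter's attachment evidently was. The QEMU command line and the screenshot were dropped during conversion; either carry the command line into the record or insert an explicit placeholder such as `[attachment omitted]` so that readers can tell the gap is an extraction artifact rather than something the reporter left out.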
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2546.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2546.toml new file mode 100644 index 00000000..7614f194 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2546.toml @@ -0,0 +1,15 @@ +id = 2546 +title = "Troubleshooting Data Abort Error While Debugging U-Boot on mcimx6ul-evk in QEMU" +state = "opened" +created_at = "2024-08-30T07:46:09.395Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2546" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2547.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2547.toml new file mode 100644 index 00000000..6e2e2fdd --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2547.toml @@ -0,0 +1,15 @@ +id = 2547 +title = "Raspberry 4B Ethernet support" +state = "opened" +created_at = "2024-08-30T10:37:07.840Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2547" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """There is available WIP patch https://patchew.org/QEMU/20240226000259.2752893-1-sergey.kambalin@auriga.com/""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2549.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2549.toml new file mode 100644 index 00000000..970adaa4 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2549.toml 
@@ -0,0 +1,15 @@ +id = 2549 +title = "qemu-system-arm, ast2400-a1, The ECC_TEST_CTRL register of aspeed_2400_sdmc_write is not implemented" +state = "opened" +created_at = "2024-09-01T12:37:59.591Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2549" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """The ast2400-a1 has a few more memory test modes compared to the ast2500-a2 (1xxb in 8:6 and 11b in 2:1), but I think it should be enough to always return a test pass result.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2554.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2554.toml new file mode 100644 index 00000000..a0cba9ec --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2554.toml 
@@ -0,0 +1,19 @@ +id = 2554 +title = "qemu-system-arm: thumb2: vector table branch instruction not followed" +state = "closed" +created_at = "2024-09-03T17:57:16.484Z" +closed_at = "2024-09-04T23:25:32.249Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2554" +host-os = "Debian 12 Bookworm" +host-arch = "amd64" +qemu-version = "QEMU emulator version 9.0.2 (Debian 1:9.0.2+ds-1~bpo12+1)" +guest-os = "None" +guest-arch = "ARM thumb" +description = """When an undefined instruction is hit and causes an exception that causes a jump to the undef vector at 0x04; translation of the branch instruction found there appears to fail since instead of branching to the handler it steps to the next instruction - the next entry in the vector table, translates that, and on stepping once again moves to the next entry in the vector table. Eventually it steps out of the table and (re)enters the _start subroutine pointed to by vector 0x0.""" +reproduce = """This is related to issue #2542 in as much as I am hunting down failures in the picolibc 1.8.6 test suite on Debian. After fixing issues such as the failure to enable the MMU and some others via incorporating upstream commits I'm left with 10 tests, all for exception handling, that result in meson (build system) TIMEOUT instead of EXPECTEDFAIL. All of these tests should fail instantly and cause Qemu to exit but it continues - apparently spinning in an endless loop as described above until meson kills it. + +Creating a small reproducer has proved challenging and nigh impossible (for me) - even identifying the crux as described here has taken 4 days. However with the help of `qemu-system-arm -d in_asm,op,out_asm ...` and `gdb-multiarch` I believe I may have produced a focused report that will help figure this out. + +#""" +additional = """Since this is hard to debug I can give remote ssh access via `tmate` to directly control the debug session if necessary.""" 
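Review bot: the 2554 `reproduce` string ends with a bare `#` line, which indicates the exporter cut the field at a markdown heading and lost the rest of the reporter's text (the paragraph announces "a focused report" that never follows); the 2588 record below ends its `reproduce` field with the same dangling `#`. Suggest fixing the section splitter so headings inside a section body are retained, or at least stripping the orphan `#`, since as it stands the records silently lose the most detailed part of the issue.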
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2577.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2577.toml new file mode 100644 index 00000000..41dbef3d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2577.toml @@ -0,0 +1,15 @@ +id = 2577 +title = "buildx: Illegal instruction, exit code: 132" +state = "opened" +created_at = "2024-09-18T11:26:57.985Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2577" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2580.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2580.toml new file mode 100644 index 00000000..ade96c8a --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2580.toml @@ -0,0 +1,24 @@ +id = 2580 +title = "qemu-aarch64_be 9.1.0 fails to run any Linux programs due to unreachable in gdb_find_static_feature()" +state = "closed" +created_at = "2024-09-20T11:15:14.158Z" +closed_at = "2024-10-28T14:17:40.132Z" +labels = ["GDB", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2580" +host-os = "Ubuntu 23.10" +host-arch = "x86_64" +qemu-version = "9.1.0" +guest-os = "n/a" +guest-arch = "n/a" +description = """``` +❯ cat empty.c +void _start() {} +❯ clang empty.c -target aarch64_be-linux -nostdlib -fuse-ld=lld +❯ qemu-aarch64_be ./a.out +** +ERROR:../gdbstub/gdbstub.c:493:gdb_find_static_feature: code should not be reached +Bail out! ERROR:../gdbstub/gdbstub.c:493:gdb_find_static_feature: code should not be reached +fish: Job 1, 'qemu-aarch64_be ./a.out' terminated by signal SIGABRT (Abort) +```""" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2588.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2588.toml new file mode 100644 index 00000000..117f860c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2588.toml 
@@ -0,0 +1,51 @@ +id = 2588 +title = "qemu-system-arm regression: NonSecure World can change Secure World MMU mapping." +state = "closed" +created_at = "2024-09-25T08:33:04.420Z" +closed_at = "2024-11-06T11:15:14.630Z" +labels = ["TestCase", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2588" +host-os = "Windows, Linux" +host-arch = "Guest:x86, Host:ARM" +qemu-version = "9.1.0" +guest-os = "ARM Bare Metal (TamaGo)" +guest-arch = "ARM (ARMv7)" +description = """A NonSecure execution context is able to override MMU L1 translation table +flags set by Secure context on Secure World memory. + +This is not consistent with the same code running on real hardware and it's a +regression over past qemu releases as 9.0.0 behaves correctly.""" +reproduce = """This has been tested with +[GoTEE-example](https://github.com/usbarmory/GoTEE-example) as follows: + +``` +# building tamago +wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip +unzip latest.zip +cd tamago-go-latest/src && ./all.bash +cd ../bin && export TAMAGO=`pwd`/go + +# building and running GoTEE-example +wget https://github.com/usbarmory/GoTEE-example/archive/refs/heads/master.zip +unzip master.zip +cd GoTEE-example +export TARGET=usbarmory && make clean && make nonsecure_os_go && make trusted_applet_go && make trusted_os && make qemu +``` + +#""" +additional = """The issue relates to the fact that the NonSecure World, at startup, configures +the MMU with the NX bit for the entire address space not belonging to its +firmware .text area. + +On real hardware this MMU configuration by NonSecure world does not affect the +Secure World translation tables. + +On qemu 9.1.0, however it does and this is inconsistent with real hardware +behavior. On qemu 9.0.0 the behaviour is correct so the issue has been +introduced between these two releases. 
+ +The switch between Secure and NonSecure is done +[here](https://github.com/usbarmory/GoTEE/blob/7e62563c0628fed3ee0aebb4702e22be9bb636e3/monitor/exec_arm.s#L73). + +The MMU first level address table which sets the NX bit is done +[here](https://github.com/usbarmory/tamago/blob/273d67cd811dfcb1782c0fe596ac14d43d0ce117/arm/mmu.go#L85).""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2591.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2591.toml new file mode 100644 index 00000000..c3bb8aa7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2591.toml @@ -0,0 +1,15 @@ +id = 2591 +title = "Black screen and DTB errors while trying to emulate the kernel of the RaspiOS (based on Debian Bookworm) using the parameter -machine raspi4b" +state = "opened" +created_at = "2024-09-25T15:44:43.634Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2591" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2595.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2595.toml new file mode 100644 index 00000000..8638ac50 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2595.toml 
@@ -0,0 +1,143 @@ +id = 2595 +title = "Incorrect behavior with 64-bit element SDOT and UDOT instructions on ARM SVE when sve-default-vector-length>=64" +state = "closed" +created_at = "2024-09-26T16:12:19.731Z" +closed_at = "2024-11-06T11:15:14.568Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2595" +host-os = "Ubuntu 22.04.5 LTS on Windows 10 x86_64" +host-arch = "x86_64" +qemu-version = "version 9.1.50 (v9.1.0-475-ga53b931645)" +guest-os = "N/A" +guest-arch = "Arm" +description = """The behavior of SDOT and UDOT instructions are incorrect when the Zresult.D register is used, which is the 64-bit svdot_lane\\_{s,u}64 intrinsic in ACLE. + +I have tested the same code using [Arm Instruction Emulator](https://developer.arm.com/Tools%20and%20Software/Arm%20Instruction%20Emulator) (which is deprecated though) and gem5 which produced correct result, I believe that the SDOT and UDOT implementation in qemu is incorrect.""" +reproduce = """1. Get Arm Gnu toolchain from [Arm GNU Toolchain Downloads – Arm Developer](https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads), for x86 Linux hosts, download arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz and extract it. Alternatively, use any compiler that is able to cross compile for armv8.2-a+sve targets. +2. 
Compile the following program with these compiler arguments + + ``` + arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-gcc -O3 -march=armv8.2-a+sve dot_lane.c -o dot_lane + ``` + + ```c + #include <stdio.h> + #include <arm_sve.h> + + int64_t a[32] = { 0 }; + int16_t b[128]; + int16_t c[128]; + int64_t r[32]; + int64_t expected_r[32]; + + #define IMM 0 + + int main(void) + { + for (size_t i = 0; i < 128; i++) { + b[i] = 1; + c[i] = i / 4; + } + + svint64_t av = svld1(svptrue_b64(), a); + svint16_t bv = svld1(svptrue_b16(), b); + svint16_t cv = svld1(svptrue_b16(), c); + + svint64_t result = svdot_lane_s64(av, bv, cv, IMM); + + svst1(svptrue_b64(), r, result); + + for (size_t i = 0; i < svcntd(); i++) { + expected_r[i] = + (int64_t)b[i * 4 + 0] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 0] + + (int64_t)b[i * 4 + 1] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 1] + + (int64_t)b[i * 4 + 2] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 2] + + (int64_t)b[i * 4 + 3] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 3] + + a[i]; + } + + printf("%12s", "r: "); + for (size_t i = 0; i < svcntd(); i++) { + printf("%4ld", r[i]); + } + printf("\\n"); + printf("%12s", "expected_r: "); + for (size_t i = 0; i < svcntd(); i++) { + printf("%4ld", expected_r[i]); + } + printf("\\n\\t\\t"); + for (size_t i = 0; i < svcntd(); i++) { + if (r[i] != expected_r[i]) { + printf("%4c", '^'); + } else { + printf("%4c", ' '); + } + } + printf("\\n"); + printf("idx:\\t\\t"); + for (size_t i = 0; i < svcntd(); i++) { + if (r[i] != expected_r[i]) { + printf("%4d", i); + } else { + printf("%4c", ' '); + } + } + printf("\\n"); + + return 0; + } + ``` +3. 
Execute it with the following commands: + + ``` + qemu-aarch64 -cpu max,sve-default-vector-length=16 -L arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/bin/../aarch64-none-linux-gnu/libc dot_lane + ``` + + Change the value of `sve-default-vector-length` to 32, 64, 128, 256 and observe the outputs, we should see that for `sve-default-vector-length` \\>= 64, the result is incorrect. + + `sve-default-vector-length=16` + + ``` + r: 0 0 + expected_r: 0 0 + + idx: + ``` + + `sve-default-vector-length=32` + + ``` + r: 0 0 8 8 + expected_r: 0 0 8 8 + + idx: + ``` + + `sve-default-vector-length=64` + + ``` + r: 0 0 8 8 8 8 24 24 + expected_r: 0 0 8 8 16 16 24 24 + ^ ^ + idx: 4 5 + ``` + + `sve-default-vector-length=128` + + ``` + r: 0 0 8 8 8 8 24 24 24 24 40 40 40 40 56 56 + expected_r: 0 0 8 8 16 16 24 24 32 32 40 40 48 48 56 56 + ^ ^ ^ ^ ^ ^ + idx: 4 5 8 9 12 13 + ``` + + `sve-default-vector-length=256` + + ``` + r: 0 0 8 8 8 8 24 24 24 24 40 40 40 40 56 56 56 56 72 72 72 72 88 88 88 88 104 104 104 104 120 120 + expected_r: 0 0 8 8 16 16 24 24 32 32 40 40 48 48 56 56 64 64 72 72 80 80 88 88 96 96 104 104 112 112 120 120 + ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ + idx: 4 5 8 9 12 13 16 17 20 21 24 25 28 29 + ``` +4. By passing `-S` to the compiler, we can see that sdot (or udot if using `svdot_lane_u64()`) is produced in assembly (`sdot z0.d, z1.h, z2.h[0]`), which is correct behavior according to [Intrinsics – Arm Developer](https://developer.arm.com/architectures/instruction-sets/intrinsics/svdot_lane%5B_s64%5D).""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2604.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2604.toml new file mode 100644 index 00000000..d0faeed3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2604.toml 
@@ -0,0 +1,52 @@ +id = 2604 +title = "qemu-user-static crash when executing generated NEON code due to failure to detect invalidation" +state = "opened" +created_at = "2024-10-01T22:34:31.319Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2604" +host-os = "Linux (Manjaro)" +host-arch = "x86_64" +qemu-version = "8.2.4" +guest-os = "Ubuntu 20.04 LTS (Docker image: `ghcr.io/amyspark/appimage2004:armv7a-latest`)" +guest-arch = "armv7a" +description = """`qemu-arm-static` crashes 100% of times when attempting to run NEON code. The same executable, when run in `system` emulation mode, works without issue. + +I experience this particular issue when attempting to test GStreamer's Orc library with NEON codegen with QEMU user emulation.""" +reproduce = """1. Clone https://gitlab.freedesktop.org/gstreamer/orc.git +2. Build with `meson setup build -Ddefault_library=static; meson compile -C build` +3. Run `qemu-arm-static ./build/tools/orc-bugreport`""" +additional = """The crash always happens inside the same JIT code. It is not a memory access, so there is no reason for QEMU to report SIGSEGV: + +``` +Program received signal SIGSEGV, Segmentation fault. +0x409e503c in ?? () +(gdb) bt +#0 0x409e503c in ?? () +#1 0x00408bc6 in orc_executor_run (ex=0x51cfc0) at ../orc/orcexecutor.c:51 +#2 0x00489692 in orc_test_compare_output_full_for_target (program=0x4bcd90, flags=0, + target_name=0x0) at ../orc-test/orctest.c:800 +#3 0x00489004 in orc_test_compare_output_full (program=0x4bcd90, flags=0) + at ../orc-test/orctest.c:664 +#4 0x00404826 in test_opcode_src (opcode=0x4b098c <opcodes+2400>) + at ../tools/orc-bugreport.c:252 +#5 0x004045d8 in test_opcodes () at ../tools/orc-bugreport.c:188 +#6 0x004043f2 in main (argc=1, argv=0x40800704) at ../tools/orc-bugreport.c:118 +(gdb) disas 0x409e5030 +No function contains specified address. 
+(gdb) disas 0x409e5030, +10 +Dump of assembler code from 0x409e5030 to 0x409e503a: + 0x409e5030: vld1.8 {d4-d5}, [r3] + 0x409e5034: vst1.8 {d4-d5}, [r2] + 0x409e5038: add r2, r2, #16 +End of assembler dump. +(gdb) disas 0x409e5030, +20 +Dump of assembler code from 0x409e5030 to 0x409e5044: + 0x409e5030: vld1.8 {d4-d5}, [r3] + 0x409e5034: vst1.8 {d4-d5}, [r2] + 0x409e5038: add r2, r2, #16 +=> 0x409e503c: add r3, r3, #16 + 0x409e5040: subs r12, r12, #1 +End of assembler dump. +(gdb) +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2610.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2610.toml new file mode 100644 index 00000000..87f84cdf --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2610.toml @@ -0,0 +1,15 @@ +id = 2610 +title = "pl011: incorrect IBRD_MASK and FBRD_MASK" +state = "closed" +created_at = "2024-10-05T22:17:33.579Z" +closed_at = "2024-10-15T16:29:47.415Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2610" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2625.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2625.toml new file mode 100644 index 00000000..1cdf557b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2625.toml 
@@ -0,0 +1,95 @@ +id = 2625 +title = "Adding TPM support for ARM SBSA-Ref machine" +state = "opened" +created_at = "2024-10-17T19:54:07.520Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2625" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """Here is a proposed change where a new memory region is added to the machine initialization routine: + +```diff +diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c +index e3195d5449..84bc7d9adb 100644 +--- a/hw/arm/sbsa-ref.c ++++ b/hw/arm/sbsa-ref.c +@@ -28,6 +28,8 @@ + #include "sysemu/numa.h" + #include "sysemu/runstate.h" + #include "sysemu/sysemu.h" ++#include "sysemu/tpm.h" ++#include "sysemu/tpm_backend.h" + #include "exec/hwaddr.h" + #include "kvm_arm.h" + #include "hw/arm/boot.h" +@@ -94,6 +96,7 @@ enum { + SBSA_SECURE_MEM, + SBSA_AHCI, + SBSA_XHCI, ++ SBSA_TPM, + }; + + struct SBSAMachineState { +@@ -132,6 +135,7 @@ static const MemMapEntry sbsa_ref_memmap[] = { + /* Space here reserved for more SMMUs */ + [SBSA_AHCI] = { 0x60100000, 0x00010000 }, + [SBSA_XHCI] = { 0x60110000, 0x00010000 }, ++ [SBSA_TPM] = { 0x60120000, 0x00010000 }, + /* Space here reserved for other devices */ + [SBSA_PCIE_PIO] = { 0x7fff0000, 0x00010000 }, + /* 32-bit address PCIE MMIO space */ +@@ -629,6 +633,24 @@ static void create_smmu(const SBSAMachineState *sms, PCIBus *bus) + } + } + ++static void create_tpm(SBSAMachineState *sbsa, PCIBus *bus) ++{ ++ Error *errp = NULL; ++ DeviceState *dev; ++ ++ TPMBackend *be = qemu_find_tpm_be("tpm0"); ++ if (be == NULL) { ++ error_report("Couldn't find tmp0 backend"); ++ return; ++ } ++ ++ dev = qdev_new(TYPE_TPM_TIS_SYSBUS); ++ object_property_set_link(OBJECT(dev), "tpmdev", OBJECT(be), &errp); ++ object_property_set_str(OBJECT(dev), "tpmdev", be->id, &errp); ++ 
sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); ++ sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, sbsa_ref_memmap[SBSA_TPM].base); ++} ++ + static void create_pcie(SBSAMachineState *sms) + { + hwaddr base_ecam = sbsa_ref_memmap[SBSA_PCIE_ECAM].base; +@@ -686,6 +708,8 @@ static void create_pcie(SBSAMachineState *sms) + pci_create_simple(pci->bus, -1, "bochs-display"); + + create_smmu(sms, pci->bus); ++ ++ create_tpm(sms, pci->bus); + } + + static void *sbsa_ref_dtb(const struct arm_boot_info *binfo, int *fdt_size) +``` + +With such, the tpm can get used when setting the TPM base address to be 0x60120000 with the following launching command: + +```bash +qemu-system-aarch64 -machine sbsa-ref,gic-version=3,acpi=off \\ + -cpu host -m 4G \\ + -nographic -accel kvm \\ + -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \\ + -tpmdev emulator,id=tpm0,chardev=chrtpm \\ + -device virtio-blk-pci,drive=drv0 \\ + -drive format=qcow2,file=hda.qcow2,if=none,id=drv0 \\ + -drive if=pflash,format=raw,file=flash0.img,readonly=on \\ + -drive if=pflash,format=raw,file=flash1.img +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2636.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2636.toml new file mode 100644 index 00000000..64a5c12b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2636.toml @@ -0,0 +1,15 @@ +id = 2636 +title = "ast2600 fails to run u-boot" +state = "closed" +created_at = "2024-10-22T03:14:18.176Z" +closed_at = "2025-04-02T00:15:40.438Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2636" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2652.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2652.toml new file mode 100644 index 00000000..0304527b --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_missing/2652.toml @@ -0,0 +1,15 @@ +id = 2652 +title = "qemu-user please allow to emulate aarch64 cpu in 32bits mode" +state = "opened" +created_at = "2024-11-04T16:49:36.759Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2652" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2656.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2656.toml new file mode 100644 index 00000000..ba2b4e15 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2656.toml @@ -0,0 +1,15 @@ +id = 2656 +title = "impossible to specify pauth-impdef=on when specifying multiple accelerators" +state = "opened" +created_at = "2024-11-05T19:50:31.575Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2656" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/268.toml b/gitlab/issues/target_arm/host_missing/accel_missing/268.toml new file mode 100644 index 00000000..d4e99a82 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/268.toml 
@@ -0,0 +1,15 @@ +id = 268 +title = "arm gic: gic_acknowledge_irq doesn't clear line level for other cores for 1-n level-sensitive interrupts and gic_clear_pending uses GIC_DIST_TEST_MODEL (even on v2 where it always read 0 - \"N-N\")" +state = "opened" +created_at = "2021-05-11T05:37:20.959Z" +closed_at = "n/a" +labels = ["Launchpad", "TestCase", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/268" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2689.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2689.toml new file mode 100644 index 00000000..5eb224b2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2689.toml @@ -0,0 +1,15 @@ +id = 2689 +title = "arm64be tuxrun test is sometimes failing with I/O errors" +state = "closed" +created_at = "2024-11-19T12:06:29.673Z" +closed_at = "2024-11-26T14:06:02.817Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2689" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2698.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2698.toml new file mode 100644 index 00000000..4e93ff3f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2698.toml 
@@ -0,0 +1,17 @@ +id = 2698 +title = "virtualization not working with TCG mode on macOS" +state = "closed" +created_at = "2024-11-25T08:43:04.235Z" +closed_at = "2024-12-05T22:08:33.303Z" +labels = ["hostos: macOS", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2698" +host-os = "macOS" +host-arch = "aarch64" +qemu-version = "latest" +guest-os = "Linux" +guest-arch = "aarch64" +description = """TCG is supposed to work with virtualization=on option but it stops without priting anything. +if I set it to off, I can get to the prompt.""" +reproduce = """1. Execute the qemu +2. Hung.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2702.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2702.toml new file mode 100644 index 00000000..ab73967c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2702.toml 
@@ -0,0 +1,61 @@ +id = 2702 +title = "qtest-arm/sse-timer-test sometimes fails on s390x host" +state = "closed" +created_at = "2024-11-27T10:29:46.536Z" +closed_at = "2025-02-28T15:41:52.216Z" +labels = ["kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2702" +host-os = "Ubuntu Jammy" +host-arch = "s390x" +qemu-version = "9.2-rc2" +guest-os = "qtests" +guest-arch = "ARM" +description = """The sse-timer-test sometimes fails on the s390x runner in Travis, see: + +https://app.travis-ci.com/github/huth/qemu/jobs/628508770#L6337 : + +``` +>>> G_TEST_DBUS_DAEMON=/home/travis/build/huth/qemu/tests/dbus-vmstate-daemon.sh MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MESON_TEST_ITERATION=1 UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 PYTHON=/home/travis/build/huth/qemu/build/pyvenv/bin/python3 MALLOC_PERTURB_=165 QTEST_QEMU_BINARY=./qemu-system-arm /home/travis/build/huth/qemu/build/tests/qtest/sse-timer-test --tap -k + +▶ 70/287 ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100) ERROR + + 70/287 qemu:qtest+qtest-arm / qtest-arm/sse-timer-test ERROR 0.71s killed by signal 6 SIGABRT + +――――――――――――――――――――――――――――――――――――― ✀ ――――――――――――――――――――――――――――――――――――― + +stderr: + +** + +ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100) + +(test program exited with status code -6) + +―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― +``` + +https://app.travis-ci.com/github/huth/qemu/jobs/628373181#L6336 : + +``` +>>> G_TEST_DBUS_DAEMON=/home/travis/build/huth/qemu/tests/dbus-vmstate-daemon.sh PYTHON=/home/travis/build/huth/qemu/build/pyvenv/bin/python3 UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 
ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 QTEST_QEMU_BINARY=./qemu-system-arm MALLOC_PERTURB_=250 MESON_TEST_ITERATION=1 /home/travis/build/huth/qemu/build/tests/qtest/sse-timer-test --tap -k + +▶ 70/287 ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100) ERROR + + 70/287 qemu:qtest+qtest-arm / qtest-arm/sse-timer-test ERROR 0.95s killed by signal 6 SIGABRT + +――――――――――――――――――――――――――――――――――――― ✀ ――――――――――――――――――――――――――――――――――――― + +stderr: + +** + +ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100) + +(test program exited with status code -6) + +―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― +```""" +reproduce = """1. Run the QEMU CI on Travis""" +additional = """It seems to be a new or intermittent problem, two weeks ago it was still working fine: + +https://app.travis-ci.com/github/huth/qemu/jobs/627999506#L6325""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2708.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2708.toml new file mode 100644 index 00000000..b188feb7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2708.toml @@ -0,0 +1,15 @@ +id = 2708 +title = "aarch64 register MDCCINT_EL1 exhibits bizzare behavior" +state = "closed" +created_at = "2024-12-04T01:09:54.162Z" +closed_at = "2025-03-09T00:40:01.338Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2708" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2715.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2715.toml new file mode 100644 index 00000000..4cce4413 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2715.toml @@ -0,0 +1,15 @@ +id = 2715 +title = "QEMU AARCH64 only supports canonical addresses running on x64." +state = "opened" +created_at = "2024-12-10T18:42:28.666Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2715" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2718.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2718.toml new file mode 100644 index 00000000..14876e94 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2718.toml 
@@ -0,0 +1,110 @@ +id = 2718 +title = "9.2.0 build failure: FAILED: libcommon.a.p/hw_intc_arm_gicv3_its.c.o" +state = "closed" +created_at = "2024-12-11T19:20:44.456Z" +closed_at = "2024-12-19T12:29:19.315Z" +labels = ["Build System", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2718" +host-os = "Chromebrew on ChromeOS Milestone M97 image" +host-arch = "x86_64" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """Unable to build 9.2.0 via our docker container based builder inside a ChromeOS M97 based Docker container (using glibc 2.32).""" +reproduce = """1. See build logs. (I thought this was a vte issue, but libvte is the current version, `0.78.2`.)""" +additional = """``` +FAILED: libcommon.a.p/hw_intc_arm_gicv3_its.c.o +cc -m64 -Ilibcommon.a.p -I../common-user/host/x86_64 -I../linux-user/include/host/x86_64 -I../linux-user/include -Isubprojects/dtc/libfdt -I../subprojects/dtc/libfdt -Isubprojects/libvduse -I../subprojects/libvduse -I/usr/local/include/p11-kit-1 -I/usr/local/include/pixman-1 -I/usr/local/include/libpng16 -I/usr/local/include/libusb-1.0 -I/usr/local/include/SDL2 -I/usr/local/include/libmount -I/usr/local/include/blkid -I/usr/local/include/glib-2.0 -I/usr/local/lib64/glib-2.0/include -I/usr/local/include/gio-unix-2.0 -I/usr/local/include/slirp -I/usr/local/include/ncursesw -I/usr/local/include/gtk-3.0 -I/usr/local/include/at-spi2-atk/2.0 -I/usr/local/include/at-spi-2.0 -I/usr/local/include/dbus-1.0 -I/usr/local/lib64/dbus-1.0/include -I/usr/local/include/pango-1.0 -I/usr/local/include/harfbuzz -I/usr/local/include/fribidi -I/usr/local/include/atk-1.0 -I/usr/local/include/cairo -I/usr/local/include/freetype2 -I/usr/local/include/gdk-pixbuf-2.0 -I/usr/local/include/webp -I/usr/local/include/vte-2.91 -I/usr/local/include/pipewire-0.3 -I/usr/local/include/spa-0.2 -flto=auto -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -fstack-protector-strong -Wempty-body -Wendif-labels 
-Wexpansion-to-defined -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /usr/local/tmp/crew/qemu.20241211185452.dir/linux-headers -isystem linux-headers -iquote . -iquote /usr/local/tmp/crew/qemu.20241211185452.dir -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/include -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/host/include/x86_64 -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/host/include/generic -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/tcg/i386 -pthread -mcx16 -msse2 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -O3 -pipe -ffat-lto-objects -fPIC -fuse-ld=mold -flto=auto -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR=1 -D_REENTRANT -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.a.p/hw_intc_arm_gicv3_its.c.o -MF libcommon.a.p/hw_intc_arm_gicv3_its.c.o.d -o libcommon.a.p/hw_intc_arm_gicv3_its.c.o -c ../hw/intc/arm_gicv3_its.c +In file included from ../hw/intc/trace.h:1, + from ../hw/intc/arm_gicv3_its.c:16: +In function ‘_nocheck__trace_gicv3_its_dte_read’, + inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9, + inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9, + inlined from ‘process_vmapti’ at ../hw/intc/arm_gicv3_its.c:680:9: +../hw/intc/trace-events:222:13: error: ‘dte.ittaddr’ may be used uninitialized [-Werror=maybe-uninitialized] + 222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64 + | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘process_vmapti’: +../hw/intc/arm_gicv3_its.c:654:13: note: ‘dte.ittaddr’ was declared here + 654 | DTEntry dte; + | ^~~ +In function ‘_nocheck__trace_gicv3_its_dte_read’, + inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9, + inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9, + inlined from ‘process_vmapti’ at ../hw/intc/arm_gicv3_its.c:680:9: +../hw/intc/trace-events:222:13: error: ‘dte.size’ may be used uninitialized [-Werror=maybe-uninitialized] + 222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64 + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘process_vmapti’: +../hw/intc/arm_gicv3_its.c:654:13: note: ‘dte.size’ was declared here + 654 | DTEntry dte; + | ^~~ +In function ‘_nocheck__trace_gicv3_its_dte_read’, + inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9, + inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9, + inlined from ‘process_mapti’ at ../hw/intc/arm_gicv3_its.c:608:9: +../hw/intc/trace-events:222:13: error: ‘dte.ittaddr’ may be used uninitialized [-Werror=maybe-uninitialized] + 222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64 + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘process_mapti’: +../hw/intc/arm_gicv3_its.c:586:13: note: ‘dte.ittaddr’ was declared 
here + 586 | DTEntry dte; + | ^~~ +In function ‘_nocheck__trace_gicv3_its_dte_read’, + inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9, + inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9, + inlined from ‘process_mapti’ at ../hw/intc/arm_gicv3_its.c:608:9: +../hw/intc/trace-events:222:13: error: ‘dte.size’ may be used uninitialized [-Werror=maybe-uninitialized] + 222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64 + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘process_mapti’: +../hw/intc/arm_gicv3_its.c:586:13: note: ‘dte.size’ was declared here + 586 | DTEntry dte; + | ^~~ +In function ‘lookup_vte’, + inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1036:14: +../hw/intc/arm_gicv3_its.c:459:8: error: ‘vte.rdbase’ may be used uninitialized [-Werror=maybe-uninitialized] + 459 | if (vte->rdbase >= s->gicv3->num_cpu) { + | ^ +../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’: +../hw/intc/arm_gicv3_its.c:1033:13: note: ‘vte.rdbase’ was declared here + 1033 | VTEntry vte; + | ^~~ +In function ‘_nocheck__trace_gicv3_its_vte_write’, + inlined from ‘trace_gicv3_its_vte_write’ at trace/trace-hw_intc.h:6789:9, + inlined from ‘update_vte’ at ../hw/intc/arm_gicv3_its.c:944:5, + inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1051:10: +../hw/intc/trace-events:227:13: error: ‘vte.vptaddr’ may be used uninitialized [-Werror=maybe-uninitialized] + 227 | gicv3_its_vte_write(uint32_t vpeid, int valid, uint32_t vptsize, uint64_t vptaddr, uint32_t rdbase) "GICv3 ITS: vPE Table write for vPEID 0x%x: valid %d VPTsize 0x%x VPTaddr 0x%" PRIx64 " RDbase 0x%x" + | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’: +../hw/intc/arm_gicv3_its.c:1033:13: note: ‘vte.vptaddr’ was declared here + 1033 | VTEntry vte; + | ^~~ +In function ‘_nocheck__trace_gicv3_its_vte_write’, + inlined from ‘trace_gicv3_its_vte_write’ at trace/trace-hw_intc.h:6789:9, + inlined from ‘update_vte’ at ../hw/intc/arm_gicv3_its.c:944:5, + inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1051:10: +../hw/intc/trace-events:227:13: error: ‘vte.vptsize’ may be used uninitialized [-Werror=maybe-uninitialized] + 227 | gicv3_its_vte_write(uint32_t vpeid, int valid, uint32_t vptsize, uint64_t vptaddr, uint32_t rdbase) "GICv3 ITS: vPE Table write for vPEID 0x%x: valid %d VPTsize 0x%x VPTaddr 0x%" PRIx64 " RDbase 0x%x" + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’: +../hw/intc/arm_gicv3_its.c:1033:13: note: ‘vte.vptsize’ was declared here + 1033 | VTEntry vte; + | ^~~ +In function ‘lookup_vte’, + inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1036:14: +../hw/intc/arm_gicv3_its.c:453:13: error: ‘MEM <unsigned char> [(struct VTEntry *)&vte]’ may be used uninitialized [-Werror=maybe-uninitialized] + 453 | if (!vte->valid) { + | ~~~^~~~~~~ +../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’: +../hw/intc/arm_gicv3_its.c:1033:13: note: ‘MEM <unsigned char> [(struct VTEntry *)&vte]’ was declared here + 1033 | VTEntry vte; + | ^~~ +cc1: all warnings being treated as errors + +``` + +Full Build log: + +[qemu-build-log.zip](/uploads/db227e4a6bbbcfccd0e1e3ccaacf1aec/qemu-build-log.zip)""" 
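Review bot: the `additional` field of 2718.toml ends with a relative attachment link, `[qemu-build-log.zip](/uploads/db227e4a6bbbcfccd0e1e3ccaacf1aec/qemu-build-log.zip)`, which only resolves on gitlab.com under the project path. Since the record already carries `url = "https://gitlab.com/qemu-project/qemu/-/issues/2718"`, the importer should rewrite `/uploads/...` links to absolute URLs under that project (or document that they are relative to it); otherwise the build log that the `reproduce` field defers to ("See build logs") is unreachable from the corpus. Note also that `qemu-version = "n/a"` here although the title names the version being built (9.2.0); keeping the template field verbatim is fine, but consumers should be told that "n/a" means "not filled in by the reporter", not "unknown".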
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2721.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2721.toml new file mode 100644 index 00000000..d8484f0b --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2721.toml @@ -0,0 +1,15 @@ +id = 2721 +title = "Failure with macOS 15.2 on ARM64: Property 'host-arm-cpu.sme' not found" +state = "opened" +created_at = "2024-12-12T18:29:18.992Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2721" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2725.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2725.toml new file mode 100644 index 00000000..c8d59c51 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2725.toml @@ -0,0 +1,15 @@ +id = 2725 +title = "multi-arch build at AMD64 for ARM64 fails without flag \"F\"" +state = "closed" +created_at = "2024-12-15T17:03:32.175Z" +closed_at = "2025-04-02T06:56:51.445Z" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2725" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2729.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2729.toml new file mode 100644 index 00000000..f7102c10 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2729.toml 
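Review bot: 2721.toml and 2725.toml carry the string `"n/a"` in every field except id/title/state/labels/url, including `description = "n/a"` and `closed_at = "n/a"`. Two problems with that sentinel: a string in a date field (`closed_at`) forces every consumer to special-case it before parsing timestamps, and `"n/a"` is indistinguishable from a reporter literally typing "n/a" into the template (which several other records in this series show, e.g. `guest-os = "N/A"` in 2792.toml). Prefer omitting absent keys, or use an empty string for text fields and omit `closed_at` entirely for `state = "opened"` issues, so absence is structural rather than a magic value.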
@@ -0,0 +1,84 @@ +id = 2729 +title = "qemu-system-aarch64 -M raspi4b -- no valid DTB provided in x0 register" +state = "closed" +created_at = "2024-12-19T01:59:55.229Z" +closed_at = "2025-02-04T17:26:34.014Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2729" +host-os = "Ubuntu 24.04.1 LTS" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 9.2.50 (v9.2.0-319-gca80a5d026)" +guest-os = "custom" +guest-arch = "aarch64" +description = """When starting `qemu-system-aarch64 -M raspi4b`, no valid DTB is provided in x0.""" +reproduce = """Make a simple binary to loop forever + +``` +$ cat loop.c +void _start(void) +{ +\tfor(;;) +\t\t; +} +$ aarch64-linux-gnu-gcc loop.c -nostdlib +$ aarch64-linux-gnu-objcopy -O binary a.out loop.bin +``` + +Start qemu for debugging and start gdb + +``` +$ qemu-system-aarch64 -S -s -M raspi4b -kernel loop.bin +# in another terminal +$ aarch64-linux-gnu-gdb +(gdb) target remote :1234 +Remote debugging using :1234 +warning: No executable has been specified and target does not support +determining executable automatically. Try using the "file" command. +0x0000000000000000 in ?? () +(gdb) watch *$x0 +Watchpoint 3: *$x0 +(gdb) watch $x0 +Watchpoint 4: $x0 +(gdb) x/2x$x0 +0x0:\t0x580000c0\t0xaa1f03e1 +(gdb) si + +Thread 1 hit Watchpoint 3: *$x0 + +Old value = 1476395200 +New value = 5 + +Thread 1 hit Watchpoint 4: $x0 + +Old value = 0 +New value = 256 +0x0000000000000004 in ?? () +(gdb) x/2x$x0 +0x100:\t0x00000005\t0x54410001 +(gdb) si +0x0000000000000008 in ?? () +(gdb) si +0x000000000000000c in ?? () +(gdb) si +0x000000000000000c in ?? () +(gdb) si +0x0000000000000010 in ?? () +(gdb) si +0x0000000000000014 in ?? () +(gdb) si +0x0000000000080000 in ?? () +(gdb) si +0x0000000000000200 in ?? () +(gdb) si +0x0000000000000200 in ?? () +(gdb) si +0x0000000000000200 in ?? () +(gdb) si +0x0000000000000200 in ?? 
() +(gdb) x/2x$x0 +0x100:\t0x00000005\t0x54410001 +(gdb) +``` + +Note that at no time is a valid DTB provided in x0. I expected to see the DTB magic 0xd00dfeed (or 0xedfe0dd0) at the memory pointed to by x0""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2733.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2733.toml new file mode 100644 index 00000000..0fe14329 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2733.toml @@ -0,0 +1,20 @@ +id = 2733 +title = "-machine raspi4b won't dump dtb" +state = "closed" +created_at = "2024-12-20T01:44:23.813Z" +closed_at = "2025-03-03T12:11:47.294Z" +labels = ["target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2733" +host-os = "Ubuntu 24.04.1 LTS" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 9.2.50 (v9.2.0-319-gca80a5d026)" +guest-os = "custom" +guest-arch = "aarch64" +description = """the raspi4b machine won't dump tdb""" +reproduce = """``` +$ qemu-system-aarch64 -machine virt -machine dumpdtb=p.dmp +qemu-system-aarch64: info: dtb dumped to p.dmp. Exiting. +$ qemu-system-aarch64 -machine raspi4b -machine dumpdtb=p.dmp +``` +notice no dtb is dumped for the raspi4b machine""" +additional = """see also https://gitlab.com/qemu-project/qemu/-/issues/2729""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2734.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2734.toml new file mode 100644 index 00000000..4c83ad18 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2734.toml 
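Review bot: 2729.toml sits under `target_arm/host_missing/accel_missing/` even though the record itself states `host-os = "Ubuntu 24.04.1 LTS"` and `host-arch = "x86_64"`; the directory evidently follows the GitLab labels (only "target: arm" here, no host: or accel: label) rather than the template fields. That is a defensible layout, but it should be stated in the commit message or a README for `gitlab/issues/`, because a reader will otherwise take `host_missing` to mean the host was not reported. The same mismatch is present in 2733.toml in this hunk, which carries identical host fields.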
@@ -0,0 +1,34 @@ +id = 2734 +title = "many aarch64 machines exit with \"fatal: Lockup: can't escalate 3 to HardFault\"" +state = "closed" +created_at = "2024-12-20T07:21:02.991Z" +closed_at = "2025-02-28T15:46:47.539Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2734" +host-os = "Ubuntu 24.04.1 LTS" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 9.2.50 (v9.2.0-319-gca80a5d026)" +guest-os = "custom" +guest-arch = "aarch64" +description = """`-machine netduino2` and `-machine microbit` and many others dump core""" +reproduce = """``` +qemu-system-aarch64 -machine netduino2 +qemu-system-aarch64 -machine microbit +... +$ for x in microbit netduino2 b-l475e-iot01a emcraft-sf2 fby35-bmc lm3s6965evb lm3s811evb musca-a musca-b1 netduinoplus2 olimex-stm32-h405 stm32vldiscovery +do qemu-system-aarch64 -machine $x +done +``` +and all the `mps2-*` machines all result in +``` +qemu: fatal: Lockup: can't escalate 3 to HardFault (current priority -1) + +R00=00000000 R01=00000000 R02=00000000 R03=00000000 +R04=00000000 R05=00000000 R06=00000000 R07=00000000 +R08=00000000 R09=00000000 R10=00000000 R11=00000000 +R12=00000000 R13=ffffffe0 R14=fffffff9 R15=00000000 +XPSR=40000003 -Z-- A handler +FPSCR: 00000000 +Aborted (core dumped) +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2760.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2760.toml new file mode 100644 index 00000000..4995db15 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2760.toml 
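Review bot: in 2734.toml `guest-arch = "aarch64"` records the binary the reporter invoked (`qemu-system-aarch64`) rather than the guest CPU actually being emulated: the register dump in `reproduce` (`XPSR=40000003 -Z-- A handler`, `R13=ffffffe0 R14=fffffff9`, and the "can't escalate 3 to HardFault" lockup) is M-profile CPU state from the microbit/netduino2/mps2 boards listed there. If the corpus is going to be filtered by `guest-arch`, this field should be treated as reporter-supplied free text, not as a classifier; a short caveat in the README would save downstream users from grouping Cortex-M board issues with AArch64 ones.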
@@ -0,0 +1,15 @@ +id = 2760 +title = "Some Aarch64 system registers not available via the debugger" +state = "opened" +created_at = "2025-01-02T19:54:41.525Z" +closed_at = "n/a" +labels = ["GDB", "kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2760" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2792.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2792.toml new file mode 100644 index 00000000..e6cf9caa --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2792.toml @@ -0,0 +1,80 @@ +id = 2792 +title = "qemu-system-aarch64 segfault at startup with --enable-rust" +state = "closed" +created_at = "2025-01-24T01:01:59.283Z" +closed_at = "2025-02-15T03:04:34.453Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2792" +host-os = "CentOS 9" +host-arch = "x86_64" +qemu-version = "9.2.50" +guest-os = "N/A" +guest-arch = "ARM" +description = """The following commit breaks type class initialization for `pl011_luminary`: + +``` +d9434f29ca83e114fe02ed24c8ad2ccfa7ac3fe9 is the first bad commit +commit d9434f29ca83e114fe02ed24c8ad2ccfa7ac3fe9 +Author: Paolo Bonzini <pbonzini@redhat.com> +Date: Fri Nov 29 11:38:59 2024 +0100 + + rust: qom: move device_id to PL011 class side + + There is no need to monkeypatch DeviceId::Luminary into the already-initialized + PL011State. Instead, now that we can define a class hierarchy, we can define + PL011Class and make device_id a field in there. + + There is also no need anymore to have "Arm" as zero, so change DeviceId into a + wrapper for the array; all it does is provide an Index<hwaddr> implementation + because arrays can only be indexed by usize. + + Reviewed-by: Zhao Liu <zhao1.liu@intel.com> + 
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + + rust/hw/char/pl011/src/device.rs | 59 +++++++++++++++++++--------------------- + 1 file changed, 28 insertions(+), 31 deletions(-) +bisect found first bad commit +``` + +It results in a segmentation fault during type initialization at startup: + +``` +$ ./build/qemu-system-aarch64 -machine help +zsh: segmentation fault (core dumped) ./build/qemu-system-aarch64 -machine help +``` + +Because the class is uninitialized on the `pl011_luminary` TypeInfo (I think): + +``` +$ gdb --args ./build/qemu-system-aarch64 -machine help +... +Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault. +0x0000555555fc0fcf in object_class_dynamic_cast (class=class@entry=0x5555575ca128, typename=typename@entry=0x5555562650cd "resettable") at ../qom/object.c:966 +966 if (type->class->interfaces && +(gdb) p type->class +$1 = (ObjectClass *) 0x0 +(gdb) bt +#0 0x0000555555fc0fcf in object_class_dynamic_cast (class=class@entry=0x5555575ca128, typename=typename@entry=0x5555562650cd "resettable") at ../qom/object.c:966 +#1 0x0000555555fc1473 in object_class_dynamic_cast_assert (class=class@entry=0x5555575ca128, typename=typename@entry=0x5555562650cd "resettable", + file=file@entry=0x5555562651a0 "/home/pdel/qemu/include/hw/resettable.h", line=line@entry=21, func=func@entry=0x55555643d2b0 <__func__.13> "RESETTABLE_CLASS") at ../qom/object.c:1016 +#2 0x0000555555fbc61b in RESETTABLE_CLASS (klass=0x5555575ca128) at /home/pdel/qemu/include/hw/resettable.h:21 +#3 device_class_set_legacy_reset (dc=0x5555575ca128, dev_reset=0x5555560dacb0 <qemu_api::qdev::rust_reset_fn>) at ../hw/core/qdev.c:790 +#4 0x00005555560dac03 in qemu_api::qdev::<impl qemu_api::qom::ClassInitImpl<qemu_api::bindings::DeviceClass> for T>::class_init (dc=0x5555575ca128) + at rust/qemu-api/libqemu_api.rlib.p/structured/qdev.rs:84 +#5 qemu_api::sysbus::<impl qemu_api::qom::ClassInitImpl<qemu_api::bindings::SysBusDeviceClass> for T>::class_init 
(sdc=0x5555575ca128) at rust/qemu-api/libqemu_api.rlib.p/structured/sysbus.rs:31 +#6 <pl011::device::PL011State as qemu_api::qom::ClassInitImpl<pl011::device::PL011Class>>::class_init (klass=0x5555575ca120) at ../rust/hw/char/pl011/src/device.rs:140 +#7 qemu_api::qom::rust_class_init (klass=0x5555575ca120, _data=<optimized out>) at rust/qemu-api/libqemu_api.rlib.p/structured/qom.rs:176 +#8 0x0000555555fc0930 in type_initialize (ti=0x555557555eb0) at ../qom/object.c:359 +#9 type_initialize (ti=ti@entry=0x555557556070) at ../qom/object.c:365 +#10 0x0000555555fc1190 in type_initialize (ti=0x555557556070) at ../qom/object.c:1122 +#11 object_class_foreach_tramp (key=<optimized out>, value=0x555557556070, opaque=0x7fffffffdd00) at ../qom/object.c:1110 +#12 0x00007ffff7528668 in g_hash_table_foreach () from /lib64/libglib-2.0.so.0 +#13 0x0000555555fc1931 in object_class_foreach (opaque=0x7fffffffdcf8, include_abstract=false, implements_type=<optimized out>, fn=0x555555fbf810 <object_class_get_list_tramp>) at ../qom/object.c:87 +#14 object_class_get_list (implements_type=implements_type@entry=0x5555562c5440 "machine", include_abstract=include_abstract@entry=false) at ../qom/object.c:1189 +#15 0x0000555555bf53ac in machine_help_func (qdict=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../system/vl.c:1559 +#16 qemu_init (argc=3, argv=<optimized out>) at ../system/vl.c:3319 +#17 0x00005555558f1a89 in main (argc=<optimized out>, argv=<optimized out>) at ../system/main.c:68 +```""" +reproduce = """1. Checkout cf86770c7aa31ebd6e56f4eeb25c34107f92c51e +2. `./configure --target-list=aarch64-softmmu --enable-rust && ninja -C build && ./build/qemu-system-aarch64 -machine help`""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2797.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2797.toml new file mode 100644 index 00000000..eba7a556 --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_missing/2797.toml @@ -0,0 +1,15 @@ +id = 2797 +title = "arm/raspi.c - incease memory limit" +state = "opened" +created_at = "2025-01-28T22:08:57.233Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2797" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """I can attempt to make a PR that increases this limit, but not sure if others would find it useful.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2861.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2861.toml new file mode 100644 index 00000000..e49002ca --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2861.toml @@ -0,0 +1,19 @@ +id = 2861 +title = "hw/pci-host/designware.c incorrect write to DESIGNWARE_PCIE_ATU_UPPER_TARGET register" +state = "closed" +created_at = "2025-03-13T13:41:16.866Z" +closed_at = "2025-04-02T00:15:39.783Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2861" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """I think this is a obvious bug + +https://gitlab.com/qemu-project/qemu/-/blob/master/hw/pci-host/designware.c?ref_type=heads#L374 + +Write to register DESIGNWARE_PCIE_ATU_UPPER_TARGET, val should be shifted left to update upper 32 bit part.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2870.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2870.toml new file mode 100644 index 00000000..3abf4290 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2870.toml 
@@ -0,0 +1,15 @@ +id = 2870 +title = "How to Create BE32-Type Instruction Emulation" +state = "opened" +created_at = "2025-03-18T07:57:39.052Z" +closed_at = "n/a" +labels = ["target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2870" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2886.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2886.toml new file mode 100644 index 00000000..2732d4d9 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2886.toml 
@@ -0,0 +1,23 @@ +id = 2886 +title = "ACPI MADT advertises GITS even when disabled" +state = "opened" +created_at = "2025-03-28T15:50:00.229Z" +closed_at = "n/a" +labels = ["ACPI", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2886" +host-os = "Linux" +host-arch = "Host:x86 Guest:Arm" +qemu-version = "9.2.3" +guest-os = "Custom OS" +guest-arch = "Arm (aarch64)" +description = """As per the command line given above, QEMU shall emulate a GICv4 without GIC Interrupt Translation Service (GITS). + +The following happens: +- ACPI **incorrectly** lists a GITS (type 0xf) structure in the MADT with GITS MMIO Base = 0x8080000 +- The OS reads that structure and interprets it to mean a GITS is present at the given MMIO address +- Subsequent access to GITS MMIO causes a data abort (0x25) because QEMU doesn't emulate a GITS (as requested) + +The bug is thus that QEMU wrongly advertises GITS as present (via the MADT) when it is in fact absent.""" +reproduce = """1. Disable GITS emulation by passing `its=off` on the QEMU command line +2. Check if a GITS structure is listed in the ACPI MADT (must be present in ACPI MADT only if GITS is enabled and absent otherwise)""" +additional = """When booting with `its=on` (default), everything works as expected.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2896.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2896.toml new file mode 100644 index 00000000..a1bf29a5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2896.toml @@ -0,0 +1,15 @@ +id = 2896 +title = "How to enable MPU support on Cortex-R5F?" +state = "closed" +created_at = "2025-03-31T13:55:03.193Z" +closed_at = "2025-04-01T03:19:39.947Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2896" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
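Review bot: 2886.toml has `host-arch = "Host:x86 Guest:Arm"`, i.e. the reporter stuffed both sides into one template field, so any consumer filtering on `host-arch` will miss this record; either normalise it (host-arch = "x86", guest-arch already says "Arm (aarch64)") or keep a raw copy alongside a normalised value. More importantly, the `description` opens with "As per the command line given above", but no command line survives in the record, and `reproduce` only says to pass `its=off`; the importer appears to have dropped a template section (the command line) that the rest of the report depends on, so the scrape should be checked for fields that are not being captured.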
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2898.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2898.toml new file mode 100644 index 00000000..7415b0e9 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2898.toml 
@@ -0,0 +1,123 @@ +id = 2898 +title = "-M virt,dumpdtb is missing information from the device tree" +state = "closed" +created_at = "2025-04-01T03:59:08.221Z" +closed_at = "2025-05-08T13:46:59.812Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2898" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "v10.0.0-rc1" +guest-os = "n/a" +guest-arch = "n/a" +description = """dumpdtb no longer produces a device tree with the full system described. + + +``` +$ dtc -I dtb -O dts test.dtb +<stdout>: Warning (unit_address_vs_reg): /soc/pci@30000000: node has a unit name, but no reg or ranges property +<stdout>: Warning (simple_bus_reg): /soc/pci@30000000: missing or empty reg/ranges property +/dts-v1/; + +/ { +\t#address-cells = <0x02>; +\t#size-cells = <0x02>; +\tcompatible = "riscv-virtio"; +\tmodel = "riscv-virtio,qemu"; + +\tpmu { +\t\triscv,event-to-mhpmcounters = <0x01 0x01 0x7fff9 0x02 0x02 0x7fffc 0x10019 0x10019 0x7fff8 0x1001b 0x1001b 0x7fff8 0x10021 0x10021 0x7fff8>; +\t\tcompatible = "riscv,pmu"; +\t}; + +\tfw-cfg@10100000 { +\t\tdma-coherent; +\t\treg = <0x00 0x10100000 0x00 0x18>; +\t\tcompatible = "qemu,fw-cfg-mmio"; +\t}; + +\tflash@20000000 { +\t\tbank-width = <0x04>; +\t\treg = <0x00 0x20000000 0x00 0x2000000 0x00 0x22000000 0x00 0x2000000>; +\t\tcompatible = "cfi-flash"; +\t}; + +\taliases { +\t}; + +\tchosen { +\t\trng-seed = <0xd4266784 0xc7a7c66f 0xd5b7347d 0x862188f3 0x78065a8e 0xebdedae5 0xd77c47b0 0x34d31eff>; +\t}; + +\tsoc { +\t\t#address-cells = <0x02>; +\t\t#size-cells = <0x02>; +\t\tcompatible = "simple-bus"; +\t\tranges; + +\t\tpci@30000000 { +\t\t}; +\t}; +}; +```""" +reproduce = """1. qemu-system-riscv64 -machine virt,dumpdtb=test.dtb +2. dtc -I dtb -O dts test.dtb""" +additional = """The regression was introduced in https://gitlab.com/qemu-project/qemu/-/commit/8fd2518ef2f8d. If this commit is reverted, the expected behavior returns. 
+ +``` +dtc -I dtb -O dts test.dtb | grep "@" +\tplatform-bus@4000000 { +\tmemory@80000000 { +\t\tcpu@0 { +\tfw-cfg@10100000 { +\tflash@20000000 { +\t\tserial0 = "/soc/serial@10000000"; +\t\tstdout-path = "/soc/serial@10000000"; +\t\trtc@101000 { +\t\tserial@10000000 { +\t\t\tclock-frequency = "", "8@"; +\t\ttest@100000 { +\t\tvirtio_mmio@10008000 { +\t\tvirtio_mmio@10007000 { +\t\tvirtio_mmio@10006000 { +\t\tvirtio_mmio@10005000 { +\t\tvirtio_mmio@10004000 { +\t\tvirtio_mmio@10003000 { +\t\tvirtio_mmio@10002000 { +\t\tvirtio_mmio@10001000 { +\t\tplic@c000000 { +\t\tclint@2000000 { +\t\tpci@30000000 { +``` + +Other machines are affected to a lesser degree. The arm virt machine: + +qemu-system-arm -machine virt,dumpdtb=test.dtb +``` +@@ -8,28 +8,6 @@ + \t#address-cells = <0x02>; + \tcompatible = "linux,dummy-virt"; + +-\tpsci { +-\t\tmigrate = <0x84000005>; +-\t\tcpu_on = <0x84000003>; +-\t\tcpu_off = <0x84000002>; +-\t\tcpu_suspend = <0x84000001>; +-\t\tmethod = "hvc"; +-\t\tcompatible = "arm,psci-1.0", "arm,psci-0.2", "arm,psci"; +-\t}; +- +-\tmemory@40000000 { +-\t\treg = <0x00 0x40000000 0x00 0x8000000>; +-\t\tdevice_type = "memory"; +-\t}; +- +-\tplatform-bus@c000000 { +-\t\tinterrupt-parent = <0x8002>; +-\t\tranges = <0x00 0x00 0xc000000 0x2000000>; +-\t\t#address-cells = <0x01>; +-\t\t#size-cells = <0x01>; +-\t\tcompatible = "qemu,platform", "simple-bus"; +-\t}; +- +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2910.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2910.toml new file mode 100644 index 00000000..1dd2e4b9 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2910.toml 
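Review bot: 2898.toml is filed under `target_arm/` on the strength of its single label "target: arm", but the primary reproducer is `qemu-system-riscv64 -machine virt,dumpdtb=test.dtb` and the dumped tree is `compatible = "riscv-virtio"`; the arm virt machine is only shown as "affected to a lesser degree" in `additional`. A label-only classification will put cross-target regressions like this one in whichever directory a triager happened to label, so consider a multi-valued `targets` key, or at least mention in the README that a record can belong to more than one target. Separately, the `additional` string embeds a unified diff (`@@ -8,28 +8,6 @@`, `-\tpsci {` ...) from the reporter; it is valid TOML, but anyone grepping this commit for hunk lines will match inside the data.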
@@ -0,0 +1,17 @@ +id = 2910 +title = "SME2 support for aarch64?" +state = "opened" +created_at = "2025-04-02T08:22:51.199Z" +closed_at = "n/a" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2910" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """We've noticed that most `SME2` instructions work, despite `ARM_HWCAP2_A64_SME2` not being set. + +Cheers, Pedro""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2916.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2916.toml new file mode 100644 index 00000000..e678e0c6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2916.toml 
@@ -0,0 +1,34 @@ +id = 2916 +title = "qemu-system-arm hangs when attempting to enable MMU on Cortex-A7" +state = "opened" +created_at = "2025-04-07T11:27:39.291Z" +closed_at = "n/a" +labels = ["target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2916" +host-os = "Ubuntu 22.04.5 LTS" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 9.2.3" +guest-os = "bare-metal/?" +guest-arch = "ARM" +description = """QEMU 9.x.x+ hangs when attempting to do enable the MMU from SCTLRL - M bit: https://developer.arm.com/documentation/ddi0601/2025-03/AArch32-Registers/SCTLR--System-Control-Register + +The instruction that hangs is the writing of the SCTLR register: + +``` +mrc p15, 0, r0, c1, c0, 0 +orr r0, r0, 1 +mcr p15, 0, r0, c1, c0, 0 +``` + +I am attempting to enable unaligned accesses and SCTLR-A bit doesn't seem to have any effect if the SCTLR-M is not enabled. Doing an unaligned access on cortex-a7 should be supported but it always trigger a Fault.""" +reproduce = """1. add the mrc/orr/mcr instruction sequence in the ResetHandler +2. link the elf +3. attempt to execute it""" +additional = """The unaligned access looked like it was working in QEMU 8.x.x but it might not have been emulated(?). I also am facing the same issues with MCR hanging and unaligned access not supported with latest 10.0.0-RC2. + +When it hangs, QEMU has to be killed and terminal reset. + +There might be two separate issues here: + +1. writing SCTLR register +2. emulated cortex-a7 not supporting unaligned access (hardware supports it)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2917.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2917.toml new file mode 100644 index 00000000..f3b7928d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2917.toml 
@@ -0,0 +1,30 @@ +id = 2917 +title = "build failure because of warnings when -O3 is used" +state = "closed" +created_at = "2025-04-09T08:07:33.589Z" +closed_at = "2025-04-09T10:10:36.824Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2917" +host-os = "Ubuntu 25.04 (dev)" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = """qemu build fails when -O3 is enabled and the build is done either from a git cloned qemu or with -Werror enabled (qemu build enables -Werror automatically when it detects the .git folder)""" +reproduce = """1. git clone qemu && install appropriate dependencies for qemu build +2. mkdir build +3. ../configure --extra-cflags="-O3" +4. make -j$(nbproc) + +``` +cc -m64 -Ilibcommon.a.p -I../common-user/host/x86_64 -I../linux-user/include/host/x86_64 -I../linux-user/include -Isubprojects/libvduse -I../subprojects/libvduse -I/usr/include/p11-kit-1 -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/spice-server -I/usr/include/spice-1 -I/usr/include/libusb-1.0 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/sysprof-6 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/x86_64-linux-gnu -I/usr/include/webp -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/PCSC -I/usr/include/pipewire-0.3 -I/usr/include/spa-0.2 -I/usr/include/fuse3 -I/usr/include/uuid -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -fstack-protector-strong -Wempty-body -Wendif-labels 
-Wexpansion-to-defined -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /home/ubuntu/qemu/linux-headers -isystem linux-headers -iquote . -iquote /home/ubuntu/qemu -iquote /home/ubuntu/qemu/include -iquote /home/ubuntu/qemu/host/include/x86_64 -iquote /home/ubuntu/qemu/host/include/generic -iquote /home/ubuntu/qemu/tcg/i386 -pthread -mcx16 -msse2 -D_GNU_SOURCE -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -O3 -fPIE -D_FILE_OFFSET_BITS=64 -D__USE_FILE_OFFSET64 -D__USE_LARGEFILE64 -DUSE_POSIX_ACLS=1 -isystem /usr/include/mit-krb5 -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR=1 -D_REENTRANT -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.a.p/hw_ssi_xilinx_spips.c.o -MF libcommon.a.p/hw_ssi_xilinx_spips.c.o.d -o libcommon.a.p/hw_ssi_xilinx_spips.c.o -c ../hw/ssi/xilinx_spips.c +../hw/ssi/xilinx_spips.c: In function ‘xilinx_spips_flush_txfifo’: +../hw/ssi/xilinx_spips.c:624:30: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] + 624 | tx_rx[i] = fifo8_pop(&s->tx_fifo); + | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~ +../hw/ssi/xilinx_spips.c:613:17: note: at offset 2 into destination object ‘tx_rx’ of size 2 + 613 | uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 }; + | ^~~~~ +cc1: all warnings being treated as errors +```""" +additional = """I fixed this warning locally on my build however it is only a start of several build warnings that happen down the road (\\~6 warnings in total)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2921.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2921.toml new file mode 100644 index 00000000..956b0b19 
--- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2921.toml 
@@ -0,0 +1,376 @@ +id = 2921 +title = "Aarch64 reverse debugging test is unreliable" +state = "opened" +created_at = "2025-04-14T08:45:53.579Z" +closed_at = "n/a" +labels = ["kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2921" +host-os = "Fedora 41" +host-arch = "x86" +qemu-version = "v10.0-rc3" +guest-os = "n/a" +guest-arch = "n/a" +description = """The reverse-debugging test for the aarch64 target is not working reliably, especially if the host system is under load, approx. 1 or 2 out of 10 test runs fail. The log looks like this: + +``` +2025-04-14 10:24:35,042 test L0310 INFO | INIT 1-ReverseDebugging_AArch64.test_aarch64_virt +2025-04-14 10:24:35,043 parameters L0142 DEBUG| PARAMS (key=timeout, path=*, default=10) => 10 +2025-04-14 10:24:35,043 test L0338 DEBUG| Test metadata: +2025-04-14 10:24:35,043 test L0340 DEBUG| filename: /.../tmp/qemu-build/tests/avocado/reverse_debugging.py +2025-04-14 10:24:35,044 test L0346 DEBUG| teststmpdir: /var/tmp/avocado_w5d2bkam +2025-04-14 10:24:35,044 test L0536 INFO | START 1-ReverseDebugging_AArch64.test_aarch64_virt +2025-04-14 10:24:35,044 test L0207 DEBUG| DATA (filename=output.expected) => NOT FOUND (data sources: variant, test, file) +2025-04-14 10:24:35,045 parameters L0142 DEBUG| PARAMS (key=arch, path=*, default=aarch64) => 'aarch64' +2025-04-14 10:24:35,045 parameters L0142 DEBUG| PARAMS (key=cpu, path=*, default=cortex-a53) => 'cortex-a53' +2025-04-14 10:24:35,046 parameters L0142 DEBUG| PARAMS (key=qemu_bin, path=*, default=./qemu-system-aarch64) => './qemu-system-aarch64' +2025-04-14 10:24:35,272 parameters L0142 DEBUG| PARAMS (key=machine, path=*, default=virt) => 'virt' +2025-04-14 10:24:35,290 test L0465 DEBUG| Test workdir initialized at: /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt +2025-04-14 10:24:35,290 process L0658 INFO | Running '/.../tmp/qemu-build/qemu-img create -f qcow2 
/var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/disk.qcow2 128M' +2025-04-14 10:24:35,347 process L0470 DEBUG| [stdout] Formatting '/var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/disk.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=134217728 lazy_refcounts=off refcount_bits=16 +2025-04-14 10:24:35,393 process L0739 INFO | Command '/.../tmp/qemu-build/qemu-img create -f qcow2 /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/disk.qcow2 128M' finished with 0 after 0.100170269s +2025-04-14 10:24:35,475 __init__ L0314 DEBUG| QEMUMachine "28fc0d7d-bd0a-44c0-afa8-f24a1800132f" created +2025-04-14 10:24:35,475 __init__ L0315 DEBUG| QEMUMachine "28fc0d7d-bd0a-44c0-afa8-f24a1800132f" temp_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/qemu-machine-052_8e_k +2025-04-14 10:24:35,475 __init__ L0316 DEBUG| QEMUMachine "28fc0d7d-bd0a-44c0-afa8-f24a1800132f" log_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/1-ReverseDebugging_AArch64.test_aarch64_virt +2025-04-14 10:24:36,195 __init__ L0314 DEBUG| QEMUMachine "3f348d83-7aa3-4381-9919-389bc85ed85b" created +2025-04-14 10:24:36,196 __init__ L0315 DEBUG| QEMUMachine "3f348d83-7aa3-4381-9919-389bc85ed85b" temp_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/qemu-machine-vxlortdq +2025-04-14 10:24:36,196 __init__ L0316 DEBUG| QEMUMachine "3f348d83-7aa3-4381-9919-389bc85ed85b" log_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/1-ReverseDebugging_AArch64.test_aarch64_virt +2025-04-14 10:24:37,623 stacktrace L0039 ERROR| +2025-04-14 10:24:37,628 stacktrace L0041 ERROR| Reproduced traceback from: /usr/lib/python3.13/site-packages/avocado/core/test.py:793 +2025-04-14 10:24:37,643 stacktrace L0045 ERROR| Traceback 
(most recent call last): +2025-04-14 10:24:37,643 stacktrace L0045 ERROR| File "/usr/lib/python3.13/site-packages/avocado/core/decorators.py", line 90, in wrapper +2025-04-14 10:24:37,643 stacktrace L0045 ERROR| return function(obj, *args, **kwargs) +2025-04-14 10:24:37,643 stacktrace L0045 ERROR| File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 239, in test_aarch64_virt +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| self.reverse_debugging( +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~~~~~~^ +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| args=('-kernel', kernel_path)) +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 179, in reverse_debugging +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| if self.vm_get_icount(vm) == last_icount - 1: +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~~^^^^ +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 100, in vm_get_icount +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| return vm.qmp('query-replay')['return']['icount'] +2025-04-14 10:24:37,644 stacktrace L0045 ERROR| ~~~~~~^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| ret = self._qmp.cmd_raw(cmd, args=qmp_args) +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| return self.cmd_obj(qmp_cmd) +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| ~~~~~~~~~~~~^^^^^^^^^ +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 186, in cmd_obj +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| self._sync( +2025-04-14 
10:24:37,645 stacktrace L0045 ERROR| ~~~~~~~~~~^ +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| # pylint: disable=protected-access +2025-04-14 10:24:37,645 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| ...<5 lines>... +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| self._timeout +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| ^^^^^^^^^^^^^ +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| ) +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| ^ +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync +2025-04-14 10:24:37,646 stacktrace L0045 ERROR| return self._aloop.run_until_complete( +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| asyncio.wait_for(future, timeout=timeout) +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| ) +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| ^ +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| return future.result() +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| ~~~~~~~~~~~~~^^ +2025-04-14 10:24:37,647 stacktrace L0045 ERROR| File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| return await fut +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| ^^^^^^^^^ +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 547, in _raw +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| return await self._execute(msg, assign_id=assign_id) +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| File 
"/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 496, in _execute +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| return await self._reply(exec_id) +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 463, in _reply +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| raise result +2025-04-14 10:24:37,648 stacktrace L0045 ERROR| qemu.qmp.qmp_client.ExecInterruptedError: Disconnected +2025-04-14 10:24:37,649 stacktrace L0046 ERROR| +2025-04-14 10:24:37,649 test L0798 DEBUG| Local variables: +2025-04-14 10:24:37,671 test L0801 DEBUG| -> obj <class 'reverse_debugging.ReverseDebugging_AArch64'>: 1-ReverseDebugging_AArch64.test_aarch64_virt +2025-04-14 10:24:37,671 test L0801 DEBUG| -> args <class 'tuple'>: () +2025-04-14 10:24:37,671 test L0801 DEBUG| -> kwargs <class 'dict'>: {} +2025-04-14 10:24:37,671 test L0801 DEBUG| -> condition <class 'str'>: 1 +2025-04-14 10:24:37,671 test L0801 DEBUG| -> function <class 'function'>: <function ReverseDebugging_AArch64.test_aarch64_virt at 0x7fc6d4cc87c0> +2025-04-14 10:24:37,672 test L0801 DEBUG| -> message <class 'str'>: Test is unstable on GitLab +2025-04-14 10:24:37,672 test L0801 DEBUG| -> negate <class 'bool'>: True +2025-04-14 10:24:37,673 stacktrace L0039 ERROR| +2025-04-14 10:24:37,673 stacktrace L0041 ERROR| Reproduced traceback from: /usr/lib/python3.13/site-packages/avocado/core/test.py:819 +2025-04-14 10:24:37,678 stacktrace L0045 ERROR| Traceback (most recent call last): +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 580, in _soft_shutdown +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| self.qmp('quit') +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| ~~~~~~~~^^^^^^^^ +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp +2025-04-14 10:24:37,679 stacktrace 
L0045 ERROR| ret = self._qmp.cmd_raw(cmd, args=qmp_args) +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| return self.cmd_obj(qmp_cmd) +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| ~~~~~~~~~~~~^^^^^^^^^ +2025-04-14 10:24:37,679 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 192, in cmd_obj +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| self._qmp._raw(qmp_cmd, assign_id=False), +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 155, in _wrapper +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| raise StateError(emsg, proto.runstate, required_state) +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| qemu.qmp.protocol.StateError: QMPClient is disconnecting. Call disconnect() to return to IDLE state. 
+2025-04-14 10:24:37,680 stacktrace L0045 ERROR| +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| During handling of the above exception, another exception occurred: +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| Traceback (most recent call last): +2025-04-14 10:24:37,680 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 611, in _do_shutdown +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| self._soft_shutdown(timeout) +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~~~^^^^^^^^^ +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 583, in _soft_shutdown +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| self._close_qmp_connection() +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~~~~~~~~~~^^ +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 501, in _close_qmp_connection +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| self._qmp.close() +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~^^ +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 281, in close +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| self._sync( +2025-04-14 10:24:37,681 stacktrace L0045 ERROR| ~~~~~~~~~~^ +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| self._qmp.disconnect() +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ) +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ^ +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| return self._aloop.run_until_complete( +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| asyncio.wait_for(future, 
timeout=timeout) +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ) +2025-04-14 10:24:37,682 stacktrace L0045 ERROR| ^ +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| return future.result() +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| ~~~~~~~~~~~~~^^ +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| return await fut +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| ^^^^^^^^^ +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 399, in disconnect +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| await self._wait_disconnect() +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 719, in _wait_disconnect +2025-04-14 10:24:37,683 stacktrace L0045 ERROR| await all_defined_tasks # Raise Exceptions from the bottom half. 
+2025-04-14 10:24:37,684 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 870, in _bh_loop_forever +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| await async_fn() +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 908, in _bh_recv_message +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| msg = await self._recv() +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 1009, in _recv +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| message = await self._do_recv() +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 402, in _do_recv +2025-04-14 10:24:37,684 stacktrace L0045 ERROR| msg_bytes = await self._readline() +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| ^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 977, in _readline +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| raise EOFError +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| EOFError +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| The above exception was the direct cause of the following exception: +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| Traceback (most recent call last): +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| File "/.../tmp/qemu-build/tests/avocado/avocado_qemu/__init__.py", line 372, in tearDown +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| vm.shutdown() +2025-04-14 10:24:37,685 stacktrace L0045 ERROR| ~~~~~~~~~~~^^ +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| File 
"/.../devel/qemu/python/qemu/machine/machine.py", line 648, in shutdown +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| self._do_shutdown(timeout) +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| ~~~~~~~~~~~~~~~~~^^^^^^^^^ +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| File "/.../devel/qemu/python/qemu/machine/machine.py", line 618, in _do_shutdown +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| raise AbnormalShutdown("Could not perform graceful shutdown") \\ +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| from exc +2025-04-14 10:24:37,686 stacktrace L0045 ERROR| qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown +2025-04-14 10:24:37,686 stacktrace L0046 ERROR| +2025-04-14 10:24:37,694 test L0941 ERROR| Traceback (most recent call last): +2025-04-14 10:24:37,694 test L0941 ERROR| File "/usr/lib/python3.13/site-packages/avocado/core/test.py", line 881, in _run_avocado + raise test_exception +2025-04-14 10:24:37,694 test L0941 ERROR| File "/usr/lib/python3.13/site-packages/avocado/core/test.py", line 788, in _run_avocado + testMethod() + ~~~~~~~~~~^^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/usr/lib/python3.13/site-packages/avocado/core/decorators.py", line 90, in wrapper + return function(obj, *args, **kwargs) +2025-04-14 10:24:37,695 test L0941 ERROR| File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 239, in test_aarch64_virt + self.reverse_debugging( + ~~~~~~~~~~~~~~~~~~~~~~^ + args=('-kernel', kernel_path)) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 179, in reverse_debugging + if self.vm_get_icount(vm) == last_icount - 1: + ~~~~~~~~~~~~~~~~~~^^^^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 100, in vm_get_icount + return vm.qmp('query-replay')['return']['icount'] + ~~~~~~^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,695 test L0941 ERROR| File 
"/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp + ret = self._qmp.cmd_raw(cmd, args=qmp_args) +2025-04-14 10:24:37,695 test L0941 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw + return self.cmd_obj(qmp_cmd) + ~~~~~~~~~~~~^^^^^^^^^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 186, in cmd_obj + self._sync( + ~~~~~~~~~~^ + # pylint: disable=protected-access + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ...<5 lines>... + self._timeout + ^^^^^^^^^^^^^ + ) + ^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync + return self._aloop.run_until_complete( + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ + asyncio.wait_for(future, timeout=timeout) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ) + ^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete + return future.result() + ~~~~~~~~~~~~~^^ +2025-04-14 10:24:37,695 test L0941 ERROR| File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for + return await fut + ^^^^^^^^^ +2025-04-14 10:24:37,696 test L0941 ERROR| File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 547, in _raw + return await self._execute(msg, assign_id=assign_id) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,696 test L0941 ERROR| File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 496, in _execute + return await self._reply(exec_id) + ^^^^^^^^^^^^^^^^^^^^^^^^^^ +2025-04-14 10:24:37,696 test L0941 ERROR| File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 463, in _reply + raise result +2025-04-14 10:24:37,696 test L0941 ERROR| qemu.qmp.qmp_client.ExecInterruptedError: Disconnected +2025-04-14 10:24:37,696 test L0956 ERROR| ERROR 1-ReverseDebugging_AArch64.test_aarch64_virt -> ExecInterruptedError: Disconnected +2025-04-14 10:24:37,696 test L0948 INFO | +```""" +reproduce = """1. 
``make check-venv`` +2. Run something in the background that keeps all CPUs busy +3. ``for ((x=0;x<20;x++)); do QEMU_TEST_FLAKY_TESTS=1 pyvenv/bin/avocado run tests/avocado/reverse_debugging.py:ReverseDebugging_AArch64.test_aarch64_virt ; done``""" +additional = """The problem can be reproduced with the test converted to the functional framework, too (that's where I noticed it first). In that case the stack trace looked like this: + +``` +$ QEMU_TEST_ALLOW_SLOW=1 QEMU_TEST_ALLOW_UNTRUSTED_CODE=1 QEMU_TEST_FLAKY_TESTS=1 QEMU_TEST_ALLOW_LARGE_STORAGE=1 ~/devel/qemu/tests/functional/test_aarch64_reverse_debug.py +TAP version 13 +Traceback (most recent call last): + File "/.../devel/qemu/tests/functional/test_aarch64_reverse_debug.py", line 33, in test_aarch64_virt + self.reverse_debugging(args=('-kernel', kernel_path)) + ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 147, in reverse_debugging + pc = self.get_pc(g) + File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 82, in get_pc + return self.get_reg(g, self.REG_PC) + ~~~~~~~~~~~~^^^^^^^^^^^^^^^^ + File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 77, in get_reg + return self.get_reg_le(g, reg) + ~~~~~~~~~~~~~~~^^^^^^^^ + File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 63, in get_reg_le + res = g.cmd(b'p%x' % reg) + File "/usr/lib/python3.13/site-packages/avocado/utils/gdb.py", line 783, in cmd + response_payload = self.decode(result) + File "/usr/lib/python3.13/site-packages/avocado/utils/gdb.py", line 738, in decode + raise InvalidPacketError +avocado.utils.gdb.InvalidPacketError + +not ok 1 test_aarch64_reverse_debug.ReverseDebugging_AArch64.test_aarch64_virt +Traceback (most recent call last): + File "/.../devel/qemu/python/qemu/machine/machine.py", line 580, in _soft_shutdown + self.qmp('quit') + ~~~~~~~~^^^^^^^^ + File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp 
+ ret = self._qmp.cmd_raw(cmd, args=qmp_args) + File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw + return self.cmd_obj(qmp_cmd) + ~~~~~~~~~~~~^^^^^^^^^ + File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 186, in cmd_obj + self._sync( + ~~~~~~~~~~^ + # pylint: disable=protected-access + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ...<5 lines>... + self._timeout + ^^^^^^^^^^^^^ + ) + ^ + File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync + return self._aloop.run_until_complete( + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ + asyncio.wait_for(future, timeout=timeout) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ) + ^ + File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete + return future.result() + ~~~~~~~~~~~~~^^ + File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for + return await fut + ^^^^^^^^^ + File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 547, in _raw + return await self._execute(msg, assign_id=assign_id) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 496, in _execute + return await self._reply(exec_id) + ^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 463, in _reply + raise result +qemu.qmp.qmp_client.ExecInterruptedError: Disconnected + +During handling of the above exception, another exception occurred: + +Traceback (most recent call last): + File "/.../devel/qemu/python/qemu/machine/machine.py", line 611, in _do_shutdown + self._soft_shutdown(timeout) + ~~~~~~~~~~~~~~~~~~~^^^^^^^^^ + File "/.../devel/qemu/python/qemu/machine/machine.py", line 583, in _soft_shutdown + self._close_qmp_connection() + ~~~~~~~~~~~~~~~~~~~~~~~~~~^^ + File "/.../devel/qemu/python/qemu/machine/machine.py", line 501, in _close_qmp_connection + self._qmp.close() + ~~~~~~~~~~~~~~~^^ + File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 281, in close + self._sync( + ~~~~~~~~~~^ + 
self._qmp.disconnect() + ^^^^^^^^^^^^^^^^^^^^^^ + ) + ^ + File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync + return self._aloop.run_until_complete( + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ + asyncio.wait_for(future, timeout=timeout) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ) + ^ + File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete + return future.result() + ~~~~~~~~~~~~~^^ + File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for + return await fut + ^^^^^^^^^ + File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 399, in disconnect + await self._wait_disconnect() + File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 719, in _wait_disconnect + await all_defined_tasks # Raise Exceptions from the bottom half. + ^^^^^^^^^^^^^^^^^^^^^^^ + File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 834, in _bh_close_stream + await wait_closed(self._writer) + File "/.../devel/qemu/python/qemu/qmp/util.py", line 130, in wait_closed + await writer.wait_closed() + File "/usr/lib64/python3.13/asyncio/streams.py", line 358, in wait_closed + await self._protocol._get_close_waiter(self) + File "/usr/lib64/python3.13/asyncio/selector_events.py", line 1067, in write + n = self._sock.send(data) +BrokenPipeError: [Errno 32] Broken pipe + +The above exception was the direct cause of the following exception: + +Traceback (most recent call last): + File "/.../devel/qemu/tests/functional/qemu_test/testcase.py", line 398, in tearDown + vm.shutdown() + ~~~~~~~~~~~^^ + File "/.../devel/qemu/python/qemu/machine/machine.py", line 648, in shutdown + self._do_shutdown(timeout) + ~~~~~~~~~~~~~~~~~^^^^^^^^^ + File "/.../devel/qemu/python/qemu/machine/machine.py", line 618, in _do_shutdown + raise AbnormalShutdown("Could not perform graceful shutdown") \\ + from exc +qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown + +not ok 1 test_aarch64_reverse_debug.ReverseDebugging_AArch64.test_aarch64_virt 
+1..1 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/2944.toml b/gitlab/issues/target_arm/host_missing/accel_missing/2944.toml new file mode 100644 index 00000000..9ad11e16 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/2944.toml @@ -0,0 +1,29 @@ +id = 2944 +title = "Commit 59754f85 introduces regression with U-Boot on Cortex-A9 platforms" +state = "opened" +created_at = "2025-05-01T15:27:16.797Z" +closed_at = "n/a" +labels = ["TestCase", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2944" +host-os = "Ubuntu 2022.04" +host-arch = "x86_64" +qemu-version = "v10.0.0-365-g73d29ea241" +guest-os = "U-Boot" +guest-arch = "arm" +description = """In U-Boot CI, we started to update from v8.2.0 to v9.2.3 and found that the vexpress_ca9x4 platform was now failing one of the CI tests. I have reconfirmed the problem on top of tree QEMU, and bisected the failure to commit [59754f85("target/arm: Do memory type alignment check when translation disabled +")](https://gitlab.com/qemu-project/qemu/-/commit/59754f85ed35cbd5f4bf2663ca2136c78d5b2413). I have also re-verified the test is fine on a physical platform with a Cortex-A9 that is as follows (per the RM): +``` +Table 12-2. Cortex-A9 revision +Core MP004-BU-50000-r2p10-0rel0 +NEON AT397-BU-50001- r2p0-00rel0 +PL310 PL310-BU-00000-r3p2-50rel0 +```""" +reproduce = """1. git clone https://source.denx.de/u-boot/u-boot.git; cd u-boot +2. make O=/tmp/vexpress_ca9x4 CROSS_COMPILE=arm-linux-gnueabi- vexpress_ca9x4_config +3. make O=/tmp/vexpress_ca9x4 CROSS_COMPILE=arm-linux-gnueabi- -sj$(nproc) +4. qemu-system-arm -nographic -m 1G -audio none -net user,tftp=/tmp/vexpress_ca9x4 -net nic -M vexpress-a9 -kernel /tmp/vexpress_ca9x4/u-boot +5. Stop autoboot with any key +6. setenv autoload no +7. dhcp +8. tftpboot 60200000 lib/efi_loader/helloworld.efi""" +additional = """""" 
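Review bot: in 2917.toml the `additional` value keeps GitLab's markdown escape as a literal backslash (`\\~6 warnings` decodes to `\~6 warnings`), so anyone consuming this corpus as plain text sees a stray backslash; either unescape markdown in the importer or state in the README that description/reproduce/additional hold raw GitLab markdown. The `host-arch = "n/a"` field in the same file is also recoverable: the reporter left the template entry empty, but the quoted compiler line (`-m64`, `host/x86_64`, `tcg/i386`) pins the host to x86_64, so a backfill pass would be more useful than the sentinel.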
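Review bot: `closed_at = "n/a"` in 2921.toml (and in every other open issue of this batch) mixes a string sentinel with the RFC 3339 strings used for `created_at`, so anything that parses `closed_at` as a timestamp has to special-case the literal "n/a"; omitting the key for open issues, which TOML readers report as an absent value, avoids the magic string. The 370-line avocado log in `description` is stored verbatim with the Python line-continuation backslash doubled (`\\` before `from exc`), which is correct TOML escaping, but that escaping path deserves a round-trip test in the importer since a single missed backslash silently changes the captured trace.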
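Review bot: `additional = """"""` in 2944.toml encodes a missing value as an empty multi-line string, while the other files in this batch use `"n/a"` for absent fields; pick one representation, otherwise every consumer has to test for both `""` and `"n/a"` before deciding a field is empty. The `description` here also carries a newline inside the markdown link text for commit 59754f85 (`... translation disabled` followed by `")]`), which is faithful to the upstream issue, so it should stay, but it is one more reason to document that these fields are raw markdown.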
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/340.toml b/gitlab/issues/target_arm/host_missing/accel_missing/340.toml new file mode 100644 index 00000000..0342cf54 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/340.toml @@ -0,0 +1,15 @@ +id = 340 +title = "qemu: uncaught target signal 6 (Aborted) - core dumped on Apple Silicon M1 arm64" +state = "opened" +created_at = "2021-05-18T22:41:03.395Z" +closed_at = "n/a" +labels = ["hostos: macOS", "linux-user", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/340" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/373.toml b/gitlab/issues/target_arm/host_missing/accel_missing/373.toml new file mode 100644 index 00000000..9c0d318c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/373.toml @@ -0,0 +1,15 @@ +id = 373 +title = "Indentation should be done with spaces, not with TABs, in the ARM subsystem" +state = "closed" +created_at = "2021-05-31T05:14:50.854Z" +closed_at = "2025-05-15T21:52:35.349Z" +labels = ["Bite Sized", "kind::Task", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/373" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/386.toml b/gitlab/issues/target_arm/host_missing/accel_missing/386.toml new file mode 100644 index 00000000..d5ca4ee5 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/386.toml 
@@ -0,0 +1,15 @@ +id = 386 +title = "raspi0 machine has incorrect memory mapping for devices" +state = "closed" +created_at = "2021-06-02T19:19:10.420Z" +closed_at = "2021-06-02T20:59:08.943Z" +labels = ["Closed::Invalid", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/386" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/410.toml b/gitlab/issues/target_arm/host_missing/accel_missing/410.toml new file mode 100644 index 00000000..2f7ea6bf --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/410.toml @@ -0,0 +1,15 @@ +id = 410 +title = "Abort in audio_bug triggered in sb16/pl041" +state = "opened" +created_at = "2021-06-14T06:24:02.615Z" +closed_at = "n/a" +labels = ["Audio", "Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/410" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/411.toml b/gitlab/issues/target_arm/host_missing/accel_missing/411.toml new file mode 100644 index 00000000..7028121f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/411.toml @@ -0,0 +1,15 @@ +id = 411 +title = "Abort when runs into unsupported AUXCommand in xlnx_dp_aux_set_command" +state = "closed" +created_at = "2021-06-14T07:42:03.865Z" +closed_at = "2022-08-09T21:44:31.732Z" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/411" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
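Review bot: 340.toml, 373.toml, 386.toml, 410.toml and 411.toml (and 447, 448 and 45 further down) import every field as "n/a", `description` included, so the only content preserved for these older issues is the title, labels, URL and timestamps. If the importer writes "n/a" whenever the template headings (host environment, steps to reproduce, additional information) are absent, the free-form body of pre-template issues is dropped; falling back to the raw issue body for `description` when no heading matches would keep it. At minimum the commit message or README should say that "n/a" means "not parsed", not "reporter provided nothing".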
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/447.toml b/gitlab/issues/target_arm/host_missing/accel_missing/447.toml new file mode 100644 index 00000000..8bd19f12 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/447.toml @@ -0,0 +1,15 @@ +id = 447 +title = "qemu-arm: Unable to reserve 0xffff0000 bytes of virtual address space at 0x1000 (Success) for use as guest address space (check yourvirtual memory ulimit setting, min_mmap_addr or reserve less using -R option)" +state = "opened" +created_at = "2021-06-24T16:52:44.534Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/447" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/448.toml b/gitlab/issues/target_arm/host_missing/accel_missing/448.toml new file mode 100644 index 00000000..6a2a287d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/448.toml @@ -0,0 +1,15 @@ +id = 448 +title = "raspi0 machine leads to kernel panic of latest raspberry pi os kernel" +state = "opened" +created_at = "2021-06-24T19:04:49.031Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/448" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/45.toml b/gitlab/issues/target_arm/host_missing/accel_missing/45.toml new file mode 100644 index 00000000..67036029 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/45.toml 
@@ -0,0 +1,15 @@ +id = 45 +title = "qemu-system-aarch64: no function defined to set boot device list for this architecture" +state = "closed" +created_at = "2021-03-26T00:00:56.645Z" +closed_at = "2022-08-01T14:40:48.342Z" +labels = ["kind::Bug", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/45" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/452.toml b/gitlab/issues/target_arm/host_missing/accel_missing/452.toml new file mode 100644 index 00000000..4f68dae7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/452.toml 
@@ -0,0 +1,64 @@ +id = 452 +title = "Akita (and probably all Spitz-like / PXA270) platform does not load BIOS binary" +state = "closed" +created_at = "2021-06-26T20:58:47.780Z" +closed_at = "2024-10-16T15:41:11.144Z" +labels = ["Closed::WontFix", "TestCase", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/452" +host-os = "Raw BIOS file (not OS)" +host-arch = "x64" +qemu-version = "4.2.1" +guest-os = "Raw BIOS file (not OS)" +guest-arch = "ARM (akita)" +description = """QEMU does not appear to load a binary file passed with the "-bios" argument for the "akita" target. This probably extends to other spitz-type systems. + +Exptected behavior: qemu loads the binary into address 0x0000. +Actual behavior: address space at 0x0000 contains only zeros.""" +reproduce = """Terminal 1: +``` +qemu-system-arm -M akita -bios c750.rom -s -S +``` + +Terminal 2: +``` +gdb-multiarch +target remote localhost:1234 +x/64i $pc +``` + +Result: +``` +=> 0x0: andeq r0, r0, r0 + 0x4: andeq r0, r0, r0 + 0x8: andeq r0, r0, r0 + 0xc: andeq r0, r0, r0 + 0x10: andeq r0, r0, r0 +``` + +Correct behavior (can demonstrate with virt machine): +Same as before, but start Terminal 1 with: +``` +qemu-system-arm -M akita -bios c750.rom -s -S +``` + +Result: +``` +=> 0x0: b 0x34 + 0x4: ldr pc, [pc, #156] ; 0xa8 + 0x8: ldr pc, [pc, #156] ; 0xac + 0xc: ldr pc, [pc, #156] ; 0xb0 + 0x10: ldr pc, [pc, #156] ; 0xb4 + 0x14: nop ; (mov r0, r0) + 0x18: ldr pc, [pc, #152] ; 0xb8 + 0x1c: ldr pc, [pc, #152] ; 0xbc + 0x20: mov r0, #128 ; 0x80 + 0x24: b 0x2c + 0x28: mov r0, #129 ; 0x81 + 0x2c: ldr r1, [pc, #140] ; 0xc0 + 0x30: str r0, [r1] + 0x34: mrs lr, CPSR + 0x38: bic lr, lr, #31 + 0x3c: orr lr, lr, #211 ; 0xd3 + 0x40: msr CPSR_fc, lr +```""" +additional = """File with very tiny boot ROM: [c750-tiny.rom](/uploads/045852c8b353174bf0b7a4193d0d1be0/c750-tiny.rom)""" 
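Review bot: the file path puts 452.toml under `host_missing/accel_missing/` although `host-arch = "x64"` and `qemu-version = "4.2.1"` are populated; the labels list has no host or accel entry, so the directory appears to be derived from labels rather than from the fields. Either derive it from the fields when they are present or document that the path reflects labels only. Two points inherited from upstream also deserve a remark in the record rather than a silent verbatim import: `host-os` and `guest-os` both read "Raw BIOS file (not OS)", so the host field was mis-filled by the reporter, and the "Correct behavior (can demonstrate with virt machine)" block repeats the `-M akita` command line, so the reproduction text contradicts itself.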
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/454.toml b/gitlab/issues/target_arm/host_missing/accel_missing/454.toml new file mode 100644 index 00000000..68275e58 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/454.toml @@ -0,0 +1,15 @@ +id = 454 +title = "edk2-aarch64-code.fd prints a lot of debug output" +state = "closed" +created_at = "2021-06-28T19:57:39.026Z" +closed_at = "2021-06-30T10:41:27.058Z" +labels = ["Closed::Invalid", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/454" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = """Currently running a QEMU version built from source with the last commit to pc-bios being 7a3d37a3f2335e18539e821d0c72abe0b22480bd (and I don't see any changes to edk2-aarch64-code since)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/459.toml b/gitlab/issues/target_arm/host_missing/accel_missing/459.toml new file mode 100644 index 00000000..a21f663c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/459.toml 
@@ -0,0 +1,43 @@ +id = 459 +title = "bcm2835_aux (raspi3) fails when the receive FIFO fills up" +state = "opened" +created_at = "2021-07-03T12:21:18.513Z" +closed_at = "n/a" +labels = ["TestCase", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/459" +host-os = "Linux" +host-arch = "x86_64" +qemu-version = "QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.16)" +guest-os = "bare-metal _see below_" +guest-arch = "aarch64" +description = """When a bare-metal application on the `raspi3` board reads the `AUX_MU_STAT_REG` MMIO register while the device's buffer is at full receive FIFO capacity (i.e. `s->read_count == BCM2835_AUX_RX_FIFO_LEN`) the assertion `assert(s->read_count < BCM2835_AUX_RX_FIFO_LEN)` fails. + +The assertion in question is currently in line 141 of `hw/char/bcm2835_aux.c`: https://gitlab.com/qemu-project/qemu/-/blob/9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1/hw/char/bcm2835_aux.c#L141 +but in my current QEMU version, it seems that it was in line 140, but I don't think that has any implication on this error. If the below steps to reproduce are followed, the full output of a normal QEMU (no debugging output or anything) is simply: + +```text +$ echo abcdefgh | qemu-system-aarch64 -M raspi3 -kernel kernel8.elf -serial null -serial stdio +qemu-system-aarch64: /build/qemu-71DV4m/qemu-4.2/hw/char/bcm2835_aux.c:140: bcm2835_aux_read: Assertion `s->read_count < BCM2835_AUX_RX_FIFO_LEN' failed. +Aborted (core dumped) +``` + +Notice, that there is nothing really wrong with the implementation, if for instance an application that uses the `AUX_MU_LSR_REG` instead to check whether input is available, everything works as expected. It really seems that just this assertion is wrong. Also notice that the [BCM2835 manual](https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf) (page 18) explicitly allows values inclusive 8.""" +reproduce = """1. write a minimal bare-metal application for aarch64 using below main file +2. 
compile it with a decent aarch64 compiler, linker script and entry assembly as `kernel8.elf` +3. `echo abcdefgh | qemu-system-aarch64 -M raspi3 -kernel kernel8.elf -serial null -serial stdio` +4. QEMU crashes with the above state assertion error""" +additional = """Minimal bare-metal application (`main.c`): + +```c +#define MMIO_BASE 0x3F000000 +#define AUX_MU_STAT ((volatile unsigned int*)(MMIO_BASE+0x00215064)) + +void main() { + while (1) { + // Just read STAT register to trigger the assertion error + *AUX_MU_STAT; + } +} +``` + +Also see [kernel8.elf.zip](/uploads/b12ae2750d2df1bb8db2701f3145f653/kernel8.elf.zip) for a precompiled version of the above application.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/461.toml b/gitlab/issues/target_arm/host_missing/accel_missing/461.toml new file mode 100644 index 00000000..6271d44e --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/461.toml @@ -0,0 +1,15 @@ +id = 461 +title = "What's your plan of Raspberry 3/3B/4B" +state = "closed" +created_at = "2021-07-05T06:23:27.090Z" +closed_at = "2021-07-07T16:21:46.506Z" +labels = ["Closed::WontFix", "kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/461" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/467.toml b/gitlab/issues/target_arm/host_missing/accel_missing/467.toml new file mode 100644 index 00000000..77341520 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/467.toml 
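Review bot: `qemu-version` in 459.toml stores the full banner "QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.16)" while 452.toml stores the bare "4.2.1" for the same release, so the field cannot be compared or sorted without per-record parsing. Suggest normalising to the version number and keeping the distribution string in `additional`. As with 452.toml, `host-os = "Linux"` and `host-arch = "x86_64"` are populated yet the file lives under `host_missing/accel_missing/`.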
@@ -0,0 +1,15 @@ +id = 467 +title = "savevm/loadvm/migration broken for 32-bit arm guests that use TrustZone" +state = "opened" +created_at = "2021-07-09T13:33:05.142Z" +closed_at = "n/a" +labels = ["Launchpad", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/467" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/468.toml b/gitlab/issues/target_arm/host_missing/accel_missing/468.toml new file mode 100644 index 00000000..b1ac23e1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/468.toml @@ -0,0 +1,15 @@ +id = 468 +title = "Zynq7000 UART clock reset initialization" +state = "closed" +created_at = "2021-07-11T05:47:46.932Z" +closed_at = "2022-02-21T15:02:48.860Z" +labels = ["Launchpad", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/468" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/470.toml b/gitlab/issues/target_arm/host_missing/accel_missing/470.toml new file mode 100644 index 00000000..49d0ba9d --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/470.toml @@ -0,0 +1,15 @@ +id = 470 +title = "qemu linux-user requires read permissions on memory passed to syscalls that should only need write access" +state = "opened" +created_at = "2021-07-11T10:01:30.838Z" +closed_at = "n/a" +labels = ["Launchpad", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/470" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/472.toml b/gitlab/issues/target_arm/host_missing/accel_missing/472.toml new file mode 100644 index 00000000..cbe46cb1 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/472.toml @@ -0,0 +1,15 @@ +id = 472 +title = "Device trees should specify `clock-frequency` property for `/cpus/cpu*` nodes" +state = "closed" +created_at = "2021-07-12T04:28:02.243Z" +closed_at = "2022-02-22T15:44:11.305Z" +labels = ["target: arm", "target: riscv"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/472" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/481.toml b/gitlab/issues/target_arm/host_missing/accel_missing/481.toml new file mode 100644 index 00000000..813c1297 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/481.toml @@ -0,0 +1,15 @@ +id = 481 +title = "Implement I2C for BCM2835 (raspi)" +state = "closed" +created_at = "2021-07-14T02:13:34.604Z" +closed_at = "2024-04-12T15:53:20.317Z" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/481" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/482.toml b/gitlab/issues/target_arm/host_missing/accel_missing/482.toml new file mode 100644 index 00000000..34ace783 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/482.toml 
@@ -0,0 +1,15 @@ +id = 482 +title = "Unable to set SVE VL to 1024 bits or above since 7b6a2198" +state = "closed" +created_at = "2021-07-14T14:27:53.543Z" +closed_at = "2021-07-27T17:06:03.180Z" +labels = ["Closed::Fixed", "Launchpad", "kind::Feature Request", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/482" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/518.toml b/gitlab/issues/target_arm/host_missing/accel_missing/518.toml new file mode 100644 index 00000000..b9e68db0 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/518.toml @@ -0,0 +1,15 @@ +id = 518 +title = "Android for arm guest" +state = "closed" +created_at = "2021-08-09T01:58:57.406Z" +closed_at = "2022-07-11T07:07:55.180Z" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/518" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/528.toml b/gitlab/issues/target_arm/host_missing/accel_missing/528.toml new file mode 100644 index 00000000..2a6b608f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/528.toml @@ -0,0 +1,15 @@ +id = 528 +title = "arm: trying to use KVM with an EL3-enabled CPU hits an assertion failure" +state = "closed" +created_at = "2021-08-16T13:06:03.454Z" +closed_at = "2021-08-26T19:44:30.804Z" +labels = ["kind::Bug", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/528" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/54.toml b/gitlab/issues/target_arm/host_missing/accel_missing/54.toml new file mode 100644 index 00000000..efb3d1b6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/54.toml @@ -0,0 +1,15 @@ +id = 54 +title = "Attaching SD-Card to specific SD-Bus Sabrelite (ARM)" +state = "opened" +created_at = "2021-04-30T16:07:47.171Z" +closed_at = "n/a" +labels = ["Launchpad", "Storage", "kind::Bug", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/54" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/549.toml b/gitlab/issues/target_arm/host_missing/accel_missing/549.toml new file mode 100644 index 00000000..026c14e7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/549.toml @@ -0,0 +1,15 @@ +id = 549 +title = "FPE in npcm7xx_clk_update_pll" +state = "opened" +created_at = "2021-08-21T02:04:41.208Z" +closed_at = "n/a" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/549" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/550.toml b/gitlab/issues/target_arm/host_missing/accel_missing/550.toml new file mode 100644 index 00000000..0c1c1a1f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/550.toml 
@@ -0,0 +1,15 @@ +id = 550 +title = "FPE in npcm7xx_adc_convert" +state = "opened" +created_at = "2021-08-21T02:06:04.316Z" +closed_at = "n/a" +labels = ["Fuzzer", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/550" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/555.toml b/gitlab/issues/target_arm/host_missing/accel_missing/555.toml new file mode 100644 index 00000000..8307b4cb --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/555.toml @@ -0,0 +1,15 @@ +id = 555 +title = "qemu user aarch64 crashes when giving the dynamic loader as argument" +state = "opened" +created_at = "2021-08-23T18:58:13.270Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/555" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/61.toml b/gitlab/issues/target_arm/host_missing/accel_missing/61.toml new file mode 100644 index 00000000..a09601ab --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/61.toml @@ -0,0 +1,15 @@ +id = 61 +title = "qemu-system-arm segfaults while servicing SYS_HEAPINFO" +state = "closed" +created_at = "2021-05-01T05:42:08.988Z" +closed_at = "2022-03-23T15:46:50.316Z" +labels = ["Launchpad", "kind::Bug", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/61" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/613.toml b/gitlab/issues/target_arm/host_missing/accel_missing/613.toml new file mode 100644 index 00000000..081c041c --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/613.toml @@ -0,0 +1,15 @@ +id = 613 +title = "ARM cortex-m55 LOB instructions make QEMU crash" +state = "closed" +created_at = "2021-09-10T13:10:03.572Z" +closed_at = "2021-09-21T17:22:58.814Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/613" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/620.toml b/gitlab/issues/target_arm/host_missing/accel_missing/620.toml new file mode 100644 index 00000000..f78787f6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/620.toml @@ -0,0 +1,15 @@ +id = 620 +title = "QEMU gdbstub should add memtag support for aarch64 MTE" +state = "closed" +created_at = "2021-09-14T09:37:17.122Z" +closed_at = "2024-09-11T18:28:03.954Z" +labels = ["GDB", "kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/620" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/633.toml b/gitlab/issues/target_arm/host_missing/accel_missing/633.toml new file mode 100644 index 00000000..043d26dc --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/633.toml 
@@ -0,0 +1,42 @@ +id = 633 +title = "i686-arm-user-static - Allocating guest commpage: Operation not permitted" +state = "closed" +created_at = "2021-09-21T21:29:49.290Z" +closed_at = "2022-01-19T19:10:29.128Z" +labels = ["linux-user", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/633" +host-os = "Ubuntu 20.04.3 LTS" +host-arch = "amd64, **running i686 qemu build**" +qemu-version = "qemu-arm version 6.1.50 (v6.1.0-667-g0b6206b9c6)" +guest-os = "Raspberry Pi OS" +guest-arch = "armv6" +description = "n/a" +reproduce = """1. Run the test case linked earlier. +2. You'll see `apt update` failing: + +``` +Get:1 http://archive.raspberrypi.org/debian buster InRelease [32.6 kB] +Get:2 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB] +Err:1 http://archive.raspberrypi.org/debian buster InRelease + At least one invalid signature was encountered. +Err:2 http://raspbian.raspberrypi.org/raspbian buster InRelease + At least one invalid signature was encountered. +Reading package lists... Done +W: GPG error: http://archive.raspberrypi.org/debian buster InRelease: At least one invalid signature was encountered. +E: The repository 'http://archive.raspberrypi.org/debian buster InRelease' is not signed. +N: Updating from such a repository can't be done securely, and is therefore disabled by default. +N: See apt-secure(8) manpage for repository creation and user configuration details. +W: GPG error: http://raspbian.raspberrypi.org/raspbian buster InRelease: At least one invalid signature was encountered. +E: The repository 'http://raspbian.raspberrypi.org/raspbian buster InRelease' is not signed. +N: Updating from such a repository can't be done securely, and is therefore disabled by default. +N: See apt-secure(8) manpage for repository creation and user configuration details. +```""" +additional = """Setting `sysctl vm.mmap_min_addr=53248` makes it work (as opposed to the system default of 65536). 
+ +Bisecting the bug linked earlier also breaks this in a slightly different way. Everything works at 87b74e8b6edd287ea2160caa0ebea725fa8f1ca1. After that, apt update appears to work, but the package lists end up empty, so nothing can be installed. Then after 975ac4559c4c00010e05f7a3e782eeb9497837ea, the output is as provided above. + +apt launches /usr/lib/apt/methods/gpgv and passes it some commands through stdin. gpgv launches /usr/bin/apt-key, which fails with `Allocating guest commpage: Operation not permitted`. Running gpgv directly and sending the same commands works without any issues. The problem only occurs when gpgv is run through apt. (I don't meant the normal system gpgv binary, but the transport method binary that comes with apt) + +Getting any output is tricky because by the time apt-key is launched, gpgv redirects stdout and stderr to /dev/null and communication takes place through fd 3. https://salsa.debian.org/apt-team/apt/-/blob/2.2.4/apt-pkg/contrib/gpgv.cc#L355 https://salsa.debian.org/apt-team/apt/-/blob/main/methods/gpgv.cc#L186 + +I had to do some ugly things with different versions of qemu and wrapper scripts to see the commpage error, but hopefully there's enough information provided here that it won't be necessary.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/636.toml b/gitlab/issues/target_arm/host_missing/accel_missing/636.toml new file mode 100644 index 00000000..9fdf5877 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/636.toml 
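Review bot: `host-arch = "amd64, **running i686 qemu build**"` in 633.toml carries markdown emphasis inside a structured field, so any consumer of the TOML receives the literal asterisks. Suggest storing the plain value ("amd64, running i686 qemu build") or moving the qualifier into `additional`. Also, `description` is "n/a" while `reproduce` step 1 says "Run the test case linked earlier" and `additional` refers to "the bug linked earlier", so the link the record depends on was in the issue body that was not captured; without it the record is not self-contained.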
@@ -0,0 +1,364 @@ +id = 636 +title = "tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd can not perform graceful shutdown" +state = "closed" +created_at = "2021-09-24T18:20:29.733Z" +closed_at = "2022-11-01T20:03:07.939Z" +labels = ["kind::Bug", "target: arm", "workflow::Patch available"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/636" +host-os = "Fedora 34" +host-arch = "x86" +qemu-version = "QEMU emulator version 6.1.50 (v6.1.0-808-g73257aa023)" +guest-os = "Debian" +guest-arch = "ARM" +description = """Roughly once every 20 times, the [`halt`](https://gitlab.com/qemu-project/qemu/-/blob/73257aa02376829f724357094e252fc3e5dd1363/tests/acceptance/boot_linux_console.py#L522) command will not produce the desired effect, and [wait()ing](https://gitlab.com/qemu-project/qemu/-/blob/73257aa02376829f724357094e252fc3e5dd1363/tests/acceptance/boot_linux_console.py#L524) on the QEMU process to gracefully shutdown will fail. + +I was not able to see any other failure in what the test covers, except the `halt` command and the `wait()`ing. That is, the booting of the kernel and initrd, and the execution of commands to inspect the system all run without problems.""" +reproduce = """1. make check-venv +2. 
./tests/venv/bin/avocado run tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd""" +additional = """``` +13:48:01 DEBUG| PARAMS (key=arch, path=*, default=arm) => 'arm' +13:48:01 DEBUG| PARAMS (key=cpu, path=*, default=None) => None +13:48:01 DEBUG| PARAMS (key=machine, path=*, default=raspi2b) => 'raspi2b' +13:48:01 DEBUG| PARAMS (key=qemu_bin, path=*, default=./qemu-system-arm) => './qemu-system-arm' +13:48:01 DEBUG| Test workdir initialized at: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd +13:48:08 DEBUG| QEMUMachine "default" created +13:48:08 DEBUG| QEMUMachine "default" temp_dir: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/qemu-machine-5pavn9gy +13:48:08 DEBUG| QEMUMachine "default" log_dir: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd +13:48:08 DEBUG| VM launch command: './qemu-system-arm -display none -vga none -chardev socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock -mon chardev=mon,mode=control -machine raspi2b -chardev socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off -serial chardev:console -kernel /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img -dtb /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb -initrd 
/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio -append printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0 -no-reboot' +13:48:08 DEBUG| >>> {'execute': 'qmp_capabilities'} +13:48:08 DEBUG| <<< {'return': {}} +13:48:08 DEBUG| [ 0.000000] Booting Linux on physical CPU 0xf00 +13:48:08 DEBUG| [ 0.000000] Linux version 4.14.98-v7+ (dom@dom-XPS-13-9370) (gcc version 4.9.3 (crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1200 SMP Tue Feb 12 20:27:48 GMT 2019 +13:48:08 DEBUG| [ 0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d +13:48:08 DEBUG| [ 0.000000] CPU: div instructions available: patching division code +13:48:08 DEBUG| [ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache +13:48:08 DEBUG| [ 0.000000] OF: fdt: Machine model: Raspberry Pi 2 Model B +13:48:08 DEBUG| [ 0.000000] earlycon: pl11 at MMIO 0x3f201000 (options '') +13:48:08 DEBUG| [ 0.000000] bootconsole [pl11] enabled +13:48:08 DEBUG| [ 0.000000] Memory policy: Data cache writealloc +13:48:08 DEBUG| [ 0.000000] cma: Reserved 8 MiB at 0x3b800000 +13:48:08 DEBUG| [ 0.000000] percpu: Embedded 17 pages/cpu @baf2e000 s38720 r8192 d22720 u69632 +13:48:08 DEBUG| [ 0.000000] Built 1 zonelists, mobility grouping on. 
Total pages: 243600 +13:48:08 DEBUG| [ 0.000000] Kernel command line: printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0 +13:48:08 DEBUG| PID hash table entries: 4096 (order: 2, 16384 bytes) +13:48:08 DEBUG| Dentry cache hash table entries: 131072 (order: 7, 524288 bytes) +13:48:08 DEBUG| Inode-cache hash table entries: 65536 (order: 6, 262144 bytes) +13:48:08 DEBUG| Memory: 949120K/983040K available (7168K kernel code, 577K rwdata, 2080K rodata, 1024K init, 698K bss, 25728K reserved, 8192K cma-reserved) +13:48:08 DEBUG| Virtual kernel memory layout: +13:48:08 DEBUG| vector : 0xffff0000 - 0xffff1000 ( 4 kB) +13:48:08 DEBUG| fixmap : 0xffc00000 - 0xfff00000 (3072 kB) +13:48:08 DEBUG| vmalloc : 0xbc800000 - 0xff800000 (1072 MB) +13:48:08 DEBUG| lowmem : 0x80000000 - 0xbc000000 ( 960 MB) +13:48:08 DEBUG| modules : 0x7f000000 - 0x80000000 ( 16 MB) +13:48:08 DEBUG| .text : 0x80008000 - 0x80800000 (8160 kB) +13:48:08 DEBUG| .init : 0x80b00000 - 0x80c00000 (1024 kB) +13:48:08 DEBUG| .data : 0x80c00000 - 0x80c906d4 ( 578 kB) +13:48:08 DEBUG| .bss : 0x80c97ef8 - 0x80d468f0 ( 699 kB) +13:48:08 DEBUG| SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1 +13:48:08 DEBUG| ftrace: allocating 25298 entries in 75 pages +13:48:09 DEBUG| Hierarchical RCU implementation. +13:48:09 DEBUG| NR_IRQS: 16, nr_irqs: 16, preallocated irqs: 16 +13:48:09 DEBUG| arch_timer: cp15 timer(s) running at 62.50MHz (virt). +13:48:09 DEBUG| clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1cd42e208c, max_idle_ns: 881590405314 ns +13:48:09 DEBUG| sched_clock: 56 bits at 62MHz, resolution 16ns, wraps every 4398046511096ns +13:48:09 DEBUG| Switching to timer-based delay loop, resolution 16ns +13:48:09 DEBUG| Console: colour dummy device 80x30 +13:48:09 DEBUG| Calibrating delay loop (skipped), value calculated using timer frequency.. 
125.00 BogoMIPS (lpj=625000) +13:48:09 DEBUG| pid_max: default: 32768 minimum: 301 +13:48:09 DEBUG| Mount-cache hash table entries: 2048 (order: 1, 8192 bytes) +13:48:09 DEBUG| Mountpoint-cache hash table entries: 2048 (order: 1, 8192 bytes) +13:48:09 DEBUG| Disabling memory control group subsystem +13:48:09 DEBUG| CPU: Testing write buffer coherency: ok +13:48:09 DEBUG| CPU0: update cpu_capacity 1024 +13:48:09 DEBUG| CPU0: thread -1, cpu 0, socket 15, mpidr 80000f00 +13:48:09 DEBUG| Setting up static identity map for 0x100000 - 0x10003c +13:48:09 DEBUG| Hierarchical SRCU implementation. +13:48:09 DEBUG| smp: Bringing up secondary CPUs ... +13:48:09 DEBUG| CPU1: update cpu_capacity 1024 +13:48:09 DEBUG| CPU1: thread -1, cpu 1, socket 15, mpidr 80000f01 +13:48:09 DEBUG| CPU2: update cpu_capacity 1024 +13:48:09 DEBUG| CPU2: thread -1, cpu 2, socket 15, mpidr 80000f02 +13:48:09 DEBUG| CPU3: update cpu_capacity 1024 +13:48:09 DEBUG| CPU3: thread -1, cpu 3, socket 15, mpidr 80000f03 +13:48:09 DEBUG| smp: Brought up 1 node, 4 CPUs +13:48:09 DEBUG| SMP: Total of 4 processors activated (500.00 BogoMIPS). +13:48:09 DEBUG| CPU: All CPU(s) started in SVC mode. +13:48:09 DEBUG| devtmpfs: initialized +13:48:09 DEBUG| random: get_random_u32 called from bucket_table_alloc+0xfc/0x24c with crng_init=0 +13:48:09 DEBUG| VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5 +13:48:09 DEBUG| clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns +13:48:09 DEBUG| futex hash table entries: 1024 (order: 4, 65536 bytes) +13:48:09 DEBUG| pinctrl core: initialized pinctrl subsystem +13:48:09 DEBUG| NET: Registered protocol family 16 +13:48:09 DEBUG| DMA: preallocated 1024 KiB pool for atomic coherent allocations +13:48:09 DEBUG| hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers. +13:48:09 DEBUG| hw-breakpoint: maximum watchpoint size is 8 bytes. 
+13:48:09 DEBUG| Serial: AMBA PL011 UART driver +13:48:09 DEBUG| bcm2835-mbox 3f00b880.mailbox: mailbox enabled +13:48:09 DEBUG| bcm2835-dma 3f007000.dma: DMA legacy API manager at bc813000, dmachans=0x1 +13:48:09 DEBUG| SCSI subsystem initialized +13:48:09 DEBUG| usbcore: registered new interface driver usbfs +13:48:09 DEBUG| usbcore: registered new interface driver hub +13:48:09 DEBUG| usbcore: registered new device driver usb +13:48:09 DEBUG| raspberrypi-firmware soc:firmware: Attached to firmware from 1970-01-05 00:12 +13:48:09 DEBUG| clocksource: Switched to clocksource arch_sys_counter +13:48:09 DEBUG| VFS: Disk quotas dquot_6.6.0 +13:48:09 DEBUG| VFS: Dquot-cache hash table entries: 1024 (order 0, 4096 bytes) +13:48:09 DEBUG| FS-Cache: Loaded +13:48:09 DEBUG| CacheFiles: Loaded +13:48:09 DEBUG| NET: Registered protocol family 2 +13:48:09 DEBUG| TCP established hash table entries: 8192 (order: 3, 32768 bytes) +13:48:09 DEBUG| TCP bind hash table entries: 8192 (order: 4, 65536 bytes) +13:48:09 DEBUG| TCP: Hash tables configured (established 8192 bind 8192) +13:48:09 DEBUG| UDP hash table entries: 512 (order: 2, 16384 bytes) +13:48:09 DEBUG| UDP-Lite hash table entries: 512 (order: 2, 16384 bytes) +13:48:09 DEBUG| NET: Registered protocol family 1 +13:48:09 DEBUG| RPC: Registered named UNIX socket transport module. +13:48:09 DEBUG| RPC: Registered udp transport module. +13:48:09 DEBUG| RPC: Registered tcp transport module. +13:48:09 DEBUG| RPC: Registered tcp NFSv4.1 backchannel transport module. +13:48:09 DEBUG| Trying to unpack rootfs image as initramfs... 
+13:48:09 DEBUG| Freeing initrd memory: 3256K +13:48:09 DEBUG| hw perfevents: enabled with armv7_cortex_a7 PMU driver, 5 counters available +13:48:09 DEBUG| workingset: timestamp_bits=14 max_order=18 bucket_order=4 +13:48:09 DEBUG| FS-Cache: Netfs 'nfs' registered for caching +13:48:09 DEBUG| NFS: Registering the id_resolver key type +13:48:09 DEBUG| Key type id_resolver registered +13:48:09 DEBUG| Key type id_legacy registered +13:48:09 DEBUG| nfs4filelayout_init: NFSv4 File Layout Driver Registering... +13:48:09 DEBUG| Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251) +13:48:09 DEBUG| io scheduler noop registered +13:48:09 DEBUG| io scheduler deadline registered +13:48:09 DEBUG| io scheduler cfq registered (default) +13:48:09 DEBUG| io scheduler mq-deadline registered +13:48:09 DEBUG| io scheduler kyber registered +13:48:09 DEBUG| BCM2708FB: allocated DMA memory fb900000 +13:48:09 DEBUG| BCM2708FB: allocated DMA channel 0 @ bc813000 +13:48:09 DEBUG| Console: switching to colour frame buffer device 100x30 +13:48:09 DEBUG| bcm2835-rng 3f104000.rng: hwrng registered +13:48:09 DEBUG| vc-mem: phys_addr:0x00000000 mem_base=0x00000000 mem_size:0x00000000(0 MiB) +13:48:09 DEBUG| vc-sm: Videocore shared memory driver +13:48:09 DEBUG| gpiomem-bcm2835 3f200000.gpiomem: Initialised: Registers at 0x3f200000 +13:48:09 DEBUG| brd: module loaded +13:48:09 DEBUG| loop: module loaded +13:48:09 DEBUG| Loading iSCSI transport class v2.0-870. 
+13:48:09 DEBUG| libphy: Fixed MDIO Bus: probed +13:48:09 DEBUG| usbcore: registered new interface driver lan78xx +13:48:09 DEBUG| usbcore: registered new interface driver smsc95xx +13:48:09 DEBUG| dwc_otg: version 3.00a 10-AUG-2012 (platform bus) +13:48:09 DEBUG| dwc_otg 3f980000.usb: base=0xf0980000 +13:48:10 DEBUG| Core Release: 2.94a +13:48:10 DEBUG| Setting default values for core params +13:48:10 DEBUG| Finished setting default values for core params +13:48:10 DEBUG| Using Buffer DMA mode +13:48:10 DEBUG| Periodic Transfer Interrupt Enhancement - disabled +13:48:10 DEBUG| Multiprocessor Interrupt Enhancement - disabled +13:48:10 DEBUG| OTG VER PARAM: 0, OTG VER FLAG: 0 +13:48:10 DEBUG| Shared Tx FIFO mode +13:48:10 DEBUG| WARN::dwc_otg_hcd_init:1046: FIQ DMA bounce buffers: virt = 0xbb914000 dma = 0xfb914000 len=9024 +13:48:10 DEBUG| WARN::hcd_init_fiq:459: FIQ on core 1 at 0x805edb88 +13:48:10 DEBUG| WARN::hcd_init_fiq:460: FIQ ASM at 0x805edcb4 length 36 +13:48:10 DEBUG| WARN::hcd_init_fiq:486: MPHI regs_base at 0xf0006000 +13:48:10 DEBUG| dwc_otg 3f980000.usb: DWC OTG Controller +13:48:10 DEBUG| dwc_otg 3f980000.usb: new USB bus registered, assigned bus number 1 +13:48:10 DEBUG| dwc_otg 3f980000.usb: irq 62, io mem 0x00000000 +13:48:10 DEBUG| Init: Port Power? 
op_state=1 +13:48:10 DEBUG| Init: Power Port (1) +13:48:10 DEBUG| usb usb1: New USB device found, idVendor=1d6b, idProduct=0002 +13:48:10 DEBUG| usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 +13:48:10 DEBUG| usb usb1: Product: DWC OTG Controller +13:48:10 DEBUG| usb usb1: Manufacturer: Linux 4.14.98-v7+ dwc_otg_hcd +13:48:10 DEBUG| usb usb1: SerialNumber: 3f980000.usb +13:48:10 DEBUG| hub 1-0:1.0: USB hub found +13:48:10 DEBUG| hub 1-0:1.0: 1 port detected +13:48:10 DEBUG| usbcore: registered new interface driver usb-storage +13:48:10 DEBUG| mousedev: PS/2 mouse device common for all mice +13:48:10 DEBUG| IR NEC protocol handler initialized +13:48:10 DEBUG| IR RC5(x/sz) protocol handler initialized +13:48:10 DEBUG| IR RC6 protocol handler initialized +13:48:10 DEBUG| IR JVC protocol handler initialized +13:48:10 DEBUG| IR Sony protocol handler initialized +13:48:10 DEBUG| IR SANYO protocol handler initialized +13:48:10 DEBUG| IR Sharp protocol handler initialized +13:48:10 DEBUG| IR MCE Keyboard/mouse protocol handler initialized +13:48:10 DEBUG| IR XMP protocol handler initialized +13:48:10 DEBUG| bcm2835-wdt 3f100000.watchdog: Broadcom BCM2835 watchdog timer +13:48:10 DEBUG| bcm2835-cpufreq: min=700000 max=700000 +13:48:10 DEBUG| sdhci: Secure Digital Host Controller Interface driver +13:48:10 DEBUG| sdhci: Copyright(c) Pierre Ossman +13:48:10 DEBUG| sdhost-bcm2835 3f202000.mmc: could not get clk, deferring probe +13:48:10 DEBUG| sdhci-pltfm: SDHCI platform and OF driver helper +13:48:10 DEBUG| ledtrig-cpu: registered to indicate activity on CPUs +13:48:10 DEBUG| hidraw: raw HID events driver (C) Jiri Kosina +13:48:10 DEBUG| usbcore: registered new interface driver usbhid +13:48:10 DEBUG| usbhid: USB HID core driver +13:48:10 DEBUG| vchiq: vchiq_init_state: slot_zero = bb980000, is_master = 0 +13:48:10 DEBUG| bcm2835_vchiq 3f00b840.vchiq: failed to set channelbase +13:48:10 DEBUG| vchiq: could not load vchiq +13:48:10 DEBUG| Initializing XFRM 
netlink socket +13:48:10 DEBUG| NET: Registered protocol family 17 +13:48:10 DEBUG| Key type dns_resolver registered +13:48:10 DEBUG| Registering SWP/SWPB emulation handler +13:48:10 DEBUG| registered taskstats version 1 +13:48:10 DEBUG| uart-pl011 3f201000.serial: cts_event_workaround enabled +13:48:10 DEBUG| 3f201000.serial: ttyAMA0 at MMIO 0x3f201000 (irq = 87, base_baud = 0) is a PL011 rev2 +13:48:10 DEBUG| console [ttyAMA0] enabled +13:48:10 DEBUG| console [ttyAMA0] enabled +13:48:10 DEBUG| bootconsole [pl11] disabled +13:48:10 DEBUG| bootconsole [pl11] disabled +13:48:10 DEBUG| bcm2835_thermal 3f212000.thermal: Not able to read trip_temp: -33 +13:48:10 DEBUG| bcm2835-clk 3f101000.cprman: tsens: couldn't lock PLL +13:48:10 DEBUG| bcm2835_thermal: probe of 3f212000.thermal failed with error -33 +13:48:10 DEBUG| sdhost: log_buf @ bb913000 (fb913000) +13:48:10 DEBUG| mmc0: sdhost-bcm2835 loaded - DMA enabled (>1) +13:48:10 DEBUG| of_cfs_init +13:48:10 DEBUG| of_cfs_init: OK +13:48:10 DEBUG| uart-pl011 3f201000.serial: no DMA platform data +13:48:10 DEBUG| Freeing unused kernel memory: 1024K +13:48:11 DEBUG| mount: mounting devtmpfs on /dev failed: Device or resource busy +13:48:11 DEBUG| Starting logging: OK +13:48:11 DEBUG| Initializing random number generator... random: dd: uninitialized urandom read (512 bytes read) +13:48:11 DEBUG| done. +13:48:12 DEBUG| Starting network: OK +13:48:12 DEBUG| Found console ttyAMA0 +13:48:12 DEBUG| Linux version 4.14.98-v7+ (dom@dom-XPS-13-9370) (gcc version 4.9.3 (crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1200 SMP Tue Feb 12 20:27:48 GMT 2019 +13:48:12 DEBUG| Boot successful. 
+13:48:12 DEBUG| cat /proc/cpuinfo +13:48:12 DEBUG| / # cat /proc/cpuinfo +13:48:12 DEBUG| processor\t: 0 +13:48:12 DEBUG| model name\t: ARMv7 Processor rev 5 (v7l) +13:48:12 DEBUG| BogoMIPS\t: 125.00 +13:48:12 DEBUG| Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm +13:48:12 DEBUG| CPU implementer\t: 0x41 +13:48:12 DEBUG| CPU architecture: 7 +13:48:12 DEBUG| CPU variant\t: 0x0 +13:48:12 DEBUG| CPU part\t: 0xc07 +13:48:12 DEBUG| CPU revision\t: 5 +13:48:12 DEBUG| processor\t: 1 +13:48:12 DEBUG| model name\t: ARMv7 Processor rev 5 (v7l) +13:48:12 DEBUG| BogoMIPS\t: 125.00 +13:48:12 DEBUG| Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm +13:48:12 DEBUG| CPU implementer\t: 0x41 +13:48:12 DEBUG| CPU architecture: 7 +13:48:12 DEBUG| CPU variant\t: 0x0 +13:48:12 DEBUG| CPU part\t: 0xc07 +13:48:12 DEBUG| CPU revision\t: 5 +13:48:12 DEBUG| processor\t: 2 +13:48:12 DEBUG| model name\t: ARMv7 Processor rev 5 (v7l) +13:48:12 DEBUG| BogoMIPS\t: 125.00 +13:48:12 DEBUG| Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm +13:48:12 DEBUG| CPU implementer\t: 0x41 +13:48:12 DEBUG| CPU architecture: 7 +13:48:12 DEBUG| CPU variant\t: 0x0 +13:48:12 DEBUG| CPU part\t: 0xc07 +13:48:12 DEBUG| CPU revision\t: 5 +13:48:12 DEBUG| processor\t: 3 +13:48:12 DEBUG| model name\t: ARMv7 Processor rev 5 (v7l) +13:48:12 DEBUG| BogoMIPS\t: 125.00 +13:48:12 DEBUG| Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm +13:48:12 DEBUG| CPU implementer\t: 0x41 +13:48:12 DEBUG| CPU architecture: 7 +13:48:12 DEBUG| CPU variant\t: 0x0 +13:48:12 DEBUG| CPU part\t: 0xc07 +13:48:12 DEBUG| CPU revision\t: 5 +13:48:12 DEBUG| Hardware\t: BCM2835 +13:48:12 DEBUG| Revision\t: 0000 +13:48:12 DEBUG| Serial\t\t: 0000000000000000 +13:48:12 DEBUG| cat /proc/iomem +13:48:12 DEBUG| / # cat /proc/iomem +13:48:12 DEBUG| 00000000-3bffffff : System RAM 
+13:48:12 DEBUG| 00008000-00afffff : Kernel code +13:48:12 DEBUG| 00c00000-00d468ef : Kernel data +13:48:12 DEBUG| 3f006000-3f006fff : dwc_otg +13:48:12 DEBUG| 3f007000-3f007eff : /soc/dma@7e007000 +13:48:12 DEBUG| 3f00b880-3f00b8bf : /soc/mailbox@7e00b880 +13:48:12 DEBUG| 3f100000-3f100027 : /soc/watchdog@7e100000 +13:48:12 DEBUG| 3f101000-3f102fff : /soc/cprman@7e101000 +13:48:12 DEBUG| 3f200000-3f2000b3 : /soc/gpio@7e200000 +13:53:12 WARNI| qemu received signal 9; command: "./qemu-system-arm -display none -vga none -chardev socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock -mon chardev=mon,mode=control -machine raspi2b -chardev socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off -serial chardev:console -kernel /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img -dtb /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb -initrd /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio -append printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0 -no-reboot" +13:53:12 ERROR| +13:53:12 ERROR| Reproduced traceback from: /var/lib/users/cleber/build/qemu/tests/venv/lib64/python3.9/site-packages/avocado/core/test.py:794 +13:53:12 ERROR| Traceback (most recent call last): +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 514, in _do_shutdown +13:53:12 ERROR| self._soft_shutdown(timeout, has_quit) +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 497, in _soft_shutdown +13:53:12 ERROR| 
self._subp.wait(timeout=timeout) +13:53:12 ERROR| File "/usr/lib64/python3.9/subprocess.py", line 1189, in wait +13:53:12 ERROR| return self._wait(timeout=timeout) +13:53:12 ERROR| File "/usr/lib64/python3.9/subprocess.py", line 1909, in _wait +13:53:12 ERROR| raise TimeoutExpired(self.args, timeout) +13:53:12 ERROR| subprocess.TimeoutExpired: Command '('./qemu-system-arm', '-display', 'none', '-vga', 'none', '-chardev', 'socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock', '-mon', 'chardev=mon,mode=control', '-machine', 'raspi2b', '-chardev', 'socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off', '-serial', 'chardev:console', '-kernel', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img', '-dtb', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb', '-initrd', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio', '-append', 'printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0', '-no-reboot')' timed out after 300 seconds +13:53:12 ERROR| +13:53:12 ERROR| The above exception was the direct cause of the following exception: +13:53:12 ERROR| +13:53:12 ERROR| Traceback (most recent call last): +13:53:12 ERROR| File "/var/lib/users/cleber/build/qemu/tests/acceptance/boot_linux_console.py", line 502, in test_arm_raspi2_initrd +13:53:12 ERROR| self.vm.wait(300) +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 561, in wait +13:53:12 ERROR| self.shutdown(has_quit=True, timeout=timeout) +13:53:12 ERROR| File 
"/home/cleber/src/qemu/python/qemu/machine/machine.py", line 544, in shutdown +13:53:12 ERROR| self._do_shutdown(timeout, has_quit) +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 517, in _do_shutdown +13:53:12 ERROR| raise AbnormalShutdown("Could not perform graceful shutdown") \\ +13:53:12 ERROR| qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown +13:53:12 ERROR| +13:53:12 DEBUG| Local variables: +13:53:12 DEBUG| -> self <class 'boot_linux_console.BootLinuxConsole'>: 01-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd +13:53:12 DEBUG| -> deb_url <class 'str'>: http://archive.raspberrypi.org/debian/pool/main/r/raspberrypi-firmware/raspberrypi-kernel_1.20190215-1_armhf.deb +13:53:12 DEBUG| -> deb_hash <class 'str'>: cd284220b32128c5084037553db3c482426f3972 +13:53:12 DEBUG| -> deb_path <class 'str'>: /home/cleber/avocado/data/cache/by_location/c813ab2b9e4f63b2aa876075ad70d638a31a25b7/raspberrypi-kernel_1.20190215-1_armhf.deb +13:53:12 DEBUG| -> kernel_path <class 'str'>: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img +13:53:12 DEBUG| -> dtb_path <class 'str'>: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb +13:53:12 DEBUG| -> initrd_url <class 'str'>: https://github.com/groeck/linux-build-test/raw/2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/arm/rootfs-armv7a.cpio.gz +13:53:12 DEBUG| -> initrd_hash <class 'str'>: 604b2e45cdf35045846b8bbfbf2129b1891bdc9c +13:53:12 DEBUG| -> initrd_path_gz <class 'str'>: /home/cleber/avocado/data/cache/by_location/d100d022b257e2c8f0c0c97434576ed642f9afe5/rootfs-armv7a.cpio.gz +13:53:12 DEBUG| -> initrd_path <class 'str'>: 
/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio +13:53:12 DEBUG| -> kernel_command_line <class 'str'>: printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0 +13:53:12 DEBUG| DATA (filename=output.expected) => NOT FOUND (data sources: variant, test, file) +13:53:12 DEBUG| DATA (filename=stdout.expected) => NOT FOUND (data sources: variant, test, file) +13:53:12 DEBUG| DATA (filename=stderr.expected) => NOT FOUND (data sources: variant, test, file) +13:53:12 ERROR| Traceback (most recent call last): + +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 514, in _do_shutdown + self._soft_shutdown(timeout, has_quit) + +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 497, in _soft_shutdown + self._subp.wait(timeout=timeout) + +13:53:12 ERROR| File "/usr/lib64/python3.9/subprocess.py", line 1189, in wait + return self._wait(timeout=timeout) + +13:53:12 ERROR| File "/usr/lib64/python3.9/subprocess.py", line 1909, in _wait + raise TimeoutExpired(self.args, timeout) + +13:53:12 ERROR| subprocess.TimeoutExpired: Command '('./qemu-system-arm', '-display', 'none', '-vga', 'none', '-chardev', 'socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock', '-mon', 'chardev=mon,mode=control', '-machine', 'raspi2b', '-chardev', 'socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off', '-serial', 'chardev:console', '-kernel', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img', '-dtb', 
'/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb', '-initrd', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio', '-append', 'printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0', '-no-reboot')' timed out after 300 seconds + +13:53:12 ERROR| +The above exception was the direct cause of the following exception: + + +13:53:12 ERROR| Traceback (most recent call last): + +13:53:12 ERROR| File "/var/lib/users/cleber/build/qemu/tests/venv/lib64/python3.9/site-packages/avocado/core/test.py", line 882, in _run_avocado + raise test_exception + +13:53:12 ERROR| File "/var/lib/users/cleber/build/qemu/tests/venv/lib64/python3.9/site-packages/avocado/core/test.py", line 789, in _run_avocado + testMethod() + +13:53:12 ERROR| File "/var/lib/users/cleber/build/qemu/tests/acceptance/boot_linux_console.py", line 502, in test_arm_raspi2_initrd + self.vm.wait(300) + +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 561, in wait + self.shutdown(has_quit=True, timeout=timeout) + +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 544, in shutdown + self._do_shutdown(timeout, has_quit) + +13:53:12 ERROR| File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 517, in _do_shutdown + raise AbnormalShutdown("Could not perform graceful shutdown") \\ + +13:53:12 ERROR| qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown + +13:53:12 ERROR| ERROR 01-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd -> AbnormalShutdown: Could not perform graceful shutdown +13:53:12 INFO | +```""" 
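Review bot: the two `raise AbnormalShutdown("Could not perform graceful shutdown") \\` lines in this `description` are the one place this export depends on TOML escaping: inside a `"""` basic string an unescaped `\` at end of line is the line-ending backslash, which would swallow the newline and the leading whitespace of the next log line, so the doubled backslash is required and is correct as written; likewise the `\t` escapes in the `cat /proc/cpuinfo` block come back as real tabs. This commit adds only data files, so nothing here shows the generated TOML being loaded back; a `tomllib` round-trip of every file in the export step would catch the day an issue body ends a line in a single backslash or contains `"""`. Two smaller points: the same Python traceback is stored twice (once as the avocado `ERROR|` lines, once under `Reproduced traceback from:`), and the log carries reporter-specific paths under `/home/cleber` and `/var/tmp`; both are fine for a verbatim archive, but a line in the README saying that bodies are stored unmodified would stop readers from treating those paths as part of the reproduction.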
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/638.toml b/gitlab/issues/target_arm/host_missing/accel_missing/638.toml new file mode 100644 index 00000000..f6c3cb07 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/638.toml @@ -0,0 +1,21 @@ +id = 638 +title = "exynos4210_uart.c: SIGSEGV when loadvm" +state = "closed" +created_at = "2021-09-25T04:27:16.677Z" +closed_at = "2022-01-29T15:55:19.698Z" +labels = ["target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/638" +host-os = "macOS 11.6" +host-arch = "(x86, ARM, s390x, etc.): ARM64" +qemu-version = "(e.g. `qemu-system-x86_64 --version`): v6.1.0" +guest-os = "(Windows 10 21H1, Fedora 34, etc.)" +guest-arch = "(x86, ARM, s390x, etc.) ARM64" +description = """Line 619 of hw/char/exynos4210_uart.c cast the object incorrectly. + +The function will be called with Exynos4210UartFIFO as opaque because it is set as `vmstate_exynos4210_uart_fifo.post_load` + +#""" +reproduce = """1. Create a VM with exynos4210_uart +2. savevm +3. loadvm""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/64.toml b/gitlab/issues/target_arm/host_missing/accel_missing/64.toml new file mode 100644 index 00000000..e6076cb7 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/64.toml @@ -0,0 +1,15 @@ +id = 64 +title = "raspi3 machine can not shutdown" +state = "closed" +created_at = "2021-05-01T05:57:49.252Z" +closed_at = "2021-07-04T13:03:36.739Z" +labels = ["Launchpad", "kind::Feature Request", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/64" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
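Review bot: in `638.toml` the issue-template prompts leaked into three fields: `host-arch = "(x86, ARM, s390x, etc.): ARM64"`, `qemu-version = "(e.g. `qemu-system-x86_64 --version`): v6.1.0"` and `guest-os = "(Windows 10 21H1, Fedora 34, etc.)"` (the last holds nothing but the prompt). Strip the parenthesised prompt at export so the values read `ARM64`, `v6.1.0` and `n/a`; otherwise any grouping on these fields splits this issue from the rest. The description also ends in a stray `#` from an unfilled markdown heading, and the empty `additional = """"""` used here should be the `"n/a"` marker that `64.toml` in the same hunk uses. Finally, this file sits under `host_missing/accel_missing` although `host-arch` and `host-os` are filled in, and the same is true of `656`, `690`, `714`, `717`, `725`, `729`, `736` and `789` further down; none of them carries a `host:` or `accel:` label, so the directory is evidently derived from labels rather than from the fields. Say so in the tree's README or derive the path from the fields, since a reader grouping by host from the path will miss all of these.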
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/656.toml b/gitlab/issues/target_arm/host_missing/accel_missing/656.toml new file mode 100644 index 00000000..7291fa04 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/656.toml @@ -0,0 +1,17 @@ +id = 656 +title = "qemu-system-arm sabrelite does not use sd card" +state = "opened" +created_at = "2021-10-01T13:53:25.165Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/656" +host-os = "Ubuntu" +host-arch = "x86_64" +qemu-version = "v6.1.0-1-g52220271fe-dirty" +guest-os = "n/a" +guest-arch = "n/a" +description = """I have build qemu from source. Furthermore I build Uboot from source following [this Link](https://qemu.readthedocs.io/en/latest/system/arm/sabrelite.html). With the provided command lines I am able to create and image and start the sabrelite board and see Uboot console Output. The problem I am facing is, that I am not able to interact with the provided tmp.img. + +I was also using the -driver option instead of the -blockdev option, but did not get any different results with that.""" +reproduce = "n/a" +additional = """I provide the console output in the attached file. [console.out](/uploads/996b8c07310ec3b008477e3e70a2e629/console.out)""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/690.toml b/gitlab/issues/target_arm/host_missing/accel_missing/690.toml new file mode 100644 index 00000000..f757a86f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/690.toml 
@@ -0,0 +1,27 @@ +id = 690 +title = "32bit qemu-arm can't run GCC due to failure to allocate memory range for guest (Allocating guest commpage error)" +state = "closed" +created_at = "2021-10-26T02:24:22.863Z" +closed_at = "2022-01-19T16:37:25.307Z" +labels = ["linux-user", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/690" +host-os = "Arch Linux" +host-arch = "i386 (32 bit)" +qemu-version = "qemu-arm version 6.1.0 (Debian 1:6.1+dfsg-6)" +guest-os = "Linux" +guest-arch = "ARM" +description = """I'm running ARM binaries using 32 bit qemu-arm-static on x86_64 host. Since version 5.1 (include latest 6.1), QEMU cannot run GCC and some other things with an error `Allocating guest commpage: Operation not permitted`. The problem is NOT reproducible on QEMU 5.0, so probably the problem was caused by a [rework of init_guest_space or the following commits](https://gitlab.com/qemu-project/qemu/-/commit/ee94743034bfb443cf246eda4971bdc15d8ee066) a year ago. + +Also the problem is not reproducible for all users. It is known that it is reproduced on all Arch Linux host machines and some Debian, and probably depends on some kernel build parameters. + +The sysctl `vm.mmap_min_addr` parameter also affects the problem. The error varies depending on its value: +``` +[0 ... 53248] - No error at all +[53249 ... 61440] - Cannot allocate memory +[61441 ... 65536 and higher] - Operation not permitted +```""" +reproduce = """1. Download and extract attached tarball: [qemu-test-gcc.tgz](/uploads/0031fdf6705183626f646b78a281dd2a/qemu-test-gcc.tgz) +2. `$ make # will build the docker container` +3. `$ make run # will enter the container` +4. Once in the container, run: `# /qemu-arm-static-50 /bin/bash /runme.sh`""" +additional = """A detailed description of the problem and feedback from other users is here: https://bugs.launchpad.net/qemu/+bug/1891748""" 
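Review bot: the `reproduce` steps in `690.toml` depend on an attachment linked as `/uploads/0031fdf6705183626f646b78a281dd2a/qemu-test-gcc.tgz`, a path relative to the GitLab project that does not resolve from this repository; `656.toml` has the same problem with `/uploads/996b8c07310ec3b008477e3e70a2e629/console.out`. Either rewrite these to absolute URLs under `https://gitlab.com/qemu-project/qemu/` at export or mirror the attachment next to the TOML, otherwise the recipe is unusable as soon as the tracker moves. Separately, `host-arch = "i386 (32 bit)"` while the first sentence of the description says the 32-bit `qemu-arm-static` runs on an x86_64 host; both are the reporter's words and should stay verbatim, but the field conflates the bitness of the QEMU binary with that of the host, and the `vm.mmap_min_addr` table in the description shows the behaviour is governed by a host kernel tunable rather than by the CPU architecture, so a study keying on `host-arch` should treat this entry with care.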
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/714.toml b/gitlab/issues/target_arm/host_missing/accel_missing/714.toml new file mode 100644 index 00000000..deda9d88 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/714.toml 
@@ -0,0 +1,53 @@ +id = 714 +title = "Command line arguments are not passed correctly with user-space semihosting" +state = "closed" +created_at = "2021-11-10T17:03:25.288Z" +closed_at = "2022-05-25T18:15:55.187Z" +labels = ["Closed::Fixed", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/714" +host-os = "Ubuntu 20.04 WSL2 on Windows 10 (also experienced on native Ubuntu 20.04 and containerised)" +host-arch = "x86_64" +qemu-version = "qemu-arm version 6.1.90 (v6.2.0-rc0-10-gb30187ef02d)" +guest-os = "n/a" +guest-arch = "n/a" +description = """The emulated process always receives a value of 1 for `argc`, with `argv[0]` returning seemingly random characters (in Ubuntu packaged qemu 5.2), but correlating with command-line input (output below from master built qemu 6.1): +``` +$ qemu-arm -cpu cortex-m7 ./a.out 123 test +argc: 1 +argv: + - @@@ + +$ qemu-arm -cpu cortex-m7 ./a.out +argc: 1 +argv: + [0] @ +```""" +reproduce = """1. Compile the following program with [ARM embedded toolchain](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads): +```cpp +#include <iostream> + +int main(int argc, char* argv[]) { +\tstd::cout << "argc: " << argc << "\\n"; +\tstd::cout << "argv: \\n"; + +\tfor (int i = 0; i < argc; i++) +\t\tstd::cout << " [" << i << "] " << argv[i] << "\\n"; +\treturn 0; +} +``` + +``` +$ $CXX --version +arm-none-eabi-g++ (GNU Arm Embedded Toolchain 10-2020-q4-major) 10.2.1 20201103 (release) +Copyright (C) 2020 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +$ $CXX main.cpp --specs=rdimon.specs -mcpu=cortex-m7 +``` + +2. Run in user-space (semihosted): +``` +$ qemu-arm -cpu cortex-m7 ./a.out +```""" +additional = "n/a" 
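Review bot: the embedded C++ program in `714.toml`'s `reproduce` relies on `\t` for indentation and `\\n` inside its string literals; TOML turns these into real tabs and a literal `\n` in the C++ source, which is what the reporter wrote, but a reformatter that touches the file would silently change the program, so the README should state how code blocks were escaped. Also worth a flag for anyone comparing the two output samples in `description`: the first prints ` - @@@` and the second ` [0] @`, while the program in `reproduce` only ever prints the ` [i] ` form, so the first sample came from a different build of the test program even though the sentence above attributes both to qemu 6.1 built from master.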
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/717.toml b/gitlab/issues/target_arm/host_missing/accel_missing/717.toml new file mode 100644 index 00000000..8e65c639 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/717.toml @@ -0,0 +1,15 @@ +id = 717 +title = "using the \"scsi-cd\" option on arm64 platform" +state = "closed" +created_at = "2021-11-11T09:23:28.821Z" +closed_at = "2023-03-16T13:45:53.888Z" +labels = ["Documentation", "Storage", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/717" +host-os = "openEuler release 21.03" +host-arch = "arm64" +qemu-version = "4.1.0" +guest-os = "ubuntu server 18.04" +guest-arch = "arm64" +description = """When using OpenStack to create a virtual machine instance, I need to configure the password of the root user through cloud-init. I use the ConfigDriver method, in which OpenStack will mount a virtual disk in iso9660 format to the virtual machine instance. The command line generated by OpenStack is shown above. You can see that this ConfigDrive virtual disk is mounted via "--device scsi-cd". But when I entered the virtual machine instance and used lsblk, blkid and searched in /dev/disk/by-label, I did not find the virtual disk that should be mounted. In addition, I don't have more debugging messages or error messages. I want to know if the "scsi-cd" is not fully adapted to arm64 platform.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/725.toml b/gitlab/issues/target_arm/host_missing/accel_missing/725.toml new file mode 100644 index 00000000..78488c5f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/725.toml 
@@ -0,0 +1,22 @@ +id = 725 +title = "GICv3 ITS CTLR[Enabled] bit can not be cleared" +state = "closed" +created_at = "2021-11-14T04:22:34.184Z" +closed_at = "2022-03-03T17:06:55.177Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/725" +host-os = "Ubuntu" +host-arch = "Intel" +qemu-version = "QEMU emulator version 6.1.50 (v6.1.0-1735-gc52d69e7db-dirty)" +guest-os = "N/A" +guest-arch = "(ARM)" +description = """ITS CTLR[Enabled] can not be cleared, + + `s->ctlr |= (value & ~(s->ctlr));` + +Link: +https://gitlab.com/qemu-project/qemu/-/blob/master/hw/intc/arm_gicv3_its.c#L899""" +reproduce = """1. +2. +3.""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/729.toml b/gitlab/issues/target_arm/host_missing/accel_missing/729.toml new file mode 100644 index 00000000..b461a3d3 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/729.toml 
@@ -0,0 +1,44 @@ +id = 729 +title = "Environment variables are not passed with user-space semihosting" +state = "closed" +created_at = "2021-11-16T12:40:37.854Z" +closed_at = "2022-03-16T00:21:05.331Z" +labels = ["Closed::Invalid", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/729" +host-os = "Ubuntu 20.04 WSL2 on Windows 10 (also experienced on native Ubuntu 20.04 and containerised)" +host-arch = "x86_64" +qemu-version = "qemu-arm version 6.1.90 (v6.2.0-rc0-10-gb30187ef02d)" +guest-os = "n/a" +guest-arch = "n/a" +description = """Environment variables are not passed to the emulated process, either inherited (as I might expect it to work in user-space?) or by specifying the values through the QEMU command-line. Note that setting the environment variable from within the app before calling `getenv` does work, so it isn't just a case of some system no-ops for the platform.""" +reproduce = """1. Compile the following program with [ARM embedded toolchain](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads): +```cpp +#include <iostream> +#include <cstdlib> + +int main(int argc, char* argv[]) { +\tchar* env = std::getenv("TEST"); +\tif (env) +\t\tstd::cout << "Env TEST: " << env << "\\n"; +\telse +\t\tstd::cout << "Env TEST not set.\\n"; +\treturn 0; +} +``` + +``` +$ $CXX --version +arm-none-eabi-g++ (GNU Arm Embedded Toolchain 10-2020-q4-major) 10.2.1 20201103 (release) +Copyright (C) 2020 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +$ $CXX main.cpp --specs=rdimon.specs -mcpu=cortex-m7 +``` + +2. Run in user-space (semihosted): +``` +$ qemu-arm -cpu cortex-m7 -E TEST=val123 ./a.out +Env TEST not set. +```""" +additional = "n/a" 
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/736.toml b/gitlab/issues/target_arm/host_missing/accel_missing/736.toml new file mode 100644 index 00000000..7f7a0da6 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/736.toml 
@@ -0,0 +1,55 @@ +id = 736 +title = "qemu-system-arm crash (hardware error: tsc210x_txrx: FIXME: bad SPI word width 24)" +state = "closed" +created_at = "2021-11-19T01:52:15.308Z" +closed_at = "2022-03-03T19:57:08.161Z" +labels = ["kind::Bug", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/736" +host-os = "Fedora 35" +host-arch = "x86" +qemu-version = "QEMU emulator version 6.2.91 (v6.2.0-rc1-25-g44a3aa0608)" +guest-os = "Meego (Linux)" +guest-arch = "ARM" +description = """The `tests/avocado/machine_arm_n8x0.py:N8x0Machine.test_n800` will sometimes trigger situation where the test does not progress and ends up interrupted. One example is [here](https://gitlab.com/qemu-project/qemu/-/jobs/1796742618#L242): + +``` +(075/171) tests/avocado/machine_arm_n8x0.py:N8x0Machine.test_n800: INTERRUPTED: Test interrupted by SIGTERM\\nRunner error occurred: Timeout reached\\nOriginal status: ERROR\\n{'name': '075-tests/avocado/machine_arm_n8x0.py:N8x0Machine.test_n800', 'logdir': '/builds/qem +```""" +reproduce = """1. ./tests/venv/bin/avocado assets fetch tests/avocado/machine_arm_n8x0.py +2. nc -l -U /var/tmp/qemu-monitor.sock +3. 
./qemu-system-arm -display none -vga none -chardev socket,id=mon,path=/var/tmp/qemu-monitor.sock -mon chardev=mon,mode=control -machine n800 -serial null -chardev socket,id=console,path=/var/tmp/qemu-51887-console.sock,server=on,wait=off -serial chardev:console -kernel $HOME/avocado/data/cache/by_location/07af9de13713c2905e8c6a88d6600eb1bc885c5c/meego-arm-n8x0-1.0.80.20100712.1431-vmlinuz-2.6.35~rc4-129.1-n8x0 -append 'printk.time=0 console=ttyS1'""" +additional = """``` +#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 +#1 0x00007ffff4d498c3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 +#2 0x00007ffff4cfc6b6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 +#3 0x00007ffff4ce67d3 in __GI_abort () at abort.c:79 +#4 0x0000555555e544b3 in hw_error (fmt=0x555556264da8 "%s: FIXME: bad SPI word width %i\\n") at ../../src/qemu/softmmu/cpus.c:126 +#5 0x0000555555a8f4b8 in tsc210x_txrx (opaque=0x5555579e9820, value=6468416, len=24) at ../../src/qemu/hw/input/tsc210x.c:913 +#6 0x0000555555bf49c1 in omap_mcspi_transfer_run (s=0x555557757d10, chnum=0) at ../../src/qemu/hw/ssi/omap_spi.c:93 +#7 0x0000555555bf536b in omap_mcspi_write (opaque=0x555557757d10, addr=56, value=6468416, size=4) at ../../src/qemu/hw/ssi/omap_spi.c:335 +#8 0x0000555555e68f05 in memory_region_write_accessor + (mr=0x555557757d10, addr=56, value=0x7fffe7034cc8, size=4, shift=0, mask=4294967295, attrs=...) at ../../src/qemu/softmmu/memory.c:492 +#9 0x0000555555e6914b in access_with_adjusted_size (addr=56, value=0x7fffe7034cc8, size=4, access_size_min=1, access_size_max=4, access_fn= + 0x555555e68e0f <memory_region_write_accessor>, mr=0x555557757d10, attrs=...) at ../../src/qemu/softmmu/memory.c:554 +#10 0x0000555555e6c1e4 in memory_region_dispatch_write (mr=0x555557757d10, addr=56, data=6468416, op=MO_32, attrs=...) 
+ at ../../src/qemu/softmmu/memory.c:1504 +#11 0x0000555555fa9936 in io_writex + (env=0x555556e419f0, iotlbentry=0x7fff581ad800, mmu_idx=10, val=6468416, addr=4194926648, retaddr=140734913962650, op=MO_32) + at ../../src/qemu/accel/tcg/cputlb.c:1420 +#12 0x0000555555fac1b1 in store_helper (env=0x555556e419f0, addr=4194926648, val=6468416, oi=42, retaddr=140734913962650, op=MO_32) + at ../../src/qemu/accel/tcg/cputlb.c:2355 +#13 0x0000555555fac571 in full_le_stl_mmu (env=0x555556e419f0, addr=4194926648, val=6468416, oi=42, retaddr=140734913962650) + at ../../src/qemu/accel/tcg/cputlb.c:2443 +#14 0x0000555555fac5a9 in helper_le_stl_mmu (env=0x555556e419f0, addr=4194926648, val=6468416, oi=42, retaddr=140734913962650) + at ../../src/qemu/accel/tcg/cputlb.c:2449 +#15 0x00007fff668de29a in code_gen_buffer () +#16 0x0000555555f95c5d in cpu_tb_exec (cpu=0x555556e37c60, itb=0x7fffa3aae140, tb_exit=0x7fffe703540c) at ../../src/qemu/accel/tcg/cpu-exec.c:357 +#17 0x0000555555f96afe in cpu_loop_exec_tb (cpu=0x555556e37c60, tb=0x7fffa3aae140, last_tb=0x7fffe7035420, tb_exit=0x7fffe703540c) + at ../../src/qemu/accel/tcg/cpu-exec.c:833 +#18 0x0000555555f96ed7 in cpu_exec (cpu=0x555556e37c60) at ../../src/qemu/accel/tcg/cpu-exec.c:992 +#19 0x0000555555fb9682 in tcg_cpus_exec (cpu=0x555556e37c60) at ../../src/qemu/accel/tcg/tcg-accel-ops.c:67 +#20 0x0000555555fb9a13 in mttcg_cpu_thread_fn (arg=0x555556e37c60) at ../../src/qemu/accel/tcg/tcg-accel-ops-mttcg.c:95 +#21 0x0000555556179831 in qemu_thread_start (args=0x55555700dbc0) at ../../src/qemu/util/qemu-thread-posix.c:556 +#22 0x00007ffff4d47b17 in start_thread (arg=<optimized out>) at pthread_create.c:435 +#23 0x00007ffff4dcc6c0 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 +```""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/789.toml b/gitlab/issues/target_arm/host_missing/accel_missing/789.toml new file mode 100644 index 00000000..381f62c7 --- /dev/null 
+++ b/gitlab/issues/target_arm/host_missing/accel_missing/789.toml @@ -0,0 +1,22 @@ +id = 789 +title = "QEMU arm (not arm64) crashes on apple silicon when run via docker desktop" +state = "closed" +created_at = "2021-12-20T15:47:42.823Z" +closed_at = "2021-12-21T23:28:34.616Z" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/789" +host-os = "macOS 15.1" +host-arch = "ARM64" +qemu-version = "6.1 according to the docker release notes" +guest-os = "rpi-raspian" +guest-arch = "arm" +description = """docker build of the simple Dockerfile here causes QEMU to crash in arm +emulation. It is perfectly reproducible. + +FROM balenalib/rpi-raspbian:bullseye-20210925 + +USER root + +RUN apt-get update -y && apt-get upgrade -y""" +reproduce = "n/a" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/803.toml b/gitlab/issues/target_arm/host_missing/accel_missing/803.toml new file mode 100644 index 00000000..2e2432f2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/803.toml 
@@ -0,0 +1,28 @@ +id = 803 +title = "v6.2.0 armv7m: savevm fails assertion" +state = "closed" +created_at = "2022-01-06T00:46:59.919Z" +closed_at = "2022-01-29T19:36:32.085Z" +labels = ["Migration", "target: arm", "workflow::In Progress"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/803" +host-os = "NixOS 21.11" +host-arch = "x86_64" +qemu-version = "6.2.50 (v6.2.0-538-g7d4ae4d497)" +guest-os = "any/none" +guest-arch = "ARM (armv7m)" +description = """Trying to take a snapshot on some arm machines just fails an assertion, while some work fine. +e.g. mps2-an385 and stm32vldiscovery don't work, while e.g. raspi0 does. +``` +$ build/qemu-system-arm -machine mps2-an385 -monitor stdio -drive file=dummy.qcow2 -S +QEMU 6.1.50 monitor - type 'help' for more information +(qemu) VNC server running on ::1:5900 +savevm test +qemu-system-arm: ../migration/vmstate.c:363: vmstate_save_state_v: Assertion `first_elem || !n_elems || !size' failed. +[1] 631940 IOT instruction (core dumped) build/qemu-system-arm -machine mps2-an385 -monitor stdio -drive -S +``` +This happens with or without a kernel (so -S is optional, if a kernel is present).""" +reproduce = """1. Create some image for snapshots (once): ``qemu-img create -f qcow2 dummy.qcow2 32M`` +2. ``qemu-system-arm -machine mps2-an385 -monitor stdio -drive file=dummy.qcow2 -S`` +3. In monitor: ``savevm something``""" +additional = """Bisect indicates the Problem first presented itself in commit d5093d961585f02126191951ded9b90dbc52883b by @pm215. +This led me to test stm32vldiscovery, which also includes armv7m.h and fails, while some others don't.""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/838.toml b/gitlab/issues/target_arm/host_missing/accel_missing/838.toml new file mode 100644 index 00000000..033f4363 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/838.toml 
@@ -0,0 +1,15 @@ +id = 838 +title = "qemu-system-arm, ast2600-evb, the address mapping of ASPEED_DEV_SPI2 is different from datasheet" +state = "closed" +created_at = "2022-01-24T07:10:26.240Z" +closed_at = "2022-01-29T15:55:19.692Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/838" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/903.toml b/gitlab/issues/target_arm/host_missing/accel_missing/903.toml new file mode 100644 index 00000000..fbba2724 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/903.toml 
@@ -0,0 +1,363 @@ +id = 903 +title = "m1 MacOS panic testing lima with qemu HEAD/7.0.0" +state = "closed" +created_at = "2022-03-11T21:49:51.871Z" +closed_at = "2022-03-17T10:29:24.191Z" +labels = ["hostos: macOS", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/903" +host-os = "MacOS" +host-arch = "ARM" +qemu-version = "QEMU emulator version 6.2.50 (v6.2.0-2380-g1416688c53)" +guest-os = "Ubuntu 21.10 server" +guest-arch = "ARM" +description = """I'm trying to help the `lima` project test the latest version of lima on m1 with the latest qemu https://github.com/lima-vm/lima/issues/713 and I got a panic and was told to report back in the qemu issue tracker. + +I created a VM with 8GiB memory, and got a panic. + + +lima version: +``` +⎈ |rancher-desktop:default) ~ ❯❯❯ limactl --version ✘ 1 +limactl version HEAD-1164273 +``` + +qemu version: +``` +(⎈ |rancher-desktop:default) ~ ❯❯❯ qemu-system-aarch64 --version +QEMU emulator version 6.2.50 (v6.2.0-2380-g1416688c53) +Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers +``` + +MacOS panic: + +``` +panic(cpu 3 caller 0xfffffe001db6ea58): vm_fault() KERN_FAILURE from guest fault on state 0xfffffe6032c98000 @sleh.c:3091 +Debugger message: panic +Memory ID: 0x6 +OS release type: User +OS version: 21A559 +Kernel version: Darwin Kernel Version 21.1.0: Wed Oct 13 17:33:01 PDT 2021; root:xnu-8019.41.5~1/RELEASE_ARM64_T6000 +Fileset Kernelcache UUID: 3B2CA3833A09A383D66FB36667ED9CBF +Kernel UUID: 67BCB41B-BAA4-3634-8E51-B0210457E324 +iBoot version: iBoot-7429.41.5 +secure boot?: YES +Paniclog version: 13 +KernelCache slide: 0x00000000160d8000 +KernelCache base: 0xfffffe001d0dc000 +Kernel slide: 0x0000000016900000 +Kernel text base: 0xfffffe001d904000 +Kernel text exec slide: 0x00000000169e8000 +Kernel text exec base: 0xfffffe001d9ec000 +mach_absolute_time: 0x1661a3f15fc +Epoch Time: sec usec + Boot : 0x622a7219 0x00029f9b + Sleep : 0x622ba92c 0x00061dca + Wake : 0x622ba9d3 0x000ae46d + 
Calendar: 0x622bc0fb 0x000caf67 + +Zone info: +Foreign : 0xfffffe0025c14000 - 0xfffffe0025c28000 +Native : 0xfffffe10003bc000 - 0xfffffe30003bc000 +Readonly : 0 - 0 +Metadata : 0xfffffe64105d0000 - 0xfffffe641c53c000 +Bitmaps : 0xfffffe641c53c000 - 0xfffffe6433f6c000 +CORE 0 PVH locks held: None +CORE 1 PVH locks held: None +CORE 2 PVH locks held: None +CORE 3 PVH locks held: None +CORE 4 PVH locks held: None +CORE 5 PVH locks held: None +CORE 6 PVH locks held: None +CORE 7 PVH locks held: None +CORE 8 PVH locks held: None +CORE 9 PVH locks held: None +CORE 0: PC=0xfffffe001da72c6c, LR=0xfffffe001da72c6c, FP=0xfffffe6110abbef0 +CORE 1: PC=0xfffffe001f2cdbe0, LR=0xfffffe001f2ceb54, FP=0xfffffe611027b600 +CORE 2: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe603778bef0 +CORE 3 is the one that panicked. Check the full backtrace for details. +CORE 4: PC=0xfffffe001da72c6c, LR=0xfffffe001da72c6c, FP=0xfffffe61166fbef0 +CORE 5: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe6110a6bef0 +CORE 6: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe61121cbef0 +CORE 7: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe60b4be3ef0 +CORE 8: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe6032af3ef0 +CORE 9: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe6090a4bef0 +Panicked task 0xfffffe150e4ccd50: 17757 pages, 10 threads: pid 21141: qemu-system-aarc +Panicked thread: 0xfffffe1515ae87d8, backtrace: 0xfffffe60d51e3300, tid: 979402 +\t\t lr: 0xfffffe001da3e488 fp: 0xfffffe60d51e3370 +\t\t lr: 0xfffffe001da3e158 fp: 0xfffffe60d51e33e0 +\t\t lr: 0xfffffe001db7a558 fp: 0xfffffe60d51e3400 +\t\t lr: 0xfffffe001db6d2d4 fp: 0xfffffe60d51e3480 +\t\t lr: 0xfffffe001db6ac9c fp: 0xfffffe60d51e3540 +\t\t lr: 0xfffffe001d9f37f8 fp: 0xfffffe60d51e3550 +\t\t lr: 0xfffffe001da3ddcc fp: 0xfffffe60d51e38f0 +\t\t lr: 0xfffffe001da3ddcc fp: 0xfffffe60d51e3960 +\t\t lr: 0xfffffe001e23c748 fp: 0xfffffe60d51e3980 +\t\t lr: 0xfffffe001db6ea58 fp: 
0xfffffe60d51e39e0 +\t\t lr: 0xfffffe001db6e5dc fp: 0xfffffe60d51e3a50 +\t\t lr: 0xfffffe001d9fe828 fp: 0xfffffe60d51e3a60 +\t\t lr: 0xfffffe001db823f4 fp: 0xfffffe60d51e3e50 +\t\t lr: 0xfffffe001db6b140 fp: 0xfffffe60d51e3f10 +\t\t lr: 0xfffffe001d9f37f8 fp: 0xfffffe60d51e3f20 + +last started kext at 1368960011: com.apple.filesystems.smbfs\t4.0 (addr 0xfffffe001d8ea490, size 64483) +loaded kexts: +com.apple.filesystems.smbfs\t4.0 +com.apple.filesystems.autofs\t3.0 +com.apple.fileutil\t20.036.15 +com.apple.UVCService\t1 +com.apple.driver.AppleUSBTopCaseDriver\t5010.1 +com.apple.iokit.SCSITaskUserClient\t452.30.4 +com.apple.driver.AppleIntelI210Ethernet\t2.3.1 +com.apple.driver.AppleBiometricServices\t1 +com.apple.driver.CoreKDL\t1 +com.apple.driver.AppleTopCaseHIDEventDriver\t5010.1 +com.apple.driver.SEPHibernation\t1 +com.apple.driver.BCMWLANFirmware4387.Hashstore\t1 +com.apple.driver.DiskImages.ReadWriteDiskImage\t493.0.0 +com.apple.driver.DiskImages.UDIFDiskImage\t493.0.0 +com.apple.driver.DiskImages.RAMBackingStore\t493.0.0 +com.apple.driver.DiskImages.FileBackingStore\t493.0.0 +com.apple.filesystems.apfs\t1933.41.2 +com.apple.driver.AppleUSBDeviceNCM\t5.0.0 +com.apple.driver.AppleThunderboltIP\t4.0.3 +com.apple.driver.AppleFileSystemDriver\t3.0.1 +com.apple.nke.l2tp\t1.9 +com.apple.filesystems.tmpfs\t1 +com.apple.filesystems.lifs\t1 +com.apple.IOTextEncryptionFamily\t1.0.0 +com.apple.filesystems.hfs.kext\t582.40.4 +com.apple.security.BootPolicy\t1 +com.apple.BootCache\t40 +com.apple.AppleFSCompression.AppleFSCompressionTypeZlib\t1.0.0 +com.apple.AppleFSCompression.AppleFSCompressionTypeDataless\t1.0.0d1 +com.apple.driver.AppleCS42L84Audio\t502.6 +com.apple.driver.ApplePMP\t1 +com.apple.driver.AppleSmartIO2\t1 +com.apple.driver.AppleSN012776Amp\t502.6 +com.apple.AppleEmbeddedSimpleSPINORFlasher\t1 +com.apple.driver.AppleT6000SOCTuner\t1 +com.apple.driver.AppleT6000CLPCv3\t1 +com.apple.driver.AppleSmartBatteryManager\t161.0.0 
+com.apple.driver.AppleALSColorSensor\t1.0.0d1 +com.apple.driver.AppleAOPVoiceTrigger\t100.1 +com.apple.driver.ApplePMPFirmware\t1 +com.apple.driver.AppleMCDP29XXUpdateSupport\t1 +com.apple.driver.AppleM68Buttons\t1.0.0d1 +com.apple.driver.AppleSamsungSerial\t1.0.0d1 +com.apple.driver.AppleSerialShim\t1 +com.apple.driver.usb.AppleSynopsysUSB40XHCI\t1 +com.apple.driver.AppleSDXC\t3.1.1 +com.apple.driver.AppleSPMIPMU\t1.0.1 +com.apple.AGXG13X\t187.57 +com.apple.driver.AppleAVD\t415 +com.apple.driver.AppleAVE2\t501.6.9 +com.apple.driver.AppleJPEGDriver\t4.7.8 +com.apple.driver.AppleProResHW\t126.2.0 +com.apple.driver.AppleMobileDispT600X-DCP\t140.0 +com.apple.driver.AppleDPDisplayTCON\t1 +com.apple.driver.AppleEventLogHandler\t1 +com.apple.driver.AppleS5L8960XNCO\t1 +com.apple.driver.AppleT6001PMGR\t1 +com.apple.driver.AppleS8000AES\t1 +com.apple.driver.AppleS8000DWI\t1.0.0d1 +com.apple.driver.AppleInterruptControllerV2\t1.0.0d1 +com.apple.driver.AppleT8110DART\t1 +com.apple.driver.AppleBluetoothModule\t1 +com.apple.driver.AppleBCMWLANBusInterfacePCIe\t1 +com.apple.driver.AppleS5L8920XPWM\t1.0.0d1 +com.apple.driver.AudioDMAController-T600x\t100.51 +com.apple.driver.AppleT6000DART\t1 +com.apple.driver.AppleSPIMC\t1 +com.apple.driver.AppleS5L8940XI2C\t1.0.0d2 +com.apple.driver.AppleT6000\t1 +com.apple.iokit.IOUserEthernet\t1.0.1 +com.apple.driver.usb.AppleUSBUserHCI\t1 +com.apple.iokit.IOKitRegistryCompatibility\t1 +com.apple.iokit.EndpointSecurity\t1 +com.apple.driver.AppleDiskImages2\t126.40.1 +com.apple.AppleSystemPolicy\t2.0.0 +com.apple.nke.applicationfirewall\t402 +com.apple.kec.InvalidateHmac\t1 +com.apple.kec.AppleEncryptedArchive\t1 +com.apple.driver.driverkit.serial\t6.0.0 +com.apple.kext.triggers\t1.0 +com.apple.driver.AppleUSBMergeNub\t900.4.2 +com.apple.driver.usb.cdc.ecm\t5.0.0 +com.apple.driver.usb.cdc.acm\t5.0.0 +com.apple.driver.usb.serial\t6.0.0 +com.apple.driver.usb.cdc.ncm\t5.0.0 +com.apple.iokit.IOAVBFamily\t1010.2 
+com.apple.plugin.IOgPTPPlugin\t1000.11 +com.apple.driver.usb.IOUSBHostHIDDevice\t1.2 +com.apple.driver.usb.cdc\t5.0.0 +com.apple.driver.AppleUSBAudio\t412.8 +com.apple.iokit.IOAudioFamily\t300.10 +com.apple.vecLib.kext\t1.2.0 +com.apple.iokit.IOEthernetAVBController\t1.1.0 +com.apple.driver.usb.AppleUSBXHCIPCI\t1.2 +com.apple.driver.AppleMesaSEPDriver\t100.99 +com.apple.iokit.IOBiometricFamily\t1 +com.apple.driver.AppleHIDKeyboard\t228 +com.apple.driver.AppleHSBluetoothDriver\t5010.1 +com.apple.driver.IOBluetoothHIDDriver\t9.0.0 +com.apple.driver.AppleActuatorDriver\t5400.25 +com.apple.driver.AppleMultitouchDriver\t5400.25 +com.apple.driver.AppleThunderboltPCIUpAdapter\t4.1.1 +com.apple.driver.AppleThunderboltDPOutAdapter\t8.5.0 +com.apple.driver.AppleSEPHDCPManager\t1.0.1 +com.apple.driver.AppleTrustedAccessory\t1 +com.apple.iokit.AppleSEPGenericTransfer\t1 +com.apple.driver.DiskImages.KernelBacked\t493.0.0 +com.apple.driver.AppleXsanScheme\t3 +com.apple.driver.usb.networking\t5.0.0 +com.apple.driver.AppleThunderboltUSBDownAdapter\t1.0.4 +com.apple.driver.AppleThunderboltPCIDownAdapter\t4.1.1 +com.apple.driver.AppleThunderboltDPInAdapter\t8.5.0 +com.apple.driver.AppleThunderboltDPAdapterFamily\t8.5.0 +com.apple.nke.ppp\t1.9 +com.apple.driver.AppleHIDTransportSPI\t5400.30 +com.apple.driver.AppleHIDTransport\t5400.30 +com.apple.driver.AppleInputDeviceSupport\t5400.30 +com.apple.driver.AppleBSDKextStarter\t3 +com.apple.filesystems.hfs.encodings.kext\t1 +com.apple.driver.AppleConvergedIPCOLYBTControl\t1 +com.apple.driver.AppleConvergedPCI\t1 +com.apple.driver.AppleBluetoothDebug\t1 +com.apple.driver.AppleBTM\t1.0.1 +com.apple.driver.AppleDiagnosticDataAccessReadOnly\t1.0.0 +com.apple.driver.AppleCSEmbeddedAudio\t502.6 +com.apple.driver.AppleDCPDPTXProxy\t1.0.0 +com.apple.driver.DCPDPFamilyProxy\t1 +com.apple.driver.ApplePassthroughPPM\t3.0 +com.apple.driver.AppleAOPAudio\t102.2 +com.apple.driver.AppleEmbeddedAudio\t502.6 +com.apple.iokit.AppleARMIISAudio\t100.1 
+com.apple.driver.AppleSPU\t1 +com.apple.iokit.IONVMeFamily\t2.1.0 +com.apple.driver.AppleNANDConfigAccess\t1.0.0 +com.apple.AGXFirmwareKextG13XRTBuddy\t187.57 +com.apple.AGXFirmwareKextRTBuddy64\t187.57 +com.apple.driver.AppleHPM\t3.4.4 +com.apple.driver.DCPAVFamilyProxy\t1 +com.apple.driver.AppleStockholmControl\t1.0.0 +com.apple.driver.AppleT6000TypeCPhy\t1 +com.apple.driver.AppleT8103TypeCPhy\t1 +com.apple.driver.AppleUSBXDCIARM\t1.0 +com.apple.driver.AppleUSBXDCI\t1.0 +com.apple.iokit.IOUSBDeviceFamily\t2.0.0 +com.apple.driver.usb.AppleSynopsysUSBXHCI\t1 +com.apple.driver.usb.AppleUSBXHCI\t1.2 +com.apple.driver.AppleEmbeddedUSBHost\t1 +com.apple.driver.usb.AppleUSBHub\t1.2 +com.apple.driver.usb.AppleUSBHostCompositeDevice\t1.2 +com.apple.driver.AppleDialogPMU\t1.0.1 +com.apple.driver.AppleSPMI\t1.0.1 +com.apple.driver.usb.AppleUSBHostPacketFilter\t1.0 +com.apple.iokit.IOGPUFamily\t35.11 +com.apple.iokit.IOMobileGraphicsFamily-DCP\t343.0.0 +com.apple.driver.AppleDCP\t1 +com.apple.driver.AppleFirmwareKit\t1 +com.apple.iokit.IOMobileGraphicsFamily\t343.0.0 +com.apple.driver.AppleSART\t1 +com.apple.driver.ApplePMGR\t1 +com.apple.driver.AppleARMWatchdogTimer\t1 +com.apple.driver.AppleDisplayCrossbar\t1.0.0 +com.apple.iokit.IODisplayPortFamily\t1.0.0 +com.apple.driver.AppleTypeCPhy\t1 +com.apple.driver.AppleThunderboltNHI\t7.2.8 +com.apple.driver.AppleT6000PCIeC\t1 +com.apple.iokit.IOThunderboltFamily\t9.3.2 +com.apple.driver.ApplePIODMA\t1 +com.apple.driver.AppleT600xPCIe\t1 +com.apple.driver.AppleMultiFunctionManager\t1 +com.apple.driver.AppleBluetoothDebugService\t1 +com.apple.driver.AppleBCMWLANCore\t1.0.0 +com.apple.iokit.IO80211Family\t1200.12.2b1 +com.apple.driver.IOImageLoader\t1.0.0 +com.apple.driver.AppleOLYHAL\t1 +com.apple.driver.corecapture\t1.0.4 +com.apple.driver.AppleEmbeddedPCIE\t1 +com.apple.driver.AppleMCA2-T600x\t600.95 +com.apple.driver.AppleEmbeddedAudioLibs\t100.9.1 +com.apple.driver.AppleFirmwareUpdateKext\t1 
+com.apple.driver.AppleH13CameraInterface\t4.79.0 +com.apple.driver.AppleH10PearlCameraInterface\t17.0.3 +com.apple.driver.AppleGPIOICController\t1.0.2 +com.apple.driver.AppleFireStormErrorHandler\t1 +com.apple.driver.AppleMobileApNonce\t1 +com.apple.iokit.IOTimeSyncFamily\t1000.11 +com.apple.driver.DiskImages\t493.0.0 +com.apple.iokit.IOGraphicsFamily\t593 +com.apple.iokit.IOBluetoothSerialManager\t9.0.0 +com.apple.iokit.IOBluetoothHostControllerUSBTransport\t9.0.0 +com.apple.iokit.IOBluetoothHostControllerUARTTransport\t9.0.0 +com.apple.iokit.IOBluetoothHostControllerTransport\t9.0.0 +com.apple.driver.IOBluetoothHostControllerPCIeTransport\t9.0.0 +com.apple.iokit.IOBluetoothFamily\t9.0.0 +com.apple.driver.FairPlayIOKit\t68.13.0 +com.apple.iokit.CoreAnalyticsFamily\t1 +com.apple.iokit.CSRBluetoothHostControllerUSBTransport\t9.0.0 +com.apple.iokit.BroadcomBluetoothHostControllerUSBTransport\t9.0.0 +com.apple.driver.AppleSSE\t1.0 +com.apple.driver.AppleSEPKeyStore\t2 +com.apple.driver.AppleUSBTDM\t532.40.7 +com.apple.iokit.IOUSBMassStorageDriver\t209.40.6 +com.apple.iokit.IOPCIFamily\t2.9 +com.apple.iokit.IOSCSIBlockCommandsDevice\t452.30.4 +com.apple.iokit.IOSCSIArchitectureModelFamily\t452.30.4 +com.apple.driver.AppleIPAppender\t1.0 +com.apple.driver.AppleFDEKeyStore\t28.30 +com.apple.driver.AppleEffaceableStorage\t1.0 +com.apple.driver.AppleCredentialManager\t1.0 +com.apple.driver.KernelRelayHost\t1 +com.apple.iokit.IOUSBHostFamily\t1.2 +com.apple.driver.AppleUSBHostMergeProperties\t1.2 +com.apple.driver.usb.AppleUSBCommon\t1.0 +com.apple.driver.AppleSMC\t3.1.9 +com.apple.driver.RTBuddy\t1.0.0 +com.apple.driver.AppleEmbeddedTempSensor\t1.0.0 +com.apple.driver.AppleARMPMU\t1.0 +com.apple.iokit.IOAccessoryManager\t1.0.0 +com.apple.driver.AppleOnboardSerial\t1.0 +com.apple.iokit.IOSkywalkFamily\t1.0 +com.apple.driver.mDNSOffloadUserClient\t1.0.1b8 +com.apple.iokit.IONetworkingFamily\t3.4 +com.apple.iokit.IOSerialFamily\t11 +com.apple.driver.AppleSEPManager\t1.0.1 
+com.apple.driver.AppleA7IOP\t1.0.2 +com.apple.driver.IOSlaveProcessor\t1 +com.apple.driver.AppleBiometricSensor\t2 +com.apple.iokit.IOHIDFamily\t2.0.0 +com.apple.driver.AppleANELoadBalancer\t5.33.2 +com.apple.driver.AppleH11ANEInterface\t5.33.0 +com.apple.AUC\t1.0 +com.apple.iokit.IOAVFamily\t1.0.0 +com.apple.iokit.IOHDCPFamily\t1.0.0 +com.apple.iokit.IOCECFamily\t1 +com.apple.iokit.IOAudio2Family\t1.0 +com.apple.driver.AppleIISController\t100.1 +com.apple.driver.AppleAudioClockLibs\t100.9.1 +com.apple.driver.AppleM2ScalerCSCDriver\t265.0.0 +com.apple.iokit.IOSurface\t302.9 +com.apple.driver.IODARTFamily\t1 +com.apple.security.quarantine\t4 +com.apple.security.sandbox\t300.0 +com.apple.kext.AppleMatch\t1.0.0d1 +com.apple.driver.AppleMobileFileIntegrity\t1.0.5 +com.apple.security.AppleImage4\t4.1.0 +com.apple.kext.CoreTrust\t1 +com.apple.iokit.IOCryptoAcceleratorFamily\t1.0.1 +com.apple.driver.AppleARMPlatform\t1.0.2 +com.apple.iokit.IOStorageFamily\t2.1 +com.apple.iokit.IOSlowAdaptiveClockingFamily\t1.0.0 +com.apple.iokit.IOReportFamily\t47 +com.apple.kec.pthread\t1 +com.apple.kec.Libm\t1 +com.apple.kec.corecrypto\t12.0 + + + +** Stackshot Succeeded ** Bytes Traced 478480 (Uncompressed 1208976) ** +```""" +reproduce = """1. See https://github.com/lima-vm/lima/issues/713""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/914.toml b/gitlab/issues/target_arm/host_missing/accel_missing/914.toml new file mode 100644 index 00000000..17764bc0 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/914.toml @@ -0,0 +1,15 @@ +id = 914 +title = "Raspi4 emulation" +state = "closed" +created_at = "2022-03-16T07:51:04.078Z" +closed_at = "2022-03-16T08:39:27.898Z" +labels = ["kind::Feature Request", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/914" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
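Review bot: in 903.toml, `additional = """"""` is an empty string where the other files in this patch use the `"n/a"` sentinel, so a consumer filtering on the sentinel will count this entry as having extra information; normalize to one sentinel (789.toml and 1528.toml elsewhere in the patch have the same empty string). The roughly 300-line `loaded kexts:` inventory in `description` is host driver state that says nothing about the report; the useful part ends at the panicked-thread backtrace (`panic(cpu 3 ...) vm_fault() KERN_FAILURE from guest fault on state ... @sleh.c:3091`, `Panicked task ...: qemu-system-aarc`), which identifies this as the host kernel panicking while handling a guest fault, i.e. almost certainly an HVF-backed guest. `host-os = "MacOS"` and `host-arch = "ARM"` are populated and the label `hostos: macOS` is set, yet the file is filed under `host_missing/accel_missing`.

Review bot: 914.toml carries nothing beyond the title `Raspi4 emulation`, the label `kind::Feature Request` and a `closed_at` 48 minutes after `created_at`; with `description`, `reproduce` and `additional` all `"n/a"`, a reader cannot tell whether the body was empty or was not captured. For a bug study, either drop `kind::Feature Request` issues at collection time or record the raw body so that distinction survives.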
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/920.toml b/gitlab/issues/target_arm/host_missing/accel_missing/920.toml new file mode 100644 index 00000000..c037ab81 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/920.toml @@ -0,0 +1,20 @@ +id = 920 +title = "Aarch64 QEMU+KVM+OVMF RAM Bug" +state = "opened" +created_at = "2022-03-19T12:47:33.608Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/920" +host-os = "Android 11 (R)" +host-arch = "Aarch64 (ARMv8)" +qemu-version = "6.1.0" +guest-os = "Windows 11 Pro" +guest-arch = "Aarch64" +description = """OVMF EDK2 does not recognize any amount of RAM. It always detects as 0 MB and causes operating systems to crash.""" +reproduce = """1. +2. +3.""" +additional = """There was a problem with the Redmi Note 10S device via Termux. +  + + ovmf""" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/922.toml b/gitlab/issues/target_arm/host_missing/accel_missing/922.toml new file mode 100644 index 00000000..d1caf31f --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/922.toml 
@@ -0,0 +1,30 @@ +id = 922 +title = "QEMU 7.0.0-rc0: Random segfaults when running grep using qemu-arm-static" +state = "opened" +created_at = "2022-03-20T21:01:38.001Z" +closed_at = "n/a" +labels = ["linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/922" +host-os = "Arch Linux" +host-arch = "i386 (32 bit)" +qemu-version = "qemu-arm version 6.2.90 (7.0.0 rc 0 from the qemu.org)" +guest-os = "Linux" +guest-arch = "ARM" +description = """I'm running ARM binaries using 32 bit qemu-arm-static on x86_64 host. Sometimes when running grep via qemu, I get a random segmentation fault. Sometimes it happens faster, sometimes it takes several thousand iterations, but sooner or later it happens and really annoying. + +This problem is also reproduced on 6.2, 5.2 and 5.1 releases, and NOT reproduced on 5.0 + +I wrote small test to demonstrate this bug.""" +reproduce = """1. Download the test environment: [qemu-test-segfault.tar.bz2](/uploads/8f52617d46ba1e5bf29fc273cd07131d/qemu-test-segfault.tar.bz2) +2. `$ make # To build the docker container` +3. `$ make shell # To run ARM bash` +4. Inside a container, run `while true; do /qemu /bin/grep -E f text > /dev/null; [ $? -ne 0 ] && break; done`. After a while you will get segfault: +``` +[root@0d81b08f032b /]# /qemu --version +qemu-arm version 6.2.90 +Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers +[root@0d81b08f032b /]# while true; do /qemu /bin/grep -E f text > /dev/null; [ $? -ne 0 ] && break; done +Segmentation fault (core dumped) +[root@0d81b08f032b /]# +```""" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/923.toml b/gitlab/issues/target_arm/host_missing/accel_missing/923.toml new file mode 100644 index 00000000..a204f1ff --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/923.toml 
@@ -0,0 +1,15 @@ +id = 923 +title = "Kernel OOPS on SBSA-ref due to missing watchdog register" +state = "closed" +created_at = "2022-03-21T15:03:15.513Z" +closed_at = "2024-05-02T14:12:32.979Z" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/923" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/924.toml b/gitlab/issues/target_arm/host_missing/accel_missing/924.toml new file mode 100644 index 00000000..01e126d2 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/924.toml @@ -0,0 +1,15 @@ +id = 924 +title = "AHCI IRQ lost running Fedora on SBSA-ref" +state = "opened" +created_at = "2022-03-21T15:26:43.223Z" +closed_at = "n/a" +labels = ["Storage", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/924" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/95.toml b/gitlab/issues/target_arm/host_missing/accel_missing/95.toml new file mode 100644 index 00000000..54bc2c01 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/95.toml @@ -0,0 +1,15 @@ +id = 95 +title = "linux-user mode can't handle guest setting a very small RLIMIT_AS (hangs running gnutls28, coreutils configure check code)" +state = "opened" +created_at = "2021-05-03T12:37:08.495Z" +closed_at = "n/a" +labels = ["Launchpad", "kind::Bug", "linux-user", "target: arm", "workflow::Triaged"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/95" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" 
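Review bot: in 920.toml the `reproduce` field keeps the unfilled issue-template placeholders (`1.`, `2.`, `3.`) and `additional` ends in blank lines plus a lone `ovmf` token, which looks like the remnant of a stripped attachment; both should become the `"n/a"` sentinel (or keep the attachment as a link), otherwise downstream code counts this as an issue with reproduction steps. `host-arch = "Aarch64 (ARMv8)"` and `host-os = "Android 11 (R)"` are populated but the file sits under `host_missing`, and `closed_at = "n/a"` puts a string sentinel into a timestamp field for an `opened` issue; an absent key would be cleaner.

Review bot: 922.toml step 1 links the test environment as a site-relative path (`/uploads/8f52617d46ba1e5bf29fc273cd07131d/qemu-test-segfault.tar.bz2`); once the TOML leaves gitlab.com that link resolves nowhere, so expand it against the project in `url` at scrape time (GitLab serves project uploads under `https://gitlab.com/qemu-project/qemu/uploads/<hash>/<file>`); 952.toml's `[hello](/uploads/...)` later in the patch has the same problem. Note also that `host-arch = "i386 (32 bit)"` describes the 32-bit `qemu-arm-static` build, while the description says the host is x86_64; the field is the reporter's own wording, but a study keyed on host architecture should not take it at face value.

Review bot: 95.toml is a Launchpad-imported issue (label `Launchpad`) whose entire content is the title (`linux-user mode can't handle guest setting a very small RLIMIT_AS ...`), with `description`, `reproduce` and `additional` all `"n/a"`; 923.toml and 924.toml in this hunk, and 838.toml, 1751.toml and 187.toml elsewhere in the patch, are in the same state although their titles describe concrete bugs that presumably came with a body. It looks as if the scraper only fills `description` when the body follows the bug template; falling back to the raw body for non-template issues (which includes every Launchpad import) would keep those entries usable.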
diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/952.toml b/gitlab/issues/target_arm/host_missing/accel_missing/952.toml new file mode 100644 index 00000000..6bf85253 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/952.toml 
@@ -0,0 +1,109 @@ +id = 952 +title = "qemu: uncaught target signal 5 (Trace/breakpoint trap)" +state = "closed" +created_at = "2022-03-31T09:08:00.588Z" +closed_at = "2023-03-14T14:56:06.221Z" +labels = ["linux-user", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/952" +host-os = "n/a" +host-arch = "X86_64" +qemu-version = "qemu-arm version 6.2.0" +guest-os = "n/a" +guest-arch = "n/a" +description = """I'm getting core dumped when running the attached a.out_err binary in qemu, but when using Gdb to remote-debug the program, it exited normally. will appreciate if you can help look into this qemu issue. + +And I found that QEMU's 32-bit arm linux-user mode doesn't correctly turn guest BKPT insns into SIGTRAP signal. + +0xa602 <_start> movs r0, #22 + 0xa604 <_start+2> addw r1, pc, #186 ; 0xba +0xa608 <_start+6> bkpt 0x00ab + +$readelf -h hello + +ELF Header: + Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 + Class: ELF32 + Data: 2's complement, little endian + Version: 1 (current) + OS/ABI: UNIX - System V + ABI Version: 0 + Type: EXEC (Executable file) + Machine: ARM + Version: 0x1 + Entry point address: 0xa603 + Start of program headers: 52 (bytes into file) + Start of section headers: 144128 (bytes into file) + Flags: 0x5000200, Version5 EABI, soft-float ABI + Size of this header: 52 (bytes) + Size of program headers: 32 (bytes) + Number of program headers: 5 + Size of section headers: 40 (bytes) + Number of section headers: 16 + Section header string table index: 14 + +And I have check that the bug(https://bugs.launchpad.net/qemu/+bug/1873898) is fixed. + +But it's coredump. + +I found that bkpt instruction is not recognized, the bkpt is in 0x0000a608. 
+ +host: +``` +$qemu-arm -g 12345 hello +``` +service: +``` +$gdb-multiarch hello +(gdb) target remote localhost:12345 +Remote debugging using localhost:12345 +0x0000a602 in _start () +(gdb) ni +0x0000a604 in _start () +(gdb) +0x0000a608 in _start () +(gdb) +0x0000a608 in _start () +``` +Another way to check: +``` +$gdb qemu-arm +(gdb) run hello +(gdb) bt +#0 0x00007ffff79474ba in __GI___sigsuspend (set=set@entry=0x7fffffffd9d8) at ../sysdeps/unix/sysv/linux/sigsuspend.c:26 +#1 0x000055555573bfff in dump_core_and_abort (target_sig=target_sig@entry=5) at ../linux-user/signal.c:772 +#2 0x000055555573c3c8 in handle_pending_signal (cpu_env=cpu_env@entry=0x555555da5940, sig=sig@entry=5, k=k@entry=0x555555e60e00) at ../linux-user/signal.c:1099 +#3 0x000055555573de8c in process_pending_signals (cpu_env=cpu_env@entry=0x555555da5940) at ../linux-user/signal.c:1175 +#4 0x0000555555622070 in cpu_loop (env=0x555555da5940) at ../linux-user/arm/cpu_loop.c:472 +#5 0x0000555555603cf4 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../linux-user/main.c:883 +(gdb) up +#1 0x000055555573bfff in dump_core_and_abort (target_sig=target_sig@entry=5) at ../linux-user/signal.c:772 +772 sigsuspend(&act.sa_mask); +(gdb) +#2 0x000055555573c3c8 in handle_pending_signal (cpu_env=cpu_env@entry=0x555555da5940, sig=sig@entry=5, k=k@entry=0x555555e60e00) at ../linux-user/signal.c:1099 +1099 dump_core_and_abort(sig); +(gdb) +#3 0x000055555573de8c in process_pending_signals (cpu_env=cpu_env@entry=0x555555da5940) at ../linux-user/signal.c:1175 +1175 handle_pending_signal(cpu_env, sig, &ts->sync_signal); +(gdb) +#4 0x0000555555622070 in cpu_loop (env=0x555555da5940) at ../linux-user/arm/cpu_loop.c:472 +472 process_pending_signals(env); +(gdb) l +467 default: +468 error: +469 EXCP_DUMP(env, "qemu: unhandled CPU exception 0x%x - aborting\\n", trapnr); +470 abort(); +471 } +472 process_pending_signals(env); +473 } +474 } +475 +476 void target_cpu_copy_regs(CPUArchState *env, 
struct target_pt_regs *regs) +(gdb) p cpu_exec(cs) +$2 = 7 +``` +Here process_pending_signals(env) gives SIGTRAP?? + +Here is my binary: +[hello](/uploads/7225e1f1c5a61ace40f90d5d2401a758/hello)""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_missing/accel_missing/970.toml b/gitlab/issues/target_arm/host_missing/accel_missing/970.toml new file mode 100644 index 00000000..e9eafec9 --- /dev/null +++ b/gitlab/issues/target_arm/host_missing/accel_missing/970.toml 
@@ -0,0 +1,45 @@ +id = 970 +title = "ARM SCTLR allows writes to \"write ignore\" bits" +state = "opened" +created_at = "2022-04-08T10:02:27.346Z" +closed_at = "n/a" +labels = ["target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/970" +host-os = "Windows 11" +host-arch = "x64" +qemu-version = "5.0.1" +guest-os = "arm firmware" +guest-arch = "firmware compiled for arm cortex-a5 (qemu set to cortex-a9)" +description = """The firmware I have executed in qemu sets up pagetables and then enables the MMU. +A few instructions later, a prefetch abort was occurring. After debugging it turned out the problem was because get_phys_addr_v5 was being used to walk the pagetable instead of get_phys_addr_v6. +qemu has this code: +```c +regime_sctlr(env, mmu_idx) & SCTLR_XP +// where SCTLR_XP is commented as +#define SCTLR_XP (1U << 23) /* up to v6; v7 onward RAO */ +``` +Somewhat interestingly, A5 has a lot of bits marked as `/WI`: https://developer.arm.com/documentation/ddi0433/c/system-control/register-descriptions/system-control-register + +A9 has less, but still a few which qemu is not handling: https://developer.arm.com/documentation/ddi0388/e/the-system-control-coprocessors/summary-of-system-control-coprocessor-registers/system-control-register +I've made this hacky patch to fix it for myself: +```diff +diff --git a/qemu/target/arm/helper.c b/qemu/target/arm/helper.c +index 60c9db9e..d8fd5a7d 100644 +--- a/qemu/target/arm/helper.c ++++ b/qemu/target/arm/helper.c +@@ -4306,6 +4306,11 @@ static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri, + { + ARMCPU *cpu = env_archcpu(env); + ++ // for cortex-a5 specifically ++ value |= (0b11 << 22) | (1 << 18) | (1 << 16) | (0b1111 << 3); ++ value &= ~((1 << 31) | (0b11 << 26) | (1 << 24) | (0b111 << 19) | ++ (1 << 17) | (0b11 << 14) | (0b111 << 7)); ++ + if (raw_read(env, ri) == value) { + /* Skip the TLB flush if nothing actually changed; Linux likes + * to do a lot of pointless SCTLR writes. 
+``` +I think the real fix would allow expressing the ones/zeros mask as part of `ARMCPU` per-arch.""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_ppc/accel_missing/1528.toml b/gitlab/issues/target_arm/host_ppc/accel_missing/1528.toml new file mode 100644 index 00000000..eebf3234 --- /dev/null +++ b/gitlab/issues/target_arm/host_ppc/accel_missing/1528.toml @@ -0,0 +1,17 @@ +id = 1528 +title = "ppc64le: qemu-arm: basic hello world fails with \"user-exec.c:492: page_set_flags: Assertion `start < end' failed.\"" +state = "closed" +created_at = "2023-03-02T17:35:46.611Z" +closed_at = "2023-03-29T13:01:28.900Z" +labels = ["Closed::Fixed", "host: ppc", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1528" +host-os = "Red Hat Enterprise Linux 8.7 (Ootpa)" +host-arch = "ppc64le" +qemu-version = "qemu-arm version 7.2.50 (v7.2.0-1702-g33dc95d032)" +guest-os = "n/a" +guest-arch = "n/a" +description = """Trying to utilize a RH8 enterprise POWER9 based server to build OpenBMC which utilizes qemu under the covers to validate cross compiles. After some debug, I found that a basic hello-world cross compiled application does not work on POWER9 hardware.""" +reproduce = """1. Create basic hello world .c file, cross compile it for arm (arm-linux-gnueabi-gcc hello.c -o hello) +2. Build latest qemu-arm from master +3. Run qemu-arm against hello world binary""" +additional = """""" diff --git a/gitlab/issues/target_arm/host_s390/accel_TCG/1751.toml b/gitlab/issues/target_arm/host_s390/accel_TCG/1751.toml new file mode 100644 index 00000000..93b17bf5 --- /dev/null +++ b/gitlab/issues/target_arm/host_s390/accel_TCG/1751.toml 
@@ -0,0 +1,15 @@ +id = 1751 +title = "s390 host: helper_st16_mmu: Assertion `(get_memop(oi) & MO_SIZE) == MO_128' failed" +state = "closed" +created_at = "2023-07-06T16:07:03.608Z" +closed_at = "2023-07-16T16:48:48.273Z" +labels = ["Closed::Fixed", "accel: TCG", "host: s390", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1751" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_s390/accel_TCG/187.toml b/gitlab/issues/target_arm/host_s390/accel_TCG/187.toml new file mode 100644 index 00000000..a7ba876b --- /dev/null +++ b/gitlab/issues/target_arm/host_s390/accel_TCG/187.toml @@ -0,0 +1,15 @@ +id = 187 +title = "Cannot boot arm kernel images on s390x" +state = "closed" +created_at = "2021-05-06T08:19:43.644Z" +closed_at = "2023-07-31T12:24:25.433Z" +labels = ["Launchpad", "accel: TCG", "host: s390", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/187" +host-os = "n/a" +host-arch = "n/a" +qemu-version = "n/a" +guest-os = "n/a" +guest-arch = "n/a" +description = "n/a" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_s390/accel_missing/1333.toml b/gitlab/issues/target_arm/host_s390/accel_missing/1333.toml new file mode 100644 index 00000000..a6c722a1 --- /dev/null +++ b/gitlab/issues/target_arm/host_s390/accel_missing/1333.toml 
@@ -0,0 +1,23 @@ +id = 1333 +title = "vhost-user-test qos-test fails on s390x host" +state = "closed" +created_at = "2022-11-22T18:09:34.151Z" +closed_at = "2022-12-04T23:45:56.250Z" +labels = ["host: s390", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1333" +host-os = "Ubuntu 20.04" +host-arch = "s390x" +qemu-version = "commit 16a550bdc0e49fcda0e6a6c55d648700ad33c8a4" +guest-os = "n/a" +guest-arch = "n/a" +description = """The qos-test is now definitely failing in the ubuntu-20.04-s390x-all CI job. See https://gitlab.com/qemu-project/qemu/-/jobs/3363173491 , then click on "Complete Raw" to see the full log. Quoting: + +``` +ERROR:../tests/qtest/vhost-user-test.c:248:wait_for_fds: assertion failed: (s->fds_num) +** +ERROR:../tests/qtest/qos-test.c:191:subprocess_run_one_test: child process (/arm/virt/virtio-mmio/virtio-bus/vhost-user-gpio-device/vhost-user-gpio/vhost-user-gpio-tests/read-guest-mem/memfile/subprocess [274051]) failed unexpectedly + +(test program exited with status code -6) +```""" +reproduce = "n/a" +additional = "n/a" diff --git a/gitlab/issues/target_arm/host_x86/accel_TCG/1581.toml b/gitlab/issues/target_arm/host_x86/accel_TCG/1581.toml new file mode 100644 index 00000000..05ded13b --- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_TCG/1581.toml 
@@ -0,0 +1,22 @@ +id = 1581 +title = "QEMU TCG crashes when running on windows" +state = "closed" +created_at = "2023-04-06T02:34:59.134Z" +closed_at = "2023-04-11T09:20:30.558Z" +labels = ["Closed::Fixed", "accel: TCG", "host: x86", "hostos: Windows", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1581" +host-os = "Windows 10 22H2" +host-arch = "x86" +qemu-version = "v8.0.0-rc2" +guest-os = "linux buildroot" +guest-arch = "arm64" +description = """QEMU crashes immediately after startup and shows an assertion failure: + +ERROR:C:/msys64/home/xxx/qemu/tcg/i386/tcg-target.c.inc:1085:tcg_out_addi_ptr: assertion failed: (64 == 32) + +Bail out! ERROR:C:/msys64/home/xxx/qemu/tcg/i386/tcg-target.c.inc:1085:tcg_out_addi_ptr: assertion failed: (64 == + 32)""" +reproduce = """NA""" +additional = """1. This problem only occurs when the host system is windows, and the same QEMU configuration does not have this problem when the host system is Linux. +2. This problem is related to the -smp parameter of QEMU. If the smp parameter is 1, this problem will not occur. +3. This problem does not exist in the QEMU version 7.2.""" diff --git a/gitlab/issues/target_arm/host_x86/accel_TCG/1592.toml b/gitlab/issues/target_arm/host_x86/accel_TCG/1592.toml new file mode 100644 index 00000000..ce2d0c43 --- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_TCG/1592.toml 
@@ -0,0 +1,24 @@ +id = 1592 +title = "QEMU v8.0.0 crashes when running in TCG mode on windows OS" +state = "closed" +created_at = "2023-04-12T01:40:09.942Z" +closed_at = "2023-05-17T06:20:02.268Z" +labels = ["Closed::Fixed", "accel: TCG", "host: x86", "hostos: Windows", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1592" +host-os = "Windows 10 22H2" +host-arch = "x86_64" +qemu-version = "v8.0.0" +guest-os = "linux buildroot" +guest-arch = "arm64" +description = """This bug is a follow-up to issue #1581. +After the patch 7d9e1ee424b06a43708be02474e6714962cfee92 is merged, QEMU segfaults at startup. +And the location where the segfault occurs here(from coredump): +``` +atomic_common.c.inc:60 +CMPXCHG_HELPER(cmpxchgo_le, Int128) +```""" +reproduce = """NA""" +additional = """1. This problem only occurs when the host system is windows, and the same QEMU configuration does not have this problem when the host system is Linux. +2. This problem is related to the -smp parameter of QEMU. If the smp parameter is 1, this problem will not occur. +3. This problem does not exist in the QEMU version 7.2. +4. What is even more confusing is that if you use gdb to load qemu and run it, this issue cannot be reproduced.""" diff --git a/gitlab/issues/target_arm/host_x86/accel_TCG/1642.toml b/gitlab/issues/target_arm/host_x86/accel_TCG/1642.toml new file mode 100644 index 00000000..6b6010e7 --- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_TCG/1642.toml 
@@ -0,0 +1,30 @@ +id = 1642 +title = "Qemu aarch64 tcg crashes when emulating an STXP instruction but only on a Windows host" +state = "closed" +created_at = "2023-05-10T16:55:29.637Z" +closed_at = "2023-05-17T06:20:02.276Z" +labels = ["Closed::Fixed", "accel: TCG", "host: x86", "hostos: Windows", "kind::Bug", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1642" +host-os = "Windows 10 22H2" +host-arch = "x86" +qemu-version = "8.0.0" +guest-os = "Windows Server 2022" +guest-arch = "arm64" +description = """Qemu segfaults when trying to emulate an STXP instruction, but only when running natively on a windows host (msys2 build). This is not the same as https://gitlab.com/qemu-project/qemu/-/issues/1581. + +I've managed to git-bisect it to this change: https://github.com/qemu/qemu/commit/546789c7df8866c55cae8d3195e8e58328a35d51 +Sadly i cannot investigate it further and contribute a fix, but it seems like a problem with one of the I128 arguments to `helper_atomic_cmpxchgo_le ` + +UPD: Issue is also in master (as of `caa9cbd566877b34e9abcc04d936116fc5e0ab28`)""" +reproduce = """N/A""" +additional = """``` +Thread 9 received signal SIGSEGV, Segmentation fault. +0x00007ff67efc32dc in helper_atomic_cmpxchgo_le (env=0x24796b08c10, addr=18446684150325987376, oldv=46236672343829145701101521005152, newv=2595395441251766838621186119693696, oi=3650) at ../accel/tcg/atomic_common.c.inc:60 +60 CMPXCHG_HELPER(cmpxchgo_le, Int128) +(gdb) bt +#0 0x00007ff67efc32dc in helper_atomic_cmpxchgo_le (env=0x24796b08c10, + addr=18446684150325987376, oldv=46236672343829145701101521005152, + newv=2595395441251766838621186119693696, oi=3650) at ../accel/tcg/atomic_common.c.inc:60 +#1 0x00000247a124f73d in ?? () + +```""" diff --git a/gitlab/issues/target_arm/host_x86/accel_missing/1325.toml b/gitlab/issues/target_arm/host_x86/accel_missing/1325.toml new file mode 100644 index 00000000..50d80e0a --- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_missing/1325.toml 
@@ -0,0 +1,89 @@ +id = 1325 +title = "c++: internal compiler error: Segmentation fault signal terminated program cc1plus when running in qemu-aarch64-static chroot on x86_64" +state = "opened" +created_at = "2022-11-20T02:07:43.120Z" +closed_at = "n/a" +labels = ["host: x86", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1325" +host-os = "Arch Linux" +host-arch = "x86_64" +qemu-version = "7.1.0 and 7.2.0-rc0 (reports as 7.1.90)" +guest-os = "Arch Linux ARM" +guest-arch = "aarch64" +description = """After a moment of compiling the `src/emoji/Provider.cpp` file, `cc1plus` (I assume the compiler program itself) throws a segfault when running in the emulated chroot environment. The error is shown below. +``` +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +c++: internal compiler error: Segmentation fault signal terminated program cc1plus +Please submit a full bug report, with preprocessed source (by using -freport-bug). +See <https://github.com/archlinuxarm/PKGBUILDs/issues> for instructions. +``` + +This does not happen if you enter the chroot environment on a real ARM device (like a Raspberry PI 3 or 4 or PinePhone). The ARM device does not need to have `qemu-user-static`, nor `qemu-user-static-binfmt` installed because it does not need to emulate an aarch64 CPU.""" +reproduce = """There are two ways to replicate this. Either use (1) my preconfigured ARM chroot or (2) setup the chroot environment yourself. These instructions assume you are running on Arch Linux (x86_64). +1. You can use my aarch64 chroot environment provided. (This is the easy way) + - 1) Clone the repo I provided and then change into that directory. +```bash +git clone https://github.com/i3Craig/Temp-aarch64-chroot-for-nheko-compile-issues-in-qemu.git +cd Temp-aarch64-chroot-for-nheko-compile-issues-in-qemu +``` + - 2) On your PC, install `qemu-user-static` and `qemu-user-static-binfmt` and `arch-install-scripts`. 
This will allow us to `chroot` into the Arch Linux ARM image (technically `chroot` will work since we don't need to use `pacman` for anything with this method, so you could skip `arch-install-scripts` if you prefer). `sudo pacman -S qemu-user-static qemu-user-static-binfmt arch-install-scripts`. + - 3) I put the chroot environment in a state where you can simply run the following command to build the one file that fails. Run the following command. + ```bash +sudo chroot chroot/ /usr/bin/c++ -DFMT_SHARED -DGSTREAMER_AVAILABLE -DNHEKO_DBUS_SYS -DQAPPLICATION_CLASS=QApplication -DQT_CONCURRENT_LIB -DQT_CORE_LIB -DQT_DBUS_LIB -DQT_GUI_LIB -DQT_MULTIMEDIA_LIB -DQT_NETWORK_LIB -DQT_NO_DEBUG -DQT_QMLMODELS_LIB -DQT_QML_LIB -DQT_QUICKCONTROLS2_LIB -DQT_QUICKWIDGETS_LIB -DQT_QUICK_LIB -DQT_SVG_LIB -DQT_WIDGETS_LIB -DSPDLOG_COMPILED_LIB -DSPDLOG_FMT_EXTERNAL -DSPDLOG_SHARED_LIB -DXCB_AVAILABLE -Dnheko_EXPORTS -I/home/builder/packages/nheko/src/build -I/home/builder/packages/nheko/src/nheko-0.10.2 -I/home/builder/packages/nheko/src/build/nheko_autogen/include -I/home/builder/packages/nheko/src/nheko-0.10.2/src -I/home/builder/packages/nheko/src/nheko-0.10.2/includes -I/home/builder/packages/nheko/src/nheko-0.10.2/third_party/blurhash -I/home/builder/packages/nheko/src/nheko-0.10.2/third_party/cpp-httplib-0.5.12 -I/home/builder/packages/nheko/src/nheko-0.10.2/third_party/SingleApplication-3.3.2 -isystem /usr/include/qt -isystem /usr/include/qt/QtDBus -isystem /usr/include/qt/QtCore -isystem /usr/lib/qt/mkspecs/linux-g++ -isystem /usr/include/qt/QtWidgets -isystem /usr/include/qt/QtGui -isystem /usr/include/qt/QtSvg -isystem /usr/include/qt/QtConcurrent -isystem /usr/include/qt/QtMultimedia -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtQml -isystem /usr/include/qt/QtQuickControls2 -isystem /usr/include/qt/QtQuick -isystem /usr/include/qt/QtQmlModels -isystem /usr/include/qt/QtQuickWidgets -isystem /usr/include/gstreamer-1.0 -isystem /usr/include/glib-2.0 
-isystem /usr/lib/glib-2.0/include -isystem /usr/include/sysprof-4 -isystem /usr/include/orc-0.4 -isystem /usr/include/libmount -isystem /usr/include/blkid -march=armv8-a -O2 -pipe -fstack-protector-strong -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Wextra -pedantic -fsized-deallocation -fdiagnostics-color=always -Wunreachable-code -Wno-attributes -fPIE -fPIC -DSPDLOG_SHARED_LIB -DSPDLOG_COMPILED_LIB -DSPDLOG_FMT_EXTERNAL -pthread -std=gnu++17 -Winvalid-pch -include /home/builder/packages/nheko/src/build/CMakeFiles/nheko.dir/cmake_pch.hxx -MD -MT /home/builder/packages/nheko/src/build/CMakeFiles/nheko.dir/src/emoji/Provider.cpp.o -MF /home/builder/packages/nheko/src/build/CMakeFiles/nheko.dir/src/emoji/Provider.cpp.o.d -o /home/builder/packages/nheko/src/build/CMakeFiles/nheko.dir/src/emoji/Provider.cpp.o -c /home/builder/packages/nheko/src/nheko-0.10.2/src/emoji/Provider.cpp + ``` +- 4) The above command will fail with a segfault error. If you copy your `chroot` over to a real ARM device (like an Raspberry PI 3 or 4 or PinePhone) and run the compile command from step (3), it will be successful. This suggests that everything is setup correctly, but there is a bug in QEMU that causes the c++ compiler to fail. + +2. You can download an Arch Linux ARM image from archlinuxarm.org and chroot into that. Then attempt to build the `nheko` AUR package. (This way requires extra work, but you can use this if you don't trust my chroot archive). + - 1) Download Arch Linux ARM to your X86_64 PC. The Raspberry PI 3/4 image should work. `http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-aarch64-latest.tar.gz`. Signatures are available on archlinuxarm.org. + - 2) Extract the tar archive: `mkdir chroot; sudo tar -xf ArchLinuxARM-rpi-aarch64-latest.tar.gz -C chroot` (this will extract to the `chroot` folder in your current working directory. 
+ - 3) On your PC, install `qemu-user-static` and `qemu-user-static-binfmt` and `arch-install-scripts`. This will allow us to `chroot` into the Arch Linux ARM image (using the `arch-chroot` because we will need to install packages with pacman in the chroot environment). `sudo pacman -S qemu-user-static qemu-user-static-binfmt arch-install-scripts`. + - 4) Now, we can bindmount the `chroot` directory to itself so `arch-chroot` is happy. `sudo mount --bind chroot/ chroot/` + - 5) Enter the chroot: `sudo arch-chroot chroot/` + - 6) At this point, we need to get our build environment setup. Let's start by installing `git`, `base-devel`, `screen` and `vim`. `pacman -S git base-devel screen vim`. I use screen to have one terminal for the root user to install stuff and one for the `builder` user that we will create for building packages as `makepkg` does not particularly like to run as root. + - 7) Add the builder user and create its home folder: `useradd builder; mkdir /home/builder; chown builder:builder /home/builder`. + - 8) You could maybe use an AUR helper to build the following packages, but they don't have the 'aarch64' flag, so they will throw an error when you try to compile them. Thus, I use `makepkg` manually with the `--ignorearch` flag to ignore the architecture of the chroot environment (they are fully compatible with aarch64, just not marked as such). Thus, run `su -l builder` to switch to the builder user, `mkdir packages` to create the packages folder, and then clone the following AUR packages into this folder and build them: `coeurl lmdbxx mtxclient nheko tweeny`. These are dependencies for `nheko`. The process is `git clone https://aur.archlinux.org/<PACKAGENAME>.git`, then `cd PACKAGENAME`, then `makepkg --ignorearch`, then (as the root user in the chroot environment - can use sudo if you set it up) `pacman -U PACKAGENAME.PACKAGEVERSION.pkg.tar.xz` (you can type the package name and then use tab to autocomplete the exact package name). 
They will all compile just fine and install correctly. + - 9) Now, do the same for the AUR package `nheko`. Notice that it will start to compile, but the error shown above will be printed on the screen after a while. If you copy your `chroot` over to a real ARM device (like an Raspberry PI 3 or 4 or PinePhone) and `arch-chroot` into it and attempt the compile again, it will be successful. This suggests that everything is setup correctly, but there is a bug in qemu that causes the c++ compiler to fail. This is known to break in nheko version `0.10.2-1`. You can get to this by running `git checkout d83124fbffe86d7f875bf8e56834ae98cc21160c` after you clone the `nheko` AUR build script. This is the current latest version as of writing this, but this may change in the future and the bug may no longer show up. If it doesn't, run that `git checkout` command.""" +additional = """After using the `-strace` option in `qemu-aarch64-static` (which has to be copied from the host system to the chroot for this to work: `sudo cp /usr/bin/qemu-aarch64-static chroot/usr/bin/qemu-aarch64-static`), I determined that `c++` was running `/usr/lib/gcc/aarch64-unknown-linux-gnu/12.1.0/cc1plus`, which segfaulted. Note: have to run `sudo arch-chroot chroot/ /usr/bin/qemu-aarch64-static -strace <PUT LONG C++ COMPILE COMMAND HERE>`. +After manually running the `cc1plus` command with the `-strace` option outlined above, I get the following strace, which doesn't seem particularly interesting. 
+``` +1 brk(0x000000000320a000) = 0x000000000320a000 +1 brk(0x000000000324a000) = 0x000000000324a000 +1 brk(0x00000000032ca000) = 0x00000000032ca000 +1 brk(0x00000000033ca000) = 0x00000000033ca000 +1 brk(0x00000000035ca000) = 0x00000000035ca000 +1 brk(0x00000000031ca000) = 0x00000000031ca000 +1 mmap(NULL,131072,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000005520bc3000 +1 brk(0x000000000320a000) = 0x000000000320a000 +1 brk(0x000000000324a000) = 0x000000000324a000 +1 brk(0x00000000032ca000) = 0x00000000032ca000 +1 brk(0x00000000033ca000) = 0x00000000033ca000 +1 brk(0x00000000035ca000) = 0x00000000035ca000 +1 mmap(NULL,4198400,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000005520be3000 +1 brk(0x00000000031ca000) = 0x00000000031ca000 +1 munmap(0x0000005520be3000,4198400) = 0 +1 brk(0x000000000320a000) = 0x000000000320a000 +1 brk(0x000000000324a000) = 0x000000000324a000 +1 brk(0x00000000032ca000) = 0x00000000032ca000 +1 brk(0x00000000033ca000) = 0x00000000033ca000 +1 brk(0x00000000035ca000) = 0x00000000035ca000 +1 brk(0x00000000039ca000) = 0x00000000039ca000 +1 brk(0x00000000031ca000) = 0x00000000031ca000 +1 mmap(NULL,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000005520fe4000 +1 mmap(NULL,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x00000055211e4000 +1 mmap(NULL,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x00000055213e4000 +1 mmap(NULL,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x00000055215e4000 +1 brk(0x00000000031eb000) = 0x00000000031eb000 +1 mmap(NULL,131072,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x00000055217e4000 +1 brk(0x0000000003214000) = 0x0000000003214000 +1 brk(0x0000000003274000) = 0x0000000003274000 +1 brk(0x0000000003295000) = 0x0000000003295000 +1 brk(0x0000000003318000) = 0x0000000003318000 +1 brk(0x0000000003339000) = 0x0000000003339000 +1 brk(0x000000000335a000) = 0x000000000335a000 +--- SIGSEGV {si_signo=SIGSEGV, 
si_code=2, si_addr=0x0000005500000ff0} --- +--- SIGSEGV {si_signo=SIGSEGV, si_code=2, si_addr=0x0000005500000ff0} --- +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +``` + + +I haven't encountered this bug when compiling any other programs, which is good. However, it mea""" diff --git a/gitlab/issues/target_arm/host_x86/accel_missing/1858.toml b/gitlab/issues/target_arm/host_x86/accel_missing/1858.toml new file mode 100644 index 00000000..95aeff4c --- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_missing/1858.toml 
@@ -0,0 +1,20 @@ +id = 1858 +title = "Block device read operation misses one byte(8 bit) per chip per SPI transaction" +state = "opened" +created_at = "2023-09-02T00:49:40.216Z" +closed_at = "n/a" +labels = ["host: x86", "hostos: Linux", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1858" +host-os = "RHEL7" +host-arch = "x86" +qemu-version = "5.0.50" +guest-os = "Windriver vxWorks" +guest-arch = "ARM" +description = """Block device Micron m25qu02gcbb (hw/block/m25p80.c) is emulated by the two -drive files. For block device read operation, device driver from Windriver vxWorks issues SPI commands. For read SPI command( 0x6b ) from device driver, there is a data length to be read is specified. For each SPI command call, m25p80_transfer8(SSISlave *ss, uint32_t tx) from hw/block/m25p80.c is called and read byte is returned to guest OS. It is observed that for more than one sequential SPI read commmands, first byte from the next read block is not returned back to guest OS. Traces within m25p80.c shows that all the data bytes are read however, first byte from the next read block is missing at guest OS. + +drive file content: 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 +SPI read command is set to read 4 bytes in one transaction, two transactions are needed from guest OS to read the entire data. +trace_m25p80_read_byte() shows that all bytes are read at m25p80_transfer8() call. +At guest OS following is received: 0x0 0x1 0x2 0x3 0x5 0x6 0x7 0x8 (Missing first byte of the second transaction, 0x4)""" +reproduce = "n/a" +additional = """Windriver is a proprietary OS so I can't attach the .bin files. However, any other guest OS should be able to demostrate this behavior. guest OS device driver is reading without errors on an actual Micron QSPI device.""" diff --git a/gitlab/issues/target_arm/host_x86/accel_missing/1890.toml b/gitlab/issues/target_arm/host_x86/accel_missing/1890.toml new file mode 100644 index 00000000..f1914ca4 
--- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_missing/1890.toml @@ -0,0 +1,33 @@ +id = 1890 +title = "qemu-arm 8.1.0 Error mapping file: Operation not permitted" +state = "opened" +created_at = "2023-09-14T12:47:15.480Z" +closed_at = "n/a" +labels = ["host: x86", "linux-user", "target: arm"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/1890" +host-os = "ubuntu 22.04" +host-arch = "x86" +qemu-version = "version 8.1.0 (v8.1.0)" +guest-os = "bare matel" +guest-arch = "arm" +description = """failed to execute the cortex-m binary hello_world, and says: +qemu-arm: /home/user/work/tests/c/hello_world: Error mapping file: Operation not permitted""" +reproduce = """1. +``` +cat > hello_new.c <<EOF +#include <stdio.h> +int main() +{printf("hello world"); return 0;} +EOF +``` +2. +``` +arm-none-eabi-gcc -mcpu=cortex-m55 -g hello_world.c -o hello_world -specs=rdimon.specs +``` +3. +``` +qemu-arm -cpu cortex-m55 hello_world +qemu-arm: /home/user/work/tests/c/hello_world: Error mapping file: Operation not permitted +```""" +additional = """1, version 8.0.4 version is okay\\ +2, arm-none-eabi-gcc version is 10.3.1 20210824 (release)""" diff --git a/gitlab/issues/target_arm/host_x86/accel_missing/2146.toml b/gitlab/issues/target_arm/host_x86/accel_missing/2146.toml new file mode 100644 index 00000000..b133c708 --- /dev/null +++ b/gitlab/issues/target_arm/host_x86/accel_missing/2146.toml 
@@ -0,0 +1,122 @@ +id = 2146 +title = "qemu-system-aarch64 Segfaults" +state = "opened" +created_at = "2024-02-01T19:52:50.052Z" +closed_at = "n/a" +labels = ["host: x86", "target: arm", "workflow::Needs Info"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2146" +host-os = "Linux Mint 21.3 Cinnamon" +host-arch = "x86_64" +qemu-version = "8.2.50 (v8.2.0-924-gbd2e12310b), 8.2.1, 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.16)" +guest-os = "Debian GNU/Linux 12" +guest-arch = "aarch64" +description = """Never finishes the script below always segfaults after a few hours +in seemingly random functions.""" +reproduce = """This is what i did with qemu version 8.2.1 +inside test directory: +1. wget https://download.qemu.org/qemu-8.2.1.tar.xz +2. tar xvJf qemu-8.2.1.tar.xz +3. cd qemu-8.2.1 +4. ./configure --target-list="aarch64-linux-user, aarch64-softmmu" --enable-slirp (crashes with and without --enable-debug) +5. make -j$(nproc) +6. ln -sf "$PWD/build/qemu-system-aarch64" "../qemu-system-aarch64" +7. cd .. + +Now the VM +1. wget -O installer-linux https://deb.debian.org/debian/dists/bookworm/main/installer-arm64/current/images/netboot/debian-installer/arm64/linux +2. wget -O installer-initrd.gz https://deb.debian.org/debian/dists/bookworm/main/installer-arm64/current/images/netboot/debian-installer/arm64/initrd.gz +3. qemu-img create -f qcow2 hda.qcow2 15G +4. ./qemu-system-aarch64 -M virt -m 6G -cpu cortex-a72 \\ + -kernel installer-linux \\ + -initrd installer-initrd.gz \\ + -drive if=none,file=hda.qcow2,format=qcow2,id=hd \\ + -device virtio-blk-pci,drive=hd \\ + -netdev user,id=mynet \\ + -device virtio-net-pci,netdev=mynet \\ + -nographic -no-reboot \\ + -accel tcg,thread=multi \\ + -smp 8 +5. Install minimal debian inside the VM +6. sudo virt-copy-out -a hda.qcow2 /boot/vmlinuz-6.1.0-17-arm64 /boot/initrd.img-6.1.0-17-arm64 . +7. 
./qemu-system-aarch64 -M virt -m 6G -cpu cortex-a72 \\ + -kernel vmlinuz-6.1.0-17-arm64 \\ + -initrd initrd.img-6.1.0-17-arm64 \\ + -append 'root=/dev/vda2' \\ + -drive if=none,file=hda.qcow2,format=qcow2,id=hd \\ + -device virtio-blk-pci,drive=hd \\ + -netdev user,id=mynet,hostfwd=tcp::10022-:22 \\ + -device virtio-net-pci,netdev=mynet \\ + -nographic \\ + -accel tcg,thread=multi \\ + -smp 8 +8. Now run this script inside some directory inside the VM(you might need to install gcc first) + +#!/bin/bash + +wget --no-clobber https://sourceware.org/pub/binutils/releases/binutils-2.41.tar.xz +wget --no-clobber https://ftp.gnu.org/gnu/mpfr/mpfr-4.2.0.tar.xz +wget --no-clobber https://ftp.gnu.org/gnu/gmp/gmp-6.3.0.tar.xz +wget --no-clobber https://ftp.gnu.org/gnu/mpc/mpc-1.3.1.tar.gz +wget --no-clobber https://ftp.gnu.org/gnu/gcc/gcc-13.2.0/gcc-13.2.0.tar.xz + +BUG_TARGET="$(uname -m)-bug-linux-gnu" + +tar -xf binutils-2.41.tar.xz +cd binutils-2.41 +mkdir -vp build +cd build +../configure --prefix=$PWD \\ + --with-sysroot=$PWD \\ + --target=$BUG_TARGET \\ + --disable-nls \\ + --enable-gprofng=no \\ + --disable-werror \\ + --disable-gdb +make --jobs $(nproc) +cd ../.. +rm -rf binutils + +tar -xf gcc-13.2.0.tar.xz +cd gcc-13.2.0 +tar -xf ../mpfr-4.2.0.tar.xz +tar -xf ../gmp-6.3.0.tar.xz +tar -xf ../mpc-1.3.1.tar.gz +mv mpfr-4.2.0 mpfr +mv gmp-6.3.0 gmp +mv mpc-1.3.1 mpc +mkdir -vp build +cd build +../configure --prefix=$PWD \\ + --with-sysroot=$PWD \\ + --target=$BUG_TARGET \\ + --with-glibc-version=2.38 \\ + --with-newlib \\ + --without-headers \\ + --enable-default-pie \\ + --enable-default-ssp \\ + --disable-nls \\ + --disable-shared \\ + --disable-multilib \\ + --disable-threads \\ + --disable-libatomic \\ + --disable-libgomp \\ + --disable-libquadmath \\ + --disable-libssp \\ + --disable-libvtv \\ + --disable-libstdcxx \\ + --enable-languages=c,c++ +make --jobs $(nproc) +cd ../.. 
+rm -rf gcc""" +additional = """I tried all the versions listed above, 6.2 usually segfaults in binutils while the other two run further. + +Example: +``` +Program terminated with signal SIGSEGV, Segmentation fault. +#0 0x000055555615dd37 in tlb_index (cpu=<Cannot access memory at address 0x7fffefffe1c8>, + mmu_idx=<Cannot access memory at address 0x7fffefffe1c0>, + addr=<Cannot access memory at address 0x7fffefffe1b8>) + at qemu-8.2.1/include/exec/cpu_ldst.h:367 +367\t uintptr_t size_mask = cpu->neg.tlb.f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS; +[Current thread is 1 (LWP 857562)] +```""" |
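Review bot: In 970.toml the value `guest-arch = "firmware compiled for arm cortex-a5 (qemu set to cortex-a9)"` is free text rather than an architecture identifier, so it will not group with the `"arm"` / `"aarch64"` values the other files in this commit use; suggest `guest-arch = "arm"` and moving the Cortex-A5 versus `-cpu cortex-a9` detail into `description` (or a dedicated cpu-model field), since that mismatch is the actual cause the reporter identifies. The `diff` block embedded in the `description` string is valid TOML as written (no backslashes to escape), but the reporter's own summary of the proper fix, "express the ones/zeros mask as part of `ARMCPU` per-arch", sits at the end of the description where a `workflow::` label or the `additional` field would make it easier to find.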
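Review bot: 1751.toml records `host-arch = "n/a"` even though the title ("s390 host: helper_st16_mmu: ...") and the `host: s390` label both give the host architecture, and the file is placed under `host_s390/`; the same holds for 187.toml ("Cannot boot arm kernel images on s390x"). When the GitLab issue template fields are empty, deriving `host-arch` from the `host:` label (and `accel` from the `accel:` label, which is present here as `accel: TCG`) would keep the fields consistent with the directory layout instead of leaving a sentinel that contradicts the path.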
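Review bot: `additional = """"""` in 1528.toml is an empty string where the other files use the sentinel `"n/a"` for a missing value, and the same commit also stores `reproduce = """NA"""` in 1592.toml and `reproduce = """N/A"""` in 1642.toml, so a consumer has to recognise four spellings of "absent"; pick one sentinel (or omit the key and treat a missing key as absent) and normalise on import. Separately, `guest-arch = "n/a"` here even though the title names `qemu-arm` and the labels include `linux-user`, which together identify the 32-bit arm linux-user target, so `"arm"` is derivable for this record.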
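Review bot: `host-arch = "x86"` in 1581.toml leaves the host word size unstated even though word size is the whole point of the failure (`tcg_out_addi_ptr: assertion failed: (64 == 32)` in `tcg/i386/tcg-target.c.inc`); the follow-up 1592.toml from the same reporter, same `host-os = "Windows 10 22H2"` and same buildroot guest records `host-arch = "x86_64"`, so this file should say the same. If `"x86"` is meant to be a family value, the directory name `host_x86/` should not be the only place where 32-bit and 64-bit hosts are distinguished.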
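Review bot: `host-arch = "x86"` in 1642.toml contradicts the backtrace stored in `additional`, which shows 64-bit code and data addresses (`0x00007ff67efc32dc in helper_atomic_cmpxchgo_le (env=0x24796b08c10, ...`) and Int128 `oldv`/`newv` arguments, i.e. a 64-bit msys2 build; record `"x86_64"`. The description also names the bisected commit `546789c7df8866c55cae8d3195e8e58328a35d51` and the master commit `caa9cbd566877b34e9abcc04d936116fc5e0ab28`, which are the most useful values in this record and would be worth lifting into a structured field rather than leaving only in prose.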
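Review bot: The `additional` string in 1325.toml is cut off mid-word ("I haven't encountered this bug when compiling any other programs, which is good. However, it mea"), so the import truncated the issue body; check the exporter's length limit or the way the GitLab description was fetched and re-import this record rather than shipping a silently truncated field. Also `qemu-version = "7.1.0 and 7.2.0-rc0 (reports as 7.1.90)"` packs two versions and a remark into a single-valued string; a TOML array such as `["7.1.0", "7.2.0-rc0"]` would keep the field filterable, with the "reports as 7.1.90" note moved to `additional`.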
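Review bot: `guest-arch = "ARM"` in 1858.toml uses a different casing from the `"arm"` used by the other files under `target_arm/`, so any case-sensitive grouping will split them; normalise the value to lower case on import. `host-arch = "x86"` has the same word-size ambiguity as the other `host_x86/` files, and `guest-os = "Windriver vxWorks"` plus `qemu-version = "5.0.50"` (a development snapshot, not a release) are the details that make this record hard to reproduce, which matches the `workflow::Needs Info` label; consider recording that the reporter could not attach the `.bin` files as a structured "reproducible" flag rather than only in free text.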
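Review bot: The `reproduce` steps in 1890.toml do not chain: step 1 writes `hello_new.c` (`cat > hello_new.c <<EOF`) but step 2 compiles `hello_world.c` (`arm-none-eabi-gcc -mcpu=cortex-m55 -g hello_world.c -o hello_world -specs=rdimon.specs`), so anyone replaying the record from this file will hit a missing-file error before reaching the `Error mapping file: Operation not permitted` failure; if the records are meant to be replayable, note the filename mismatch or correct it at import. `guest-os = "bare matel"` is a typo for "bare metal" carried over from the report and will not match other bare-metal records unless normalised. The `\\` at the end of the first `additional` line decodes to a single literal backslash under TOML basic-string escaping, which is the reporter's markdown line break and is harmless, but it is worth knowing it is not a continuation.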
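Review bot: `qemu-version = "8.2.50 (v8.2.0-924-gbd2e12310b), 8.2.1, 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.16)"` in 2146.toml stuffs three versions into one string, while the `additional` field says the behaviour differs between them ("6.2 usually segfaults in binutils while the other two run further"), so a per-version array would let the dataset distinguish the three observations. The `\\` line continuations inside the `reproduce` multi-line basic string are correct TOML (each decodes to one backslash, reproducing the shell continuation), and the gdb frame in `additional` is tied to 8.2.1 by its path (`qemu-8.2.1/include/exec/cpu_ldst.h:367`), so that frame should be associated with that version only if the field is split.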