Diffstat (limited to 'gitlab/issues/target_i386/host_missing/accel_TCG')
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1023.toml68
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1059.toml18
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1143.toml90
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/125.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1269.toml34
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/130.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/132.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1324.toml52
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1350.toml97
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1370.toml21
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1371.toml27
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1372.toml28
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1373.toml28
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1374.toml30
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1375.toml27
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1376.toml23
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1377.toml22
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1471.toml26
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1478.toml74
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1506.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1517.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1637.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/164.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1661.toml19
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1803.toml22
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1808.toml79
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1826.toml37
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1832.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1834.toml192
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/184.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1864.toml31
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/1964.toml17
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2022.toml19
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2040.toml34
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2092.toml78
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2096.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/215.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2170.toml52
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2175.toml46
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml44
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2195.toml49
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2198.toml33
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2206.toml18
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2207.toml19
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2220.toml536
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2302.toml33
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2380.toml113
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2474.toml104
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2489.toml100
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/249.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2495.toml80
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2511.toml40
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2567.toml86
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2578.toml22
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2581.toml20
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2599.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2605.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/265.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/279.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2821.toml31
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/286.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2878.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/2891.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/314.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/318.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/330.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/380.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/382.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/394.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/404.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/420.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/427.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/505.toml22
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/509.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/601.toml28
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/619.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/661.toml52
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/67.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/676.toml64
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/683.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/766.toml35
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/824.toml24
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/83.toml15
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/844.toml56
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/870.toml20
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/888.toml17
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/973.toml27
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/984.toml31
-rw-r--r--gitlab/issues/target_i386/host_missing/accel_TCG/993.toml93
89 files changed, 3583 insertions, 0 deletions
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1023.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1023.toml
new file mode 100644
index 00000000..702ba1d8
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1023.toml
@@ -0,0 +1,68 @@
+id = 1023
+title = "TCG & LA57 (5-level page tables) causes intermittent triple fault when setting %CR3"
+state = "closed"
+created_at = "2022-05-12T09:21:30.952Z"
+closed_at = "2022-08-28T19:55:19.068Z"
+labels = ["Closed::Invalid", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1023"
+host-os = "Just SeaBIOS and the Linux kernel"
+host-arch = "x86_64"
+qemu-version = "qemu from git, also 6.2.0 and 7.0.0"
+guest-os = "Just SeaBIOS and the Linux kernel"
+guest-arch = "x86_64"
+description = """Enabling LA57 (5-level page tables) + TCG causes an intermittent triple fault when the kernel loads %cr3 in preparation for jumping to protected mode.  It is quite rare, only happening on perhaps 1 in 20 runs.
+
+The observed behaviour for most users is that we see SeaBIOS messages, and no kernel messages, and qemu exits.  (Triple fault in TCG code causes qemu to reset the virtual CPU, and we are using `-no-reboot` so that causes qemu to exit).
+
+There's a simple reproducer below.  I enabled qemu -d options to capture the full instruction traces which can be found here:
+
+http://oirase.annexia.org/tmp/fullexec-failed (error case)
+http://oirase.annexia.org/tmp/fullexec-good (successful run)
+
+I also added an `abort()` into qemu after the triple fault message in order to capture a stack trace, which can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=2082806#c8"""
+reproduce = """1. Save the following script into a file, adjusting the two variables at the top as appropriate:
+
+```
+#!/bin/bash -
+
+# Point this to any kernel in /boot:
+kernel=/boot/vmlinuz-4.18.0-387.el8.x86_64
+
+# Point this to qemu:
+qemu=/usr/libexec/qemu-kvm
+#qemu=/home/rjones/d/qemu/build/qemu-system-x86_64
+
+log=/tmp/log
+
+cpu=max
+#cpu=max,la57=off
+
+while $qemu \\
+    -global virtio-blk-pci.scsi=off \\
+    -no-user-config \\
+    -nodefaults \\
+    -display none \\
+    -machine accel=tcg,graphics=off \\
+    -cpu "$cpu" \\
+    -m 2048 \\
+    -no-reboot \\
+    -rtc driftfix=slew \\
+    -no-hpet \\
+    -global kvm-pit.lost_tick_policy=discard \\
+    -kernel $kernel \\
+    -object rng-random,filename=/dev/urandom,id=rng0 \\
+    -device virtio-rng-pci,rng=rng0 \\
+    -device virtio-serial-pci \\
+    -serial stdio \\
+    -append "panic=1 console=ttyS0" >& $log &&
+    grep -sq "Linux version" $log; do
+    echo -n .
+done
+```
+
+2. Run the script.  It will run qemu many times, checking that it reaches the kernel.
+3. Eventually the script may exit. 
+4. Check `/tmp/log` and see if you only see SeaBIOS messages.
+5. Modify the script to add `-cpu max,la57=off` and the error will stop happening."""
+additional = """Downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2082806
+LA57 was enabled here: https://gitlab.com/qemu-project/qemu/-/issues/661"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1059.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1059.toml
new file mode 100644
index 00000000..3e11e6e2
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1059.toml
@@ -0,0 +1,18 @@
+id = 1059
+title = "qemu: uncaught target signal 6 (Aborted) - core dumped Issue"
+state = "closed"
+created_at = "2022-06-03T07:26:50.621Z"
+closed_at = "2023-01-31T09:08:17.550Z"
+labels = ["Closed::Duplicate", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1059"
+host-os = "MacBook Pro (13-inch, M1, 2020)"
+host-arch = "ARM"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """When we are trying to use the docker images which is using Qemu internally in mac Os then we are getting the qemu: uncaught target signal 6 (Aborted) - core dumped Issue"""
+reproduce = """1. https://botfront.io/docs/installation/local-machine install in local machine
+2. run bot front run
+3. Go to the docker dashboard and open the botfront-rasa. 
+4. ![Screenshot_2022-06-03_at_12.34.54_PM](/uploads/db4f0ba030cac850e1ae90189d1f8a55/Screenshot_2022-06-03_at_12.34.54_PM.png)"""
+additional = """Looking forward to get some updates regarding how we can solve this or any hack we can apply here. Thanks in advance."""
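Review bot: The image reference on line 194, `![Screenshot_…](/uploads/db4f0ba0…/Screenshot_….png)`, is a project-relative GitLab path that only resolves under the repository named in `url`; archived verbatim in this TOML record it is a dead link, and it is the only evidence the report carries (the `description` just restates the abort message). If the scraper can, it should absolutize such `/uploads/…` paths against the project prefix of `url` (presumably `https://gitlab.com/qemu-project/qemu/uploads/…`), or else record that attachments are not captured, e.g. a comment `# attachments referenced by relative /uploads/ paths are not archived` at the top of the file. Either way a consumer should not treat relative links inside `description`/`reproduce` as resolvable.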
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1143.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1143.toml
new file mode 100644
index 00000000..6d3bf3a1
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1143.toml
@@ -0,0 +1,90 @@
+id = 1143
+title = "Breakpoints missed when a function is split into two memory pages."
+state = "closed"
+created_at = "2022-08-04T12:12:30.418Z"
+closed_at = "2022-08-22T09:17:09.374Z"
+labels = ["accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1143"
+host-os = "Ubuntu 20.04"
+host-arch = "x86_64"
+qemu-version = "QEMU emulator version 7.0.50 (v7.0.0-1139-g78ac2eebba)"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """Qemu seems to ignore some breakpoints when the start of a function is 
+in another page than where the breakpoint is set. 
+
+In my case, I've a function `__gnat_debug_raise_exception` which starts at `0x10bff2` and I've set with gdb a breakpoint at `0x10c00e` (in another page). 
+While running with `qemu -d in_asm,exec`, I can see that the whole function is executed at once and that no breakpoint is fired.
+
+```
+(gdb) b *0x00108fbc
+(gdb) b *0x0010c00e
+(gdb) target remote :1234 
+(gdb) c
+
+Trace 0: 0x7f277c0174c0 [0000000000000000/0000000000108fb9/0040c0b0/ff000201] ada__exceptions__complete_occurrence
+----------------
+
+// gdb hits first breakpoint here. 
+Breakpoint 3, 0x0000000000108fbc ....
+(gdb) ni
+
+IN: ada__exceptions__complete_occurrence
+0x00108fbc:  e8 31 30 00 00           callq    0x10bff2
+
+Trace 0: 0x7f277c000100 [0000000000000000/0000000000108fbc/0040c0b0/ff000e01] ada__exceptions__complete_occurrence
+----------------
+IN: __gnat_debug_raise_exception
+0x0010bff2:  55                       pushq    %rbp
+0x0010bff3:  48 89 e5                 movq     %rsp, %rbp
+0x0010bff6:  48 89 7d f8              movq     %rdi, -8(%rbp)
+0x0010bffa:  48 89 d1                 movq     %rdx, %rcx
+0x0010bffd:  48 89 f0                 movq     %rsi, %rax
+0x0010c000:  48 89 fa                 movq     %rdi, %rdx
+0x0010c003:  48 89 ca                 movq     %rcx, %rdx
+0x0010c006:  48 89 45 e0              movq     %rax, -0x20(%rbp)
+0x0010c00a:  48 89 55 e8              movq     %rdx, -0x18(%rbp)
+0x0010c00e:  48 8b 45 e0              movq     -0x20(%rbp), %rax
+0x0010c012:  90                       nop      
+0x0010c013:  5d                       popq     %rbp
+0x0010c014:  c3                       retq     
+
+Trace 0: 0x7f277c000100 [0000000000000000/000000000010bff2/0040c0b0/ff000000] __gnat_debug_raise_exception
+Digging a bit more, it seems that it seems related to 
+
+// gdb ni stop here. Breakpoints at 0x10c00e have been ignored. 
+```
+
+Note that if I'm setting another breakpoint at `0x0010bffd` (thus not at the start of the function but still in the same page), the execution 
+will be executed step by step and the breakpoint at 0x10c00e will be triggered normally. 
+
+
+```
+IN: ada__exceptions__complete_occurrence
+0x00108fbc:  e8 31 30 00 00           callq    0x10bff2
+
+Trace 0: 0x7f6af4000100 [0000000000000000/0000000000108fbc/0040c0b0/ff000e01] ada__exceptions__complete_occurrence
+----------------
+IN: __gnat_debug_raise_exception
+0x0010bff2:  55                       pushq    %rbp
+
+Trace 0: 0x7f6af4000100 [0000000000000000/000000000010bff2/0040c0b0/ff000201] __gnat_debug_raise_exception
+----------------
+IN: __gnat_debug_raise_exception
+0x0010bff3:  48 89 e5                 movq     %rsp, %rbp
+
+Trace 0: 0x7f6af4000280 [0000000000000000/000000000010bff3/0040c0b0/ff000201] __gnat_debug_raise_exception
+----------------
+IN: __gnat_debug_raise_exception
+0x0010bff6:  48 89 7d f8              movq     %rdi, -8(%rbp)
+...
+```
+
+I've dug a bit into qemu translator code and I guess `check_for_breakpoint` should check that the whole function is in the same page before skipping step by step. But I'm not sure if it's possible because the TB is created after `check_for_breakpoint` IIUC. 
+
+Sadly as of now, I don't have a C reproducer. I can try to provide you my "foo" program which is an Ada program. But maybe if you've a better idea how to reproduce that or an idea of to fix that, I'll be glad to help you.  
+
+Thanks, 
+Clément"""
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/125.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/125.toml
new file mode 100644
index 00000000..391831ce
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/125.toml
@@ -0,0 +1,15 @@
+id = 125
+title = "x86: ret, lret and iret with noncanonical IP saves wrong IP on the exception stack"
+state = "opened"
+created_at = "2021-05-04T08:04:56.533Z"
+closed_at = "n/a"
+labels = ["Launchpad", "accel: TCG", "kind::Bug", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/125"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
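Review bot: `closed_at = "n/a"` on line 302 stores a non-timestamp sentinel in a field that is otherwise an ISO-8601 string (compare `created_at` on the preceding line), so every consumer that parses it as a date must special-case the literal first; for an issue whose `state` is `"opened"` it would be cleaner to omit the key, or emit `closed_at = ""`, than to overload a free-text placeholder. The same `"n/a"` sentinel is reused for `host-os`, `qemu-version`, `description` and the other template fields, where it cannot be distinguished from a reporter who literally typed n/a into the issue template, so a downstream check for "missing data" becomes unreliable. If the schema is meant to be machine-consumed, a short header comment such as `# "n/a" marks a field absent from the issue, not a reporter-supplied value` would at least document the convention.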
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1269.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1269.toml
new file mode 100644
index 00000000..3895b3c0
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1269.toml
@@ -0,0 +1,34 @@
+id = 1269
+title = "qemu-system-i386 no longer boots NetBSD"
+state = "closed"
+created_at = "2022-10-22T09:29:05.347Z"
+closed_at = "2022-11-03T08:52:11.748Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1269"
+host-os = "Debian GNU/Linux 11"
+host-arch = "x86_64"
+qemu-version = "QEMU emulator version 7.1.50 (v7.1.0-1123-g0529245488)"
+guest-os = "n/a"
+guest-arch = "i386"
+description = """Since qemu commit e3a79e0e87831602e41819591a8e6dcc70a2a231, NetBSD
+no longer boots under qemu-system-i386."""
+reproduce = """1. `wget http://ftp.netbsd.org/pub/NetBSD/NetBSD-9.2/i386/installation/cdrom/boot-com.iso`
+2. `qemu-system-i386 -nographic -cdrom boot-com.iso`
+
+Expected behavior: the system boots and prompts you for a terminal type with
+
+    Terminal type (just hit ENTER for 'vt220'):
+
+Observed incorrect behavior: the guest kernel either hangs during boot at
+
+    Loading /stand/i386/9.2/modules/cd9660/cd9660.kmod  
+    WARNING: 1 module failed to load
+
+or panics during boot with
+
+    kernel: supervisor trap page fault, code=0
+    Stopped in pid 0.1 (system) at  netbsd:idt_vec_reserve+0xa:     cmpb    $0,netbs
+    d:idt_allocmap(%ebx)
+    db{0}>"""
+additional = """This regression is a critical issue to the NetBSD project as its automated
+testing infrastructure is heavily dependent on qemu-system-i386."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/130.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/130.toml
new file mode 100644
index 00000000..07f1c43f
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/130.toml
@@ -0,0 +1,15 @@
+id = 130
+title = "QEmu translation is incorrect when using REX in combination with LAHF/SAHF"
+state = "closed"
+created_at = "2021-05-04T15:46:05.212Z"
+closed_at = "2022-11-15T23:54:16.303Z"
+labels = ["Closed::Fixed", "Launchpad", "Tests", "accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/130"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/132.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/132.toml
new file mode 100644
index 00000000..adcfbcc7
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/132.toml
@@ -0,0 +1,15 @@
+id = 132
+title = "AVX instruction VMOVDQU implementation error for YMM registers"
+state = "closed"
+created_at = "2021-05-04T19:28:59.844Z"
+closed_at = "2022-10-19T04:39:36.895Z"
+labels = ["Launchpad", "Tests", "accel: TCG", "kind::Bug", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/132"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1324.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1324.toml
new file mode 100644
index 00000000..36a2b89a
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1324.toml
@@ -0,0 +1,52 @@
+id = 1324
+title = "Unhandled exception when booting UEFI x86_64 system image"
+state = "closed"
+created_at = "2022-11-18T22:32:52.509Z"
+closed_at = "2022-12-04T23:45:56.277Z"
+labels = ["Closed::Fixed", "Regression", "accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1324"
+host-os = "Ubuntu 20.04.4"
+host-arch = "x86_64"
+qemu-version = "7.2.0-rc1 (reports as \"QEMU emulator version 7.1.91\")"
+guest-os = "Ubuntu 20.04"
+guest-arch = "x86_64"
+description = """I have a bootable Ubuntu 20.04-based operating system image that I typically flash to the internal storage of an embedded Intel Atom computer. When I try booting it under QEMU, I reach the GRUB boot menu, but when it attempts to start the kernel, it outputs:
+
+```
+ERROR:../target/i386/tcg/sysemu/excp_helper.c:517:raise_stage2: code should not be reached
+Bail out! ERROR:../target/i386/tcg/sysemu/excp_helper.c:517:raise_stage2: code should not be reached
+Aborted (core dumped)
+``` 
+
+The kernel settings configured in GRUB are:
+
+```
+linux         /boot/vmlinuz-5.4.0-132-generic root=UUID=816fe083-fc26-4a0d-ae4a-68d1b16dfb66 ro console=uart,mmio32,0xd091c000 console=ttyS4,115200n8 console=tty0                                                         ?
+initrd        /boot/initrd.img-5.4.0-132-generic 
+```
+
+If I run an older QEMU 4.2.1 that ships with Ubuntu:
+
+```
+!!!! X64 Exception Type - 0D(#GP - General Protection)  CPU Apic ID - 00000000 !!!!
+ExceptionData - 0000000000000000
+RIP  - 0000000007F2CD0E, CS  - 0000000000000038, RFLAGS - 0000000000200206
+RAX  - AFAFAFAFAFAFAFAF, RCX - 000000000657F408, RDX - AFAFAFAFAFAFAFAF
+RBX  - 0000000000000288, RSP - 0000000007F1BC48, RBP - 0000000007F336A0
+RSI  - 0000000007F336F8, RDI - 0000000000001000
+R8   - 000000000657F408, R9  - 0000000000000320, R10 - 0000000000000000
+R11  - 0000000000000000, R12 - 0000000000000004, R13 - 000000000657F400
+R14  - 0000000000000000, R15 - 0000000000000000
+DS   - 0000000000000030, ES  - 0000000000000030, FS  - 0000000000000030
+GS   - 0000000000000030, SS  - 0000000000000030
+CR0  - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000
+CR4  - 0000000000000668, CR8 - 0000000000000000
+DR0  - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
+DR3  - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
+GDTR - 0000000007BEEA98 0000000000000047, LDTR - 0000000000000000
+IDTR - 00000000072D1018 0000000000000FFF,   TR - 0000000000000000
+FXSAVE_STATE - 0000000007F1B8A0
+!!!! Find image based on IP(0x7F2CD0E) /build/edk2-xUnmxG/edk2-0~20191122.bd85bf54/Build/OvmfX64/RELEASE_GCC5/X64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll (ImageBase=0000000007F1D000, EntryPoint=0000000007F2FAAE) !!!!
+```"""
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1350.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1350.toml
new file mode 100644
index 00000000..7b0f352c
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1350.toml
@@ -0,0 +1,97 @@
+id = 1350
+title = "Regression in 7.2.0rc3: No snow by efi firmware in advent calendar 2020, door 15 anymore"
+state = "closed"
+created_at = "2022-11-30T12:50:47.024Z"
+closed_at = "2022-12-04T23:45:56.256Z"
+labels = ["accel: TCG", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1350"
+host-os = "Debian Bullseye"
+host-arch = "x86"
+qemu-version = "QEMU emulator version 7.1.50 (v7.1.0-1022-g92ec056a6b) (after applying git bisect)"
+guest-os = "n/a"
+guest-arch = "x86"
+description = """Advent calendar 2020, door 15 is expected to produce snow on the terminal while executing the provided efi firmware:
+
+> snow in micropython on slimbootloader by eldon
+> -------------------------------------------
+> 
+> Today's advent is a custom efi firmware build of a new bootloader from intel called
+> slimbootloader[1], a recent project by intel which has adapted micropython[2] as a 
+> utility for configuration and board testing. This build, however, will show snowfall on
+> the console for a while. Eventually an exception drops the firmware into the micropython
+> repl.
+> 
+> [1] https://slimbootloader.github.io/supported-hardware/qemu.html
+> [2] http://docs.micropython.org/en/latest/index.html
+
+
+Snow does not fall anymore as it did with 7.1.0, it seems like execution is stopped/not started"""
+reproduce = """- Build & Install from git source
+    ```
+    /home/helge/qemu-project/qemu/configure --prefix=/home/helge/qemu-project/install \\
+      --target-list=x86_64-softmmu --disable-linux-user
+    make -j2
+    make install
+    ```
+ - Execute 
+   ```
+   PATH="/home/helge/qemu-project/install/bin" qemu-system-x86_64 \\
+      -m 256M -machine q35 -serial mon:stdio -vga none \\
+      -drive if=pflash,format=raw,file=snow.bin -boot a
+   ```"""
+additional = """Performing git bisect starting with tag v7.1.0 as good and tag v7.2.0-rc3 as bad reveals 92ec056a6b2fc5d5a5593121c5d9475d2a2461d6 as culprit:
+   ```
+$ git bisect start c4ffd91aba1c3d878e99a3e7ba8aad4826728ece 621da7789083b80d6f1ff1c0fb499334007b4f51
+binäre Suche: danach noch 965 Commits zum Testen übrig (ungefähr 10 Schritte)
+[2ba341b3694cf3cff7b8a1df4cc765900d5c4f60] Merge tag 'kraxel-20221013-pull-request' of https://gitlab.com/kraxel/qemu into staging
+$ git bisect good
+binäre Suche: danach noch 482 Commits zum Testen übrig (ungefähr 9 Schritte)
+[05c049f12b88370de7289bf39b14088c7d656caa] hw/isa/piix3: Remove extra ';' outside of functions
+$ git bisect bad
+binäre Suche: danach noch 228 Commits zum Testen übrig (ungefähr 8 Schritte)
+[08a5d04606292b3cf6f5756bf2a095654a290626] Merge tag 'pull-tcg-20221026' of https://gitlab.com/rth7680/qemu into staging
+$ git bisect bad
+binäre Suche: danach noch 126 Commits zum Testen übrig (ungefähr 7 Schritte)
+[168122419ed1c4087748e21131a523c6d9b632e1] target/arm: Change gen_goto_tb to work on displacements
+$ git bisect bad
+binäre Suche: danach noch 69 Commits zum Testen übrig (ungefähr 6 Schritte)
+[2c65091fd9d387b8dca8115dbdd9c3c61f658a9e] Merge tag 'pull-ppc-20221017' of https://gitlab.com/danielhb/qemu into staging
+$ git bisect good
+binäre Suche: danach noch 34 Commits zum Testen übrig (ungefähr 5 Schritte)
+[92ec056a6b2fc5d5a5593121c5d9475d2a2461d6] target/i386: reimplement 0x0f 0x60-0x6f, add AVX
+$ git bisect bad
+binäre Suche: danach noch 17 Commits zum Testen übrig (ungefähr 4 Schritte)
+[8629e77be5f8106b3497cc197fbd57a12ae6333f] target/i386: Use probe_access_full for final stage2 translation
+$ git bisect good
+binäre Suche: danach noch 8 Commits zum Testen übrig (ungefähr 3 Schritte)
+[20581aadec5e5a9d6836e4612b6f44a7cbda7d16] target/i386: validate VEX prefixes via the instructions' exception classes
+$ git bisect good
+binäre Suche: danach noch 4 Commits zum Testen übrig (ungefähr 2 Schritte)
+[f05f9789f57d5394fc118fe31aa2a9f563311140] target/i386: extend helpers to support VEX.V 3- and 4- operand encodings
+$ git bisect good
+binäre Suche: danach noch 2 Commits zum Testen übrig (ungefähr 1 Schritt)
+[620f75566a5d81d7b82b3788b83d0b95c7d21dcd] target/i386: provide 3-operand versions of unary scalar helpers
+$ git bisect good
+binäre Suche: danach noch 0 Commits zum Testen übrig (ungefähr 1 Schritt)
+[b98f886c8f8661773047197d132efec97810b37a] target/i386: Introduce 256-bit vector helpers
+$ git bisect good
+92ec056a6b2fc5d5a5593121c5d9475d2a2461d6 is the first bad commit
+commit 92ec056a6b2fc5d5a5593121c5d9475d2a2461d6
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date:   Tue Sep 20 05:42:45 2022 -0400
+
+    target/i386: reimplement 0x0f 0x60-0x6f, add AVX
+    
+    These are both MMX and SSE/AVX instructions, except for vmovdqu.  In both
+    cases the inputs and output is in s->ptr{0,1,2}, so the only difference
+    between MMX, SSE, and AVX is which helper to call.
+    
+    Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ target/i386/tcg/decode-new.c.inc |  42 ++++++++
+ target/i386/tcg/emit.c.inc       | 202 +++++++++++++++++++++++++++++++++++++++
+ target/i386/tcg/translate.c      |  19 +++-
+ 3 files changed, 262 insertions(+), 1 deletion(-)
+
+   ```"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1370.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1370.toml
new file mode 100644
index 00000000..59a7d890
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1370.toml
@@ -0,0 +1,21 @@
+id = 1370
+title = "x86 BLSI and BLSR semantic bug"
+state = "closed"
+created_at = "2022-12-16T06:35:03.247Z"
+closed_at = "2023-02-16T13:09:22.665Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1370"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """The result of instruction BLSI and BLSR is different from the CPU. The value of CF is different."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("blsi rax, rbx");
+}
+```
+2. Execute and compare the result with the CPU. The value of `CF` is exactly the opposite. This problem happens with BLSR, too."""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1371.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1371.toml
new file mode 100644
index 00000000..2bc9f2fc
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1371.toml
@@ -0,0 +1,27 @@
+id = 1371
+title = "x86 BLSMSK semantic bug"
+state = "closed"
+created_at = "2022-12-16T06:43:29.794Z"
+closed_at = "2023-03-01T01:08:38.844Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1371"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """The result of instruction BLSMSK is different with from the CPU. The value of CF is different."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("mov rax, 0x65b2e276ad27c67");
+    asm("mov rbx, 0x62f34955226b2b5d");
+    asm("blsmsk eax, ebx");
+}
+```
+2. Execute and compare the result with the CPU.
+    - CPU
+        - CF = 0
+    - QEMU
+        - CF = 1"""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1372.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1372.toml
new file mode 100644
index 00000000..ee7411c9
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1372.toml
@@ -0,0 +1,28 @@
+id = 1372
+title = "x86 BEXTR semantic bug"
+state = "closed"
+created_at = "2022-12-16T06:51:11.166Z"
+closed_at = "2023-02-16T13:09:22.647Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1372"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """The result of instruction BEXTR is different with from the CPU. The value of destination register is different. I think QEMU does not consider the operand size limit."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("mov rax, 0x17b3693f77fb6e9");
+    asm("mov rbx, 0x8f635a775ad3b9b4");
+    asm("mov rcx, 0xb717b75da9983018");
+    asm("bextr eax, ebx, ecx");
+}
+```
+2. Execute and compare the result with the CPU.
+    - CPU
+        - RAX = 0x5a
+    - QEMU
+        - RAX = 0x635a775a"""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1373.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1373.toml
new file mode 100644
index 00000000..491e6142
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1373.toml
@@ -0,0 +1,28 @@
+id = 1373
+title = "x86 ADOX and ADCX semantic bug"
+state = "closed"
+created_at = "2022-12-16T06:58:59.266Z"
+closed_at = "2023-02-24T15:06:58.959Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1373"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """The result of instruction ADOX and ADCX are different from the CPU. The value of one of EFLAGS is different."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("push 512; popfq;");
+    asm("mov rax, 0xffffffff84fdbf24");
+    asm("mov rbx, 0xb197d26043bec15d");
+    asm("adox eax, ebx");
+}
+```
+2. Execute and compare the result with the CPU. This problem happens with ADCX, too (with CF).
+    - CPU
+        - OF = 0
+    - QEMU
+        - OF = 1"""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
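Review bot: the purpose of `push 512; popfq;` is undocumented — 512 is 0x200 (IF only), so its effect is to start with OF=CF=0, and the expected OF is only meaningful given that initial state; a short comment in `reproduce` such as `# 0x200 = IF only: clears OF and CF before the test` would save the reader the decoding. The values fit an operand-width error: 0x84fdbf24 + 0x43bec15d = 0xc8bc8081 fits in 32 bits (OF=0 on hardware), whereas summing the full 64-bit RAX/RBX values carries out of bit 63, which would explain QEMU's OF=1 — presumably, since the record does not say. Because ADCX/ADOX exist for multi-precision arithmetic in crypto libraries, a wrong carry/overflow flag is a silent-corruption class bug rather than a cosmetic mismatch; `additional` could say so, and point at issue 1471 in this same change as the user-visible form of that class.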
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1374.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1374.toml
new file mode 100644
index 00000000..e3ff9a19
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1374.toml
@@ -0,0 +1,30 @@
+id = 1374
+title = "x86 BZHI semantic bug"
+state = "closed"
+created_at = "2022-12-16T07:33:54.303Z"
+closed_at = "2023-02-28T15:08:49.405Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1374"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """The result of instruction BZHI is different from the CPU. The value of destination register and SF of EFLAGS are different."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("mov rax, 0xb1aa9da2fe33fe3");
+    asm("mov rbx, 0x80000000ffffffff");
+    asm("mov rcx, 0xf3fce8829b99a5c6");
+    asm("bzhi rax, rbx, rcx");
+}
+```
+2. Execute and compare the result with the CPU.
+    - CPU
+        - RAX = 0x0x80000000ffffffff
+        - SF = 1
+    - QEMU
+        - RAX = 0xffffffff
+        - SF = 0"""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
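Review bot: `RAX = 0x0x80000000ffffffff` carries a doubled `0x` prefix; if expected values in this corpus are meant to be parsed, either normalise it to `0x80000000ffffffff` or mark it `(sic)`, since it is plainly the RBX value copied through. The record also leaves CF unmentioned: the index is CL=0xc6, which exceeds the 64-bit operand size, the case where BZHI returns the source unchanged and sets CF, so recording CF on both sides would show whether QEMU gets the saturation right even where the destination differs. QEMU's 0xffffffff is the low 32 bits of the source, which looks like a 32-bit clamp applied to a 64-bit operation, but that is inferred from the values, not stated in the report.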
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1375.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1375.toml
new file mode 100644
index 00000000..d6d751c4
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1375.toml
@@ -0,0 +1,27 @@
+id = 1375
+title = "x86 SSE/SSE2/SSE3 instruction semantic bugs with NaN"
+state = "opened"
+created_at = "2022-12-16T07:49:50.158Z"
+closed_at = "n/a"
+labels = ["Softfloat", "accel: TCG", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1375"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """The result of SSE/SSE2/SSE3 instructions with NaN is different from the CPU. From Intel manual Volume 1 Appendix D.4.2.2, they defined the behavior of such instructions with NaN. But I think QEMU did not implement this semantic exactly because the byte result is different."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("mov rax, 0x000000007fffffff; push rax; mov rax, 0x00000000ffffffff; push rax; movdqu XMM1, [rsp];");
+    asm("mov rax, 0x2e711de7aa46af1a; push rax; mov rax, 0x7fffffff7fffffff; push rax; movdqu XMM2, [rsp];");
+    asm("addsubps xmm1, xmm2");
+}
+```
+2. Execute and compare the result with the CPU. This problem happens with other SSE/SSE2/SSE3 instructions specified in the manual, Volume 1 Appendix D.4.2.2.
+    - CPU
+        - xmm1[3] = 0xffffffff
+    - QEMU
+        - xmm1[3] = 0x7fffffff"""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
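Review bot: the lane index in `xmm1[3]` is ambiguous and, read against the pushes, counts from the top: after the two pushes `[rsp]` holds 0x00000000ffffffff in the low qword, so element 0 of xmm1 is 0xffffffff and element 0 of xmm2 is 0x7fffffff — the only NaN-vs-NaN lane, and the one whose values match the report; state the convention (`xmm1[3]` = lowest dword) or renumber to `xmm1[0]`. With that reading the expected result follows the manual's rule that when both operands are NaN the first source (the destination) is returned, while QEMU returns the second. That matters beyond fingerprinting: runtimes that store payloads in NaN bits (NaN-boxing) would observe different payloads under emulation, so the still-open state and `Softfloat` label deserve a sentence on that consequence.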
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1376.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1376.toml
new file mode 100644
index 00000000..1ce657b2
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1376.toml
@@ -0,0 +1,23 @@
+id = 1376
+title = "x86 LSL and LAR fault"
+state = "opened"
+created_at = "2022-12-16T07:56:37.974Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1376"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """From the description of LSL and LAR instructions in manual, `If the segment descriptor cannot be accessed or is an invalid type for the instruction, the ZF flag is cleared and no value is loaded in the destination operand.`. When it happens at the CPU, it seems they do nothing (nop). However, in QEMU, it crashes."""
+reproduce = """1. Compile this code
+```
+void main() {
+    asm("mov rax, 0xa02e698e741f5a6a");
+    asm("mov rbx, 0x20959ddd7a0aef");
+    asm("lsl ax, bx");
+}
+```
+2. Execute. QEMU crashes but CPU does not. This problem happens with LAR, too."""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
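Review bot: the record does not say which QEMU mode crashes — `guest-os = "None"` suggests user-mode `qemu-x86_64`, where LSL/LAR must look up a selector the program never installed (BX = 0x0aef here) in an emulated descriptor table, whereas in system mode the same instruction walks a real guest GDT/LDT; put the binary name in `reproduce`. `When it happens at the CPU, it seems they do nothing (nop)` is also imprecise: by the manual text quoted just above, the CPU clears ZF and leaves the destination alone, so the hardware expectation to assert is `ZF = 0, AX unchanged`. If the crash is an abort of the emulator process rather than a guest fault, any unprivileged guest program can terminate the emulation — a host-side denial of service the `opened` record should carry as its severity.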
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1377.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1377.toml
new file mode 100644
index 00000000..c72ad849
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1377.toml
@@ -0,0 +1,22 @@
+id = 1377
+title = "x86 CVT* series instructions fault"
+state = "closed"
+created_at = "2022-12-16T08:22:41.339Z"
+closed_at = "2023-10-02T09:21:23.485Z"
+labels = ["accel: TCG", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1377"
+host-os = "Windows 10 20H2"
+host-arch = "x86"
+qemu-version = "7.1.90 (v7.2.0-rc0)"
+guest-os = "None"
+guest-arch = "x86"
+description = """For example, CVTSD2SS instruction converts SRC[63:0] double precision floating point to DEST[31:0] single precision floating point. Although the CVTSD2SS instruction uses only 8 bytes, if it overlaps page boundary, I think QEMU tries to access over the valid memory and crashes."""
+reproduce = """1. Compile this code
+```
+void main() {
+    mmap(0x555555559000, 0x1000, flag, ~~, 0);
+    asm("cvtsd2ss xmm1, qword ptr [0x555555559ff8]");
+}
+```
+2. Execute. QEMU crashes but CPU does not."""
+additional = """This bug is discovered by research conducted by KAIST SoftSec."""
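Review bot: the reproducer is not runnable as written — `mmap(0x555555559000, 0x1000, flag, ~~, 0)` leaves protection and flags as placeholders, and the crash can only occur if the page after 0x555555559000 is unmapped, which the snippet neither ensures nor states. Record the real call, e.g. `mmap((void*)0x555555559000, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0)`, plus a check that `0x55555555a000` is unmapped, otherwise the 8-byte operand at `0x555555559ff8` does not straddle into a hole. The symptom — an 8-byte scalar source fetched as a full 16-byte vector — is an over-read past the operand: in user-mode emulation a host SIGSEGV, in system mode a spurious guest #PF on a page the guest never touched; the record should say which mode and which of the two was observed.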
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1471.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1471.toml
new file mode 100644
index 00000000..b4c24b9e
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1471.toml
@@ -0,0 +1,26 @@
+id = 1471
+title = "16fc5726a6 breaks curl SSL connections"
+state = "closed"
+created_at = "2023-01-30T17:59:16.447Z"
+closed_at = "2023-02-16T13:09:22.619Z"
+labels = ["accel: TCG", "linux-user", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1471"
+host-os = "Linux/Debian"
+host-arch = "ARM"
+qemu-version = "16fc5726a6"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """`./qemu-x86_64 /path/to/curl-amd64 https://news.bbc.co.uk` should work, just as `./qemu-aarch64 /path/to/curl-aarch64 https://news.bbc.co.uk` does. However, commit 16fc5726a6e296b3f63acec537c299c1dc49d6c4 broke this (determined via `git bisect`)."""
+reproduce = """1. Checkout and build `qemu` commit 16fc5726a6e296b3f63acec537c299c1dc49d6c4
+2. On an aarch64 host system, download the amd64 build of `curl` from https://github.com/moparisthebest/static-curl/releases/tag/v7.87.0
+3. Run `./qemu-x86_64 /path/to/curl-amd64 https://news.bbc.co.uk`
+4. Observe the following error message:
+
+```
+curl: (35) error:1416D07B:SSL routines:tls_process_key_exchange:bad signature
+```
+
+Note that the `aarch64` equivalent works just fine. As does the previous commit using `amd64`. 
+
+Also note, this bug is also present at current tip (13356edb87506c148b163b8c7eb0695647d00c2a)."""
+additional = """n/a"""
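Review bot: the record bisects to 16fc5726a6 but never names the instruction, and its only artefact is an unverified static curl binary from a third-party GitHub release; for reproducibility add the binary's SHA-256 and the OpenSSL version it embeds, since whether the signature check reaches BMI/ADX assembly depends on that build. The failure here is fail-closed (`bad signature` aborts the handshake), but the same class of arithmetic bug can equally make a verification pass, so crypto results from TCG-emulated binaries should not be treated as authoritative until the emulator is at a fixed release. The close time 2023-02-16T13:09:22 matches issue 1372's in this same change to the second, which suggests the BEXTR operand-size fix resolved this report too; that belongs in `additional` rather than `n/a`.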
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1478.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1478.toml
new file mode 100644
index 00000000..4219b3b8
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1478.toml
@@ -0,0 +1,74 @@
+id = 1478
+title = "Qemu 7.2.0 i386: core2: init crash (glibc)"
+state = "closed"
+created_at = "2023-02-08T13:28:08.056Z"
+closed_at = "2023-02-11T08:18:32.410Z"
+labels = ["accel: TCG", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1478"
+host-os = "Fedora, Debian 11"
+host-arch = "x86_64"
+qemu-version = "7.2.0"
+guest-os = "Buildroot"
+guest-arch = "i386 with core2 optimisation"
+description = """The toolchain-builder project (a side project of Buildroot to build pre-built toolchains) reported an issue with Qemu 7.2.0 for  x86-core2--glibc--bleeding-edge toolchain, see:
+
+https://gitlab.com/buildroot.org/toolchains-builder/-/jobs/3731683337
+
+Reverting back to Qemu 7.1.0, the system boot correctly with the same system image.
+I reproduced the issue with the current Qemu master (6b433719eabf0abc74cff0cfd5687f0137c4198a)
+
+Here is the boot log obtained with Qemu 7.2.0:
+   ```
+Run /sbin/init as init process
+random: fast init done
+EXT4-fs (vda): warning: mounting unchecked fs, running e2fsck is recommended
+EXT4-fs (vda): re-mounted. Opts: (null). Quota mode: disabled.
+Starting syslogd: OK
+traps: syslogd[52] general protection fault ip:b7e21465 sp:bfe59e6c error:0 in libc.so.6[b7d9b000+123000]
+Starting klogd: OK
+traps: klogd[56] general protection fault ip:b7e94465 sp:bf8f069c error:0 in libc.so.6[b7e0e000+123000]
+Running sysctl: traps: logger[62] general protection fault ip:b7e48b6c sp:bfd7d194 error:0 in libc.so.6[b7e05000+123000]
+Segmentation fault
+traps: logger[64] general protection fault ip:b7dd3b6c sp:bf9b8604 error:0 in libc.so.6[b7d90000+123000]
+Segmentation fault
+
+traps: init[100] general protection fault ip:b7dda465 sp:bfd5f42c error:0 in libc.so.6[b7d54000+123000]
+Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+CPU: 0 PID: 1 Comm: init Not tainted 5.15.18 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ dump_stack_lvl+0x32/0x41
+ dump_stack+0xd/0x10
+ panic+0x90/0x206
+ do_exit.cold+0xa9/0xa9
+ do_group_exit+0x2a/0x90
+ get_signal+0x115/0x7e0
+ arch_do_signal_or_restart+0x90/0x5a0
+ ? put_pid+0xc/0x20
+ ? kernel_clone+0x10b/0x3d0
+ exit_to_user_mode_prepare+0xf8/0x1c0
+ syscall_exit_to_user_mode+0x1b/0x40
+ do_int80_syscall_32+0x41/0x90
+ entry_INT80_32+0xf0/0xf0
+EIP: 0xb7de5d88
+Code: 37 01 00 00 65 ff 15 10 00 00 00 89 d0 5a 5b 5e 5f 5d c3 66 90 66 90 66 90 66 90 66 90 66 90 66 90 90 59 b8 be 00 00 00 cd 80 <51> 3d 01 f0 ff ff 0f 83 06 e9 f6 ff c3 e8 81 a0 06 00 05 9a a0 0e
+EAX: 00000064 EBX: 0059aa1c ECX: 00561f5b EDX: 00000008
+ESI: 0059cc20 EDI: bfd5fa64 EBP: 0059b138 ESP: bfd5fa20
+DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
+Kernel Offset: disabled
+---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
+   ```
+I did a git bisect on qemu sources up to this commit:
+
+https://gitlab.com/qemu-project/qemu/-/commit/958e1dd1300f37f18b2161dfb4eb806fc8c19b44"""
+reproduce = """Build the Buildroot qemu_x86_defconfig with BR2_x86_core2 target architecture variant added manually
+1. git clone https://gitlab.com/buildroot.org/buildroot.git
+2. git switch --detach c419ef62d84b5be65599452ab84f7ed719bbe470
+3. make qemu_x86_defconfig
+4. make menuconfig (enable BR2_x86_core2)
+5. make
+6. ./output/images/start-qemu.sh"""
+additional = """System built with gcc options:
+   ```
+i686-buildroot-linux-gnu-gcc.br_real' '--sysroot' 'output/host/i686-buildroot-linux-gnu/sysroot' '-fstack-protector-strong' '-fPIE' '-pie' '-Wl,-z,now' '-Wl,-z,relro'
+   ```"""
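Review bot: the boot log holds a stronger clue than the record draws out — the `general protection fault` lines at `ip:b7e21465`, `ip:b7e94465` and `ip:b7dda465` all sit at offset 0x86465 from their respective `libc.so.6` base, and the two logger faults at 0x43b6c, so the fault is deterministic at two fixed libc instructions; stating `faults at libc.so.6+0x86465 and +0x43b6c` in `additional` lets a reader disassemble the Buildroot libc at those offsets and build a minimal reproducer instead of the full image. An `error:0` #GP raised purely in userspace points to an instruction-level rejection, which is consistent with the bisected commit 958e1dd1300f, though the record does not say what that commit changed. The code fence inside `description` is indented by three spaces, which breaks Markdown rendering of the log in some viewers.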
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1506.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1506.toml
new file mode 100644
index 00000000..09797b45
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1506.toml
@@ -0,0 +1,15 @@
+id = 1506
+title = "QEMU not support 32-bit stack in unreal/flat/big 32-bit mode"
+state = "opened"
+created_at = "2023-02-24T22:09:37.399Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1506"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1517.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1517.toml
new file mode 100644
index 00000000..5d68ce2c
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1517.toml
@@ -0,0 +1,15 @@
+id = 1517
+title = "TCG doesn't support requested feature: CPUID.80000001H:EDX.syscall [bit 11]/TCG doesn't support requested feature: CPUID.80000001H:EDX.lm [bit 29]"
+state = "closed"
+created_at = "2023-02-27T14:18:55.206Z"
+closed_at = "2023-06-29T14:18:43.494Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1517"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1637.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1637.toml
new file mode 100644
index 00000000..34f5e2da
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1637.toml
@@ -0,0 +1,15 @@
+id = 1637
+title = "Crash when executing `ucomiss` instructions emulating an x86-64 CPU on an AArch64 host"
+state = "closed"
+created_at = "2023-05-05T10:18:51.989Z"
+closed_at = "2023-05-18T16:27:54.150Z"
+labels = ["TestCase", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1637"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
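Review bot: every body field of this record is the `"n/a"` placeholder although the title describes a crash and the `TestCase` label says a reproducer exists, which is exactly the case where this corpus most needs the content; capture the issue body, or at least `description = "body not captured; see url"` so consumers can distinguish a scrape failure from an issue that had no body. `host-arch = "n/a"` contradicts the title, which itself states an AArch64 host — fill it in. The same placeholder problem applies to the other all-`n/a` records in this change, and a crash of the emulator triggered by guest code is a host-process denial of service, so it merits more than a stub.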
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/164.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/164.toml
new file mode 100644
index 00000000..dcafcb08
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/164.toml
@@ -0,0 +1,15 @@
+id = 164
+title = "qemu x86 TCG doesn't support AVX insns"
+state = "closed"
+created_at = "2021-05-05T11:17:30.912Z"
+closed_at = "2022-10-19T04:39:09.068Z"
+labels = ["Launchpad", "accel: TCG", "kind::Feature Request", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/164"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1661.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1661.toml
new file mode 100644
index 00000000..4853c949
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1661.toml
@@ -0,0 +1,19 @@
+id = 1661
+title = "x86 cpu support request: LX Geode"
+state = "opened"
+created_at = "2023-05-18T13:10:22.857Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1661"
+host-os = "Debian GNU/Linux 12 (bookworm)"
+host-arch = "x86"
+qemu-version = "`"
+guest-os = "Debian deriviatives (various)"
+guest-arch = "x86"
+description = """The Geode LX family of CPUs were used in early generations of the One Laptop Per Child (OLPC) systems (XO 1.0).
+
+They are _basically_ i686-compatible but they lack the 'long-nop' (0x0f 0x1f) instruction available on many other i686-class devices.
+
+Since i686 is a reasonably common baseline for toolchains and the software that is distributed using those toolchains, it would be convenient to be able to use QEMU to test boundary compatibility cases for this CPU."""
+reproduce = """N/A - feature does not currently exist"""
+additional = """I'm not adding additional context here at the moment, but please let me know what else would be helpful to know (and/or if I'm off-track with this feature request for any reason).  Thank you!"""
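Review bot: `qemu-version = "`"` is a stray backtick, not a version — it looks like the scrape of an empty Markdown code span — and should be the `"n/a"` sentinel used by the other records. The substantive point, that Geode LX lacks the long NOP `0f 1f`, is a real compatibility hazard because compilers presumably emit that form as alignment padding for i686 targets, so the request amounts to a CPU model that raises #UD on it; since `reproduce` is N/A, a sentence saying so would make the record actionable. `guest-os = "Debian deriviatives"` carries an upstream typo (derivatives).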
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1803.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1803.toml
new file mode 100644
index 00000000..b53b731c
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1803.toml
@@ -0,0 +1,22 @@
+id = 1803
+title = "8.x x86_64 system emulation/tcg regression (general protection fault)"
+state = "closed"
+created_at = "2023-08-02T06:23:23.995Z"
+closed_at = "2024-01-20T17:48:37.390Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386", "workflow::Confirmed"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1803"
+host-os = "Chimera Linux (also verified on Alpine Linux, Arch Linux)"
+host-arch = "x86_64 (likely any, as TCG is affected)"
+qemu-version = "8.0.3 (also tested 8.0.2)"
+guest-os = "Chimera Linux GNOME x86_64 20230611"
+guest-arch = "x86_64"
+description = """Running the ISO available at https://repo.chimera-linux.org/live/20230611/chimera-linux-x86_64-LIVE-20230611-gnome.iso with the above qemu command line, the graphical environment fails to come up. The system boots, and login prompt shows up; then graphical environment startup is attempted, with Wayland (you can tell as the login prompt cursor no longer blinks, being "frozen" for possibly up to a few minutes due to emulation cost). Then the graphical startup crashes (you can tell because the cursor starts blinking again) and an X11-based startup is attempted (you can tell by the X11 cross cursor) which however never fully comes up either."""
+reproduce = """1. Download the ISO and run with the command line above.
+2. See the issue."""
+additional = """It is possible to then switch to tty2 (View->compatmonitor0, `sendkey ctrl-alt-f2`), log in as `root:chimera` or `anon:chimera` as the console prompt instructs, and type in `dmesg` (as `root`) or `doas dmesg` (as `anon`) and see that the `dmesg` contains a number of general protection faults, like this:
+
+![Screenshot_from_2023-08-02_02-08-41](/uploads/b0e613c5191e41fce3958b74dd5dd4b7/Screenshot_from_2023-08-02_02-08-41.png)
+
+The system used to work, but I am not sure which is the last version of QEMU where this worked, I believe 7.x. In 8.0.3 (likewise running in a Chimera environment, but it was also tested on Alpine, and I had somebody on Arch Linux test it with 8.0.2 just to rule out possible issues caused by a musl-based host environment) it crashes. It only appears to affect the `x86_64` guest architecture, as the other-architecture ISOs have graphical environment come up fine after some minutes (e.g. `ppc64le` with `qemu-system-ppc64 -M pseries-2.11,cap-htm=off -m 2048 -boot d -cdrom chimera-linux-ppc64le-LIVE-20230611-gnome.iso` works just fine). It also appears to only affect TCG emulation, as KVM likewise works fine (same command line, just `-enable-kvm` added).
+
+Apologies for a large testcase, but it seems to need specific graphical-adjacent services to reproduce. It should be consistently reproducible though."""
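Review bot: both `description` (`with the above qemu command line`) and `reproduce` (`run with the command line above`) depend on a command line that is captured nowhere in the record, so the steps cannot be followed; the lost template field should be added to `additional`, even if only as `qemu-system-x86_64 <arguments not captured>`. The screenshot is a relative `/uploads/...` path that resolves only on gitlab.com, so the actual `dmesg` evidence is absent from the corpus too — transcribing one general-protection-fault line would make the record self-contained. The report already isolates the bug to TCG x86_64 (KVM and other guest architectures are fine), which is worth a sentence in `description` rather than being left in `additional`.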
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1808.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1808.toml
new file mode 100644
index 00000000..0363e868
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1808.toml
@@ -0,0 +1,79 @@
+id = 1808
+title = "qemu-system-i386: Crash in tcg_handle_interrupt on fpu_raise_exception call"
+state = "closed"
+created_at = "2023-08-04T01:01:55.540Z"
+closed_at = "2023-09-13T14:20:04.736Z"
+labels = ["Stable::to backport", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1808"
+host-os = "Arch Linux"
+host-arch = "x86_64"
+qemu-version = "8.0.92"
+guest-os = "MCC Interim Linux 0.97-p2-12"
+guest-arch = "x86"
+description = """While I was messing with an old Linux system, QEMU crashed as I tried to run `make test` on a package:
+```
+ERROR:../accel/tcg/tcg-accel-ops.c:83:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
+Bail out! ERROR:../accel/tcg/tcg-accel-ops.c:83:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
+```
+Running QEMU straight from the master branch (c167c80) didn't help either. The backtrace is as follows:
+```
+(gdb) bt
+#0  0x00007ffff55ac26c in  () at /usr/lib/libc.so.6
+#1  0x00007ffff555ca08 in raise () at /usr/lib/libc.so.6
+#2  0x00007ffff5545538 in abort () at /usr/lib/libc.so.6
+#3  0x00007ffff6bae05e in g_assertion_message
+    (domain=domain@entry=0x0, file=file@entry=0x555555f90a98 "../accel/tcg/tcg-accel-ops.c", line=line@entry=83, func=func@entry=0x55555607a130 <__func__.3> "tcg_handle_interrupt", message=message@entry=0x7fff9c15ee10 "assertion failed: (qemu_mutex_iothread_locked())") at ../glib/glib/gtestutils.c:3450
+#4  0x00007ffff6c0ef40 in g_assertion_message_expr
+    (domain=domain@entry=0x0, file=file@entry=0x555555f90a98 "../accel/tcg/tcg-accel-ops.c", line=line@entry=83, func=func@entry=0x55555607a130 <__func__.3> "tcg_handle_interrupt", expr=expr@entry=0x555555f79cf8 "qemu_mutex_iothread_locked()") at ../glib/glib/gtestutils.c:3476
+#5  0x0000555555c97369 in tcg_handle_interrupt (cpu=0x555557434cb0, mask=2) at ../accel/tcg/tcg-accel-ops.c:83
+#6  tcg_handle_interrupt (cpu=0x555557434cb0, mask=2) at ../accel/tcg/tcg-accel-ops.c:81
+#7  0x0000555555b4d58b in pic_irq_request (opaque=<optimized out>, irq=<optimized out>, level=1) at ../hw/i386/x86.c:555
+#8  0x0000555555b4f218 in gsi_handler (opaque=0x5555579423d0, n=13, level=1) at ../hw/i386/x86.c:611
+#9  0x00007fffa42bde14 in code_gen_buffer ()
+#10 0x0000555555c724bb in cpu_tb_exec (cpu=cpu@entry=0x555557434cb0, itb=<optimized out>, tb_exit=tb_exit@entry=0x7fffe9bfd658) at ../accel/tcg/cpu-exec.c:457
+#11 0x0000555555c7298e in cpu_loop_exec_tb (tb_exit=0x7fffe9bfd658, last_tb=<synthetic pointer>, pc=3221283547, tb=<optimized out>, cpu=<optimized out>) at ../accel/tcg/cpu-exec.c:919
+#12 cpu_exec_loop (cpu=cpu@entry=0x555557434cb0, sc=sc@entry=0x7fffe9bfd6f0) at ../accel/tcg/cpu-exec.c:1040
+#13 0x0000555555c731dd in cpu_exec_setjmp (cpu=cpu@entry=0x555557434cb0, sc=sc@entry=0x7fffe9bfd6f0) at ../accel/tcg/cpu-exec.c:1057
+#14 0x0000555555c73810 in cpu_exec (cpu=cpu@entry=0x555557434cb0) at ../accel/tcg/cpu-exec.c:1083
+#15 0x0000555555c974ff in tcg_cpus_exec (cpu=cpu@entry=0x555557434cb0) at ../accel/tcg/tcg-accel-ops.c:75
+#16 0x0000555555c97657 in mttcg_cpu_thread_fn (arg=arg@entry=0x555557434cb0) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
+#17 0x0000555555e283e8 in qemu_thread_start (args=0x5555574935f0) at ../util/qemu-thread-posix.c:541
+#18 0x00007ffff55aa44b in  () at /usr/lib/libc.so.6
+#19 0x00007ffff562de40 in  () at /usr/lib/libc.so.6
+```
+
+After further testing, it seems related to inftest.awk. However, the crash doesn't occur right after I run the file, but only when I do specific operations afterwards.
+
+With `-accel kvm`
+```
+> gawk -f test/inftest.awk
+(output trimmed)
+1e+305 1e+302
+1e+308 1e+305
+gawk: test/inftest.awk:3: fatal: floating point exception
+> echo Test # No crash
+Test
+> cat test/inftest.awk # No crash
+```
+
+With `-accel tcg`
+```
+> gawk -f test/inftest.awk
+(output trimmed)
+1e+308 1e+305
+Infinity 1e+308
+Infinity Infinity
+loop terminated
+> echo Test # No crash
+Test
+> cat test/inftest.awk # QEMU crash
+```"""
+reproduce = """1. Start the VM
+2. Press any key except for enter to go through the SVGA prompt
+3. Enter `root` to login. No password is required
+4. Run `cd /usr/src2/gawk-2.14`
+5. Run `gawk -f test/inftest.awk`
+6. Run certain commands that interact with the kernel (ex. `ls`, `cat test/inftest.awk`, `whoami`)
+7. Observe the crash"""
+additional = """[00000-bootFloppy.raw](/uploads/379f6b601132980af4ea721fe77dbae4/00000-bootFloppy.raw)
+[artifact.qcow2](/uploads/d721a35bc55e764e17087e8bc1a7531e/artifact.qcow2)"""
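Review bot: the backtrace pins the crash to an interrupt raised from inside generated code — `gsi_handler(..., n=13, ...)` reached from `code_gen_buffer` without the iothread lock — and n=13 is consistent with the legacy FPU-error (FERR#/IRQ 13) path that the title's `fpu_raise_exception` also suggests; the record should state that the trigger is an unprivileged guest program (`gawk` running a loop to Infinity) followed by a delayed x87 exception, i.e. guest userspace can abort the whole VMM, a guest-to-host denial of service that justifies `Stable::to backport`. The two attachments in `additional` are relative `/uploads/...` links that resolve only on gitlab.com, so the corpus does not actually hold the reproducer images; record their hashes or mark them external. The numbered `reproduce` steps are complete and worth keeping as they are.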
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1826.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1826.toml
new file mode 100644
index 00000000..ada1e591
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1826.toml
@@ -0,0 +1,37 @@
+id = 1826
+title = "Segfault in memory_region_dispatch_write()"
+state = "closed"
+created_at = "2023-08-11T14:27:26.551Z"
+closed_at = "2023-08-30T16:22:37.489Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1826"
+host-os = "WSL2 Ubuntu"
+host-arch = "x86_64"
+qemu-version = "v8.1.0-rc3 (plus a bit though this persists from yesterday at least)"
+guest-os = "ubuntu"
+guest-arch = "x86_64 (arm64 is fine)"
+description = """Several possible outcomes
+- Kernel freeze and rcu lockup messages.
+- segfault
+ 
+For segfault, using gdb.
+```
+in memory_region_dispatch_write (mr=mr@entry=0x130013001300013, addr=addr@entry=176, data=dat@entry=0, op=op@entry=M0_42, attrs=...) at ../../softwmmu/memory.c:1515
+1515     if (mr->alias) {
+
+in memory_region_dispatch_write(  .. as above...)
+in io_writex(env=env@entry=0x555556a84320, full=full@entry=0x7ffda010f630, mmu_idx=mmu_idx@entry=0, val=0, addr=addr@entry=18446744073699049648, retaddr=retaddr@entry=140736023420498, op=MO_32) at ../../accel/tcg/cputlb.c:1448
+in do_st_mmio_leN (env=env@entry=0x555556a84320, full=full@entry=0x7ffda010f630, val_le=<optmized out>, val_le@entry=0, addr=addr@entry=18446744073699049648, size=size@entry=4, mmu_idx=mmu_idx@entry=0, ra=140736023420498) at ../../accel/tcg/cputlb.c:2755
+in do_st_4 (ra=<optmized_out>, memop=<optimized out> mmu_idx=0, val=0, p=0x7ffff529c140, env=0x555556a84320) at ../../accel/tcg/cputbl.c:2921
+do_st4_mmu (env=0x555556a84320, addr=<optimized out> val=<optmized out>, oi=<otpmized out> ra=140736023420498) at ../../accel/tcg/cputlb.c:3006
+in code_gen_buffer()
+in cpu_tb_exec(..) //getting lazy on typing as seems unlikely anything useful beyond here.
+in cpu_loop_exec_tb()
+cpu_exec_loop
+in cpu_exec_setjmp()
+in cpu_exec()
+in tcg_cpus_exec()
+```"""
+reproduce = """1. Boot.
+2. Use gdb to grab back trace after segfault."""
+additional = """Seems to segfault mid way through PCI enumeration in the kernel.  Which device seems to vary between runs."""
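Review bot: `mr=0x130013001300013` in the top frame is not a plausible heap pointer — it is a repeating 16-bit pattern — so the dereference at `if (mr->alias)` is a wild pointer, which makes this memory corruption inside the emulator process rather than an ordinary assertion; the record should say so, since the `Kernel freeze and rcu lockup` outcome is the same corruption surfacing differently. The backtrace was retyped by hand (`softwmmu/memory.c`, `cputbl.c`, `op=M0_42` for `MO_32`, `<optmized out>`), so a `(backtrace transcribed by hand)` note in `description` would stop readers grepping the tree for those paths. The close time 2023-08-30T16:22:37 is within 20 ms of issue 1834's in this same change, which suggests one PCI/MSI-X fix closed both, but that is inferred from timestamps, not stated.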
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1832.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1832.toml
new file mode 100644
index 00000000..94b812d2
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1832.toml
@@ -0,0 +1,15 @@
+id = 1832
+title = "i386 test registers are not handled"
+state = "closed"
+created_at = "2023-08-16T14:48:34.899Z"
+closed_at = "2023-10-02T09:20:23.640Z"
+labels = ["Closed::WontFix", "accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1832"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1834.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1834.toml
new file mode 100644
index 00000000..70074078
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1834.toml
@@ -0,0 +1,192 @@
+id = 1834
+title = "qemu-system-x86_64: ../hw/pci/msix.c:227: msix_table_mmio_write: Assertion `addr + size <= dev->msix_entries_nr * PCI_MSIX_ENTRY_SIZE' failed."
+state = "closed"
+created_at = "2023-08-17T07:27:46.515Z"
+closed_at = "2023-08-30T16:22:37.509Z"
+labels = ["Closed::Fixed", "accel: TCG", "device: PCI", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1834"
+host-os = "Gentoo Linux"
+host-arch = "x86_64"
+qemu-version = "v8.1.0-rc4"
+guest-os = "linux"
+guest-arch = "x86_64"
+description = """"""
+reproduce = """1. Run qemu using the provided command line
+2. linux kernel boot and qemu crashes at pci bus scan step
+3."""
+additional = """```
+SeaBIOS (version rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org
+iPXE (http://ipxe.org) 00:02.0 CA00 PCI2.10 PnP PMM+3EFD0CE0+3EF30CE0 CA00
+iPXE (http://ipxe.org) 00:05.0 CB00 PCI2.10 PnP PMM+3EF1FCE0 3EF30CE0 CB00
+Booting from ROM...
+[    0.000000] Linux version 6.1.38-yocto-standard (oe-user@oe-host) (x86_64-poky-linux-gcc (GCC) 12.3.0, GNU ld (GNU Binutils) 2.40.0.20230620) #1 SMP PREEMPT_DYNAMIC Thu Jul  6 18:52:54 UTC 2023
+[    0.000000] Command line: console=ttyS0
+[    0.000000] x86/fpu: x87 FPU will use FXSAVE
+[    0.000000] signal: max sigframe size: 1040
+[    0.000000] BIOS-provided physical RAM map:
+[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
+[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
+[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
+[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000003ffdefff] usable
+[    0.000000] BIOS-e820: [mem 0x000000003ffdf000-0x000000003fffffff] reserved
+[    0.000000] BIOS-e820: [mem 0x00000000b0000000-0x00000000bfffffff] reserved
+[    0.000000] BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed1ffff] reserved
+[    0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
+[    0.000000] BIOS-e820: [mem 0x000000fd00000000-0x000000ffffffffff] reserved
+[    0.000000] NX (Execute Disable) protection: active
+[    0.000000] SMBIOS 3.0.0 present.
+[    0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+[    0.000000] last_pfn = 0x3ffdf max_arch_pfn = 0x400000000
+[    0.000000] x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WP  UC- WT
+[    0.000000] found SMP MP-table at [mem 0x000f5b80-0x000f5b8f]
+[    0.000000] ACPI: Early table checksum verification disabled
+[    0.000000] ACPI: RSDP 0x00000000000F59A0 000014 (v00 BOCHS )
+[    0.000000] ACPI: RSDT 0x000000003FFE238A 000038 (v01 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: FACP 0x000000003FFE217A 0000F4 (v03 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: DSDT 0x000000003FFE0040 00213A (v01 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: FACS 0x000000003FFE0000 000040
+[    0.000000] ACPI: APIC 0x000000003FFE226E 000080 (v03 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: FACS 0x000000003FFE0000 000040 
+[    0.000000] ACPI: APIC 0x000000003FFE226E 000080 (v03 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: HPET 0x000000003FFE22EE 000038 (v01 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: MCFG 0x000000003FFE2326 00003C (v01 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: WAET 0x000000003FFE2362 000028 (v01 BOCHS  BXPC     00000001 BXPC 00000001)
+[    0.000000] ACPI: Reserving FACP table memory at [mem 0x3ffe217a-0x3ffe226d]
+[    0.000000] ACPI: Reserving DSDT table memory at [mem 0x3ffe0040-0x3ffe2179]
+[    0.000000] ACPI: Reserving FACS table memory at [mem 0x3ffe0000-0x3ffe003f]
+[    0.000000] ACPI: Reserving APIC table memory at [mem 0x3ffe226e-0x3ffe22ed]
+[    0.000000] ACPI: Reserving HPET table memory at [mem 0x3ffe22ee-0x3ffe2325]
+[    0.000000] ACPI: Reserving MCFG table memory at [mem 0x3ffe2326-0x3ffe2361]
+[    0.000000] ACPI: Reserving WAET table memory at [mem 0x3ffe2362-0x3ffe2389]
+[    0.000000] Zone ranges:
+[    0.000000]   DMA      [mem 0x0000000000001000-0x0000000000ffffff]
+[    0.000000]   DMA32    [mem 0x0000000001000000-0x000000003ffdefff]
+[    0.000000]   Normal   empty
+[    0.000000]   Device   empty
+[    0.000000] Movable zone start for each node
+[    0.000000] Early memory node ranges
+[    0.000000]   node   0: [mem 0x0000000000001000-0x000000000009efff]
+[    0.000000]   node   0: [mem 0x0000000000100000-0x000000003ffdefff]
+[    0.000000] Initmem setup node 0 [mem 0x0000000000001000-0x000000003ffdefff]
+[    0.000000] On node 0, zone DMA: 1 pages in unavailable ranges
+[    0.000000] On node 0, zone DMA: 97 pages in unavailable ranges
+[    0.000000] On node 0, zone DMA32: 33 pages in unavailable ranges
+[    0.000000] ACPI: PM-Timer IO Port: 0x608
+[    0.000000] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
+[    0.000000] IOAPIC[0]: apic_id 0, version 32, address 0xfec00000, GSI 0-23
+[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
+[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
+[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
+[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
+[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
+[    0.000000] ACPI: Using ACPI (MADT) for SMP configuration information
+[    0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000
+[    0.000000] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
+[    0.000000] [mem 0x40000000-0xafffffff] available for PCI devices
+[    0.000000] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
+[    0.000000] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:1
+[    0.000000] percpu: Embedded 52 pages/cpu s173288 r8192 d31512 u1048576
+[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 257759
+[    0.000000] Kernel command line: console=ttyS0
+[    0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
+[    0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
+[    0.000000] mem auto-init: stack:all(zero), heap alloc:off, heap free:off
+[    0.000000] Memory: 1002116K/1048052K available (12294K kernel code, 1469K rwdata, 2600K rodata, 1488K init, 2040K bss, 45680K reserved, 0K cma-reserved)
+[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
+[    0.000000] ftrace: allocating 31276 entries in 123 pages
+[    0.000000] ftrace: allocated 123 pages with 6 groups
+[    0.000000] ftrace: allocating 31276 entries in 123 pages
+[    0.000000] ftrace: allocated 123 pages with 6 groups
+[    0.000000] Dynamic Preempt: none
+[    0.000000] rcu: Preemptible hierarchical RCU implementation.
+[    0.000000] rcu:     RCU event tracing is enabled.
+[    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
+[    0.000000]  Trampoline variant of Tasks RCU enabled.
+[    0.000000]  Rude variant of Tasks RCU enabled.
+[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
+[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
+[    0.000000] NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
+[    0.000000] rcu: srcu_init: Setting srcu_struct sizes based on contention.
+[    0.000000] Console: colour VGA+ 80x25
+[    0.000000] printk: console [ttyS0] enabled
+[    0.000000] ACPI: Core revision 20220331
+[    0.000000] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
+[    0.020000] APIC: Switch to symmetric I/O mode setup
+[    0.040000] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
+[    0.120000] tsc: Unable to calibrate against PIT
+[    0.120000] tsc: using HPET reference calibration
+[    0.120000] tsc: Detected 2299.960 MHz processor
+[    0.001362] tsc: Marking TSC unstable due to TSCs unsynchronized
+[    0.002851] Calibrating delay loop (skipped), value calculated using timer frequency.. 4599.92 BogoMIPS (lpj=22999600)
+[    0.004441] pid_max: default: 32768 minimum: 301
+[    0.019780] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
+[    0.020332] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
+[    0.078474] process: using AMD E400 aware idle routine
+[    0.079221] Last level iTLB entries: 4KB 512, 2MB 255, 4MB 127
+[    0.079631] Last level dTLB entries: 4KB 512, 2MB 255, 4MB 127, 1GB 0
+[    0.081092] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
+[    0.082698] Spectre V2 : Mitigation: Retpolines
+[    0.083053] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
+[    0.083616] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
+[    0.348864] Freeing SMP alternatives memory: 32K
+[    0.514732] smpboot: CPU0: AMD QEMU Virtual CPU version 2.5+ (family: 0xf, model: 0x6b, stepping: 0x1)
+[    0.536546] cblist_init_generic: Setting adjustable number of callback queues.
+[    0.537604] cblist_init_generic: Setting shift to 1 and lim to 1.
+[    0.538995] cblist_init_generic: Setting shift to 1 and lim to 1.
+[    0.541338] Performance Events: PMU not available due to virtualization, using software events only.
+[    0.548504] rcu: Hierarchical SRCU implementation.
+[    0.548986] rcu:     Max phase no-delay instances is 1000.
+[    0.563842] smp: Bringing up secondary CPUs ...
+[    0.583950] x86: Booting SMP configuration:
+[    0.584395] .... node  #0, CPUs:      #1
+[    0.802667] smp: Brought up 1 node, 2 CPUs
+[    0.803300] smpboot: Max logical packages: 1
+[    0.803821] smpboot: Total of 2 processors activated (9202.49 BogoMIPS)
+[    0.864556] devtmpfs: initialized
+[    0.897545] x86/mm: Memory block size: 128MB
+[    0.936982] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
+[    0.938878] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
+[    0.980994] NET: Registered PF_NETLINK/PF_ROUTE protocol family
+[    1.004001] thermal_sys: Registered thermal governor 'step_wise'
+[    1.004143] thermal_sys: Registered thermal governor 'user_space'
+[    1.009528] cpuidle: using governor menu
+[    1.022723] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
+[    1.043717] PCI: MMCONFIG for domain 0000 [bus 00-ff] at [mem 0xb0000000-0xbfffffff] (base 0xb0000000)
+[    1.050546] PCI: MMCONFIG at [mem 0xb0000000-0xbfffffff] reserved in E820
+[    1.060576] PCI: Using configuration type 1 for base access
+[    1.074215] mtrr: your CPUs had inconsistent fixed MTRR settings
+[    1.075157] mtrr: your CPUs had inconsistent variable MTRR settings
+[    1.076043] mtrr: your CPUs had inconsistent MTRRdefType settings
+[    1.076840] mtrr: probably your BIOS does not setup all CPUs.
+[    1.077612] mtrr: corrected configuration.
+[    1.453630] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
+[    1.454286] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
+[    1.467152] raid6: skipped pq benchmark and selected sse2x4
+[    1.467152] raid6: using intx1 recovery algorithm
+[    1.485004] ACPI: Added _OSI(Module Device)
+[    1.485539] ACPI: Added _OSI(Processor Device)
+[    1.485909] ACPI: Added _OSI(3.0 _SCP Extensions)
+[    1.486309] ACPI: Added _OSI(Processor Aggregator Device)
+[    1.578101] ACPI: 1 ACPI AML tables successfully acquired and loaded
+[    1.670966] ACPI: Interpreter enabled
+[    1.676848] ACPI: PM: (supports S0 S3 S5)
+[    1.677404] ACPI: Using IOAPIC for interrupt routing
+[    1.683268] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
+[    1.684107] PCI: Using E820 reservations for host bridge windows
+[    1.691382] ACPI: Enabled 2 GPEs in block 00 to 3F
+[    1.828171] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
+[    1.831923] acpi PNP0A08:00: _OSC: OS supports [ExtendedConfig ASPM ClockPM Segments MSI EDR HPX-Type3]
+[    1.839401] acpi PNP0A08:00: _OSC: platform does not support [PCIeHotplug LTR DPC]
+[    1.843631] acpi PNP0A08:00: _OSC: OS now controls [SHPCHotplug PME AER PCIeCapability]
+[    1.867627] PCI host bridge to bus 0000:00
+[    1.868866] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
+[    1.870044] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
+[    1.870572] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
+[    1.871151] pci_bus 0000:00: root bus resource [mem 0x40000000-0xafffffff window]
+[    1.871719] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfffff window]
+[    1.872269] pci_bus 0000:00: root bus resource [mem 0x100000000-0x8ffffffff window]
+[    1.873668] pci_bus 0000:00: root bus resource [bus 00-ff]
+[    1.880983] pci 0000:00:00.0: [8086:29c0] type 00 class 0x060000
+[    1.898659] pci 0000:00:01.0: [1234:1111] type 00 class 0x030000
+qemu-system-x86_64: ../hw/pci/msix.c:227: msix_table_mmio_write: Assertion `addr + size <= dev->msix_entries_nr * PCI_MSIX_ENTRY_SIZE' failed.
+```"""
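Review bot: The `reproduce` field's first step, `1. Run qemu using the provided command line`, refers to a command line that this record does not contain, and `description` in the same file is the empty string `""""""`, so the record cannot be reproduced from its own contents; it looks like the tracker's command-line field was not captured by the exporter. The same gap appears in the 2040.toml hunk, whose `reproduce` reads `Run the command given above.` with nothing above it. If the exporter has no source for that field, consider making the omission explicit, e.g. `reproduce = "n/a (command line not captured)"`, or adding a key such as `command-line` populated from the issue template so each record stays self-contained.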
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/184.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/184.toml
new file mode 100644
index 00000000..14849797
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/184.toml
@@ -0,0 +1,15 @@
+id = 184
+title = "SSE CMP ops with 8bit immediate throw sigill with oversized byte"
+state = "closed"
+created_at = "2021-05-05T15:33:23.070Z"
+closed_at = "2022-03-25T13:03:05.373Z"
+labels = ["Launchpad", "accel: TCG", "kind::Bug", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/184"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1864.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1864.toml
new file mode 100644
index 00000000..6c6d5fc1
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1864.toml
@@ -0,0 +1,31 @@
+id = 1864
+title = "x86 VM with TCG and SMP fails to start on 8.1.0"
+state = "closed"
+created_at = "2023-09-05T07:48:14.136Z"
+closed_at = "2023-09-22T15:35:27.591Z"
+labels = ["Stable::to backport", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1864"
+host-os = "Mac OS Ventura"
+host-arch = "ARM"
+qemu-version = "8.1.0"
+guest-os = "Linux"
+guest-arch = "x86_64"
+description = """I'm running Colima on MacOS to run Docker. After upgrading qemu to 8.1.0 my x86_64 VM fails to start. If I downgrade qemu to 8.0.4 everything runs normally. Relevant logs:
+
+```
+[   60.976187] rcu: \t0-...!: (0 ticks this GP) idle=0d58/0/0x0 softirq=44/44 fqs=0 (false positive?)
+[   60.979262] \t(detected by 1, t=6005 jiffies, g=-1171, q=1981 ncpus=2)
+[   60.982317] Sending NMI from CPU 1 to CPUs 0:
+[   11.583693] NMI backtrace for cpu 0 skipped: idling at native_safe_halt+0xb/0x10
+[   11.583693] INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 2.006 msecs
+[   60.982317] rcu: rcu_preempt kthread timer wakeup didn't happen for 6004 jiffies! g-1171 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402
+[   60.982317] rcu: \tPossible timer handling issue on cpu=0 timer-softirq=15
+[   60.982317] rcu: rcu_preempt kthread starved for 6005 jiffies! g-1171 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=0
+[   60.982317] rcu: \tUnless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
+[   60.982317] rcu: RCU grace-period kthread stack dump:
+[   60.982317] task:rcu_preempt     state:I stack:0     pid:15    ppid:2      flags:0x00004000
+```
+
+[serial.log](/uploads/1039eceff37133504eb93401df1db137/serial.log)"""
+reproduce = """1. `colima start --arch x86_64`"""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/1964.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/1964.toml
new file mode 100644
index 00000000..884ea541
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/1964.toml
@@ -0,0 +1,17 @@
+id = 1964
+title = "QEMU TCG faulted in RUNDLL32 at Windows 98SE Display Properties"
+state = "closed"
+created_at = "2023-10-27T10:20:27.896Z"
+closed_at = "2024-01-19T16:40:58.350Z"
+labels = ["accel: TCG", "guest: Windows", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1964"
+host-os = "Windows 10/11 x86_64, ArchLinux x86_64, Apple Silicon macOS Sonoma 14.1"
+host-arch = "x86_64, AArch64"
+qemu-version = "7.2.0 up to qemu-git 8.1.50 (v8.1.0-2294-gc60be6e3e-dirty)"
+guest-os = "Windows 98SE 4.10.2222B"
+guest-arch = "x86"
+description = """QEMU TCG faulted in RUNDLL32 at Windows 98SE Display Properties. 100% consistently reproducible across multiple host operating systems and CPU architectures and all types of QEMU emulated display controllers supported by Windows 98SE (`VGA, cirrus-vga and vmware-svga`). It is a user-mode fault so the OS simply terminated the faulting process, OS remains fully functional after the fault and the same fault can be repeated. Should be extremely helpful in debugging. Last known good QEMU version without this bug is 7.1.0. For x86_64, KVM and WHPX do not have the issue and can be used to gain access to Display Properties. On AArch64, last known good QEMU version is the only way to gain access to Display Properties."""
+reproduce = """See attached recorded video.
+
+![Screen_Recording_2023-10-27_at_2.44.18_AM](/uploads/0b8cff9b70606532312593d48b7df79a/Screen_Recording_2023-10-27_at_2.44.18_AM.mov)"""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2022.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2022.toml
new file mode 100644
index 00000000..c7bdd85c
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2022.toml
@@ -0,0 +1,19 @@
+id = 2022
+title = "Win32s crashes qemu (regression, bisected)"
+state = "closed"
+created_at = "2023-12-08T08:11:09.560Z"
+closed_at = "2023-12-13T15:28:35.938Z"
+labels = ["Closed::Fixed", "Regression", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2022"
+host-os = "Fedora 39"
+host-arch = "x86_64"
+qemu-version = "8.0.50"
+guest-os = "DOS 6.22/WfW 3.11"
+guest-arch = "n/a"
+description = """Whenever I start a Win32s application (FREECELL.EXE), qemu says "qemu: Bad ram pointer 0x7f4b13a80000" and aborts. I tried a few different versions of Win32s (I specifically remember 1.15a and 1.25a), but it does not seem to matter. I am using only the standard VGA driver and nothing else that would not be present in a standard install of the guest components."""
+reproduce = """1. Run any Win32s application
+2.
+3."""
+additional = """It worked fine before this commit, both on stable-8.1 as well as the master branch:
+
+4f8f41272e accel: Replace target_ulong with vaddr in probe_*()"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2040.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2040.toml
new file mode 100644
index 00000000..1c2a76e6
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2040.toml
@@ -0,0 +1,34 @@
+id = 2040
+title = "x86 TCG incorrectly truncates physical addresses to 32 bits when PAE is enabled"
+state = "closed"
+created_at = "2023-12-18T11:47:58.138Z"
+closed_at = "2024-02-28T17:26:27.403Z"
+labels = ["Stable::to backport", "accel: TCG", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2040"
+host-os = "Fedora 39"
+host-arch = "x86"
+qemu-version = "Latest master (039afc5ef7367fbc8fb475580c291c2655e856cb)"
+guest-os = "Windows 10"
+guest-arch = "x86"
+description = """Originally observed as 32-bit Windows failing to boot on systems with RAM above 4G when using TCG (but working fine under KVM).  Windows kernel debugger showed the kernel allocating a block of memory but somehow failing to create a page table mapping for it.
+
+Bisection in QEMU produced the first bad commit as 4a1e9d4 ("target/i386: Use atomic operations for pte updates"), which changed the PTE accessing code from using e.g. `x86_ldq_phys()` to using `probe_access_full()` and `ldq_p()`.
+
+Further deconstruction of the changes in this commit found that at some point during the boot, the value obtained from `ldq_p()` was completely different to the value obtained from `x86_ldq_phys()`.  Debugging revealed that the underlying host addresses used by each method were exactly 4G apart, with the new method (`ldq_p()`) accessing a host location 4G below the correct address.
+
+Inspection of the code revealed one place where addresses are truncated to 32 bits, which would cause this 4G offset: in `get_physical_address()` we have the code:
+
+```
+    if (!(env->hflags & HF_LMA_MASK)) {
+        /* Without long mode we can only address 32bits in real mode */
+        out->paddr = (uint32_t)out->paddr;
+    }
+```
+
+This looks wrong, since PAE allows for physical addresses above 4G to be accessed without long mode.  (This is the whole point of PAE.)
+
+A quick experiment shows that commenting out the above block of code fixes the symptom and allows Windows 10 to boot with RAM above 4G.
+
+I suspect that the test should be checking for PAE being enabled rather than long mode being enabled.  (Enabling PAE is part of setting up the CPU for long mode, so it is impossible to be in long mode without PAE already enabled.)"""
+reproduce = """Run the command given above."""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2092.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2092.toml
new file mode 100644
index 00000000..bacc74ea
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2092.toml
@@ -0,0 +1,78 @@
+id = 2092
+title = "i386: TCG + virtiofs fails to boot Fedora/CentOS/OpenSUSE since QEMU v7.2"
+state = "opened"
+created_at = "2024-01-11T08:48:37.907Z"
+closed_at = "n/a"
+labels = ["Hard", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2092"
+host-os = "Fedora 39"
+host-arch = "x86-64"
+qemu-version = "8.1.3"
+guest-os = "Fedora 39"
+guest-arch = "x86-64"
+description = """When booting from virtiofs with TCG acceleration, after switch root from initramfs to rootfs, the system crashes horribly, see logs below. The failures only happen when TCG acceleration is used with a virtiofs rootfs. Switching TCG for KVM acceleration or virtiofs for a disk image makes the issue disappear. This has started happening since QEMU version 7.2. Using any qemu version before QEMU version 7.2 works fine. Additionally, it only seems to happen with CentOS Stream, Fedora and OpenSUSE. Using Debian, Ubuntu or Arch Linux, this combination boots fine.
+
+cc @bonzini since you made quite a few changes to TCG acceleration in QEMU v7.2."""
+reproduce = """1. `git clone https://github.com/systemd/mkosi`
+2. `cd mkosi`
+3. `bin/mkosi -d fedora -t directory --tools-tree=default --qemu-kvm=no --debug qemu` (this will build an image first so will take a while. Depending on your distribution you might need to install `dnf` and `bubblewrap`)"""
+additional = """```
+<initramfs boot logs skipped for brevity>
+Welcome to Fedora Linux 39 (Thirty Nine)!
+
+[   37.137287] systemd[1]: Initializing machine ID from random generator.
+[   37.209193] kauditd_printk_skb: 9 callbacks suppressed
+[   37.209227] audit: type=1334 audit(1704961693.242:45): prog-id=16 op=LOAD
+[   37.210718] audit: type=1334 audit(1704961693.243:46): prog-id=16 op=UNLOAD
+[   37.211491] audit: type=1334 audit(1704961693.244:47): prog-id=17 op=LOAD
+[   37.212766] audit: type=1334 audit(1704961693.245:48): prog-id=17 op=UNLOAD
+[   37.241136] audit: type=1334 audit(1704961693.274:49): prog-id=18 op=LOAD
+[   37.242803] audit: type=1334 audit(1704961693.275:50): prog-id=18 op=UNLOAD
+[   37.244114] audit: type=1334 audit(1704961693.277:51): prog-id=19 op=LOAD
+[   37.245790] audit: type=1334 audit(1704961693.278:52): prog-id=19 op=UNLOAD
+[   37.259849] audit: type=1334 audit(1704961693.291:53): prog-id=20 op=LOAD
+[   37.260072] audit: type=1334 audit(1704961693.292:54): prog-id=20 op=UNLOAD
+[   37.870091] systemd[1]: bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
+[   38.074465] Process 299(false) has RLIMIT_CORE set to 1
+[   38.074793] Aborting core
+[   38.077885] Process 297(false) has RLIMIT_CORE set to 1
+[   38.078066] Aborting core
+[   38.079360] Process 298(false) has RLIMIT_CORE set to 1
+[   38.079516] Aborting core
+[   38.114888] Process 301(false) has RLIMIT_CORE set to 1
+[   38.115072] Aborting core
+[   38.217830] Process 305(false) has RLIMIT_CORE set to 1
+[   38.218038] Aborting core
+[   38.219161] Process 304(false) has RLIMIT_CORE set to 1
+[   38.219337] Aborting core
+[   38.287937] Process 308(false) has RLIMIT_CORE set to 1
+[   38.288169] Aborting core
+[   38.323829] Process 309(false) has RLIMIT_CORE set to 1
+[   38.324045] Aborting core
+[   38.325457] Process 310(false) has RLIMIT_CORE set to 1
+[   38.325811] Aborting core
+[   38.447773] Process 315(false) has RLIMIT_CORE set to 1
+[   38.447934] Aborting core
+[   38.449525] Process 314(false) has RLIMIT_CORE set to 1
+[   38.449768] Aborting core
+[   38.462210] (sd-execu[291]: /usr/lib/systemd/system-generators/systemd-integritysetup-generator terminated by signal SEGV.
+[   38.478826] Process 316(false) has RLIMIT_CORE set to 1
+[   38.479001] Aborting core
+[   42.397416] systemd[1]: Populated /etc with preset unit settings.
+[   42.532156] show_signal_msg: 68 callbacks suppressed
+[   42.535164] systemd[1]: segfault at b0 ip 00007f3ca95074ed sp 00007ffc7aa5f1c0 error 4 in libsystemd-core-254.7-1.fc39.so[7f3ca944c000+135000] likely on CPU 0 (core 0, socket 0)
+[   42.536289] Code: 00 48 89 fb 75 6f c6 87 88 04 00 00 01 48 8b 7f 70 45 31 ed 48 85 ff 75 1e e9 7f 00 00 00 0f 1f 80 00 00 00 00 e8 f3 24 f5 ff <48> 8b 7b 70 41 83 c5 01 48 85 ff 74 66 f6 87 63 04 00 00 01 75 e5
+[   42.543019] systemd[1]: Caught <SEGV> from PID 176.
+[   42.543516] audit: type=1701 audit(1704961698.576:99): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=317 comm="systemd" exe="/usr/lib/systemd/systemd" sig=11 res=1
+[   42.593878] traps: false[318] general protection fault ip:7fcccd942fa0 sp:7ffd528a8020 error:0 in libc.so.6[7fcccd928000+160000]
+[   42.594494] Process 318(false) has RLIMIT_CORE set to 1
+[   42.594831] Aborting core
+[   42.595808] audit: type=1701 audit(1704961698.627:100): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=318 comm="false" exe="/usr/bin/false" sig=11 res=1
+[   42.603224] systemd[1]: Caught <SEGV>, dumped core as pid 317.
+[   42.604202] systemd[1]: Freezing execution.
+[   42.656248] audit: type=1335 audit(1704961698.689:101): pid=1 uid=0 auid=4294967295 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" nl-mcgrp=1 op=disconnect res=1
+[   42.657685] audit: type=1334 audit(1704961698.690:102): prog-id=14 op=UNLOAD
+[   42.657852] audit: type=1334 audit(1704961698.690:103): prog-id=15 op=UNLOAD
+[   42.658011] audit: type=1334 audit(1704961698.690:104): prog-id=11 op=UNLOAD
+[   42.658201] audit: type=1334 audit(1704961698.690:105): prog-id=12 op=UNLOAD
+```"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2096.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2096.toml
new file mode 100644
index 00000000..13a890d4
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2096.toml
@@ -0,0 +1,15 @@
+id = 2096
+title = "test-x86-cpuid-compat qtest produces warnings on TCG"
+state = "closed"
+created_at = "2024-01-12T13:39:02.542Z"
+closed_at = "2024-02-25T11:52:04.153Z"
+labels = ["Tests", "accel: TCG", "kind::Bug", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2096"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/215.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/215.toml
new file mode 100644
index 00000000..ecaf10c7
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/215.toml
@@ -0,0 +1,15 @@
+id = 215
+title = "x86 Floating point exceptions - incorrect support?"
+state = "opened"
+created_at = "2021-05-08T05:37:19.033Z"
+closed_at = "n/a"
+labels = ["Launchpad", "accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/215"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2170.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2170.toml
new file mode 100644
index 00000000..94a4312d
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2170.toml
@@ -0,0 +1,52 @@
+id = 2170
+title = "qemu-x86_64 crashes when the application calls pthread_getattr_np()"
+state = "closed"
+created_at = "2024-02-15T17:26:24.890Z"
+closed_at = "2024-03-05T11:17:44.566Z"
+labels = ["Closed::Fixed", "accel: TCG", "linux-user", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2170"
+host-os = "Debian Bookworm"
+host-arch = "x86_64"
+qemu-version = "8.2.0 and later"
+guest-os = "-"
+guest-arch = "x86_64"
+description = """QEMU user emulation crashes with this program:
+```
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <pthread.h>
+
+int main()
+{
+        pthread_attr_t attr;
+        int error = pthread_getattr_np(pthread_self(), &attr);
+
+        printf("%d\\n", error);
+        return 0;
+}
+```"""
+reproduce = """1. Compile the program above
+2. Run QEMU"""
+additional = """QEMU crashes with:
+```
+qemu-x86_64: QEMU internal SIGSEGV {code=MAPERR, addr=0x20}
+Segmentation fault (core dumped)
+
+```
+
+In gdb I get this backtrace:
+```
+#0  0x0000555555627d6d in open_self_maps_2 (opaque=0x7fffffffc020, guest_start=18446744073699065856, guest_end=<optimized out>, flags=12) at ../linux-user/syscall.c:8089
+#1  0x000055555560ce67 in walk_memory_regions (priv=priv@entry=0x7fffffffc020, fn=fn@entry=0x555555627d30 <open_self_maps_2>) at ../accel/tcg/user-exec.c:176
+#2  0x0000555555628b3a in open_self_maps_1 (smaps=<optimized out>, fd=<optimized out>, env=<optimized out>) at ../linux-user/syscall.c:8112
+#3  open_self_maps (cpu_env=<optimized out>, fd=3) at ../linux-user/syscall.c:8122
+#4  0x0000555555631e24 in do_guest_openat (cpu_env=cpu_env@entry=0x55555583ae20, dirfd=dirfd@entry=-100, fname=fname@entry=0x2aaaab496eb4 "/proc/self/maps", flags=524288, mode=mode@entry=0, safe=safe@entry=true) at ../linux-user/syscall.c:8381
+#5  0x0000555555638f71 in do_syscall1 (cpu_env=cpu_env@entry=0x55555583ae20, num=num@entry=257, arg1=arg1@entry=4294967196, arg2=arg2@entry=46912506523316, arg3=arg3@entry=524288, arg4=arg4@entry=0, arg5=<optimized out>, arg6=<optimized out>, arg8=0, arg7=0) at ../linux-user/syscall.c:9075
+#6  0x000055555563b659 in do_syscall (cpu_env=cpu_env@entry=0x55555583ae20, num=257, arg1=4294967196, arg2=46912506523316, arg3=524288, arg4=0, arg5=8, arg6=1, arg7=0, arg8=0) at ../linux-user/syscall.c:13658
+#7  0x000055555558db19 in cpu_loop (env=env@entry=0x55555583ae20) at ../linux-user/x86_64/../i386/cpu_loop.c:242
+#8  0x00005555555898d8 in main (argc=<optimized out>, argv=0x7fffffffdd38, envp=<optimized out>) at ../linux-user/main.c:1012
+
+```
+
+This bug was introduced in the rewrite of `open_self_maps` in 7b7a3366e142d3baeb3fd1d3660a50e7956c19eb.
+The current master (5767815218efd3cbfd409505ed824d5f356044ae) is still affected."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2175.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2175.toml
new file mode 100644
index 00000000..283cf6c4
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2175.toml
@@ -0,0 +1,46 @@
+id = 2175
+title = "Intel BLSI CF computation bug"
+state = "closed"
+created_at = "2024-02-19T05:00:51.360Z"
+closed_at = "2024-08-21T05:08:10.856Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2175"
+host-os = "Ubuntu 23.10"
+host-arch = "x86_64"
+qemu-version = "qemu-x86_64 version 8.2.1"
+guest-os = "None"
+guest-arch = "x86_64"
+description = """CF flag computation of BLSI instruction is wrong. It seems #1370 was not completely fixed."""
+reproduce = """1. Compile `example.c` using this command: `gcc -o example.bin example.c`. My gcc version is 12.3.0, but other versions may work.
+```
+int main() {
+  __asm__ (
+    "movq $0x1, %r8\\n"
+    "mov $0xedbf530a, %r9\\n"
+    "push $0x1\\n"
+    "popf\\n"
+    "blsi %r9d, %r8d\\n"
+    "pushf\\n"
+    "pop %rax\\n"
+    "pop %rbp\\n"
+    "ret\\n"
+  );
+
+  return 0;
+}
+```
+2. Run `./example.bin`. Then check the return code using `echo $?`. It should be 3.
+```
+$ ./example.bin
+$ echo $?
+3
+```
+3. Run `./qemu-x86_64 ./example.bin`. Then check the return code using `echo $?`. It should be 2.
+```
+$ ./qemu-x86_64 ./example.bin
+$ echo $?
+2
+```
+
+The return code of `./example.bin` contains the value of the `RFLAGS` register after executing the `BLSI` instruction."""
+additional = """"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml
new file mode 100644
index 00000000..51070d52
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml
@@ -0,0 +1,44 @@
+id = 2180
+title = "QEMU crashes when an interrupt is triggered whose descriptor is not in physical memory"
+state = "closed"
+created_at = "2024-02-20T16:08:18.466Z"
+closed_at = "2024-03-26T19:46:03.207Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2180"
+host-os = "Arch Linux"
+host-arch = "x86_64"
+qemu-version = "8.2.50 (built from Git commit da96ad4a6a2ef26c83b15fa95e7fceef5147269c)"
+guest-os = "Custom, see additional information section."
+guest-arch = "x86"
+description = """When an interrupt is triggered whose descriptor is mapped but not in physical memory, QEMU crashes with the following message:
+```
+**
+ERROR:../system/cpus.c:524:bql_lock_impl: assertion failed: (!bql_locked())
+Bail out! ERROR:../system/cpus.c:524:bql_lock_impl: assertion failed: (!bql_locked())
+Aborted (core dumped)
+```
+
+The given code triggers the bug by moving the IDT's base address, but it can also be triggered by any other method of moving the IDT's physical memory location, f.ex paging. With KVM enabled, this specific example loops forever instead of crashing, but if the code is altered to use paging, an internal KVM error is reported and the VM is paused."""
+reproduce = """1. Assemble the code listed below using NASM: `nasm test.asm -o test.bin`
+2. Run the code using `qemu-system-i386 -drive format=raw,file=test.bin`. Note that the given code only triggers the bug if the guest has 2 gigabytes or less of physical memory.
+3. QEMU crashes."""
+additional = """NASM assembly of the code used:
+```
+bits 16
+org 0x7c00
+
+_start:
+    ; Disable interrupts and load new IDT
+    cli
+    o32 lidt [idtdesc]
+    ; Descriptor for INT 0 is in nonexistent physical memory, which crashes QEMU.
+    int 0x00
+
+idtdesc:
+    dw 0x3ff      ; Limit: 1 KiB for IDT
+    dd 0x80000000 ; Base: 2 GiB
+
+; Like most BIOSes, SeaBIOS requires this magic number to boot
+times 510-($-$$) db 0
+dw 0xaa55
+```"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2195.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2195.toml
new file mode 100644
index 00000000..66a8b4c6
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2195.toml
@@ -0,0 +1,49 @@
+id = 2195
+title = "qemu-system-x86_64 : cannot resume from S3 suspend for Q35 + OVMF"
+state = "opened"
+created_at = "2024-02-26T22:28:59.119Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2195"
+host-os = "Ubuntu 24.04, Debian Sid"
+host-arch = "x86"
+qemu-version = "8.2.50"
+guest-os = "Linux"
+guest-arch = "x86"
+description = """There is a specific configuration where the resume from S3 does not work:
+
+- Q35 machine + OVMF.fd (https://retrage.github.io/edk2-nightly/)
+- TCG acceleration (it works when --accel=kvm is set)
+
+The output at resume is:
+
+```
+!!!! X64 Exception Type - 05(#BR - BOUND Range Exceeded)  CPU Apic ID - 00000000 !!!!
+RIP  - 0000000000006237, CS  - 0000000000000028, RFLAGS - 0000000000000002
+RAX  - 0000000080000027, RCX - 0000000000000000, RDX - 0000000000000000
+RBX  - 0000000099200000, RSP - 000000000FF96236, RBP - 000000000FF96320
+RSI  - 000000000F74E000, RDI - 0000000000833F31
+R8   - 0000002800000000, R9  - 0000000000000000, R10 - 000000000FF968F0
+R11  - 0000000000828B30, R12 - 000000000FF9ACD0, R13 - 000000000F76B000
+R14  - 000000000F76A000, R15 - 0000000000000000
+DS   - 0000000000000030, ES  - 0000000000000030, FS  - 0000000000000030
+GS   - 0000000000000030, SS  - 0000000000000030
+CR0  - 0000000080000033, CR2 - 0000000000000000, CR3 - 000000000F75B000
+CR4  - 0000000000000668, CR8 - 0000000000000000
+DR0  - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
+DR3  - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
+GDTR - 0000000000833DE0 0000000000000047, LDTR - 0000000000000000
+IDTR - 000000000FF97D70 000000000000021F,   TR - 0000000000000000
+FXSAVE_STATE - 000000000FF95E90
+!!!! Can't find image information. !!!!
+```
+
+After bisecting, this is caused by commit : 18a536f1f8d6222e562f59179e837fdfd8b92718 If i revert this comment, the resume works nicely.
+
+I used a script to generate a tiny initrd to test but i think the problem can be reproduced with any guest kernel + rootfs. I also verify that this problem can be reproduced with different host kernels (6.5) than the one i used (6.8)"""
+reproduce = """1. Use https://gitlab.com/berrange/tiny-vm-tools/-/blob/master/make-tiny-image.py to generate tiny-initrd.img
+2. Run qemu and drop into shell
+3. Put machine into S3 (echo mem \\> /sys/power/state)
+4. Use socat to connect to QEMU monitor and wake up the machine (system_wakeup)
+5. The machine does not resume correctly"""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2198.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2198.toml
new file mode 100644
index 00000000..60eebde7
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2198.toml
@@ -0,0 +1,33 @@
+id = 2198
+title = "Unable to run OS/2 Warp4.52"
+state = "closed"
+created_at = "2024-02-28T09:01:27.043Z"
+closed_at = "2024-06-08T20:18:43.735Z"
+labels = ["accel: TCG", "guest::os2", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2198"
+host-os = "OS/2 Warp4.52 (or Warp4 + fixpack15)"
+host-arch = "x86 (Linux Debian) and ARM (Android)"
+qemu-version = "8.0.2 (Android/Termux) and 5.0.2 (Debian 1:5.2+dfsg-11+deb11u3)"
+guest-os = "OS/2 Warp4.52 (or Warp4 + fixpack15)"
+guest-arch = "x86"
+description = """Operating system crashes upon boot."""
+reproduce = """1. Install OS/2 Warp4
+2. Apply Fixpack15
+3. Try to boot the system"""
+additional = """This is a very old bug that seems to render a whole family of Operating Systems (OS/2 Warp4 and eComStation) unusable under Qemu.
+Warp4 works, in the sense that it does install and run, but just until it is updated to 4.52 (which is necessary to get a useable guest)
+
+I found traces of its existence as far as:
+https://bugs.launchpad.net/qemu/+bug/1743441
+https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg02337.html
+
+And i found the issue brieffly commented at https://www.os2world.com/forum/index.php?topic=2346.0
+I quote: 
+ 
+'Regarding QEMU/KVM, OS/2 runs in QEMU mostly fine. Except the trap in os2lvm.dmd and non-working netbeui.os2 and
+tcpbeui.os2. The problem with os2lvm.dmd is because QEMU closely follows the intel spec, which is incorrect. The spec says
+that 16-bit SGDT instruction behaves the same like in i286 processor. But it's not true, it behaves like i386 instruction. So, QEMU
+emulates SGDT 16-bit instruction incorrectly. OS2LVM.DMD uses 16-bit SGDT instruction and it hits the problem.'
+
+After a brief discussion on the Warp4 group at groups.io where I was told that this is indeed a Qemu bug, I thought someone has 
+to report on that."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2206.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2206.toml
new file mode 100644
index 00000000..40822dc4
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2206.toml
@@ -0,0 +1,18 @@
+id = 2206
+title = "PAGE_FAULT_IN_NONPAGED_AREA in Windows 7 x64."
+state = "closed"
+created_at = "2024-03-03T18:15:32.965Z"
+closed_at = "2024-03-20T16:57:58.557Z"
+labels = ["accel: TCG", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2206"
+host-os = "Windows 11 Insider Preview Build 26058.1000 (Dev Channel)"
+host-arch = "x86-64"
+qemu-version = "8.2.50 (v8.2.0-1947-ge1007b6bab-dirty)"
+guest-os = "Windows 7"
+guest-arch = "x86-64"
+description = """When trying to install Windows 7, it always crashes with PAGE_FAULT_IN_NONPAGED_AREA. This also impacts Windows 8.1, but crashes when it tries to start up the installation disc."""
+reproduce = """1. Create A VM with the Windows 7 installation disc inside the cdrom.
+2. Go through the installation
+3. At some point, it will pull a blue screen with a PAGE_FAULT_IN_NONPAGED_AREA. (around expanding windows files or completing installation)"""
+additional = """It looks like this bsod is relating to some non-canonical (illegal) virtual address being referenced. (It's just my guess based on the stop code)
+![image](/uploads/910a863461a99713ff8566e5c2212ce2/image.png)"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2207.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2207.toml
new file mode 100644
index 00000000..b4e4b3b8
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2207.toml
@@ -0,0 +1,19 @@
+id = 2207
+title = "WerFault.exe – Application Error. The memory could not be read in Win7 i386"
+state = "opened"
+created_at = "2024-03-05T06:23:11.850Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2207"
+host-os = "Ubuntu 22.04 LTS"
+host-arch = "aarch64"
+qemu-version = "QEMU emulator version 8.2.0 (v8.2.0)"
+guest-os = "Win7 Service Pack 1 7601"
+guest-arch = "i386"
+description = """WerFault Application Errors always occur when I open IE or even control panel. It's OK on QEMU 7.2 & 8.0 version according to my debug experience about qemu-system-i386 flavor in the last few months."""
+reproduce = """1. pulling _tag: v8.2.0_ code 
+2. emulating Windows 7 OS on aarch64 Host with TCG acceleration mechanism
+3. just opening IE for maybe two or three times after the virtual machine has started"""
+additional = """The error is displayed by Chinese. It says _WerFault.exe – Application Error. The instruction at 0x779f77b2 referenced memory at 0x6d0f6d20. The memory could not be read._ in English
+
+![20240305141310](https://juststayrealpicgo.oss-cn-hangzhou.aliyuncs.com/wiz/20240305141310.png)"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2220.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2220.toml
new file mode 100644
index 00000000..c8da1319
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2220.toml
@@ -0,0 +1,536 @@
+id = 2220
+title = "Intermittent QEMU segfaults on x86_64 with TCG accelerator"
+state = "opened"
+created_at = "2024-03-11T11:43:03.254Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2220"
+host-os = "CentOS Stream 9, Fedora Rawhide, Ubuntu Noble"
+host-arch = "x86_64"
+qemu-version = "8.2.0 (C9S, Fedora Rawhide*) & 8.2.1 (Ubuntu Noble)"
+guest-os = "same as above"
+guest-arch = "x86_64"
+description = """Recently(-ish) in our upstream systemd CI we started seeing an uptrend of QEMU segfaults when running our integration tests. This was first observed in CentOS Stream 9 runs, but was later followed by Fedora Rawhide and Ubuntu Noble, once they picked up the QEMU 8.x branch. I filed a RHEL-only ticked first (before we started seeing it on other distros as well), so I'll share the same information here as well.
+
+This seems to happen only with TCG - in the CentOS CI infrastructure, where this was first observed, we run two jobs - one on a baremetal, that runs the test VMs with KVM, and one already on VMs that runs the same jobs using TCG; only the TCG job suffer from this issue. The same goes for the Fedora Rawhide and Ubuntu Noble jobs - they also use TCG.
+
+I managed to get a stack trace from one of the segmentation faults on CentOS Stream 9:
+```gdb
+[coredumpctl_collect] Collecting coredumps for '/usr/libexec/qemu-kvm'
+           PID: 1154719 (qemu-system-x86)
+           UID: 0 (root)
+           GID: 0 (root)
+        Signal: 11 (SEGV)
+     Timestamp: Thu 2024-02-01 21:50:04 UTC (1min 23s ago)
+  Command Line: /bin/qemu-system-x86_64 -smp 8 -net none -m 768M -nographic -kernel /boot/vmlinuz-5.14.0-412.el9.x86_64 -drive format=raw,cache=unsafe,file=/var/tmp/systemd-test-TEST-63-PATH_1/default.img -device virtio-rng-pci,max-bytes=1024,period=1000 -cpu max -initrd /var/tmp/ci-initramfs-5.14.0-412.el9.x86_64.img -append $'root=LABEL=systemd_boot rw raid=noautodetect rd.luks=0 loglevel=2 init=/usr/lib/systemd/systemd console=ttyS0 SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/testsuite-63.units:/usr/lib/systemd/tests/testdata/units: systemd.unit=testsuite.target systemd.wants=testsuite-63.service noresume oops=panic panic=1 softlockup_panic=1 systemd.wants=end.service enforcing=0 watchdog_thresh=60 workqueue.watchdog_thresh=120'
+    Executable: /usr/libexec/qemu-kvm
+ Control Group: /user.slice/user-0.slice/session-1.scope
+          Unit: session-1.scope
+         Slice: user-0.slice
+       Session: 1
+     Owner UID: 0 (root)
+       Boot ID: 011f8fd0783c464184955c281ce2c1b7
+    Machine ID: af8d424897a0479fa2fc0e5afcff3198
+      Hostname: n27-39-6.pool.ci.centos.org
+       Storage: /var/lib/systemd/coredump/core.qemu-system-x86.0.011f8fd0783c464184955c281ce2c1b7.1154719.1706824204000000.zst (present)
+  Size on Disk: 124.7M
+       Message: Process 1154719 (qemu-system-x86) of user 0 dumped core.
+                
+                Stack trace of thread 1154728:
+                #0  0x0000557669385a13 address_space_translate_for_iotlb (qemu-kvm + 0x73ba13)
+                #1  0x00005576693d149f tlb_set_page_full (qemu-kvm + 0x78749f)
+                #2  0x0000557669248a18 x86_cpu_tlb_fill (qemu-kvm + 0x5fea18)
+                #3  0x00005576693db519 mmu_lookup1 (qemu-kvm + 0x791519)
+                #4  0x00005576693db31b mmu_lookup.llvm.5973256065011438912 (qemu-kvm + 0x79131b)
+                #5  0x00005576693d3173 do_ld4_mmu.llvm.5973256065011438912 (qemu-kvm + 0x789173)
+                #6  0x00005576692d44cf do_interrupt_all (qemu-kvm + 0x68a4cf)
+                #7  0x000055766924f605 x86_cpu_exec_interrupt (qemu-kvm + 0x605605)
+                #8  0x00005576693bdc25 cpu_exec_loop (qemu-kvm + 0x773c25)
+                #9  0x00005576693bcee1 cpu_exec_setjmp (qemu-kvm + 0x772ee1)
+                #10 0x00005576693bcd64 cpu_exec (qemu-kvm + 0x772d64)
+                #11 0x00007fe0c5e4011c mttcg_cpu_thread_fn (accel-tcg-x86_64.so + 0x411c)
+                #12 0x0000557669662ada qemu_thread_start.llvm.13264588188580115644 (qemu-kvm + 0xa18ada)
+                #13 0x00007fe0c68a1912 start_thread (libc.so.6 + 0xa1912)
+                #14 0x00007fe0c683f450 __clone3 (libc.so.6 + 0x3f450)
+                
+                Stack trace of thread 1154721:
+                #0  0x00007fe0c69159e5 clock_nanosleep@GLIBC_2.2.5 (libc.so.6 + 0x1159e5)
+                #1  0x00007fe0c691a597 __nanosleep (libc.so.6 + 0x11a597)
+                #2  0x00007fe0c6b70c87 g_usleep (libglib-2.0.so.0 + 0x7ec87)
+                #3  0x0000557669670c18 call_rcu_thread (qemu-kvm + 0xa26c18)
+                #4  0x0000557669662ada qemu_thread_start.llvm.13264588188580115644 (qemu-kvm + 0xa18ada)
+                #5  0x00007fe0c68a1912 start_thread (libc.so.6 + 0xa1912)
+                #6  0x00007fe0c683f450 __clone3 (libc.so.6 + 0x3f450)
+                
+                Stack trace of thread 1154727:
+                #0  0x00007fe0c689e4aa __futex_abstimed_wait_common (libc.so.6 + 0x9e4aa)
+                #1  0x00007fe0c68a0cb0 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0xa0cb0)
+                #2  0x00005576696620c6 qemu_cond_wait_impl (qemu-kvm + 0xa180c6)
+                #3  0x000055766919425b qemu_wait_io_event (qemu-kvm + 0x54a25b)
+                #4  0x00007fe0c5e40180 mttcg_cpu_thread_fn (accel-tcg-x86_64.so + 0x4180)
+                #5  0x0000557669662ada qemu_thread_start.llvm.13264588188580115644 (qemu-kvm + 0xa18ada)
+                #6  0x00007fe0c68a1912 start_thread (libc.so.6 + 0xa1912)
+                #7  0x00007fe0c683f450 __clone3 (libc.so.6 + 0x3f450)
+                
+                Stack trace of thread 1154719:
+                #0  0x00007fe0c689e670 __GI___lll_lock_wait (libc.so.6 + 0x9e670)
+                #1  0x00007fe0c68a4d02 __pthread_mutex_lock@GLIBC_2.2.5 (libc.so.6 + 0xa4d02)
+                #2  0x0000557669661b76 qemu_mutex_lock_impl (qemu-kvm + 0xa17b76)
+                #3  0x000055766967c937 main_loop_wait (qemu-kvm + 0xa32937)
+                #4  0x00005576691a30c7 qemu_main_loop (qemu-kvm + 0x5590c7)
+                #5  0x0000557668fe3cca qemu_default_main (qemu-kvm + 0x399cca)
+                #6  0x00007fe0c683feb0 __libc_start_call_main (libc.so.6 + 0x3feb0)
+                #7  0x00007fe0c683ff60 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3ff60)
+                #8  0x0000557668fe33e5 _start (qemu-kvm + 0x3993e5)
+                
+                Stack trace of thread 1154725:
+                #0  0x00007fe0c689e670 __GI___lll_lock_wait (libc.so.6 + 0x9e670)
+                #1  0x00007fe0c68a4d02 __pthread_mutex_lock@GLIBC_2.2.5 (libc.so.6 + 0xa4d02)
+                #2  0x0000557669661b76 qemu_mutex_lock_impl (qemu-kvm + 0xa17b76)
+                #3  0x00005576693dc514 do_st_mmio_leN.llvm.5973256065011438912 (qemu-kvm + 0x792514)
+                #4  0x00005576693d3d22 do_st4_mmu.llvm.5973256065011438912 (qemu-kvm + 0x789d22)
+                #5  0x00007fe07cbfe35b n/a (n/a + 0x0)
+                ELF object binary architecture: AMD x86-64
+
+
+[coredumpctl_collect] Trying to run gdb with 'set print pretty on\\nbt full' for '/usr/libexec/qemu-kvm'
+GNU gdb (GDB) Red Hat Enterprise Linux 10.2-13.el9
+Copyright (C) 2021 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-redhat-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<https://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+    <http://www.gnu.org/software/gdb/documentation/>.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+/root/.gdbinit:1: Error in sourced command file:
+No symbol table is loaded.  Use the "file" command.
+Reading symbols from /usr/libexec/qemu-kvm...
+Downloading separate debug info for /usr/libexec/qemu-kvm...
+Reading symbols from /root/.cache/debuginfod_client/6fdfad7763b68956a31a335edd490cef23088a9a/debuginfo...
+Downloading separate debug info for /root/.cache/debuginfod_client/6fdfad7763b68956a31a335edd490cef23088a9a/debuginfo...
+[New LWP 1154728]
+[New LWP 1154721]
+[New LWP 1154727]
+[New LWP 1154719]
+[New LWP 1154725]
+[New LWP 1154729]
+[New LWP 1154726]
+[New LWP 1154723]
+[New LWP 1154730]
+[New LWP 1154724]
+[New LWP 1154722]
+Downloading separate debug info for /lib64/libpixman-1.so.0...
+Downloading separate debug info for /lib64/libcapstone.so.4...
+Downloading separate debug info for /root/.cache/debuginfod_client/fabd9508a8df77430d74e376fc1853545deaa9a4/debuginfo...
+Downloading separate debug info for /lib64/libgnutls.so.30...
+Downloading separate debug info for /root/.cache/debuginfod_client/3ca805ea0a9583fc8272d443181745507c6c1391/debuginfo...
+Downloading separate debug info for /lib64/libpng16.so.16...
+Downloading separate debug info for /lib64/libz.so.1...
+Downloading separate debug info for /lib64/libsasl2.so.3...
+Downloading separate debug info for /root/.cache/debuginfod_client/d5669a4356bbdf6b9dba9d25fe4674098af42f8d/debuginfo...
+Downloading separate debug info for /lib64/libsnappy.so.1...
+Downloading separate debug info for /lib64/liblzo2.so.2...
+Downloading separate debug info for /lib64/libpmem.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/571e30ee251154a37d94e8c45def4e0b40fdaa92/debuginfo...
+Downloading separate debug info for /lib64/libseccomp.so.2...
+Downloading separate debug info for /lib64/libfdt.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/31a56e0009a8824c7a09267c8205034c91cb4095/debuginfo...
+Downloading separate debug info for /lib64/libnuma.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/e78797386b6fc540350223e432c3bfee6034d2e1/debuginfo...
+Downloading separate debug info for /lib64/libgio-2.0.so.0...
+Downloading separate debug info for /root/.cache/debuginfod_client/56c6122b97d5e4dd5fdf68756bdc02058ce02bbf/debuginfo...
+Downloading separate debug info for /lib64/libgobject-2.0.so.0...
+Downloading separate debug info for /lib64/libglib-2.0.so.0...
+Downloading separate debug info for /lib64/librdmacm.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/7714785fff3ebddc1077a3fad30fffa35283766f/debuginfo...
+Downloading separate debug info for /lib64/libibverbs.so.1...
+Downloading separate debug info for /lib64/libslirp.so.0...
+Downloading separate debug info for /lib64/liburing.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/8f52f15e8dff019c877c3c25083ef4a459429b99/debuginfo...
+Downloading separate debug info for /lib64/libgmodule-2.0.so.0...
+Downloading separate debug info for /lib64/libaio.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/9b75d21282f8e17ddfa06aff78dae4f8dcce4106/debuginfo...
+Downloading separate debug info for /lib64/libm.so.6...
+Downloading separate debug info for /lib64/libresolv.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/8a914905acea217452c928c2e200afceb83341c5/debuginfo...
+Downloading separate debug info for /lib64/libgcc_s.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/ef4c928f1372ad155fea761f0e840ecd264fb153/debuginfo...
+Downloading separate debug info for /lib64/libc.so.6...
+Downloading separate debug info for /lib64/libp11-kit.so.0...
+Downloading separate debug info for /root/.cache/debuginfod_client/b935d795aaf6f8cbc392c922b6c97a4c8db44c41/debuginfo...
+Downloading separate debug info for /lib64/libidn2.so.0...
+Downloading separate debug info for /root/.cache/debuginfod_client/958c50fc94ecb196b24f3619762e7ec3f28a5b40/debuginfo...
+Downloading separate debug info for /lib64/libunistring.so.2...
+Downloading separate debug info for /lib64/libtasn1.so.6...
+Downloading separate debug info for /lib64/libnettle.so.8...
+Downloading separate debug info for /root/.cache/debuginfod_client/0dd622456d9a5330679490d3bd9d812582d9f9d3/debuginfo...
+Downloading separate debug info for /lib64/libhogweed.so.6...
+Downloading separate debug info for /lib64/libcrypt.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/6ce4e5eb200e61d07398af52f8bcb316cf8466e0/debuginfo...
+Downloading separate debug info for /lib64/libgssapi_krb5.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/5ce5f00c8b502e99ab96853950db60f97a710b28/debuginfo...
+Downloading separate debug info for /lib64/libkrb5.so.3...
+Downloading separate debug info for /lib64/libk5crypto.so.3...
+Downloading separate debug info for /lib64/libcom_err.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/2313e22f074e5b67e97bb22e01a722cc727512b1/debuginfo...
+Downloading separate debug info for /lib64/libstdc++.so.6...
+Downloading separate debug info for /lib64/libndctl.so.6...
+Downloading separate debug info for /root/.cache/debuginfod_client/e2e24fd2c7061434b2a0cc849cdcd2854a4a0557/debuginfo...
+Downloading separate debug info for /lib64/libdaxctl.so.1...
+Downloading separate debug info for /lib64/libmount.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/98bababfe2b3d1d0ca128831439521f2b5b7aa95/debuginfo...
+Downloading separate debug info for /lib64/libselinux.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/bdc4adbb0901b548f448d6f0d92b49c352e3b9f6/debuginfo...
+Downloading separate debug info for /lib64/libffi.so.8...
+Downloading separate debug info for /lib64/libpcre.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/cffb947bcc416dca3cd249cdb0a1c6f614549c30/debuginfo...
+Downloading separate debug info for /lib64/libnl-3.so.200...
+Downloading separate debug info for /root/.cache/debuginfod_client/22262a5a1956360f9f4c1daa89e592b1be03cd14/debuginfo...
+Downloading separate debug info for /lib64/libnl-route-3.so.200...
+Downloading separate debug info for /lib64/libkrb5support.so.0...
+Downloading separate debug info for /lib64/libkeyutils.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/5f6459dcec3e266d994b8d4e5b23507c4c0df11e/debuginfo...
+Downloading separate debug info for /lib64/libcrypto.so.3...
+Downloading separate debug info for /root/.cache/debuginfod_client/fb8a738ffca8bdbe3172c842ee9d56f969516473/debuginfo...
+Downloading separate debug info for /lib64/libuuid.so.1...
+Downloading separate debug info for /lib64/libkmod.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/9057cef69769e25914be12563e5d821aef1bd9cb/debuginfo...
+Downloading separate debug info for /lib64/libblkid.so.1...
+Downloading separate debug info for /lib64/libpcre2-8.so.0...
+Downloading separate debug info for /root/.cache/debuginfod_client/10357f8fa75891b03cd08344d56efa49ad9d607f/debuginfo...
+Downloading separate debug info for /lib64/libcap.so.2...
+Downloading separate debug info for /root/.cache/debuginfod_client/94e5c930fa02b381df948b2d2909d96da9f31407/debuginfo...
+Downloading separate debug info for /lib64/libzstd.so.1...
+Downloading separate debug info for /root/.cache/debuginfod_client/f0c68ad1b3f8941857af47c6887736d835317ccc/debuginfo...
+Downloading separate debug info for /lib64/liblzma.so.5...
+Downloading separate debug info for /usr/libexec/../lib64/qemu-kvm/accel-tcg-x86_64.so...
+Downloading separate debug info for /root/systemd/system-supplied DSO at 0x7ffd4cb6b000...
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+Core was generated by `/bin/qemu-system-x86_64 -smp 8 -net none -m 768M -nographic -kernel /boot/vmlin'.
+Program terminated with signal SIGSEGV, Segmentation fault.
+#0  memory_region_get_iommu (mr=0x418c0fdb85f05d8b)
+    at /usr/src/debug/qemu-kvm-8.2.0-2.el9.x86_64/include/exec/memory.h:1715
+Downloading source file /usr/src/debug/qemu-kvm-8.2.0-2.el9.x86_64/include/exec/memory.h...
+1715\t    if (mr->alias) {
+[Current thread is 1 (Thread 0x7fe033fff640 (LWP 1154728))]
+(gdb) (gdb) #0  memory_region_get_iommu (mr=0x418c0fdb85f05d8b)
+    at /usr/src/debug/qemu-kvm-8.2.0-2.el9.x86_64/include/exec/memory.h:1715
+        addr = 18446603473123421792
+        d = 0x7fe03c135150
+        section = 0x7fe03c621e70
+        imrc = <optimized out>
+        iommu_idx = <optimized out>
+        iotlb = {
+          target_as = <optimized out>,
+          iova = <optimized out>,
+          translated_addr = <optimized out>,
+          addr_mask = <optimized out>,
+          perm = <optimized out>
+        }
+#1  address_space_translate_for_iotlb
+    (cpu=0x55766c32c480, asidx=<optimized out>, orig_addr=472023040, xlat=0x7fe048df9ea0, plen=0x7fe048df9e98, attrs=..., prot=0x7fe048df9e94)
+    at ../system/physmem.c:688
+        addr = 18446603473123421792
+        d = 0x7fe03c135150
+        section = 0x7fe03c621e70
+        imrc = <optimized out>
+        iommu_idx = <optimized out>
+        iotlb = {
+          target_as = <optimized out>,
+          iova = <optimized out>,
+          translated_addr = <optimized out>,
+          addr_mask = <optimized out>,
+          perm = <optimized out>
+        }
+#2  0x00005576693d149f in tlb_set_page_full
+    (cpu=0x55766c32c480, mmu_idx=<optimized out>, addr=18446741874686296064, full=0x7fe048df9ed8) at ../accel/tcg/cputlb.c:1140
+        sz = 4096
+        addr_page = 18446741874686296064
+        paddr_page = 472023040
+        prot = 1
+        asidx = -536727968
+        xlat = 18599936
+        section = <optimized out>
+        read_flags = <optimized out>
+        is_romd = <optimized out>
+        addend = <optimized out>
+        write_flags = <optimized out>
+        iotlb = <optimized out>
+        wp_flags = <optimized out>
+        index = <optimized out>
+        te = <optimized out>
+        tn = {
+          {
+            addr_read = <optimized out>,
+            addr_write = <optimized out>,
+            addr_code = <optimized out>,
+            addend = <optimized out>
+          },
+          addr_idx = {<optimized out>, <optimized out>, <optimized out>, <optimized out>}
+        }
+#3  0x0000557669248a18 in tlb_set_page_with_attrs
+    (cpu=0x55766c32c480, addr=18446741874686296064, paddr=<optimized out>, attrs=..., prot=<optimized out>, mmu_idx=0, size=<optimized out>)
+    at ../accel/tcg/cputlb.c:1290
+        out = {
+          paddr = 472027056,
+          prot = 1,
+          page_size = 4096
+        }
+        err = {
+          exception_index = 472064000,
+          error_code = 0,
+          cr2 = 13915309287368685568,
+          stage2 = (unknown: 0x1c232b28)
+        }
+        env = <optimized out>
+#4  x86_cpu_tlb_fill
+    (cs=0x55766c32c480, addr=<optimized out>, size=<optimized out>, access_type=MMU_DATA_LOAD, mmu_idx=0, probe=<optimized out>, retaddr=0)
+    at ../target/i386/tcg/sysemu/excp_helper.c:610
+        out = {
+          paddr = 472027056,
+          prot = 1,
+          page_size = 4096
+        }
+        err = {
+          exception_index = 472064000,
+          error_code = 0,
+          cr2 = 13915309287368685568,
+          stage2 = (unknown: 0x1c232b28)
+        }
+        env = <optimized out>
+#5  0x00005576693db519 in tlb_fill
+    (addr=18446741874686300080, size=-2047844981, access_type=MMU_DATA_LOAD, mmu_idx=0, retaddr=0, cpu=<optimized out>) at ../accel/tcg/cputlb.c:1315
+        ok = <optimized out>
+        addr = 18446741874686300080
+        index = <optimized out>
+        entry = 0x7fe028017080
+        tlb_addr = <optimized out>
+        maybe_resized = false
+        full = <optimized out>
+        flags = <optimized out>
+#6  mmu_lookup1
+    (cpu=<optimized out>, data=0x7fe048df9f00, mmu_idx=0, access_type=MMU_DATA_LOAD, ra=0) at ../accel/tcg/cputlb.c:1713
+        addr = 18446741874686300080
+        index = <optimized out>
+        entry = 0x7fe028017080
+        tlb_addr = <optimized out>
+        maybe_resized = false
+        full = <optimized out>
+        flags = <optimized out>
+#7  0x00005576693db31b in mmu_lookup
+    (cpu=0x55766c32c480, addr=18446741874686300080, oi=<optimized out>, ra=0, type=MMU_DATA_LOAD, l=0x7fe048df9f00) at ../accel/tcg/cputlb.c:1803
+        a_bits = <optimized out>
+        flags = <optimized out>
+#8  0x00005576693d3173 in do_ld4_mmu
+    (cpu=0x7fe03c135150, addr=18446603473123421792, oi=2247122315, ra=140601056453952, access_type=MMU_DATA_LOAD) at ../accel/tcg/cputlb.c:2416
+        l = {
+          page = {{
+              full = 0x1c232000,
+              haddr = 0xc0700000000,
+              addr = 18446741874686300080,
+              flags = 88995840,
+              size = 4
+            }, {
+              full = 0x7fe033fff458,
+              haddr = 0xc11d1c12054df800,
+              addr = 18446741874686296064,
+              flags = 88995840,
+              size = 0
+            }},
+          memop = MO_32,
+          mmu_idx = 0
+        }
+        crosspage = <optimized out>
+        ret = <optimized out>
+#9  0x00005576692d44cf in cpu_ldl_mmu
+    (env=0x55766c32ec30, addr=18446741874686300080, oi=2247122315, ra=0)
+    at ../accel/tcg/ldst_common.c.inc:158
+        oi = 2247122315
+        has_error_code = <optimized out>
+        old_eip = 18446744072005078059
+        dt = 0x55766c32edc0
+        ptr = 18446741874686300080
+        e1 = <optimized out>
+        e2 = <optimized out>
+        e3 = <optimized out>
+        type = <optimized out>
+        dpl = <optimized out>
+        cpl = <optimized out>
+        selector = <optimized out>
+        offset = <optimized out>
+        ist = <optimized out>
+        new_stack = <optimized out>
+        esp = <optimized out>
+        ss = <optimized out>
+        count = 0
+        env = 0x55766c32ec30
+#10 cpu_ldl_le_mmuidx_ra
+    (env=0x55766c32ec30, addr=18446741874686300080, mmu_idx=<optimized out>, ra=0) at ../accel/tcg/ldst_common.c.inc:294
+        oi = 2247122315
+        has_error_code = <optimized out>
+        old_eip = 18446744072005078059
+        dt = 0x55766c32edc0
+        ptr = 18446741874686300080
+        e1 = <optimized out>
+        e2 = <optimized out>
+        e3 = <optimized out>
+        type = <optimized out>
+        dpl = <optimized out>
+        cpl = <optimized out>
+        selector = <optimized out>
+        offset = <optimized out>
+        ist = <optimized out>
+        new_stack = <optimized out>
+        esp = <optimized out>
+        ss = <optimized out>
+        count = 0
+        env = 0x55766c32ec30
+#11 do_interrupt64
+    (env=0x55766c32ec30, intno=251, is_int=0, error_code=0, next_eip=<optimized out>, is_hw=<optimized out>) at ../target/i386/tcg/seg_helper.c:889
+        has_error_code = <optimized out>
+        old_eip = 18446744072005078059
+        dt = 0x55766c32edc0
+        ptr = 18446741874686300080
+        e1 = <optimized out>
+        e2 = <optimized out>
+        e3 = <optimized out>
+        type = <optimized out>
+        dpl = <optimized out>
+        cpl = <optimized out>
+        selector = <optimized out>
+        offset = <optimized out>
+        ist = <optimized out>
+        new_stack = <optimized out>
+        esp = <optimized out>
+        ss = <optimized out>
+        count = 0
+        env = 0x55766c32ec30
+#12 do_interrupt_all
+    (cpu=0x55766c32c480, intno=251, is_int=0, error_code=0, next_eip=<optimized out>, is_hw=<optimized out>) at ../target/i386/tcg/seg_helper.c:1130
+        count = 0
+        env = 0x55766c32ec30
+#13 0x000055766924f605 in do_interrupt_x86_hardirq
+    (env=<optimized out>, intno=<optimized out>, is_hw=<optimized out>)
+    at ../target/i386/tcg/seg_helper.c:1162
+        cpu = 0x55766c32c480
+        env = <optimized out>
+        intno = <optimized out>
+#14 0x000055766924f605 in x86_cpu_exec_interrupt ()
+#15 0x00005576693bdc25 in cpu_handle_interrupt
+    (cpu=0x55766c32c480, last_tb=<optimized out>)
+    at ../accel/tcg/cpu-exec.c:865
+        cc = <optimized out>
+        interrupt_request = 2
+        last_tb = <optimized out>
+        tb_exit = <optimized out>
+        ret = <optimized out>
+#16 cpu_exec_loop (cpu=0x55766c32c480, sc=0x7fe048df9fb0)
+    at ../accel/tcg/cpu-exec.c:974
+        last_tb = <optimized out>
+        tb_exit = <optimized out>
+        ret = <optimized out>
+#17 0x00005576693bcee1 in cpu_exec_setjmp
+    (cpu=0x55766c32c480, sc=0x7fe048df9fb0) at ../accel/tcg/cpu-exec.c:1058
+#18 0x00005576693bcd64 in cpu_exec (cpu=0x55766c32c480)
+    at ../accel/tcg/cpu-exec.c:1084
+        sc = {
+          diff_clk = 0,
+          last_cpu_icount = 0,
+          realtime_clock = 0
+        }
+        ret = <optimized out>
+#19 0x00007fe0c5e4011c in tcg_cpus_exec (cpu=0x55766c32c480)
+    at ../accel/tcg/tcg-accel-ops.c:76
+        ret = <optimized out>
+        r = <optimized out>
+        force_rcu = {
+          notifier = {
+            notify = 0x7fe0c5e40250 <mttcg_force_rcu>,
+            node = {
+              le_next = 0x0,
+              le_prev = 0x7fe033fff478
+            }
+          },
+          cpu = 0x55766c32c480
+        }
+#20 mttcg_cpu_thread_fn (arg=0x55766c32c480)
+    at ../accel/tcg/tcg-accel-ops-mttcg.c:95
+        r = <optimized out>
+        force_rcu = {
+          notifier = {
+            notify = 0x7fe0c5e40250 <mttcg_force_rcu>,
+            node = {
+              le_next = 0x0,
+              le_prev = 0x7fe033fff478
+            }
+          },
+          cpu = 0x55766c32c480
+        }
+#21 0x0000557669662ada in qemu_thread_start (args=0x55766c3a1870)
+    at ../util/qemu-thread-posix.c:541
+        __clframe = {
+          __cancel_routine = <optimized out>,
+          __cancel_arg = 0x0,
+          __do_it = 1,
+          __cancel_type = <synthetic pointer>
+        }
+        qemu_thread_args = 0x55766c3a1870
+        start_routine = 0x7fe0c5e40000 <mttcg_cpu_thread_fn>
+        arg = 0x55766c32c480
+        r = <optimized out>
+#22 0x00007fe0c68a1912 in start_thread (arg=<optimized out>)
+    at pthread_create.c:443
+        ret = <optimized out>
+        pd = <optimized out>
+        unwind_buf = {
+          cancel_jmp_buf = {{
+              jmp_buf = {140725889877392, 270352123062618637, 140600921814592, 0, 140603380340288, 0, -288199396121933299, -287677566653593075},
+              mask_was_saved = 0
+            }},
+          priv = {
+            pad = {0x0, 0x0, 0x0, 0x0},
+            data = {
+              prev = 0x0,
+              cleanup = 0x0,
+              canceltype = 0
+            }
+          }
+        }
+        not_first_call = <optimized out>
+#23 0x00007fe0c683f450 in clone3 ()
+    at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
+```
+
+Also, a couple runs failed with:
+```
++ /usr/libexec/qemu-kvm -smp 8 -net none -m 768M -nographic -kernel /boot/vmlinuz-5.14.0-427.el9.x86_64 -drive format=raw,cache=unsafe,file=/var/tmp/systemd-test.7FKAS9/basic.img -device virtio-rng-pci,max-bytes=1024,period=1000 -cpu Nehalem -initrd /var/tmp/ci-sanity-initramfs-5.14.0-390.el9.x86_64.img -append 'root=LABEL=systemd_boot rw raid=noautodetect rd.luks=0 loglevel=2 init=/usr/lib/systemd/systemd console=ttyS0 SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/testsuite-01.units:/usr/lib/systemd/tests/testdata/units: systemd.unit=testsuite.target systemd.wants=testsuite-01.service oops=panic panic=1 softlockup_panic=1 systemd.wants=end.service debug systemd.log_level=debug rd.systemd.log_target=console systemd.default_standard_output=journal+console systemd.unified_cgroup_hierarchy=1 systemd.legacy_systemd_cgroup_controller=0
+'
+Could not access KVM kernel module: No such file or directory
+qemu-kvm: failed to initialize kvm: No such file or directory
+qemu-kvm: falling back to tcg
+qemu-kvm: warning: Machine type 'pc-i440fx-rhel7.6.0' is deprecated: machine types for previous major releases are deprecated
+\u001bc\u001b[?7l\u001b[2J\u001b[0mSeaBIOS (version 1.16.3-2.el9)
+Booting from ROM...
+early console in setup codae
+Probing EDD (edd=off to disable)... o\u001bc\u001b[?7l\u001b[2J\u001b[0mk
+[    0.000000] Linux version 5.14.0-427.el9.x86_64 (mockbuild@x86-05.stream.rdu2.redhat.com) (gcc (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3), GNU ld version 2.35.2-42.el9) #1 SMP PREEMPT_DYNAMIC Fri Feb 23 04:45:07 UTC 2024
+...
+[    2.152522] pci 0000:00:02.0: reg 0x30: [mem 0xfebe0000-0xfebeffff pref]
+[    2.153914] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
+[    2.156615] pci 0000:00:03.0: [1af4:1005] type 00 class 0x00ff00
+[    2.159388] pci 0000:00:03.0: reg 0x10: [io  0xc000-0xc01f]
+qemu-kvm: ../system/memory.c:2424: void *memory_region_get_ram_ptr(MemoryRegion *): Assertion `mr->ram_block' failed.
+/bin/qemu-system-x86_64: line 4: 137172 Aborted                 (core dumped) "/usr/libexec/qemu-kvm" "$@"
+```
+
+I'm not sure if the two issues are related, or if the assertion is something completely different."""
+reproduce = """I, unfortunately, don't have any concrete steps to reproduce the issue, it happens randomly throughout CI runs. However, when needed, I can reproduce the issue in some reliable-ish manner by running the integration tests in a loop (the issue manifests itself usually in a couple of hours in this case)."""
+additional = """"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2302.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2302.toml
new file mode 100644
index 00000000..133f91de
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2302.toml
@@ -0,0 +1,33 @@
+id = 2302
+title = "qemu-x86_64 crashes with \"Illegal Instruction\" on SPECCPU2017 Benchmarks"
+state = "closed"
+created_at = "2024-04-23T06:44:19.463Z"
+closed_at = "2024-04-23T14:31:35.606Z"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2302"
+host-os = "Ubuntu 22.04.1"
+host-arch = "x86_64"
+qemu-version = "8.2.2"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """I am running qemu-x86_64 with SPEC CPU 2017 benchmarks, and the compiled benchmarks such as Perlbench will crash unexpectedly. I have changed to three other machines to run it and still get crashes on two of them, I don't know what's the problem and want some help."""
+reproduce = """1. Compile SPEC CPU 2017 basic Perlbench binary. 
+2. Use the above command line to run it."""
+additional = """I have added some debugging flags to qemu-x86_64 to test it. The "-d in_asm" flag gives me the instructions before the crash like this:
+```
+----------------
+IN: Perl_lex_start
+0x555555678a79:  48 89 83 a8 00 00 00     movq     %rax, 0xa8(%rbx)
+0x555555678a80:  e9 01 ff ff ff           jmp      0x555555678986
+
+----------------
+IN: Perl_lex_start
+0x555555678986:  48 8b 50 10              movq     0x10(%rax), %rdx
+0x55555567898a:  41 83 e4 16              andl     $0x16, %r12d
+0x55555567898e:  48 89 93 d0 00 00 00     movq     %rdx, 0xd0(%rbx)
+0x555555678995:  48 89 93 c0 00 00 00     movq     %rdx, 0xc0(%rbx)
+0x55555567899c:  62                       .byte    0x62
+
+qemu: uncaught target signal 4 (Illegal instruction) - core dumped
+Illegal instruction (core dumped)
+```"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2380.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2380.toml
new file mode 100644
index 00000000..53c4f666
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2380.toml
@@ -0,0 +1,113 @@
+id = 2380
+title = "Crash on x86_64 vm launch"
+state = "closed"
+created_at = "2024-06-03T11:56:48.151Z"
+closed_at = "2024-06-15T21:55:09.107Z"
+labels = ["accel: TCG", "hostos: Windows", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2380"
+host-os = "Windows 11 pro 23H2"
+host-arch = "x86_64"
+qemu-version = "any version"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """When I started using QEMU for x86 OS programming about a year or 2 ago it ran fine until about a year ago where it just does not launch for more than a few seconds, it always crashes with no output at all, even when running with debug options enabled, it still outputs normal values before just crashing or exiting, this happens when running with an OS image or not, I have tried everything possible (wiping the whole system of anything including "qemu" including the registry, disabling all AV including windows defender, using SFC and DISM to repair corrupt files, installing the oldest versions of qemu up to the newest, running the program in different compatibility modes, running as admin, changing install directories, disabling overclocking, and many more) the only way it runs is if I use a VM to run qemu or reinstall windows, I am not reinstalling windows and im not running a vm to run another vm, my OS is very stable apart from this one program, I need to use QEMU as it is very important for my OS builds as it allows me to automate many things."""
+reproduce = """1. launch qemu-system-x86_64
+
+unable to reproduce on other clean OS installs"""
+additional = """upon clean building QEMU from latest build using MSYS2 and running GDB here is the output
+
+```
+(gdb) run
+Starting program: C:\\qemu\\build\\qemu-system-x86_64.exe
+[New Thread 22292.0x250c]
+[New Thread 22292.0x2004]
+[New Thread 22292.0x1d2c]
+[New Thread 22292.0x5614]
+[New Thread 22292.0x5b3c]
+[New Thread 22292.0x5ae8]
+[New Thread 22292.0x2d04]
+[New Thread 22292.0x5588]
+[New Thread 22292.0x3ce8]
+gdb: unknown target exception 0xc0000409 at 0x7ffac8f83e74
+
+Thread 8 received signal ?, Unknown signal.
+[Switching to Thread 22292.0x2d04]
+0x00007ffac8f83e74 in strerror_s () from C:\\Windows\\System32\\msvcrt.dll
+
+```
+
+the error code leads to STATUS_STACK_BUFFER_OVERRUN
+
+upon back tracing this it leads to this output
+
+```
+(gdb) bt
+#0  0x00007ffac8f83e74 in strerror_s () from C:\\Windows\\System32\\msvcrt.dll
+#1  0x00007ffac8f82c04 in msvcrt!longjmp () from C:\\Windows\\System32\\msvcrt.dll
+#2  0x00007ff670af2b8e in advance_pc (env=0x34d3c60, s=0x4beff8d0, num_bytes=4)
+    at ../target/i386/tcg/translate.c:2131
+#3  0x00007ff670af2d33 in x86_ldl_code (env=0x34d3c60, s=0x4beff8d0)
+    at ../target/i386/tcg/translate.c:2169
+#4  0x00007ff670af3939 in insn_get (env=0x34d3c60, s=0x4beff8d0, ot=MO_32)
+    at ../target/i386/tcg/translate.c:2454
+#5  0x00007ff670b0c4ca in disas_insn (s=0x4beff8d0, cpu=0x34d1450)
+    at ../target/i386/tcg/translate.c:5148
+#6  0x00007ff670b1253f in i386_tr_translate_insn (dcbase=0x4beff8d0, cpu=0x34d1450)
+    at ../target/i386/tcg/translate.c:7023
+#7  0x00007ff670ba30b2 in translator_loop (cpu=0x34d1450, tb=0x3b3a280, max_insns=0x4beffba4,
+    pc=954352, host_pc=0x43de8ff0, ops=0x7ff671a9b480 <i386_tr_ops>, db=0x4beff8d0)
+    at ../accel/tcg/translator.c:164
+#8  0x00007ff670b127ef in gen_intermediate_code (cpu=0x34d1450, tb=0x3b3a280,
+    max_insns=0x4beffba4, pc=954352, host_pc=0x43de8ff0) at ../target/i386/tcg/translate.c:7099
+#9  0x00007ff670ba1abd in setjmp_gen_code (env=0x34d3c60, tb=0x3b3a280, pc=954352,
+    host_pc=0x43de8ff0, max_insns=0x4beffba4, ti=0x4beffbc0) at ../accel/tcg/translate-all.c:278
+#10 0x00007ff670ba1de3 in tb_gen_code (cpu=0x34d1450, pc=954352, cs_base=0, flags=176,
+    cflags=-16646144) at ../accel/tcg/translate-all.c:358
+#11 0x00007ff670b96508 in cpu_exec_loop (cpu=0x34d1450, sc=0x4beffd60)
+    at ../accel/tcg/cpu-exec.c:989
+#12 0x00007ff670b96689 in cpu_exec_setjmp (cpu=0x34d1450, sc=0x4beffd60)
+    at ../accel/tcg/cpu-exec.c:1035
+#13 0x00007ff670b96728 in cpu_exec (cpu=0x34d1450) at ../accel/tcg/cpu-exec.c:1061
+--Type <RET> for more, q to quit, c to continue without paging--
+#14 0x00007ff670bc1fb7 in tcg_cpu_exec (cpu=0x34d1450) at ../accel/tcg/tcg-accel-ops.c:76
+#15 0x00007ff670bc28a2 in mttcg_cpu_thread_fn (arg=0x34d1450)
+    at ../accel/tcg/tcg-accel-ops-mttcg.c:95
+#16 0x00007ff670de8587 in win32_start_routine (arg=0x3537c60) at ../util/qemu-thread-win32.c:411
+#17 0x00007ffac8f8e634 in msvcrt!_beginthreadex () from C:\\Windows\\System32\\msvcrt.dll
+#18 0x00007ffac8f8e70c in msvcrt!_endthreadex () from C:\\Windows\\System32\\msvcrt.dll
+#19 0x00007ffac901257d in KERNEL32!BaseThreadInitThunk () from C:\\Windows\\System32\\kernel32.dll
+#20 0x00007ffacae0aa48 in ntdll!RtlUserThreadStart () from C:\\Windows\\SYSTEM32\\ntdll.dll
+#21 0x0000000000000000 in ?? ()
+
+```
+
+if I am reading the output correctly   qemu/target/i386/tcg/translate.c:2131     is the last file (in source) it accesses before moving to msvcrt.dll,  inside of the advance_pc function
+
+
+this is the function
+
+```
+static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes) {
+    uint64_t pc = s->pc;
+
+    if (s->base.num_insns > 1 && !is_same_page(&s->base, s->pc + num_bytes - 1)) {
+        siglongjmp(s->jmpbuf, 2);   <--------------------------------------------------   The line is the last function call
+    }
+
+    s->pc += num_bytes;
+
+    if (unlikely(cur_insn_len(s) > X86_MAX_INSN_LENGTH)) {
+        if (((s->pc - 1) ^ (pc - 1)) & TARGET_PAGE_MASK) {
+            volatile uint8_t unused = cpu_ldub_code(env, (s->pc - 1) & TARGET_PAGE_MASK);
+            (void)unused;
+        }
+        siglongjmp(s->jmpbuf, 1);
+    }
+
+    return pc;
+}
+```
+
+if I had to guess this problem could be caused by some windows configuration, something to do with memory, or maybe some corrupt files, but I am unsure
+
+I am not a c programmer so I don't know much about the code but I can debug more if needed"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2474.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2474.toml
new file mode 100644
index 00000000..35aaa3d8
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2474.toml
@@ -0,0 +1,104 @@
+id = 2474
+title = "x86_64: strange translation of \"vpgatherqq\""
+state = "closed"
+created_at = "2024-08-01T14:30:53.757Z"
+closed_at = "2024-08-05T23:54:55.105Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2474"
+host-os = "Linux"
+host-arch = "x86"
+qemu-version = "9.0.2"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """The translate of instruction "vpgatherqq" is confusing.
+
+It happens when register xmm4 is in the middle, like "vpgatherqq %xmmi,0x0(,%xmm4,1),%xmmj"."""
+reproduce = """1. Make a simple embedded assembly code named test.c:
+```
+int main()
+{
+    asm("vpgatherqq %xmm6,0x123(,%xmm2,4),%xmm7");
+    asm("vpgatherqq %xmm6,0x123(,%xmm3,4),%xmm7");
+    asm("vpgatherqq %xmm6,0x123(,%xmm4,4),%xmm7");
+    asm("vpgatherqq %xmm6,0x123(,%xmm5,4),%xmm7");
+    return 0;
+}
+```
+and compile it:
+```
+gcc -o test test.c -static
+```
+
+2. Run it with QEMU, print the micro ops:
+```
+qemu-x86_64 -d op -D a.out test
+```
+We can get output like this (only contain vpgatherqq):
+```
+ ---- 000000000040174d 0000000000000000
+ mov_i64 loc2,$0x123
+ add_i64 loc14,env,$0x3d0      #This is xmm2
+ add_i64 loc16,env,$0x4d0
+ add_i64 loc18,env,$0x510
+ call vpgatherqq_xmm,$0x0,$0,env,loc18,loc16,loc14,loc2,$0x2
+ mov_vec v128,e8,tmp20,v128$0x0
+ st_vec v128,e8,tmp20,env,$0x4e0
+ mov_vec v128,e8,tmp22,v128$0x0
+ st_vec v128,e8,tmp22,env,$0x520
+
+ ---- 0000000000401757 0000000000000000
+ mov_i64 loc2,$0x123
+ add_i64 loc23,env,$0x410      #This is xmm3
+ add_i64 loc25,env,$0x4d0
+ add_i64 loc26,env,$0x510
+ call vpgatherqq_xmm,$0x0,$0,env,loc26,loc25,loc23,loc2,$0x2
+ mov_vec v128,e8,tmp27,v128$0x0
+ st_vec v128,e8,tmp27,env,$0x4e0
+ mov_vec v128,e8,tmp28,v128$0x0
+ st_vec v128,e8,tmp28,env,$0x520
+
+ ---- 0000000000401761 0000000000000000
+ mov_i64 loc2,$0x123
+ add_i64 loc29,env,$0x310      #This is xmm4 ???
+ add_i64 loc31,env,$0x4d0
+ add_i64 loc32,env,$0x510
+ call vpgatherqq_xmm,$0x0,$0,env,loc32,loc31,loc29,loc2,$0x2
+ mov_vec v128,e8,tmp33,v128$0x0
+ st_vec v128,e8,tmp33,env,$0x4e0
+ mov_vec v128,e8,tmp34,v128$0x0
+ st_vec v128,e8,tmp34,env,$0x520
+
+ ---- 000000000040176b 0000000000000000
+ mov_i64 loc2,$0x123
+ add_i64 loc35,env,$0x490      #This is xmm5
+ add_i64 loc37,env,$0x4d0
+ add_i64 loc38,env,$0x510
+ call vpgatherqq_xmm,$0x0,$0,env,loc38,loc37,loc35,loc2,$0x2
+ mov_vec v128,e8,tmp39,v128$0x0
+ st_vec v128,e8,tmp39,env,$0x4e0
+ mov_vec v128,e8,tmp40,v128$0x0
+ st_vec v128,e8,tmp40,env,$0x520
+```
+3.
+
+Since the register xmms are continuous within the structure CPUArchState, the offset of xmm2, xmm3, xmm4, xmm5 should be a arithmetic sequence.
+
+From the output, we can infer that the common difference should be 0x40 and the offset of xmm4 should be 0x450 but not 0x310.
+
+I used GDB to track it, the location where the change occurred is:
+
+target/i386/tcg/translate.c, gen_lea_modrm_0(), line 2215:
+```
+        if (rm == 4) {
+            int code = x86_ldub_code(env, s);
+            scale = (code >> 6) & 3;
+            index = ((code >> 3) & 7) | REX_X(s);
+            if (index == 4) {
+                index = -1;  /* no index */
+            }
+            base = (code & 7) | REX_B(s);
+            havesib = 1;
+        }
+```
+This code turned 4 into -1, and -1 do explain the offset 0x310 (xmm0 has offset 0x350)."""
+additional = """Monitoring the function "helper_vpgatherqq_xmm" can draw similar conclusions: it used wrong value but not xmm4."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2489.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2489.toml
new file mode 100644
index 00000000..8e24df52
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2489.toml
@@ -0,0 +1,100 @@
+id = 2489
+title = "qemu-system-x86_64 TCG coredumps when using qemu_plugin_register_vcpu_mem_cb"
+state = "closed"
+created_at = "2024-08-07T14:13:16.777Z"
+closed_at = "2024-08-17T22:04:10.282Z"
+labels = ["TCG plugins", "accel: TCG", "guest: Windows", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2489"
+host-os = "NixOS 24.05, build environment is `nix develop nixpkgs#qemu"
+host-arch = "x86"
+qemu-version = "QEMU emulator version 9.0.90, commit 6d00c6f982562222adbd0613966285792125abe5"
+guest-os = "Windows 7 Professional SP1 x64, freshly installed"
+guest-arch = "x86"
+description = """QEMU freezes, then exits with `Segmentation fault (core dumped)`."""
+reproduce = """1. Install Windows 7 SP1 into `disk.qcow2`.
+2. Start the machine, and use `savevm snapshot` at the login screen, then exit.
+3. `./qemu-system-x86_64 -m 1G -M q35 -drive file=disk.qcow2 -nic none -loadvm snapshot -plugin contrib/plugins/libexeclog.so`"""
+additional = """QEMU runs normally without the plugin.
+
+This bug can also be reproduced with a simpler plugin just calling `qemu_plugin_register_vcpu_mem_cb` once per instruction:
+[minimal_plugin.diff](/uploads/6e6c1af21df90379e726e693a53f7b8f/minimal_plugin.diff).
+
+Log using `-d op,in_asm,out_asm,plugin -D log`: [log.gz](/uploads/ccfd26c4845422d63f72a357f8fc1137/log.gz)
+
+GDB full backtrace:
+```
+(gdb) bt f
+#0  stw_he_p (v=0, ptr=0x2) at /REDACTED/qemu/include/qemu/bswap.h:265
+No locals.
+#1  stw_le_p (v=0, ptr=0x2) at /REDACTED/qemu/include/qemu/bswap.h:319
+No locals.
+#2  access_stw (ac=ac@entry=0x7f1652dfec70, addr=addr@entry=18446735827410705922, val=val@entry=0) at ../target/i386/tcg/access.c:143
+        p = 0x2
+#3  0x000055dfca88534e in do_xsave_fpu (ac=ac@entry=0x7f1652dfec70, ptr=ptr@entry=18446735827410705920) at ../target/i386/tcg/fpu_helper.c:2537
+        env = 0x55dff34fe630
+        fpus = 0
+        fptag = <optimized out>
+        i = <optimized out>
+        addr = <optimized out>
+#4  0x000055dfca88caf8 in do_fxsave (ptr=18446735827410705920, ac=0x7f1652dfec70) at ../target/i386/tcg/fpu_helper.c:2632
+        env = 0x55dff34fe630
+        env = <optimized out>
+#5  helper_fxsave (env=<optimized out>, ptr=18446735827410705920) at ../target/i386/tcg/fpu_helper.c:2656
+        ra = <optimized out>
+        ac = {vaddr = 18446735827410705920, haddr1 = 0x0, haddr2 = 0x0, size = 512, size1 = 512, mmu_idx = 4, env = 0x55dff34fe630, 
+          ra = 139732667533971}
+#6  0x00007f160c030a93 in code_gen_buffer ()
+No locals.
+#7  0x000055dfca979986 in cpu_tb_exec (cpu=cpu@entry=0x55dff34fbe70, itb=itb@entry=0x7f160c030940 <code_gen_buffer+198931>, 
+    tb_exit=tb_exit@entry=0x7f1652dff228) at ../accel/tcg/cpu-exec.c:458
+        ret = <optimized out>
+        last_tb = <optimized out>
+        tb_ptr = 0x7f160c030a00 <code_gen_buffer+199123>
+        __PRETTY_FUNCTION__ = "cpu_tb_exec"
+#8  0x000055dfca979edd in cpu_loop_exec_tb (tb_exit=0x7f1652dff228, last_tb=<synthetic pointer>, pc=<optimized out>, 
+    tb=0x7f160c030940 <code_gen_buffer+198931>, cpu=0x55dff34fbe70) at ../accel/tcg/cpu-exec.c:908
+        insns_left = <optimized out>
+        __PRETTY_FUNCTION__ = "cpu_loop_exec_tb"
+        insns_left = <optimized out>
+        _a15 = <optimized out>
+        _b16 = <optimized out>
+#9  cpu_exec_loop (cpu=cpu@entry=0x55dff34fbe70, sc=sc@entry=0x7f1652dff2c0) at ../accel/tcg/cpu-exec.c:1022
+        tb = 0x7f160c030940 <code_gen_buffer+198931>
+        flags = <optimized out>
+        cflags = 4278321152
+        pc = <optimized out>
+        cs_base = <optimized out>
+        last_tb = <optimized out>
+        tb_exit = 1
+        ret = <optimized out>
+#10 0x000055dfca97a6fd in cpu_exec_setjmp (cpu=cpu@entry=0x55dff34fbe70, sc=sc@entry=0x7f1652dff2c0) at ../accel/tcg/cpu-exec.c:1039
+No locals.
+#11 0x000055dfca97ae79 in cpu_exec (cpu=cpu@entry=0x55dff34fbe70) at ../accel/tcg/cpu-exec.c:1065
+        ret = <optimized out>
+        sc = {diff_clk = 0, last_cpu_icount = 0, realtime_clock = 0}
+        _rcu_read_auto = 0x1
+#12 0x000055dfca9a35af in tcg_cpu_exec (cpu=cpu@entry=0x55dff34fbe70) at ../accel/tcg/tcg-accel-ops.c:78
+--Type <RET> for more, q to quit, c to continue without paging--c
+        ret = <optimized out>
+        __PRETTY_FUNCTION__ = "tcg_cpu_exec"
+#13 0x000055dfca9a3703 in mttcg_cpu_thread_fn (arg=arg@entry=0x55dff34fbe70) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
+        r = <optimized out>
+        force_rcu = {notifier = {notify = 0x55dfca9a37f0 <mttcg_force_rcu>, node = {le_next = 0x0, le_prev = 0x7f1652e00528}}, cpu = 0x55dff34fbe70}
+        cpu = 0x55dff34fbe70
+        __PRETTY_FUNCTION__ = "mttcg_cpu_thread_fn"
+        __func__ = "mttcg_cpu_thread_fn"
+#14 0x000055dfcab7e898 in qemu_thread_start (args=0x55dff355dd80) at ../util/qemu-thread-posix.c:541
+        __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {94420348558720, 3438567870158976394, -1656, 0, 140727865026624, 139734089805824, 
+                8803266606146106762, 3438582454403577226}, __mask_was_saved = 0}}, __pad = {0x7f1652dff430, 0x0, 0x0, 0x0}}
+        __cancel_routine = 0x55dfcab7e8f0 <qemu_thread_atexit_notify>
+        __cancel_arg = <optimized out>
+        __not_first_call = <optimized out>
+        qemu_thread_args = <optimized out>
+        start_routine = 0x55dfca9a3600 <mttcg_cpu_thread_fn>
+        arg = 0x55dff34fbe70
+        r = <optimized out>
+#15 0x00007f165e090272 in start_thread () from /nix/store/dbcw19dshdwnxdv5q2g6wldj6syyvq7l-glibc-2.39-52/lib/libc.so.6
+No symbol table info available.
+#16 0x00007f165e10bdec in clone3 () from /nix/store/dbcw19dshdwnxdv5q2g6wldj6syyvq7l-glibc-2.39-52/lib/libc.so.6
+No symbol table info available.
+```"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/249.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/249.toml
new file mode 100644
index 00000000..9835208a
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/249.toml
@@ -0,0 +1,15 @@
+id = 249
+title = "guest OS catches a page  fault bug when running dotnet"
+state = "closed"
+created_at = "2021-05-10T07:43:49.677Z"
+closed_at = "2024-08-01T08:33:46.644Z"
+labels = ["Closed::Fixed", "Launchpad", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/249"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2495.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2495.toml
new file mode 100644
index 00000000..2b373c2a
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2495.toml
@@ -0,0 +1,80 @@
+id = 2495
+title = "A bug in x86-64 MMX instructions"
+state = "closed"
+created_at = "2024-08-11T14:42:09.034Z"
+closed_at = "2024-08-14T02:52:58.775Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2495"
+host-os = "Ubuntu 22.04"
+host-arch = "x86-64"
+qemu-version = "qemu-x86_64 version 9.0.91 (v9.1.0-rc1-6-g0f397dcfec)"
+guest-os = "N/A (qemu-user)"
+guest-arch = "x86_64"
+description = """It seems QEMU emits invalid TCG when lifting MMX instructions with redundant REX prefixes. For example, when lifting `490f7ec0 (movq r8, mm0)`, QEMU generates the following valid TCG.
+
+```
+ ---- 00000000004011f2 0000000000000000
+ call enter_mmx,$0x0,$0,env
+ ld_i64 loc0,env,$0x270
+ mov_i64 r8,loc0
+ mov_i64 rip,$0x4011f6
+ exit_tb $0x0
+ set_label $L0
+ exit_tb $0x7f84f82ec143
+```
+
+However, after changing the value of the rex prefix to `4f` , so the instruction becomes `4f0f7ec0 (rex.WRXB movq r8, mm0)`, the lifted TCG is changed to:
+
+```
+ ---- 00000000004011f2 0000000000000000
+ call enter_mmx,$0x0,$0,env
+ ld_i64 loc0,env,$0x2f0 // The offset to MM0 is changed
+ mov_i64 r8,loc0
+ mov_i64 rip,$0x4011f6
+ exit_tb $0x0
+ set_label $L0
+ exit_tb $0x7f98e82ec143
+```
+
+I have observed this bug in numerous MMX instructions. For example, `410fdaff (rex.B pminub mm7, mm7)` is lifted to the wrong TCGs.
+
+It seems this bug looks similar to #2474."""
+reproduce = """1. Write `test.c` 
+```
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+uint8_t i_R8[8] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };
+uint8_t i_MM0[8] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+uint8_t o_R8[8];
+
+void __attribute__ ((noinline)) show_state() {
+    printf("R8: ");
+    for (int i = 0; i < 8; i++) {
+        printf("%02x ", o_R8[i]);
+    }
+    printf("\\n");
+}
+
+void __attribute__ ((noinline)) run() {
+    __asm__ (
+        ".intel_syntax noprefix\\n"
+        "mov r8, qword ptr [rip + i_R8]\\n"
+        "movq mm0, qword ptr [rip + i_MM0]\\n"
+        ".byte 0x4f, 0x0f, 0x7e, 0xc0\\n"
+        "mov qword ptr [rip + o_R8], r8\\n"
+        ".att_syntax\\n"
+    );
+}
+
+int main(int argc, char **argv) {
+    run();
+    show_state();
+    return 0;
+}
+```    
+2. Compile `test.bin` using this command: `gcc-12 -O2 -no-pie ./test.c -o ./test.bin`
+3. Run QEMU using this command: `qemu-x86_64 ./test.bin` 
+4. The program, runs on top of the buggy QEMU, prints the value of R8 as `00 00 00 00 00 00 00 00`. It should print `ff ff ff ff ff ff ff ff` after the bug is fixed."""
+additional = """"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2511.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2511.toml
new file mode 100644
index 00000000..0d5cf080
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2511.toml
@@ -0,0 +1,40 @@
+id = 2511
+title = "Regression 9.1.0rc2: target/i386/tcg/access.c:18: access_prepare_mmu: Assertion '...' failed."
+state = "closed"
+created_at = "2024-08-17T09:13:46.277Z"
+closed_at = "2024-08-21T05:08:10.955Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2511"
+host-os = "Linux"
+host-arch = "x86_64"
+qemu-version = "QEMU emulator version 9.0.50 (v9.0.0-2240-g8b13106508-dirty)"
+guest-os = "Visopsys"
+guest-arch = "x86_64"
+description = """Executing QEMU command line crashes with 
+   ```
+qemu-system-x86_64: ../target/i386/tcg/access.c:18: access_prepare_mmu: Assertion `size > 0 && size <= TARGET_PAGE_SIZE' failed.
+   ```"""
+reproduce = """1. Download https://www.qemu-advent-calendar.org/2020/download/day07.tar.gz
+2. Execute with QEMU command line"""
+additional = """git bisect finishes with:
+   ```
+8b131065080af3cf2dda04e4e190c5a74fec2f31 is the first bad commit
+commit 8b131065080af3cf2dda04e4e190c5a74fec2f31
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date:   Tue Jun 18 09:13:49 2024 +0200
+
+    target/i386/tcg: use X86Access for TSS access
+    
+    This takes care of probing the vaddr range in advance, and is also faster
+    because it avoids repeated TLB lookups.  It also matches the Intel manual
+    better, as it says "Checks that the current (old) TSS, new TSS, and all
+    segment descriptors used in the task switch are paged into system memory";
+    note however that it's not clear how the processor checks for segment
+    descriptors, and this check is not included in the AMD manual.
+    
+    Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ target/i386/tcg/seg_helper.c | 110 +++++++++++++++++++++++--------------------
+ 1 file changed, 58 insertions(+), 52 deletions(-)
+   ```"""
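Review bot: The `description` and `reproduce` fields of this record refer to "QEMU command line" (lines `Executing QEMU command line crashes with` and `2. Execute with QEMU command line`), but the exported schema has no field carrying that command line, so the reproduction step cannot be followed from the record alone. The same dangling reference appears in 2581.toml (`1. Run the command listed above`), 2821.toml (`command from above`) and 505.toml (`see command line for details`); the GitLab issue template has a separate command-line section that this export appears to drop. Either add a `command-line` field populated from that section or, where it is unavailable, make the gap explicit with a line such as `additional = """command line not captured by the export"""` so readers do not search for text that is not there.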
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2567.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2567.toml
new file mode 100644
index 00000000..d975e12b
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2567.toml
@@ -0,0 +1,86 @@
+id = 2567
+title = "crash in target/i386/tcg/translate.c on loongarch64 Linux debian 6.11.0-rc7"
+state = "closed"
+created_at = "2024-09-11T02:32:15.726Z"
+closed_at = "2024-10-05T23:10:42.299Z"
+labels = ["Closed::Duplicate", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2567"
+host-os = "Debian Linux"
+host-arch = "loongarch64/loong64"
+qemu-version = "QEMU emulator version 9.1.0 (Debian 1:9.1.0+ds-3)"
+guest-os = "Windows 7 x64"
+guest-arch = "x64"
+description = """```
+  ERROR:target/i386/tcg/translate.c:748:gen_helper_out_func: code should not be reached 
+  Bail out! ERROR:target/i386/tcg/translate.c:748:gen_helper_out_func: code should not be reached 
+  已中止(核心已转储)
+  ```"""
+reproduce = """1. windows x64 has been installed into win7_x64.qcow2
+2. windows x64 in win7_x64.qcow2 has been run for several times by the same command line
+3. crash occurred when windows was starting up"""
+additional = """```
+Hint: You are currently not seeing messages from other users and the system.
+      Users in groups 'adm', 'systemd-journal' can see all messages.
+      Pass -q to turn off this notice.
+           PID: 61627 (qemu-system-x86)
+           UID: 1000 (tsingkong)
+           GID: 1001 (tsingkong)
+        Signal: 6 (ABRT)
+     Timestamp: Tue 2024-09-10 15:59:05 CST (18h ago)
+  Command Line: qemu-system-x86_64 -name win7_x64 -hda /SATA/QEMU/win7_x64.qcow2 -boot c -cpu qemu64 -smp sockets=1,cores=4,threads=1 -m 8G -device VGA -netdev user,id=lan -device rtl8139,netdev=lan -usb -device usb-tablet -rtc base=localtime -monitor stdio
+    Executable: /usr/bin/qemu-system-x86_64
+ Control Group: /user.slice/user-1000.slice/user@1000.service/app.slice/app-org.kde.konsole-353cf168c0a84fbe8cdc2b8b72cba71e.scope
+          Unit: user@1000.service
+     User Unit: app-org.kde.konsole-353cf168c0a84fbe8cdc2b8b72cba71e.scope
+         Slice: user-1000.slice
+     Owner UID: 1000 (tsingkong)
+       Boot ID: 49cf5288d7af4b97be341fe599f0c8df
+    Machine ID: 3ab0590011874c2e916d2eeef4585dfb
+      Hostname: debian
+       Storage: /var/lib/systemd/coredump/core.qemu-system-x86.1000.49cf5288d7af4b97be341fe599f0c8df.61627.1725955145000000.zst (present)
+  Size on Disk: 285.9M
+       Message: Process 61627 (qemu-system-x86) of user 1000 dumped core.
+                
+                Module libsystemd.so.0 from deb systemd-256.5-2.loong64
+                Module libgcc_s.so.1 from deb gcc-14-14.2.0-4.loong64
+                Module libstdc++.so.6 from deb gcc-14-14.2.0-4.loong64
+                Module libblkid.so.1 from deb util-linux-2.40.2-8.loong64
+                Module libatomic.so.1 from deb gcc-14-14.2.0-4.loong64
+                Module libmount.so.1 from deb util-linux-2.40.2-8.loong64
+                Module libzstd.so.1 from deb libzstd-1.5.6+dfsg-1.loong64
+                Module libudev.so.1 from deb systemd-256.5-2.loong64
+                Stack trace of thread 61637:
+                #0  0x00007ffff2536968 __pthread_kill_implementation (libc.so.6 + 0x76968)
+                #1  0x00007ffff24f17dc __GI_raise (libc.so.6 + 0x317dc)
+                #2  0x00007ffff24dd238 __GI_abort (libc.so.6 + 0x1d238)
+                #3  0x00007ffff2ccf704 g_assertion_message (libglib-2.0.so.0 + 0x93704)
+                #4  0x00007ffff2ccf768 g_assertion_message_expr (libglib-2.0.so.0 + 0x93768)
+                #5  0x000055555630c440 n/a (qemu-system-x86_64 + 0x830440)
+                #6  0x00005555563286e8 n/a (qemu-system-x86_64 + 0x84c6e8)
+                #7  0x000055555632ef0c n/a (qemu-system-x86_64 + 0x852f0c)
+                #8  0x00005555563f9108 translator_loop (qemu-system-x86_64 + 0x91d108)
+                #9  0x0000555556332474 gen_intermediate_code (qemu-system-x86_64 + 0x856474)
+                #10 0x00005555563f7c08 n/a (qemu-system-x86_64 + 0x91bc08)
+                #11 0x00005555563f8204 tb_gen_code (qemu-system-x86_64 + 0x91c204)
+                #12 0x00005555563ecd54 n/a (qemu-system-x86_64 + 0x910d54)
+                #13 0x00005555563ed288 n/a (qemu-system-x86_64 + 0x911288)
+                #14 0x00005555563edb98 cpu_exec (qemu-system-x86_64 + 0x911b98)
+                #15 0x00007fffdc006c5c tcg_cpu_exec (accel-tcg-x86_64.so + 0x2c5c)
+                #16 0x00007fffdc006df4 n/a (accel-tcg-x86_64.so + 0x2df4)
+                #17 0x0000555556636000 n/a (qemu-system-x86_64 + 0xb5a000)
+                #18 0x00007ffff2534ca4 start_thread (libc.so.6 + 0x74ca4)
+                #19 0x00007ffff259cbcc __thread_start3 (libc.so.6 + 0xdcbcc)
+                
+                Stack trace of thread 61640:
+                #0  0x00005555563fd620 n/a (qemu-system-x86_64 + 0x921620)
+                #1  0x0000555556401b44 get_page_addr_code_hostp (qemu-system-x86_64 + 0x925b44)
+                #2  0x00005555563ebda8 n/a (qemu-system-x86_64 + 0x90fda8)
+                #3  0x00005555563ed5f0 helper_lookup_tb_ptr (qemu-system-x86_64 + 0x9115f0)
+                #4  0x00007fff8d39309c n/a (n/a + 0x0)
+                ELF object binary architecture: LoongArch
+
+```
+
+core.qemu-system-x86.1000.49cf5288d7af4b97be341fe599f0c8df.61627.1725955145000000.zst
+
+https://mega.nz/file/M9ZVzQYS#Z8kw6_cul56nd_p2iwz2SRb4Yb_1K8gqH2YlBBjKk6U"""
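Review bot: The `additional` field carries the reporter's systemd-coredump banner verbatim, which includes the local username, `Machine ID`, `Boot ID`, control-group path and a public download link to a 285.9 MB core dump, while the leading `Hint:` lines are journalctl noise rather than issue content. If the corpus is meant to hold only the diagnostic part of the report, the `Stack trace of thread …` blocks and the `ERROR:` line are what matter; the identifying fields and the external archive link could be dropped or reduced to the file name. If the policy is to mirror the public issue byte-for-byte, this is fine as is, but it would be worth stating that policy once at the corpus level so consumers know which fields are trustworthy summaries and which are raw paste.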
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2578.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2578.toml
new file mode 100644
index 00000000..220963fc
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2578.toml
@@ -0,0 +1,22 @@
+id = 2578
+title = "x86: exception during hardware interrupt pushes wrong error code"
+state = "opened"
+created_at = "2024-09-19T09:09:25.955Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2578"
+host-os = "- OS/kernel version:"
+host-arch = "- QEMU flavor:                 qemu-system-x86_64 qemu-system-i386"
+qemu-version = "all"
+guest-os = "- OS/kernel version:"
+guest-arch = "x86"
+description = """Exceptions during IDT traversal push the wrong error code when triggered by a hardware interrupt.
+The EXT bit in TCG mode is never set.  However, it works fine in KVM mode as hardware is generating the number."""
+reproduce = """1. load a short IDT e.g. with 64 entries
+2. trigger a self IPI through the LAPIC with a vector 100
+3. the pushed error code is 802 instead of 803."""
+additional = """It can be fixed in the lines `raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);` in `seg_helper.c` 
+which must include the `is_hw` field when calculating the error number. Something like `intno * 8 + 2 + (is_hw != 0)` 
+works here.
+
+Nevertheless, all the other exception cases in the `do_interrupt_*` functions have to set the same bit as well."""
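Review bot: `host-os` and `guest-os` hold the issue template's prompt labels (`- OS/kernel version:`) instead of a value or the `"n/a"` placeholder every other record uses, and `host-arch` holds the "QEMU flavor" prompt with its answer rather than an architecture, so a consumer filtering on these fields will get garbage for this record. Suggested normalisation: `host-os = "n/a"`, `guest-os = "n/a"`, and move the flavor text into `additional` or a dedicated field, leaving `host-arch = "n/a"` unless the reporter actually stated an architecture. The scraper presumably matched the template heading but not the empty answer beneath it; a check that a field value does not start with `- ` and end with `:` would catch this class of export error.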
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2581.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2581.toml
new file mode 100644
index 00000000..69ca29a4
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2581.toml
@@ -0,0 +1,20 @@
+id = 2581
+title = "Assert failure \"target/i386/tcg/translate.c:748:gen_helper_out_func\" when emulating Windows"
+state = "closed"
+created_at = "2024-09-20T16:10:29.448Z"
+closed_at = "2024-10-18T12:47:57.946Z"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2581"
+host-os = "macOS"
+host-arch = "arm64"
+qemu-version = "9.1.0"
+guest-os = "Windows 10 22H2"
+guest-arch = "x86_64"
+description = """qemu crashes with:
+```
+ERROR:../target/i386/tcg/translate.c:748:gen_helper_out_func: code should not be reached
+```"""
+reproduce = """1. Run the command listed above
+2. Wait a random amount of time (anywhere between 30mins to 2hours)
+3. Qemu will crash at some point"""
+additional = """- Relevant part of the macOS crash log: [qemu-crash.txt](/uploads/5cc296fd0e8c603ba08379749a67071d/qemu-crash.txt)"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2599.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2599.toml
new file mode 100644
index 00000000..30b901c2
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2599.toml
@@ -0,0 +1,15 @@
+id = 2599
+title = "[x86] RET imm16 not align with native machine"
+state = "opened"
+created_at = "2024-09-29T07:04:16.519Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2599"
+host-os = "Linux yikarus 6.5.0-18-generic #18\\~22.04.1-Ubuntu SMP"
+host-arch = "n/a"
+qemu-version = "latest"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2605.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2605.toml
new file mode 100644
index 00000000..f1844dcc
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2605.toml
@@ -0,0 +1,15 @@
+id = 2605
+title = "amd64/v4 support"
+state = "opened"
+created_at = "2024-10-03T09:00:45.346Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2605"
+host-os = "OS X 14.5"
+host-arch = "ARM64"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/265.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/265.toml
new file mode 100644
index 00000000..3da81e5e
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/265.toml
@@ -0,0 +1,15 @@
+id = 265
+title = "x86: retf or iret pagefault sets wrong error code"
+state = "opened"
+created_at = "2021-05-11T05:36:44.498Z"
+closed_at = "n/a"
+labels = ["Launchpad", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/265"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/279.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/279.toml
new file mode 100644
index 00000000..de9d232b
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/279.toml
@@ -0,0 +1,15 @@
+id = 279
+title = "x86-64 MTTCG Does not update page table entries atomically"
+state = "closed"
+created_at = "2021-05-12T18:48:46.105Z"
+closed_at = "2022-10-18T20:00:59.712Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/279"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2821.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2821.toml
new file mode 100644
index 00000000..5153968d
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2821.toml
@@ -0,0 +1,31 @@
+id = 2821
+title = "Emulated newer x86 chipsets are noticably slower on cpu-bound loads than \"-cpu qemu64\""
+state = "closed"
+created_at = "2025-02-19T08:56:07.163Z"
+closed_at = "2025-02-20T08:44:22.235Z"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2821"
+host-os = "Fedora 41 x86 (issue also observed on Asahi Linux (Fedora41 based), so aarch64)"
+host-arch = "x86, ARM"
+qemu-version = "qemu-system-x86-9.1.2-3.fc41.x86_64"
+guest-os = "Fedora 41"
+guest-arch = "x86"
+description = """I noticed that "-cpu qemu64" is much faster than "-cpu max" or "-cpu Icelake-Server-noTSX" for cpu bound loads, and with more than one cpu under load."""
+reproduce = """1. Run a guest as per "qemu-system-x86_64 -cpu max [..]" command from above. Any linux distro should do.
+2. run through the setup questions if you use Fedora-Server-KVM-41-1.4.x86_64.qcow2 from the example command line above
+3. log into the guest via ssh, i.e. "ssh chris@amd64" here
+4. cd /dev/shm; wget http://archive.apache.org/dist/httpd/httpd-2.4.57.tar.bz2; wget https://fluxcoil.net/files/tmp/job_httpd_extract_cpu.sh
+6. bash ./job_httpd_extract_cpu.sh 4 300
+8. cat /tmp/counter
+
+Step 6 is executing a script which simply uses 4 parallel loops, where each loop runs "bzcat httpd-2.4.57.tar.bz2" constantly. After 300sec, the successful uncompressions over all 4 loops are summed up and stored in /tmp/counter.
+
+- result with "-cpu qemu64": 96
+- result with "-cpu max": 84
+- result with "-cpu Icelake-Server-noTSX": 44"""
+additional = """- For "-cpu Icelake-Server-noTSX" on this Thinkpad T590 I get these warnings, I think they are not relevant:
+  qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.pcid [bit 17]
+  qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.tsc-deadline [bit 24]
+  [..]
+- I also looked at Broadwell etc, and all of them seem in the same ballpark.
+  Graph over some emulated architectures: https://fluxcoil.net/files/tmp/gnuplot_cpu-performance-emulated-only.png"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/286.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/286.toml
new file mode 100644
index 00000000..e4b73cdd
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/286.toml
@@ -0,0 +1,15 @@
+id = 286
+title = "Performance degradation for WinXP boot time after b55f54bc"
+state = "closed"
+created_at = "2021-05-13T15:32:51.153Z"
+closed_at = "2021-07-22T15:10:33.583Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/286"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2878.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2878.toml
new file mode 100644
index 00000000..7d53c7e0
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2878.toml
@@ -0,0 +1,15 @@
+id = 2878
+title = "Support for avx512 in qemu user space  emulation."
+state = "opened"
+created_at = "2025-03-23T12:00:27.265Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2878"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2891.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2891.toml
new file mode 100644
index 00000000..d20cc198
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2891.toml
@@ -0,0 +1,15 @@
+id = 2891
+title = "qemu-system-x86_64 segfaults when executing ipxe selftests"
+state = "closed"
+created_at = "2025-03-30T07:35:55.298Z"
+closed_at = "2025-04-04T17:07:31.786Z"
+labels = ["Regression", "accel: TCG", "kind::Bug", "target: i386", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2891"
+host-os = "Linux"
+host-arch = "x86_64"
+qemu-version = "456709db50f424d112bc5f07260fdc51555f3a24 up to 10.0.0-rc1"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/314.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/314.toml
new file mode 100644
index 00000000..82b585f1
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/314.toml
@@ -0,0 +1,15 @@
+id = 314
+title = "qemu-user vm86() segfaults handling interrupt with ss:sp in same page as cs:ip"
+state = "opened"
+created_at = "2021-05-15T10:53:32.687Z"
+closed_at = "n/a"
+labels = ["Launchpad", "TestCase", "accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/314"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/318.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/318.toml
new file mode 100644
index 00000000..c6a94e51
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/318.toml
@@ -0,0 +1,15 @@
+id = 318
+title = "QEMU crash after a QuickBASIC program integer overflow"
+state = "opened"
+created_at = "2021-05-15T14:04:19.798Z"
+closed_at = "n/a"
+labels = ["Launchpad", "TestCase", "accel: TCG", "kind::Bug", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/318"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/330.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/330.toml
new file mode 100644
index 00000000..0c3643e7
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/330.toml
@@ -0,0 +1,15 @@
+id = 330
+title = "TCG does not support x2APIC emulation"
+state = "opened"
+created_at = "2021-05-17T13:45:06.175Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "kind::Feature Request", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/330"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/380.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/380.toml
new file mode 100644
index 00000000..a7f42e8e
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/380.toml
@@ -0,0 +1,15 @@
+id = 380
+title = "Windows 7 fails to boot"
+state = "closed"
+created_at = "2021-05-31T22:11:55.098Z"
+closed_at = "2021-06-05T10:25:28.677Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/380"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/382.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/382.toml
new file mode 100644
index 00000000..9f3ff699
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/382.toml
@@ -0,0 +1,15 @@
+id = 382
+title = "target/i386/seg_helper.c: 16-bit TSS struct format wrong?"
+state = "closed"
+created_at = "2021-06-01T10:33:32.171Z"
+closed_at = "2021-06-05T10:25:28.680Z"
+labels = ["Launchpad", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/382"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/394.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/394.toml
new file mode 100644
index 00000000..f746f6af
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/394.toml
@@ -0,0 +1,15 @@
+id = 394
+title = "Windows 7 crashing due to PAGE_FAULT_IN_NONPAGED_AREA"
+state = "closed"
+created_at = "2021-06-07T15:33:12.008Z"
+closed_at = "2021-11-04T15:08:06.838Z"
+labels = ["Closed::Duplicate", "accel: TCG", "hostos: Windows", "kind::Bug", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/394"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/404.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/404.toml
new file mode 100644
index 00000000..55d2cf66
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/404.toml
@@ -0,0 +1,15 @@
+id = 404
+title = "Windows XP takes much longer to boot in TCG mode since 5.0"
+state = "closed"
+created_at = "2021-06-10T13:53:40.164Z"
+closed_at = "2021-07-22T15:10:33.902Z"
+labels = ["Closed::Fixed", "Launchpad", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/404"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/420.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/420.toml
new file mode 100644
index 00000000..49241a88
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/420.toml
@@ -0,0 +1,15 @@
+id = 420
+title = "Some x86_64 SSE operations have incorrect/erratic behaviours"
+state = "closed"
+created_at = "2021-06-15T18:02:58.026Z"
+closed_at = "2022-04-11T16:15:40.097Z"
+labels = ["TestCase", "accel: TCG", "linux-user", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/420"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/427.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/427.toml
new file mode 100644
index 00000000..d7471e5c
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/427.toml
@@ -0,0 +1,15 @@
+id = 427
+title = "TCG: QEMU incorrectly raises exception on SSE4.2 CRC32 instruction"
+state = "closed"
+created_at = "2021-06-17T10:33:20.027Z"
+closed_at = "2023-01-31T08:58:08.031Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/427"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/505.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/505.toml
new file mode 100644
index 00000000..1d19c575
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/505.toml
@@ -0,0 +1,22 @@
+id = 505
+title = "QEMU crashes when reaching a hardware watchpoint"
+state = "closed"
+created_at = "2021-07-27T15:14:17.907Z"
+closed_at = "2021-12-09T18:25:20.156Z"
+labels = ["Closed::Fixed", "Regression", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/505"
+host-os = "Ubuntu 18.04"
+host-arch = "x86"
+qemu-version = "6.0.90"
+guest-os = "Debian live cd - see command line for details"
+guest-arch = "i386"
+description = """When using hardware watchpoints, qemu crashes when it hits the watch point.
+See https://github.com/zephyrproject-rtos/zephyr/issues/28613 for the same problem"""
+reproduce = """1. Download https://download.qemu.org/qemu-6.1.0-rc0.tar.xz
+2. Download debian-live-10.10.0-i386-standard.iso from https://cdimage.debian.org/debian-cd/current-live/i386/iso-hybrid/
+3. Build qemu with /configure --target-list=i386-softmmu
+4. Run build/qemu-system-i386 -boot d -cdrom debian-live-10.10.0-i386-standard.iso -m 512 -icount auto -gdb tcp:localhost:1234 -S -display none
+5. Run gdb and inside gdb run "target remote localhost:1234"
+6. In gdb, run "watch *0x0000fff0" and "cont"
+7. qemu will crash with ```qemu: fatal: Raised interrupt while not in I/O function```"""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/509.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/509.toml
new file mode 100644
index 00000000..6a3b1882
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/509.toml
@@ -0,0 +1,15 @@
+id = 509
+title = "Atomic test-and-set instruction does not work on qemu-user"
+state = "closed"
+created_at = "2021-07-28T15:38:41.276Z"
+closed_at = "2021-07-28T17:30:14.364Z"
+labels = ["Launchpad", "accel: TCG", "linux-user", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/509"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/601.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/601.toml
new file mode 100644
index 00000000..7e6965f3
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/601.toml
@@ -0,0 +1,28 @@
+id = 601
+title = "import tensorflow causes qemu: uncaught target signal 6 (Aborted) - core dumped"
+state = "closed"
+created_at = "2021-09-06T13:44:19.193Z"
+closed_at = "2023-01-31T09:26:15.446Z"
+labels = ["Closed::Fixed", "accel: TCG", "linux-user", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/601"
+host-os = "Mac OS Big Sur 11.5.2"
+host-arch = "ARM (M1)"
+qemu-version = "6.1.0"
+guest-os = "python:3.9-buster Docker image"
+guest-arch = "x86_64"
+description = """Crashes when importing tensorflow in Docker container under --platorm linux/amd64 on M1 Mac
+```
+2021-09-06 13:35:24.435613: F tensorflow/core/lib/monitoring/sampler.cc:42] Check failed: bucket_limits_[i] > bucket_limits_[i - 1] (0 vs. 10)
+qemu: uncaught target signal 6 (Aborted) - core dumped
+```"""
+reproduce = """See https://gitlab.com/ryan-feather/docker-tensorflow-qemu-bug/ for Dockerfile and description of steps repeating here.
+1. Using the dockerfile 
+```
+FROM python:3.9-buster
+RUN pip install tensorflow==2.6.0
+
+```
+2. `docker buildx build --iidfile build.id --platform linux/amd64 . --progress=plain`
+3. ``` docker run --platform linux/amd64  `cat build.id` python -c "import tensorflow"```"""
+additional = """See 
+https://github.com/docker/for-mac/issues/5342 where the Docker team suggests this is a qemu bug. I couldn't find where anyone had opened one of these here, so hopefully this isn't a duplicate."""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/619.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/619.toml
new file mode 100644
index 00000000..b7e44a0e
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/619.toml
@@ -0,0 +1,15 @@
+id = 619
+title = "Move TCGCPUOps::fake_user_exception() to linux-user/i386/cpu_loop.c"
+state = "opened"
+created_at = "2021-09-13T08:05:59.787Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/619"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/661.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/661.toml
new file mode 100644
index 00000000..901068b2
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/661.toml
@@ -0,0 +1,52 @@
+id = 661
+title = "Unable to enable 5 level paging"
+state = "closed"
+created_at = "2021-10-10T20:46:52.187Z"
+closed_at = "2022-08-03T14:55:39.489Z"
+labels = ["Regression", "Stable::to backport", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/661"
+host-os = "Arch Linux"
+host-arch = "x86"
+qemu-version = "QEMU emulator version 6.1.0"
+guest-os = "https://github.com/ethan4984/rock https://github.com/limine-bootloader/limine"
+guest-arch = "x86"
+description = """When attempting to set cr4.LA57, qemu just freezes on that instruction. When I say freeze I mean literally freeze, no exceptions, nothing, it just halts forever on that instruction. When this happened, the first thing I did was
+
+```
+(qemu) info registers 
+EAX=00001000 EBX=00000001 ECX=80224f08 EDX=00000000
+ESI=8034a3a0 EDI=00026520 EBP=000079f8 ESP=000079c8
+EIP=00019648 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
+ES =0020 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
+CS =0018 00000000 ffffffff 00c09a00 DPL=0 CS32 [-R-]
+SS =0020 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
+DS =0020 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
+FS =0020 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
+GS =0020 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
+LDT=0000 00000000 00000000 00008200 DPL=0 LDT
+TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
+GDT=     0000e120 00000037
+IDT=     00000000 00000000
+CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
+DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
+DR6=00000000ffff0ff0 DR7=0000000000000400
+EFER=0000000000000000
+...
+```
+
+then using gdb to figure out what instruction it is hanging on, I set a breakpoint at 0x19648 at and ran 
+```
+(gdb) x/1 0x19648
+=> 0x19648:\tmov    %rax,%cr4
+(gdb) 
+```
+
+This instruction corresponds to this LOC within limine https://github.com/limine-bootloader/limine/blob/trunk/stage23/protos/stivale.32.c#L33"""
+reproduce = """1. Try to enable 5 level paging
+2. qemu freezes when trying to set cr4.LA57
+3. cry"""
+additional = """This never happened prior to version 6.1, I test this on multiple different machines and a few of my friends 
+experienced the same issue
+
+I have not tested this on linux, however I assume it will do the same on anything else. 
+Either way, qemu should not be just halting"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/67.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/67.toml
new file mode 100644
index 00000000..e3d7e8bf
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/67.toml
@@ -0,0 +1,15 @@
+id = 67
+title = "incomplete emulation of fstenv under TCG"
+state = "closed"
+created_at = "2021-05-01T06:07:49.216Z"
+closed_at = "2024-10-07T20:56:44.465Z"
+labels = ["Launchpad", "TestCase", "accel: TCG", "kind::Bug", "linux-user", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/67"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/676.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/676.toml
new file mode 100644
index 00000000..7858697f
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/676.toml
@@ -0,0 +1,64 @@
+id = 676
+title = "Throws a PF when it should throw a GF/SS"
+state = "closed"
+created_at = "2021-10-18T01:57:53.193Z"
+closed_at = "2021-11-08T17:49:13.308Z"
+labels = ["Regression", "accel: TCG", "kind::Bug", "target: i386", "workflow::In Progress"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/676"
+host-os = "Arch Linux"
+host-arch = "x86"
+qemu-version = "QEMU emulator version 6.1.0"
+guest-os = "Custom"
+guest-arch = "x86"
+description = """QEMU misreports what should be a #GP as a #PF 
+```
+check_exception old: 0xffffffff new 0xe
+     0: v=0e e=0001 i=0 cpl=0 IP=0028:ffffffffb28fa53b pc=ffffffffb28fa53b SP=0030:ffffffffb2901210 CR2=1fbf7020000772a4
+RAX=1fbf7020000772a4 RBX=0000000000000000 RCX=ffff80000006a0a8 RDX=ffff80000006a038
+RSI=1fbff0200000d26c RDI=0000000000000080 RBP=ffffffffb2901230 RSP=ffffffffb2901210
+R8 =ffffffffb28fb37f R9 =0000000000000000 R10=0000000000000000 R11=0000000000000000
+R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
+RIP=ffffffffb28fa53b RFL=00000007 [-----PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
+ES =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+CS =0028 0000000000000000 00000000 00209a00 DPL=0 CS64 [-R-]
+SS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+DS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+FS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+GS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+LDT=0000 0000000000000000 00000000 00008200 DPL=0 LDT
+TR =0000 0000000000000000 0000ffff 00008b00 DPL=0 TSS64-busy
+GDT=     000000000000edc0 00000037
+IDT=     000000000002e6a0 000000ff
+CR0=80000013 CR2=1fbf7020000772a4 CR3=0000000000058000 CR4=000006a0
+DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
+DR6=00000000ffff0ff0 DR7=0000000000000400
+CCS=3f7fe0400001a4d9 CCD=1fbff0200000d26c CCO=SARQ    
+EFER=0000000000000501
+```
+
+Now, `CR2=1fbf7020000772a4` is of course a non-canonical address, and therefore should not generate a #PF, rather it should generate a #GP. I also tried to generate a #SS by dereferencing a non-canonical address through the stack, and that also throws a #PF instead of a #SS
+
+```
+check_exception old: 0xffffffff new 0xe
+     0: v=0e e=0001 i=0 cpl=0 IP=0028:fffffffff4bda92a pc=fffffffff4bda92a SP=0030:1fbf7020000772a4 CR2=1fbf70200007729c
+RAX=0000000000000000 RBX=0000000000000000 RCX=0000000000000000 RDX=fffffffff4bdb998
+RSI=0000000000000000 RDI=fffffffff4bdb998 RBP=fffffffff4bdf290 RSP=1fbf7020000772a4
+R8 =0000000000000000 R9 =0000000000000000 R10=0000000000000000 R11=0000000000000000
+R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
+RIP=fffffffff4bda92a RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
+ES =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+CS =0028 0000000000000000 00000000 00209a00 DPL=0 CS64 [-R-]
+SS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+DS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+FS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+GS =0030 0000000000000000 00000000 00009300 DPL=0 DS   [-WA]
+LDT=0000 0000000000000000 00000000 00008200 DPL=0 LDT
+TR =0000 0000000000000000 0000ffff 00008b00 DPL=0 TSS64-busy
+GDT=     000000000000edc0 00000037
+IDT=     000000000002e6a0 000000ff
+CR0=80000011 CR2=1fbf70200007729c CR3=00000000bffa5000 CR4=00000020
+```"""
+reproduce = """1. Dereference a non-canonical address
+2. QEMU gives you a page fault instead of a gpf
+3. reconsider life"""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/683.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/683.toml
new file mode 100644
index 00000000..64f7dcab
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/683.toml
@@ -0,0 +1,15 @@
+id = 683
+title = "certain programs make QEMU crash with \"tcg fatal error\""
+state = "closed"
+created_at = "2021-10-21T14:36:48.874Z"
+closed_at = "2021-11-19T19:19:24.165Z"
+labels = ["Launchpad", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/683"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/766.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/766.toml
new file mode 100644
index 00000000..7351a45d
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/766.toml
@@ -0,0 +1,35 @@
+id = 766
+title = "qemu-system-x86_64: Reboot loop after Machine->Reset"
+state = "closed"
+created_at = "2021-12-10T01:20:31.289Z"
+closed_at = "2022-04-18T10:56:27.449Z"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/766"
+host-os = "Arch Linux"
+host-arch = "amd64"
+qemu-version = "QEMU emulator version 6.1.94 (v6.2.0-rc4)"
+guest-os = "Not needed."
+guest-arch = "## Description of problem"
+description = """When using tcg, the virtual machine goes into a reboot loop after the VM
+is rebooted through UI->Machine->Reboot menu, or through outb(0xcf9, 0xf).
+There might be other reboot mechanisms that result in the same loop.
+
+The loop doesn't occur when using kvm:
+qemu-system-x86_64 -M q35 -enable-kvm"""
+reproduce = """1. Run the command. (The one without -enable-kvm.)
+2. From the UI, click on Machine->Reset.
+3. See that the VM locks up, instead of resetting."""
+additional = """The reboot loop occurs because a variable defined by Seabios cannot be updated, possibly because the memory is read-only.
+
+The variable in question is [HaveRunPost](https://github.com/coreboot/seabios/blob/2dd4b9b3f84019668719344b40dba79d681be41c/src/fw/shadow.c#L194). If HaveRunPost is non-zero, the BIOS follows the resume path. When the reset is clicked, the BIOS does indeed gain control and follow the resume path because HaveRunPost is 2. The control ends up at qemu_reboot, which should reset HaveRunPost to 0 and trigger another reset, so that this second time around, the BIOS sees HaveRunPost as 0, and follows the initialization path instead.
+
+But, even though the instruction to update HaveRunPost seems to run, the value remains non-zero (2 to be exact).
+
+```
+        // HaveRunPost has value 2 here.
+        barrier();
+        HaveRunPost = 0;
+        barrier();
+        // If a dprintf(1, "%x\\n", HaveRunPost); is placed here, the value printed is 2 and not 0!
+        // With kvm-enabled, this dprintf prints 0.
+```"""
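Review bot: `guest-arch = "## Description of problem"` on the tenth line of this record is a leaked issue-template section heading, not an architecture; the importer appears to have captured the next markdown header when the reporter left that field blank. The same unscrubbed-template problem shows up in 844.toml, where the `qemu-version` field holds the form's own example hint (`(e.g. qemu-system-x86_64 --version)`) rather than a version. Both fields should fall back to the `"n/a"` sentinel the sibling records use, e.g. `guest-arch = "n/a"`, and the import step could reject scalar values that start with `#` or `(e.g.` so this does not recur.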
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/824.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/824.toml
new file mode 100644
index 00000000..3f84e63a
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/824.toml
@@ -0,0 +1,24 @@
+id = 824
+title = "x86_64 Translation Block error (cmp eax, 0x6; jnle 0x524)"
+state = "closed"
+created_at = "2022-01-17T12:46:47.886Z"
+closed_at = "2022-02-12T22:03:28.361Z"
+labels = ["TCG plugins", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/824"
+host-os = "n/a"
+host-arch = "x86"
+qemu-version = "6.1.50 (c52d69e7dbaaed0ffdef8125e79218672c30161d)"
+guest-os = "n/a"
+guest-arch = "x86"
+description = """`Qemu` produces a Translation block of 4 instructions:
+```
+0x0000558a53039ffc: 83f806       (cmp eax, 0x6)
+0x0000558a53039fff: 0f           (nothing)
+0x0000558a53039ffc: 83f806       (cmp eax, 0x6)
+0x0000558a53039fff: 0f8f1e050000 (jnle 0x524)
+```
+This problem occurs several time with different addresses but the same pattern:
+- 1st and 3th instructions are the same (both addresses and opcodes);
+- 2nd is the prefix of the 4th (same addresses)."""
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/83.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/83.toml
new file mode 100644
index 00000000..7981d2ee
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/83.toml
@@ -0,0 +1,15 @@
+id = 83
+title = "QEMU x87 emulation of trig and other complex ops is only at 64-bit precision, not 80-bit"
+state = "opened"
+created_at = "2021-05-03T09:27:11.094Z"
+closed_at = "n/a"
+labels = ["Launchpad", "accel: TCG", "kind::Bug", "target: i386", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/83"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/844.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/844.toml
new file mode 100644
index 00000000..5f2d4e7f
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/844.toml
@@ -0,0 +1,56 @@
+id = 844
+title = "Close gap for x86_64-v3 ABI in TCG - CPU support for fma, f16c, avx, avx2 features required"
+state = "closed"
+created_at = "2022-01-28T16:39:28.785Z"
+closed_at = "2022-10-25T13:57:03.940Z"
+labels = ["accel: TCG", "kind::Feature Request", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/844"
+host-os = "n/a"
+host-arch = "x86_64"
+qemu-version = "(e.g. `qemu-system-x86_64 --version`)"
+guest-os = "n/a"
+guest-arch = "x86_64"
+description = """There are 3 additional ABIs defined by a collaboration of vendors for the `x86_64` architecture, over the original baseline:
+
+* https://gitlab.com/x86-psABIs/x86-64-ABI/-/blob/master/x86-64-ABI/low-level-sys-info.tex
+
+This is no problem for KVM assuming suitable host hardware, but TCG is currently unable to support more than the original baseline and the `x86_64-v2` step.  
+
+For `x86_64-v3` there are some gaps in its emulation coverage. This can be seen by taking `Nehalem` which is a good fit for `x86_64-v2`, and requesting the extra v3 features:
+
+```
+$ qemu-system-x86_64 -accel tcg -cpu Nehalem,+avx,+avx2,+bmi1,+bmi2,+f16c,+fma,+abm,+movbe
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.fma [bit 12]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.avx [bit 28]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.f16c [bit 29]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.07H:EBX.avx2 [bit 5]
+```
+
+IOW, the strict bare minimum TCG needs in order to satisfy `x86_64-v3` is  `fma`, `f16c`, `avx` and `avx2` support
+
+If we want to fully support a named CPU model satisfying v3, then `Haswell` is the closest and that has a few additional gaps
+
+```
+$ qemu-system-x86_64 -accel tcg -cpu Haswell-noTSX
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.fma [bit 12]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.pcid [bit 17]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.x2apic [bit 21]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.tsc-deadline [bit 24]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.avx [bit 28]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.f16c [bit 29]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.07H:EBX.avx2 [bit 5]
+qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.07H:EBX.invpcid [bit 10]
+
+```
+
+Those additional gaps wouldn't impact ability to execute binaries build for the `x86_64-v3` ABI though, so not as important.
+
+The reason `x86_64-v3` compatibility in TCG matters is because sooner or later some Linux OS are going to set this as the baseline for their compiler toolchain.  There is a proposal to set this in `Fedora ELN`, which is what feeds in to a possible future `RHEL-10`.
+
+I imagine adding these extra features would be non-negligible work in TCG / take some time to complete.
+
+Thus I file this bug for the purpose of suggesting these 4 specific missing features be considered a priority to address, compared to other missing CPU features in TCG that might be considered more of a 'nice to have'.
+
+eg looking further the `x86_64-v4` baseline brings in a requirement for `avx512f`, `avx512bw`, `avx512cd`, `avx512dq`, `avx512vl` which TCG also lacks, but I don't think they really need to be considered important at this point in time."""
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/870.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/870.toml
new file mode 100644
index 00000000..73bd8144
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/870.toml
@@ -0,0 +1,20 @@
+id = 870
+title = "Throws a #GP when it should throw a #SS"
+state = "closed"
+created_at = "2022-02-14T04:08:24.583Z"
+closed_at = "2022-03-15T16:28:26.904Z"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/870"
+host-os = "Ubuntu 20.04.3 LTS"
+host-arch = "x86"
+qemu-version = "QEMU emulator version 6.2.0"
+guest-os = "Custom"
+guest-arch = "x86"
+description = """When stacks are switched as part of a 64-bit mode privilege-level change (resulting from an interrupt), IA-32e mode loads only an inner-level RSP from the TSS. If the value of rsp from tss is a non-canonical form. It will trigger #SS. But when I test it in qemu it throws #GP instead of #SS"""
+reproduce = """In order to confirm that it is the #SS triggered by the non-canonical address, We can verify on a real machine.  
+1. Set the value of the current core's `TSS.IST7` to the the non-canonical address.
+2. Set the `ist` field of the interrupt 4 (Overflow Exception) descriptor to 7.
+3. Execute the `INT 4` instruction in Ring 3 and it will be taken over by the #SS handler.
+
+Repeat the above steps in qemu this exception will be taken over by #GP"""
+additional = """"""
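Review bot: `additional = """"""` on the last line of this record stores an empty multi-line string where every other record in this directory uses the `"n/a"` sentinel for a missing section, so a consumer that checks for `"n/a"` will treat this issue as having an (empty) additional-information section. Normalizing to `additional = "n/a"` at import time, or having the reader treat empty strings and `"n/a"` identically, keeps the corpus consistent.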
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/888.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/888.toml
new file mode 100644
index 00000000..458857a5
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/888.toml
@@ -0,0 +1,17 @@
+id = 888
+title = "TCG <--> KVM behavior difference (TCG bug)"
+state = "closed"
+created_at = "2022-02-28T14:48:57.328Z"
+closed_at = "2022-03-24T16:31:59.730Z"
+labels = ["Softfloat", "accel: TCG", "target: i386", "workflow::In Progress"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/888"
+host-os = "Ubuntu 18.04/20.04"
+host-arch = "x86_64"
+qemu-version = "6.2"
+guest-os = "Windows XP SP2"
+guest-arch = "x86"
+description = """This app couldn't start in TCG mode in QEMU 6.2, but with KVM everything is good. Until version 6.0 it also works with TCG.
+As I checked - problem git commit is 5f9529006ea37560c97b05661a84472431d25b91."""
+reproduce = """1. Install Allplayer
+2. Try to run it in TCG and KVM mode with QEMU 6.2"""
+additional = "n/a"
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/973.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/973.toml
new file mode 100644
index 00000000..f974b9e2
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/973.toml
@@ -0,0 +1,27 @@
+id = 973
+title = "qemu 6.2 memory leak when failed to boot and infinitely reboot"
+state = "opened"
+created_at = "2022-04-10T13:52:17.003Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/973"
+host-os = "Linux (qemu 6.2.0 built from source at alpine 3.15)"
+host-arch = "x86_64"
+qemu-version = "6.2.0"
+guest-os = "Linux"
+guest-arch = "x86_64"
+description = """qemu allocates tons of memory (very likely memory leak) in certain (rare) cases.
+
+When I misconfigured qemu so that I have run a bigger linux kernel within insufficient memory (for example 8M bzImage while 16M ram and no hdd), the kernel will obviously fail to boot. In this case qemu will reboot (likely the linux kernel reboots). However reboot does not solve the problem, causing qemu to repeatedly reboot.
+
+Memory usage of qemu raises sharply in the progress."""
+reproduce = """1. Get any linux kernel (tested with 5.15.33)
+2. Run the kernel on qemu, with memory smaller than necessary"""
+additional = """A reproducing dockerfile:
+```
+FROM alpine:3.15
+
+RUN apk add qemu-system-x86_64 linux-virt
+
+CMD ["/usr/bin/qemu-system-x86_64", "-kernel", "/boot/vmlinuz-virt", "-nographic", "-net", "none", "-m", "16M"]
+```"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/984.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/984.toml
new file mode 100644
index 00000000..f8b5a6da
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/984.toml
@@ -0,0 +1,31 @@
+id = 984
+title = "QEMU i386 fldl instruction is affected by the precision control bits of the FPU control word"
+state = "opened"
+created_at = "2022-04-15T10:24:44.938Z"
+closed_at = "n/a"
+labels = ["Softfloat", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/984"
+host-os = "Ubuntu 20.04"
+host-arch = "x86_64"
+qemu-version = "v6.1.0..v7.0.0-rc4"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """~~The QEMU softfloat float64_to_floatx80 implementation is broken and does not produce correct results.~~ QEMU i386 fldl instruction is affected by the precision control bits of the FPU control word.
+
+```
+IN = 1234.567890 (0x40934a4584f4c6e7)
+OUT = 1234.567871 (0x40099a522c0000000000)
+```
+
+This bug was introduced in the QEMU commit qemu/qemu@8ae5719 as part of the switchover to FloatParts, and is still present in the latest tag (v7.0.0-rc4 as of now).
+
+Prior to the offending commit:
+
+```
+IN = 1234.567890 (0x40934a4584f4c6e7)
+OUT = 1234.567890 (0x40099a522c27a6373800)
+```
+
+This breaks the i386 emulation of `fldl st(0)` (`helper_fldl_ST0`)."""
+reproduce = """Call `float64_to_floatx80` with the input value of `1234.567890 (0x40934a4584f4c6e7)` and see the returned result."""
+additional = """See https://github.com/zephyrproject-rtos/sdk-ng/issues/461"""
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/993.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/993.toml
new file mode 100644
index 00000000..354f1dee
--- /dev/null
+++ b/gitlab/issues/target_i386/host_missing/accel_TCG/993.toml
@@ -0,0 +1,93 @@
+id = 993
+title = "Invalid opcode  vzeroupper"
+state = "closed"
+created_at = "2022-04-19T02:19:22.407Z"
+closed_at = "2022-04-19T18:16:18.823Z"
+labels = ["Cryptography", "accel: TCG", "target: i386"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/993"
+host-os = "Windows 11"
+host-arch = "x86_64 (AMD Ryzen™ 9 5950X)"
+qemu-version = "QEMU emulator version 6.2.0 (v6.2.0-11889-g5b72bf03f5-dirty)"
+guest-os = "Fedora 36"
+guest-arch = "x86"
+description = """Got many invalid opcode error with Fedora 36
+See fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2076410
+
+Crash stack and disassemble. 
+```
+Downloading separate debug info for /lib64/liblzma.so.5...
+Downloading separate debug info for /home/penghuang/Sources/system-supplied DSO at 0x7fff30f55000...
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+Core was generated by `flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo'.
+Program terminated with signal SIGILL, Illegal instruction.
+#0  0x00007f89783cbe4a in sha512_block_data_order_avx2 () from /lib64/libgnutls.so.30
+[Current thread is 1 (Thread 0x7f8972ada640 (LWP 5083))]
+(gdb) bt
+#0  0x00007f89783cbe4a in sha512_block_data_order_avx2 () from /lib64/libgnutls.so.30
+#1  0x00007f89783bf042 in x86_sha512_update (ctx=0x7f8972ad9090, length=128, data=0x7f8972ad8f90 '\\\\' <repeats 128 times>, "@\\255")
+    at sha-x86-ssse3.c:215
+#2  0x00007f897810879b in nettle_hmac_set_key (outer=<optimized out>, inner=0x7f8972ad9168, state=<optimized out>, 
+    hash=0x7f897848b6c0 <x86_sha384>, key_length=0, key=0x7f89783ff943 "") at /usr/src/debug/nettle-3.7.3-3.fc36.x86_64/hmac.c:83
+#3  0x00007f89783bce3a in wrap_x86_hmac_fast (algo=<optimized out>, nonce=<optimized out>, nonce_size=<optimized out>, key=0x7f89783ff943, 
+    key_size=0, text=0x7f8972ad9430, text_size=48, digest=0x55a79d80b948) at hmac-x86-ssse3.c:294
+#4  0x00007f89782d4b57 in _gnutls_mac_fast (algorithm=GNUTLS_MAC_SHA384, key=0x7f89783ff943, keylen=0, text=0x7f8972ad9430, textlen=48, 
+    digest=0x55a79d80b948) at hash_int.c:167
+#5  0x00007f89782f524d in gnutls_hmac_fast (algorithm=GNUTLS_MAC_SHA384, key=key@entry=0x7f89783ff943, keylen=keylen@entry=0, 
+    ptext=0x7f8972ad9430, ptext_len=ptext_len@entry=48, digest=digest@entry=0x55a79d80b948) at crypto-api.c:640
+#6  0x00007f897830d2ff in _tls13_init_secret2 (prf=0x7f897848f888 <hash_algorithms+168>, psk=<optimized out>, psk@entry=0x0, psk_size=48, 
+    psk_size@entry=0, out=out@entry=0x55a79d80b948) at secrets.c:59
+#7  0x00007f897830d3d0 in _tls13_init_secret (session=session@entry=0x55a79d80a1c0, psk=psk@entry=0x0, psk_size=psk_size@entry=0) at secrets.c:35
+#8  0x00007f89782c66c0 in read_server_hello (datalen=<optimized out>, data=<optimized out>, session=0x55a79d80a1c0) at handshake.c:2097
+#9  _gnutls_recv_handshake (session=session@entry=0x55a79d80a1c0, type=type@entry=GNUTLS_HANDSHAKE_SERVER_HELLO, optional=optional@entry=0, 
+    buf=buf@entry=0x0) at handshake.c:1656
+#10 0x00007f89782c8dbb in handshake_client (session=0x55a79d80a1c0) at handshake.c:3072
+#11 gnutls_handshake (session=0x55a79d80a1c0) at handshake.c:2871
+#12 0x00007f89784a694f in g_tls_connection_gnutls_handshake_thread_handshake (tls=0x55a79d80c250, timeout=<optimized out>, 
+    cancellable=<optimized out>, error=0x7f8972ad9b10) at ../tls/gnutls/gtlsconnection-gnutls.c:968
+#13 0x00007f89784a8942 in handshake_thread (task=0x7f8968007ec0, object=object@entry=0x55a79d80c250, task_data=task_data@entry=0x55a79d766e60, 
+    cancellable=cancellable@entry=0x55a79d748760) at ../tls/base/gtlsconnection-base.c:1564
+#14 0x00007f89784a8c02 in async_handshake_thread (task=<optimized out>, object=0x55a79d80c250, task_data=0x55a79d766e60, 
+    cancellable=0x55a79d748760) at ../tls/base/gtlsconnection-base.c:1848
+#15 0x00007f89882dbaf3 in g_task_thread_pool_thread (thread_data=0x7f8968007ec0, pool_data=<optimized out>) at ../gio/gtask.c:1441
+#16 0x00007f8988111b72 in g_thread_pool_thread_proxy (data=<optimized out>) at ../glib/gthreadpool.c:354
+#17 0x00007f898810f172 in g_thread_proxy (data=0x55a79d7e1360) at ../glib/gthread.c:827
+#18 0x00007f8987efdcc7 in start_thread (arg=<optimized out>) at pthread_create.c:442
+#19 0x00007f8987f82e00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
+(gdb)
+(gdb) disassemble 
+Dump of assembler code for function sha512_block_data_order_avx2:
+   0x00007f89783cbe00 <+0>:    mov    %rsp,%rax
+   0x00007f89783cbe03 <+3>:    push   %rbx
+   0x00007f89783cbe04 <+4>:    push   %rbp
+   0x00007f89783cbe05 <+5>:    push   %r12
+   0x00007f89783cbe07 <+7>:    push   %r13
+   0x00007f89783cbe09 <+9>:    push   %r14
+   0x00007f89783cbe0b <+11>:    push   %r15
+   0x00007f89783cbe0d <+13>:    sub    $0x520,%rsp
+   0x00007f89783cbe14 <+20>:    shl    $0x4,%rdx
+   0x00007f89783cbe18 <+24>:    and    $0xfffffffffffff800,%rsp
+   0x00007f89783cbe1f <+31>:    lea    (%rsi,%rdx,8),%rdx
+   0x00007f89783cbe23 <+35>:    add    $0x480,%rsp
+   0x00007f89783cbe2a <+42>:    mov    %rdi,0x80(%rsp)
+   0x00007f89783cbe32 <+50>:    mov    %rsi,0x88(%rsp)
+   0x00007f89783cbe3a <+58>:    mov    %rdx,0x90(%rsp)
+   0x00007f89783cbe42 <+66>:    mov    %rax,0x98(%rsp)
+=> 0x00007f89783cbe4a <+74>:    vzeroupper 
+   0x00007f89783cbe4d <+77>:    sub    $0xffffffffffffff80,%rsi
+   0x00007f89783cbe51 <+81>:    mov    (%rdi),%rax
+   0x00007f89783cbe54 <+84>:    mov    %rsi,%r12
+   0x00007f89783cbe57 <+87>:    mov    0x8(%rdi),%rbx
+   0x00007f89783cbe5b <+91>:    cmp    %rdx,%rsi
+   0x00007f89783cbe5e <+94>:    mov    0x10(%rdi),%rcx
+   0x00007f89783cbe62 <+98>:    cmove  %rsp,%r12
+   0x00007f89783cbe66 <+102>:    mov    0x18(%rdi),%rdx
+   0x00007f89783cbe6a <+106>:    mov    0x20(%rdi),%r8
+   0x00007f89783cbe6e <+110>:    mov    0x28(%rdi),%r9
+   0x00007f89783cbe72 <+114>:    mov    0x30(%rdi),%r10
+   0x00007f89783cbe76 <+118>:    mov    0x38(%rdi),%r11
+   0x00007f89783cbe7a <+122>:    jmp    0x7f89783cbe80 <sha512_block_data_order_avx2+128>
+   0x00007f89783cbe7c <+124>:    nopl   0x0(%rax)
+```"""
+reproduce = "n/a"
+additional = "n/a"