Diffstat (limited to '')
-rw-r--r--  results/classifier/118/none/1799      207
-rw-r--r--  results/classifier/118/none/1799200    90
-rw-r--r--  results/classifier/118/none/1799768    44
-rw-r--r--  results/classifier/118/none/1799792    64
4 files changed, 405 insertions, 0 deletions
diff --git a/results/classifier/118/none/1799 b/results/classifier/118/none/1799
new file mode 100644
index 00000000..1bfea378
--- /dev/null
+++ b/results/classifier/118/none/1799
@@ -0,0 +1,207 @@
+register: 0.736
+user-level: 0.693
+debug: 0.680
+permissions: 0.662
+performance: 0.661
+device: 0.658
+boot: 0.628
+arm: 0.621
+architecture: 0.616
+ppc: 0.604
+vnc: 0.599
+files: 0.593
+graphic: 0.589
+KVM: 0.564
+TCG: 0.540
+network: 0.528
+PID: 0.526
+semantic: 0.516
+assembly: 0.504
+peripherals: 0.492
+kernel: 0.467
+socket: 0.466
+risc-v: 0.435
+x86: 0.424
+hypervisor: 0.421
+virtual: 0.409
+mistranslation: 0.379
+VMM: 0.334
+i386: 0.194
+
+Support running real-world Android on Arm by supporting one-register list for the POP (LDMIA) Thumb32 instruction.
+Steps to reproduce:
+1. Get any aarch64 Linux on QEMU for x86_64 running. Make sure that Wayland is running. (For example, build PostmarketOS with "phosh" for aarch64 and install it.)
+2. Install waydroid (e.g. `apk add waydroid`).
+3. Install the LineageOS 18.1 for waydroid image (e.g. `waydroid init`).
+4. Run the waydroid-container (e.g. `rc-service waydroid-container restart`).
+5. Start the waydroid session (e.g. click on the "Waydroid" symbol on the graphical user interface).
+6. Observe the waydroid log file (e.g. run `waydroid logcat`).
+Additional information:
+The output of the Android log (using `waydroid logcat`) will be akin:
+
+```
+23908 23908 D AndroidRuntime: >>>>>> START com.android.internal.os.ZygoteInit uid 0 <<<<<<
+23908 23908 I AndroidRuntime: Using default boot image
+23908 23908 I AndroidRuntime: Leaving lock profiling enabled
+23908 23908 E cutils-trace: Error opening trace file: No such file or directory (2)
+23908 23908 I zygote  : option[0]=-Xzygote
+23908 23908 I zygote  : option[1]=exit
+23908 23908 I zygote  : option[2]=vfprintf
+23908 23908 I zygote  : option[3]=sensitiveThread
+23908 23908 I zygote  : option[4]=-verbose:gc
+23908 23908 I zygote  : option[5]=-XX:PerfettoHprof=true
+23908 23908 I zygote  : option[6]=-Xms8m
+23908 23908 I zygote  : option[7]=-Xmx512m
+23908 23908 I zygote  : option[8]=-XX:HeapGrowthLimit=192m
+23908 23908 I zygote  : option[9]=-XX:HeapMinFree=8m
+23908 23908 I zygote  : option[10]=-XX:HeapMaxFree=16m
+23908 23908 I zygote  : option[11]=-XX:HeapTargetUtilization=0.6
+23908 23908 I zygote  : option[12]=-Xusejit:true
+23908 23908 I zygote  : option[13]=-Xjitsaveprofilinginfo
+23908 23908 I zygote  : option[14]=-XjdwpOptions:suspend=n,server=y
+23908 23908 I zygote  : option[15]=-XjdwpProvider:default
+23908 23908 I zygote  : option[16]=-Xopaque-jni-ids:swapable
+23908 23908 I zygote  : option[17]=-Xlockprofthreshold:500
+23908 23908 I zygote  : option[18]=-Xcompiler-option
+23908 23908 I zygote  : option[19]=--instruction-set-variant=generic
+23908 23908 I zygote  : option[20]=-Xcompiler-option
+23908 23908 I zygote  : option[21]=--instruction-set-features=default
+23908 23908 I zygote  : option[22]=-Xcompiler-option
+23908 23908 I zygote  : option[23]=--generate-mini-debug-info
+23908 23908 I zygote  : option[24]=-Ximage-compiler-option
+23908 23908 I zygote  : option[25]=--runtime-arg
+23908 23908 I zygote  : option[26]=-Ximage-compiler-option
+23908 23908 I zygote  : option[27]=-Xms64m
+23908 23908 I zygote  : option[28]=-Ximage-compiler-option
+23908 23908 I zygote  : option[29]=--runtime-arg
+23908 23908 I zygote  : option[30]=-Ximage-compiler-option
+23908 23908 I zygote  : option[31]=-Xmx64m
+23908 23908 I zygote  : option[32]=-Ximage-compiler-option
+23908 23908 I zygote  : option[33]=--dirty-image-objects=/system/etc/dirty-image-objects
+23908 23908 I zygote  : option[34]=-Ximage-compiler-option
+23908 23908 I zygote  : option[35]=--instruction-set-variant=generic
+23908 23908 I zygote  : option[36]=-Ximage-compiler-option
+23908 23908 I zygote  : option[37]=--instruction-set-features=default
+23908 23908 I zygote  : option[38]=-Ximage-compiler-option
+23908 23908 I zygote  : option[39]=--generate-mini-debug-info
+23908 23908 I zygote  : option[40]=-Duser.locale=en-US
+23908 23908 I zygote  : option[41]=--cpu-abilist=armeabi-v7a,armeabi
+23908 23908 I zygote  : option[42]=-Xcore-platform-api-policy:just-warn
+23908 23908 I zygote  : option[43]=-Xfingerprint:waydroid/lineage_waydroid_arm64/waydroid_arm64:11/RQ3A.211001.001/48:userdebug/test-keys
+23908 23908 I zygote  : Core platform API reporting enabled, enforcing=false
+23908 23908 D zygote  : Time zone APEX ICU file found: /apex/com.android.tzdata/etc/icu/icu_tzdata.dat
+23908 23908 D zygote  : I18n APEX ICU file found: /apex/com.android.i18n/etc/icu/icudt66l.dat
+23908 23908 I zygote  : Using memfd for future sealing
+23908 23908 W zygote  : Using default instruction set features for ARM CPU variant (generic) using conservative defaults
+   49    49 I tombstoned: received crash request for pid 23908
+23908 23908 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+23908 23908 F DEBUG   : LineageOS Version: '18.1-20230723-VANILLA-waydroid_arm64'
+23908 23908 F DEBUG   : Build fingerprint: 'waydroid/lineage_waydroid_arm64/waydroid_arm64:11/RQ3A.211001.001/48:userdebug/test-keys'
+23908 23908 F DEBUG   : Revision: '0'
+23908 23908 F DEBUG   : ABI: 'arm'
+23908 23908 F DEBUG   : Timestamp: 2023-07-28 14:13:34+0000
+23908 23908 F DEBUG   : pid: 23908, tid: 23908, name: main  >>> zygote <<<
+23908 23908 F DEBUG   : uid: 0
+23908 23908 F DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x709443da (*pc=0x4000e8bd)
+23908 23908 F DEBUG   :     r0  54647764  r1  3fb9709b  r2  fffffe56  r3  4337ffff
+23908 23908 F DEBUG   :     r4  707184b0  r5  3fdaaaaa  r6  f295837e  r7  00000001
+23908 23908 F DEBUG   :     r8  00000000  r9  f7986e00  r10 ffa33320  r11 ffa332e4
+23908 23908 F DEBUG   :     ip  e9930ba4  sp  ffa332cc  lr  709443d5  pc  709443da
+23908 23908 F DEBUG   : 
+23908 23908 F DEBUG   : backtrace:
+23908 23908 F DEBUG   :       #00 pc 0007e3da  /apex/com.android.art/javalib/arm/boot.oat (art_jni_trampoline+34) (BuildId: 4af94ec040111dd87be55d34780e36769428675c)
+23908 23908 F DEBUG   :       #01 pc 000d39d5  /apex/com.android.art/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #02 pc 004f0759  /apex/com.android.art/lib/libart.so (art_quick_invoke_static_stub+276) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #03 pc 0012ca93  /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+166) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #04 pc 00240bbf  /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #05 pc 002388df  /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+746) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #06 pc 004e44db  /apex/com.android.art/lib/libart.so (MterpInvokeStatic+482) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #07 pc 000ce594  /apex/com.android.art/lib/libart.so (mterp_op_invoke_static+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #08 pc 003bdaa0  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #09 pc 0023182b  /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #10 pc 00238109  /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+144) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #11 pc 00239581  /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+536) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #12 pc 004e7239  /apex/com.android.art/lib/libart.so (MterpInvokeStaticRange+372) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #13 pc 000ce894  /apex/com.android.art/lib/libart.so (mterp_op_invoke_static_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #14 pc 003bd9d4  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #15 pc 0023182b  /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #16 pc 00238109  /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+144) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #17 pc 00239581  /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+536) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #18 pc 004e7239  /apex/com.android.art/lib/libart.so (MterpInvokeStaticRange+372) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #19 pc 000ce894  /apex/com.android.art/lib/libart.so (mterp_op_invoke_static_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #20 pc 003bc286  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #21 pc 0023182b  /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #22 pc 00238109  /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+144) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #23 pc 002388c7  /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+722) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #24 pc 004e44db  /apex/com.android.art/lib/libart.so (MterpInvokeStatic+482) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #25 pc 000ce594  /apex/com.android.art/lib/libart.so (mterp_op_invoke_static+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #26 pc 003b1c7c  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #27 pc 0023182b  /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #28 pc 0023803d  /apex/com.android.art/lib/libart.so (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+120) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #29 pc 004d321b  /apex/com.android.art/lib/libart.so (artQuickToInterpreterBridge+686) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #30 pc 000d8561  /apex/com.android.art/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #31 pc 0042dbaf  /system/framework/arm/boot-framework.oat (android.graphics.ColorSpace$Rgb.isSrgb+446) (BuildId: 7ce3c24f3f20164927036fc8f58e1baa2a8f4020)
+23908 23908 F DEBUG   :       #32 pc 0042cddf  /system/framework/arm/boot-framework.oat (android.graphics.ColorSpace$Rgb.<init>+822) (BuildId: 7ce3c24f3f20164927036fc8f58e1baa2a8f4020)
+23908 23908 F DEBUG   :       #33 pc 000d39d5  /apex/com.android.art/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #34 pc 004f0627  /apex/com.android.art/lib/libart.so (art_quick_invoke_stub+282) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #35 pc 0012ca81  /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+148) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #36 pc 00240bbf  /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #37 pc 00239597  /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+558) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #38 pc 004e6b7d  /apex/com.android.art/lib/libart.so (MterpInvokeDirectRange+392) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #39 pc 000ce814  /apex/com.android.art/lib/libart.so (mterp_op_invoke_direct_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #40 pc 003bce74  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #41 pc 004e6cdd  /apex/com.android.art/lib/libart.so (MterpInvokeDirectRange+744) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #42 pc 000ce814  /apex/com.android.art/lib/libart.so (mterp_op_invoke_direct_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #43 pc 003bce8c  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #44 pc 004e6cdd  /apex/com.android.art/lib/libart.so (MterpInvokeDirectRange+744) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #45 pc 000ce814  /apex/com.android.art/lib/libart.so (mterp_op_invoke_direct_range+20) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #46 pc 003be6b6  /system/framework/framework.jar
+23908 23908 F DEBUG   :       #47 pc 0023182b  /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.10727712076471079728)+254) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #48 pc 0023803d  /apex/com.android.art/lib/libart.so (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+120) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #49 pc 004d321b  /apex/com.android.art/lib/libart.so (artQuickToInterpreterBridge+686) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #50 pc 000d8561  /apex/com.android.art/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #51 pc 000d39d5  /apex/com.android.art/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #52 pc 004f0759  /apex/com.android.art/lib/libart.so (art_quick_invoke_static_stub+276) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+23908 23908 F DEBUG   :       #53 pc 0012ca93  /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+166) (BuildId: d0f40e4862987997ffa9c0a264e61174)
+```
+
+
+Analyzing with `gdb` (by repeatedly calling `gdb -p "$(ps xua | grep zygote | grep -v grep | grep -v zygote64 | awk {'print $2'})"` until `gdb` attaches earlier to the current `zygote` process than the offending instruction is reached) reveals that the crash happens here:
+
+```
+   0x6fc373b0 <+944>:   cmp     r3, #223        @ 0xdf
+   0x6fc373b2 <+946>:   movs    r6, r0
+   0x6fc373b4 <+948>:   movs    r0, r5
+   0x6fc373b6 <+950>:   movs    r0, r0
+   0x6fc373b8 <+952>:   push    {lr}
+   0x6fc373ba <+954>:   sub     sp, #4
+   0x6fc373bc <+956>:   vstr    d0, [sp, #12]
+   0x6fc373c0 <+960>:   vstr    d1, [sp, #20]
+   0x6fc373c4 <+964>:   mov     r4, r0
+   0x6fc373c6 <+966>:   ldr     r2, [sp, #20]
+   0x6fc373c8 <+968>:   ldr     r3, [sp, #24]
+   0x6fc373ca <+970>:   ldr     r0, [sp, #12]
+   0x6fc373cc <+972>:   ldr     r1, [sp, #16]
+   0x6fc373ce <+974>:   ldr.w   r12, [r4, #20]
+   0x6fc373d2 <+978>:   blx     r12
+   0x6fc373d4 <+980>:   vmov    d0, r0, r1
+   0x6fc373d8 <+984>:   add     sp, #4
+=> 0x6fc373da <+986>:   ldmia.w sp!, {lr}
+   0x6fc373de <+990>:   bx      lr
+```
+
+(note that the actual address changes for every instance of `zygote`, probably due to address-space layout randomization)
+
+The instruction at this location is 0xe8bd4000, as evidenced by:
+
+```
+(gdb) x/16hx 0x6fc373da
+0x6fc373da <oatexec+986>:       0xe8bd  0x4000  0x4770  0x2c0f  0x0006  0x0020  0x0000  0xb500
+0x6fc373ea <oatexec+1002>:      0xb081  0xed8d  0x0b03  0x4604  0x9803  0x9904  0xf8d4  0xc014
+```
+
+The disassembly into `ldmia.w sp!, {lr}` is indeed correct. However, such an instruction [would be assembled](https://developer.arm.com/documentation/ddi0308/d/Thumb-Instructions/Alphabetical-list-of-Thumb-instructions/POP?lang=en) into `pop lr` and then into `ldr.w lr,[sp,#-4]`, which would be encoded differently. Hence, the assembly into this instruction was incorrect in the first place.
+
+It turns out that the assembly error is due to an error in the [`vixl` ARMv8 Runtime Code Generation Library](https://github.com/Linaro/vixl), which is also used by Android. This error [has been fixed by Feb 9, 2021](https://github.com/Linaro/vixl/commit/b0a2e281aebbf93e6ee521dcc40ba6dd2aa5124d). However, this fix has [not made it into Android 13](https://android.googlesource.com/platform/external/vixl/+log/02ab12aafeb5278d89184ae6a3ff3a7883b34c5e). Thus, at least Android 11, Android 12, Android 13 cannot run on current `qemu-system-aarch64`, while it should.
+
+Users of the Android emulator (also based on QEMU) do not seem to suffer from this bug because the Android QEMU [has bitrotted since the year 2018](https://android.googlesource.com/platform/external/qemu/+log/e7390f2265257d66093dfe858ce3a47b2e1de539/target/arm/translate.c) and hence has not seen any Arm emulation modernization in QEMU (e.g. the Tiny Code Generator) since, and only this modernization has exposed this bug in the first place.
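Review bot: The score block at the top of this new file (the 29 `label: score` lines from `register: 0.736` down to `i386: 0.194`) has no header saying which classifier produced it, what the numbers are (probabilities, similarities, something else) or which label set they belong to, and only a single blank line separates it from the pasted bug report, so a reader or a parsing script has to guess where the scores end and the report text begins. Suggest a one-line header such as `# classifier scores, label: score, sorted descending` (or documenting the layout once in a README under results/classifier/) and an unambiguous separator before the report body. Minor: the report title `Support running real-world Android on Arm ...` runs straight into `Steps to reproduce:` with no blank line, unlike the other three files in this commit, where the title is followed by an empty line.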
diff --git a/results/classifier/118/none/1799200 b/results/classifier/118/none/1799200
new file mode 100644
index 00000000..f6e2d995
--- /dev/null
+++ b/results/classifier/118/none/1799200
@@ -0,0 +1,90 @@
+user-level: 0.541
+TCG: 0.541
+mistranslation: 0.512
+KVM: 0.508
+VMM: 0.503
+risc-v: 0.491
+i386: 0.489
+x86: 0.477
+ppc: 0.473
+peripherals: 0.456
+vnc: 0.454
+register: 0.453
+hypervisor: 0.450
+device: 0.435
+debug: 0.432
+graphic: 0.429
+permissions: 0.416
+performance: 0.410
+semantic: 0.404
+arm: 0.398
+socket: 0.395
+virtual: 0.395
+PID: 0.392
+assembly: 0.386
+network: 0.386
+architecture: 0.378
+kernel: 0.377
+files: 0.365
+boot: 0.351
+
+null pointer dereference in tcg_emit_op
+
+I am insert a custom  tcg helper function in i386_tr_insn_start for trace the instructions.
+
+most of time the qemu runed ok ,but when execute some special software  will lead to crash.
+
+
+the below is the insert code:
+=======================================================================================
+
+ 8514 static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
+ 8515 {
+ 8516     DisasContext *dc = container_of(dcbase, DisasContext, base);
+ 8517     TCGv_ptr ptr= tcg_const_ptr((void*)cpu); // inserted hepler code
+ 8518     gen_helper_mad_exec(ptr);// insert helper code
+ 8519     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
+ 8520 }
+======================================================================================
+
+below is the callstack 
+
+#0  0x000055555581df5e in tcg_emit_op (opc=opc@entry=INDEX_op_movi_i64) at /root/qemu/tcg/tcg.c:2205
+#1  0x0000555555825911 in tcg_gen_op2 (opc=opc@entry=INDEX_op_movi_i64, a1=140734736923704, a2=a2@entry=792) at /root/qemu/tcg/tcg-op.c:53
+#2  0x000055555581d713 in tcg_const_i64 (opc=INDEX_op_movi_i64, a2=792, a1=0x7378) at /root/qemu/tcg/tcg-op.h:109
+#3  0x000055555581d713 in tcg_const_i64 (arg=792, ret=<optimized out>) at /root/qemu/tcg/tcg-op.h:579
+#4  0x000055555581d713 in tcg_const_i64 (val=val@entry=792) at /root/qemu/tcg/tcg.c:1314
+#5  0x000055555582732d in tcg_gen_addi_i64 (ret=0xd18, arg1=0x378, arg2=arg2@entry=792) at /root/qemu/tcg/tcg-op.c:1200
+#6  0x000055555590ffaf in gen_sse (b=792, a=<optimized out>, r=<optimized out>) at /root/qemu/tcg/tcg-op.h:1258
+#7  0x000055555590ffaf in gen_sse (env=env@entry=0x5555567424d0, s=s@entry=0x7fffea99a610, b=b@entry=366, pc_start=pc_start@entry=4513509698, rex_r=rex_r@entry=0) at /root/qemu/target/i386/translate.c:3150
+#8  0x0000555555911d7f in disas_insn (s=s@entry=0x7fffea99a610, cpu=<optimized out>) at /root/qemu/target/i386/translate.c:8336
+#9  0x00005555559207a0 in i386_tr_translate_insn (dcbase=0x7fffea99a610, cpu=<optimized out>) at /root/qemu/target/i386/translate.c:8543
+#10 0x0000555555892649 in translator_loop (ops=0x55555622dee0 <i386_tr_ops>, db=0x7fffea99a610, cpu=0x55555673a220, tb=<optimized out>) at /root/qemu/accel/tcg/translator.c:110
+#11 0x00005555559209ef in gen_intermediate_code (cpu=cpu@entry=0x55555673a220, tb=tb@entry=0x7fff70682040 <code_gen_buffer+208150547>) at /root/qemu/target/i386/translate.c:8605
+#12 0x0000555555891437 in tb_gen_code (cpu=cpu@entry=0x55555673a220, pc=pc@entry=4513506448, cs_base=cs_base@entry=0, flags=flags@entry=4244147, cflags=cflags@entry=0) at /root/qemu/accel/tcg/translate-all.c:1728
+#13 0x000055555588f97b in cpu_exec (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /root/qemu/accel/tcg/cpu-exec.c:410
+#14 0x000055555588f97b in cpu_exec (cpu=cpu@entry=0x55555673a220) at /root/qemu/accel/tcg/cpu-exec.c:734
+#15 0x000055555584b152 in tcg_cpu_exec (cpu=0x55555673a220) at /root/qemu/cpus.c:1405
+#16 0x000055555584d1b8 in qemu_tcg_rr_cpu_thread_fn (arg=<optimized out>) at /root/qemu/cpus.c:1505
+#17 0x00007ffff2585e25 in start_thread () at /lib64/libpthread.so.0
+#18 0x00007ffff22afbad in clone () at /lib64/libc.so.6
+
+Does this bug occur with a normal build of QEMU or only with your changes to it?
+
+1. You're leaking the "ptr" TCG temp. Fix it, and also test your code with the --enable-debug-tcg configure flag.
+2. Don't insert your helper in .insn_start; you'll have better luck in .translate_insn.
+
+
+Hi Emilio G. Cota (cota),
+ for point 1, I don't know what you mean about leaking the ptr TCG temp
+ for point 2. what I want to do is call callback function when execute  every guest instructions
+ so I think it's not should inset code in .translate_insn. what do you think about it?
+
+
+
+
+
+Hi Emilio G. Cota (cota),
+  thank you,
+  after I free the "ptr",there is no crash occur :) 
+
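Review bot: The two highest scores in this file are tied (`user-level: 0.541` and `TCG: 0.541`), so anything that takes "the" top label from the first line is relying on line order to break the tie; if the pipeline does that, the tie-breaking rule belongs in the format documentation, and if it does not, consumers should be told that the first line is not a unique argmax. Style point: several body lines keep trailing whitespace from the original tracker text (`below is the callstack `, `after I free the "ptr",there is no crash occur :) `); either strip it on import or state that bodies are stored byte-for-byte, so that regenerated results do not churn on whitespace-only diffs.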
diff --git a/results/classifier/118/none/1799768 b/results/classifier/118/none/1799768
new file mode 100644
index 00000000..904ba03a
--- /dev/null
+++ b/results/classifier/118/none/1799768
@@ -0,0 +1,44 @@
+mistranslation: 0.769
+device: 0.714
+network: 0.520
+socket: 0.427
+semantic: 0.384
+graphic: 0.312
+vnc: 0.308
+register: 0.305
+architecture: 0.297
+PID: 0.242
+risc-v: 0.238
+boot: 0.237
+virtual: 0.222
+kernel: 0.218
+ppc: 0.215
+TCG: 0.174
+files: 0.170
+hypervisor: 0.164
+user-level: 0.162
+peripherals: 0.158
+VMM: 0.149
+i386: 0.121
+permissions: 0.110
+KVM: 0.096
+arm: 0.093
+performance: 0.091
+x86: 0.081
+debug: 0.076
+assembly: 0.050
+
+-nodefaults has unclear documentation
+
+-nodefaults has an unclear documentation, I believe it should states it does not applies to devices created by a machine model.
+
+See https://stackoverflow.com/questions/52908614/qemu-s-nodefaults-not-working-as-expected-to-me to read how I came to this.
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/156
+
+
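Review bot: The top label here is `mistranslation: 0.769`, ahead of `device: 0.714`, for a report whose entire body is about the wording of the `-nodefaults` documentation and devices created by a machine model; the rest of the label set consists of QEMU subsystem and architecture names (`TCG`, `KVM`, `arm`, `vnc`, ...) and nothing in the report text concerns translation, so this looks like a case worth a spot check before the scores are used downstream. Also, the body ends with the generic 'This is an automated cleanup' paragraph, the gitlab link and two empty lines; that paragraph is tracker boilerplate rather than report content and will appear identically in every expired report, so consider stripping it before classification.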
diff --git a/results/classifier/118/none/1799792 b/results/classifier/118/none/1799792
new file mode 100644
index 00000000..4ff4d139
--- /dev/null
+++ b/results/classifier/118/none/1799792
@@ -0,0 +1,64 @@
+architecture: 0.611
+graphic: 0.599
+device: 0.539
+user-level: 0.493
+performance: 0.459
+arm: 0.357
+ppc: 0.356
+mistranslation: 0.355
+semantic: 0.302
+debug: 0.291
+x86: 0.290
+boot: 0.259
+i386: 0.236
+network: 0.231
+PID: 0.224
+vnc: 0.223
+hypervisor: 0.214
+risc-v: 0.197
+permissions: 0.194
+kernel: 0.192
+peripherals: 0.192
+files: 0.190
+VMM: 0.189
+register: 0.188
+TCG: 0.186
+socket: 0.182
+virtual: 0.179
+assembly: 0.158
+KVM: 0.088
+
+Broken scaling with gtk,gl=on on a hidpi display
+
+Tested on QEMU 3.0.0 on Arch Linux.
+
+I'm using a hidpi screen, and therefore use those environment variables in order to have GTK+ apps properly scaled:
+
+GDK_SCALE=2
+GDK_DPI_SCALE=0.5
+
+However, QEMU, when launched with "-display gtk,gl=on" option, doesn't scale the window content properly, as seen on the attached screenshot.
+
+Switching to "-display gtk,gl=off" and "-display sdl,gl=on" makes it work fine.
+
+
+
+Also happens on Ubuntu 19.10
+
+The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
+If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.
+
+Still happening in QEMU 5.1.0
+
+I have the same issue, but unfortunately I cannot work around it: gl=off doesn't work with vfio-display-dmabuf, and sdl segfaults when the guest OS tries to enter GUI.
+
+unset GDK_SCALE GDK_DPI_SCALE works for me. It was GDK_SCALE=2 GDK_DPI_SCALE=0.5 as KDE would have set.
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/262
+
+
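Review bot: The report body refers to evidence that is not in the file: `... doesn't scale the window content properly, as seen on the attached screenshot.` stores only the text, so the screenshot the reporter relied on is lost, and if attachments are dropped on import that should be documented for the format. The two environment-variable lines (`GDK_SCALE=2`, `GDK_DPI_SCALE=0.5`) would also read better indented or fenced, the way the logcat output in the first file of this commit is. As in 1799768, the file ends with the 'This is an automated cleanup' tracker boilerplate, the gitlab link and two empty lines; since that paragraph is identical across expired reports it feeds identical tokens into every such file, so stripping it (or at least the trailing blank lines) before classification is worth considering.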