semantic: 0.931
network: 0.925
other: 0.924
device: 0.915
instruction: 0.906
boot: 0.902
graphic: 0.902
vnc: 0.900
assembly: 0.881
KVM: 0.877
mistranslation: 0.867
socket: 0.826

QEMU S/390x sqxbr (128-bit IEEE 754 square root) crashes qemu-system-s390x

In porting software to guest Ubuntu 18.04 and 20.04 VMs for S/390x, I discovered
that some of my own numerical programs, and also a GNU configure script for at
least one package with CC=clang, would cause an instant crash of the VM, sometimes
also destroying recently opened files, and producing long strings of NUL characters
in /var/log/syslog in the S/390 guest O/S.

Further detective work narrowed the cause of the crash down to a single IBM S/390
instruction: sqxbr (128-bit IEEE 754 square root).  Here is a one-line program
that when compiled and run on a VM hosted on QEMUcc emulator version 4.2.0 
(Debian 1:4.2-3ubuntu6.1) [hosted on Ubuntu 20.04 on a Dell Precision 7920 
workstation with an Intel Xeon Platinum 8253 CPU],  and also on QEMU emulator 
version 5.0.0, reproducibly produces a VM crash under qemu-system-s390x.

% cat bug-sqrtl-one-line.c
int main(void) { volatile long double x, r; x = 4.0L; __asm__ __volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}

% cc bug-sqrtl-one-line.c && ./a.out
Segmentation fault (core dumped)

The problem code may be the function float128_sqrt() defined in qemu-5.0.0/fpu/softfloat.c
starting at line 7619.  I have NOT attempted to run the qemu-system-s390x executable
under a debugger.  However, I observe that S/390 is the only CPU family that I know of,
except possibly for a Fujitsu SPARC-64, that has a 128-bit square root in hardware.
Thus, this instruction bug may not have been seen before.

Another way to reproduce this bug is with qemu-s390x and a cross-compiled binary:

$ s390x-linux-gnu-gcc-5 -static -o bug-sqrtl-one-line.s390x bug-sqrtl-one-line.c
$ qemu-s390x bug-sqrtl-one-line.s390x
Segmentation fault (core dumped)

Find attached the binary.

With --enable-debug,

qemu-s390x: /home/rth/qemu/qemu/include/tcg/tcg.h:687: temp_idx: Assertion `n >= 0 && n < tcg_ctx->nb_temps' failed.

which turns out to be related to a null-pointer temporary.

I confirm that the patch https://lists.gnu.org/archive/html/qemu-s390x/2020-06/msg00213.html fixes the issue, both for qemu-s390x and qemu-system-s390x.

Thanks Richard!

This bug was fixed in the package qemu - 1:5.0-5ubuntu4

---------------
qemu (1:5.0-5ubuntu4) groovy; urgency=medium

  * xen: provide compat links to what libxen-dev reports where to find
    the binaries (LP: #1890005)
  * d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
    SQXBR (LP: #1883984)
  * d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)

 -- Christian Ehrhardt <email address hidden>  Mon, 03 Aug 2020 07:15:28 +0200

Note: final upstream commit link https://git.qemu.org/?p=qemu.git;a=commit;h=9bf728a09bf7509b27543664f9cca6f4f337f608

Hello Nelson, or anyone else affected,

Accepted qemu into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.  Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted qemu (1:4.2-3ubuntu6.5) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-image/1.9+20.04ubuntu1 (amd64)
systemd/245.4-4ubuntu3.2 (amd64, armhf, s390x, ppc64el)
livecd-rootfs/2.664.4 (amd64, arm64, s390x, ppc64el)


Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#qemu

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!


old version
sudo apt install qemu-system-s390x=1:4.2-3ubuntu6.4
...test as listed in the test instructions ...

ubuntu@focal-sqxbr:~$ ./a.out 
Segmentation fault
(qemu is dead at this point)

$ sudo apt install qemu-system-s390x=1:4.2-3ubuntu6.5
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  qemu-system-s390x
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 2334 kB of archives.
After this operation, 4096 B of additional disk space will be used.
Get:1 http://ports.ubuntu.com focal-proposed/main s390x qemu-system-s390x s390x 1:4.2-3ubuntu6.5 [2334 kB]
Fetched 2334 kB in 1s (3927 kB/s)      
(Reading database ... 203254 files and directories currently installed.)
Preparing to unpack .../qemu-system-s390x_1%3a4.2-3ubuntu6.5_s390x.deb ...
Unpacking qemu-system-s390x (1:4.2-3ubuntu6.5) over (1:4.2-3ubuntu6.4) ...
Setting up qemu-system-s390x (1:4.2-3ubuntu6.5) ...
Processing triggers for man-db (2.9.3-2) ...
ubuntu@s1lp05:~$ 

ubuntu@focal-sqxbr:~$ ./a.out 
(no crash)


Setting verified

The verification of the Stable Release Update for qemu has completed successfully and the package is now being released to -updates.  Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report.  In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package qemu - 1:4.2-3ubuntu6.5

---------------
qemu (1:4.2-3ubuntu6.5) focal; urgency=medium

  * further stabilize qemu by importing patches of qemu v4.2.1
    Fixes (LP: #1891203) and (LP: #1891877)
    - d/p/stable/lp-1891877-*
    - as part of the stabilization this also fixes an
      riscv emulation issue due to the CVE-2020-13754 fixes via
      d/p/ubuntu/hw-riscv-Allow-64-bit-access-to-SiFive-CLINT.patch
  * fix s390x SQXBR emulation (LP: #1883984)
    - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
  * fix -no-reboot for s390x protvirt guests (LP: #1890154)
    - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*

 -- Christian Ehrhardt <email address hidden>  Wed, 19 Aug 2020 13:40:49 +0200