Single stepping Windows 10 bootloader results in Assertion `ret < cpu->num_ases && ret >= 0' failed.
Description of problem:
When I am trying to debug the Windows bootloader, I see an assertion error in QEMU when single-stepping some instructions in SeaBIOS.
```
qemu-system-i386: ../hw/core/cpu-sysemu.c:77: cpu_asidx_from_attrs: Assertion `ret < cpu->num_ases && ret >= 0' failed.
```
Steps to reproduce:
1. Download / construct `w.img`, see above
2. Start QEMU using `./qemu-system-i386 --drive media=disk,file=w.img,format=raw,index=1 -s -S -enable-kvm`
3. Start GDB using `gdb --ex 'target remote :::1234' --ex 'hb *0x7c00' --ex c --ex 'si 1000' --ex q`
4. See error message
Additional information:
The GDB script first breaks at 0x7c00, then tries to execute 1000 instructions by single-stepping (`si`). On my machine, after executing around 772 instructions, the assertion error happens in QEMU.
Here is an interactive GDB session on my machine.
```
(gdb) hb *0x7c00
Hardware assisted breakpoint 1 at 0x7c00
(gdb) c
Continuing.
Breakpoint 1, 0x00007c00 in ?? ()
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) si 770
0x000f7d7b in ?? ()
(gdb) x/10i $eip
=> 0xf7d7b: mov $0x7d85,%ebx
0xf7d80: out %al,$0xb2
0xf7d82: pause
0xf7d84: hlt
0xf7d85: mov %bp,%sp
0xf7d88: jmp 0xf7dd1
0xf7d8a: mov %cx,%si
0xf7d8d: mov $0x1,%ax
0xf7d91: add %al,(%eax)
0xf7d93: callw 0x6b66
(gdb) si
0x000f7d80 in ?? ()
(gdb) info reg
eax 0xb5 181
ecx 0x5678 22136
edx 0x0 0
ebx 0x7d85 32133
esp 0xe96d4 0xe96d4
ebp 0xfed4 0xfed4
esi 0xe0346 918342
edi 0xefd91 982417
eip 0xf7d80 0xf7d80
eflags 0x6 [ IOPL=0 PF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x10 16
gs 0x10 16
fs_base 0x0 0
gs_base 0x0 0
k_gs_base 0x0 0
cr0 0x11 [ ET PE ]
cr2 0x0 0
cr3 0x0 [ PDBR=0 PCID=0 ]
cr4 0x0 [ ]
cr8 0x0 0
efer 0x0 [ ]
...
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
(gdb) si
0x000f7d82 in ?? ()
(gdb) info reg
eax 0xb5 181
ecx 0x5678 22136
edx 0x0 0
ebx 0x7d85 32133
esp 0xe96d4 0xe96d4
ebp 0xfed4 0xfed4
esi 0xe0346 918342
edi 0xefd91 982417
eip 0xf7d82 0xf7d82
eflags 0x6 [ IOPL=0 PF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x10 16
gs 0x10 16
fs_base 0x0 0
gs_base 0x0 0
k_gs_base 0x0 0
cr0 0x11 [ ET PE ]
cr2 0x0 0
cr3 0x0 [ PDBR=0 PCID=0 ]
cr4 0x0 [ ]
cr8 0x0 0
efer 0x0 [ ]
...
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
(gdb) si
Remote connection closed
(gdb)
```
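A small triage helper for this report, added here as an example (it is not code from the issue or from QEMU): it splits the assertion message into program, file, line, function and condition, and walks the GDB session above to count the single-steps that completed and recover the instruction being stepped when the remote connection dropped. The stderr line and transcript in the block are constructed copies of the text above; the note that port 0xb2 is the APM/SMI command port on QEMU's PC machines is background knowledge, not something the report states.

```python
import re
# Constructed copies of the QEMU stderr line and an abridged GDB session from the report above.
QEMU_STDERR = ("qemu-system-i386: ../hw/core/cpu-sysemu.c:77: cpu_asidx_from_attrs: "
               "Assertion `ret < cpu->num_ases && ret >= 0' failed.")
GDB_TRANSCRIPT = """\
(gdb) si 770
0x000f7d7b in ?? ()
(gdb) x/10i $eip
=> 0xf7d7b: mov $0x7d85,%ebx
0xf7d80: out %al,$0xb2
0xf7d82: pause
0xf7d84: hlt
(gdb) si
0x000f7d80 in ?? ()
(gdb) si
0x000f7d82 in ?? ()
(gdb) si
Remote connection closed
"""

ASSERT_RE = re.compile(r"^(?P<prog>[\w.-]+): (?P<file>[^:]+):(?P<line>\d+): "
                       r"(?P<func>\w+): Assertion `(?P<cond>.*)' failed\.$")
STOP_RE = re.compile(r"^0x(?P<addr>[0-9a-f]+) in ")          # "0x000f7d82 in ?? ()"
DISAS_RE = re.compile(r"^(?:=> )?0x(?P<addr>[0-9a-f]+):\s+(?P<text>.+)$")  # x/i lines

def parse_qemu_assertion(line):
    """Split a glibc-style assertion message into program, file, line, function and condition."""
    m = ASSERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["line"] = int(d["line"])
    return d

def locate_crash(transcript):
    """Count completed single-steps and report the instruction being stepped when the stub died."""
    disas, last_eip, done, pending = {}, None, 0, 0
    for ln in transcript.splitlines():
        if (m := DISAS_RE.match(ln)):
            disas[int(m["addr"], 16)] = m["text"].strip()
        elif ln.startswith("(gdb) si"):
            pending = int(ln[len("(gdb) si"):] or 1)       # "si N" or a plain "si"
        elif (m := STOP_RE.match(ln)):
            last_eip, done, pending = int(m["addr"], 16), done + pending, 0
        elif ln.startswith("Remote connection closed"):
            # last_eip was being stepped when QEMU died; the preceding instruction is useful context
            # (here a write to port 0xb2, the APM/SMI command port on QEMU's PC machines).
            prev = max((a for a in disas if a < last_eip), default=None)
            return {"eip": last_eip, "insn": disas.get(last_eip), "steps_done": done,
                    "prev_insn": disas.get(prev)}
```

Run against a real session, `steps_done` gives the value to put in the report instead of "around 772", and the parsed assertion fields make it easy to check whether a later QEMU build still fails at the same site.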
This bug was first incorrectly filed in KVM's bug tracker at <https://bugzilla.kernel.org/show_bug.cgi?id=216003>.