qemu-3.1.0-rc0: tcg.c crash in temp_load

QEMU version:
-------------

qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)

Summary:
--------

TCG crashes in i386 and x86_64 when it tries to execute some specific illegal instructions. When running full OS emulation, both the guest system and QEMU crash.

The issue has been reproduced in two scenarios:

Ubuntu x64 host running Debian x86 guest with the following command line: qemu-system-x86_64 -m 4G debian.qcow

When the attached ELF file is executed inside the guest, QEMU crashes.

It can also be reproduced from the command line:

$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped)  ../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf

GDB backtrace:

(gdb) bt
#0  0x0000000060206488 in raise ()
#1  0x0000000060206b8a in abort ()
#2  0x0000000060007016 in temp_load (s=s@entry=0x607a2780 <tcg_init_ctx>, ts=ts@entry=0x607a3178 <tcg_init_ctx+2552>, desired_regs=<optimized out>, allocated_regs=allocated_regs@entry=16400)
    at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3  0x000000006000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4  tcg_gen_code (s=<optimized out>, tb=tb@entry=0x607ac040 <static_code_gen_buffer+4144>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5  0x000000006003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, cflags=cflags@entry=0)
    at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6  0x000000006003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7  cpu_exec (cpu=cpu@entry=0x627e0010) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8  0x000000006006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9  0x00000000600037c5 in main (argc=2, argv=0x7fffffffdd28, envp=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)

Testcase:
---------

Find ELF file attached, and also in the following hexdump:

$ hexdump -C tcg_crash.elf
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  54 80 04 08 34 00 00 00  |........T...4...|
00000020  00 00 00 00 00 00 00 00  34 00 20 00 01 00 00 00  |........4. .....|
00000030  00 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000040  00 80 04 08 64 00 00 00  64 00 00 00 05 00 00 00  |....d...d.......|
00000050  00 10 00 00 d2 dc a8 45  31 ca f0 35 d9 4d 8f 18  |.......E1..5.M..|
00000060  05 2e 6f 9f                                       |..o.|



Can you please re-test on the current master? I think this was fixed by:

commit e84fcd7f662a0d8198703f6f89416d7ac2c32767
Author: Richard Henderson <email address hidden>
Date:   Tue Nov 13 20:35:10 2018 +0100

    target/i386: Generate #UD when applying LOCK to a register destination

Testing on my box:

12:14:20 [alex@idun:~/l/qemu.git] master + ./i386-linux-user/qemu-i386 ~/tcg_crash.elf
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
fish: “./i386-linux-user/qemu-i386 ~/t…” terminated by signal SIGILL (Illegal instruction)


I've tested this again and I haven't been able to reproduce it anymore on the current master; it looks fixed.

Thanks! :)

Hello again,

After more testing I've been able to trigger this bug again using qemu from git master. Find attached a new ELF that will reproduce the problem:

$ qemu-i386 tcg_crash1.elf
/home/alberto/Documents/qemu/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped)  ./qemu/build/i386-linux-user/qemu-i386 tcg_crash1.elf

Invalid instructions:

f0 invalid
40 inc eax
a7 cmpsd dword [esi], dword ptr es:[edi]
48 dec eax

GDB backtrace is the same as before.
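The commit title quoted earlier states the rule the fix enforces (LOCK on a register destination must raise #UD), and the listing above gives the bytes that instead reached the TCG register allocator. As an added example, not QEMU's decoder and not code from this thread, here is a minimal Python front end that decodes those bytes and faults with #UD the way the fix does; its opcode coverage and the LOCKABLE set are assumptions narrowed to this testcase.

```python
# Added example (not QEMU code): a tiny x86-32 decoder for the byte sequence in
# the second testcase (f0 40 a7 48) that enforces the rule stated by the fix
# commit: LOCK (0xF0) is legal only on a lockable instruction whose destination
# is memory; anything else must raise #UD in the front end, before TCG runs.
# Assumptions: 32-bit mode, no 0F-escape opcodes, only a handful of opcodes.
LOCK = 0xF0
PREFIXES = {0xF0, 0xF2, 0xF3, 0x66, 0x67, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
LOCKABLE = {"inc", "dec"}           # subset modelled here; the real list is longer

def decode_one(code, pos):
    """Decode one instruction at code[pos] -> (text, next_pos); ValueError on fault."""
    lock = False
    while pos < len(code) and code[pos] in PREFIXES:
        lock |= code[pos] == LOCK
        pos += 1
    op, pos = code[pos], pos + 1
    if 0x40 <= op <= 0x4F:                          # inc/dec r32: register destination
        mnem = "inc" if op < 0x48 else "dec"
        text, mem_dest = f"{mnem} {REG32[op & 7]}", False
    elif op == 0xA7:                                # cmpsd: memory operands, not lockable
        mnem, text, mem_dest = "cmpsd", "cmpsd", True
    elif op == 0xFF and (code[pos] >> 3) & 7 < 2:   # group 5: /0 inc r/m32, /1 dec r/m32
        modrm, pos = code[pos], pos + 1
        mod, rm = modrm >> 6, modrm & 7
        mnem = "inc" if (modrm >> 3) & 7 == 0 else "dec"
        if mod == 3:                                # register form, e.g. ff c0 = inc eax
            text, mem_dest = f"{mnem} {REG32[rm]}", False
        elif mod == 0 and rm not in (4, 5):         # plain [reg] form, e.g. ff 00
            text, mem_dest = f"{mnem} dword [{REG32[rm]}]", True
        else:
            raise ValueError("unsupported addressing form")
    else:
        raise ValueError(f"unsupported opcode {op:#04x}")
    if lock and not (mnem in LOCKABLE and mem_dest):
        raise ValueError("#UD")                     # LOCK on register dest or non-lockable op
    return ("lock " if lock else "") + text, pos

def decode_all(code):
    """Decode a buffer; stop at the first fault and record its offset."""
    pos, out = 0, []
    while pos < len(code):
        try:
            text, pos = decode_one(code, pos)
        except (ValueError, IndexError) as e:       # IndexError = truncated input
            out.append(f"{pos:#04x}: {e}")
            break
        out.append(text)
    return out
TESTCASE = bytes.fromhex("f040a748")                # the four bytes listed in the report
```

Running `decode_all(TESTCASE)` stops at offset 0 with `#UD`, which is the outcome the fixed translator must produce for `f0 40`; without the LOCK prefix the same bytes decode to `inc eax`, `cmpsd`, `dec eax`.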

This second crash is of course a different bug.

Hi Alberto,

Can you open another ticket for your new bug?

Thanks.

On Fri, Dec 7, 2018 at 6:22 PM Richard Henderson <email address hidden> wrote:
>
> This second crash is of course a different bug.
>
> --
> You received this bug notification because you are a member of qemu-
> devel-ml, which is subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1803160
>
> Title:
>   qemu-3.1.0-rc0: tcg.c crash in temp_load
>
> Status in QEMU:
>   Fix Committed


I've just opened #1807675 for the new bug.

Thanks!