authorChristian Krinitsin <mail@krinitsin.com>2025-05-30 16:52:07 +0200
committerChristian Krinitsin <mail@krinitsin.com>2025-05-30 16:52:17 +0200
commit9260319e7411ff8281700a532caa436f40120ec4 (patch)
tree2f6bfe5f3458dd49d328d3a9eb508595450adec0 /gitlab/issues_text/target_arm/host_missing/accel_missing
parent225caa38269323af1bfc2daadff5ec8bd930747f (diff)
gitlab scraper: download in toml and text format
Diffstat (limited to 'gitlab/issues_text/target_arm/host_missing/accel_missing')
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/10391
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1051
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/10561
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/107844
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/11031
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/11041
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/11053
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/110942
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/112170
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1122128
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/112391
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/114110
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/114527
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/123023
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1241
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/12451
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/125511
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/12631
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1271
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/12808
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/12971
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/132658
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/132790
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/139972
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/140776
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/140887
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/141589
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/142119
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1424103
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/142584
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1427374
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/143661
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/144442
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/148835
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/14911
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/149385
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/15141
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/155215
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/15751
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/160025
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/16081
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/162739
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/164025
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/16511
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/165733
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1721
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/17611
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/176312
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/177212
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/18029
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/181910
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/182514
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/185029
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1852110
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/187417
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/187829
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/189941
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/190950
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/191319
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/192011
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/193836
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/19483
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/19509
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/196022
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/1981
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/19851
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/199350
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/20531
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/20661
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/20841
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/210655
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2111
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/21201
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/215523
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/221315
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/222656
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/222736
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/22288
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2241
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/227925
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/23001
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/230438
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/230931
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/233345
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/235115
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/235579
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/235615
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/235850
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2361
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/237725
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/238214
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2391
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2471
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/24733
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/24841
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25331
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25361
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/254017
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25461
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25473
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25493
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/255411
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25771
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/258012
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/258843
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/25911
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2595135
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/260444
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/26101
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/262583
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/26361
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/26521
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/26561
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2681
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/26891
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/26989
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/270253
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/27081
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/27151
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2718102
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/27211
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/27251
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/272974
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/273312
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/273424
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/27601
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/279270
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/27973
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/28617
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/28701
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/288615
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/28961
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2898115
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/29105
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/291626
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/291722
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/2921368
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/294421
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/3401
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/3731
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/3861
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4101
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4111
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4471
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4481
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/451
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/45256
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4543
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/45935
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4611
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4671
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4681
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4701
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4721
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4811
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/4821
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/5181
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/5281
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/541
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/5491
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/5501
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/5551
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/611
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/6131
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/6201
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/63332
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/636356
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/63813
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/641
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/6567
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/69019
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/71443
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/7173
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/72514
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/72934
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/73647
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/78912
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/80320
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/8381
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/903355
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/9141
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/92012
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/92220
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/9231
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/9241
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/951
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/95297
-rw-r--r--gitlab/issues_text/target_arm/host_missing/accel_missing/97033
188 files changed, 5451 insertions, 0 deletions
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1039 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1039
new file mode 100644
index 000000000..17962290b
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1039
@@ -0,0 +1 @@
+Building qemu in MSYS2 clangarm64
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/105 b/gitlab/issues_text/target_arm/host_missing/accel_missing/105
new file mode 100644
index 000000000..437741354
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/105
@@ -0,0 +1 @@
+Gdb hangs when trying to single-step after an invalid instruction
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1056 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1056
new file mode 100644
index 000000000..91437af9e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1056
@@ -0,0 +1 @@
+Bad Performance of Windows 11 ARM64 VM on Windows 11 Qemu 7.0 Host System
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1078 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1078
new file mode 100644
index 000000000..3d737eaee
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1078
@@ -0,0 +1,44 @@
+qemu-system-arm: unable to use LPAE
+Description of problem:
+Failed to run qemu: qemu-system-arm: Addressing limited to 32 bits,
+but memory exceeds it by 1073741824 bytes
+Steps to reproduce:
+1. ./configure --target-list=arm-softmmu
+2. make
+3.
+./qemu-system-arm \
+-machine virt,highmem=on \
+-cpu cortex-a15 -smp 4 \
+-m 4096 \
+-kernel ./zImage \
+-drive id=disk0,file=./rootfs.ext4,if=none,format=raw \
+-object rng-random,filename=/dev/urandom,id=rng0 \
+-device virtio-rng-pci,rng=rng0 \
+-device virtio-blk-device,drive=disk0 \
+-device virtio-gpu-pci \
+-serial mon:stdio -serial null \
+-nographic \
+-append 'root=/dev/vda rw mem=4096M ip=dhcp console=ttyAMA0 console=hvc0'
+Additional information:
+We set physical address bits to 40 if ARM_FEATURE_LPAE is enabled. But ARM_FEATURE_V7VE also implies ARM_FEATURE_LPAE as set later in arm_cpu_realizefn.
+
+We should add condition for ARM_FEATURE_V7VE, otherwise we would not be able to use highmem larger than 3GB even though we have enabled highmem, since we would fail and return right from machvirt_init. 
+
+I have already made a patch to fix this issue.
+https://gitlab.com/realhezhe/qemu/-/commit/4dad8167c1c1a7695af88d8929e8d7f6399177de
+`hw/arm/virt.c`
+```c
+        if (object_property_get_bool(cpuobj, "aarch64", NULL)) {
+            pa_bits = arm_pamax(armcpu);
+        } else if (arm_feature(&armcpu->env, ARM_FEATURE_LPAE)) {
+        } else if (arm_feature(&armcpu->env, ARM_FEATURE_LPAE)
+                || arm_feature(&armcpu->env, ARM_FEATURE_V7VE)) {
+            /* v7 with LPAE */
+            pa_bits = 40;
+        } else {
+```
+
+After applying the patch, I can make sure that the pa_bits has already been set to 40, but qemu hangs later. By bisecting I found if the following commit is reverted qemu can boot up successfully..
+39a1fd2528 ("target/arm: Fix handling of LPAE block descriptors")
+
+It can't be quickly determined what's going on here at my side. Maybe the author can help give some hints. Thanks.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1103 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1103
new file mode 100644
index 000000000..0f257a840
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1103
@@ -0,0 +1 @@
+VTCR fields are not checked when building parameters for aarch64 secure EL2 page table walk
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1104 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1104
new file mode 100644
index 000000000..2ea425d41
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1104
@@ -0,0 +1 @@
+PAN support for AArch32
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1105 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1105
new file mode 100644
index 000000000..0f7d4d0d5
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1105
@@ -0,0 +1,3 @@
+QEMU gdbstub should support PAC for aarch64
+Additional information:
+The fix should probably be in gdbstub.c
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1109 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1109
new file mode 100644
index 000000000..1fd78cf1a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1109
@@ -0,0 +1,42 @@
+rpi3b frame buffer segfault
+Description of problem:
+I'm compiling a series of bare metal Raspberry Pi labs for the RPi 3B.  One particular lab that I tried to compile and run, which makes use of the framebuffer, causes QEMU to segfault when trying to draw to the framebuffer.  It looks like the value of `dst` passed into `draw_line_s16` is bogus and this causes the segfault.  I'm not familiar enough with the code in QEMU to immediately know why `dst` is bogus.
+
+The lab I'm trying to run (the code compiled to `kernel8.img`) is here: https://github.com/bztsrc/raspi3-tutorial/tree/master/09_framebuffer
+
+A gdb stacktrace of the segfault is here:
+
+```
+Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault.
+0x00005555559580c0 in rgb_to_pixel32 (b=<optimized out>, g=<optimized out>, r=<optimized out>)
+    at /home/rhett/qemu/include/ui/pixel_ops.h:46
+46	    return (r << 16) | (g << 8) | b;
+(gdb) bt
+#0  0x00005555559580c0 in rgb_to_pixel32 (b=<optimized out>, g=<optimized out>, r=<optimized out>)
+    at /home/rhett/qemu/include/ui/pixel_ops.h:46
+#1  draw_line_src16
+    (opaque=opaque@entry=0x7fffe84d1c30, dst=dst@entry=0x7fffe8235010 <error: Cannot access memory at address 0x7fffe8235010>, src=0x7fff94300004 "", src@entry=0x7fff94300000 "", width=639, width@entry=640, deststep=deststep@entry=0) at ../hw/display/bcm2835_fb.c:131
+#2  0x0000555555953977 in framebuffer_update_display
+    (ds=<optimized out>, mem_section=<optimized out>, cols=640, rows=480, src_width=1280, dest_row_pitch=2560, dest_col_pitch=0, invalidate=1, fn=0x555555957fe0 <draw_line_src16>, opaque=0x7fffe84d1c30, first_row=0x7fffffffdb90, last_row=0x7fffffffdb94)
+    at ../hw/display/framebuffer.c:107
+#3  0x0000555555957eeb in fb_update_display (opaque=0x7fffe84d1c30) at ../hw/display/bcm2835_fb.c:203
+#4  0x00005555558a9146 in graphic_hw_update (con=0x555556b9bc00) at ../ui/console.c:230
+#5  0x00005555558a7fea in dpy_refresh (s=0x5555571c6aa0) at ../ui/console.c:1842
+#6  gui_update (opaque=opaque@entry=0x5555571c6aa0) at ../ui/console.c:165
+#7  0x0000555556068ecd in timerlist_run_timers (timer_list=0x555556b15350) at ../util/qemu-timer.c:576
+#8  timerlist_run_timers (timer_list=0x555556b15350) at ../util/qemu-timer.c:501
+#9  0x00005555560690c0 in qemu_clock_run_timers (type=<optimized out>) at ../util/qemu-timer.c:672
+#10 qemu_clock_run_all_timers () at ../util/qemu-timer.c:672
+#11 0x0000555556064bf6 in main_loop_wait (nonblocking=nonblocking@entry=0) at ../util/main-loop.c:607
+#12 0x0000555555b0a4f9 in qemu_main_loop () at ../softmmu/runstate.c:726
+#13 0x000055555589ec74 in qemu_main (envp=0x0, argv=<optimized out>, argc=<optimized out>) at ../softmmu/main.c:36
+#14 main (argc=<optimized out>, argv=<optimized out>) at ../softmmu/main.c:45
+```
+Steps to reproduce:
+1. Clone the git repo for the labs I linked above
+2. `cd raspi3-tutorial/09_framebuffer`
+3. `make`
+4. `make run`
+5. Segfault
+
+I have found this on QEMU 5.2, QEMU 7.0, and the bleeding edge of the github repo
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1121 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1121
new file mode 100644
index 000000000..26f893652
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1121
@@ -0,0 +1,70 @@
+Segmentation fault in aspeed-hace
+Description of problem:
+
+Steps to reproduce:
+1. run qemu-machine nf5280m7-bmc
+2. it will seg falult when load fitimage
+Additional information:
+Captured by gdb
+
+```
+0x00007ffff6e08a06 in has_padding (pad_offset=<synthetic pointer>, total_msg_len=<synthetic pointer>, req_len=17, total_req_len=56476, iov=0x7ffff5e973c0) at ../hw/misc/aspeed_hace.c:129
+129	       if (padding[*pad_offset] == 0x80) {
+(gdb) p padding_size
+$1 = 45
+(gdb) p *padding_offset
+No symbol "padding_offset" in current context.
+(gdb) p *pad_offset
+$2 = 4294967268
+(gdb) bt
+#0  0x00007ffff6e08a06 in has_padding (pad_offset=<synthetic pointer>, total_msg_len=<synthetic pointer>, req_len=17, total_req_len=56476, 
+    iov=0x7ffff5e973c0) at ../hw/misc/aspeed_hace.c:129
+#1  gen_acc_mode_iov (cache=0x7ffff7fd5600 <iov_cache>, total_req_len=0x7ffff7fd55e4 <total_len>, count=0x7ffff7fd55e0 <count>, 
+    req_len=0x7ffff5e973a8, id=<optimized out>, iov=0x7ffff5e973b0) at ../hw/misc/aspeed_hace.c:176
+#2  do_hash_operation (s=s@entry=0x7ffff60077b0, algo=3, sg_mode=sg_mode@entry=true, acc_mode=acc_mode@entry=true)
+    at ../hw/misc/aspeed_hace.c:235
+#3  0x00007ffff6e09001 in aspeed_hace_write (opaque=<optimized out>, addr=12, data=262488, size=<optimized out>)
+    at ../hw/misc/aspeed_hace.c:372
+#4  0x00007ffff706ad54 in memory_region_write_accessor (mr=mr@entry=0x7ffff6007ad0, addr=48, value=value@entry=0x7ffff5e98548, 
+    size=size@entry=4, shift=<optimized out>, mask=mask@entry=4294967295, attrs=...) at ../softmmu/memory.c:492
+#5  0x00007ffff7068266 in access_with_adjusted_size_aligned (addr=addr@entry=48, value=value@entry=0x7ffff5e98548, size=size@entry=4, 
+    access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=0x7ffff706acd0 <memory_region_write_accessor>, 
+    mr=0x7ffff6007ad0, attrs=...) at ../softmmu/memory.c:553
+#6  0x00007ffff706c948 in memory_region_dispatch_write (mr=mr@entry=0x7ffff6007ad0, addr=addr@entry=48, data=<optimized out>, 
+    data@entry=262488, op=op@entry=MO_32, attrs=...) at ../softmmu/memory.c:1650
+#7  0x00007ffff7157ea9 in io_writex (env=env@entry=0x7ffff5fe7f10, iotlbentry=0x7fff6803f200, mmu_idx=mmu_idx@entry=7, val=val@entry=262488, 
+    addr=addr@entry=510459952, retaddr=retaddr@entry=140736149505328, op=MO_32) at ../accel/tcg/cputlb.c:1429
+#8  0x00007ffff715c7dc in store_helper (op=MO_32, retaddr=140736149505328, oi=<optimized out>, val=262488, addr=510459952, 
+    env=0x7ffff5fe7f10) at ../accel/tcg/cputlb.c:2363
+#9  full_le_stl_mmu (env=0x7ffff5fe7f10, addr=<optimized out>, val=262488, oi=<optimized out>, retaddr=140736149505328)
+    at ../accel/tcg/cputlb.c:2451
+#10 0x00007fffb032c530 in code_gen_buffer ()
+#11 0x00007ffff714eace in cpu_tb_exec (cpu=cpu@entry=0x7ffff5fde1b0, itb=itb@entry=0x7fffb033e7c0 <code_gen_buffer+3401619>, 
+    tb_exit=tb_exit@entry=0x7ffff5e98c2c) at ../accel/tcg/cpu-exec.c:357
+#12 0x00007ffff714fc68 in cpu_loop_exec_tb (tb_exit=0x7ffff5e98c2c, last_tb=<synthetic pointer>, 
+    tb=0x7fffb033e7c0 <code_gen_buffer+3401619>, cpu=0x7ffff5fde1b0) at ../accel/tcg/cpu-exec.c:847
+#13 cpu_exec (cpu=cpu@entry=0x7ffff5fde1b0) at ../accel/tcg/cpu-exec.c:1006
+#14 0x00007ffff7163d54 in tcg_cpus_exec (cpu=cpu@entry=0x7ffff5fde1b0) at ../accel/tcg/tcg-accel-ops.c:68
+#15 0x00007ffff7163ea7 in mttcg_cpu_thread_fn (arg=arg@entry=0x7ffff5fde1b0) at ../accel/tcg/tcg-accel-ops-mttcg.c:96
+#16 0x00007ffff7344c31 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:556
+#17 0x00007ffff74c74eb in start_thread ()
+#18 0x00007ffff75649c0 in clone3 ()
+```
+the uboot: https://github.com/openbmc/u-boot/commit/0f245563c2cb3a6b4f1206db4f1a9f0325406094
+
+we should remove the hash check, otherwise,  the boot will stop at uboot-cli
+```
+diff --git a/common/image-fit.c b/common/image-fit.c
+index 3c8667f93d..c655b297e5 100644
+--- a/common/image-fit.c
++++ b/common/image-fit.c
+@@ -1193,7 +1193,7 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
+                return -1;
+        } else if (memcmp(value, fit_value, value_len) != 0) {
+                *err_msgp = "Bad hash value";
+-               return -1;
++               return 0;
+        }
+ 
+        return 0;
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1122 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1122
new file mode 100644
index 000000000..c47102c5c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1122
@@ -0,0 +1,128 @@
+ARMv7M (Cortex M) NVIC does not make number of priority bits a board/SoC-configurable parameter
+Description of problem:
+In FreeRTOS code for function of `xPortStartScheduler()` in [`main/portable/GCC/ARM_CM4F/port.c`](https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/portable/GCC/ARM_CM4F/port.c#L293) file code sets the value of 0x400 register of NVIC to the maximum bits and expect to read back only maximum priority bits that are supported by the platform. The QEMU code doesn't unset these bits (same 0xff value written is read back):
+```
+NVIC: priority [0x400] = 0x00
+NVIC[NS]: [0x400] -> 0x00000000
+NVIC: priority [0x400] = 0xff
+NVIC[NS]: [0x400] <- 0x000000ff
+nvic_recompute_state NVIC state recomputed: vectpending 0 vectpending_prio 256 exception_prio 256
+NVIC: priority [0x400] = 0x00
+NVIC[NS]: [0x400] -> 0x000000ff
+```
+Logging function for reading and writing added in `hw/intc/armv7_nvic.c` like these:
+writing:
+```c
+    case 0x400 ... 0x5ef: /* NVIC Priority */
+        startvec = (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
+
+        for (i = 0; i < size && startvec + i < s->num_irq; i++) {
+            if (attrs.secure || s->itns[startvec + i]) {
+                qemu_log("NVIC: priority [0x%03x] = 0x%02llx\n", offset, (value >> (i * 8)) & 0xff);
+                set_prio(s, startvec + i, false, (value >> (i * 8)) & 0xff);
+            }
+        }
+        qemu_log("NVIC[%s]: [0x%03x] <- 0x%08llx\n", attrs.secure ? "S" : "NS", offset, value);
+
+        nvic_irq_update(s);
+        goto exit_ok;
+```
+reading:
+```c
+    case 0x400 ... 0x5ef: /* NVIC Priority */
+        val = 0;
+        startvec = offset - 0x400 + NVIC_FIRST_IRQ; /* vector # */
+
+        // TODO: should return either 0x70 or 0x78
+        for (i = 0; i < size && startvec + i < s->num_irq; i++) {
+            qemu_log("NVIC: priority [0x%03x] = 0x%02x\n", offset, 8 * i);
+            if (attrs.secure || s->itns[startvec + i]) {
+                val |= s->vectors[startvec + i].prio << (8 * i);
+            }
+        }
+        qemu_log("NVIC[%s]: [0x%03x] -> 0x%08x\n", attrs.secure ? "S" : "NS", offset, val);
+        break;
+```
+Steps to reproduce:
+1. Run FreeRTOS for any ARMv7 Cortex-M platform with NVIC
+2. Observe failure to proceed to `prvPortStartFirstTask();` function.
+Additional information:
+Here is the piece of standard FreeRTOS code that runs that check:
+```c
+   /* configMAX_SYSCALL_INTERRUPT_PRIORITY must not be set to 0.
+     * See https://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html */
+    configASSERT( configMAX_SYSCALL_INTERRUPT_PRIORITY );
+
+    /* This port can be used on all revisions of the Cortex-M7 core other than
+     * the r0p1 parts.  r0p1 parts should use the port from the
+     * /source/portable/GCC/ARM_CM7/r0p1 directory. */
+    configASSERT( portCPUID != portCORTEX_M7_r0p1_ID );
+    configASSERT( portCPUID != portCORTEX_M7_r0p0_ID );
+
+    #if ( configASSERT_DEFINED == 1 )
+        {
+            volatile uint32_t ulOriginalPriority;
+            volatile uint8_t * const pucFirstUserPriorityRegister = ( volatile uint8_t * const ) ( portNVIC_IP_REGISTERS_OFFSET_16 + portFIRST_USER_INTERRUPT_NUMBER );
+            volatile uint8_t ucMaxPriorityValue;
+
+            /* Determine the maximum priority from which ISR safe FreeRTOS API
+             * functions can be called.  ISR safe functions are those that end in
+             * "FromISR".  FreeRTOS maintains separate thread and ISR API functions to
+             * ensure interrupt entry is as fast and simple as possible.
+             *
+             * Save the interrupt priority value that is about to be clobbered. */
+            ulOriginalPriority = *pucFirstUserPriorityRegister;
+
+            /* Determine the number of priority bits available.  First write to all
+             * possible bits. */
+            *pucFirstUserPriorityRegister = portMAX_8_BIT_VALUE;
+
+            /* Read the value back to see how many bits stuck. */
+            ucMaxPriorityValue = *pucFirstUserPriorityRegister;
+
+            /* Use the same mask on the maximum system call priority. */
+            ucMaxSysCallPriority = configMAX_SYSCALL_INTERRUPT_PRIORITY & ucMaxPriorityValue;
+
+            /* Calculate the maximum acceptable priority group value for the number
+             * of bits read back. */
+            ulMaxPRIGROUPValue = portMAX_PRIGROUP_BITS;
+
+            while( ( ucMaxPriorityValue & portTOP_BIT_OF_BYTE ) == portTOP_BIT_OF_BYTE )
+            {
+                ulMaxPRIGROUPValue--;
+                ucMaxPriorityValue <<= ( uint8_t ) 0x01;
+            }
+
+            #ifdef __NVIC_PRIO_BITS
+                {
+                    /* Check the CMSIS configuration that defines the number of
+                     * priority bits matches the number of priority bits actually queried
+                     * from the hardware. */
+                    configASSERT( ( portMAX_PRIGROUP_BITS - ulMaxPRIGROUPValue ) == __NVIC_PRIO_BITS );
+                }
+            #endif
+
+            #ifdef configPRIO_BITS
+                {
+                    /* Check the FreeRTOS configuration that defines the number of
+                     * priority bits matches the number of priority bits actually queried
+                     * from the hardware. */
+                    configASSERT( ( portMAX_PRIGROUP_BITS - ulMaxPRIGROUPValue ) == configPRIO_BITS );
+                }
+            #endif
+
+            /* Shift the priority group value back to its position within the AIRCR
+             * register. */
+            ulMaxPRIGROUPValue <<= portPRIGROUP_SHIFT;
+            ulMaxPRIGROUPValue &= portPRIORITY_GROUP_MASK;
+
+            /* Restore the clobbered interrupt priority register to its original
+             * value. */
+            *pucFirstUserPriorityRegister = ulOriginalPriority;
+        }
+    #endif /* configASSERT_DEFINED */
+```
+
+See also these pages:
+- https://www.freertos.org/RTOS-Cortex-M3-M4.html
+- https://www.freertos.org/freertos-on-qemu-mps2-an385-model.html
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1123 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1123
new file mode 100644
index 000000000..8e960cf38
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1123
@@ -0,0 +1,91 @@
+Xilinx ZynqMP CAN controller logical error - mixed RX and TX channels
+Description of problem:
+In the code of CAN controller of Xilinx ZynqMP board (`hw/net/can/xlnx-zynqmp-can.c`) in function `update_rx_fifo()` there seems to be a typo or logical error mixing RX and TX buffers:
+```c
+    /* Store the message in fifo if it passed through any of the filters. */
+    if (filter_pass && frame->can_dlc <= MAX_DLC) {
+
+        if (fifo32_is_full(&s->rx_fifo)) {
+            ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOFLW, 1);
+        } else {
+            timestamp = CAN_TIMER_MAX - ptimer_get_count(s->can_timer);
+
+            fifo32_push(&s->rx_fifo, frame->can_id);
+
+            fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DLC_DLC_SHIFT,
+                                               R_RXFIFO_DLC_DLC_LENGTH,
+                                               frame->can_dlc) |
+                                     deposit32(0, R_RXFIFO_DLC_RXT_SHIFT,
+                                               R_RXFIFO_DLC_RXT_LENGTH,
+                                               timestamp));
+
+            /* First 32 bit of the data. */
+            fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA1_DB3_SHIFT,
+                                               R_TXFIFO_DATA1_DB3_LENGTH,
+                                               frame->data[0]) |
+                                     deposit32(0, R_TXFIFO_DATA1_DB2_SHIFT,
+                                               R_TXFIFO_DATA1_DB2_LENGTH,
+                                               frame->data[1]) |
+                                     deposit32(0, R_TXFIFO_DATA1_DB1_SHIFT,
+                                               R_TXFIFO_DATA1_DB1_LENGTH,
+                                               frame->data[2]) |
+                                     deposit32(0, R_TXFIFO_DATA1_DB0_SHIFT,
+                                               R_TXFIFO_DATA1_DB0_LENGTH,
+                                               frame->data[3]));
+```
+Additional information:
+Possible fix:
+```diff
+ git diff                                                                                                                                                                                              12:29:23
+diff --git a/hw/net/can/xlnx-zynqmp-can.c b/hw/net/can/xlnx-zynqmp-can.c
+index 82ac48cee2..e93e6c5e19 100644
+--- a/hw/net/can/xlnx-zynqmp-can.c
++++ b/hw/net/can/xlnx-zynqmp-can.c
+@@ -696,30 +696,30 @@ static void update_rx_fifo(XlnxZynqMPCANState *s, const qemu_can_frame *frame)
+                                                timestamp));
+
+             /* First 32 bit of the data. */
+-            fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA1_DB3_SHIFT,
+-                                               R_TXFIFO_DATA1_DB3_LENGTH,
++            fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DATA1_DB3_SHIFT,
++                                               R_RXFIFO_DATA1_DB3_LENGTH,
+                                                frame->data[0]) |
+-                                     deposit32(0, R_TXFIFO_DATA1_DB2_SHIFT,
+-                                               R_TXFIFO_DATA1_DB2_LENGTH,
++                                     deposit32(0, R_RXFIFO_DATA1_DB2_SHIFT,
++                                               R_RXFIFO_DATA1_DB2_LENGTH,
+                                                frame->data[1]) |
+-                                     deposit32(0, R_TXFIFO_DATA1_DB1_SHIFT,
+-                                               R_TXFIFO_DATA1_DB1_LENGTH,
++                                     deposit32(0, R_RXFIFO_DATA1_DB1_SHIFT,
++                                               R_RXFIFO_DATA1_DB1_LENGTH,
+                                                frame->data[2]) |
+-                                     deposit32(0, R_TXFIFO_DATA1_DB0_SHIFT,
+-                                               R_TXFIFO_DATA1_DB0_LENGTH,
++                                     deposit32(0, R_RXFIFO_DATA1_DB0_SHIFT,
++                                               R_RXFIFO_DATA1_DB0_LENGTH,
+                                                frame->data[3]));
+             /* Last 32 bit of the data. */
+-            fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA2_DB7_SHIFT,
+-                                               R_TXFIFO_DATA2_DB7_LENGTH,
++            fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DATA2_DB7_SHIFT,
++                                               R_RXFIFO_DATA2_DB7_LENGTH,
+                                                frame->data[4]) |
+-                                     deposit32(0, R_TXFIFO_DATA2_DB6_SHIFT,
+-                                               R_TXFIFO_DATA2_DB6_LENGTH,
++                                     deposit32(0, R_RXFIFO_DATA2_DB6_SHIFT,
++                                               R_RXFIFO_DATA2_DB6_LENGTH,
+                                                frame->data[5]) |
+-                                     deposit32(0, R_TXFIFO_DATA2_DB5_SHIFT,
+-                                               R_TXFIFO_DATA2_DB5_LENGTH,
++                                     deposit32(0, R_RXFIFO_DATA2_DB5_SHIFT,
++                                               R_RXFIFO_DATA2_DB5_LENGTH,
+                                                frame->data[6]) |
+-                                     deposit32(0, R_TXFIFO_DATA2_DB4_SHIFT,
+-                                               R_TXFIFO_DATA2_DB4_LENGTH,
++                                     deposit32(0, R_RXFIFO_DATA2_DB4_SHIFT,
++                                               R_RXFIFO_DATA2_DB4_LENGTH,
+                                                frame->data[7]));
+
+             ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOK, 1);
+```
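Review bot: The new text file carries no provenance: line 1 is the bare issue title, and nothing in the body gives the issue URL, its state, or the QEMU version the report was made against. The other files added by this commit have the same shape. The gap matters most for the guest-triggerable crash reports in 1407 and 1408, where a reader cannot tell which release the qtest reproducer applies to or whether it has since been fixed. Unless the toml counterpart is meant to be the only place for that data, I would have the scraper emit a short header such as `Source: https://gitlab.com/qemu-project/qemu/-/issues/1123`, plus state and reported version where the API returns them. Separately, the ` git diff … 12:29:23` prompt line inside the diff fence is terminal residue with a long run of trailing spaces; stripping trailing whitespace on write would keep these files clean.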
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1141 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1141
new file mode 100644
index 000000000..f9a37b4d6
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1141
@@ -0,0 +1,10 @@
+virtio-gpu-gl-pci not working with arm/aarch64
+Description of problem:
+Since migration to using virtio-gpu-gl-pci instead of virtio-gpu-pci (commit 17cdac0b51bc4ad7a68c3e5e0b1718729b74d512, used git-bisect to find the problem) my arm guests fail to load. If I use -device virtio-gpu-gl-pci, I don't get any image on the virtual guest screen. If I use -device virtio-gpu-pci, I can boot the guest and get the image, but GL acceleration is not working. Changing sdl to gtk doesn't help.
+Steps to reproduce:
+1. Download debian netinstall boot iso for arm (https://cdimage.debian.org/debian-cd/current/armhf/iso-cd/debian-11.4.0-armhf-netinst.iso)
+2. Copy edk2-arm-code.fd and edk2-arm-vars.fd files from build dir.
+3. Run command line ```qemu-system-arm -machine virt -m 512 -cdrom debian.iso -device virtio-gpu-gl-pci -display sdl,gl=on,show-cursor=on -pflash edk2-arm-code.fd -pflash edk2-arm-vars.fd```, get a black virtual screen.
+4. Run command line ```qemu-system-arm -machine virt -m 512 -cdrom debian.iso -device virtio-gpu-pci -display sdl,gl=on,show-cursor=on -pflash edk2-arm-code.fd -pflash edk2-arm-vars.fd```, get an image on the virtual screen.
+Additional information:
+I have an x86_64 guest which uses virgl, and it runs fine after 17cdac0b51bc4ad7a68c3e5e0b1718729b74d512 with only changing virtio-gpu-pci to virtio-gpu-gl-pci
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1145 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1145
new file mode 100644
index 000000000..40bfd02bb
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1145
@@ -0,0 +1,27 @@
+Support register name resolution in debugger part of monitor for `x` commands for ARM platforms
+Additional information:
+From the looks of `get_monitor_def()` function from `monitor/misc.c` it seems to be cross-target but somehow still doesn't work for some targets anyway.
+
+Then grepping for the actual target implementation, it seems only i386, PPC, SPARC, and M68K support it, but nor ARM, MIPS, RISC V, etc:
+```
+[i] ℤ rg monitor_defs                                                                                                                                                                                       
+target/sparc/monitor.c
+59:const MonitorDef monitor_defs[] = {
+162:const MonitorDef *target_monitor_defs(void)
+164:    return monitor_defs;
+
+target/ppc/monitor.c
+86:const MonitorDef monitor_defs[] = {
+102:const MonitorDef *target_monitor_defs(void)
+104:    return monitor_defs;
+
+target/i386/monitor.c
+611:const MonitorDef monitor_defs[] = {
+647:const MonitorDef *target_monitor_defs(void)
+649:    return monitor_defs;
+
+target/m68k/monitor.c
+25:static const MonitorDef monitor_defs[] = {
+59:const MonitorDef *target_monitor_defs(void)
+61:    return monitor_defs;
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1230 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1230
new file mode 100644
index 000000000..3d412e233
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1230
@@ -0,0 +1,23 @@
+qtest-aarch64/migration-test non-deterministic test failure
+Description of problem:
+The test suite fails:
+```
+Summary of Failures:
+
+ 32/619 qemu:qtest+qtest-aarch64 / qtest-aarch64/migration-test                   ERROR          161.19s   killed by signal 6 SIGABRT
+
+
+Ok:                 552 
+Expected Fail:      0   
+Fail:               1   
+Unexpected Pass:    0   
+Skipped:            66  
+Timeout:            0   
+
+Full log written to /tmp/guix-build-qemu-7.1.0.drv-0/qemu-7.1.0/b/qemu/meson-logs/testlog.txt
+make: *** [Makefile.mtest:25: do-meson-check] Error 1
+```
+
+See the full build log below.
+Additional information:
+[qt60pm4fcc63jcbwfgz86z6cwqgx4zgm-qemu-7.1.0.txt.gz](/uploads/6d7f0da152193213a7fe694e2d535879/qt60pm4fcc63jcbwfgz86z6cwqgx4zgm-qemu-7.1.0.txt.gz)
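Review bot: The attachment link on the last line is stored as a project-relative path (`/uploads/6d7f0da152193213a7fe694e2d535879/…`), so the "full build log" the text points to cannot be located from this file alone. The same relative form appears in 1255, 1280 and 1326. Rewriting such links against the project base when the text is written, e.g. `https://gitlab.com/qemu-project/qemu/uploads/<hash>/<file>`, would keep the reference resolvable. Whether the scraper is also meant to fetch the attachments is not visible in this diff.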
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/124 b/gitlab/issues_text/target_arm/host_missing/accel_missing/124
new file mode 100644
index 000000000..6a98bd5f1
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/124
@@ -0,0 +1 @@
+SIGSEGV when reading ARM GIC registers through GDB stub
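Review bot: This file holds only the issue title, with none of the `Description of problem:`, `Steps to reproduce:` or `Additional information:` sections that the other files carry; 1245, 1263, 127 and 1297 are the same. If those issues have a body that does not follow the bug template, the scraper appears to be dropping it, which leaves a one-line record for a crash report such as this SIGSEGV through the GDB stub. I would fall back to writing the raw description when no template heading matches, or at least log the issue ids that produced a title-only file so they can be checked by hand.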
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1245 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1245
new file mode 100644
index 000000000..3f0cbbf4f
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1245
@@ -0,0 +1 @@
+arm: cp15 support
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1255 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1255
new file mode 100644
index 000000000..438f1af46
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1255
@@ -0,0 +1,11 @@
+32bit qemu-arm fails to run systemctl "Allocating guest commpage: Cannot allocate memory"
+Description of problem:
+I am using a bare minimal install of the latest 32 bit version of debian with only ssh installed. I have compiled qemu from the latest git with "./configure --target-list=arm-linux-user --static --disable-pie". When I try to run systemctl from the latest version of raspbian, I experience the error: "Allocating guest commpage: Cannot allocate memory".
+Steps to reproduce:
+1. Download and extract the included systemctl and required libs. [systemctl+libs.tgz](/uploads/a2834ed651a981fded4bcc19ea9ca31b/systemctl+libs.tgz)
+2. run "qemu-arm -L ./ systemctl --version"
+Additional information:
+- I think this is related to [Issue 690](https://gitlab.com/qemu-project/qemu/-/issues/690).
+- When I run "qemu-arm -L ./ -B 0x20000 systemctl --version" there is no error.
+- The error still happens when setting vm.mmap_min_addr to 0.
+- The error does not occur on v5.0.0, but does occur on v5.1.0 and v6.1.0.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1263 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1263
new file mode 100644
index 000000000..831ea183d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1263
@@ -0,0 +1 @@
+arm/imx EPIT timer interrupt does not fire properly on sabrelight
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/127 b/gitlab/issues_text/target_arm/host_missing/accel_missing/127
new file mode 100644
index 000000000..7d5855459
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/127
@@ -0,0 +1 @@
+linux-user missing cmsg IP_PKTINFO support ("Unsupported ancillary data: 0/8")
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1280 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1280
new file mode 100644
index 000000000..a32e7733b
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1280
@@ -0,0 +1,8 @@
+qemu-system-arm 7.1 can not boot my cortex-m55 image
+Steps to reproduce:
+```
+1.qemu-system-arm -cpu cortex-m55 -machine mps3-an547 -nographic -vga none -monitor none -semihosting -semihosting-config enable=on,target=native -kernel qemu_simu.elf
+2.arm-none-eabi-gdb -ex "target extended-remote localhost:1234" qemu_simu.elf
+```
+Additional information:
+[qemu_simu.tar.gz](/uploads/b8b3bf0f4868fdbb22b19027f685b4f0/qemu_simu.tar.gz)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1297 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1297
new file mode 100644
index 000000000..812e914b3
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1297
@@ -0,0 +1 @@
+qemu: fatal: Lockup: can't escalate 3 to HardFault (current priority -1)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1326 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1326
new file mode 100644
index 000000000..f8e3cec76
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1326
@@ -0,0 +1,58 @@
+qemu-system-aarch64: piix3 or ehci usb controller and usb kbd don't work
+Description of problem:
+the usb device initialization failed in vm, and  can not input in vnc console 
+
+message for virtual machine:
+
+```
+root@localhost ~]# dmesg | grep -i usb
+[    0.925798] ACPI: bus type USB registered
+[    0.927204] usbcore: registered new interface driver usbfs
+[    0.928980] usbcore: registered new interface driver hub
+[    0.930746] usbcore: registered new device driver usb
+[    2.329004] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
+[    2.332659] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
+[    2.336069] uhci_hcd: USB Universal Host Controller Interface driver
+[    2.342659] uhci_hcd 0000:02:02.0: new USB bus registered, assigned bus number 1
+[    2.348905] usb usb1: New USB device found, idVendor=1d6b, idProduct=0001, bcdDevice= 4.18
+[    2.352268] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
+[    2.354598] usb usb1: Product: UHCI Host Controller
+[    2.356194] usb usb1: Manufacturer: Linux 4.18.0-305.3.1.el8.aarch64 uhci_hcd
+[    2.358474] usb usb1: SerialNumber: 0000:02:02.0
+[    2.360228] hub 1-0:1.0: USB hub found
+[    2.363347] usbcore: registered new interface driver usbserial_generic
+[    2.365456] usbserial: USB Serial support registered for generic
+[    2.384154] usbcore: registered new interface driver usbhid
+[    2.385962] usbhid: USB HID core driver
+[    2.730277] usb 1-1: new full-speed USB device number 2 using uhci_hcd
+[   18.509908] usb 1-1: device descriptor read/64, error -110
+[   34.509908] usb 1-1: device descriptor read/64, error -110
+[   34.779906] usb 1-1: new full-speed USB device number 3 using uhci_hcd
+[   50.509910] usb 1-1: device descriptor read/64, error -110
+[   66.509907] usb 1-1: device descriptor read/64, error -110
+[   66.629982] usb usb1-port1: attempt power cycle
+[   67.119904] usb 1-1: new full-speed USB device number 4 using uhci_hcd
+[   78.079921] usb 1-1: device not accepting address 4, error -110
+[   78.229962] usb 1-1: new full-speed USB device number 5 using uhci_hcd
+[   89.079917] usb 1-1: device not accepting address 5, error -110
+[   89.082006] usb usb1-port1: unable to enumerate USB device
+[   89.229908] usb 1-2: new full-speed USB device number 6 using uhci_hcd
+[  105.009910] usb 1-2: device descriptor read/64, error -110
+[  121.009910] usb 1-2: device descriptor read/64, error -110
+[  121.279907] usb 1-2: new full-speed USB device number 7 using uhci_hcd
+[  137.009910] usb 1-2: device descriptor read/64, error -110
+[  153.009925] usb 1-2: device descriptor read/64, error -110
+[  153.129984] usb usb1-port2: attempt power cycle
+[  153.619917] usb 1-2: new full-speed USB device number 8 using uhci_hcd
+[  164.579912] usb 1-2: device not accepting address 8, error -110
+[  164.729913] usb 1-2: new full-speed USB device number 9 using uhci_hcd
+[  175.329921] usb 1-2: device not accepting address 9, error -110
+[  175.331973] usb usb1-port2: unable to enumerate USB device
+```
+Steps to reproduce:
+1.  ./configure
+2. make -j60
+3.virsh create vm.xml
+[vm.xml](/uploads/9f946b3637f68c9cd029dfb650f5bd57/vm.xml)
+Additional information:
+the commit "1c2cb7e0b3" cause the problem, but i don't know the reason
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1327 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1327
new file mode 100644
index 000000000..5c86b640e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1327
@@ -0,0 +1,90 @@
+vhost-user-test outputs scary messages
+Description of problem:
+The qos-test seems to output failure messages when run in verbose mode, see e.g.:
+
+https://gitlab.com/qemu-project/qemu/-/jobs/3340919275#L5615
+
+```
+――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
+stderr:
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: -chardev socket,id=chr-reconnect,path=/tmp/vhost-test-9B51V1/reconnect.sock,server=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-9B51V1/reconnect.sock,server=on
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: -chardev socket,id=chr-connect-fail,path=/tmp/vhost-test-49UUV1/connect-fail.sock,server=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-49UUV1/connect-fail.sock,server=on
+qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: Failed to read msg header. Read 0 instead of 12. Original request 1.
+qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: vhost_backend_init failed: Protocol error
+qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: failed to init vhost_net for queue 0
+qemu-system-aarch64: -netdev vhost-user,id=hs0,chardev=chr-connect-fail,vhostforce=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-49UUV1/connect-fail.sock,server=on
+qemu-system-aarch64: Failed to write msg. Wrote -1 instead of 20.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: -chardev socket,id=chr-flags-mismatch,path=/tmp/vhost-test-LTKOV1/flags-mismatch.sock,server=on: info: QEMU waiting for connection on: disconnected:unix:/tmp/vhost-test-LTKOV1/flags-mismatch.sock,server=on
+qemu-system-aarch64: Failed to write msg. Wrote -1 instead of 52.
+qemu-system-aarch64: vhost_set_mem_table failed: Invalid argument (22)
+qemu-system-aarch64: unable to start vhost net: 22: falling back on userspace virtio
+vhost lacks feature mask 0x40000000 for backend
+qemu-system-aarch64: failed to init vhost_net for queue 0
+qemu-system-aarch64: Failed to write msg. Wrote -1 instead of 20.
+qemu-system-aarch64: vhost_set_vring_num failed: Invalid argument (22)
+qemu-system-aarch64: unable to start vhost net: 22: falling back on userspace virtio
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 2 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 3 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_endian failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 0 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost VQ 1 ring restore failed: -22: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_call failed: Invalid argument (22)
+qemu-system-aarch64: Failed to set msg fds.
+qemu-system-aarch64: vhost_set_vring_call failed: Invalid argument (22)
+――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1399 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1399
new file mode 100644
index 000000000..fc0dcd7f6
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1399
@@ -0,0 +1,72 @@
+Early faults when direct booting large Linux kernel images on x86_64 and aarch64 guests.
+Description of problem:
+When attempting to load a Linux kernel image for direct boot via the `-kernel` command line option, a triple fault occurs shortly after attempting to hand off execution to the kernel if the kernel image is ‘large’ in size (this can be easily reproduced with a custom kernel build by embedding an initramfs in the kernel that includes a few large but mostly incompressible files). I’m not certain of the exact cutoff, but a 75 MB kernel image on x86_64, and a 67 MB kernel image on AArch64 both exhibit the issue, while a 13 MB kernel image on x86_64 does not.
+Steps to reproduce:
+1. Attempt to direct boot an exceptionally large kernel image as an x86_64 or aarch64 guest.
+Additional information:
+I have not yet been able to track down exactly where the initial fault is happening, and am not even certain that it’s in Linux’s early boot code, but the fact that this is reproducible across multiple architectures and is unaffected by things like KASLR and the exact compression algorithm for the guest kernel suggests to me that it’s more likely to be an issue in QEMU’s loader code for direct kernel boot than in the Linux kernel itself.
+
+Running on x86_64, the initial fault appears to be a general protection fault, followed by a double and then triple fault. Output from running QEMU as above with `-d int,guest_error -no-reboot’:
+
+```
+check_exception old: 0xffffffff new 0xd
+     0: v=0d e=0000 i=0 cpl=0 IP=0010:000000000789f7f0 pc=000000000789f7f0 SP=0018:00000000078e6fd8 env->regs[R_EAX]=0000000000000000
+RAX=0000000000000000 RBX=6fb84fe3052f53e2 RCX=00000000fb600000 RDX=00000000078fbed0
+RSI=00000000078f6000 RDI=00000000078e80e0 RBP=00000000078e80e0 RSP=00000000078e6fd8
+R8 =00000000078fb000 R9 =00000000fb600000 R10=000fffffffe00000 R11=0000000000000000
+R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
+RIP=000000000789f7f0 RFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
+ES =0000 0000000000000000 00000000 00000000
+CS =0010 0000000000000000 ffffffff 00af9a00 DPL=0 CS64 [-R-]
+SS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
+DS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
+FS =0000 0000000000000000 00000000 00000000
+GS =0000 0000000000000000 00000000 00000000
+LDT=0000 0000000000000000 00000000 00008200 DPL=0 LDT
+TR =0020 0000000000000000 00000fff 00808900 DPL=0 TSS64-avl
+GDT=     00000000078b1030 0000002f
+IDT=     00000000078b1070 000001ff
+CR0=80050033 CR2=6fb84fe3052f53ee CR3=00000000078f6000 CR4=00000020
+DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
+DR6=00000000ffff0ff0 DR7=0000000000000400
+CCS=0000000000000018 CCD=6fb84fe3052f53e2 CCO=LOGICQ
+EFER=0000000000000500
+check_exception old: 0xd new 0xd
+     1: v=08 e=0000 i=0 cpl=0 IP=0010:000000000789f7f0 pc=000000000789f7f0 SP=0018:00000000078e6fd8 env->regs[R_EAX]=0000000000000000
+RAX=0000000000000000 RBX=6fb84fe3052f53e2 RCX=00000000fb600000 RDX=00000000078fbed0
+RSI=00000000078f6000 RDI=00000000078e80e0 RBP=00000000078e80e0 RSP=00000000078e6fd8
+R8 =00000000078fb000 R9 =00000000fb600000 R10=000fffffffe00000 R11=0000000000000000
+R12=0000000000000000 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
+RIP=000000000789f7f0 RFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
+ES =0000 0000000000000000 00000000 00000000
+CS =0010 0000000000000000 ffffffff 00af9a00 DPL=0 CS64 [-R-]
+SS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
+DS =0018 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
+FS =0000 0000000000000000 00000000 00000000
+GS =0000 0000000000000000 00000000 00000000
+LDT=0000 0000000000000000 00000000 00008200 DPL=0 LDT
+TR =0020 0000000000000000 00000fff 00808900 DPL=0 TSS64-avl
+GDT=     00000000078b1030 0000002f
+IDT=     00000000078b1070 000001ff
+CR0=80050033 CR2=6fb84fe3052f53ee CR3=00000000078f6000 CR4=00000020
+DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
+DR6=00000000ffff0ff0 DR7=0000000000000400
+CCS=0000000000000018 CCD=6fb84fe3052f53e2 CCO=LOGICQ
+EFER=0000000000000500
+check_exception old: 0x8 new 0xd
+```
+
+Running on AArch64, the emulated CPU gets stuck in a loop trying to handle ‘exception 5’, showing the following output when run as above with `-d int, guest_error -no-reboot`, repeated infinitely until the emulator gets killed:
+
+```
+Taking exception 5 [IRQ] on CPU 0
+...from EL1 to EL1
+...with ESR 0x15/0x56000000
+...with ELR 0xffffffef0dee4098
+...to EL1 PC 0xffffffef0d810a80 PSTATE 0x3c5
+Exception return from AArch64 EL1 to AArch64 EL1 PC 0xffffffef0dee4098
+```
+
+I have also attempted to reproduce this on 64-bit little-endian POWER using qemu-system-ppc64 and an equivalent kernel config, and was _not_ able to reproduce it there with a 69 MB kernel image.
+
+I can provide Linux kernel configs for the affected kernels upon request, but am not (currently) able to provide full system images (the project I was working on when I came across this is not yet public).
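Review bot: This report is filed only under `target_arm/`, although its title and body say the fault reproduces on both x86_64 and aarch64 guests, so a query over the x86 part of the tree would presumably miss it. The classification logic is not visible in this diff; if it picks a single target per issue, consider recording every target in the file itself, e.g. a header line `Targets: x86_64, aarch64`. That would keep multi-architecture loader bugs like this one discoverable from either side.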
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1407 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1407
new file mode 100644
index 000000000..f73a860d0
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1407
@@ -0,0 +1,76 @@
+Assertion failure in fimd_update_memory_section()
+Description of problem:
+It seems the frame buffer is not properly initialized before usage.
+Steps to reproduce:
+```
+export QEMU=/path/to/qemu-system-arm
+
+cat << EOF | $QEMU \
+-machine smdkc210 -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+writel 0x11c00020 0x3454d403
+writel 0x11c00000 0x61988eaf
+EOF
+```
+Additional information:
+```
+==13250==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x5590b12d2240). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 3376651198
+INFO: Loaded 1 modules   (583356 inline 8-bit counters): 583356 [0x5590b4672000, 0x5590b47006bc), 
+INFO: Loaded 1 PC tables (583356 PCs): 583356 [0x5590b3d8b3b0,0x5590b4671f70), 
+/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+Matching objects by name , *exynos4210.fimd*
+This process will fuzz the following MemoryRegions:
+  * exynos4210.fimd[0] (size 4114)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * exynos4210.fimd, EVENT_TYPE_MMIO_READ, 0x11c00000 +0x4114, 4,4
+  * exynos4210.fimd, EVENT_TYPE_MMIO_WRITE, 0x11c00000 +0x4114, 4,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 227Mb
+Running: poc-qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd-crash-eda3de9b6941dd8c14e22959b56dbe5d8d07dae3
+qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd: ../hw/display/exynos4210_fimd.c:1152: void fimd_update_memory_section(Exynos4210fimdState *, unsigned int): Assertion `w->mem_section.mr' failed.
+==13250== ERROR: libFuzzer: deadly signal
+    #0 0x5590acce30ee in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
+    #1 0x5590acc31d61 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
+    #2 0x5590acc0ac96 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18
+    #3 0x5590acc0ad62 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1
+    #4 0x5590acc0ad62 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19
+    #5 0x7f9ed33c741f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
+    #6 0x7f9ed31d900a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #7 0x7f9ed31d900a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #8 0x7f9ed31b8858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
+    #9 0x7f9ed31b8728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
+    #10 0x7f9ed31c9fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
+    #11 0x5590ad56dce3 in fimd_update_memory_section /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/exynos4210_fimd.c:1152:5
+    #12 0x5590ad565fb7 in exynos4210_fimd_enable /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/exynos4210_fimd.c:1198:13
+    #13 0x5590ad5590a3 in exynos4210_fimd_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/exynos4210_fimd.c:1387:13
+    #14 0x5590b03e7bc3 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:493:5
+    #15 0x5590b03e7501 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18
+    #16 0x5590b03e5e26 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1515:16
+    #17 0x5590b047669e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2825:23
+    #18 0x5590b046444b in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2867:12
+    #19 0x5590b0463f08 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2963:18
+    #20 0x5590acd23d38 in qemu_writel /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1096:5
+    #21 0x5590acd220a3 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1245:28
+    #22 0x5590b12cd6bf in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5
+    #23 0x5590b12c4a3d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9
+    #24 0x5590b12c47e4 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9
+    #25 0x5590acd2b07c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12
+    #26 0x5590b12d250b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18
+    #27 0x5590acc0b806 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #28 0x5590acbee434 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #29 0x5590acbf93de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #30 0x5590acbe59c6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #31 0x7f9ed31ba082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #32 0x5590acbe5a1d in _start (/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-arm-target-videzzo-fuzz-exynos4210-fimd+0x31cea1d)
+
+NOTE: libFuzzer has rudimentary signal handlers.
+      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
+SUMMARY: libFuzzer: deadly signal
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1408 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1408
new file mode 100644
index 000000000..f07cb933e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1408
@@ -0,0 +1,87 @@
+Out of bounds in imx_usbphy_read()
+Description of problem:
+The size of the memory region of imx-usb-phy is 0x1000.
+
+```
+memory_region_init_io(&s->iomem, OBJECT(s), &imx_usbphy_ops, s,
+                          "imx-usbphy", 0x1000);
+```
+
+A read to s->usbphy[33] will easily overflow.
+
+```
+static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, unsigned size)
+{
+    // ...
+    default:
+        value = s->usbphy[index];
+        break;
+    }
+```
+
+Maybe we should drop this read in default branch.
+Steps to reproduce:
+```
+export QEMU=/path/to/qemu-system-arm
+
+cat << EOF | $QEMU \
+-machine sabrelite -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+readl 0x20c9870
+EOF
+```
+Additional information:
+```
++ DEFAULT_INPUT_MAXSIZE=10000000
++ ./qemu-videzzo-arm-target-videzzo-fuzz-imx-usb-phy -max_len=10000000 -detect_leaks=0 ./crash-2f5e9c8ec69dd69f8db69aaa84dde878482b8690.minimized
+==14370==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x561837db1240). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 1679742864
+INFO: Loaded 1 modules   (583356 inline 8-bit counters): 583356 [0x56183b151000, 0x56183b1df6bc),
+INFO: Loaded 1 PC tables (583356 PCs): 583356 [0x56183a86a3b0,0x56183b150f70),
+./qemu-videzzo-arm-target-videzzo-fuzz-imx-usb-phy: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+Matching objects by name , *imx-usbphy*
+This process will fuzz the following MemoryRegions:
+  * imx-usbphy[0] (size 1000)
+  * imx-usbphy[0] (size 1000)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * imx-usbphy, EVENT_TYPE_MMIO_READ, 0x20c9000 +0x1000, 4,4
+  * imx-usbphy, EVENT_TYPE_MMIO_WRITE, 0x20c9000 +0x1000, 4,4
+  * imx-usbphy, EVENT_TYPE_MMIO_READ, 0x20ca000 +0x1000, 4,4
+  * imx-usbphy, EVENT_TYPE_MMIO_WRITE, 0x20ca000 +0x1000, 4,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 222Mb
+Running: ./crash-2f5e9c8ec69dd69f8db69aaa84dde878482b8690.minimized
+../hw/usb/imx-usb-phy.c:93:17: runtime error: index 540 out of bounds for type 'uint32_t [33]'
+    #0 0x5618357ddb2a in imx_usbphy_read /root/videzzo/videzzo_qemu/qemu/out-san/../hw/usb/imx-usb-phy.c:93:17
+    #1 0x561836f07a0b in memory_region_read_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:441:11
+    #2 0x561836ec6501 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18
+    #3 0x561836ec38cc in memory_region_dispatch_read1 /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1425:16
+    #4 0x561836ec3008 in memory_region_dispatch_read /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1458:9
+    #5 0x561836f415ad in flatview_read_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2892:23
+    #6 0x561836f42bb8 in flatview_read /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2934:12
+    #7 0x561836f42678 in address_space_read_full /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2947:18
+    #8 0x5618337f4b41 in address_space_read /root/videzzo/videzzo_qemu/qemu/include/exec/memory.h:2873:18
+    #9 0x5618337f4b41 in qemu_readl /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1037:5
+    #10 0x5618337f2c06 in dispatch_mmio_read /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1051:35
+    #11 0x561837dac6bf in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5
+    #12 0x561837da3a3d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9
+    #13 0x561837da37e4 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9
+    #14 0x56183380a07c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12
+    #15 0x561837db150b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18
+    #16 0x5618336ea806 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #17 0x5618336cd434 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #18 0x5618336d83de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #19 0x5618336c49c6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #20 0x7f74d2914082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #21 0x5618336c4a1d in _start (/root/bugs/metadata/imx_usb_phy-00/qemu-videzzo-arm-target-videzzo-fuzz-imx-usb-phy+0x31cea1d)
+
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/usb/imx-usb-phy.c:93:17 in
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+0x0,0x8,0x70,0x98,0xc,0x2,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,
+\x00\x08p\x98\x0c\x02\x00\x00\x00\x00\x04\x00\x00\x00
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1415 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1415
new file mode 100644
index 000000000..e97c1cb49
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1415
@@ -0,0 +1,89 @@
+Abort in xlnx_dp_change_graphic_fmt()
+Description of problem:
+xlnx_dp_change_graphic_fmt() will directly abort if either graphic format or the
+video format is not supported.
+
+Replacing abort() in xlnx_dp_change_graphic_fmt() to `return` might be OK but I
+am not sure what side effect there is.
+Steps to reproduce:
+```
+export QEMU=/path/to/to/qemu-system-aarch64
+
+cat << EOF | $QEMU \
+-machine xlnx-zcu102 -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+writel 0xfd4ab000 0xcf6e998
+EOF
+```
+Additional information:
+```
+==20455==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x564934146c90). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 4022227410
+INFO: Loaded 1 modules   (618619 inline 8-bit counters): 618619 [0x5649372a5000, 0x56493733c07b), 
+INFO: Loaded 1 PC tables (618619 PCs): 618619 [0x564936933f40,0x5649372a46f0), 
+./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
+Matching objects by name , *.core*, *.v_blend*, *.av_buffer_manager*, *.audio*
+This process will fuzz the following MemoryRegions:
+  * xlnx.v-dp.audio[0] (size 50)
+  * xlnx.v-dp.av_buffer_manager[0] (size 238)
+  * xlnx.v-dp.core[0] (size 3b0)
+  * xlnx.v-dp.v_blend[0] (size 1e0)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * xlnx.v-dp.core, EVENT_TYPE_MMIO_READ, 0xfd4a0000 +0x3b0, 4,4
+  * xlnx.v-dp.core, EVENT_TYPE_MMIO_WRITE, 0xfd4a0000 +0x3b0, 4,4
+  * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_READ, 0xfd4aa000 +0x1e0, 4,4
+  * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_WRITE, 0xfd4aa000 +0x1e0, 4,4
+  * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_READ, 0xfd4ab000 +0x238, 4,4
+  * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_WRITE, 0xfd4ab000 +0x238, 4,4
+  * xlnx.v-dp.audio, EVENT_TYPE_MMIO_READ, 0xfd4ac000 +0x50, 1,4
+  * xlnx.v-dp.audio, EVENT_TYPE_MMIO_WRITE, 0xfd4ac000 +0x50, 1,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 489Mb
+Running: crash-8b178268936b24c569a421d702ef5b6d911c99e7
+aarch64: xlnx_dp_change_graphic_fmt: unsupported graphic format 2304
+==20455== ERROR: libFuzzer: deadly signal
+    #0 0x56492f51f10e in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
+    #1 0x56492f46dd81 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
+    #2 0x56492f446cb6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18
+    #3 0x56492f446d82 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1
+    #4 0x56492f446d82 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19
+    #5 0x7f7a315a641f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
+    #6 0x7f7a313b800a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #7 0x7f7a313b800a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #8 0x7f7a31397858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
+    #9 0x56492f54f65a in __wrap_abort /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/less_crashes_wrappers.c:24:12
+    #10 0x56492fe7e0d7 in xlnx_dp_change_graphic_fmt /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/display/xlnx_dp.c:644:9
+    #11 0x56492fe7be58 in xlnx_dp_avbufm_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/display/xlnx_dp.c:1046:9
+    #12 0x5649330fa313 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:492:5
+    #13 0x5649330f9c51 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:554:18
+    #14 0x5649330f8576 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:1514:16
+    #15 0x56493318672e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2825:23
+    #16 0x56493317486b in flatview_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2867:12
+    #17 0x564933174328 in address_space_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2963:18
+    #18 0x56492f55f0cb in qemu_writel /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1088:5
+    #19 0x56492f55d544 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1229:28
+    #20 0x56493414264f in videzzo_dispatch_event /root/videzzo/videzzo.c:1122:5
+    #21 0x5649341399cb in __videzzo_execute_one_input /root/videzzo/videzzo.c:272:9
+    #22 0x5649341398a0 in videzzo_execute_one_input /root/videzzo/videzzo.c:313:9
+    #23 0x56492f56610c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1504:12
+    #24 0x564934146f32 in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1891:18
+    #25 0x56492f447826 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #26 0x56492f42a454 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #27 0x56492f4353fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #28 0x56492f4219e6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #29 0x7f7a31399082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #30 0x56492f421a3d in _start (/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp+0x3291a3d)
+
+NOTE: libFuzzer has rudimentary signal handlers.
+      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
+SUMMARY: libFuzzer: deadly signal
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+0x0,0xc,0x1c,0xb0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x4,0x2,0x48,0x40,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0xa,0x20,0xa1,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0xe,0x8,0xc0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x8,0x0,0x0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x4,0x2,0x3e,0xc6,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0xc,0x78,0xb1,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0x9,0x4,0x2,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0xc2,0x1b,0xe,0x7b,0x0,0x0,0x0,0x0,0x1,0xb,0x84,0xa1,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0xd8,0x1f,0x9a,0x30,0x0,0x0,0x0,0x0,0x0,0x8,0x70,0x0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0x9,0xec,0x2,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x50,0x62,0xd6,0x13,0x0,0x0,0x0,0x0,0x0,0xa,0x18,0xa0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0xd,0x0,0xb0,0x4a,0xfd,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x98,0xe9,0xf6,0xc,0x0,0x0,0x0,0x0,
+\x00\x0c\x1c\xb0J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x04\x02H@\x01\x00\x00\x00\x00\x00\x00\x0a \xa1J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x00\x0e\x08\xc0J\xfd\x00\x00\x00\x00\x02\x00\x00\x00\x00\x08\x00\x00J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x04\x02>\xc6\x01\x00\x00\x00\x00\x00\x00\x0cx\xb1J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x01\x09\x04\x02J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\xc2\x1b\x0e{\x00\x00\x00\x00\x01\x0b\x84\xa1J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\xd8\x1f\x9a0\x00\x00\x00\x00\x00\x08p\x00J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x01\x09\xec\x02J\xfd\x00\x00\x00\x00\x04\x00\x00\x00Pb\xd6\x13\x00\x00\x00\x00\x00\x0a\x18\xa0J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x01\x0d\x00\xb0J\xfd\x00\x00\x00\x00\x04\x00\x00\x00\x98\xe9\xf6\x0c\x00\x00\x00\x00
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1421 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1421
new file mode 100644
index 000000000..3cbdc1e4d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1421
@@ -0,0 +1,19 @@
+GDB memory reads fail on Cortex-M33
+Description of problem:
+GDB fails to read memory from the guest.  There appear to be at least two problems:
+
+1. In `arm_cpu_get_phys_page_attrs_debug`, `arm_is_secure(env)` returns false, because the implementation doesn't seem to know about Armv7-M or Armv8-M secure states.  However, `arm_mmu_idx(env)` does know how to check `env->v7m.secure`, so it returns `ARMMMUIdx_MSPriv` (the S stands for secure).  The mismatch between an apparently non-secure access to a secure MMU seems to cause the read to fail laster.
+2. With the MPU enabled (not the case in this repro, but I can provide one), `cpu_memory_rw_debug` computes `page = addr & TARGET_PAGE_MASK`, and uses the page to compute permissions.  However, TARGET_PAGE_MASK is based on 4K pages on this platform, but the MPU granularity is 32 bytes.  So the wrong page is used for checking.
+Steps to reproduce:
+```
+# Sorry for the large clone.  It's mostly unused files in CMSIS.
+git clone --recursive -b qemu-repro-1 https://github.com/dreiss/mpu_experiments
+cd mpu_experiments
+git checkout origin/qemu-repro-1
+cmake -S . -B build -DBOARD=qemu-mps2-an505 -DAPP=mpu_stacktrace -DCMAKE_BUILD_TYPE=Debug
+cmake --build build
+/path/to/qemu-system-arm -machine mps2-an505 -nographic -kernel build/kernel.elf -s -S -d int
+# Open a separate terminal and cd into mpu_experiments
+gdb build/kernel.elf -ex 'target remote :1234' -ex 'break base_case' -ex continue -ex backtrace -ex quit
+# Note the memory read failures in the backtrace.
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1424 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1424
new file mode 100644
index 000000000..7203ffc68
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1424
@@ -0,0 +1,103 @@
+Overflow in xlnx_dp_aux_push_tx_fifo()
+Description of problem:
+Invoking xlnx_dp_aux_push_tx_fifo() 17 times overflow the s->tx_fifo.
+Steps to reproduce:
+```
+export QEMU=/path/to/qemu-system-aarch64
+
+cat << EOF | $QEMU \
+-machine xlnx-zcu102 -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x66554466
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x666e0fa2
+writel 0xfd4a0104 0x666e0fa2
+writel 0xfd4a0104 0x666e0fa2
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x66554466
+writel 0xfd4a0104 0x66554466
+writel 0xfd4a0104 0x66554466
+writel 0xfd4a0104 0x66554466
+writel 0xfd4a0104 0x66554466
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x6fed53ba
+writel 0xfd4a0104 0x6fed53ba
+EOF
+```
+Additional information:
+```
+root@621cbd136b6f:~/bugs/metadata/xlnx_dp-07# bash -x xlnx_dp-07.videzzo 
++ DEFAULT_INPUT_MAXSIZE=10000000
++ ./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp -max_len=10000000 -detect_leaks=0 ./poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp-crash-8070de484ac8d4d9bfff9b439311058e05b8b40f.minimized
+==47609==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x564c9e37c2b0). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 2128347645
+INFO: Loaded 1 modules   (600768 inline 8-bit counters): 600768 [0x564ca198f000, 0x564ca1a21ac0), 
+INFO: Loaded 1 PC tables (600768 PCs): 600768 [0x564ca1063b10,0x564ca198e710), 
+./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+Matching objects by name , *.core*, *.v_blend*, *.av_buffer_manager*, *.audio*
+This process will fuzz the following MemoryRegions:
+  * xlnx.v-dp.core[0] (size 3b0)
+  * xlnx.v-dp.v_blend[0] (size 1e0)
+  * xlnx.v-dp.audio[0] (size 50)
+  * xlnx.v-dp.av_buffer_manager[0] (size 238)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * xlnx.v-dp.core, EVENT_TYPE_MMIO_READ, 0xfd4a0000 +0x3b0, 4,4
+  * xlnx.v-dp.core, EVENT_TYPE_MMIO_WRITE, 0xfd4a0000 +0x3b0, 4,4
+  * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_READ, 0xfd4aa000 +0x1e0, 4,4
+  * xlnx.v-dp.v_blend, EVENT_TYPE_MMIO_WRITE, 0xfd4aa000 +0x1e0, 4,4
+  * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_READ, 0xfd4ab000 +0x238, 4,4
+  * xlnx.v-dp.av_buffer_manager, EVENT_TYPE_MMIO_WRITE, 0xfd4ab000 +0x238, 4,4
+  * xlnx.v-dp.audio, EVENT_TYPE_MMIO_READ, 0xfd4ac000 +0x50, 1,4
+  * xlnx.v-dp.audio, EVENT_TYPE_MMIO_WRITE, 0xfd4ac000 +0x50, 1,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 510Mb
+Running: ./poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp-crash-8070de484ac8d4d9bfff9b439311058e05b8b40f.minimized
+qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp: ../util/fifo8.c:43: void fifo8_push_all(Fifo8 *, const uint8_t *, uint32_t): Assertion `fifo->num + num <= fifo->capacity' failed.
+==47609== ERROR: libFuzzer: deadly signal
+    #0 0x564c998420fe in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
+    #1 0x564c99790d71 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
+    #2 0x564c99769ca6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18
+    #3 0x564c99769d72 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1
+    #4 0x564c99769d72 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19
+    #5 0x7f8ef929941f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
+    #6 0x7f8ef90ab00a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #7 0x7f8ef90ab00a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #8 0x7f8ef908a858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
+    #9 0x7f8ef908a728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
+    #10 0x7f8ef909bfd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
+    #11 0x564c9e1cdbb3 in fifo8_push_all /root/videzzo/videzzo_qemu/qemu/out-san/../util/fifo8.c:43:5
+    #12 0x564c9a189c13 in xlnx_dp_aux_push_tx_fifo /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/xlnx_dp.c:467:5
+    #13 0x564c9a1842f2 in xlnx_dp_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/display/xlnx_dp.c:857:9
+    #14 0x564c9d491e93 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:493:5
+    #15 0x564c9d4917d1 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18
+    #16 0x564c9d4900f6 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1515:16
+    #17 0x564c9d5209ce in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2825:23
+    #18 0x564c9d50e77b in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2867:12
+    #19 0x564c9d50e238 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2963:18
+    #20 0x564c99882d48 in qemu_writel /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1096:5
+    #21 0x564c998810b3 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1245:28
+    #22 0x564c9e37772f in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5
+    #23 0x564c9e36eaad in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9
+    #24 0x564c9e36e854 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9
+    #25 0x564c9988a08c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12
+    #26 0x564c9e37c57b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18
+    #27 0x564c9976a816 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #28 0x564c9974d444 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #29 0x564c997583ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #30 0x564c997449d6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #31 0x7f8ef908c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #32 0x564c99744a2d in _start (/root/bugs/metadata/xlnx_dp-07/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-dp+0x3453a2d)
+
+NOTE: libFuzzer has rudimentary signal handlers.
+      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
+SUMMARY: libFuzzer: deadly signal
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1425 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1425
new file mode 100644
index 000000000..152cf474d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1425
@@ -0,0 +1,84 @@
+Assertion failed in transfer_fifo()
+Description of problem:
+In transfer_fifo(), fifo32_pop() fails since less than 32 bytes are in the fifo.
+Steps to reproduce:
+```
+export QEMU=/path/to/qemu-system-aarch64
+
+cat << EOF | $QEMU \
+-machine xlnx-zcu102 -monitor none -serial none \
+-display none -nodefaults -qtest stdio -audio none
+writel 0xff070000 0x0f73720a
+writel 0xff07003c 0x1f37ee63
+EOF
+```
+Additional information:
+```
+==31717==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x55871da359f0). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 1734665286
+INFO: Loaded 1 modules   (618606 inline 8-bit counters): 618606 [0x558720b94000, 0x558720c2b06e), 
+INFO: Loaded 1 PC tables (618606 PCs): 618606 [0x558720222e60,0x558720b93540), 
+/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+Matching objects by name , *xlnx.zynqmp-can*
+This process will fuzz the following MemoryRegions:
+  * xlnx.zynqmp-can[1] (size 84)
+  * xlnx.zynqmp-can[0] (size 84)
+  * xlnx.zynqmp-can[1] (size 84)
+  * xlnx.zynqmp-can[0] (size 84)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff070000 +0x84, 4,4
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff070000 +0x84, 4,4
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff060000 +0x84, 4,4
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff060000 +0x84, 4,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 491Mb
+Running: poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can-crash-97ef02583c679111ba6ad823f573f139fac7c72e
+qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: ../util/fifo8.c:62: uint8_t fifo8_pop(Fifo8 *): Assertion `fifo->num > 0' failed.
+==31717== ERROR: libFuzzer: deadly signal
+    #0 0x558718e0e10e in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
+    #1 0x558718d5cd81 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
+    #2 0x558718d35cb6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18
+    #3 0x558718d35d82 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1
+    #4 0x558718d35d82 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19
+    #5 0x7f3ad4eba41f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
+    #6 0x7f3ad4ccc00a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #7 0x7f3ad4ccc00a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #8 0x7f3ad4cab858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
+    #9 0x7f3ad4cab728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
+    #10 0x7f3ad4cbcfd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
+    #11 0x55871d6eeac9 in fifo8_pop /root/videzzo/videzzo_qemu/qemu/build-san-6/../util/fifo8.c:62:5
+    #12 0x55871a33f303 in fifo32_pop /root/videzzo/videzzo_qemu/qemu/include/qemu/fifo32.h:137:17
+    #13 0x55871a334bb5 in transfer_fifo /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/net/can/xlnx-zynqmp-can.c:455:23
+    #14 0x55871a32d4c0 in can_tx_post_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/net/can/xlnx-zynqmp-can.c:830:9
+    #15 0x558719393dcb in register_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/core/register.c:122:9
+    #16 0x558719397de8 in register_write_memory /root/videzzo/videzzo_qemu/qemu/build-san-6/../hw/core/register.c:203:5
+    #17 0x55871c9e9073 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:492:5
+    #18 0x55871c9e89b1 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:554:18
+    #19 0x55871c9e72d6 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/memory.c:1514:16
+    #20 0x55871ca7548e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2825:23
+    #21 0x55871ca635cb in flatview_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2867:12
+    #22 0x55871ca63088 in address_space_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../softmmu/physmem.c:2963:18
+    #23 0x558718e4e0cb in qemu_writel /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1081:5
+    #24 0x558718e4c544 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1222:28
+    #25 0x55871da313af in videzzo_dispatch_event /root/videzzo/videzzo.c:1122:5
+    #26 0x55871da2872b in __videzzo_execute_one_input /root/videzzo/videzzo.c:272:9
+    #27 0x55871da28600 in videzzo_execute_one_input /root/videzzo/videzzo.c:313:9
+    #28 0x558718e5510c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/build-san-6/../tests/qtest/videzzo/videzzo_qemu.c:1497:12
+    #29 0x55871da35c92 in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1891:18
+    #30 0x558718d36826 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #31 0x558718d19454 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #32 0x558718d243fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #33 0x558718d109e6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #34 0x7f3ad4cad082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #35 0x558718d10a3d in _start (/root/videzzo/videzzo_qemu/out-san/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can+0x3291a3d)
+
+NOTE: libFuzzer has rudimentary signal handlers.
+      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
+SUMMARY: libFuzzer: deadly signal
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1427 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1427
new file mode 100644
index 000000000..5ac891d30
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1427
@@ -0,0 +1,374 @@
+Fifo overflow in transfer_fifo()
+Description of problem:
+In transfer_fifo(), fifo32_push() fails since less than 32 bytes are free in the
+fifo.
+Steps to reproduce:
+```
+export QEMU=/path/to/qemu-system-aarch64
+
+cat << EOF | $QEMU \
+-machine xlnx-zcu102 -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x554439e4
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x7439dad1
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x554439e4
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x7439dad1
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070030 0x5b33c2da
+writel 0xff070004 0x6847773b
+writel 0xff070030 0x5b33c2da
+writel 0xff070000 0x7a9e77fa
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x0bbac0b1
+readl 0xff070054
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+writel 0xff070038 0x3730c1d8
+writel 0xff07003c 0x1f9c3bcd
+EOF
+```
+Additional information:
+```
+==60953==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x55c4943a85f0). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 1771329340
+INFO: Loaded 1 modules   (600781 inline 8-bit counters): 600781 [0x55c4979bb000, 0x55c497a4dacd), 
+INFO: Loaded 1 PC tables (600781 PCs): 600781 [0x55c49708fbf0,0x55c4979ba8c0), 
+./qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+Matching objects by name , *xlnx.zynqmp-can*
+This process will fuzz the following MemoryRegions:
+  * xlnx.zynqmp-can[1] (size 84)
+  * xlnx.zynqmp-can[0] (size 84)
+  * xlnx.zynqmp-can[1] (size 84)
+  * xlnx.zynqmp-can[0] (size 84)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff070000 +0x84, 4,4
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff070000 +0x84, 4,4
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_READ, 0xff060000 +0x84, 4,4
+  * xlnx.zynqmp-can, EVENT_TYPE_MMIO_WRITE, 0xff060000 +0x84, 4,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 509Mb
+Running: poc-qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can-crash-8c83f08fb7643e6eb55af43e76de522c6f5fcef2.minimized.minimized
+qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can: ../util/fifo8.c:34: void fifo8_push(Fifo8 *, uint8_t): Assertion `fifo->num < fifo->capacity' failed.
+==60953== ERROR: libFuzzer: deadly signal
+    #0 0x55c48f86e0fe in __sanitizer_print_stack_trace /root/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
+    #1 0x55c48f7bcd71 in fuzzer::PrintStackTrace() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
+    #2 0x55c48f795ca6 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18
+    #3 0x55c48f795d72 in fuzzer::Fuzzer::CrashCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1
+    #4 0x55c48f795d72 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19
+    #5 0x7fe36599541f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
+    #6 0x7fe3657a700a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #7 0x7fe3657a700a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #8 0x7fe365786858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
+    #9 0x7fe365786728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
+    #10 0x7fe365797fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
+    #11 0x55c4941f98ef in fifo8_push /root/videzzo/videzzo_qemu/qemu/out-san/../util/fifo8.c:34:5
+    #12 0x55c490d83bb0 in fifo32_push /root/videzzo/videzzo_qemu/qemu/include/qemu/fifo32.h:94:9
+    #13 0x55c490d79d17 in transfer_fifo /root/videzzo/videzzo_qemu/qemu/out-san/../hw/net/can/xlnx-zynqmp-can.c:476:21
+    #14 0x55c490d71a00 in can_tx_post_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/net/can/xlnx-zynqmp-can.c:836:9
+    #15 0x55c48fdfaf9b in register_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/core/register.c:122:9
+    #16 0x55c48fdfefb8 in register_write_memory /root/videzzo/videzzo_qemu/qemu/out-san/../hw/core/register.c:203:5
+    #17 0x55c4934be1d3 in memory_region_write_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:493:5
+    #18 0x55c4934bdb11 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18
+    #19 0x55c4934bc436 in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1515:16
+    #20 0x55c49354cd0e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2825:23
+    #21 0x55c49353aabb in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2867:12
+    #22 0x55c49353a578 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2963:18
+    #23 0x55c48f8aed48 in qemu_writel /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1096:5
+    #24 0x55c48f8ad0b3 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1245:28
+    #25 0x55c4943a3a6f in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5
+    #26 0x55c49439aded in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9
+    #27 0x55c49439ab94 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9
+    #28 0x55c48f8b608c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1520:12
+    #29 0x55c4943a88bb in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18
+    #30 0x55c48f796816 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #31 0x55c48f779444 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #32 0x55c48f7843ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #33 0x55c48f7709d6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #34 0x7fe365788082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #35 0x55c48f770a2d in _start (/root/bugs/metadata/xlnx_zynqmp_can-01/qemu-videzzo-aarch64-target-videzzo-fuzz-xlnx-zynqmp-can+0x3454a2d)
+
+NOTE: libFuzzer has rudimentary signal handlers.
+      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
+SUMMARY: libFuzzer: deadly signal
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1436 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1436
new file mode 100644
index 000000000..77e7be07d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1436
@@ -0,0 +1,61 @@
+Out of memory in hw/omap-dss for ARM
+Description of problem:
+In omap-dss, g_realloc() can allocate a large buffer using out of the memory.
+
+- [1] set pixels to any value
+- [2] double pixels
+- [3] allocate a large buffer
+
+```
+static void omap_rfbi_write(...) {
+   switch (addr) {
+     case 0x44: /* RFBI_PIXELCNT */
+        s->rfbi.pixels = value; // ------------------------------------> [1]
+        break;
+
+static void omap_rfbi_transfer_start(struct omap_dss_s *s) {
+    len = s->rfbi.pixels * 2;  // -------------------------------------> [2]
+    if (!data) {
+        if (len > bounce_len) {
+            bounce_buffer = g_realloc(bounce_buffer, len); // ---------> [3]
+        }
+```
+Steps to reproduce:
+```
+export QEMU=/path/to/qemu-system-arm
+
+cat << EOF | $QEMU \
+-machine n810,accel=qtest -m 128M -qtest stdio -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+writel 0x48050440 0x74a57907
+writel 0x48050858 0x34982d63
+writel 0x48050840 0x65a61a51
+EOF
+```
+Additional information:
+```
+
+=================================================================
+==1029323==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffe (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
+    #0 0x7f4650b4ec3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
+    #1 0x7f464fa27f3f in g_realloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57f3f)
+    #2 0x55cf6212c85b in omap_rfbi_write ../hw/display/omap_dss.c:761
+    #3 0x55cf636b9c9b in memory_region_write_accessor ../softmmu/memory.c:493
+    #4 0x55cf636ba132 in access_with_adjusted_size ../softmmu/memory.c:555
+    #5 0x55cf636c76f8 in memory_region_dispatch_write ../softmmu/memory.c:1515
+    #6 0x55cf637049b9 in flatview_write_continue ../softmmu/physmem.c:2825
+    #7 0x55cf63704ddc in flatview_write ../softmmu/physmem.c:2867
+    #8 0x55cf637057c4 in address_space_write ../softmmu/physmem.c:2963
+    #9 0x55cf63716261 in qtest_process_command ../softmmu/qtest.c:533
+    #10 0x55cf6371ac52 in qtest_process_inbuf ../softmmu/qtest.c:802
+    #11 0x55cf6371ad43 in qtest_read ../softmmu/qtest.c:814
+    #12 0x55cf63d4d5e5 in qemu_chr_be_write_impl ../chardev/char.c:201
+    #13 0x55cf63d4d68c in qemu_chr_be_write ../chardev/char.c:213
+    #14 0x55cf63d544c9 in fd_chr_read ../chardev/char-fd.c:72
+    #15 0x55cf63938b9b in qio_channel_fd_source_dispatch ../io/channel-watch.c:84
+    #16 0x7f464fa2204d in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d)
+
+==1029323==HINT: if you don't care about these errors you may set allocator_may_return_null=1
+SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163 in __interceptor_realloc
+==1029323==ABORTING
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1444 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1444
new file mode 100644
index 000000000..20912d483
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1444
@@ -0,0 +1,42 @@
+ld.so on aarch64 crashes (SIGSEGV) qemu-aarch64-static to verify attached executable
+Description of problem:
+I'm currently managing an automation to build a linux distribution from nothing.
+The issues is when I try to cross compile gobject-introspection for aarch64 (it is currently working on arm) because the g-ir-compile phase requires a binary verification using ld-linux-aarch64-so-1 --verify GLib-2.0 process used by ldd, that crashes qemu-aarch64-static.
+Original command is: ${SYSROOT}/lib/ld-linux-aarch64-so-1 --verify ${HOME}/builds/gobject-introspection_1.75.4/tmp-introspectnpyrhpje/GLib-2.0.
+I simplified the problem bringing out the ld.so and GLib-2.0 binary to obtain the same result.
+
+This happens with glibc 2.35 and glibc 2.36 on aarch64 built with a gcc-12.2 cross compiler (x86 -> aarch64).
+
+[GLib-2.0](/uploads/47932b18278835fb13ef0de4c34872fa/GLib-2.0)
+
+[ld-linux-aarch64.so.1](/uploads/0ee01949285bea8ccfcebdc88a1d5b33/ld-linux-aarch64.so.1)
+
+I tried to debug the SIGSEGV but it's out completely out of my capacity.
+Steps to reproduce:
+1. Copy the 2 attached files in a directory:
+2. Run: qemu-aarch64-static ./ld-linux-aarch64.so.1 --verify ./GLib-2.0
+3. Result: Segmentation fault.
+Additional information:
+I attach the output of gdb after install qemu debug symbols:
+
+```
+Thread 1 "qemu-aarch64-st" received signal SIGSEGV, Segmentation fault.
+0x0000000000401088 in ?? ()
+(gdb) bt
+#0  0x0000000000401088 in ?? ()
+#1  0x00000000006aa439 in g_malloc0 ()
+#2  0x000000000061bb4b in page_find_alloc (index=index@entry=1024, alloc=alloc@entry=1)
+    at ../accel/tcg/translate-all.c:494
+#3  0x000000000061db12 in page_set_flags (start=start@entry=4194304, end=end@entry=4206592, flags=9, flags@entry=73)
+    at ../accel/tcg/translate-all.c:2288
+#4  0x0000000000629f10 in target_mmap (start=<optimized out>, start@entry=4194304, len=<optimized out>,
+    len@entry=12288, target_prot=target_prot@entry=1, flags=2066, fd=fd@entry=3, offset=offset@entry=0)
+    at ../linux-user/mmap.c:629
+#5  0x0000000000641e1d in do_syscall1 (cpu_env=0x9e8c10, num=222, arg1=4194304, arg2=12288, arg3=1,
+    arg4=<optimized out>, arg5=3, arg6=0, arg8=<optimized out>, arg7=<optimized out>) at ../linux-user/syscall.c:9961
+#6  0x0000000000644c8c in do_syscall (cpu_env=cpu_env@entry=0x9e8c10, num=222, arg1=4194304, arg2=12288, arg3=1,
+    arg4=2066, arg5=3, arg6=0, arg7=0, arg8=0) at ../linux-user/syscall.c:13203
+#7  0x000000000040fca8 in cpu_loop (env=env@entry=0x9e8c10) at ../linux-user/aarch64/cpu_loop.c:93
+#8  0x000000000040267f in main (argc=<optimized out>, argv=0x7fffffffdfc8, envp=<optimized out>)
+    at ../linux-user/main.c:897
+```
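Review bot: The two attachment links, `[GLib-2.0](/uploads/…/GLib-2.0)` and `[ld-linux-aarch64.so.1](/uploads/…/ld-linux-aarch64.so.1)`, are stored as site-relative paths, and the file has no issue URL to resolve them against. The reproduction steps ("Copy the 2 attached files in a directory") therefore cannot be followed from this text alone. The scraper could rewrite such links to absolute ones, or emit a provenance line at the top of each file such as `Source: <issue-url>` (placeholder). The same applies to the `/uploads/…` links in the 1600 file later in this diff. Since these attachments are reporter-supplied binaries, keeping their origin recorded also lets a consumer judge where they came from before fetching or running them.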
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1488 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1488
new file mode 100644
index 000000000..286f8dfad
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1488
@@ -0,0 +1,35 @@
+Memory not accessible from GDB when using mps3-an547
+Description of problem:
+Memory (including variables) is not accessible when connecting to the emulated machine via GDB
+Steps to reproduce:
+1. Create minimal program `main.c`:
+    ```c
+    int main(void) {
+        int myvar = 42;
+        for(;;)
+    }
+    ```
+2. Compile
+   ```bash
+    arm-none-eabi-gcc -c -o build/main.o -c -mcpu=cortex-m55 -mfloat-abi=hard -mthumb -funsigned-char -mlittle-endian -O0 -g -std=c11  main.c
+    ```
+    (ARM startup files and include directories omitted for brevity)
+3. Link 
+    ```bash
+    arm-none-eabi-g++ -o build/test.elf build/main.o -mcpu=cortex-m55 -mfloat-abi=hard -mthumb -funsigned-char -mlittle-endian --entry=Reset_Handler -static -T./platform.ld -O0 -g
+    ```
+    (ARM startup files omitted for brevity)
+4. Run binary in QEMU:
+   ```bash
+    qemu-system-arm --machine mps3-an547 -serial mon:stdio -kernel test.elf -gdb tcp::1234 -S
+    ```
+5. Attach using GDB `arm-none-eabi-gdb build/test.elf` and set break point to infinite loop
+   ```gdb
+   target remote :1234
+   break main.c:18
+   continue
+   print myvar
+   ```
+
+Expected Output: 42  
+Actual Output: `Cannot access memory at address 0x11fffe4`
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1491 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1491
new file mode 100644
index 000000000..37d0f2983
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1491
@@ -0,0 +1 @@
+imx_epit will stop unexpectedly when couter rollover
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1493 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1493
new file mode 100644
index 000000000..39f94a695
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1493
@@ -0,0 +1,85 @@
+Devision by zero in uart_parameters_setup()
+Description of problem:
+s->r[R_BRGR] could be zero but there is no check[1].
+
+```
+static void uart_parameters_setup(CadenceUARTState *s)
+{
+    QEMUSerialSetParams ssp;
+    unsigned int baud_rate, packet_size, input_clk;
+    input_clk = clock_get_hz(s->refclk);
+
+    baud_rate = (s->r[R_MR] & UART_MR_CLKS) ? input_clk / 8 : input_clk;
+    baud_rate /= (s->r[R_BRGR] * (s->r[R_BDIV] + 1)); // ----> [1]
+```
+Steps to reproduce:
+Build with ASan.
+
+```
+export QEMU=/path/to/qemu-system-aarch64
+
+cat << EOF | $QEMU \
+-machine xlnx-zcu102 -monitor none -serial none \
+-display none -nodefaults -qtest stdio
+writel 0xff000018 0x12330000
+writew 0xff000004 0xbcc4
+EOF
+```
+Additional information:
+```
+==23==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+INFO: found LLVMFuzzerCustomMutator (0x55555d6bab70). Disabling -len_control by default.
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 4102190864
+INFO: Loaded 1 modules   (603606 inline 8-bit counters): 603606 [0x555560d6e000, 0x555560e015d6), 
+INFO: Loaded 1 PC tables (603606 PCs): 603606 [0x5555604379b0,0x555560d6d710), 
+./qemu-videzzo-aarch64-target-videzzo-fuzz-cadence-uart: Running 1 inputs 1 time(s) each.
+INFO: Reading pre_seed_input if any ...
+INFO: Executing pre_seed_input if any ...
+Matching objects by name , *uart*
+This process will fuzz the following MemoryRegions:
+  * uart[0] (size 1000)
+  * uart[0] (size 1000)
+This process will fuzz through the following interfaces:
+  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
+  * uart, EVENT_TYPE_MMIO_READ, 0xff000000 +0x1000, 1,4
+  * uart, EVENT_TYPE_MMIO_WRITE, 0xff000000 +0x1000, 1,4
+  * uart, EVENT_TYPE_MMIO_READ, 0xff010000 +0x1000, 1,4
+  * uart, EVENT_TYPE_MMIO_WRITE, 0xff010000 +0x1000, 1,4
+INFO: A corpus is not provided, starting from an empty corpus
+#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 512Mb
+Running: ./poc-qemu-videzzo-aarch64-target-videzzo-fuzz-cadence-uart-crash-cef41ca061384b94899472d8e2e6b5a86b62d259.minimized
+../hw/char/cadence_uart.c:181:15: runtime error: division by zero
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/char/cadence_uart.c:181:15 in 
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==23==ERROR: AddressSanitizer: FPE on unknown address 0x555558fee913 (pc 0x555558fee913 bp 0x7fffffffb5f0 sp 0x7fffffffb220 T0)
+    #0 0x555558fee913 in uart_parameters_setup /root/videzzo/videzzo_qemu/qemu/out-san/../hw/char/cadence_uart.c:181:15
+    #1 0x555558fe8165 in uart_write /root/videzzo/videzzo_qemu/qemu/out-san/../hw/char/cadence_uart.c:471:9
+    #2 0x55555c7bee3e in memory_region_write_with_attrs_accessor /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:514:12
+    #3 0x55555c7be051 in access_with_adjusted_size /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:555:18
+    #4 0x55555c7bcd1e in memory_region_dispatch_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/memory.c:1522:13
+    #5 0x55555c84ce1e in flatview_write_continue /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2826:23
+    #6 0x55555c83abcb in flatview_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2868:12
+    #7 0x55555c83a688 in address_space_write /root/videzzo/videzzo_qemu/qemu/out-san/../softmmu/physmem.c:2964:18
+    #8 0x555558b3e91e in qemu_writew /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1101:5
+    #9 0x555558b3d173 in dispatch_mmio_write /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1253:28
+    #10 0x55555d6b5fef in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5
+    #11 0x55555d6ad36d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9
+    #12 0x55555d6ad114 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9
+    #13 0x555558b4646c in videzzo_qemu /root/videzzo/videzzo_qemu/qemu/out-san/../tests/qtest/videzzo/videzzo_qemu.c:1530:12
+    #14 0x55555d6bae3b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18
+    #15 0x555558a26bf6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
+    #16 0x555558a09824 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
+    #17 0x555558a147ce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
+    #18 0x555558a00db6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #19 0x7ffff607a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #20 0x555558a00e0d in _start (/root/bugs/metadata/cadence_uart-00/qemu-videzzo-aarch64-target-videzzo-fuzz-cadence-uart+0x34ace0d)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: FPE /root/videzzo/videzzo_qemu/qemu/out-san/../hw/char/cadence_uart.c:181:15 in uart_parameters_setup
+==23==ABORTING
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+0x1,0x9,0x18,0x0,0x0,0xff,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x33,0x12,0x0,0x0,0x0,0x0,0x1,0x9,0x4,0x0,0x0,0xff,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xc4,0xbc,0x4e,0x4c,0x0,0x0,0x0,0x0,
+\x01\x09\x18\x00\x00\xff\x00\x00\x00\x00\x04\x00\x00\x00\x00\x003\x12\x00\x00\x00\x00\x01\x09\x04\x00\x00\xff\x00\x00\x00\x00\x02\x00\x00\x00\xc4\xbcNL\x00\x00\x00\x00
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1514 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1514
new file mode 100644
index 000000000..cffca6434
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1514
@@ -0,0 +1 @@
+Cpu flags for ARM is surprising
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1552 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1552
new file mode 100644
index 000000000..5cdca23bc
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1552
@@ -0,0 +1,15 @@
+newer version(>=5.2.0) of qemu-system-aarch64 cannot debug arm64 linux kernel
+Description of problem:
+
+Steps to reproduce:
+1. Run QEMU in on teminal.
+2. Run gdb-multiarch in another terminal, for example: gdb-multiarch ./linux-5.10.4/vmlinux
+3. In gdb-multiarch, enter three commands in sequence:"target remote localhost:1234"、"b do_sys_open"、"continue"
+4. GDB breakpoint cannot take effect
+5. If using qemu-system-aarch64 5.0.0(manually compiled),GDB breakpoint can take effect.
+Additional information:
+I tested this problem using different combinations:  
+Host Os:Ubuntu18/Ubuntu20/Ubuntu22  
+ARM64 Linux Kernel: 5.4.50/5.10.4  
+QEMU:qemu 2.11/qemu 4.2/qemu 5.0/qemu 5.2/qemu 6.2/qemu 7  
+Finally, I found out that arm64 linux kernel cannot be debugged since qemu-system-aarch64 5.2.0.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1575 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1575
new file mode 100644
index 000000000..3cfd69883
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1575
@@ -0,0 +1 @@
+how to implement a heterogeneous machine(several sysbus/mem map)?
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1600 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1600
new file mode 100644
index 000000000..08747c631
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1600
@@ -0,0 +1,25 @@
+Aarch64/FEAT_SEL2  secure S1 translation for a NS page resolves to the secure IPA space
+Description of problem:
+Follow up to https://lists.trustedfirmware.org/archives/list/hafnium@lists.trustedfirmware.org/thread/ZUHRGWVDPUQ5CK6SRWZ7AMI5IKVS6J47/
+
+In context of Hafnium project (SEL2 / SPM firmware), implementing secure/non-secure page tables split rooted by VTTBR/VSTTBR in TZ secure world.
+Observing transactions always resolve to the secure IPA space (hence to the page tables rooted to by VSTTBR) whichever the state of the S1 MMU translation NS bit.
+Access to a page mapped NS from the SEL1 Trusted OS, causes a S2 page fault even though mapped in page tables rooted to by VTTBR.
+
+The VTCR_EL2/VSTCR_EL2 settings at SEL2 are as follows:
+VTCR_EL2.NSA/NSW=10b
+VSTCR_EL2.SA/SW=00b
+
+Note the same set of changes (https://review.trustedfirmware.org/q/topic:%2522od/split-vttbr%2522+status:open) run fine for the same scenario on FVP.
+Steps to reproduce:
+1. build qemu master 60ca584b8af0de525656f959991a440f8c191f12
+2. unzip [qemu-sel2-vttbr-fail.zip](/uploads/ec556347c32d97f79c140c5bccf45c6b/qemu-sel2-vttbr-fail.zip)
+3. Run
+
+```
+<...>/qemu/build/aarch64-softmmu/qemu-system-aarch64 -nographic -serial file:uart0.log -serial file:uart1.log -smp 2 -machine virt,secure=on,mte=on,gic-version=3,virtualization=true -cpu max,sme=off,pauth-impdef=on -d unimp -semihosting-config enable=on,target=native -m 1057 -bios bl1.bin -initrd rootfs.cpio.gz -kernel Image -no-acpi -append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2 nokaslr'  -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic
+```
+Additional information:
+[qemu-60ca58-qemu-tfa-hf-linux-fail.txt](/uploads/1db0155fc49140cf52913cd75b7494c1/qemu-60ca58-qemu-tfa-hf-linux-fail.txt) illustrates the failure, linux boot stops, after sharing a NS page to the TOS, and the TOS retrieving the page, mapping as NS and accessing it (ends in a dead loop, because of the S2 PF in the TOS).
+
+[qemu-tfa-hf-linux-pass.txt](/uploads/4e672617838e40fe3614c127531443b5/qemu-tfa-hf-linux-pass.txt) shows the expected output where the NS mem sharing operation succeeds.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1608 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1608
new file mode 100644
index 000000000..1cc934a43
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1608
@@ -0,0 +1 @@
+QEMU gives wrong MPIDR value for Arm CPU types with MT=1
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1627 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1627
new file mode 100644
index 000000000..2f84a165d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1627
@@ -0,0 +1,39 @@
+Aarch64: VTCR.T0SZ / iasize test for Aarch32 guests wrong
+Description of problem:
+With QEMU 8 we are no longer able to execute Aarch32 guest code on an Aarch64 host. We use virtualization for the QEMU guest:
+- The QEMU guest kernel (L4Re kernel) runs at EL2 in AArch64 mode.
+- The L4Re guest code runs at EL1 in AAarch32 mode.
+
+It seems that the check for T0SZ / iasize in `ptw.c` / `check_s2_mmu_setup()` is too strict:
+```
+if (is_aa64) {
+    /*
+     * AArch64.S2InvalidTxSZ: While we checked tsz_oob near the top of
+     * get_phys_addr_lpae, that used aa64_va_parameters which apply
+     * to aarch64.  If Stage1 is aarch32, the min_txsz is larger.
+     * See AArch64.S2MinTxSZ, where min_tsz is 24, translated to
+     * inputsize is 64 - 24 = 40.
+     */
+    if (iasize < 40 && !arm_el_is_aa64(&cpu->env, 1)) {
+        goto fail;
+    }
+```
+The above test fails for us when executing Aarch32 EL1 code on Aarch64 EL2.
+
+Please note that the comment talks about `S2MinTxSZ` / `min_tsz`, so if the **minimum** value of `T0SZ` is 24, then the **maximum** value of `iasize` is `64-24=40` so the following comparison would be more appropriate (I replaces `<` by `>`):
+```
+if (iasize > 40 && !arm_el_is_aa64(&cpu->env, 1)) {
+    goto fail;
+}
+```
+However, the minimum value of `VTCR_EL2.T0SZ` is either 16 or 12, see `VTCR_EL2.DS`:
+- `VTCR_EL2.DS=0b0`: **minimum** value of `VTCR_EL2.T0SZ` is 16 => **maximum** value of `iasize` is 48,
+- `VTCR_EL2.DS=0b1`: **minimum** value of `VTCR_EL2.T0SZ` is 12 => **maximum** value of `iasize` is 52.
+
+Regarding the minimum of `iasize` / maximum of `VTCR_EL2.T0SZ`, see `ID_AA64MMFR_EL1.ST`:
+- `ID_AA64MMFR2_EL1.ST=0b0000`: **maximum** value of `VTCR_EL2.T0SZ` is 39 => **minimum** value of `iasize` is 25,
+- `ID_AA64MMFR2_EL1.ST=0b0001`: **maximum** value of `VTCR_EL2.T0SZ` is 48 => **minimum** value of `iasize` is 16 (or 47/17 for 64KiB granules).
+
+Our system executes Aarch32 EL1 code fine on Aarch64 EL2 if I weaken the comparison.
+Additional information:
+Sorry for not providing a test build but I'm not sure if it's worth to provide a custom build of our L4Re system, but I will happily provide one if you insist.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1640 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1640
new file mode 100644
index 000000000..5284aa9eb
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1640
@@ -0,0 +1,25 @@
+aarch64: usb_mtp_get_data: Assertion `(s->dataset.size == 0xFFFFFFFF) || (s->dataset.size == d->offset)' failed
+Description of problem:
+When attempting to write to an MTP device in QEMU 8.0.0 on arm64, QEMU will crash at runtime with the following error:
+`qemu-system-aarch64: ../hw/usb/dev-mtp.c:1819: usb_mtp_get_data: Assertion '(s->dataset.size == 0xFFFFFFFF) || (s->dataset.size == d->offset)' failed.`
+
+This was observed in Nixpkgs where we use QEMU to provide automated testing of MTP devices for GVFS and jmtpfs, the full log for that test run that crashes due to this QEMU regression on arm64 is available here https://hydra.nixos.org/build/218858556/nixlog/1
+Steps to reproduce:
+1. Launch a QEMU virtual machine with `-usb -device usb-mtp,rootdir=/tmp,readonly=false` using any QEMU version above 6.0.0
+2. Mount the MTP device using something like:
+   ```
+   mkdir mtpDevice && jmtpfs mtpDevice
+   ```
+3. Try to write to the mtp device:
+   ```
+   dd if=/dev/urandom of=./mtpDevice/file
+   ```
+4. Observe that QEMU will crash when trying to write to the device, like this:
+   ```
+   client # 10+0 records in
+   client # 10+0 records out
+   client # 10485760 bytes (10 MB, 10 MiB) copied, 0.0318363 s, 329 MB/s
+   client # qemu-system-aarch64: ../hw/usb/dev-mtp.c:1819: usb_mtp_get_data: Assertion '(s->dataset.size == 0xFFFFFFFF) || (s->dataset.size == d->offset)' failed.error
+   ```
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1651 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1651
new file mode 100644
index 000000000..46563620f
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1651
@@ -0,0 +1 @@
+bcm2835 timer jumps to max delay
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1657 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1657
new file mode 100644
index 000000000..d019c9cd7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1657
@@ -0,0 +1,33 @@
+Unable to use ide hard drive when using xlnx-zcu102 board
+Description of problem:
+I have only recently started using qemu and am reading content related to ahci. When I started QEMU using the above command line (I did not specify the Linux kernel because I only wanted to see which devices were initialized on the motherboard), I found the following devices in the device tree:
+ ```
+dev: sysbus-ahci, id ""
+
+gpio-out "sysbus-irq" 1
+
+num-ports = 2 (0x2)
+
+mmio 00000000fd0c0000/0000000000001000
+
+bus: ide.1
+
+type IDE
+
+bus: ide.0
+
+type IDE
+ ```
+
+I think this is similar to the ICH9 ahci device, so I tried to mount an IDE hard drive(using command line:-drive file=./testide.img)but failed. QEMU shows
+ ```
+qemu-system-aarch64: -drive file=./ testide.img: machine type does not support if=ide,bus=0,unit=0
+ ```
+So if the ide bus generated by sysbus ahci cannot mount a hard drive, what device should it mount?
+It will be grateful if anyone can answer this question.
+Steps to reproduce:
+1.
+2.
+3.
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/172 b/gitlab/issues_text/target_arm/host_missing/accel_missing/172
new file mode 100644
index 000000000..8e5363ed8
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/172
@@ -0,0 +1 @@
+qemu seems to lack support for pid namespace.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1761 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1761
new file mode 100644
index 000000000..86a42eb1f
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1761
@@ -0,0 +1 @@
+vexpress-a9 board maps both RAM and flash at address 0
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1763 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1763
new file mode 100644
index 000000000..b168399b8
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1763
@@ -0,0 +1,12 @@
+ldd fails with qemu-aarch64
+Description of problem:
+see the original issue for full details https://github.com/multiarch/qemu-user-static/issues/172
+Steps to reproduce:
+1. docker run --rm -it arm64v8/ubuntu:16.04 ldd /bin/ls
+
+Also possible on other newer OSs (eg: Ubuntu:18.04) with different compiled binaries.
+Additional information:
+```
+WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64) and no specific platform was requested
+ldd: exited with unknown exit code (139)
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1772 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1772
new file mode 100644
index 000000000..82135aef2
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1772
@@ -0,0 +1,12 @@
+MPS2 AN521 has the wrong number of MPU region defined
+Description of problem:
+The AN521 is integrating SSE-200 on the MPS2+ FPGA prototyping board.
+The current implementation in qemu behaves as though there are 16MPU regions when it really only has 8, as describes as `MPU_NS` and `MPU_S` core configuration parameters in the SSE-200's [Techincal Reference Manual](https://developer.arm.com/documentation/101104/0200/functional-description/cpu-elements/cortex-m33-configurations?lang=en).
+Steps to reproduce:
+1. Prepare your Zephyr dev environment
+2. fix `boards/arm/mps2_an521/mps2_an521.dts` to set `arm,num-mpu-regions`  to the appropriate value of 8.
+3. build a Zephyr test such as `west build -p -b mps2_an521 -T tests/kernel/interrupt/arch.interrupt` 
+4. run `qemu-system-arm -machine mps2-an521 -chardev stdio,id=con,mux=on -serial chardev:con -kernel ./build/zephyr/zephyr.elf`
+Additional information:
+With matching MPU region number in QEMU and Zephyr's DTS, the application shows the test suite's progress & outcome.
+If there's a mismatch, the application will enter a fault and not display the expected traces.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1802 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1802
new file mode 100644
index 000000000..9389dd8e5
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1802
@@ -0,0 +1,9 @@
+windows serial COM PollingFunc don't sleep if guest uart can't write
+Description of problem:
+If two or more characters are sent from the host to the guest via Windows Com/Serial, everything freezes.
+Steps to reproduce:
+1.
+2.
+3.
+Additional information:
+I fix it in qemu/chardev/char-win.c see attached file
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1819 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1819
new file mode 100644
index 000000000..5346c9b47
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1819
@@ -0,0 +1,10 @@
+segmentation fault for rpm -qa command on centos:centos7 linux/arm/v7 architecture for docker container in shell.
+Description of problem:
+
+Steps to reproduce:
+1. docker pull centos:centos7@sha256:6887440ab977f751d6675157b73e42428d8ac05cf244c5d09ba036cc22d40d13 //pull an image centos:centos7 linux/arm/v7 tag
+2. docker run -it b22fdcc90005 //docker run in interactive mode just pulled image
+3. on shell run command -\> rpm -qa.
+4. docker run -it b22fdcc90005
+
+   WARNING: The requested image's platform (linux/arm/v7) does not match the detected host platform (linux/amd64) and no specific platform was requested \[root@e23bc92686e8 /\]# rpm -qa Segmentation fault (core dumped)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1825 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1825
new file mode 100644
index 000000000..7fc19af7b
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1825
@@ -0,0 +1,14 @@
+pigz crashes when running in an aarch64 chroot (entered through qemu-binfmt) with qemu 8.1.0-rc*, qemu 8.0.3 is ok
+Description of problem:
+If qemu 8.1.0-rc1, -rc2 or -rc3 is used, pigz crashes.
+```
+# chroot /chroot/aarch64 pigz /tmp/test
+qemu: uncaught target signal 11 (Segmentation fault) - core dumped
+Segmentation fault
+```
+With qemu 8.0.3 on the same chroot enviroment, it works and produces the expected /chroot/aarch64/tmp/test.gz
+Steps to reproduce:
+1. Install an aarch64 chroot environment on x86_64
+2. Try using pigz to compress a file inside the chroot environment using qemu-binfmt
+Additional information:
+Unfortunately `git bisect`-ing the issue isn't easy because many snapshots between 8.0.0 (good) and 8.1.0-rc1 (first known bad) don't compile.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1850 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1850
new file mode 100644
index 000000000..ceda953ab
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1850
@@ -0,0 +1,29 @@
+AARCH64 Illegal Instruction (CurrentEL)
+Description of problem:
+While emulating Aarch64 in QEMU, whenever the instruction `CurrentEL` is executed,
+QEMU crashes with the following message.
+
+`qemu: uncaught target signal 4 (Illegal instruction) - core dumped
+Illegal instruction (core dumped)`
+
+I've tried both QEMU user space translation (qemu-aarch64-static) and QEMU emulation (qemu-system-aarch64),
+and both fail with the above message.
+
+C Code to reproduce bug, courtesy of https://github.com/cirosantilli/linux-kernel-module-cheat/blob/35684b1b7e0a04a68987056cb15abd97e3d2f0cc/baremetal/arch/aarch64/el.c
+```
+#include <stdio.h>
+#include <inttypes.h>
+
+int main(void) {
+        register uint64_t x0 __asm__ ("x0");
+	__asm__ ("mrs x0, CurrentEL;" : : : "%x0");
+	printf("%" PRIu64 "\n", x0 >> 2);
+	return 0;
+}
+```
+Steps to reproduce:
+1. Copy C code above into file.
+2. Compile code `gcc ./main.c --static`
+3. Execute elf bin `./a.out`
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1852 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1852
new file mode 100644
index 000000000..5046531a5
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1852
@@ -0,0 +1,110 @@
+aarch64: crash failed  to analyze vmcore  of dump-guest-memory
+Description of problem:
+```
+1、 dump guest memory
+virsh qemu-monitor-command 3  --hmp "dump-guest-memory  /home/ecs3.kdump"
+2、crash kdump failed
+[root@ceasphere-node-1 home]# ./crash  ./vmlinux ./ecs3.kdump
+
+crash 7.2.9-2.el8
+Copyright (C) 2002-2020  Red Hat, Inc.
+Copyright (C) 2004, 2005, 2006, 2010  IBM Corporation
+Copyright (C) 1999-2006  Hewlett-Packard Co
+Copyright (C) 2005, 2006, 2011, 2012  Fujitsu Limited
+Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
+Copyright (C) 2005, 2011  NEC Corporation
+Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
+Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
+This program is free software, covered by the GNU General Public License,
+and you are welcome to change it and/or distribute copies of it under
+certain conditions.  Enter "help copying" to see the conditions.
+This program has absolutely no warranty.  Enter "help warranty" for details.
+
+crash: read error: kernel virtual address: ffff000010e0ba48  type: "vabits_user"
+GNU gdb (GDB) 7.6
+Copyright (C) 2013 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "aarch64-unknown-linux-gnu"...
+
+crash: read error: kernel virtual address: ffff000011a609b8  type: "possible"
+WARNING: cannot read cpu_possible_map
+crash: read error: kernel virtual address: ffff000011a60bb8  type: "present"
+WARNING: cannot read cpu_present_map
+crash: read error: kernel virtual address: ffff000011a607b8  type: "online"
+WARNING: cannot read cpu_online_map
+crash: read error: kernel virtual address: ffff000011a60db8  type: "active"
+WARNING: cannot read cpu_active_map
+crash: read error: kernel virtual address: ffff0000123da120  type: "shadow_timekeeper xtime_sec"
+crash: read error: kernel virtual address: ffff000011a6a6ac  type: "init_uts_ns"
+crash: ./vmlinux and ./ecs3.kdump do not match!
+
+Usage:
+
+  crash [OPTION]... NAMELIST MEMORY-IMAGE[@ADDRESS]     (dumpfile form)
+  crash [OPTION]... [NAMELIST]                          (live system form)
+
+Enter "crash -h" for details.
+```
+Steps to reproduce:
+1. virsh create vm.xml
+2. virsh qemu-monitor-command 3  --hmp "dump-guest-memory  /home/ecs3.kdump"
+3. crash  ./vmlinux ./ecs3.kdump
+Additional information:
+The vmcore by 'echo  c > /proc/sysrq-trigger'  in guest is ok, crash work.
+
+```
+[root@ceasphere-node-1 home]# crash ./vmlinux  ./vmcore
+
+crash 8.0.3-1.el9
+Copyright (C) 2002-2022  Red Hat, Inc.
+Copyright (C) 2004, 2005, 2006, 2010  IBM Corporation
+Copyright (C) 1999-2006  Hewlett-Packard Co
+Copyright (C) 2005, 2006, 2011, 2012  Fujitsu Limited
+Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
+Copyright (C) 2005, 2011, 2020-2022  NEC Corporation
+Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
+Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
+Copyright (C) 2015, 2021  VMware, Inc.
+This program is free software, covered by the GNU General Public License,
+and you are welcome to change it and/or distribute copies of it under
+certain conditions.  Enter "help copying" to see the conditions.
+This program has absolutely no warranty.  Enter "help warranty" for details.
+
+GNU gdb (GDB) 10.2
+Copyright (C) 2021 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "aarch64-unknown-linux-gnu".
+Type "show configuration" for configuration details.
+Find the GDB manual and other documentation resources online at:
+    <http://www.gnu.org/software/gdb/documentation/>.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+
+      KERNEL: ./vmlinux
+    DUMPFILE: ./vmcore  [PARTIAL DUMP]
+        CPUS: 4
+        DATE: Wed Aug 30 09:06:01 CST 2023
+      UPTIME: 00:01:08
+LOAD AVERAGE: 0.91, 0.34, 0.12
+       TASKS: 158
+    NODENAME: localhost
+     RELEASE: 4.18.0-305.3.1.el8.aarch64
+     VERSION: #1 SMP Tue Jun 1 16:22:50 UTC 2021
+     MACHINE: aarch64  (unknown Mhz)
+      MEMORY: 16 GB
+       PANIC: "sysrq: SysRq : Trigger a crash"
+         PID: 1310
+     COMMAND: "bash"
+        TASK: ffff8003d47d3200  [THREAD_INFO: ffff8003d47d3200]
+         CPU: 1
+       STATE: TASK_RUNNING (SYSRQ)
+
+crash>
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1874 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1874
new file mode 100644
index 000000000..9537a951e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1874
@@ -0,0 +1,17 @@
+QGA:Whether arm windows VMS are supported?
+Description of problem:
+Whether qga can be used within an arm windows virtual machine?
+
+Windows reports an error (Failed to pCatalog->InstallComponent.(Error: 80110401) Errors occurred accessing one or more objects - the ErrorInfo collection may have more detail) when I try to install msi. Windows reports a warning(Catalog Event ID 5488: Unable to load DLL qga-vss.dll) (Unable to validate DLL entry points) in Event Viewer.
+
+I get msi from https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-qemu-ga/qemu-ga-win-105.0.2-1.el9/qemu-ga-x86_64.msi  
+Either gqa does not support ARM or this msi is only for X86 architecture?
+
+![image](/uploads/bd99f46b1d9b7fdcb1b9418422bd84a8/image.png)
+![image](/uploads/e64a139e520a6b935ba05431b6697a8a/image.png)
+![image](/uploads/f15010bb2d9bf3fef16a3fb8230a67ce/image.png)
+Steps to reproduce:
+1. Start arm windows 11 vm.
+2. Install qemu guest agent.
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1878 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1878
new file mode 100644
index 000000000..ec7eef55a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1878
@@ -0,0 +1,29 @@
+QEMU doesn't implement ARMv4/v5 legacy SCTLR.U==0 load-and-rotate unaligned access handling
+Description of problem:
+**ldr r7, \[r0, r1\]** works differently on real device and QEMU. Probably all **ldr Rd, \[Rs\]** commands works wrongly in QEMU with Raspberry Pi emulation.
+Steps to reproduce:
+1. Launch the attached software **kernel_qemu.img** in QEMU.
+2. Launch the attached software **kerenel.img** on real Raspberry Pi 1B+.
+3. Look at the r7. It contains different data.
+Additional information:
+**kernel_qemu.img** and **kerenel.img** are the same program. It just compiled with different origins - 0x8000 for real device and 0x10000 for QEMU. But code inside the program works at the same addresses.
+
+r0 = 0x183a4
+
+r1 = 0x817
+
+**\[r0, r1\]** points to byte 0x42 in memory with such data:
+
+**0x80 0x15 0x22 \[0x42\] 0x03 0x21 0x87**
+
+After **ldr r7, \[r0, r1\]** execution real device puts to r7: **0x22158042**
+
+After **ldr r7, \[r0, r1\]** execution QEMU puts to r7: **0x87210342**
+
+QEMU:
+
+![QEMU.png](/uploads/51ecbf1689d36f969cb482f2613ccb58/QEMU.png)
+
+Real Raspberry Pi 1B+: ![real.jpg](/uploads/2a9cc3f4bc33d7f254c549e5086070a7/real.jpg)
+
+[kernel_qemu.img](/uploads/ae6a7490660569d5fe56adc9f4dde85d/kernel_qemu.img) [kernel.img](/uploads/48c94a66370c1fe8720fe89603c45c7b/kernel.img)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1899 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1899
new file mode 100644
index 000000000..f2989b171
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1899
@@ -0,0 +1,41 @@
+AArch64: Wrong SCR_EL3 after turning on secondary cores via PSCI
+Description of problem:
+The system fails to boot when using "direct kernel boot" with EL3 enabled. After the guest OS enables secondary cores via PSCI, those have an incorrectly set up `SCR_EL3`. When the OS then executes an intruction which traps into (QEMU provided fake) EL3, the core ends up in an endless loop of "Undefined Instruction" exceptions.
+
+This is nicely visible with `-serial stdio -append "earlycon=pl011,0x9000000 console=/dev/ttyAMA0" -d int`:
+
+```plaintext
+[    0.173173][    T1] smp: Bringing up secondary CPUs ...
+(...)
+Taking exception 11 [Hypervisor Call] on CPU 0
+...from EL1 to EL2
+...with ESR 0x16/0x5a000000
+...handled as PSCI call
+Taking exception 5 [IRQ] on CPU 0
+...from EL1 to EL1
+...with ESR 0x16/0x5a000000
+...with ELR 0xffffa9ff8b593438
+...to EL1 PC 0xffffa9ff8aa11280 PSTATE 0x3c5
+Exception return from AArch64 EL1 to AArch64 EL1 PC 0xffffa9ff8b593438
+Exception return from AArch64 EL1 to AArch64 EL1 PC 0x41f7832c
+Taking exception 1 [Undefined Instruction] on CPU 1
+...from EL1 to EL3
+...with ESR 0x18/0x62300882
+...with ELR 0xffffa9ff8aa3d0d8
+...to EL3 PC 0x400 PSTATE 0x3cd
+Taking exception 1 [Undefined Instruction] on CPU 1
+...from EL3 to EL3
+...with ESR 0x0/0x2000000
+...with ELR 0x400
+...to EL3 PC 0x200 PSTATE 0x3cd
+(repeats forever, CPU 1 is stuck)
+```
+Steps to reproduce:
+1. `qemu-system-aarch64 -M virt,secure=on -cpu max -smp 1 -kernel linux` works
+2. `qemu-system-aarch64 -M virt,secure=on -cpu max -smp 2 -kernel linux` does not
+Additional information:
+The setup for `SCR_EL3` is done by `do_cpu_reset` in hw/arm/boot.c, but this is only called on full system reset. The PSCI call ends up in `arm_set_cpu_on_async_work` (target/arm/arm-powerctl.c) which calls `cpu_reset`. This clears `SCR_EL3` to the architectural reset value, not the one needed for direct kernel boot.
+
+`arm_set_cpu_on_async_work` has code for `SCR_HCE`, but none of the other flags handled by `do_cpu_reset`. It would probably work after copying all of `do_cpu_reset` into `arm_set_cpu_on_async_work`, but that seems wrong. I prepared a patch which makes `do_cpu_reset` public such that `arm_set_cpu_on_async_work` can call it (works here), but I'm not sure whether that's the right way.
+
+CC @pm215
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1909 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1909
new file mode 100644
index 000000000..37d2e5a67
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1909
@@ -0,0 +1,50 @@
+regression: 8.0.0 segfaults on coverage counter increment
+Description of problem:
+With qemu 8.0.0, my test program segfaults while incrementing a gcov counter:
+
+```
+Breakpoint 2, 0x00000000004bc9a8 in __CortexA53843419_464004 ()
+(gdb) x/2i $pc
+=> 0x4bc9a8 <__CortexA53843419_464004>:	str	x8, [x9, #2512]
+   0x4bc9ac <__CortexA53843419_464004+4>:	b	0x464008 <mock_hyp_params_Destroy+24>
+(gdb) p $x8
+$10 = 1
+(gdb) p $x9
+$11 = 5234688
+(gdb) x/x $x9+2512
+0x4fe9d0 <__llvm_gcov_ctr.5>:	0x00000000
+(gdb) stepi
+
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000004bc9a8 in __CortexA53843419_464004 ()
+(gdb) x/x $x9+2512
+0x4fe9d0 <__llvm_gcov_ctr.5>:	0x00000000
+(gdb) shell llvm-objdump --syms --arch-name=aarch64 ./build/gcov/out/test_hyp-props.out | grep  4fe9d0
+00000000004fe9d0 l     O .bss	0000000000000008 __llvm_gcov_ctr.5
+(gdb) shell qemu-aarch64 --version
+qemu-aarch64 version 8.0.0
+Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
+(gdb) 
+```
+
+With qemu 6.2.0, it doesn't segfault (at least not at this point, you
+may ignore the segfault at the end due to a bug in the test program).
+```
+$ /usr/bin/qemu-aarch64  --version
+qemu-aarch64 version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.12)
+Copyright (c) 2003-2021 Fabrice Bellard and the QEMU Project developers
+
+$ /usr/bin/qemu-aarch64  ./build/gcov/out/test_hyp-props.out
+test_hyp-props.c:13:test__setup_str_prop:PASS
+test_hyp-props.c:14:test__log_print_handler:PASS
+test_hyp-props.c:15:test__setup_log_print_prop:PASS
+test_hyp-props.c:16:test__vm_vcpu_abort_reset_handler:PASS
+test_hyp-props.c:17:test__vm_info_alloc:PASS
+test_hyp-props.c:18:test__memory_status_get:PASS
+test_hyp-props.c:19:test__memory_status_get_fail:PASS
+Segmentation fault (core dumped)
+```
+Steps to reproduce:
+1. Compile and link statically (with ld.lld) a test program, with clang, targetting aarch64 with: -target aarch64-linux-android -mcpu=cortex-a53, using --coverage option to generate gcov coverage.
+2. Run it with qemu-aarch64 8.0.0
+3. Hopefully, it will segfault early for no good reason.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1913 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1913
new file mode 100644
index 000000000..21f7fbfbc
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1913
@@ -0,0 +1,19 @@
+Regression in 8.1.1: qemu-aarch64-static running ldconfig
+Description of problem:
+Since updating to 8.1.1, qemu crashes when running ldconfig in my sysroot (It's a more or less default Ubuntu 22.04 arm64 rootfs)
+Steps to reproduce:
+1. Download the arm64 ubuntu base from https://cdimage.ubuntu.com/ubuntu-base/releases/jammy/release/
+2. Extract it
+3. Run `qemu-aarch64-static rootfs/sbin/ldconfig.real -r rootfs` where `rootfs` is where you extracted it with qemu 8.1.1
+
+```bash
+$ qemu-aarch64-static --version
+qemu-aarch64 version 8.1.0
+$ qemu-aarch64-static rootfs/sbin/ldconfig.real -r rootfs
+<works>
+$ sudo pacman -U /var/cache/pacman/pkg/qemu-user-static*-8.1.1*.zst
+$ qemu-aarch64-static --version
+qemu-aarch64 version 8.1.1
+$ qemu-aarch64-static rootfs/sbin/ldconfig.real -r rootfs
+<segfault>
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1920 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1920
new file mode 100644
index 000000000..393bda777
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1920
@@ -0,0 +1,11 @@
+regrssion on 8.1.x: java/maven fails to run on qemu-aarch64
+Description of problem:
+Java process crashes when running simple "mvn -version" command inside qemu-aarch64. "java -version" works.
+Last known working version: 8.0.3 (qemu-8.0.3-4.fc39)
+Failing versions: 8.1.1 (qemu-8.1.1-1.fc39) and 8.1.0 (qemu-8.1.0-1.fc39)
+The same image works on native arm64 machine.
+Steps to reproduce:
+1. podman run --platform linux/arm64 docker.io/library/maven:3.9-eclipse-temurin-20 mvn -version
+2. should display few lines of version information and not a NullPointerException
+Additional information:
+podman version 4.7.0
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1938 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1938
new file mode 100644
index 000000000..32f6ed76c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1938
@@ -0,0 +1,36 @@
+[ARM/PL011] Wrong UART register spacing reported in DBG2/SPCR
+Description of problem:
+QEMU reports the UART address on aarch64 (for PL011 UART) via the ACPI DBG2 and SPCR tables using the ACPI GAS structure. According to MSFT documentation at https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/acpi-debug-port-table:
+
+> * The Register Bit Width field contains the register stride and must be a power of 2 that is at least as large as the access size. On 32-bit platforms this value cannot exceed 32. On 64-bit platforms this value cannot exceed 64.
+> * The Access Size field is used to determine whether byte, WORD, DWORD, or QWORD accesses are to be used. QWORD accesses are only valid on 64-bit architectures.
+
+For the PL011, the MMIO registers are:
+* spaced 4 bytes apart; therefore the reported bit width should be 32 instead of 8.
+* 16 bits wide; therefore the access width should be 2 instead of 1.
+
+In other words:
+```
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+index 6b674231c2..cd284676d7 100644
+--- a/hw/arm/virt-acpi-build.c
++++ b/hw/arm/virt-acpi-build.c
+@@ -482,7 +482,7 @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+     build_append_int_noprefix(table_data, 3, 1); /* ARM PL011 UART */
+     build_append_int_noprefix(table_data, 0, 3); /* Reserved */
+     /* Base Address */
+-    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 8, 0, 1,
++    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 32, 0, 2,
+                      vms->memmap[VIRT_UART].base);
+     /* Interrupt Type */
+     build_append_int_noprefix(table_data,
+@@ -673,7 +673,7 @@ build_dbg2(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+     build_append_int_noprefix(table_data, 34, 2);
+ 
+     /* BaseAddressRegister[] */
+-    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 8, 0, 1,
++    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 32, 0, 2,
+                      vms->memmap[VIRT_UART].base);
+ 
+     /* AddressSize[] */
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1948 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1948
new file mode 100644
index 000000000..7caef5c3d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1948
@@ -0,0 +1,3 @@
+ARM GICv3 cannot support irq number > 992
+Description of problem:
+If we want to create a gic with supported irq number 992, we need to set the `num-irq` property to 992 + 32 while 32 is the extra SGI number. But there is a problem, when QEMU initialize GICv3, it will check the variable `num_irq <= 1020 && (num_irq & 32) == 0`, which will lead to error abort. So there is no way to bypass the ```num_irq <= 1020``` check and we cannot use irq number bigger than 992 while in ARM GIC specification, irq number < 1020 should all be aviliable to use.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1950 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1950
new file mode 100644
index 000000000..288f81714
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1950
@@ -0,0 +1,9 @@
+[AARCH64] GP bit (BTI) lost during two stages translation
+Description of problem:
+I noticed that the BTI faults were not reported.
+That's because the GP (guarded page) information is lost during the two stages translation in get_phys_addr_twostage().
+The "guarded" information is correctly retrieved by the first call to get_phys_addr_nogpc() but overwritten by the the second call to get_phys_addr_nogpc().
+The call to combine_cacheattrs() copies cacheattrs1.guarded but this field is never modified.
+
+The attached patch fixes the issue for me.
+[get_phys_addr_twostage_bti_gp_bit_lost_master.patch](/uploads/2fbe8090f92c43a63e39ee66ab2daf47/get_phys_addr_twostage_bti_gp_bit_lost_master.patch)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1960 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1960
new file mode 100644
index 000000000..0d329165a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1960
@@ -0,0 +1,22 @@
+Invalid pmu interrupt id in arm virt machine device-tree
+Description of problem:
+commit 9036e917f8357f4e5965ebfecdab5964d40e6a40 changes the definition of PPI interrupt ID, but forgets to modify the PMU device tree. 
+The following patch can solve this problem:
+```
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index dd6bb80ce2..1d118974ee 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -663,7 +663,7 @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
+         qemu_fdt_setprop(ms->fdt, "/pmu", "compatible",
+                          compat, sizeof(compat));
+         qemu_fdt_setprop_cells(ms->fdt, "/pmu", "interrupts",
+-                               GIC_FDT_IRQ_TYPE_PPI, VIRTUAL_PMU_IRQ, irqflags);
++                               GIC_FDT_IRQ_TYPE_PPI, INTID_TO_PPI(VIRTUAL_PMU_IRQ), irqflags);
+     }
+ }
+```
+Steps to reproduce:
+NA
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/198 b/gitlab/issues_text/target_arm/host_missing/accel_missing/198
new file mode 100644
index 000000000..b93ca3d81
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/198
@@ -0,0 +1 @@
+USB Ethernet device (RNDIS) does not work on several tested operating systems
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1985 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1985
new file mode 100644
index 000000000..735f0199b
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1985
@@ -0,0 +1 @@
+Possible infinite loop in target/arm/sme_helper.c: helper_sme_fmopa_h
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/1993 b/gitlab/issues_text/target_arm/host_missing/accel_missing/1993
new file mode 100644
index 000000000..deb3caf11
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/1993
@@ -0,0 +1,50 @@
+test-hmp fails on aarch64 target when CFI is enabled
+Description of problem:
+QEMU crashes during test-hmp when CFI is enabled
+Steps to reproduce:
+1. ../qemu/configure --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug --enable-safe-stack --disable-slirp --target-list=aarch64-softmmu --disable-docs
+2. make -j$(nproc)
+3. V=2 QTEST_QEMU_BINARY=./qemu-system-aarch64 tests/qtest/test-hmp --verbose
+Additional information:
+The error messages look like this:
+```
+	info qtree
+UndefinedBehaviorSanitizer:DEADLYSIGNAL
+==677987==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address (pc 0x55fec2a3b7ce bp 0x7feef35ff970 sp 0x7fffbc8acd20 T677987)
+==677987==The signal is caused by a READ memory access.
+==677987==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
+    #0 0x55fec2a3b7ce in start_list.83665.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/string-output-visitor.c:291:18
+    #1 0x55fec2a34dbe in visit_start_list /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/qapi-visit-core.c:80:10
+    #2 0x55fec27dcb58 in get_prop_array.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/hw/core/qdev-properties.c:698:10
+    #3 0x55fec27e7173 in object_property_get /tmp/qemu-cfi/../../home/thuth/devel/qemu/qom/object.c:1415:5
+    #4 0x55fec27e87a4 in object_property_print /tmp/qemu-cfi/../../home/thuth/devel/qemu/qom/object.c:1692:10
+    #5 0x55fec224dd72 in qdev_print_props /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/qdev-monitor.c:761:21
+    #6 0x55fec224dd72 in qdev_print /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/qdev-monitor.c:813:9
+    #7 0x55fec224dd72 in qbus_print /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/qdev-monitor.c:831:9
+    #8 0x55fec22bd945 in handle_hmp_command_exec /tmp/qemu-cfi/../../home/thuth/devel/qemu/monitor/hmp.c:1106:9
+    #9 0x55fec22bcfeb in handle_hmp_command /tmp/qemu-cfi/../../home/thuth/devel/qemu/monitor/hmp.c:1158:9
+    #10 0x55fec22c020e in qmp_human_monitor_command /tmp/qemu-cfi/../../home/thuth/devel/qemu/monitor/qmp-cmds.c:182:5
+    #11 0x55fec29cfe0b in qmp_marshal_human_monitor_command.cfi /tmp/qemu-cfi/qapi/qapi-commands-misc.c:347:14
+    #12 0x55fec2a3c470 in do_qmp_dispatch_bh.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/qmp-dispatch.c:128:5
+    #13 0x55fec2a63fc4 in aio_bh_call /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/async.c:169:5
+    #14 0x55fec2a6418f in aio_bh_poll /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/async.c:216:13
+    #15 0x55fec2a49deb in aio_dispatch /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/aio-posix.c:423:5
+    #16 0x55fec2a64ffa in aio_ctx_dispatch.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/async.c:358:5
+    #17 0x7feef8d6ae5b  (/lib64/libglib-2.0.so.0+0x5be5b) (BuildId: c5377a60d8282e2a61a4af1201dc10c9666139c2)
+    #18 0x7feef8d6b124 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x5c124) (BuildId: c5377a60d8282e2a61a4af1201dc10c9666139c2)
+    #19 0x55fec2a6656b in glib_pollfds_poll /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/main-loop.c:290:9
+    #20 0x55fec2a6656b in os_host_main_loop_wait /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/main-loop.c:313:5
+    #21 0x55fec2a6656b in main_loop_wait /tmp/qemu-cfi/../../home/thuth/devel/qemu/util/main-loop.c:592:11
+    #22 0x55fec22553e6 in qemu_main_loop /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/runstate.c:782:9
+    #23 0x55fec27da3f5 in qemu_default_main.cfi /tmp/qemu-cfi/../../home/thuth/devel/qemu/system/main.c:37:14
+    #24 0x7feef7aff149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 651b2bed7ecaf18098a63b8f10299821749766e6)
+    #25 0x7feef7aff20a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2820a) (BuildId: 651b2bed7ecaf18098a63b8f10299821749766e6)
+    #26 0x55fec1e865b4 in _start (/tmp/qemu-cfi/qemu-system-aarch64+0x5435b4) (BuildId: c8a2f51d83ddef5c97f11783d94381f60c82c2ac)
+
+UndefinedBehaviorSanitizer can not provide additional info.
+SUMMARY: UndefinedBehaviorSanitizer: SEGV /tmp/qemu-cfi/../../home/thuth/devel/qemu/qapi/string-output-visitor.c:291:18 in start_list.83665.cfi
+==677987==ABORTING
+Broken pipe
+../../home/thuth/devel/qemu/tests/qtest/libqtest.c:195: kill_qemu() tried to terminate QEMU process but encountered exit status 1 (expected 0)
+Aborted (core dumped)
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2053 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2053
new file mode 100644
index 000000000..472aff3ce
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2053
@@ -0,0 +1 @@
+virtio is broken in qemu-system-arm
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2066 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2066
new file mode 100644
index 000000000..b63dcd167
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2066
@@ -0,0 +1 @@
+Feature Request: UART 8250 Support in QEMU Virt Machine for aarch64
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2084 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2084
new file mode 100644
index 000000000..63aefda59
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2084
@@ -0,0 +1 @@
+"qemu-system-arm -machine virt -cpu cortex-a9" error message includes a lot of "(null)"s
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2106 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2106
new file mode 100644
index 000000000..d79e0ff84
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2106
@@ -0,0 +1,55 @@
+QEMU build fail on Solaris 11.4 because "FSCALE" #defined by sys/param.h
+Description of problem:
+Building `target/arm/tcg/translate-sve.c` fails on Solaris 11.4 because system's
+`/usr/include/sys/param.h` has `#define FSCALE (1 << FSHIFT)` which results
+in `DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)` at `translate-sve.c:3864`
+attempting to expand the `#define` substitution instead of the text `FSCALE`.<p>I have not determined what the sequence of includes was that brought in `sys/param.h`<p>A workaround is to `#undef FSCALE`, but that may not be an appropriate long-term fix.
+Steps to reproduce:
+1. mkdir build && cd build
+2. ../configure --disable-docs --disable-rdma --enable-slirp
+3. gmake
+Additional information:
+Full diagnostic output:
+```
+[1865/5402] Compiling C object libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o
+FAILED: libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o 
+cc -Ilibqemu-aarch64-softmmu.fa.p -I. -I.. -Itarget/arm -I../target/arm -Isubprojects/dtc/libfdt -I../subprojects/dtc/libfdt -Iqapi -Itrace -Iui -Iui/shader -I/usr/include/pixman-1 -I/usr/include/libdrm -I/usr/include/glib-2.0 -I/usr/lib/sparcv9/glib-2.0/include -I/usr/include/pcre -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -fstack-protector-strong -Wundef -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wmissing-format-attribute -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -Wshadow=local -iquote . -iquote /opt/qemu -iquote /opt/qemu/include -iquote /opt/qemu/host/include/generic -iquote /opt/qemu/tcg/sparc64 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -D_XOPEN_SOURCE=600 -D__EXTENSIONS__ -fPIE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNEED_CPU_H '-DCONFIG_TARGET="aarch64-softmmu-config-target.h"' '-DCONFIG_DEVICES="aarch64-softmmu-config-devices.h"' -MD -MQ libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o -MF libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o.d -o libqemu-aarch64-softmmu.fa.p/target_arm_tcg_translate-sve.c.o -c ../target/arm/tcg/translate-sve.c
+In file included from ../target/arm/tcg/translate-sve.c:21:
+../target/arm/tcg/translate.h:728:17: error: pasting "trans_" and "(" does not give a valid preprocessing token
+  728 |     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
+      |                 ^~~~~~
+../target/arm/tcg/translate-sve.c:3854:5: note: in expansion of macro ‘TRANS_FEAT’
+ 3854 |     TRANS_FEAT(NAME, FEAT, gen_gvec_fpst_arg_zpzz, name##_zpzz_fns[a->esz], a)
+      |     ^~~~~~~~~~
+../target/arm/tcg/translate-sve.c:3864:1: note: in expansion of macro ‘DO_ZPZZ_FP’
+ 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)
+      | ^~~~~~~~~~
+../target/arm/tcg/translate-sve.c:3864:12: error: expected declaration specifiers or ‘...’ before numeric constant
+ 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)
+      |            ^~~~~~
+../target/arm/tcg/translate.h:728:25: note: in definition of macro ‘TRANS_FEAT’
+  728 |     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
+      |                         ^~~~
+../target/arm/tcg/translate-sve.c:3864:1: note: in expansion of macro ‘DO_ZPZZ_FP’
+ 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)
+      | ^~~~~~~~~~
+../target/arm/tcg/translate.h:728:47: error: pasting "arg_" and "(" does not give a valid preprocessing token
+  728 |     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
+      |                                               ^~~~
+../target/arm/tcg/translate-sve.c:3854:5: note: in expansion of macro ‘TRANS_FEAT’
+ 3854 |     TRANS_FEAT(NAME, FEAT, gen_gvec_fpst_arg_zpzz, name##_zpzz_fns[a->esz], a)
+      |     ^~~~~~~~~~
+../target/arm/tcg/translate-sve.c:3864:1: note: in expansion of macro ‘DO_ZPZZ_FP’
+ 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)
+      | ^~~~~~~~~~
+In file included from ../target/arm/tcg/translate-sve.c:86:
+libqemu-aarch64-softmmu.fa.p/decode-sve.c.inc:1112:13: warning: ‘trans_FSCALE’ used but never defined
+ 1112 | static bool trans_FSCALE(DisasContext *ctx, arg_FSCALE *a);
+      |             ^~~~~~~~~~~~
+../target/arm/tcg/translate-sve.c:3864:30: warning: ‘sve_fscalbn_zpzz_fns’ defined but not used [-Wunused-const-variable=]
+ 3864 | DO_ZPZZ_FP(FSCALE, aa64_sve, sve_fscalbn)
+      |                              ^~~~~~~~~~~
+../target/arm/tcg/translate-sve.c:3850:42: note: in definition of macro ‘DO_ZPZZ_FP’
+ 3850 |     static gen_helper_gvec_4_ptr * const name##_zpzz_fns[4] = { \
+      |                                          ^~~~
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/211 b/gitlab/issues_text/target_arm/host_missing/accel_missing/211
new file mode 100644
index 000000000..7f5c32d6d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/211
@@ -0,0 +1 @@
+qemu-aarch64-static segfault if /proc not mounted inside chroot
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2120 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2120
new file mode 100644
index 000000000..7aff62024
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2120
@@ -0,0 +1 @@
+arm64: Typo in isar_feature_aa64_tidcp1
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2155 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2155
new file mode 100644
index 000000000..3d2f8e4ef
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2155
@@ -0,0 +1,23 @@
+LoadVM assert on ARM_FEATURE_M for Cortex M3
+Description of problem:
+This appears to be a similar issue to https://gitlab.com/qemu-project/qemu/-/issues/1775 and https://gitlab.com/qemu-project/qemu/-/issues/1658
+
+When running `loadvm`  qemu aborts with this error:
+
+"qemu/target/arm/helper.c:12383: arm_security_space_below_el3: Assertion `!arm_feature(env, ARM_FEATURE_M)' failed."
+
+I've traced the error to `pmu_counter_enabled` in `qemu\target\arm\helper.c:1172`   
+ [uint64_t mdcr_el2 = arm_mdcr_el2_eff(env)](https://gitlab.com/qemu-project/qemu/-/blob/v8.2.0/target/arm/helper.c?ref_type=tags#L1172)  (link is to 8.2.0 release tag)
+
+
+The issue is caused by attempting to get the MDCR_EL2 register  prior to checking if the CPU has ARM_FEATURE_PMU support. 
+
+A simple fix seems to be to check for `ARM_PMU_ENABLED` and returning early if it is not enabled.
+Steps to reproduce:
+1. Start emulation and connect monitor
+2. savevm <snapshot-name>
+3. Loadvm <snapshot-name>
+Additional information:
+See screenshot for stack trace
+
+![armCortexM3LoadVMStackTrace](/uploads/fcfd927f4d373922715c8787dbb9cc26/armCortexM3LoadVMStackTrace.png)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2213 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2213
new file mode 100644
index 000000000..8719a0632
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2213
@@ -0,0 +1,15 @@
+QEMU fails with duplicate SaveStateEntry when using two legacy virtio input devices
+Description of problem:
+QEMU bails out when it is started with two virtio-input devices running in legacy virtio mode, using two different transports (like PCI and CCW on s390x).
+Steps to reproduce:
+```
+qemu-system-s390x -M s390-ccw-virtio-2.6 -cpu max -nographic -device virtio-multitouch-pci -device virtio-tablet-ccw
+```
+fails with:
+```
+qemu-system-s390x: -device virtio-tablet-ccw: savevm_state_handler_insert: Detected duplicate SaveStateEntry: id=virtio-input, instance_id=0x0
+```
+Additional information:
+The problem does *not* occur if using modern virtio devices (which automatically happens for -M s390-ccw-virtio-2.7 and newer) or if using virtio-input devices with the same transport (e.g. two PCI devices instead of one PCI and one CCW).
+
+Also note that the problem only occurs since QEMU 8.1 since older versions did not check for duplicate SaveStateEntries (see commit caa91b3c44cdb2d2921e25 ).
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2226 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2226
new file mode 100644
index 000000000..59c8bcc69
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2226
@@ -0,0 +1,56 @@
+arm HSTR trap settings routed to EL1 instead of EL2
+Description of problem:
+ARM's HSTR register is used to trap CP15 access from EL1/0. qemu's implementation seems to be inconsistent with ARM's documentation.
+
+Take the system register VBAR for example, the following pseudo code is grabbed from ARM DDI 0487J.a ID042523 G8-10651, which is the logics behind when reading VBAR.
+```
+if PSTATE.EL == EL0 then
+    UNDEFINED;
+elsif PSTATE.EL == EL1 then
+    if EL2Enabled() && !ELUsingAArch32(EL2) && HSTR_EL2.T12 == '1' then
+        AArch64.AArch32SystemAccessTrap(EL2, 0x03);
+    elsif EL2Enabled() && ELUsingAArch32(EL2) && HSTR.T12 == '1' then
+        AArch32.TakeHypTrapException(0x03);
+    elsif HaveEL(EL3) && ELUsingAArch32(EL3) then
+        R[t] = VBAR_NS;
+    else
+        R[t] = VBAR;
+elsif PSTATE.EL == EL2 then
+    if HaveEL(EL3) && ELUsingAArch32(EL3) then
+        R[t] = VBAR_NS;
+    else
+        R[t] = VBAR;
+elsif PSTATE.EL == EL3 then
+    if SCR.NS == '0' then
+        R[t] = VBAR_S;
+    else
+        R[t] = VBAR_NS;
+```
+
+The main logics in my attached test program are:
+1. Setting EL2 and EL1's exception table
+2. Set HSTR.T12
+3. ERET to EL1, and read VBAR from EL1
+
+As the document mentions, when CPU running on EL1 && HSTR.T12 is set, HypTrapException 0x3 should be taken, which is EL2. But the test program shows, on such circumstances, CPU is being routed to EL1's undefined exception.
+Steps to reproduce:
+1. Clone this repo https://github.com/roolrz/reproduce-qemu-arm-hstr-issue
+2. Use make to build the test program
+3. Use following command to launch it
+```
+qemu-system-arm \
+	-nographic \
+	-cpu cortex-a7 \
+	-M virt,virtualization=on \
+	-m 1G \
+	-kernel el2.elf
+```
+4. The following message is printed by the program, problem reproduced
+```
+EL2 Booted
+Jumping to el1
+el1 reached, triggering trap
+EL1 undefined sync triggered
+```
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2227 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2227
new file mode 100644
index 000000000..2e847d0b4
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2227
@@ -0,0 +1,36 @@
+Crash when using the ast2600-a3 device with the "virt" aarch64 machine
+Description of problem:
+QEMU crashes with a segmentation fault when trying to use the "ast2600-a3" device with the "virt" machine.
+Steps to reproduce:
+1. Run ``./qemu-system-aarch64 -display none -machine virt -device ast2600-a3``
+Additional information:
+Backtrace indicates that it is crashing in the aspeed_soc_ast2600_realize() function:
+
+```
+#0  memory_region_update_container_subregions (subregion=0x555558c4b630) at ../../devel/qemu/system/memory.c:2637
+#1  memory_region_add_subregion_common (mr=<optimized out>, offset=<optimized out>, subregion=0x555558c4b630) at ../../devel/qemu/system/memory.c:2661
+#2  0x0000555555d1bd40 in aspeed_soc_ast2600_realize (dev=<optimized out>, errp=0x7fffffffd870) at ../../devel/qemu/hw/arm/aspeed_ast2600.c:301
+#3  0x0000555555ff26ab in device_set_realized (obj=<optimized out>, value=<optimized out>, errp=0x7fffffffda00) at ../../devel/qemu/hw/core/qdev.c:510
+#4  0x0000555555ff6edd in property_set_bool (obj=0x555558c4b360, v=<optimized out>, name=<optimized out>, opaque=0x555557cd5b50, errp=0x7fffffffda00)
+    at ../../devel/qemu/qom/object.c:2358
+#5  0x0000555555ffa25b in object_property_set (obj=obj@entry=0x555558c4b360, name=name@entry=0x5555563794ed "realized", v=v@entry=0x555558ce0650, errp=errp@entry=0x7fffffffda00)
+    at ../../devel/qemu/qom/object.c:1472
+#6  0x0000555555ffdb9f in object_property_set_qobject
+    (obj=obj@entry=0x555558c4b360, name=name@entry=0x5555563794ed "realized", value=value@entry=0x555558cdf270, errp=errp@entry=0x7fffffffda00)
+    at ../../devel/qemu/qom/qom-qobject.c:28
+#7  0x0000555555ffa8c4 in object_property_set_bool (obj=obj@entry=0x555558c4b360, name=name@entry=0x5555563794ed "realized", value=value@entry=true, errp=errp@entry=0x7fffffffda00)
+    at ../../devel/qemu/qom/object.c:1541
+#8  0x0000555555ff319c in qdev_realize (dev=dev@entry=0x555558c4b360, bus=bus@entry=0x0, errp=errp@entry=0x7fffffffda00) at ../../devel/qemu/hw/core/qdev.c:292
+#9  0x0000555555c11be3 in qdev_device_add_from_qdict (opts=opts@entry=0x555558c4a2d0, from_json=from_json@entry=false, errp=0x7fffffffda00, errp@entry=0x55555725b478 <error_fatal>)
+    at ../../devel/qemu/system/qdev-monitor.c:718
+#10 0x0000555555c12051 in qdev_device_add (opts=0x555557cd2a10, errp=errp@entry=0x55555725b478 <error_fatal>) at ../../devel/qemu/system/qdev-monitor.c:737
+#11 0x0000555555c1720f in device_init_func (opaque=<optimized out>, opts=<optimized out>, errp=0x55555725b478 <error_fatal>) at ../../devel/qemu/system/vl.c:1200
+#12 0x00005555561a29c1 in qemu_opts_foreach
+    (list=<optimized out>, func=func@entry=0x555555c17200 <device_init_func>, opaque=opaque@entry=0x0, errp=errp@entry=0x55555725b478 <error_fatal>)
+    at ../../devel/qemu/util/qemu-option.c:1135
+#13 0x0000555555c19aea in qemu_create_cli_devices () at ../../devel/qemu/system/vl.c:2637
+#14 qmp_x_exit_preconfig (errp=<optimized out>) at ../../devel/qemu/system/vl.c:2705
+#15 0x0000555555c1d67f in qmp_x_exit_preconfig (errp=<optimized out>) at ../../devel/qemu/system/vl.c:2699
+#16 qemu_init (argc=<optimized out>, argv=<optimized out>) at ../../devel/qemu/system/vl.c:3736
+#17 0x00005555558f6f59 in main (argc=<optimized out>, argv=<optimized out>) at ../../devel/qemu/system/main.c:47
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2228 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2228
new file mode 100644
index 000000000..941a3d7fa
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2228
@@ -0,0 +1,8 @@
+hw/core/gpio.c:108: qdev_get_gpio_in_named: Assertion n >= 0 && n < gpio_list->num_in failed
+Description of problem:
+It's quite easy to trigger the assertion ``hw/core/gpio.c:108: qdev_get_gpio_in_named: Assertion n >= 0 && n < gpio_list->num_in failed``
+Steps to reproduce:
+Run one of the following command lines:
+1. ``./qemu-system-aarch64 -display none -machine qcom-dc-scm-v1-bmc -device max1111``
+2. ``./qemu-system-aarch64 -display none -machine fby35-bmc -device max1110``
+3. ``./qemu-system-aarch64 -display none -machine yosemitev2-bmc -device corgi-ssp``
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/224 b/gitlab/issues_text/target_arm/host_missing/accel_missing/224
new file mode 100644
index 000000000..337d21a83
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/224
@@ -0,0 +1 @@
+Wrong interrupts generated for I.MX6 FEC controller
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2279 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2279
new file mode 100644
index 000000000..c43e4e439
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2279
@@ -0,0 +1,25 @@
+Debugging with Lauterbach Trace32 -> Cortex-A76, no SP register update
+Description of problem:
+We do not see changes in the SP_EL1 register value when debugging the QEMU application with Lauterbach Trace32.
+Steps to reproduce:
+1. Compile bare metal code that uses push and pop instructions (stack).
+2. Run QEMU with bare metal code.
+3. Connect via Lauterbach Trace32 and check the displayed SP register value.
+Additional information:
+![T32_badA76_SP_reg_display](/uploads/e6af1ac3e32072274089e6dc0cdf0266/T32_badA76_SP_reg_display.png)
+This is a screenshot from QEMU 8.0.0, but updating to QEMU 8.2.0 does not resolve the problem.
+
+I have discussed this with Lauterbach Trace32 support with these results:
+- Trace32 uses RSP protocol `p` packets to read some registers, including SP_EL1. GDB seems to use `g` packet.
+- QEMU responds to `p` packet with an invalid value, which causes Trace32 to display invalid value.
+
+Some related RSP protocol logs from Trace32.
+![T32_sp_1](/uploads/cbe34d19d3ede30549e6c4d781bb6630/T32_sp_1.png)
+![T32_sp_2](/uploads/73e22dbf83ec00b939077dfeb7bfa208/T32_sp_2.png)
+
+Different part of RSP protocol log:
+```
+Sending packet: $p20#d2 ...
+receiving packet: ec00004000000000
+```
+So it looks like Trace32 can receive different values that zero as response to `p` packet.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2300 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2300
new file mode 100644
index 000000000..c8f3f060c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2300
@@ -0,0 +1 @@
+Unintialized variable in double_cpdo.c
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2304 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2304
new file mode 100644
index 000000000..29de268d7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2304
@@ -0,0 +1,38 @@
+Disabling SVE via `-cpu max,sve=off` leaves SVE2 advertised by `getauxval`
+Description of problem:
+The documentation on https://qemu-project.gitlab.io/qemu/system/arm/cpu-features.html suggests that it should be possible to disable SVE support by passing `-cpu max,sve=off` on the command line, however this appears to only disable the SVE support advertised in the return value from `getauxval(AT_HWCAP)`. In particular it leaves SVE2 reported as enabled. This leaves the feature set advertised by `getauxval` in an inconsistent state since SVE is mandatory if SVE2 is available.
+
+This may also affect other feature dependencies for example FEAT_SVE_BITPerm also requiring SVE2 to be available, I've not checked exhaustively.
+
+For example, given the following code:
+
+    #include <sys/auxv.h>
+    #include <stdio.h>
+
+    int main() {
+      unsigned long hwcap = getauxval(AT_HWCAP);
+      unsigned long hwcap2 = getauxval(AT_HWCAP2);
+
+      if (hwcap & HWCAP_SVE) {
+        printf("have sve!\n");
+      } else {
+        printf("don't have sve!\n");
+      }
+      if (hwcap2 & HWCAP2_SVE2) {
+        printf("have sve2!\n");
+      } else {
+        printf("don't have sve2!\n");
+      }
+    }
+
+We can observe the following:
+
+    $ aarch64-linux-gnu-gcc test.c -static
+    $ ../qemu-aarch64 -cpu max ./a.out
+    have sve!
+    have sve2!
+    $ ../qemu-aarch64 -cpu max,sve=off ./a.out
+    don't have sve!
+    have sve2!
+
+I don't believe that there is a `-cpu ...,sve2=off` option, so I would expect that disabling SVE also prevents SVE2 from being advertised as available.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2309 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2309
new file mode 100644
index 000000000..d92a62cbb
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2309
@@ -0,0 +1,31 @@
+qemu-aarch64 hangs running cargo test after libc6 upgrade to 2.36-9+deb12u6
+Description of problem:
+qemu-aarch64 seems to hang with 100% cpu usage without any indication.
+with -p 12345 for gdb debugging, gdb could not interrupt the remote with ctrl-c.
+Steps to reproduce:
+1. Ensure the test env has 2.36-9+deb12u6
+2. Install the latest rust toolchain.
+3. mkdir test_test && cargo init
+4. ensure src/main.rs has
+```
+fn main() {
+    println!("Hello, world!");
+}
+
+#[test]
+fn test() {
+    println!("hAAA!");
+}
+```
+5. create .cargo/config.toml 
+```
+[target.aarch64-unknown-linux-gnu]
+linker = "aarch64-linux-gnu-gcc"
+runner = "qemu-aarch64 -L /usr/aarch64-linux-gnu"
+rustflags = ["-C", "target-cpu=neoverse-n1"]
+```
+6. cargo test --target aarch64-unknown-linux-gnu
+Additional information:
+The issue does not seem to occur with libc6:2.36-9+deb12u4
+
+The same binary runs fine on a real arm64 target with the upgraded libc6 version 2.36-9+deb12u6.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2333 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2333
new file mode 100644
index 000000000..ffd0f3714
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2333
@@ -0,0 +1,45 @@
+VDSO on armeb seems broken
+Description of problem:
+I'm seeing the VDSO method for `__clock_gettime64()` crashing under `qemu-armeb` (stack trace under Additional information, below).
+
+I rebuilt glibc with VDSO globally kludged off, and all was well.
+Steps to reproduce:
+```
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main(int argc, char **argv) {
+  time_t ts;
+  printf("%ld\n", time(&ts));
+  exit(0);
+}
+```
+
+Results, first with VDSO active via a system snapshot, second with the patched glibc:
+```
+$ armeb-linux-gnueabihf-gcc -o /tmp/time /tmp/time.c
+$ qemu-armeb -L /.mirrorsnaps/.rootsnap.prev/usr/armeb-linux-gnueabihf /tmp/time
+qemu: uncaught target signal 11 (Segmentation fault) - core dumped
+Segmentation fault
+$ qemu-armeb -L /usr/armeb-linux-gnueabihf /tmp/time
+1715123280
+```
+Additional information:
+```
+Program received signal SIGSEGV, Segmentation fault.
+0x4082b462 in ?? ()
+(gdb) bt
+#0  0x4082b462 in ?? ()
+#1  0x40bf64a4 in __GI___clock_gettime64 (clock_id=clock_id@entry=5, tp=tp@entry=0x407fe9c0)
+    at ../sysdeps/unix/sysv/linux/clock_gettime.c:42
+#2  0x40be9f58 in __GI___time64 (timer=0x0) at ../sysdeps/unix/sysv/linux/time.c:60
+#3  __time (timer=0x407fea04) at ../sysdeps/unix/sysv/linux/time.c:73
+```
+
+`clock_gettime.c:42` is
+```
+      r = INTERNAL_VSYSCALL_CALL (vdso_time64, 2, clock_id, tp);
+```
+
+Interestingly, the problem doesn't occur on qemu-arm (little endian), all else equal.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2351 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2351
new file mode 100644
index 000000000..0a73da123
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2351
@@ -0,0 +1,15 @@
+Raspberry Pi: Unable to start raspios bookworm
+Description of problem:
+I am able to start RaspiOS bullseye (2023-05-03-raspios-bullseye-arm64-lite) in both, the rpi3 and rpi4 configurations, by first extracting the DTB and the kernel from the downloaded image (see the command lines).
+
+When I attempt to start RaspiOS bookworm (2024-03-15-raspios-bookworm-arm64-lite), I only get the following messages on the host's terminal:
+
+```
+usbnet: failed control transaction: request 0x8006 value 0x600 index 0x0 length 0xa
+usbnet: failed control transaction: request 0x8006 value 0x600 index 0x0 length 0xa
+usbnet: failed control transaction: request 0x8006 value 0x600 index 0x0 length 0xa
+```
+
+[start-raspios.sh](/uploads/041fb113d1d0d920e52f3b11a9f51290/start-raspios.sh)
+Steps to reproduce:
+To reproduce, adapt the attached script, download the raspios images and run it.
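Review bot: The stored text points at material that is not in the record. The description says `(see the command lines)`, but no command line appears anywhere in the file. The `[start-raspios.sh](/uploads/041fb113d1d0d920e52f3b11a9f51290/start-raspios.sh)` link is a site-relative path that only resolves on the original GitLab instance. The 2540 record has the same kind of dangling reference (`Run command provided above`). If the scraper is dropping the issue's command-line field, it should emit that field as its own section, and upload links should be rewritten to absolute URLs or marked as attachments that were not fetched.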
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2355 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2355
new file mode 100644
index 000000000..09b261e55
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2355
@@ -0,0 +1,79 @@
+buffer overflow in aspeed gpio
+Description of problem:
+The following log reveals it:
+
+```
+==2602930==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a5da29e128 at pc 0x55a5d700dc62 bp 0x7fff096c4e90 sp 0x7fff096c4e88
+READ of size 2 at 0x55a5da29e128 thread T0
+    #0 0x55a5d700dc61 in aspeed_gpio_read /home/joey/repo/qemu/build/../hw/gpio/aspeed_gpio.c:564:14
+    #1 0x55a5d933f3ab in memory_region_read_accessor /home/joey/repo/qemu/build/../system/memory.c:445:11
+    #2 0x55a5d92fba40 in access_with_adjusted_size /home/joey/repo/qemu/build/../system/memory.c:573:18
+    #3 0x55a5d92f842c in memory_region_dispatch_read1 /home/joey/repo/qemu/build/../system/memory.c:1426:16
+    #4 0x55a5d92f7b68 in memory_region_dispatch_read /home/joey/repo/qemu/build/../system/memory.c:1459:9
+    #5 0x55a5d9376ad1 in flatview_read_continue_step /home/joey/repo/qemu/build/../system/physmem.c:2836:18
+    #6 0x55a5d9376399 in flatview_read_continue /home/joey/repo/qemu/build/../system/physmem.c:2877:19
+    #7 0x55a5d93775b8 in flatview_read /home/joey/repo/qemu/build/../system/physmem.c:2907:12
+    #8 0x55a5d9377078 in address_space_read_full /home/joey/repo/qemu/build/../system/physmem.c:2920:18
+    #9 0x55a5d8189aa2 in address_space_read /home/joey/repo/qemu/include/exec/memory.h:3100:18
+    #10 0x55a5d8189aa2 in qtest_process_command /home/joey/repo/qemu/build/../system/qtest.c:597:13
+    #11 0x55a5d818231d in qtest_process_inbuf /home/joey/repo/qemu/build/../system/qtest.c:811:9
+    #12 0x55a5d81915ae in qtest_read /home/joey/repo/qemu/build/../system/qtest.c:823:5
+    #13 0x55a5d9bc115d in qemu_chr_be_write_impl /home/joey/repo/qemu/build/../chardev/char.c:214:9
+    #14 0x55a5d9bc1219 in qemu_chr_be_write /home/joey/repo/qemu/build/../chardev/char.c:226:9
+    #15 0x55a5d9bccd25 in fd_chr_read /home/joey/repo/qemu/build/../chardev/char-fd.c:72:9
+    #16 0x55a5d95d958c in qio_channel_fd_source_dispatch /home/joey/repo/qemu/build/../io/channel-watch.c:84:12
+    #17 0x7f8909babc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+    #18 0x55a5d9f62319 in glib_pollfds_poll /home/joey/repo/qemu/build/../util/main-loop.c:287:9
+    #19 0x55a5d9f60c53 in os_host_main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:310:5
+    #20 0x55a5d9f6081c in main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:589:11
+    #21 0x55a5d8198807 in qemu_main_loop /home/joey/repo/qemu/build/../system/runstate.c:796:9
+    #22 0x55a5d9544c6c in qemu_default_main /home/joey/repo/qemu/build/../system/main.c:37:14
+    #23 0x55a5d9544cb7 in main /home/joey/repo/qemu/build/../system/main.c:48:12
+    #24 0x7f8909229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+    #25 0x7f8909229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
+    #26 0x55a5d671ed34 in _start (/home/joey/repo/qemu/build/qemu-system-aarch64+0x2773d34)
+
+0x55a5da29e128 is located 24 bytes to the left of global variable '<string literal>' defined in '../hw/gpio/aspeed_gpio.c:1180:23' (0x55a5da29e140) of size 20
+  '<string literal>' is ascii string 'aspeed.gpio-ast2500'
+0x55a5da29e128 is located 22 bytes to the right of global variable '<string literal>' defined in '/home/joey/repo/qemu/include/hw/gpio/aspeed_gpio.h:17:1' (0x55a5da29e100) of size 18
+  '<string literal>' is ascii string 'ASPEED_GPIO_CLASS'
+SUMMARY: AddressSanitizer: global-buffer-overflow /home/joey/repo/qemu/build/../hw/gpio/aspeed_gpio.c:564:14 in aspeed_gpio_read
+Shadow bytes around the buggy address:
+  0x0ab53b44bbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ab53b44bbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ab53b44bbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ab53b44bc00: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+  0x0ab53b44bc10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+=>0x0ab53b44bc20: 00 00 02 f9 f9[f9]f9 f9 00 00 04 f9 f9 f9 f9 f9
+  0x0ab53b44bc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ab53b44bc40: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 04 f9
+  0x0ab53b44bc50: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 00 00
+  0x0ab53b44bc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ab53b44bc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+```
+Steps to reproduce:
+```
+cat << EOF | qemu-system-aarch64 -display \
+none -machine accel=qtest, -m 512M -machine ast1030-evb -qtest stdio
+readq 0x7e780272
+EOF
+```
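Review bot: This record is filed under `accel_missing`, yet its reproduction steps pass `-machine accel=qtest,`, so the accelerator is recoverable from the body; the 2356 and 2358 records carry the same line. The ASan frames also name `/lib/x86_64-linux-gnu/libglib-2.0.so.0`, which hints that the host could be inferred too, though that is weaker evidence. If the binning reads only the structured issue fields, a fallback that scans the body for `accel=` would keep these qtest-driven device-model reports out of the catch-all directory. The three reports are an out-of-bounds read in `aspeed_gpio_read`, a failed assertion in `rcc_update_cfgr_register`, and a null dereference in `a9_gtimer_get_current_cpu`, all of which are harder to triage when filed there.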
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2356 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2356
new file mode 100644
index 000000000..d73581806
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2356
@@ -0,0 +1,15 @@
+assert in stm32l4x5_rcc
+Description of problem:
+The following log reveals it:
+
+```
+qemu-system-aarch64: ../hw/misc/stm32l4x5_rcc.c:546: void rcc_update_cfgr_register(Stm32l4x5RccState *): Assertion `val <= 0b100' failed.
+Aborted
+```
+Steps to reproduce:
+```
+cat << EOF | qemu-system-aarch64 -display \
+none -machine accel=qtest, -m 512M -machine b-l475e-iot01a -qtest stdio
+writeq 0x40021008 0xffffffff
+EOF
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2358 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2358
new file mode 100644
index 000000000..1b3dc7706
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2358
@@ -0,0 +1,50 @@
+null-pointer-dereference in a9gtimer
+Description of problem:
+The following log reveals it:
+
+```
+../hw/timer/a9gtimer.c:51:22: runtime error: member access within null pointer of type 'CPUState' (aka 'struct CPUState')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/timer/a9gtimer.c:51:22 in
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==2624453==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002d0 (pc 0x55df9673422f bp 0x7fff7310e930 sp 0x7fff7310e8a0 T0)
+==2624453==The signal is caused by a READ memory access.
+==2624453==Hint: address points to the zero page.
+    #0 0x55df9673422f in a9_gtimer_get_current_cpu /home/joey/repo/qemu/build/../hw/timer/a9gtimer.c:51:22
+    #1 0x55df9673408c in a9_gtimer_this_write /home/joey/repo/qemu/build/../hw/timer/a9gtimer.c:246:14
+    #2 0x55df97e00353 in memory_region_write_accessor /home/joey/repo/qemu/build/../system/memory.c:497:5
+    #3 0x55df97dffa40 in access_with_adjusted_size /home/joey/repo/qemu/build/../system/memory.c:573:18
+    #4 0x55df97dfd986 in memory_region_dispatch_write /home/joey/repo/qemu/build/../system/memory.c:1521:16
+    #5 0x55df97ea8973 in flatview_write_continue_step /home/joey/repo/qemu/build/../system/physmem.c:2755:18
+    #6 0x55df97ea81df in flatview_write_continue /home/joey/repo/qemu/build/../system/physmem.c:2785:19
+    #7 0x55df97e7be4b in flatview_write /home/joey/repo/qemu/build/../system/physmem.c:2816:12
+    #8 0x55df97e7b908 in address_space_write /home/joey/repo/qemu/build/../system/physmem.c:2936:18
+    #9 0x55df96c8b041 in qtest_process_command /home/joey/repo/qemu/build/../system/qtest.c:559:13
+    #10 0x55df96c8631d in qtest_process_inbuf /home/joey/repo/qemu/build/../system/qtest.c:811:9
+    #11 0x55df96c955ae in qtest_read /home/joey/repo/qemu/build/../system/qtest.c:823:5
+    #12 0x55df986c515d in qemu_chr_be_write_impl /home/joey/repo/qemu/build/../chardev/char.c:214:9
+    #13 0x55df986c5219 in qemu_chr_be_write /home/joey/repo/qemu/build/../chardev/char.c:226:9
+    #14 0x55df986d0d25 in fd_chr_read /home/joey/repo/qemu/build/../chardev/char-fd.c:72:9
+    #15 0x55df980dd58c in qio_channel_fd_source_dispatch /home/joey/repo/qemu/build/../io/channel-watch.c:84:12
+    #16 0x7f76346edc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+    #17 0x55df98a66319 in glib_pollfds_poll /home/joey/repo/qemu/build/../util/main-loop.c:287:9
+    #18 0x55df98a64c53 in os_host_main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:310:5
+    #19 0x55df98a6481c in main_loop_wait /home/joey/repo/qemu/build/../util/main-loop.c:589:11
+    #20 0x55df96c9c807 in qemu_main_loop /home/joey/repo/qemu/build/../system/runstate.c:796:9
+    #21 0x55df98048c6c in qemu_default_main /home/joey/repo/qemu/build/../system/main.c:37:14
+    #22 0x55df98048cb7 in main /home/joey/repo/qemu/build/../system/main.c:48:12
+    #23 0x7f7633e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+    #24 0x7f7633e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
+    #25 0x55df95222d34 in _start (/home/joey/repo/qemu/build/qemu-system-aarch64+0x2773d34)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/joey/repo/qemu/build/../hw/timer/a9gtimer.c:51:22 in a9_gtimer_get_current_cpu
+==2624453==ABORTING
+```
+Steps to reproduce:
+```
+cat << EOF | /home/joey/repo/qemu/build/qemu-system-aarch64 -display \
+none -machine accel=qtest, -m 512M -machine npcm750-evb -qtest stdio
+writel 0xf03fe20c 0x26d7468c
+EOF
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/236 b/gitlab/issues_text/target_arm/host_missing/accel_missing/236
new file mode 100644
index 000000000..6b5d85f2d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/236
@@ -0,0 +1 @@
+CPU fetch from unpopulated ROM on reset
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2377 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2377
new file mode 100644
index 000000000..a16ae1f16
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2377
@@ -0,0 +1,25 @@
+Debootstrapping debian-bullseye arm64 segfaults with qemu >=8.1
+Steps to reproduce:
+1. Use qemu >= 8.1 (version <= 8.0.x work well)
+2. Install `debootstrap` package
+3. Run `sudo debootstrap --arch=arm64 bullseye root11-arm64`
+
+This fails to chroot into the system being debootstrapped:
+
+```
+$ sudo debootstrap --arch=arm64 bullseye root11-arm64
+...
+W: Failure trying to run: chroot "/home/3/root11" /sbin/ldconfig
+W: See /home/3/root11/debootstrap/debootstrap.log for details
+$ tail -n2 /home/3/root11/debootstrap/debootstrap.log
+qemu: uncaught target signal 11 (Segmentation fault) - core dumped
+/usr/share/debootstrap/functions: line 1092:  3869 Segmentation fault      chroot "/home/3/root11" "$@"
+```
+Additional information:
+Failure happens only when debootstrapping "bullseye" with "arm64" architecture.
+Older (e.g. <= "buster") and newer (e.g. > "bookworm") distros are deboostrapped OK.
+Other (e.g. "armhf" and others) architectures are debootstrapped OK.
+
+Qemu version <8.1 (e.g. 8.0.5 I use in Gentoo or versions in Debian <= bookworm) don't have the bug.
+
+Originally faced the issue with Gentoo host. Recently rechecked with Debian Trixie host.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2382 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2382
new file mode 100644
index 000000000..5675ddef2
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2382
@@ -0,0 +1,14 @@
+QEMU occurs an Error when testing my DIY UEFI aarch64 kernel:Synchronous Exception at 0x00000000E46CCEAC
+Description of problem:
+Shows Synchronous Exception at 0x00000000E46CCEAC and the program halts.
+Steps to reproduce:
+1.Download the UEFIPascalOS on github.
+2.run the bash buildaarch64.sh to build the kernel iso.
+3.Go through the installer guide and enter the kernel.
+4.Enter the account's name and password and press enter,now you can got an error that shows Synchronous Exception at 0x00000000E46CCEAC
+Additional information:
+(no logs,stack traces was shown for the error because logs and stack traces are not exists.)
+screenshots:
+![ScreenShot.png](/uploads/981efb0cfe6149872487b55b9beb504d/QQ截图20240605203550.png)
+If I create two accounts,it will halt on sentence "Welcome to TYDQ System!" and give me  Synchronous Exception at other numbers.
+If I change the memory in virt-machine,the Synchronous Exception showing number will be changed.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/239 b/gitlab/issues_text/target_arm/host_missing/accel_missing/239
new file mode 100644
index 000000000..9e5b942f6
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/239
@@ -0,0 +1 @@
+Confusing error message when KVM can not start requested ARM CPU
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/247 b/gitlab/issues_text/target_arm/host_missing/accel_missing/247
new file mode 100644
index 000000000..2c02673c8
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/247
@@ -0,0 +1 @@
+qemu-system-arm segmentation fault using pmemsave on the interrupt controller registers
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2473 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2473
new file mode 100644
index 000000000..1633eb588
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2473
@@ -0,0 +1,3 @@
+qemu-system-aarch64: Stop execution on unhandled exceptions
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2484 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2484
new file mode 100644
index 000000000..bb57f05fc
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2484
@@ -0,0 +1 @@
+Confusing query-gic-capabilities output in --without-default-devices config
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2533 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2533
new file mode 100644
index 000000000..935c69d44
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2533
@@ -0,0 +1 @@
+Black screen while I'm trying to emulate Android using "-machine raspi4b"
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2536 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2536
new file mode 100644
index 000000000..ef331ea58
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2536
@@ -0,0 +1 @@
+Dynamic translation issue of arm instruction VFNMA and VFNMS
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2540 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2540
new file mode 100644
index 000000000..b4d72e1b3
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2540
@@ -0,0 +1,17 @@
+Machine B-L475E-IOT01A USART devices not functional
+Description of problem:
+The B-L475E-IOT01A claims to support STM32L4x5 USARTs, UARTs and LPUART (Serial ports) but does not appear to actually function.
+
+I created a minimal bare metal binary that attempts to write to UART (via printf) but it does not succeed. While debugging it appears that all UART registers for USART1 are zero despite code that is writing to those registers and USART_ISR should have the default value of 0x020000C0 per STM documentation RM0351. The code ends up in an infinite loop waiting for the USART module to become ready but it never does.
+
+For comparison an almost identical program compiled for the netduino-plus-2 (also an STM32 Cortex-M4 CPU) is able to use USART succesfully.
+Steps to reproduce:
+1. Clone https://github.com/satur9nine/arm-cortex-qemu-demo/tree/STM_b-l475e-iot01a (note branch is STM_b-l475e-iot01a)
+2. Obtain arm-none-eabi-gcc version 13.3.rel1 or higher from ARM or linux package manager and install
+3. Go to `STM_b-l475e-iot01a_Build` and run `make all` to produce arm-cortex-qemu-demo.bin
+4. Run command provided above (optionally run with additional `-gdb tcp::1234,ipv4 -S` options and attach debugger), observe there is no UART output
+5. Repeat steps but with `STM_netduino-plus-2_Build` and observe UART output is produced for comparison
+Additional information:
+Notice memory located at 0x40013800 which is where USART1 is located shows all zeros.
+
+![iot01a_debug](/uploads/ae8eac57e162fe0ae45ec8e09114d038/iot01a_debug.png)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2546 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2546
new file mode 100644
index 000000000..f54a2dbbc
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2546
@@ -0,0 +1 @@
+Troubleshooting Data Abort Error While Debugging U-Boot on mcimx6ul-evk in QEMU
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2547 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2547
new file mode 100644
index 000000000..4a03dad74
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2547
@@ -0,0 +1,3 @@
+Raspberry 4B Ethernet support
+Additional information:
+There is available WIP patch https://patchew.org/QEMU/20240226000259.2752893-1-sergey.kambalin@auriga.com/
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2549 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2549
new file mode 100644
index 000000000..882d5778d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2549
@@ -0,0 +1,3 @@
+qemu-system-arm, ast2400-a1, The ECC_TEST_CTRL register of aspeed_2400_sdmc_write is not implemented
+Additional information:
+The ast2400-a1 has a few more memory test modes compared to the ast2500-a2 (1xxb in 8:6 and 11b in 2:1), but I think it should be enough to always return a test pass result.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2554 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2554
new file mode 100644
index 000000000..e5721821e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2554
@@ -0,0 +1,11 @@
+qemu-system-arm: thumb2: vector table branch instruction not followed
+Description of problem:
+When an undefined instruction is hit and causes an exception that causes a jump to the undef vector at 0x04; translation of the branch instruction found there appears to fail since instead of branching to the handler it steps to the next instruction - the next entry in the vector table, translates that, and on stepping once again moves to the next entry in the vector table. Eventually it steps out of the table and (re)enters the _start subroutine pointed to by vector 0x0.
+Steps to reproduce:
+This is related to issue #2542 in as much as I am hunting down failures in the picolibc 1.8.6 test suite on Debian. After fixing issues such as the failure to enable the MMU and some others via incorporating upstream commits I'm left with 10 tests, all for exception handling, that result in meson (build system) TIMEOUT instead of EXPECTEDFAIL. All of these tests should fail instantly and cause Qemu to exit but it continues - apparently spinning in an endless loop as described above until meson kills it.
+
+Creating a small reproducer has proved challenging and nigh impossible (for me) - even identifying the crux as described here has taken 4 days. However with the help of `qemu-system-arm -d in_asm,op,out_asm ...` and `gdb-multiarch` I believe I may have produced a focused report that will help figure this out.
+
+#
+Additional information:
+Since this is hard to debug I can give remote ssh access via `tmate` to directly control the debug session if necessary.
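Review bot: The line holding only `#` just before `Additional information:` looks like the remains of a heading or section marker whose text was stripped during conversion. The 2588 record has the same stray line in the same position. Here the preceding sentence promises "a focused report", which suggests that the content after it was lost rather than never written. The converter should either keep the section body or drop the bare marker, so a truncated record can be told apart from a complete one.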
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2577 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2577
new file mode 100644
index 000000000..569303783
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2577
@@ -0,0 +1 @@
+buildx: Illegal instruction, exit code: 132
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2580 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2580
new file mode 100644
index 000000000..a70985046
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2580
@@ -0,0 +1,12 @@
+qemu-aarch64_be 9.1.0 fails to run any Linux programs due to unreachable in gdb_find_static_feature()
+Description of problem:
+```
+❯ cat empty.c
+void _start() {}
+❯ clang empty.c -target aarch64_be-linux -nostdlib -fuse-ld=lld
+❯ qemu-aarch64_be ./a.out
+**
+ERROR:../gdbstub/gdbstub.c:493:gdb_find_static_feature: code should not be reached
+Bail out! ERROR:../gdbstub/gdbstub.c:493:gdb_find_static_feature: code should not be reached
+fish: Job 1, 'qemu-aarch64_be ./a.out' terminated by signal SIGABRT (Abort)
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2588 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2588
new file mode 100644
index 000000000..1a2840ddb
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2588
@@ -0,0 +1,43 @@
+qemu-system-arm regression: NonSecure World can change Secure World MMU mapping.
+Description of problem:
+A NonSecure execution context is able to override MMU L1 translation table
+flags set by Secure context on Secure World memory.
+
+This is not consistent with the same code running on real hardware and it's a
+regression over past qemu releases as 9.0.0 behaves correctly.
+Steps to reproduce:
+This has been tested with
+[GoTEE-example](https://github.com/usbarmory/GoTEE-example) as follows:
+
+```
+# building tamago
+wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip
+unzip latest.zip
+cd tamago-go-latest/src && ./all.bash
+cd ../bin && export TAMAGO=`pwd`/go
+
+# building and running GoTEE-example
+wget https://github.com/usbarmory/GoTEE-example/archive/refs/heads/master.zip
+unzip master.zip
+cd GoTEE-example
+export TARGET=usbarmory && make clean && make nonsecure_os_go && make trusted_applet_go && make trusted_os && make qemu
+```
+
+#
+Additional information:
+The issue relates to the fact that the NonSecure World, at startup, configures
+the MMU with the NX bit for the entire address space not belonging to its
+firmware .text area.
+
+On real hardware this MMU configuration by NonSecure world does not affect the
+Secure World translation tables.
+
+On qemu 9.1.0, however it does and this is inconsistent with real hardware
+behavior. On qemu 9.0.0 the behaviour is correct so the issue has been
+introduced between these two releases.
+
+The switch between Secure and NonSecure is done
+[here](https://github.com/usbarmory/GoTEE/blob/7e62563c0628fed3ee0aebb4702e22be9bb636e3/monitor/exec_arm.s#L73).
+
+The MMU first level address table which sets the NX bit is done
+[here](https://github.com/usbarmory/tamago/blob/273d67cd811dfcb1782c0fe596ac14d43d0ce117/arm/mmu.go#L85).
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2591 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2591
new file mode 100644
index 000000000..783d23bcf
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2591
@@ -0,0 +1 @@
+Black screen and DTB errors while trying to emulate the kernel of the RaspiOS (based on Debian Bookworm) using the parameter -machine raspi4b
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2595 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2595
new file mode 100644
index 000000000..f7baf0336
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2595
@@ -0,0 +1,135 @@
+Incorrect behavior with 64-bit element SDOT and UDOT instructions on ARM SVE when sve-default-vector-length>=64
+Description of problem:
+The behavior of SDOT and UDOT instructions are incorrect when the Zresult.D register is used, which is the 64-bit svdot_lane\_{s,u}64 intrinsic in ACLE.
+
+I have tested the same code using [Arm Instruction Emulator](https://developer.arm.com/Tools%20and%20Software/Arm%20Instruction%20Emulator) (which is deprecated though) and gem5 which produced correct result, I believe that the SDOT and UDOT implementation in qemu is incorrect.
+Steps to reproduce:
+1. Get Arm Gnu toolchain from [Arm GNU Toolchain Downloads – Arm Developer](https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads), for x86 Linux hosts, download arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz and extract it. Alternatively, use any compiler that is able to cross compile for armv8.2-a+sve targets.
+2. Compile the following program with these compiler arguments
+
+   ```
+   arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-gcc -O3 -march=armv8.2-a+sve dot_lane.c -o dot_lane
+   ```
+
+   ```c
+   #include <stdio.h>
+   #include <arm_sve.h>
+   
+   int64_t a[32] = { 0 };
+   int16_t b[128];
+   int16_t c[128];
+   int64_t r[32];
+   int64_t expected_r[32];
+   
+   #define IMM 0
+   
+   int main(void)
+   {
+       for (size_t i = 0; i < 128; i++) {
+           b[i] = 1;
+           c[i] = i / 4;
+       }
+   
+       svint64_t av = svld1(svptrue_b64(), a);
+       svint16_t bv = svld1(svptrue_b16(), b);
+       svint16_t cv = svld1(svptrue_b16(), c);
+   
+       svint64_t result = svdot_lane_s64(av, bv, cv, IMM);
+   
+       svst1(svptrue_b64(), r, result);
+   
+       for (size_t i = 0; i < svcntd(); i++) {
+           expected_r[i] = 
+               (int64_t)b[i * 4 + 0] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 0] +
+               (int64_t)b[i * 4 + 1] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 1] +
+               (int64_t)b[i * 4 + 2] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 2] +
+               (int64_t)b[i * 4 + 3] * (int64_t)c[(i - i % 2) * 4 + IMM * 4 + 3] +
+               a[i];
+       }
+       
+       printf("%12s", "r: ");
+       for (size_t i = 0; i < svcntd(); i++) {
+           printf("%4ld", r[i]);
+       }
+       printf("\n");
+       printf("%12s", "expected_r: ");
+       for (size_t i = 0; i < svcntd(); i++) {
+           printf("%4ld", expected_r[i]);
+       }
+       printf("\n\t\t");
+       for (size_t i = 0; i < svcntd(); i++) {
+           if (r[i] != expected_r[i]) {
+               printf("%4c", '^');
+           } else {
+               printf("%4c", ' ');
+           }
+       }
+       printf("\n");
+       printf("idx:\t\t");
+       for (size_t i = 0; i < svcntd(); i++) {
+           if (r[i] != expected_r[i]) {
+               printf("%4d", i);
+           } else {
+               printf("%4c", ' ');
+           }
+       }
+       printf("\n");
+   
+       return 0;
+   }
+   ```
+3. Execute it with the following commands:
+
+   ```
+   qemu-aarch64 -cpu max,sve-default-vector-length=16 -L arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/bin/../aarch64-none-linux-gnu/libc dot_lane
+   ```
+
+   Change the value of `sve-default-vector-length` to 32, 64, 128, 256 and observe the outputs, we should see that for `sve-default-vector-length` \>= 64, the result is incorrect.
+
+   `sve-default-vector-length=16`
+
+   ```
+            r:    0   0
+   expected_r:    0   0
+                           
+   idx:                
+   ```
+
+   `sve-default-vector-length=32`
+
+   ```
+            r:    0   0   8   8
+   expected_r:    0   0   8   8
+                                   
+   idx:                        
+   ```
+
+   `sve-default-vector-length=64`
+
+   ```
+            r:    0   0   8   8   8   8  24  24
+   expected_r:    0   0   8   8  16  16  24  24
+                                      ^   ^        
+   idx:                               4   5         
+   ```
+
+   `sve-default-vector-length=128`
+
+   ```
+            r:    0   0   8   8   8   8  24  24  24  24  40  40  40  40  56  56
+   expected_r:    0   0   8   8  16  16  24  24  32  32  40  40  48  48  56  56
+                                      ^   ^           ^   ^           ^   ^        
+   idx:                               4   5           8   9          12  13       
+   ```
+
+   `sve-default-vector-length=256`
+
+   ```
+            r:    0   0   8   8   8   8  24  24  24  24  40  40  40  40  56  56  56  56  72  72  72  72  88  88  88  88 104 104 104 104 120 120
+   expected_r:    0   0   8   8  16  16  24  24  32  32  40  40  48  48  56  56  64  64  72  72  80  80  88  88  96  96 104 104 112 112 120 120
+                                      ^   ^           ^   ^           ^   ^           ^   ^           ^   ^           ^   ^           ^   ^        
+   idx:                               4   5           8   9          12  13          16  17          20  21          24  25          28  29     
+   ```
+4. By passing `-S` to the compiler, we can see that sdot (or udot if using `svdot_lane_u64()`) is produced in assembly (`sdot z0.d, z1.h, z2.h[0]`), which is correct behavior according to [Intrinsics – Arm Developer](https://developer.arm.com/architectures/instruction-sets/intrinsics/svdot_lane%5B_s64%5D).
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2604 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2604
new file mode 100644
index 000000000..54593f0c0
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2604
@@ -0,0 +1,44 @@
+qemu-user-static crash when executing generated  NEON code due to failure to detect invalidation
+Description of problem:
+`qemu-arm-static` crashes 100% of times when attempting to run NEON code. The same executable, when run in `system` emulation mode, works without issue.
+
+I experience this particular issue when attempting to test GStreamer's Orc library with NEON codegen with QEMU user emulation.
+Steps to reproduce:
+1. Clone https://gitlab.freedesktop.org/gstreamer/orc.git
+2. Build with `meson setup build -Ddefault_library=static; meson compile -C build`
+3. Run `qemu-arm-static ./build/tools/orc-bugreport`
+Additional information:
+The crash always happens inside the same JIT code. It is not a memory access, so there is no reason for QEMU to report SIGSEGV:
+
+```
+Program received signal SIGSEGV, Segmentation fault.
+0x409e503c in ?? ()
+(gdb) bt
+#0  0x409e503c in ?? ()
+#1  0x00408bc6 in orc_executor_run (ex=0x51cfc0) at ../orc/orcexecutor.c:51
+#2  0x00489692 in orc_test_compare_output_full_for_target (program=0x4bcd90, flags=0, 
+    target_name=0x0) at ../orc-test/orctest.c:800
+#3  0x00489004 in orc_test_compare_output_full (program=0x4bcd90, flags=0)
+    at ../orc-test/orctest.c:664
+#4  0x00404826 in test_opcode_src (opcode=0x4b098c <opcodes+2400>)
+    at ../tools/orc-bugreport.c:252
+#5  0x004045d8 in test_opcodes () at ../tools/orc-bugreport.c:188
+#6  0x004043f2 in main (argc=1, argv=0x40800704) at ../tools/orc-bugreport.c:118
+(gdb) disas 0x409e5030
+No function contains specified address.
+(gdb) disas 0x409e5030, +10
+Dump of assembler code from 0x409e5030 to 0x409e503a:
+   0x409e5030:  vld1.8  {d4-d5}, [r3]
+   0x409e5034:  vst1.8  {d4-d5}, [r2]
+   0x409e5038:  add     r2, r2, #16
+End of assembler dump.
+(gdb) disas 0x409e5030, +20
+Dump of assembler code from 0x409e5030 to 0x409e5044:
+   0x409e5030:  vld1.8  {d4-d5}, [r3]
+   0x409e5034:  vst1.8  {d4-d5}, [r2]
+   0x409e5038:  add     r2, r2, #16
+=> 0x409e503c:  add     r3, r3, #16
+   0x409e5040:  subs    r12, r12, #1
+End of assembler dump.
+(gdb) 
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2610 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2610
new file mode 100644
index 000000000..b2d0b6024
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2610
@@ -0,0 +1 @@
+pl011: incorrect IBRD_MASK and FBRD_MASK
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2625 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2625
new file mode 100644
index 000000000..a87f5d177
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2625
@@ -0,0 +1,83 @@
+Adding TPM support for ARM SBSA-Ref machine
+Additional information:
+Here is a proposed change where a new memory region is added to the machine initialization routine:
+
+```diff
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+index e3195d5449..84bc7d9adb 100644
+--- a/hw/arm/sbsa-ref.c
++++ b/hw/arm/sbsa-ref.c
+@@ -28,6 +28,8 @@
+ #include "sysemu/numa.h"
+ #include "sysemu/runstate.h"
+ #include "sysemu/sysemu.h"
++#include "sysemu/tpm.h"
++#include "sysemu/tpm_backend.h"
+ #include "exec/hwaddr.h"
+ #include "kvm_arm.h"
+ #include "hw/arm/boot.h"
+@@ -94,6 +96,7 @@ enum {
+     SBSA_SECURE_MEM,
+     SBSA_AHCI,
+     SBSA_XHCI,
++    SBSA_TPM,
+ };
+ 
+ struct SBSAMachineState {
+@@ -132,6 +135,7 @@ static const MemMapEntry sbsa_ref_memmap[] = {
+     /* Space here reserved for more SMMUs */
+     [SBSA_AHCI] =               { 0x60100000, 0x00010000 },
+     [SBSA_XHCI] =               { 0x60110000, 0x00010000 },
++    [SBSA_TPM] =                { 0x60120000, 0x00010000 },
+     /* Space here reserved for other devices */
+     [SBSA_PCIE_PIO] =           { 0x7fff0000, 0x00010000 },
+     /* 32-bit address PCIE MMIO space */
+@@ -629,6 +633,24 @@ static void create_smmu(const SBSAMachineState *sms, PCIBus *bus)
+     }
+ }
+ 
++static void create_tpm(SBSAMachineState *sbsa, PCIBus *bus)
++{
++    Error *errp = NULL;
++    DeviceState *dev;
++
++    TPMBackend *be = qemu_find_tpm_be("tpm0");
++    if (be == NULL) {
++        error_report("Couldn't find tmp0 backend");
++        return;
++    }
++
++    dev = qdev_new(TYPE_TPM_TIS_SYSBUS);
++    object_property_set_link(OBJECT(dev), "tpmdev", OBJECT(be), &errp);
++    object_property_set_str(OBJECT(dev), "tpmdev", be->id, &errp);
++    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
++    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, sbsa_ref_memmap[SBSA_TPM].base);
++}
++
+ static void create_pcie(SBSAMachineState *sms)
+ {
+     hwaddr base_ecam = sbsa_ref_memmap[SBSA_PCIE_ECAM].base;
+@@ -686,6 +708,8 @@ static void create_pcie(SBSAMachineState *sms)
+     pci_create_simple(pci->bus, -1, "bochs-display");
+ 
+     create_smmu(sms, pci->bus);
++
++    create_tpm(sms, pci->bus);
+ }
+ 
+ static void *sbsa_ref_dtb(const struct arm_boot_info *binfo, int *fdt_size)
+```
+
+With such, the tpm can get used when setting the TPM base address to be 0x60120000 with the following launching command:
+
+```bash
+qemu-system-aarch64 -machine sbsa-ref,gic-version=3,acpi=off \
+  -cpu host -m 4G \
+  -nographic -accel kvm \
+  -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
+  -tpmdev emulator,id=tpm0,chardev=chrtpm \
+  -device virtio-blk-pci,drive=drv0 \
+  -drive format=qcow2,file=hda.qcow2,if=none,id=drv0 \
+  -drive if=pflash,format=raw,file=flash0.img,readonly=on \
+  -drive if=pflash,format=raw,file=flash1.img
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2636 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2636
new file mode 100644
index 000000000..1cbec4bc7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2636
@@ -0,0 +1 @@
+ast2600 fails to run u-boot
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2652 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2652
new file mode 100644
index 000000000..a1d6bc5ac
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2652
@@ -0,0 +1 @@
+qemu-user please allow to emulate aarch64 cpu in 32bits mode
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2656 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2656
new file mode 100644
index 000000000..2a28ab90d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2656
@@ -0,0 +1 @@
+impossible to specify pauth-impdef=on when specifying multiple accelerators
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/268 b/gitlab/issues_text/target_arm/host_missing/accel_missing/268
new file mode 100644
index 000000000..328c1ca9d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/268
@@ -0,0 +1 @@
+arm gic: gic_acknowledge_irq doesn't clear line level for other cores for 1-n level-sensitive interrupts and gic_clear_pending uses GIC_DIST_TEST_MODEL (even on v2 where it always read 0 - "N-N")
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2689 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2689
new file mode 100644
index 000000000..47c0c583d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2689
@@ -0,0 +1 @@
+arm64be tuxrun test is sometimes failing with I/O errors
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2698 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2698
new file mode 100644
index 000000000..0b7f0a126
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2698
@@ -0,0 +1,9 @@
+virtualization not working with TCG mode on macOS
+Description of problem:
+TCG is supposed to work with virtualization=on option but it stops without priting anything.
+if I set it to off, I can get to the prompt.
+Steps to reproduce:
+1. Execute the qemu
+2. Hung.
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2702 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2702
new file mode 100644
index 000000000..42af8bd86
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2702
@@ -0,0 +1,53 @@
+qtest-arm/sse-timer-test sometimes fails on s390x host
+Description of problem:
+The sse-timer-test sometimes fails on the s390x runner in Travis, see:
+
+https://app.travis-ci.com/github/huth/qemu/jobs/628508770#L6337 :
+
+```
+>>> G_TEST_DBUS_DAEMON=/home/travis/build/huth/qemu/tests/dbus-vmstate-daemon.sh MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MESON_TEST_ITERATION=1 UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 PYTHON=/home/travis/build/huth/qemu/build/pyvenv/bin/python3 MALLOC_PERTURB_=165 QTEST_QEMU_BINARY=./qemu-system-arm /home/travis/build/huth/qemu/build/tests/qtest/sse-timer-test --tap -k
+
+▶  70/287 ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100) ERROR         
+
+ 70/287 qemu:qtest+qtest-arm / qtest-arm/sse-timer-test                       ERROR            0.71s   killed by signal 6 SIGABRT
+
+――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
+
+stderr:
+
+**
+
+ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100)
+
+(test program exited with status code -6)
+
+――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
+```
+
+https://app.travis-ci.com/github/huth/qemu/jobs/628373181#L6336 :
+
+```
+>>> G_TEST_DBUS_DAEMON=/home/travis/build/huth/qemu/tests/dbus-vmstate-daemon.sh PYTHON=/home/travis/build/huth/qemu/build/pyvenv/bin/python3 UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 QTEST_QEMU_BINARY=./qemu-system-arm MALLOC_PERTURB_=250 MESON_TEST_ITERATION=1 /home/travis/build/huth/qemu/build/tests/qtest/sse-timer-test --tap -k
+
+▶  70/287 ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100) ERROR         
+
+ 70/287 qemu:qtest+qtest-arm / qtest-arm/sse-timer-test                       ERROR            0.95s   killed by signal 6 SIGABRT
+
+――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
+
+stderr:
+
+**
+
+ERROR:../tests/qtest/sse-timer-test.c:91:test_counter: assertion failed (readl(COUNTER_BASE + CNTCV_LO) == 100): (0 == 100)
+
+(test program exited with status code -6)
+
+――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
+```
+Steps to reproduce:
+1. Run the QEMU CI on Travis
+Additional information:
+It seems to be a new or intermittent problem, two weeks ago it was still working fine:
+
+https://app.travis-ci.com/github/huth/qemu/jobs/627999506#L6325
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2708 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2708
new file mode 100644
index 000000000..1df2c73af
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2708
@@ -0,0 +1 @@
+aarch64 register MDCCINT_EL1 exhibits bizzare behavior
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2715 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2715
new file mode 100644
index 000000000..fb05256c7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2715
@@ -0,0 +1 @@
+QEMU AARCH64 only supports canonical addresses running on x64.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2718 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2718
new file mode 100644
index 000000000..72c4019c3
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2718
@@ -0,0 +1,102 @@
+9.2.0 build failure: FAILED: libcommon.a.p/hw_intc_arm_gicv3_its.c.o
+Description of problem:
+Unable to build 9.2.0 via our docker container based builder inside a ChromeOS M97 based Docker container (using glibc 2.32).
+Steps to reproduce:
+1. See build logs. (I thought this was a vte issue, but libvte is the current version, `0.78.2`.)
+Additional information:
+```
+FAILED: libcommon.a.p/hw_intc_arm_gicv3_its.c.o 
+cc -m64 -Ilibcommon.a.p -I../common-user/host/x86_64 -I../linux-user/include/host/x86_64 -I../linux-user/include -Isubprojects/dtc/libfdt -I../subprojects/dtc/libfdt -Isubprojects/libvduse -I../subprojects/libvduse -I/usr/local/include/p11-kit-1 -I/usr/local/include/pixman-1 -I/usr/local/include/libpng16 -I/usr/local/include/libusb-1.0 -I/usr/local/include/SDL2 -I/usr/local/include/libmount -I/usr/local/include/blkid -I/usr/local/include/glib-2.0 -I/usr/local/lib64/glib-2.0/include -I/usr/local/include/gio-unix-2.0 -I/usr/local/include/slirp -I/usr/local/include/ncursesw -I/usr/local/include/gtk-3.0 -I/usr/local/include/at-spi2-atk/2.0 -I/usr/local/include/at-spi-2.0 -I/usr/local/include/dbus-1.0 -I/usr/local/lib64/dbus-1.0/include -I/usr/local/include/pango-1.0 -I/usr/local/include/harfbuzz -I/usr/local/include/fribidi -I/usr/local/include/atk-1.0 -I/usr/local/include/cairo -I/usr/local/include/freetype2 -I/usr/local/include/gdk-pixbuf-2.0 -I/usr/local/include/webp -I/usr/local/include/vte-2.91 -I/usr/local/include/pipewire-0.3 -I/usr/local/include/spa-0.2 -flto=auto -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -fstack-protector-strong -Wempty-body -Wendif-labels -Wexpansion-to-defined -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /usr/local/tmp/crew/qemu.20241211185452.dir/linux-headers -isystem linux-headers -iquote . 
-iquote /usr/local/tmp/crew/qemu.20241211185452.dir -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/include -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/host/include/x86_64 -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/host/include/generic -iquote /usr/local/tmp/crew/qemu.20241211185452.dir/tcg/i386 -pthread -mcx16 -msse2 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -O3 -pipe -ffat-lto-objects -fPIC -fuse-ld=mold -flto=auto -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR=1 -D_REENTRANT -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.a.p/hw_intc_arm_gicv3_its.c.o -MF libcommon.a.p/hw_intc_arm_gicv3_its.c.o.d -o libcommon.a.p/hw_intc_arm_gicv3_its.c.o -c ../hw/intc/arm_gicv3_its.c
+In file included from ../hw/intc/trace.h:1,
+                 from ../hw/intc/arm_gicv3_its.c:16:
+In function ‘_nocheck__trace_gicv3_its_dte_read’,
+    inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9,
+    inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9,
+    inlined from ‘process_vmapti’ at ../hw/intc/arm_gicv3_its.c:680:9:
+../hw/intc/trace-events:222:13: error: ‘dte.ittaddr’ may be used uninitialized [-Werror=maybe-uninitialized]
+  222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘process_vmapti’:
+../hw/intc/arm_gicv3_its.c:654:13: note: ‘dte.ittaddr’ was declared here
+  654 |     DTEntry dte;
+      |             ^~~
+In function ‘_nocheck__trace_gicv3_its_dte_read’,
+    inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9,
+    inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9,
+    inlined from ‘process_vmapti’ at ../hw/intc/arm_gicv3_its.c:680:9:
+../hw/intc/trace-events:222:13: error: ‘dte.size’ may be used uninitialized [-Werror=maybe-uninitialized]
+  222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘process_vmapti’:
+../hw/intc/arm_gicv3_its.c:654:13: note: ‘dte.size’ was declared here
+  654 |     DTEntry dte;
+      |             ^~~
+In function ‘_nocheck__trace_gicv3_its_dte_read’,
+    inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9,
+    inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9,
+    inlined from ‘process_mapti’ at ../hw/intc/arm_gicv3_its.c:608:9:
+../hw/intc/trace-events:222:13: error: ‘dte.ittaddr’ may be used uninitialized [-Werror=maybe-uninitialized]
+  222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘process_mapti’:
+../hw/intc/arm_gicv3_its.c:586:13: note: ‘dte.ittaddr’ was declared here
+  586 |     DTEntry dte;
+      |             ^~~
+In function ‘_nocheck__trace_gicv3_its_dte_read’,
+    inlined from ‘trace_gicv3_its_dte_read’ at trace/trace-hw_intc.h:6634:9,
+    inlined from ‘get_dte’ at ../hw/intc/arm_gicv3_its.c:312:9,
+    inlined from ‘process_mapti’ at ../hw/intc/arm_gicv3_its.c:608:9:
+../hw/intc/trace-events:222:13: error: ‘dte.size’ may be used uninitialized [-Werror=maybe-uninitialized]
+  222 | gicv3_its_dte_read(uint32_t devid, int valid, uint32_t size, uint64_t ittaddr) "GICv3 ITS: Device Table read for DeviceID 0x%x: valid %d size 0x%x ITTaddr 0x%" PRIx64
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘process_mapti’:
+../hw/intc/arm_gicv3_its.c:586:13: note: ‘dte.size’ was declared here
+  586 |     DTEntry dte;
+      |             ^~~
+In function ‘lookup_vte’,
+    inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1036:14:
+../hw/intc/arm_gicv3_its.c:459:8: error: ‘vte.rdbase’ may be used uninitialized [-Werror=maybe-uninitialized]
+  459 |     if (vte->rdbase >= s->gicv3->num_cpu) {
+      |        ^
+../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’:
+../hw/intc/arm_gicv3_its.c:1033:13: note: ‘vte.rdbase’ was declared here
+ 1033 |     VTEntry vte;
+      |             ^~~
+In function ‘_nocheck__trace_gicv3_its_vte_write’,
+    inlined from ‘trace_gicv3_its_vte_write’ at trace/trace-hw_intc.h:6789:9,
+    inlined from ‘update_vte’ at ../hw/intc/arm_gicv3_its.c:944:5,
+    inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1051:10:
+../hw/intc/trace-events:227:13: error: ‘vte.vptaddr’ may be used uninitialized [-Werror=maybe-uninitialized]
+  227 | gicv3_its_vte_write(uint32_t vpeid, int valid, uint32_t vptsize, uint64_t vptaddr, uint32_t rdbase) "GICv3 ITS: vPE Table write for vPEID 0x%x: valid %d VPTsize 0x%x VPTaddr 0x%" PRIx64 " RDbase 0x%x"
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’:
+../hw/intc/arm_gicv3_its.c:1033:13: note: ‘vte.vptaddr’ was declared here
+ 1033 |     VTEntry vte;
+      |             ^~~
+In function ‘_nocheck__trace_gicv3_its_vte_write’,
+    inlined from ‘trace_gicv3_its_vte_write’ at trace/trace-hw_intc.h:6789:9,
+    inlined from ‘update_vte’ at ../hw/intc/arm_gicv3_its.c:944:5,
+    inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1051:10:
+../hw/intc/trace-events:227:13: error: ‘vte.vptsize’ may be used uninitialized [-Werror=maybe-uninitialized]
+  227 | gicv3_its_vte_write(uint32_t vpeid, int valid, uint32_t vptsize, uint64_t vptaddr, uint32_t rdbase) "GICv3 ITS: vPE Table write for vPEID 0x%x: valid %d VPTsize 0x%x VPTaddr 0x%" PRIx64 " RDbase 0x%x"
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’:
+../hw/intc/arm_gicv3_its.c:1033:13: note: ‘vte.vptsize’ was declared here
+ 1033 |     VTEntry vte;
+      |             ^~~
+In function ‘lookup_vte’,
+    inlined from ‘vmovp_callback’ at ../hw/intc/arm_gicv3_its.c:1036:14:
+../hw/intc/arm_gicv3_its.c:453:13: error: ‘MEM <unsigned char> [(struct VTEntry *)&vte]’ may be used uninitialized [-Werror=maybe-uninitialized]
+  453 |     if (!vte->valid) {
+      |          ~~~^~~~~~~
+../hw/intc/arm_gicv3_its.c: In function ‘vmovp_callback’:
+../hw/intc/arm_gicv3_its.c:1033:13: note: ‘MEM <unsigned char> [(struct VTEntry *)&vte]’ was declared here
+ 1033 |     VTEntry vte;
+      |             ^~~
+cc1: all warnings being treated as errors
+
+```
+
+Full Build log:
+
+[qemu-build-log.zip](/uploads/db227e4a6bbbcfccd0e1e3ccaacf1aec/qemu-build-log.zip)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2721 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2721
new file mode 100644
index 000000000..99e8e301a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2721
@@ -0,0 +1 @@
+Failure with macOS 15.2 on ARM64: Property 'host-arm-cpu.sme' not found
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2725 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2725
new file mode 100644
index 000000000..3fe904ba7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2725
@@ -0,0 +1 @@
+multi-arch build at AMD64 for ARM64 fails without flag "F"
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2729 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2729
new file mode 100644
index 000000000..cebbfa182
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2729
@@ -0,0 +1,74 @@
+qemu-system-aarch64 -M raspi4b -- no valid DTB provided in x0 register
+Description of problem:
+When starting `qemu-system-aarch64 -M raspi4b`, no valid DTB is provided in x0.
+Steps to reproduce:
+Make a simple binary to loop forever
+
+```
+$ cat loop.c
+void _start(void)
+{
+	for(;;)
+		;
+}
+$ aarch64-linux-gnu-gcc loop.c -nostdlib
+$ aarch64-linux-gnu-objcopy -O binary a.out loop.bin
+```
+
+Start qemu for debugging and start gdb
+
+```
+$ qemu-system-aarch64 -S -s -M raspi4b -kernel loop.bin
+# in another terminal
+$ aarch64-linux-gnu-gdb
+(gdb) target remote :1234
+Remote debugging using :1234
+warning: No executable has been specified and target does not support
+determining executable automatically.  Try using the "file" command.
+0x0000000000000000 in ?? ()
+(gdb) watch *$x0
+Watchpoint 3: *$x0
+(gdb) watch $x0
+Watchpoint 4: $x0
+(gdb) x/2x$x0
+0x0:	0x580000c0	0xaa1f03e1
+(gdb) si
+
+Thread 1 hit Watchpoint 3: *$x0
+
+Old value = 1476395200
+New value = 5
+
+Thread 1 hit Watchpoint 4: $x0
+
+Old value = 0
+New value = 256
+0x0000000000000004 in ?? ()
+(gdb) x/2x$x0
+0x100:	0x00000005	0x54410001
+(gdb) si
+0x0000000000000008 in ?? ()
+(gdb) si
+0x000000000000000c in ?? ()
+(gdb) si
+0x000000000000000c in ?? ()
+(gdb) si
+0x0000000000000010 in ?? ()
+(gdb) si
+0x0000000000000014 in ?? ()
+(gdb) si
+0x0000000000080000 in ?? ()
+(gdb) si
+0x0000000000000200 in ?? ()
+(gdb) si
+0x0000000000000200 in ?? ()
+(gdb) si
+0x0000000000000200 in ?? ()
+(gdb) si
+0x0000000000000200 in ?? ()
+(gdb) x/2x$x0
+0x100:	0x00000005	0x54410001
+(gdb) 
+```
+
+Note that at no time is a valid DTB provided in x0. I expected to see the DTB magic 0xd00dfeed (or 0xedfe0dd0) at the memory pointed to by x0
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2733 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2733
new file mode 100644
index 000000000..e4bfaf96c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2733
@@ -0,0 +1,12 @@
+-machine raspi4b won't dump dtb
+Description of problem:
+the raspi4b machine won't dump tdb
+Steps to reproduce:
+```
+$ qemu-system-aarch64 -machine virt -machine dumpdtb=p.dmp
+qemu-system-aarch64: info: dtb dumped to p.dmp. Exiting.
+$ qemu-system-aarch64 -machine raspi4b -machine dumpdtb=p.dmp
+```
+notice no dtb is dumped for the raspi4b machine
+Additional information:
+see also https://gitlab.com/qemu-project/qemu/-/issues/2729
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2734 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2734
new file mode 100644
index 000000000..3ff97dc76
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2734
@@ -0,0 +1,24 @@
+many aarch64 machines exit with "fatal: Lockup: can't escalate 3 to HardFault"
+Description of problem:
+`-machine netduino2` and `-machine microbit` and many others dump core
+Steps to reproduce:
+```
+qemu-system-aarch64 -machine netduino2
+qemu-system-aarch64 -machine microbit
+...
+$ for x in microbit netduino2 b-l475e-iot01a emcraft-sf2 fby35-bmc lm3s6965evb lm3s811evb musca-a musca-b1 netduinoplus2 olimex-stm32-h405 stm32vldiscovery
+do qemu-system-aarch64 -machine $x
+done
+```
+and all the `mps2-*` machines all result in 
+```
+qemu: fatal: Lockup: can't escalate 3 to HardFault (current priority -1)
+
+R00=00000000 R01=00000000 R02=00000000 R03=00000000
+R04=00000000 R05=00000000 R06=00000000 R07=00000000
+R08=00000000 R09=00000000 R10=00000000 R11=00000000
+R12=00000000 R13=ffffffe0 R14=fffffff9 R15=00000000
+XPSR=40000003 -Z-- A handler
+FPSCR: 00000000
+Aborted (core dumped)
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2760 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2760
new file mode 100644
index 000000000..c352d97c5
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2760
@@ -0,0 +1 @@
+Some Aarch64 system registers not available via the debugger
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2792 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2792
new file mode 100644
index 000000000..260321ab2
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2792
@@ -0,0 +1,70 @@
+qemu-system-aarch64 segfault at startup with --enable-rust
+Description of problem:
+The following commit breaks type class initialization for `pl011_luminary`:
+
+```
+d9434f29ca83e114fe02ed24c8ad2ccfa7ac3fe9 is the first bad commit
+commit d9434f29ca83e114fe02ed24c8ad2ccfa7ac3fe9
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date:   Fri Nov 29 11:38:59 2024 +0100
+
+    rust: qom: move device_id to PL011 class side
+
+    There is no need to monkeypatch DeviceId::Luminary into the already-initialized
+    PL011State.  Instead, now that we can define a class hierarchy, we can define
+    PL011Class and make device_id a field in there.
+
+    There is also no need anymore to have "Arm" as zero, so change DeviceId into a
+    wrapper for the array; all it does is provide an Index<hwaddr> implementation
+    because arrays can only be indexed by usize.
+
+    Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ rust/hw/char/pl011/src/device.rs | 59 +++++++++++++++++++---------------------
+ 1 file changed, 28 insertions(+), 31 deletions(-)
+bisect found first bad commit
+```
+
+It results in a segmentation fault during type initialization at startup:
+
+```
+$ ./build/qemu-system-aarch64 -machine help
+zsh: segmentation fault (core dumped)  ./build/qemu-system-aarch64 -machine help
+```
+
+Because the class is uninitialized on the `pl011_luminary` TypeInfo (I think):
+
+```
+$ gdb --args ./build/qemu-system-aarch64 -machine help
+...
+Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault.
+0x0000555555fc0fcf in object_class_dynamic_cast (class=class@entry=0x5555575ca128, typename=typename@entry=0x5555562650cd "resettable") at ../qom/object.c:966
+966         if (type->class->interfaces &&
+(gdb) p type->class
+$1 = (ObjectClass *) 0x0
+(gdb) bt
+#0  0x0000555555fc0fcf in object_class_dynamic_cast (class=class@entry=0x5555575ca128, typename=typename@entry=0x5555562650cd "resettable") at ../qom/object.c:966
+#1  0x0000555555fc1473 in object_class_dynamic_cast_assert (class=class@entry=0x5555575ca128, typename=typename@entry=0x5555562650cd "resettable",
+    file=file@entry=0x5555562651a0 "/home/pdel/qemu/include/hw/resettable.h", line=line@entry=21, func=func@entry=0x55555643d2b0 <__func__.13> "RESETTABLE_CLASS") at ../qom/object.c:1016
+#2  0x0000555555fbc61b in RESETTABLE_CLASS (klass=0x5555575ca128) at /home/pdel/qemu/include/hw/resettable.h:21
+#3  device_class_set_legacy_reset (dc=0x5555575ca128, dev_reset=0x5555560dacb0 <qemu_api::qdev::rust_reset_fn>) at ../hw/core/qdev.c:790
+#4  0x00005555560dac03 in qemu_api::qdev::<impl qemu_api::qom::ClassInitImpl<qemu_api::bindings::DeviceClass> for T>::class_init (dc=0x5555575ca128)
+    at rust/qemu-api/libqemu_api.rlib.p/structured/qdev.rs:84
+#5  qemu_api::sysbus::<impl qemu_api::qom::ClassInitImpl<qemu_api::bindings::SysBusDeviceClass> for T>::class_init (sdc=0x5555575ca128) at rust/qemu-api/libqemu_api.rlib.p/structured/sysbus.rs:31
+#6  <pl011::device::PL011State as qemu_api::qom::ClassInitImpl<pl011::device::PL011Class>>::class_init (klass=0x5555575ca120) at ../rust/hw/char/pl011/src/device.rs:140
+#7  qemu_api::qom::rust_class_init (klass=0x5555575ca120, _data=<optimized out>) at rust/qemu-api/libqemu_api.rlib.p/structured/qom.rs:176
+#8  0x0000555555fc0930 in type_initialize (ti=0x555557555eb0) at ../qom/object.c:359
+#9  type_initialize (ti=ti@entry=0x555557556070) at ../qom/object.c:365
+#10 0x0000555555fc1190 in type_initialize (ti=0x555557556070) at ../qom/object.c:1122
+#11 object_class_foreach_tramp (key=<optimized out>, value=0x555557556070, opaque=0x7fffffffdd00) at ../qom/object.c:1110
+#12 0x00007ffff7528668 in g_hash_table_foreach () from /lib64/libglib-2.0.so.0
+#13 0x0000555555fc1931 in object_class_foreach (opaque=0x7fffffffdcf8, include_abstract=false, implements_type=<optimized out>, fn=0x555555fbf810 <object_class_get_list_tramp>) at ../qom/object.c:87
+#14 object_class_get_list (implements_type=implements_type@entry=0x5555562c5440 "machine", include_abstract=include_abstract@entry=false) at ../qom/object.c:1189
+#15 0x0000555555bf53ac in machine_help_func (qdict=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../system/vl.c:1559
+#16 qemu_init (argc=3, argv=<optimized out>) at ../system/vl.c:3319
+#17 0x00005555558f1a89 in main (argc=<optimized out>, argv=<optimized out>) at ../system/main.c:68
+```
+Steps to reproduce:
+1. Checkout cf86770c7aa31ebd6e56f4eeb25c34107f92c51e
+2. `./configure --target-list=aarch64-softmmu --enable-rust && ninja -C build && ./build/qemu-system-aarch64 -machine help`
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2797 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2797
new file mode 100644
index 000000000..c25aa1e15
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2797
@@ -0,0 +1,3 @@
+arm/raspi.c - incease memory limit
+Additional information:
+I can attempt to make a PR that increases this limit, but not sure if others would find it useful.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2861 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2861
new file mode 100644
index 000000000..f34d3e7b8
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2861
@@ -0,0 +1,7 @@
+hw/pci-host/designware.c incorrect write to DESIGNWARE_PCIE_ATU_UPPER_TARGET register
+Description of problem:
+I think this is a obvious bug
+
+https://gitlab.com/qemu-project/qemu/-/blob/master/hw/pci-host/designware.c?ref_type=heads#L374
+
+Write to register DESIGNWARE_PCIE_ATU_UPPER_TARGET, val should be shifted left to update upper 32 bit part.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2870 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2870
new file mode 100644
index 000000000..9c2bcb73d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2870
@@ -0,0 +1 @@
+How to Create BE32-Type Instruction Emulation
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2886 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2886
new file mode 100644
index 000000000..3c58f990a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2886
@@ -0,0 +1,15 @@
+ACPI MADT advertises GITS even when disabled
+Description of problem:
+As per the command line given above, QEMU shall emulate a GICv4 without GIC Interrupt Translation Service (GITS).
+
+The following happens:
+- ACPI **incorrectly** lists a GITS (type 0xf) structure in the MADT with GITS MMIO Base = 0x8080000
+- The OS reads that structure and interprets it to mean a GITS is present at the given MMIO address
+- Subsequent access to GITS MMIO causes a data abort (0x25) because QEMU doesn't emulate a GITS (as requested)
+
+The bug is thus that QEMU wrongly advertises GITS as present (via the MADT) when it is in fact absent.
+Steps to reproduce:
+1. Disable GITS emulation by passing `its=off` on the QEMU command line
+2. Check if a GITS structure is listed in the ACPI MADT (must be present in ACPI MADT only if GITS is enabled and absent otherwise)
+Additional information:
+When booting with `its=on` (default), everything works as expected.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2896 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2896
new file mode 100644
index 000000000..4abb80cf0
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2896
@@ -0,0 +1 @@
+How to enable MPU support on Cortex-R5F?
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2898 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2898
new file mode 100644
index 000000000..6f0618fb7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2898
@@ -0,0 +1,115 @@
+-M virt,dumpdtb is missing information from the device tree
+Description of problem:
+dumpdtb no longer produces a device tree with the full system described.
+
+
+```
+$ dtc -I dtb -O dts test.dtb
+<stdout>: Warning (unit_address_vs_reg): /soc/pci@30000000: node has a unit name, but no reg or ranges property
+<stdout>: Warning (simple_bus_reg): /soc/pci@30000000: missing or empty reg/ranges property
+/dts-v1/;
+
+/ {
+	#address-cells = <0x02>;
+	#size-cells = <0x02>;
+	compatible = "riscv-virtio";
+	model = "riscv-virtio,qemu";
+
+	pmu {
+		riscv,event-to-mhpmcounters = <0x01 0x01 0x7fff9 0x02 0x02 0x7fffc 0x10019 0x10019 0x7fff8 0x1001b 0x1001b 0x7fff8 0x10021 0x10021 0x7fff8>;
+		compatible = "riscv,pmu";
+	};
+
+	fw-cfg@10100000 {
+		dma-coherent;
+		reg = <0x00 0x10100000 0x00 0x18>;
+		compatible = "qemu,fw-cfg-mmio";
+	};
+
+	flash@20000000 {
+		bank-width = <0x04>;
+		reg = <0x00 0x20000000 0x00 0x2000000 0x00 0x22000000 0x00 0x2000000>;
+		compatible = "cfi-flash";
+	};
+
+	aliases {
+	};
+
+	chosen {
+		rng-seed = <0xd4266784 0xc7a7c66f 0xd5b7347d 0x862188f3 0x78065a8e 0xebdedae5 0xd77c47b0 0x34d31eff>;
+	};
+
+	soc {
+		#address-cells = <0x02>;
+		#size-cells = <0x02>;
+		compatible = "simple-bus";
+		ranges;
+
+		pci@30000000 {
+		};
+	};
+};
+```
+Steps to reproduce:
+1. qemu-system-riscv64 -machine virt,dumpdtb=test.dtb
+2. dtc -I dtb -O dts test.dtb
+Additional information:
+The regression was introduced in https://gitlab.com/qemu-project/qemu/-/commit/8fd2518ef2f8d. If this commit is reverted, the expected behavior returns.
+
+```
+dtc -I dtb -O dts test.dtb | grep "@"
+	platform-bus@4000000 {
+	memory@80000000 {
+		cpu@0 {
+	fw-cfg@10100000 {
+	flash@20000000 {
+		serial0 = "/soc/serial@10000000";
+		stdout-path = "/soc/serial@10000000";
+		rtc@101000 {
+		serial@10000000 {
+			clock-frequency = "", "8@";
+		test@100000 {
+		virtio_mmio@10008000 {
+		virtio_mmio@10007000 {
+		virtio_mmio@10006000 {
+		virtio_mmio@10005000 {
+		virtio_mmio@10004000 {
+		virtio_mmio@10003000 {
+		virtio_mmio@10002000 {
+		virtio_mmio@10001000 {
+		plic@c000000 {
+		clint@2000000 {
+		pci@30000000 {
+```
+
+Other machines are affected to a lesser degree. The arm virt machine:
+
+qemu-system-arm -machine virt,dumpdtb=test.dtb
+```
+@@ -8,28 +8,6 @@
+ 	#address-cells = <0x02>;
+ 	compatible = "linux,dummy-virt";
+
+-	psci {
+-		migrate = <0x84000005>;
+-		cpu_on = <0x84000003>;
+-		cpu_off = <0x84000002>;
+-		cpu_suspend = <0x84000001>;
+-		method = "hvc";
+-		compatible = "arm,psci-1.0", "arm,psci-0.2", "arm,psci";
+-	};
+-
+-	memory@40000000 {
+-		reg = <0x00 0x40000000 0x00 0x8000000>;
+-		device_type = "memory";
+-	};
+-
+-	platform-bus@c000000 {
+-		interrupt-parent = <0x8002>;
+-		ranges = <0x00 0x00 0xc000000 0x2000000>;
+-		#address-cells = <0x01>;
+-		#size-cells = <0x01>;
+-		compatible = "qemu,platform", "simple-bus";
+-	};
+-
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2910 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2910
new file mode 100644
index 000000000..8d8fa6da5
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2910
@@ -0,0 +1,5 @@
+SME2 support for aarch64?
+Additional information:
+We've noticed that most `SME2` instructions work, despite `ARM_HWCAP2_A64_SME2` not being set.
+
+Cheers, Pedro
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2916 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2916
new file mode 100644
index 000000000..92a0df13d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2916
@@ -0,0 +1,26 @@
+qemu-system-arm hangs when attempting to enable MMU on Cortex-A7
+Description of problem:
+QEMU 9.x.x+ hangs when attempting to do enable the MMU from SCTLRL - M bit: https://developer.arm.com/documentation/ddi0601/2025-03/AArch32-Registers/SCTLR--System-Control-Register
+
+The instruction that hangs is the writing of the SCTLR register:
+
+```
+mrc     p15, 0, r0, c1, c0, 0
+orr     r0, r0, 1
+mcr     p15, 0, r0, c1, c0, 0
+```
+
+I am attempting to enable unaligned accesses and SCTLR-A bit doesn't seem to have any effect if the SCTLR-M is not enabled. Doing an unaligned access on cortex-a7 should be supported but it always trigger a Fault.
+Steps to reproduce:
+1. add the mrc/orr/mcr instruction sequence in the ResetHandler
+2. link the elf
+3. attempt to execute it
+Additional information:
+The unaligned access looked like it was working in QEMU 8.x.x but it might not have been emulated(?). I also am facing the same issues with MCR hanging and unaligned access not supported with latest 10.0.0-RC2.
+
+When it hangs, QEMU has to be killed and terminal reset.
+
+There might be two separate issues here:
+
+1. writing SCTLR register
+2. emulated cortex-a7 not supporting unaligned access (hardware supports it)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2917 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2917
new file mode 100644
index 000000000..be87e11a0
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2917
@@ -0,0 +1,22 @@
+build failure because of warnings when -O3 is used
+Description of problem:
+qemu build fails when -O3 is enabled and the build is done either from a git cloned qemu or with -Werror enabled (qemu build enables -Werror automatically when it detects the .git folder)
+Steps to reproduce:
+1. git clone qemu && install appropriate dependencies for qemu build
+2. mkdir build
+3. ../configure --extra-cflags="-O3"
+4. make -j$(nbproc)
+
+```
+cc -m64 -Ilibcommon.a.p -I../common-user/host/x86_64 -I../linux-user/include/host/x86_64 -I../linux-user/include -Isubprojects/libvduse -I../subprojects/libvduse -I/usr/include/p11-kit-1 -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/spice-server -I/usr/include/spice-1 -I/usr/include/libusb-1.0 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/sysprof-6 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/x86_64-linux-gnu -I/usr/include/webp -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/PCSC -I/usr/include/pipewire-0.3 -I/usr/include/spa-0.2 -I/usr/include/fuse3 -I/usr/include/uuid -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -fstack-protector-strong -Wempty-body -Wendif-labels -Wexpansion-to-defined -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /home/ubuntu/qemu/linux-headers -isystem linux-headers -iquote . 
-iquote /home/ubuntu/qemu -iquote /home/ubuntu/qemu/include -iquote /home/ubuntu/qemu/host/include/x86_64 -iquote /home/ubuntu/qemu/host/include/generic -iquote /home/ubuntu/qemu/tcg/i386 -pthread -mcx16 -msse2 -D_GNU_SOURCE -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -O3 -fPIE -D_FILE_OFFSET_BITS=64 -D__USE_FILE_OFFSET64 -D__USE_LARGEFILE64 -DUSE_POSIX_ACLS=1 -isystem /usr/include/mit-krb5 -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR=1 -D_REENTRANT -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.a.p/hw_ssi_xilinx_spips.c.o -MF libcommon.a.p/hw_ssi_xilinx_spips.c.o.d -o libcommon.a.p/hw_ssi_xilinx_spips.c.o -c ../hw/ssi/xilinx_spips.c
+../hw/ssi/xilinx_spips.c: In function ‘xilinx_spips_flush_txfifo’:
+../hw/ssi/xilinx_spips.c:624:30: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
+  624 |                     tx_rx[i] = fifo8_pop(&s->tx_fifo);
+      |                     ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
+../hw/ssi/xilinx_spips.c:613:17: note: at offset 2 into destination object ‘tx_rx’ of size 2
+  613 |         uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
+      |                 ^~~~~
+cc1: all warnings being treated as errors
+```
+Additional information:
+I fixed this warning locally on my build however it is only a start of several build warnings that happen down the road (\~6 warnings in total)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2921 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2921
new file mode 100644
index 000000000..b08ad225f
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2921
@@ -0,0 +1,368 @@
+Aarch64 reverse debugging test is unreliable
+Description of problem:
+The reverse-debugging test for the aarch64 target is not working reliably, especially if the host system is under load, approx. 1 or 2 out of 10 test runs fail. The log looks like this:
+
+```
+2025-04-14 10:24:35,042 test             L0310 INFO | INIT 1-ReverseDebugging_AArch64.test_aarch64_virt
+2025-04-14 10:24:35,043 parameters       L0142 DEBUG| PARAMS (key=timeout, path=*, default=10) => 10
+2025-04-14 10:24:35,043 test             L0338 DEBUG| Test metadata:
+2025-04-14 10:24:35,043 test             L0340 DEBUG|   filename: /.../tmp/qemu-build/tests/avocado/reverse_debugging.py
+2025-04-14 10:24:35,044 test             L0346 DEBUG|   teststmpdir: /var/tmp/avocado_w5d2bkam
+2025-04-14 10:24:35,044 test             L0536 INFO | START 1-ReverseDebugging_AArch64.test_aarch64_virt
+2025-04-14 10:24:35,044 test             L0207 DEBUG| DATA (filename=output.expected) => NOT FOUND (data sources: variant, test, file)
+2025-04-14 10:24:35,045 parameters       L0142 DEBUG| PARAMS (key=arch, path=*, default=aarch64) => 'aarch64'
+2025-04-14 10:24:35,045 parameters       L0142 DEBUG| PARAMS (key=cpu, path=*, default=cortex-a53) => 'cortex-a53'
+2025-04-14 10:24:35,046 parameters       L0142 DEBUG| PARAMS (key=qemu_bin, path=*, default=./qemu-system-aarch64) => './qemu-system-aarch64'
+2025-04-14 10:24:35,272 parameters       L0142 DEBUG| PARAMS (key=machine, path=*, default=virt) => 'virt'
+2025-04-14 10:24:35,290 test             L0465 DEBUG| Test workdir initialized at: /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt
+2025-04-14 10:24:35,290 process          L0658 INFO | Running '/.../tmp/qemu-build/qemu-img create -f qcow2 /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/disk.qcow2 128M'
+2025-04-14 10:24:35,347 process          L0470 DEBUG| [stdout] Formatting '/var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/disk.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=134217728 lazy_refcounts=off refcount_bits=16
+2025-04-14 10:24:35,393 process          L0739 INFO | Command '/.../tmp/qemu-build/qemu-img create -f qcow2 /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/disk.qcow2 128M' finished with 0 after 0.100170269s
+2025-04-14 10:24:35,475 __init__         L0314 DEBUG| QEMUMachine "28fc0d7d-bd0a-44c0-afa8-f24a1800132f" created
+2025-04-14 10:24:35,475 __init__         L0315 DEBUG| QEMUMachine "28fc0d7d-bd0a-44c0-afa8-f24a1800132f" temp_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/qemu-machine-052_8e_k
+2025-04-14 10:24:35,475 __init__         L0316 DEBUG| QEMUMachine "28fc0d7d-bd0a-44c0-afa8-f24a1800132f" log_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/1-ReverseDebugging_AArch64.test_aarch64_virt
+2025-04-14 10:24:36,195 __init__         L0314 DEBUG| QEMUMachine "3f348d83-7aa3-4381-9919-389bc85ed85b" created
+2025-04-14 10:24:36,196 __init__         L0315 DEBUG| QEMUMachine "3f348d83-7aa3-4381-9919-389bc85ed85b" temp_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/tmp_dir56wqq7g0/1-ReverseDebugging_AArch64.test_aarch64_virt/qemu-machine-vxlortdq
+2025-04-14 10:24:36,196 __init__         L0316 DEBUG| QEMUMachine "3f348d83-7aa3-4381-9919-389bc85ed85b" log_dir: /var/tmp/.avocado-taskky_yb2qf/test-results/1-ReverseDebugging_AArch64.test_aarch64_virt
+2025-04-14 10:24:37,623 stacktrace       L0039 ERROR| 
+2025-04-14 10:24:37,628 stacktrace       L0041 ERROR| Reproduced traceback from: /usr/lib/python3.13/site-packages/avocado/core/test.py:793
+2025-04-14 10:24:37,643 stacktrace       L0045 ERROR| Traceback (most recent call last):
+2025-04-14 10:24:37,643 stacktrace       L0045 ERROR|   File "/usr/lib/python3.13/site-packages/avocado/core/decorators.py", line 90, in wrapper
+2025-04-14 10:24:37,643 stacktrace       L0045 ERROR|     return function(obj, *args, **kwargs)
+2025-04-14 10:24:37,643 stacktrace       L0045 ERROR|   File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 239, in test_aarch64_virt
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|     self.reverse_debugging(
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|     ~~~~~~~~~~~~~~~~~~~~~~^
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|         args=('-kernel', kernel_path))
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|   File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 179, in reverse_debugging
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|     if self.vm_get_icount(vm) == last_icount - 1:
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|        ~~~~~~~~~~~~~~~~~~^^^^
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|   File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 100, in vm_get_icount
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|     return vm.qmp('query-replay')['return']['icount']
+2025-04-14 10:24:37,644 stacktrace       L0045 ERROR|            ~~~~~~^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|     ret = self._qmp.cmd_raw(cmd, args=qmp_args)
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|     return self.cmd_obj(qmp_cmd)
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|            ~~~~~~~~~~~~^^^^^^^^^
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 186, in cmd_obj
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|     self._sync(
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|     ~~~~~~~~~~^
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|         # pylint: disable=protected-access
+2025-04-14 10:24:37,645 stacktrace       L0045 ERROR|         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|     ...<5 lines>...
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|         self._timeout
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|         ^^^^^^^^^^^^^
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|     )
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|     ^
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync
+2025-04-14 10:24:37,646 stacktrace       L0045 ERROR|     return self._aloop.run_until_complete(
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|         asyncio.wait_for(future, timeout=timeout)
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|     )
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|     ^
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|   File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|     return future.result()
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|            ~~~~~~~~~~~~~^^
+2025-04-14 10:24:37,647 stacktrace       L0045 ERROR|   File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|     return await fut
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|            ^^^^^^^^^
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 547, in _raw
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|     return await self._execute(msg, assign_id=assign_id)
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 496, in _execute
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|     return await self._reply(exec_id)
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|            ^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 463, in _reply
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR|     raise result
+2025-04-14 10:24:37,648 stacktrace       L0045 ERROR| qemu.qmp.qmp_client.ExecInterruptedError: Disconnected
+2025-04-14 10:24:37,649 stacktrace       L0046 ERROR| 
+2025-04-14 10:24:37,649 test             L0798 DEBUG| Local variables:
+2025-04-14 10:24:37,671 test             L0801 DEBUG|  -> obj <class 'reverse_debugging.ReverseDebugging_AArch64'>: 1-ReverseDebugging_AArch64.test_aarch64_virt
+2025-04-14 10:24:37,671 test             L0801 DEBUG|  -> args <class 'tuple'>: ()
+2025-04-14 10:24:37,671 test             L0801 DEBUG|  -> kwargs <class 'dict'>: {}
+2025-04-14 10:24:37,671 test             L0801 DEBUG|  -> condition <class 'str'>: 1
+2025-04-14 10:24:37,671 test             L0801 DEBUG|  -> function <class 'function'>: <function ReverseDebugging_AArch64.test_aarch64_virt at 0x7fc6d4cc87c0>
+2025-04-14 10:24:37,672 test             L0801 DEBUG|  -> message <class 'str'>: Test is unstable on GitLab
+2025-04-14 10:24:37,672 test             L0801 DEBUG|  -> negate <class 'bool'>: True
+2025-04-14 10:24:37,673 stacktrace       L0039 ERROR| 
+2025-04-14 10:24:37,673 stacktrace       L0041 ERROR| Reproduced traceback from: /usr/lib/python3.13/site-packages/avocado/core/test.py:819
+2025-04-14 10:24:37,678 stacktrace       L0045 ERROR| Traceback (most recent call last):
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 580, in _soft_shutdown
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|     self.qmp('quit')
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|     ~~~~~~~~^^^^^^^^
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|     ret = self._qmp.cmd_raw(cmd, args=qmp_args)
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|     return self.cmd_obj(qmp_cmd)
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|            ~~~~~~~~~~~~^^^^^^^^^
+2025-04-14 10:24:37,679 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 192, in cmd_obj
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR|     self._qmp._raw(qmp_cmd, assign_id=False),
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR|     ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 155, in _wrapper
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR|     raise StateError(emsg, proto.runstate, required_state)
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR| qemu.qmp.protocol.StateError: QMPClient is disconnecting. Call disconnect() to return to IDLE state.
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR| 
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR| During handling of the above exception, another exception occurred:
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR| 
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR| Traceback (most recent call last):
+2025-04-14 10:24:37,680 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 611, in _do_shutdown
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     self._soft_shutdown(timeout)
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     ~~~~~~~~~~~~~~~~~~~^^^^^^^^^
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 583, in _soft_shutdown
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     self._close_qmp_connection()
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     ~~~~~~~~~~~~~~~~~~~~~~~~~~^^
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 501, in _close_qmp_connection
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     self._qmp.close()
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     ~~~~~~~~~~~~~~~^^
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 281, in close
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     self._sync(
+2025-04-14 10:24:37,681 stacktrace       L0045 ERROR|     ~~~~~~~~~~^
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|         self._qmp.disconnect()
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|         ^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|     )
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|     ^
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|     return self._aloop.run_until_complete(
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|         asyncio.wait_for(future, timeout=timeout)
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|     )
+2025-04-14 10:24:37,682 stacktrace       L0045 ERROR|     ^
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|   File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|     return future.result()
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|            ~~~~~~~~~~~~~^^
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|   File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|     return await fut
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|            ^^^^^^^^^
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 399, in disconnect
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|     await self._wait_disconnect()
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 719, in _wait_disconnect
+2025-04-14 10:24:37,683 stacktrace       L0045 ERROR|     await all_defined_tasks  # Raise Exceptions from the bottom half.
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|     ^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 870, in _bh_loop_forever
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|     await async_fn()
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 908, in _bh_recv_message
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|     msg = await self._recv()
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|           ^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 1009, in _recv
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|     message = await self._do_recv()
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|               ^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 402, in _do_recv
+2025-04-14 10:24:37,684 stacktrace       L0045 ERROR|     msg_bytes = await self._readline()
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR|                 ^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 977, in _readline
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR|     raise EOFError
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR| EOFError
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR| 
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR| The above exception was the direct cause of the following exception:
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR| 
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR| Traceback (most recent call last):
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR|   File "/.../tmp/qemu-build/tests/avocado/avocado_qemu/__init__.py", line 372, in tearDown
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR|     vm.shutdown()
+2025-04-14 10:24:37,685 stacktrace       L0045 ERROR|     ~~~~~~~~~~~^^
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 648, in shutdown
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR|     self._do_shutdown(timeout)
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR|     ~~~~~~~~~~~~~~~~~^^^^^^^^^
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 618, in _do_shutdown
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR|     raise AbnormalShutdown("Could not perform graceful shutdown") \
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR|         from exc
+2025-04-14 10:24:37,686 stacktrace       L0045 ERROR| qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown
+2025-04-14 10:24:37,686 stacktrace       L0046 ERROR| 
+2025-04-14 10:24:37,694 test             L0941 ERROR| Traceback (most recent call last):
+2025-04-14 10:24:37,694 test             L0941 ERROR|   File "/usr/lib/python3.13/site-packages/avocado/core/test.py", line 881, in _run_avocado
+    raise test_exception
+2025-04-14 10:24:37,694 test             L0941 ERROR|   File "/usr/lib/python3.13/site-packages/avocado/core/test.py", line 788, in _run_avocado
+    testMethod()
+    ~~~~~~~~~~^^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/usr/lib/python3.13/site-packages/avocado/core/decorators.py", line 90, in wrapper
+    return function(obj, *args, **kwargs)
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 239, in test_aarch64_virt
+    self.reverse_debugging(
+    ~~~~~~~~~~~~~~~~~~~~~~^
+        args=('-kernel', kernel_path))
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 179, in reverse_debugging
+    if self.vm_get_icount(vm) == last_icount - 1:
+       ~~~~~~~~~~~~~~~~~~^^^^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../tmp/qemu-build/tests/avocado/reverse_debugging.py", line 100, in vm_get_icount
+    return vm.qmp('query-replay')['return']['icount']
+           ~~~~~~^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp
+    ret = self._qmp.cmd_raw(cmd, args=qmp_args)
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw
+    return self.cmd_obj(qmp_cmd)
+           ~~~~~~~~~~~~^^^^^^^^^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 186, in cmd_obj
+    self._sync(
+    ~~~~~~~~~~^
+        # pylint: disable=protected-access
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    ...<5 lines>...
+        self._timeout
+        ^^^^^^^^^^^^^
+    )
+    ^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync
+    return self._aloop.run_until_complete(
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
+        asyncio.wait_for(future, timeout=timeout)
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    )
+    ^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete
+    return future.result()
+           ~~~~~~~~~~~~~^^
+2025-04-14 10:24:37,695 test             L0941 ERROR|   File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for
+    return await fut
+           ^^^^^^^^^
+2025-04-14 10:24:37,696 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 547, in _raw
+    return await self._execute(msg, assign_id=assign_id)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,696 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 496, in _execute
+    return await self._reply(exec_id)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^
+2025-04-14 10:24:37,696 test             L0941 ERROR|   File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 463, in _reply
+    raise result
+2025-04-14 10:24:37,696 test             L0941 ERROR| qemu.qmp.qmp_client.ExecInterruptedError: Disconnected
+2025-04-14 10:24:37,696 test             L0956 ERROR| ERROR 1-ReverseDebugging_AArch64.test_aarch64_virt -> ExecInterruptedError: Disconnected
+2025-04-14 10:24:37,696 test             L0948 INFO | 
+```
+Steps to reproduce:
+1. ``make check-venv``
+2. Run something in the background that keeps all CPUs busy
+3. ``for ((x=0;x<20;x++)); do QEMU_TEST_FLAKY_TESTS=1 pyvenv/bin/avocado run tests/avocado/reverse_debugging.py:ReverseDebugging_AArch64.test_aarch64_virt  ; done``
+Additional information:
+The problem can be reproduced with the test converted to the functional framework, too (that's where I noticed it first). In that case the stack trace looked like this:
+
+```
+$ QEMU_TEST_ALLOW_SLOW=1 QEMU_TEST_ALLOW_UNTRUSTED_CODE=1 QEMU_TEST_FLAKY_TESTS=1 QEMU_TEST_ALLOW_LARGE_STORAGE=1 ~/devel/qemu/tests/functional/test_aarch64_reverse_debug.py 
+TAP version 13
+Traceback (most recent call last):
+  File "/.../devel/qemu/tests/functional/test_aarch64_reverse_debug.py", line 33, in test_aarch64_virt
+    self.reverse_debugging(args=('-kernel', kernel_path))
+    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 147, in reverse_debugging
+    pc = self.get_pc(g)
+  File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 82, in get_pc
+    return self.get_reg(g, self.REG_PC)
+           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^
+  File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 77, in get_reg
+    return self.get_reg_le(g, reg)
+           ~~~~~~~~~~~~~~~^^^^^^^^
+  File "/.../devel/qemu/tests/functional/reverse_debugging.py", line 63, in get_reg_le
+    res = g.cmd(b'p%x' % reg)
+  File "/usr/lib/python3.13/site-packages/avocado/utils/gdb.py", line 783, in cmd
+    response_payload = self.decode(result)
+  File "/usr/lib/python3.13/site-packages/avocado/utils/gdb.py", line 738, in decode
+    raise InvalidPacketError
+avocado.utils.gdb.InvalidPacketError
+
+not ok 1 test_aarch64_reverse_debug.ReverseDebugging_AArch64.test_aarch64_virt
+Traceback (most recent call last):
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 580, in _soft_shutdown
+    self.qmp('quit')
+    ~~~~~~~~^^^^^^^^
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 711, in qmp
+    ret = self._qmp.cmd_raw(cmd, args=qmp_args)
+  File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 208, in cmd_raw
+    return self.cmd_obj(qmp_cmd)
+           ~~~~~~~~~~~~^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 186, in cmd_obj
+    self._sync(
+    ~~~~~~~~~~^
+        # pylint: disable=protected-access
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    ...<5 lines>...
+        self._timeout
+        ^^^^^^^^^^^^^
+    )
+    ^
+  File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync
+    return self._aloop.run_until_complete(
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
+        asyncio.wait_for(future, timeout=timeout)
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    )
+    ^
+  File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete
+    return future.result()
+           ~~~~~~~~~~~~~^^
+  File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for
+    return await fut
+           ^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 547, in _raw
+    return await self._execute(msg, assign_id=assign_id)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 496, in _execute
+    return await self._reply(exec_id)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/qmp/qmp_client.py", line 463, in _reply
+    raise result
+qemu.qmp.qmp_client.ExecInterruptedError: Disconnected
+
+During handling of the above exception, another exception occurred:
+
+Traceback (most recent call last):
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 611, in _do_shutdown
+    self._soft_shutdown(timeout)
+    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 583, in _soft_shutdown
+    self._close_qmp_connection()
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~^^
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 501, in _close_qmp_connection
+    self._qmp.close()
+    ~~~~~~~~~~~~~~~^^
+  File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 281, in close
+    self._sync(
+    ~~~~~~~~~~^
+        self._qmp.disconnect()
+        ^^^^^^^^^^^^^^^^^^^^^^
+    )
+    ^
+  File "/.../devel/qemu/python/qemu/qmp/legacy.py", line 102, in _sync
+    return self._aloop.run_until_complete(
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
+        asyncio.wait_for(future, timeout=timeout)
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    )
+    ^
+  File "/usr/lib64/python3.13/asyncio/base_events.py", line 725, in run_until_complete
+    return future.result()
+           ~~~~~~~~~~~~~^^
+  File "/usr/lib64/python3.13/asyncio/tasks.py", line 507, in wait_for
+    return await fut
+           ^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 399, in disconnect
+    await self._wait_disconnect()
+  File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 719, in _wait_disconnect
+    await all_defined_tasks  # Raise Exceptions from the bottom half.
+    ^^^^^^^^^^^^^^^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/qmp/protocol.py", line 834, in _bh_close_stream
+    await wait_closed(self._writer)
+  File "/.../devel/qemu/python/qemu/qmp/util.py", line 130, in wait_closed
+    await writer.wait_closed()
+  File "/usr/lib64/python3.13/asyncio/streams.py", line 358, in wait_closed
+    await self._protocol._get_close_waiter(self)
+  File "/usr/lib64/python3.13/asyncio/selector_events.py", line 1067, in write
+    n = self._sock.send(data)
+BrokenPipeError: [Errno 32] Broken pipe
+
+The above exception was the direct cause of the following exception:
+
+Traceback (most recent call last):
+  File "/.../devel/qemu/tests/functional/qemu_test/testcase.py", line 398, in tearDown
+    vm.shutdown()
+    ~~~~~~~~~~~^^
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 648, in shutdown
+    self._do_shutdown(timeout)
+    ~~~~~~~~~~~~~~~~~^^^^^^^^^
+  File "/.../devel/qemu/python/qemu/machine/machine.py", line 618, in _do_shutdown
+    raise AbnormalShutdown("Could not perform graceful shutdown") \
+        from exc
+qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown
+
+not ok 1 test_aarch64_reverse_debug.ReverseDebugging_AArch64.test_aarch64_virt
+1..1
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/2944 b/gitlab/issues_text/target_arm/host_missing/accel_missing/2944
new file mode 100644
index 000000000..69334651b
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/2944
@@ -0,0 +1,21 @@
+Commit 59754f85 introduces regression with U-Boot on Cortex-A9 platforms
+Description of problem:
+In U-Boot CI, we started to update from v8.2.0 to v9.2.3 and found that the vexpress_ca9x4 platform was now failing one of the CI tests. I have reconfirmed the problem on top of tree QEMU, and bisected the failure to commit [59754f85("target/arm: Do memory type alignment check when translation disabled
+")](https://gitlab.com/qemu-project/qemu/-/commit/59754f85ed35cbd5f4bf2663ca2136c78d5b2413). I have also re-verified the test is fine on a physical platform with a Cortex-A9 that is as follows (per the RM):
+```
+Table 12-2. Cortex-A9 revision
+Core MP004-BU-50000-r2p10-0rel0
+NEON AT397-BU-50001- r2p0-00rel0
+PL310 PL310-BU-00000-r3p2-50rel0
+```
+Steps to reproduce:
+1. git clone https://source.denx.de/u-boot/u-boot.git; cd u-boot
+2. make O=/tmp/vexpress_ca9x4 CROSS_COMPILE=arm-linux-gnueabi- vexpress_ca9x4_config
+3. make O=/tmp/vexpress_ca9x4 CROSS_COMPILE=arm-linux-gnueabi- -sj$(nproc)
+4. qemu-system-arm -nographic -m 1G -audio none -net user,tftp=/tmp/vexpress_ca9x4 -net nic -M vexpress-a9 -kernel /tmp/vexpress_ca9x4/u-boot
+5. Stop autoboot with any key
+6. setenv autoload no
+7. dhcp
+8. tftpboot 60200000 lib/efi_loader/helloworld.efi
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/340 b/gitlab/issues_text/target_arm/host_missing/accel_missing/340
new file mode 100644
index 000000000..38ec006cb
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/340
@@ -0,0 +1 @@
+qemu: uncaught target signal 6 (Aborted) - core dumped on Apple Silicon M1 arm64
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/373 b/gitlab/issues_text/target_arm/host_missing/accel_missing/373
new file mode 100644
index 000000000..cc7310c45
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/373
@@ -0,0 +1 @@
+Indentation should be done with spaces, not with TABs, in the ARM subsystem
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/386 b/gitlab/issues_text/target_arm/host_missing/accel_missing/386
new file mode 100644
index 000000000..2add76918
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/386
@@ -0,0 +1 @@
+raspi0 machine has incorrect memory mapping for devices
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/410 b/gitlab/issues_text/target_arm/host_missing/accel_missing/410
new file mode 100644
index 000000000..bf9c3239f
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/410
@@ -0,0 +1 @@
+Abort in audio_bug triggered in sb16/pl041
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/411 b/gitlab/issues_text/target_arm/host_missing/accel_missing/411
new file mode 100644
index 000000000..185c6722c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/411
@@ -0,0 +1 @@
+Abort when runs into unsupported AUXCommand in xlnx_dp_aux_set_command
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/447 b/gitlab/issues_text/target_arm/host_missing/accel_missing/447
new file mode 100644
index 000000000..0e21ab562
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/447
@@ -0,0 +1 @@
+qemu-arm: Unable to reserve 0xffff0000 bytes of virtual address space at 0x1000 (Success) for use as guest address space (check yourvirtual memory ulimit setting, min_mmap_addr or reserve less using -R option)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/448 b/gitlab/issues_text/target_arm/host_missing/accel_missing/448
new file mode 100644
index 000000000..de9f7f6c7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/448
@@ -0,0 +1 @@
+raspi0 machine leads to kernel panic of latest raspberry pi os kernel
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/45 b/gitlab/issues_text/target_arm/host_missing/accel_missing/45
new file mode 100644
index 000000000..1f8040946
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/45
@@ -0,0 +1 @@
+qemu-system-aarch64: no function defined to set boot device list for this architecture
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/452 b/gitlab/issues_text/target_arm/host_missing/accel_missing/452
new file mode 100644
index 000000000..5ff54aea3
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/452
@@ -0,0 +1,56 @@
+Akita (and probably all Spitz-like / PXA270) platform does not load BIOS binary
+Description of problem:
+QEMU does not appear to load a binary file passed with the "-bios" argument for the "akita" target. This probably extends to other spitz-type systems.
+
+Exptected behavior: qemu loads the binary into address 0x0000.
+Actual behavior: address space at 0x0000 contains only zeros.
+Steps to reproduce:
+Terminal 1:
+```
+qemu-system-arm -M akita -bios c750.rom -s -S
+```
+
+Terminal 2: 
+```
+gdb-multiarch
+target remote localhost:1234
+x/64i $pc
+```
+
+Result:
+```
+=> 0x0: andeq   r0, r0, r0
+   0x4: andeq   r0, r0, r0
+   0x8: andeq   r0, r0, r0
+   0xc: andeq   r0, r0, r0
+   0x10:        andeq   r0, r0, r0
+```
+
+Correct behavior (can demonstrate with virt machine):
+Same as before, but start Terminal 1 with:
+```
+qemu-system-arm -M akita -bios c750.rom -s -S
+```
+
+Result:
+```
+=> 0x0: b       0x34
+   0x4: ldr     pc, [pc, #156]  ; 0xa8
+   0x8: ldr     pc, [pc, #156]  ; 0xac
+   0xc: ldr     pc, [pc, #156]  ; 0xb0
+   0x10:        ldr     pc, [pc, #156]  ; 0xb4
+   0x14:        nop                     ; (mov r0, r0)
+   0x18:        ldr     pc, [pc, #152]  ; 0xb8
+   0x1c:        ldr     pc, [pc, #152]  ; 0xbc
+   0x20:        mov     r0, #128        ; 0x80
+   0x24:        b       0x2c
+   0x28:        mov     r0, #129        ; 0x81
+   0x2c:        ldr     r1, [pc, #140]  ; 0xc0
+   0x30:        str     r0, [r1]
+   0x34:        mrs     lr, CPSR
+   0x38:        bic     lr, lr, #31
+   0x3c:        orr     lr, lr, #211    ; 0xd3
+   0x40:        msr     CPSR_fc, lr
+```
+Additional information:
+File with very tiny boot ROM: [c750-tiny.rom](/uploads/045852c8b353174bf0b7a4193d0d1be0/c750-tiny.rom)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/454 b/gitlab/issues_text/target_arm/host_missing/accel_missing/454
new file mode 100644
index 000000000..041f2b30d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/454
@@ -0,0 +1,3 @@
+edk2-aarch64-code.fd prints a lot of debug output
+Additional information:
+Currently running a QEMU version built from source with the last commit to pc-bios being 7a3d37a3f2335e18539e821d0c72abe0b22480bd (and I don't see any changes to edk2-aarch64-code since)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/459 b/gitlab/issues_text/target_arm/host_missing/accel_missing/459
new file mode 100644
index 000000000..ab940ce38
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/459
@@ -0,0 +1,35 @@
+bcm2835_aux (raspi3) fails when the receive FIFO fills up
+Description of problem:
+When a bare-metal application on the `raspi3` board reads the `AUX_MU_STAT_REG` MMIO register while the device's buffer is at full receive FIFO capacity (i.e. `s->read_count == BCM2835_AUX_RX_FIFO_LEN`) the assertion `assert(s->read_count < BCM2835_AUX_RX_FIFO_LEN)` fails.
+
+The assertion in question is currently in line 141 of `hw/char/bcm2835_aux.c`: https://gitlab.com/qemu-project/qemu/-/blob/9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1/hw/char/bcm2835_aux.c#L141
+but in my current QEMU version, it seems that it was in line 140, but I don't think that has any implication on this error. If the below steps to reproduce are followed, the full output of a normal QEMU (no debugging output or anything) is simply:
+
+```text
+$ echo abcdefgh | qemu-system-aarch64 -M raspi3 -kernel kernel8.elf -serial null -serial stdio
+qemu-system-aarch64: /build/qemu-71DV4m/qemu-4.2/hw/char/bcm2835_aux.c:140: bcm2835_aux_read: Assertion `s->read_count < BCM2835_AUX_RX_FIFO_LEN' failed.
+Aborted (core dumped)
+```
+
+Notice, that there is nothing really wrong with the implementation, if for instance an application that uses the `AUX_MU_LSR_REG` instead to check whether input is available, everything works as expected. It really seems that just this assertion is wrong. Also notice that the [BCM2835 manual](https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf) (page 18) explicitly allows values inclusive 8.
+Steps to reproduce:
+1. write a minimal bare-metal application for aarch64 using below main file
+2. compile it with a decent aarch64 compiler, linker script and entry assembly as `kernel8.elf`
+3. `echo abcdefgh | qemu-system-aarch64 -M raspi3 -kernel kernel8.elf -serial null -serial stdio`
+4. QEMU crashes with the above state assertion error
+Additional information:
+Minimal bare-metal application (`main.c`):
+
+```c
+#define MMIO_BASE       0x3F000000
+#define AUX_MU_STAT     ((volatile unsigned int*)(MMIO_BASE+0x00215064))
+
+void main() {
+    while (1) {
+        // Just read STAT register to trigger the assertion error
+        *AUX_MU_STAT;
+    }
+}
+```
+
+Also see [kernel8.elf.zip](/uploads/b12ae2750d2df1bb8db2701f3145f653/kernel8.elf.zip) for a precompiled version of the above application.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/461 b/gitlab/issues_text/target_arm/host_missing/accel_missing/461
new file mode 100644
index 000000000..4454222f0
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/461
@@ -0,0 +1 @@
+What's your plan of Raspberry 3/3B/4B
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/467 b/gitlab/issues_text/target_arm/host_missing/accel_missing/467
new file mode 100644
index 000000000..8c5fafa3f
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/467
@@ -0,0 +1 @@
+savevm/loadvm/migration broken for 32-bit arm guests that use TrustZone
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/468 b/gitlab/issues_text/target_arm/host_missing/accel_missing/468
new file mode 100644
index 000000000..58ebd5667
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/468
@@ -0,0 +1 @@
+Zynq7000 UART clock reset initialization
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/470 b/gitlab/issues_text/target_arm/host_missing/accel_missing/470
new file mode 100644
index 000000000..d9d59a0e7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/470
@@ -0,0 +1 @@
+qemu linux-user requires read permissions on memory passed to syscalls that should only need write access
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/472 b/gitlab/issues_text/target_arm/host_missing/accel_missing/472
new file mode 100644
index 000000000..fab3bb00d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/472
@@ -0,0 +1 @@
+Device trees should specify `clock-frequency` property for `/cpus/cpu*` nodes
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/481 b/gitlab/issues_text/target_arm/host_missing/accel_missing/481
new file mode 100644
index 000000000..49f1aa157
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/481
@@ -0,0 +1 @@
+Implement I2C for BCM2835 (raspi)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/482 b/gitlab/issues_text/target_arm/host_missing/accel_missing/482
new file mode 100644
index 000000000..6192b7b3c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/482
@@ -0,0 +1 @@
+Unable to set SVE VL to 1024 bits or above since 7b6a2198
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/518 b/gitlab/issues_text/target_arm/host_missing/accel_missing/518
new file mode 100644
index 000000000..8b40e942a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/518
@@ -0,0 +1 @@
+Android for arm guest
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/528 b/gitlab/issues_text/target_arm/host_missing/accel_missing/528
new file mode 100644
index 000000000..c84f406b5
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/528
@@ -0,0 +1 @@
+arm: trying to use KVM with an EL3-enabled CPU hits an assertion failure
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/54 b/gitlab/issues_text/target_arm/host_missing/accel_missing/54
new file mode 100644
index 000000000..eccc61b72
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/54
@@ -0,0 +1 @@
+Attaching SD-Card to specific SD-Bus Sabrelite (ARM)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/549 b/gitlab/issues_text/target_arm/host_missing/accel_missing/549
new file mode 100644
index 000000000..69ba2f5ac
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/549
@@ -0,0 +1 @@
+FPE in npcm7xx_clk_update_pll
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/550 b/gitlab/issues_text/target_arm/host_missing/accel_missing/550
new file mode 100644
index 000000000..3ad9b9d7e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/550
@@ -0,0 +1 @@
+FPE in npcm7xx_adc_convert
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/555 b/gitlab/issues_text/target_arm/host_missing/accel_missing/555
new file mode 100644
index 000000000..a811b7b79
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/555
@@ -0,0 +1 @@
+qemu user aarch64 crashes when giving the dynamic loader as argument
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/61 b/gitlab/issues_text/target_arm/host_missing/accel_missing/61
new file mode 100644
index 000000000..91c26884b
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/61
@@ -0,0 +1 @@
+qemu-system-arm segfaults while servicing SYS_HEAPINFO
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/613 b/gitlab/issues_text/target_arm/host_missing/accel_missing/613
new file mode 100644
index 000000000..4f58eb699
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/613
@@ -0,0 +1 @@
+ARM cortex-m55 LOB instructions make QEMU crash
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/620 b/gitlab/issues_text/target_arm/host_missing/accel_missing/620
new file mode 100644
index 000000000..bbcd808a3
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/620
@@ -0,0 +1 @@
+QEMU gdbstub should add memtag support for aarch64 MTE
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/633 b/gitlab/issues_text/target_arm/host_missing/accel_missing/633
new file mode 100644
index 000000000..91be580e2
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/633
@@ -0,0 +1,32 @@
+i686-arm-user-static - Allocating guest commpage: Operation not permitted
+Steps to reproduce:
+1. Run the test case linked earlier.
+2. You'll see `apt update` failing:
+
+```
+Get:1 http://archive.raspberrypi.org/debian buster InRelease [32.6 kB]
+Get:2 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB]
+Err:1 http://archive.raspberrypi.org/debian buster InRelease
+  At least one invalid signature was encountered.
+Err:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
+  At least one invalid signature was encountered.
+Reading package lists... Done
+W: GPG error: http://archive.raspberrypi.org/debian buster InRelease: At least one invalid signature was encountered.
+E: The repository 'http://archive.raspberrypi.org/debian buster InRelease' is not signed.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
+N: See apt-secure(8) manpage for repository creation and user configuration details.
+W: GPG error: http://raspbian.raspberrypi.org/raspbian buster InRelease: At least one invalid signature was encountered.
+E: The repository 'http://raspbian.raspberrypi.org/raspbian buster InRelease' is not signed.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
+N: See apt-secure(8) manpage for repository creation and user configuration details.
+```
+Additional information:
+Setting `sysctl vm.mmap_min_addr=53248` makes it work (as opposed to the system default of 65536).
+
+Bisecting the bug linked earlier also breaks this in a slightly different way. Everything works at 87b74e8b6edd287ea2160caa0ebea725fa8f1ca1. After that, apt update appears to work, but the package lists end up empty, so nothing can be installed. Then after 975ac4559c4c00010e05f7a3e782eeb9497837ea, the output is as provided above.
+
+apt launches /usr/lib/apt/methods/gpgv and passes it some commands through stdin. gpgv launches /usr/bin/apt-key, which fails with `Allocating guest commpage: Operation not permitted`. Running gpgv directly and sending the same commands works without any issues. The problem only occurs when gpgv is run through apt. (I don't meant the normal system gpgv binary, but the transport method binary that comes with apt)
+
+Getting any output is tricky because by the time apt-key is launched, gpgv redirects stdout and stderr to /dev/null and communication takes place through fd 3. https://salsa.debian.org/apt-team/apt/-/blob/2.2.4/apt-pkg/contrib/gpgv.cc#L355 https://salsa.debian.org/apt-team/apt/-/blob/main/methods/gpgv.cc#L186
+
+I had to do some ugly things with different versions of qemu and wrapper scripts to see the commpage error, but hopefully there's enough information provided here that it won't be necessary.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/636 b/gitlab/issues_text/target_arm/host_missing/accel_missing/636
new file mode 100644
index 000000000..73a12814e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/636
@@ -0,0 +1,356 @@
+tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd can not perform graceful shutdown
+Description of problem:
+Roughly once every 20 times, the [`halt`](https://gitlab.com/qemu-project/qemu/-/blob/73257aa02376829f724357094e252fc3e5dd1363/tests/acceptance/boot_linux_console.py#L522) command will not produce the desired effect, and [wait()ing](https://gitlab.com/qemu-project/qemu/-/blob/73257aa02376829f724357094e252fc3e5dd1363/tests/acceptance/boot_linux_console.py#L524) on the QEMU process to gracefully shutdown will fail.
+
+I was not able to see any other failure in what the test covers, except the `halt` command and the `wait()`ing.  That is, the booting of the kernel and initrd, and the execution of commands to inspect the system all run without problems.
+Steps to reproduce:
+1. make check-venv
+2. ./tests/venv/bin/avocado run tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd
+Additional information:
+```
+13:48:01 DEBUG| PARAMS (key=arch, path=*, default=arm) => 'arm'
+13:48:01 DEBUG| PARAMS (key=cpu, path=*, default=None) => None
+13:48:01 DEBUG| PARAMS (key=machine, path=*, default=raspi2b) => 'raspi2b'
+13:48:01 DEBUG| PARAMS (key=qemu_bin, path=*, default=./qemu-system-arm) => './qemu-system-arm'
+13:48:01 DEBUG| Test workdir initialized at: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd
+13:48:08 DEBUG| QEMUMachine "default" created
+13:48:08 DEBUG| QEMUMachine "default" temp_dir: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/qemu-machine-5pavn9gy
+13:48:08 DEBUG| QEMUMachine "default" log_dir: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd
+13:48:08 DEBUG| VM launch command: './qemu-system-arm -display none -vga none -chardev socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock -mon chardev=mon,mode=control -machine raspi2b -chardev socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off -serial chardev:console -kernel /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img -dtb /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb -initrd /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio -append printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0 -no-reboot'
+13:48:08 DEBUG| >>> {'execute': 'qmp_capabilities'}
+13:48:08 DEBUG| <<< {'return': {}}
+13:48:08 DEBUG| [    0.000000] Booting Linux on physical CPU 0xf00
+13:48:08 DEBUG| [    0.000000] Linux version 4.14.98-v7+ (dom@dom-XPS-13-9370) (gcc version 4.9.3 (crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1200 SMP Tue Feb 12 20:27:48 GMT 2019
+13:48:08 DEBUG| [    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
+13:48:08 DEBUG| [    0.000000] CPU: div instructions available: patching division code
+13:48:08 DEBUG| [    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
+13:48:08 DEBUG| [    0.000000] OF: fdt: Machine model: Raspberry Pi 2 Model B
+13:48:08 DEBUG| [    0.000000] earlycon: pl11 at MMIO 0x3f201000 (options '')
+13:48:08 DEBUG| [    0.000000] bootconsole [pl11] enabled
+13:48:08 DEBUG| [    0.000000] Memory policy: Data cache writealloc
+13:48:08 DEBUG| [    0.000000] cma: Reserved 8 MiB at 0x3b800000
+13:48:08 DEBUG| [    0.000000] percpu: Embedded 17 pages/cpu @baf2e000 s38720 r8192 d22720 u69632
+13:48:08 DEBUG| [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 243600
+13:48:08 DEBUG| [    0.000000] Kernel command line: printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0
+13:48:08 DEBUG| PID hash table entries: 4096 (order: 2, 16384 bytes)
+13:48:08 DEBUG| Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
+13:48:08 DEBUG| Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
+13:48:08 DEBUG| Memory: 949120K/983040K available (7168K kernel code, 577K rwdata, 2080K rodata, 1024K init, 698K bss, 25728K reserved, 8192K cma-reserved)
+13:48:08 DEBUG| Virtual kernel memory layout:
+13:48:08 DEBUG| vector  : 0xffff0000 - 0xffff1000   (   4 kB)
+13:48:08 DEBUG| fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
+13:48:08 DEBUG| vmalloc : 0xbc800000 - 0xff800000   (1072 MB)
+13:48:08 DEBUG| lowmem  : 0x80000000 - 0xbc000000   ( 960 MB)
+13:48:08 DEBUG| modules : 0x7f000000 - 0x80000000   (  16 MB)
+13:48:08 DEBUG| .text : 0x80008000 - 0x80800000   (8160 kB)
+13:48:08 DEBUG| .init : 0x80b00000 - 0x80c00000   (1024 kB)
+13:48:08 DEBUG| .data : 0x80c00000 - 0x80c906d4   ( 578 kB)
+13:48:08 DEBUG| .bss : 0x80c97ef8 - 0x80d468f0   ( 699 kB)
+13:48:08 DEBUG| SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
+13:48:08 DEBUG| ftrace: allocating 25298 entries in 75 pages
+13:48:09 DEBUG| Hierarchical RCU implementation.
+13:48:09 DEBUG| NR_IRQS: 16, nr_irqs: 16, preallocated irqs: 16
+13:48:09 DEBUG| arch_timer: cp15 timer(s) running at 62.50MHz (virt).
+13:48:09 DEBUG| clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1cd42e208c, max_idle_ns: 881590405314 ns
+13:48:09 DEBUG| sched_clock: 56 bits at 62MHz, resolution 16ns, wraps every 4398046511096ns
+13:48:09 DEBUG| Switching to timer-based delay loop, resolution 16ns
+13:48:09 DEBUG| Console: colour dummy device 80x30
+13:48:09 DEBUG| Calibrating delay loop (skipped), value calculated using timer frequency.. 125.00 BogoMIPS (lpj=625000)
+13:48:09 DEBUG| pid_max: default: 32768 minimum: 301
+13:48:09 DEBUG| Mount-cache hash table entries: 2048 (order: 1, 8192 bytes)
+13:48:09 DEBUG| Mountpoint-cache hash table entries: 2048 (order: 1, 8192 bytes)
+13:48:09 DEBUG| Disabling memory control group subsystem
+13:48:09 DEBUG| CPU: Testing write buffer coherency: ok
+13:48:09 DEBUG| CPU0: update cpu_capacity 1024
+13:48:09 DEBUG| CPU0: thread -1, cpu 0, socket 15, mpidr 80000f00
+13:48:09 DEBUG| Setting up static identity map for 0x100000 - 0x10003c
+13:48:09 DEBUG| Hierarchical SRCU implementation.
+13:48:09 DEBUG| smp: Bringing up secondary CPUs ...
+13:48:09 DEBUG| CPU1: update cpu_capacity 1024
+13:48:09 DEBUG| CPU1: thread -1, cpu 1, socket 15, mpidr 80000f01
+13:48:09 DEBUG| CPU2: update cpu_capacity 1024
+13:48:09 DEBUG| CPU2: thread -1, cpu 2, socket 15, mpidr 80000f02
+13:48:09 DEBUG| CPU3: update cpu_capacity 1024
+13:48:09 DEBUG| CPU3: thread -1, cpu 3, socket 15, mpidr 80000f03
+13:48:09 DEBUG| smp: Brought up 1 node, 4 CPUs
+13:48:09 DEBUG| SMP: Total of 4 processors activated (500.00 BogoMIPS).
+13:48:09 DEBUG| CPU: All CPU(s) started in SVC mode.
+13:48:09 DEBUG| devtmpfs: initialized
+13:48:09 DEBUG| random: get_random_u32 called from bucket_table_alloc+0xfc/0x24c with crng_init=0
+13:48:09 DEBUG| VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
+13:48:09 DEBUG| clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
+13:48:09 DEBUG| futex hash table entries: 1024 (order: 4, 65536 bytes)
+13:48:09 DEBUG| pinctrl core: initialized pinctrl subsystem
+13:48:09 DEBUG| NET: Registered protocol family 16
+13:48:09 DEBUG| DMA: preallocated 1024 KiB pool for atomic coherent allocations
+13:48:09 DEBUG| hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers.
+13:48:09 DEBUG| hw-breakpoint: maximum watchpoint size is 8 bytes.
+13:48:09 DEBUG| Serial: AMBA PL011 UART driver
+13:48:09 DEBUG| bcm2835-mbox 3f00b880.mailbox: mailbox enabled
+13:48:09 DEBUG| bcm2835-dma 3f007000.dma: DMA legacy API manager at bc813000, dmachans=0x1
+13:48:09 DEBUG| SCSI subsystem initialized
+13:48:09 DEBUG| usbcore: registered new interface driver usbfs
+13:48:09 DEBUG| usbcore: registered new interface driver hub
+13:48:09 DEBUG| usbcore: registered new device driver usb
+13:48:09 DEBUG| raspberrypi-firmware soc:firmware: Attached to firmware from 1970-01-05 00:12
+13:48:09 DEBUG| clocksource: Switched to clocksource arch_sys_counter
+13:48:09 DEBUG| VFS: Disk quotas dquot_6.6.0
+13:48:09 DEBUG| VFS: Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
+13:48:09 DEBUG| FS-Cache: Loaded
+13:48:09 DEBUG| CacheFiles: Loaded
+13:48:09 DEBUG| NET: Registered protocol family 2
+13:48:09 DEBUG| TCP established hash table entries: 8192 (order: 3, 32768 bytes)
+13:48:09 DEBUG| TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
+13:48:09 DEBUG| TCP: Hash tables configured (established 8192 bind 8192)
+13:48:09 DEBUG| UDP hash table entries: 512 (order: 2, 16384 bytes)
+13:48:09 DEBUG| UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
+13:48:09 DEBUG| NET: Registered protocol family 1
+13:48:09 DEBUG| RPC: Registered named UNIX socket transport module.
+13:48:09 DEBUG| RPC: Registered udp transport module.
+13:48:09 DEBUG| RPC: Registered tcp transport module.
+13:48:09 DEBUG| RPC: Registered tcp NFSv4.1 backchannel transport module.
+13:48:09 DEBUG| Trying to unpack rootfs image as initramfs...
+13:48:09 DEBUG| Freeing initrd memory: 3256K
+13:48:09 DEBUG| hw perfevents: enabled with armv7_cortex_a7 PMU driver, 5 counters available
+13:48:09 DEBUG| workingset: timestamp_bits=14 max_order=18 bucket_order=4
+13:48:09 DEBUG| FS-Cache: Netfs 'nfs' registered for caching
+13:48:09 DEBUG| NFS: Registering the id_resolver key type
+13:48:09 DEBUG| Key type id_resolver registered
+13:48:09 DEBUG| Key type id_legacy registered
+13:48:09 DEBUG| nfs4filelayout_init: NFSv4 File Layout Driver Registering...
+13:48:09 DEBUG| Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
+13:48:09 DEBUG| io scheduler noop registered
+13:48:09 DEBUG| io scheduler deadline registered
+13:48:09 DEBUG| io scheduler cfq registered (default)
+13:48:09 DEBUG| io scheduler mq-deadline registered
+13:48:09 DEBUG| io scheduler kyber registered
+13:48:09 DEBUG| BCM2708FB: allocated DMA memory fb900000
+13:48:09 DEBUG| BCM2708FB: allocated DMA channel 0 @ bc813000
+13:48:09 DEBUG| Console: switching to colour frame buffer device 100x30
+13:48:09 DEBUG| bcm2835-rng 3f104000.rng: hwrng registered
+13:48:09 DEBUG| vc-mem: phys_addr:0x00000000 mem_base=0x00000000 mem_size:0x00000000(0 MiB)
+13:48:09 DEBUG| vc-sm: Videocore shared memory driver
+13:48:09 DEBUG| gpiomem-bcm2835 3f200000.gpiomem: Initialised: Registers at 0x3f200000
+13:48:09 DEBUG| brd: module loaded
+13:48:09 DEBUG| loop: module loaded
+13:48:09 DEBUG| Loading iSCSI transport class v2.0-870.
+13:48:09 DEBUG| libphy: Fixed MDIO Bus: probed
+13:48:09 DEBUG| usbcore: registered new interface driver lan78xx
+13:48:09 DEBUG| usbcore: registered new interface driver smsc95xx
+13:48:09 DEBUG| dwc_otg: version 3.00a 10-AUG-2012 (platform bus)
+13:48:09 DEBUG| dwc_otg 3f980000.usb: base=0xf0980000
+13:48:10 DEBUG| Core Release: 2.94a
+13:48:10 DEBUG| Setting default values for core params
+13:48:10 DEBUG| Finished setting default values for core params
+13:48:10 DEBUG| Using Buffer DMA mode
+13:48:10 DEBUG| Periodic Transfer Interrupt Enhancement - disabled
+13:48:10 DEBUG| Multiprocessor Interrupt Enhancement - disabled
+13:48:10 DEBUG| OTG VER PARAM: 0, OTG VER FLAG: 0
+13:48:10 DEBUG| Shared Tx FIFO mode
+13:48:10 DEBUG| WARN::dwc_otg_hcd_init:1046: FIQ DMA bounce buffers: virt = 0xbb914000 dma = 0xfb914000 len=9024
+13:48:10 DEBUG| WARN::hcd_init_fiq:459: FIQ on core 1 at 0x805edb88
+13:48:10 DEBUG| WARN::hcd_init_fiq:460: FIQ ASM at 0x805edcb4 length 36
+13:48:10 DEBUG| WARN::hcd_init_fiq:486: MPHI regs_base at 0xf0006000
+13:48:10 DEBUG| dwc_otg 3f980000.usb: DWC OTG Controller
+13:48:10 DEBUG| dwc_otg 3f980000.usb: new USB bus registered, assigned bus number 1
+13:48:10 DEBUG| dwc_otg 3f980000.usb: irq 62, io mem 0x00000000
+13:48:10 DEBUG| Init: Port Power? op_state=1
+13:48:10 DEBUG| Init: Power Port (1)
+13:48:10 DEBUG| usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
+13:48:10 DEBUG| usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
+13:48:10 DEBUG| usb usb1: Product: DWC OTG Controller
+13:48:10 DEBUG| usb usb1: Manufacturer: Linux 4.14.98-v7+ dwc_otg_hcd
+13:48:10 DEBUG| usb usb1: SerialNumber: 3f980000.usb
+13:48:10 DEBUG| hub 1-0:1.0: USB hub found
+13:48:10 DEBUG| hub 1-0:1.0: 1 port detected
+13:48:10 DEBUG| usbcore: registered new interface driver usb-storage
+13:48:10 DEBUG| mousedev: PS/2 mouse device common for all mice
+13:48:10 DEBUG| IR NEC protocol handler initialized
+13:48:10 DEBUG| IR RC5(x/sz) protocol handler initialized
+13:48:10 DEBUG| IR RC6 protocol handler initialized
+13:48:10 DEBUG| IR JVC protocol handler initialized
+13:48:10 DEBUG| IR Sony protocol handler initialized
+13:48:10 DEBUG| IR SANYO protocol handler initialized
+13:48:10 DEBUG| IR Sharp protocol handler initialized
+13:48:10 DEBUG| IR MCE Keyboard/mouse protocol handler initialized
+13:48:10 DEBUG| IR XMP protocol handler initialized
+13:48:10 DEBUG| bcm2835-wdt 3f100000.watchdog: Broadcom BCM2835 watchdog timer
+13:48:10 DEBUG| bcm2835-cpufreq: min=700000 max=700000
+13:48:10 DEBUG| sdhci: Secure Digital Host Controller Interface driver
+13:48:10 DEBUG| sdhci: Copyright(c) Pierre Ossman
+13:48:10 DEBUG| sdhost-bcm2835 3f202000.mmc: could not get clk, deferring probe
+13:48:10 DEBUG| sdhci-pltfm: SDHCI platform and OF driver helper
+13:48:10 DEBUG| ledtrig-cpu: registered to indicate activity on CPUs
+13:48:10 DEBUG| hidraw: raw HID events driver (C) Jiri Kosina
+13:48:10 DEBUG| usbcore: registered new interface driver usbhid
+13:48:10 DEBUG| usbhid: USB HID core driver
+13:48:10 DEBUG| vchiq: vchiq_init_state: slot_zero = bb980000, is_master = 0
+13:48:10 DEBUG| bcm2835_vchiq 3f00b840.vchiq: failed to set channelbase
+13:48:10 DEBUG| vchiq: could not load vchiq
+13:48:10 DEBUG| Initializing XFRM netlink socket
+13:48:10 DEBUG| NET: Registered protocol family 17
+13:48:10 DEBUG| Key type dns_resolver registered
+13:48:10 DEBUG| Registering SWP/SWPB emulation handler
+13:48:10 DEBUG| registered taskstats version 1
+13:48:10 DEBUG| uart-pl011 3f201000.serial: cts_event_workaround enabled
+13:48:10 DEBUG| 3f201000.serial: ttyAMA0 at MMIO 0x3f201000 (irq = 87, base_baud = 0) is a PL011 rev2
+13:48:10 DEBUG| console [ttyAMA0] enabled
+13:48:10 DEBUG| console [ttyAMA0] enabled
+13:48:10 DEBUG| bootconsole [pl11] disabled
+13:48:10 DEBUG| bootconsole [pl11] disabled
+13:48:10 DEBUG| bcm2835_thermal 3f212000.thermal: Not able to read trip_temp: -33
+13:48:10 DEBUG| bcm2835-clk 3f101000.cprman: tsens: couldn't lock PLL
+13:48:10 DEBUG| bcm2835_thermal: probe of 3f212000.thermal failed with error -33
+13:48:10 DEBUG| sdhost: log_buf @ bb913000 (fb913000)
+13:48:10 DEBUG| mmc0: sdhost-bcm2835 loaded - DMA enabled (>1)
+13:48:10 DEBUG| of_cfs_init
+13:48:10 DEBUG| of_cfs_init: OK
+13:48:10 DEBUG| uart-pl011 3f201000.serial: no DMA platform data
+13:48:10 DEBUG| Freeing unused kernel memory: 1024K
+13:48:11 DEBUG| mount: mounting devtmpfs on /dev failed: Device or resource busy
+13:48:11 DEBUG| Starting logging: OK
+13:48:11 DEBUG| Initializing random number generator... random: dd: uninitialized urandom read (512 bytes read)
+13:48:11 DEBUG| done.
+13:48:12 DEBUG| Starting network: OK
+13:48:12 DEBUG| Found console ttyAMA0
+13:48:12 DEBUG| Linux version 4.14.98-v7+ (dom@dom-XPS-13-9370) (gcc version 4.9.3 (crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1200 SMP Tue Feb 12 20:27:48 GMT 2019
+13:48:12 DEBUG| Boot successful.
+13:48:12 DEBUG| cat /proc/cpuinfo
+13:48:12 DEBUG| / # cat /proc/cpuinfo
+13:48:12 DEBUG| processor	: 0
+13:48:12 DEBUG| model name	: ARMv7 Processor rev 5 (v7l)
+13:48:12 DEBUG| BogoMIPS	: 125.00
+13:48:12 DEBUG| Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
+13:48:12 DEBUG| CPU implementer	: 0x41
+13:48:12 DEBUG| CPU architecture: 7
+13:48:12 DEBUG| CPU variant	: 0x0
+13:48:12 DEBUG| CPU part	: 0xc07
+13:48:12 DEBUG| CPU revision	: 5
+13:48:12 DEBUG| processor	: 1
+13:48:12 DEBUG| model name	: ARMv7 Processor rev 5 (v7l)
+13:48:12 DEBUG| BogoMIPS	: 125.00
+13:48:12 DEBUG| Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
+13:48:12 DEBUG| CPU implementer	: 0x41
+13:48:12 DEBUG| CPU architecture: 7
+13:48:12 DEBUG| CPU variant	: 0x0
+13:48:12 DEBUG| CPU part	: 0xc07
+13:48:12 DEBUG| CPU revision	: 5
+13:48:12 DEBUG| processor	: 2
+13:48:12 DEBUG| model name	: ARMv7 Processor rev 5 (v7l)
+13:48:12 DEBUG| BogoMIPS	: 125.00
+13:48:12 DEBUG| Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
+13:48:12 DEBUG| CPU implementer	: 0x41
+13:48:12 DEBUG| CPU architecture: 7
+13:48:12 DEBUG| CPU variant	: 0x0
+13:48:12 DEBUG| CPU part	: 0xc07
+13:48:12 DEBUG| CPU revision	: 5
+13:48:12 DEBUG| processor	: 3
+13:48:12 DEBUG| model name	: ARMv7 Processor rev 5 (v7l)
+13:48:12 DEBUG| BogoMIPS	: 125.00
+13:48:12 DEBUG| Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
+13:48:12 DEBUG| CPU implementer	: 0x41
+13:48:12 DEBUG| CPU architecture: 7
+13:48:12 DEBUG| CPU variant	: 0x0
+13:48:12 DEBUG| CPU part	: 0xc07
+13:48:12 DEBUG| CPU revision	: 5
+13:48:12 DEBUG| Hardware	: BCM2835
+13:48:12 DEBUG| Revision	: 0000
+13:48:12 DEBUG| Serial		: 0000000000000000
+13:48:12 DEBUG| cat /proc/iomem
+13:48:12 DEBUG| / # cat /proc/iomem
+13:48:12 DEBUG| 00000000-3bffffff : System RAM
+13:48:12 DEBUG| 00008000-00afffff : Kernel code
+13:48:12 DEBUG| 00c00000-00d468ef : Kernel data
+13:48:12 DEBUG| 3f006000-3f006fff : dwc_otg
+13:48:12 DEBUG| 3f007000-3f007eff : /soc/dma@7e007000
+13:48:12 DEBUG| 3f00b880-3f00b8bf : /soc/mailbox@7e00b880
+13:48:12 DEBUG| 3f100000-3f100027 : /soc/watchdog@7e100000
+13:48:12 DEBUG| 3f101000-3f102fff : /soc/cprman@7e101000
+13:48:12 DEBUG| 3f200000-3f2000b3 : /soc/gpio@7e200000
+13:53:12 WARNI| qemu received signal 9; command: "./qemu-system-arm -display none -vga none -chardev socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock -mon chardev=mon,mode=control -machine raspi2b -chardev socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off -serial chardev:console -kernel /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img -dtb /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb -initrd /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio -append printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0 -no-reboot"
+13:53:12 ERROR| 
+13:53:12 ERROR| Reproduced traceback from: /var/lib/users/cleber/build/qemu/tests/venv/lib64/python3.9/site-packages/avocado/core/test.py:794
+13:53:12 ERROR| Traceback (most recent call last):
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 514, in _do_shutdown
+13:53:12 ERROR|     self._soft_shutdown(timeout, has_quit)
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 497, in _soft_shutdown
+13:53:12 ERROR|     self._subp.wait(timeout=timeout)
+13:53:12 ERROR|   File "/usr/lib64/python3.9/subprocess.py", line 1189, in wait
+13:53:12 ERROR|     return self._wait(timeout=timeout)
+13:53:12 ERROR|   File "/usr/lib64/python3.9/subprocess.py", line 1909, in _wait
+13:53:12 ERROR|     raise TimeoutExpired(self.args, timeout)
+13:53:12 ERROR| subprocess.TimeoutExpired: Command '('./qemu-system-arm', '-display', 'none', '-vga', 'none', '-chardev', 'socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock', '-mon', 'chardev=mon,mode=control', '-machine', 'raspi2b', '-chardev', 'socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off', '-serial', 'chardev:console', '-kernel', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img', '-dtb', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb', '-initrd', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio', '-append', 'printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0', '-no-reboot')' timed out after 300 seconds
+13:53:12 ERROR| 
+13:53:12 ERROR| The above exception was the direct cause of the following exception:
+13:53:12 ERROR| 
+13:53:12 ERROR| Traceback (most recent call last):
+13:53:12 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/boot_linux_console.py", line 502, in test_arm_raspi2_initrd
+13:53:12 ERROR|     self.vm.wait(300)
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 561, in wait
+13:53:12 ERROR|     self.shutdown(has_quit=True, timeout=timeout)
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 544, in shutdown
+13:53:12 ERROR|     self._do_shutdown(timeout, has_quit)
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 517, in _do_shutdown
+13:53:12 ERROR|     raise AbnormalShutdown("Could not perform graceful shutdown") \
+13:53:12 ERROR| qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown
+13:53:12 ERROR| 
+13:53:12 DEBUG| Local variables:
+13:53:12 DEBUG|  -> self <class 'boot_linux_console.BootLinuxConsole'>: 01-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd
+13:53:12 DEBUG|  -> deb_url <class 'str'>: http://archive.raspberrypi.org/debian/pool/main/r/raspberrypi-firmware/raspberrypi-kernel_1.20190215-1_armhf.deb
+13:53:12 DEBUG|  -> deb_hash <class 'str'>: cd284220b32128c5084037553db3c482426f3972
+13:53:12 DEBUG|  -> deb_path <class 'str'>: /home/cleber/avocado/data/cache/by_location/c813ab2b9e4f63b2aa876075ad70d638a31a25b7/raspberrypi-kernel_1.20190215-1_armhf.deb
+13:53:12 DEBUG|  -> kernel_path <class 'str'>: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img
+13:53:12 DEBUG|  -> dtb_path <class 'str'>: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb
+13:53:12 DEBUG|  -> initrd_url <class 'str'>: https://github.com/groeck/linux-build-test/raw/2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/arm/rootfs-armv7a.cpio.gz
+13:53:12 DEBUG|  -> initrd_hash <class 'str'>: 604b2e45cdf35045846b8bbfbf2129b1891bdc9c
+13:53:12 DEBUG|  -> initrd_path_gz <class 'str'>: /home/cleber/avocado/data/cache/by_location/d100d022b257e2c8f0c0c97434576ed642f9afe5/rootfs-armv7a.cpio.gz
+13:53:12 DEBUG|  -> initrd_path <class 'str'>: /home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio
+13:53:12 DEBUG|  -> kernel_command_line <class 'str'>: printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0
+13:53:12 DEBUG| DATA (filename=output.expected) => NOT FOUND (data sources: variant, test, file)
+13:53:12 DEBUG| DATA (filename=stdout.expected) => NOT FOUND (data sources: variant, test, file)
+13:53:12 DEBUG| DATA (filename=stderr.expected) => NOT FOUND (data sources: variant, test, file)
+13:53:12 ERROR| Traceback (most recent call last):
+
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 514, in _do_shutdown
+    self._soft_shutdown(timeout, has_quit)
+
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 497, in _soft_shutdown
+    self._subp.wait(timeout=timeout)
+
+13:53:12 ERROR|   File "/usr/lib64/python3.9/subprocess.py", line 1189, in wait
+    return self._wait(timeout=timeout)
+
+13:53:12 ERROR|   File "/usr/lib64/python3.9/subprocess.py", line 1909, in _wait
+    raise TimeoutExpired(self.args, timeout)
+
+13:53:12 ERROR| subprocess.TimeoutExpired: Command '('./qemu-system-arm', '-display', 'none', '-vga', 'none', '-chardev', 'socket,id=mon,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-monitor.sock', '-mon', 'chardev=mon,mode=control', '-machine', 'raspi2b', '-chardev', 'socket,id=console,path=/var/tmp/avo_qemu_sock_hd3upfg6/qemu-2435532-console.sock,server=on,wait=off', '-serial', 'chardev:console', '-kernel', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/kernel7.img', '-dtb', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/boot/bcm2709-rpi-2-b.dtb', '-initrd', '/home/cleber/avocado/job-results/job-2021-09-24T13.48-0890f76/test-results/tmp_dirdikw83mj/01-tests_acceptance_boot_linux_console.py_BootLinuxConsole.test_arm_raspi2_initrd/rootfs.cpio', '-append', 'printk.time=0 earlycon=pl011,0x3f201000 console=ttyAMA0 panic=-1 noreboot dwc_otg.fiq_fsm_enable=0', '-no-reboot')' timed out after 300 seconds
+
+13:53:12 ERROR| 
+The above exception was the direct cause of the following exception:
+
+
+13:53:12 ERROR| Traceback (most recent call last):
+
+13:53:12 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/venv/lib64/python3.9/site-packages/avocado/core/test.py", line 882, in _run_avocado
+    raise test_exception
+
+13:53:12 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/venv/lib64/python3.9/site-packages/avocado/core/test.py", line 789, in _run_avocado
+    testMethod()
+
+13:53:12 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/boot_linux_console.py", line 502, in test_arm_raspi2_initrd
+    self.vm.wait(300)
+
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 561, in wait
+    self.shutdown(has_quit=True, timeout=timeout)
+
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 544, in shutdown
+    self._do_shutdown(timeout, has_quit)
+
+13:53:12 ERROR|   File "/home/cleber/src/qemu/python/qemu/machine/machine.py", line 517, in _do_shutdown
+    raise AbnormalShutdown("Could not perform graceful shutdown") \
+
+13:53:12 ERROR| qemu.machine.machine.AbnormalShutdown: Could not perform graceful shutdown
+
+13:53:12 ERROR| ERROR 01-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd -> AbnormalShutdown: Could not perform graceful shutdown
+13:53:12 INFO | 
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/638 b/gitlab/issues_text/target_arm/host_missing/accel_missing/638
new file mode 100644
index 000000000..9080a4e38
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/638
@@ -0,0 +1,13 @@
+exynos4210_uart.c: SIGSEGV when loadvm
+Description of problem:
+Line 619 of hw/char/exynos4210_uart.c cast the object incorrectly.
+
+The function will be called with Exynos4210UartFIFO as opaque because it is set as `vmstate_exynos4210_uart_fifo.post_load`
+
+#
+Steps to reproduce:
+1. Create a VM with exynos4210_uart
+2. savevm 
+3. loadvm
+Additional information:
+
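Review bot: The text saved for issue 638 cites `Line 619 of hw/char/exynos4210_uart.c` but records no QEMU version or commit, so the line reference to the mis-cast `post_load` opaque cannot be resolved from this file alone. The same loss of context shows in file 717 later in this diff, whose description says the OpenStack command line "is shown above" although only the title precedes it. The text output appears to keep only the title, description, steps and additional-information sections; presumably the issue's version and command-line fields are dropped by the scraper, which should be confirmed against the scraper code. I would write those fields into the text file as well, and drop the stray `#` line and the empty trailing `Additional information:` heading when the section has no content.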
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/64 b/gitlab/issues_text/target_arm/host_missing/accel_missing/64
new file mode 100644
index 000000000..e42ddbe5d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/64
@@ -0,0 +1 @@
+raspi3 machine can not shutdown
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/656 b/gitlab/issues_text/target_arm/host_missing/accel_missing/656
new file mode 100644
index 000000000..2a8fcd401
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/656
@@ -0,0 +1,7 @@
+qemu-system-arm sabrelite does not use sd card
+Description of problem:
+I have build qemu from source. Furthermore I build Uboot from source following [this Link](https://qemu.readthedocs.io/en/latest/system/arm/sabrelite.html). With the provided command lines I am able to create and image and start the sabrelite board and see Uboot console Output. The problem I am facing is, that I am not able to interact with the provided tmp.img. 
+
+I was also using the -driver option instead of the -blockdev option, but did not get any different results with that.
+Additional information:
+I provide the console output in the attached file. [console.out](/uploads/996b8c07310ec3b008477e3e70a2e629/console.out)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/690 b/gitlab/issues_text/target_arm/host_missing/accel_missing/690
new file mode 100644
index 000000000..8bf9c3bee
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/690
@@ -0,0 +1,19 @@
+32bit qemu-arm can't run GCC due to failure to allocate memory range for guest (Allocating guest commpage error)
+Description of problem:
+I'm running ARM binaries using 32 bit qemu-arm-static on x86_64 host. Since version 5.1 (include latest 6.1), QEMU cannot run GCC and some other things with an error `Allocating guest commpage: Operation not permitted`. The problem is NOT reproducible on QEMU 5.0, so probably the problem was caused by a [rework of init_guest_space or the following commits](https://gitlab.com/qemu-project/qemu/-/commit/ee94743034bfb443cf246eda4971bdc15d8ee066) a year ago.
+
+Also the problem is not reproducible for all users. It is known that it is reproduced on all Arch Linux host machines and some Debian, and probably depends on some kernel build parameters.
+
+The sysctl `vm.mmap_min_addr` parameter also affects the problem. The error varies depending on its value:
+```
+[0 ... 53248] - No error at all
+[53249 ... 61440] - Cannot allocate memory
+[61441 ... 65536 and higher] - Operation not permitted
+```
+Steps to reproduce:
+1. Download and extract attached tarball: [qemu-test-gcc.tgz](/uploads/0031fdf6705183626f646b78a281dd2a/qemu-test-gcc.tgz)
+2. `$ make # will build the docker container`
+3. `$ make run # will enter the container`
+4. Once in the container, run: `# /qemu-arm-static-50 /bin/bash /runme.sh`
+Additional information:
+A detailed description of the problem and feedback from other users is here: https://bugs.launchpad.net/qemu/+bug/1891748
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/714 b/gitlab/issues_text/target_arm/host_missing/accel_missing/714
new file mode 100644
index 000000000..eb5290a58
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/714
@@ -0,0 +1,43 @@
+Command line arguments are not passed correctly with user-space semihosting
+Description of problem:
+The emulated process always receives a value of 1 for `argc`, with `argv[0]` returning seemingly random characters (in Ubuntu packaged qemu 5.2), but correlating with command-line input (output below from master built qemu 6.1):
+```
+$ qemu-arm -cpu cortex-m7 ./a.out 123 test
+argc: 1
+argv: 
+ - @@@
+
+$ qemu-arm -cpu cortex-m7 ./a.out 
+argc: 1
+argv:
+ [0] @
+```
+Steps to reproduce:
+1. Compile the following program with [ARM embedded toolchain](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads):
+```cpp
+#include <iostream>
+
+int main(int argc, char* argv[]) {
+	std::cout << "argc: " << argc << "\n";
+	std::cout << "argv: \n";
+
+	for (int i = 0; i < argc; i++)
+		std::cout << " [" << i << "] " << argv[i] << "\n";
+	return 0;
+}
+```
+
+```
+$ $CXX --version
+arm-none-eabi-g++ (GNU Arm Embedded Toolchain 10-2020-q4-major) 10.2.1 20201103 (release)
+Copyright (C) 2020 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+$ $CXX main.cpp --specs=rdimon.specs -mcpu=cortex-m7
+```
+
+2. Run in user-space (semihosted):
+```
+$ qemu-arm -cpu cortex-m7 ./a.out 
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/717 b/gitlab/issues_text/target_arm/host_missing/accel_missing/717
new file mode 100644
index 000000000..e56c66b3d
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/717
@@ -0,0 +1,3 @@
+using the "scsi-cd" option on arm64 platform
+Description of problem:
+When using OpenStack to create a virtual machine instance, I need to configure the password of the root user through cloud-init. I use the ConfigDriver method, in which OpenStack will mount a virtual disk in iso9660 format to the virtual machine instance. The command line generated by OpenStack is shown above. You can see that this ConfigDrive virtual disk is mounted via "--device scsi-cd". But when I entered the virtual machine instance and used lsblk, blkid and searched in /dev/disk/by-label, I did not find the virtual disk that should be mounted. In addition, I don't have more debugging messages or error messages. I want to know if the "scsi-cd" is not fully adapted to arm64 platform.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/725 b/gitlab/issues_text/target_arm/host_missing/accel_missing/725
new file mode 100644
index 000000000..6d7b10def
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/725
@@ -0,0 +1,14 @@
+GICv3 ITS CTLR[Enabled] bit can not be cleared
+Description of problem:
+ITS CTLR[Enabled] can not be cleared, 
+
+    `s->ctlr |= (value & ~(s->ctlr));`
+
+Link:
+https://gitlab.com/qemu-project/qemu/-/blob/master/hw/intc/arm_gicv3_its.c#L899
+Steps to reproduce:
+1. 
+2.
+3.
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/729 b/gitlab/issues_text/target_arm/host_missing/accel_missing/729
new file mode 100644
index 000000000..bf2aac172
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/729
@@ -0,0 +1,34 @@
+Environment variables are not passed with user-space semihosting
+Description of problem:
+Environment variables are not passed to the emulated process, either inherited (as I might expect it to work in user-space?) or by specifying the values through the QEMU command-line. Note that setting the environment variable from within the app before calling `getenv` does work, so it isn't just a case of some system no-ops for the platform.
+Steps to reproduce:
+1. Compile the following program with [ARM embedded toolchain](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads):
+```cpp
+#include <iostream>
+#include <cstdlib>
+
+int main(int argc, char* argv[]) {
+	char* env = std::getenv("TEST");
+	if (env)
+		std::cout << "Env TEST: " << env << "\n";
+	else
+		std::cout << "Env TEST not set.\n";
+	return 0;
+}
+```
+
+```
+$ $CXX --version
+arm-none-eabi-g++ (GNU Arm Embedded Toolchain 10-2020-q4-major) 10.2.1 20201103 (release)
+Copyright (C) 2020 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+$ $CXX main.cpp --specs=rdimon.specs -mcpu=cortex-m7
+```
+
+2. Run in user-space (semihosted):
+```
+$ qemu-arm -cpu cortex-m7 -E TEST=val123 ./a.out 
+Env TEST not set.
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/736 b/gitlab/issues_text/target_arm/host_missing/accel_missing/736
new file mode 100644
index 000000000..3e1f0eac4
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/736
@@ -0,0 +1,47 @@
+qemu-system-arm crash (hardware error: tsc210x_txrx: FIXME: bad SPI word width 24)
+Description of problem:
+The `tests/avocado/machine_arm_n8x0.py:N8x0Machine.test_n800` will sometimes trigger situation where the test does not progress and ends up interrupted.  One example is [here](https://gitlab.com/qemu-project/qemu/-/jobs/1796742618#L242):
+
+```
+(075/171) tests/avocado/machine_arm_n8x0.py:N8x0Machine.test_n800:  INTERRUPTED: Test interrupted by SIGTERM\nRunner error occurred: Timeout reached\nOriginal status: ERROR\n{'name': '075-tests/avocado/machine_arm_n8x0.py:N8x0Machine.test_n800', 'logdir': '/builds/qem
+```
+Steps to reproduce:
+1. ./tests/venv/bin/avocado assets fetch tests/avocado/machine_arm_n8x0.py
+2. nc -l -U /var/tmp/qemu-monitor.sock
+3. ./qemu-system-arm -display none -vga none -chardev socket,id=mon,path=/var/tmp/qemu-monitor.sock -mon chardev=mon,mode=control -machine n800 -serial null -chardev socket,id=console,path=/var/tmp/qemu-51887-console.sock,server=on,wait=off -serial chardev:console -kernel $HOME/avocado/data/cache/by_location/07af9de13713c2905e8c6a88d6600eb1bc885c5c/meego-arm-n8x0-1.0.80.20100712.1431-vmlinuz-2.6.35~rc4-129.1-n8x0 -append 'printk.time=0 console=ttyS1'
+Additional information:
+```
+#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
+#1  0x00007ffff4d498c3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
+#2  0x00007ffff4cfc6b6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
+#3  0x00007ffff4ce67d3 in __GI_abort () at abort.c:79
+#4  0x0000555555e544b3 in hw_error (fmt=0x555556264da8 "%s: FIXME: bad SPI word width %i\n") at ../../src/qemu/softmmu/cpus.c:126
+#5  0x0000555555a8f4b8 in tsc210x_txrx (opaque=0x5555579e9820, value=6468416, len=24) at ../../src/qemu/hw/input/tsc210x.c:913
+#6  0x0000555555bf49c1 in omap_mcspi_transfer_run (s=0x555557757d10, chnum=0) at ../../src/qemu/hw/ssi/omap_spi.c:93
+#7  0x0000555555bf536b in omap_mcspi_write (opaque=0x555557757d10, addr=56, value=6468416, size=4) at ../../src/qemu/hw/ssi/omap_spi.c:335
+#8  0x0000555555e68f05 in memory_region_write_accessor
+    (mr=0x555557757d10, addr=56, value=0x7fffe7034cc8, size=4, shift=0, mask=4294967295, attrs=...) at ../../src/qemu/softmmu/memory.c:492
+#9  0x0000555555e6914b in access_with_adjusted_size (addr=56, value=0x7fffe7034cc8, size=4, access_size_min=1, access_size_max=4, access_fn=
+    0x555555e68e0f <memory_region_write_accessor>, mr=0x555557757d10, attrs=...) at ../../src/qemu/softmmu/memory.c:554
+#10 0x0000555555e6c1e4 in memory_region_dispatch_write (mr=0x555557757d10, addr=56, data=6468416, op=MO_32, attrs=...)
+    at ../../src/qemu/softmmu/memory.c:1504
+#11 0x0000555555fa9936 in io_writex
+    (env=0x555556e419f0, iotlbentry=0x7fff581ad800, mmu_idx=10, val=6468416, addr=4194926648, retaddr=140734913962650, op=MO_32)
+    at ../../src/qemu/accel/tcg/cputlb.c:1420
+#12 0x0000555555fac1b1 in store_helper (env=0x555556e419f0, addr=4194926648, val=6468416, oi=42, retaddr=140734913962650, op=MO_32)
+    at ../../src/qemu/accel/tcg/cputlb.c:2355
+#13 0x0000555555fac571 in full_le_stl_mmu (env=0x555556e419f0, addr=4194926648, val=6468416, oi=42, retaddr=140734913962650)
+    at ../../src/qemu/accel/tcg/cputlb.c:2443
+#14 0x0000555555fac5a9 in helper_le_stl_mmu (env=0x555556e419f0, addr=4194926648, val=6468416, oi=42, retaddr=140734913962650)
+    at ../../src/qemu/accel/tcg/cputlb.c:2449
+#15 0x00007fff668de29a in code_gen_buffer ()
+#16 0x0000555555f95c5d in cpu_tb_exec (cpu=0x555556e37c60, itb=0x7fffa3aae140, tb_exit=0x7fffe703540c) at ../../src/qemu/accel/tcg/cpu-exec.c:357
+#17 0x0000555555f96afe in cpu_loop_exec_tb (cpu=0x555556e37c60, tb=0x7fffa3aae140, last_tb=0x7fffe7035420, tb_exit=0x7fffe703540c)
+    at ../../src/qemu/accel/tcg/cpu-exec.c:833
+#18 0x0000555555f96ed7 in cpu_exec (cpu=0x555556e37c60) at ../../src/qemu/accel/tcg/cpu-exec.c:992
+#19 0x0000555555fb9682 in tcg_cpus_exec (cpu=0x555556e37c60) at ../../src/qemu/accel/tcg/tcg-accel-ops.c:67
+#20 0x0000555555fb9a13 in mttcg_cpu_thread_fn (arg=0x555556e37c60) at ../../src/qemu/accel/tcg/tcg-accel-ops-mttcg.c:95
+#21 0x0000555556179831 in qemu_thread_start (args=0x55555700dbc0) at ../../src/qemu/util/qemu-thread-posix.c:556
+#22 0x00007ffff4d47b17 in start_thread (arg=<optimized out>) at pthread_create.c:435
+#23 0x00007ffff4dcc6c0 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/789 b/gitlab/issues_text/target_arm/host_missing/accel_missing/789
new file mode 100644
index 000000000..51fc2dca6
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/789
@@ -0,0 +1,12 @@
+QEMU arm (not arm64) crashes on apple silicon when run via docker desktop
+Description of problem:
+docker build of the simple Dockerfile here causes QEMU to crash in arm
+emulation. It is perfectly reproducible.
+
+FROM balenalib/rpi-raspbian:bullseye-20210925
+
+USER root
+
+RUN apt-get update -y && apt-get upgrade -y
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/803 b/gitlab/issues_text/target_arm/host_missing/accel_missing/803
new file mode 100644
index 000000000..aca99ef7e
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/803
@@ -0,0 +1,20 @@
+v6.2.0 armv7m: savevm fails assertion
+Description of problem:
+Trying to take a snapshot on some arm machines just fails an assertion, while some work fine.  
+e.g. mps2-an385 and stm32vldiscovery don't work, while e.g. raspi0 does.
+```
+$ build/qemu-system-arm -machine mps2-an385 -monitor stdio -drive file=dummy.qcow2 -S 
+QEMU 6.1.50 monitor - type 'help' for more information
+(qemu) VNC server running on ::1:5900
+savevm test
+qemu-system-arm: ../migration/vmstate.c:363: vmstate_save_state_v: Assertion `first_elem || !n_elems || !size' failed.
+[1]    631940 IOT instruction (core dumped)  build/qemu-system-arm -machine mps2-an385 -monitor stdio -drive  -S
+```
+This happens with or without a kernel (so -S is optional, if a kernel is present).
+Steps to reproduce:
+1. Create some image for snapshots (once): ``qemu-img create -f qcow2 dummy.qcow2 32M``
+2. ``qemu-system-arm -machine mps2-an385 -monitor stdio -drive file=dummy.qcow2 -S``
+3. In monitor: ``savevm something``
+Additional information:
+Bisect indicates the Problem first presented itself in commit d5093d961585f02126191951ded9b90dbc52883b by @pm215.  
+This led me to test stm32vldiscovery, which also includes armv7m.h and fails, while some others don't.
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/838 b/gitlab/issues_text/target_arm/host_missing/accel_missing/838
new file mode 100644
index 000000000..97d7b42ed
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/838
@@ -0,0 +1 @@
+qemu-system-arm, ast2600-evb, the address mapping of ASPEED_DEV_SPI2 is different from datasheet
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/903 b/gitlab/issues_text/target_arm/host_missing/accel_missing/903
new file mode 100644
index 000000000..fc880ec9c
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/903
@@ -0,0 +1,355 @@
+m1 MacOS panic testing lima with qemu HEAD/7.0.0
+Description of problem:
+I'm trying to help the `lima` project test the latest version of lima on m1 with the latest qemu https://github.com/lima-vm/lima/issues/713 and I got a panic and was told to report back in the qemu issue tracker.
+
+I created a VM with 8GiB memory, and got a panic.
+
+
+lima version:
+```
+⎈ |rancher-desktop:default) ~ ❯❯❯ limactl --version                                                                                                                                                                                                                                                                                            ✘ 1 
+limactl version HEAD-1164273
+```
+
+qemu version:
+```
+(⎈ |rancher-desktop:default) ~ ❯❯❯ qemu-system-aarch64 --version
+QEMU emulator version 6.2.50 (v6.2.0-2380-g1416688c53)
+Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
+```
+
+MacOS panic:
+
+```
+panic(cpu 3 caller 0xfffffe001db6ea58): vm_fault() KERN_FAILURE from guest fault on state 0xfffffe6032c98000 @sleh.c:3091
+Debugger message: panic
+Memory ID: 0x6
+OS release type: User
+OS version: 21A559
+Kernel version: Darwin Kernel Version 21.1.0: Wed Oct 13 17:33:01 PDT 2021; root:xnu-8019.41.5~1/RELEASE_ARM64_T6000
+Fileset Kernelcache UUID: 3B2CA3833A09A383D66FB36667ED9CBF
+Kernel UUID: 67BCB41B-BAA4-3634-8E51-B0210457E324
+iBoot version: iBoot-7429.41.5
+secure boot?: YES
+Paniclog version: 13
+KernelCache slide: 0x00000000160d8000
+KernelCache base:  0xfffffe001d0dc000
+Kernel slide:      0x0000000016900000
+Kernel text base:  0xfffffe001d904000
+Kernel text exec slide: 0x00000000169e8000
+Kernel text exec base:  0xfffffe001d9ec000
+mach_absolute_time: 0x1661a3f15fc
+Epoch Time:        sec       usec
+  Boot    : 0x622a7219 0x00029f9b
+  Sleep   : 0x622ba92c 0x00061dca
+  Wake    : 0x622ba9d3 0x000ae46d
+  Calendar: 0x622bc0fb 0x000caf67
+
+Zone info:
+Foreign   : 0xfffffe0025c14000 - 0xfffffe0025c28000
+Native    : 0xfffffe10003bc000 - 0xfffffe30003bc000
+Readonly  : 0 - 0
+Metadata  : 0xfffffe64105d0000 - 0xfffffe641c53c000
+Bitmaps   : 0xfffffe641c53c000 - 0xfffffe6433f6c000
+CORE 0 PVH locks held: None
+CORE 1 PVH locks held: None
+CORE 2 PVH locks held: None
+CORE 3 PVH locks held: None
+CORE 4 PVH locks held: None
+CORE 5 PVH locks held: None
+CORE 6 PVH locks held: None
+CORE 7 PVH locks held: None
+CORE 8 PVH locks held: None
+CORE 9 PVH locks held: None
+CORE 0: PC=0xfffffe001da72c6c, LR=0xfffffe001da72c6c, FP=0xfffffe6110abbef0
+CORE 1: PC=0xfffffe001f2cdbe0, LR=0xfffffe001f2ceb54, FP=0xfffffe611027b600
+CORE 2: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe603778bef0
+CORE 3 is the one that panicked. Check the full backtrace for details.
+CORE 4: PC=0xfffffe001da72c6c, LR=0xfffffe001da72c6c, FP=0xfffffe61166fbef0
+CORE 5: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe6110a6bef0
+CORE 6: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe61121cbef0
+CORE 7: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe60b4be3ef0
+CORE 8: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe6032af3ef0
+CORE 9: PC=0xfffffe001da72c70, LR=0xfffffe001da72c6c, FP=0xfffffe6090a4bef0
+Panicked task 0xfffffe150e4ccd50: 17757 pages, 10 threads: pid 21141: qemu-system-aarc
+Panicked thread: 0xfffffe1515ae87d8, backtrace: 0xfffffe60d51e3300, tid: 979402
+		  lr: 0xfffffe001da3e488  fp: 0xfffffe60d51e3370
+		  lr: 0xfffffe001da3e158  fp: 0xfffffe60d51e33e0
+		  lr: 0xfffffe001db7a558  fp: 0xfffffe60d51e3400
+		  lr: 0xfffffe001db6d2d4  fp: 0xfffffe60d51e3480
+		  lr: 0xfffffe001db6ac9c  fp: 0xfffffe60d51e3540
+		  lr: 0xfffffe001d9f37f8  fp: 0xfffffe60d51e3550
+		  lr: 0xfffffe001da3ddcc  fp: 0xfffffe60d51e38f0
+		  lr: 0xfffffe001da3ddcc  fp: 0xfffffe60d51e3960
+		  lr: 0xfffffe001e23c748  fp: 0xfffffe60d51e3980
+		  lr: 0xfffffe001db6ea58  fp: 0xfffffe60d51e39e0
+		  lr: 0xfffffe001db6e5dc  fp: 0xfffffe60d51e3a50
+		  lr: 0xfffffe001d9fe828  fp: 0xfffffe60d51e3a60
+		  lr: 0xfffffe001db823f4  fp: 0xfffffe60d51e3e50
+		  lr: 0xfffffe001db6b140  fp: 0xfffffe60d51e3f10
+		  lr: 0xfffffe001d9f37f8  fp: 0xfffffe60d51e3f20
+
+last started kext at 1368960011: com.apple.filesystems.smbfs	4.0 (addr 0xfffffe001d8ea490, size 64483)
+loaded kexts:
+com.apple.filesystems.smbfs	4.0
+com.apple.filesystems.autofs	3.0
+com.apple.fileutil	20.036.15
+com.apple.UVCService	1
+com.apple.driver.AppleUSBTopCaseDriver	5010.1
+com.apple.iokit.SCSITaskUserClient	452.30.4
+com.apple.driver.AppleIntelI210Ethernet	2.3.1
+com.apple.driver.AppleBiometricServices	1
+com.apple.driver.CoreKDL	1
+com.apple.driver.AppleTopCaseHIDEventDriver	5010.1
+com.apple.driver.SEPHibernation	1
+com.apple.driver.BCMWLANFirmware4387.Hashstore	1
+com.apple.driver.DiskImages.ReadWriteDiskImage	493.0.0
+com.apple.driver.DiskImages.UDIFDiskImage	493.0.0
+com.apple.driver.DiskImages.RAMBackingStore	493.0.0
+com.apple.driver.DiskImages.FileBackingStore	493.0.0
+com.apple.filesystems.apfs	1933.41.2
+com.apple.driver.AppleUSBDeviceNCM	5.0.0
+com.apple.driver.AppleThunderboltIP	4.0.3
+com.apple.driver.AppleFileSystemDriver	3.0.1
+com.apple.nke.l2tp	1.9
+com.apple.filesystems.tmpfs	1
+com.apple.filesystems.lifs	1
+com.apple.IOTextEncryptionFamily	1.0.0
+com.apple.filesystems.hfs.kext	582.40.4
+com.apple.security.BootPolicy	1
+com.apple.BootCache	40
+com.apple.AppleFSCompression.AppleFSCompressionTypeZlib	1.0.0
+com.apple.AppleFSCompression.AppleFSCompressionTypeDataless	1.0.0d1
+com.apple.driver.AppleCS42L84Audio	502.6
+com.apple.driver.ApplePMP	1
+com.apple.driver.AppleSmartIO2	1
+com.apple.driver.AppleSN012776Amp	502.6
+com.apple.AppleEmbeddedSimpleSPINORFlasher	1
+com.apple.driver.AppleT6000SOCTuner	1
+com.apple.driver.AppleT6000CLPCv3	1
+com.apple.driver.AppleSmartBatteryManager	161.0.0
+com.apple.driver.AppleALSColorSensor	1.0.0d1
+com.apple.driver.AppleAOPVoiceTrigger	100.1
+com.apple.driver.ApplePMPFirmware	1
+com.apple.driver.AppleMCDP29XXUpdateSupport	1
+com.apple.driver.AppleM68Buttons	1.0.0d1
+com.apple.driver.AppleSamsungSerial	1.0.0d1
+com.apple.driver.AppleSerialShim	1
+com.apple.driver.usb.AppleSynopsysUSB40XHCI	1
+com.apple.driver.AppleSDXC	3.1.1
+com.apple.driver.AppleSPMIPMU	1.0.1
+com.apple.AGXG13X	187.57
+com.apple.driver.AppleAVD	415
+com.apple.driver.AppleAVE2	501.6.9
+com.apple.driver.AppleJPEGDriver	4.7.8
+com.apple.driver.AppleProResHW	126.2.0
+com.apple.driver.AppleMobileDispT600X-DCP	140.0
+com.apple.driver.AppleDPDisplayTCON	1
+com.apple.driver.AppleEventLogHandler	1
+com.apple.driver.AppleS5L8960XNCO	1
+com.apple.driver.AppleT6001PMGR	1
+com.apple.driver.AppleS8000AES	1
+com.apple.driver.AppleS8000DWI	1.0.0d1
+com.apple.driver.AppleInterruptControllerV2	1.0.0d1
+com.apple.driver.AppleT8110DART	1
+com.apple.driver.AppleBluetoothModule	1
+com.apple.driver.AppleBCMWLANBusInterfacePCIe	1
+com.apple.driver.AppleS5L8920XPWM	1.0.0d1
+com.apple.driver.AudioDMAController-T600x	100.51
+com.apple.driver.AppleT6000DART	1
+com.apple.driver.AppleSPIMC	1
+com.apple.driver.AppleS5L8940XI2C	1.0.0d2
+com.apple.driver.AppleT6000	1
+com.apple.iokit.IOUserEthernet	1.0.1
+com.apple.driver.usb.AppleUSBUserHCI	1
+com.apple.iokit.IOKitRegistryCompatibility	1
+com.apple.iokit.EndpointSecurity	1
+com.apple.driver.AppleDiskImages2	126.40.1
+com.apple.AppleSystemPolicy	2.0.0
+com.apple.nke.applicationfirewall	402
+com.apple.kec.InvalidateHmac	1
+com.apple.kec.AppleEncryptedArchive	1
+com.apple.driver.driverkit.serial	6.0.0
+com.apple.kext.triggers	1.0
+com.apple.driver.AppleUSBMergeNub	900.4.2
+com.apple.driver.usb.cdc.ecm	5.0.0
+com.apple.driver.usb.cdc.acm	5.0.0
+com.apple.driver.usb.serial	6.0.0
+com.apple.driver.usb.cdc.ncm	5.0.0
+com.apple.iokit.IOAVBFamily	1010.2
+com.apple.plugin.IOgPTPPlugin	1000.11
+com.apple.driver.usb.IOUSBHostHIDDevice	1.2
+com.apple.driver.usb.cdc	5.0.0
+com.apple.driver.AppleUSBAudio	412.8
+com.apple.iokit.IOAudioFamily	300.10
+com.apple.vecLib.kext	1.2.0
+com.apple.iokit.IOEthernetAVBController	1.1.0
+com.apple.driver.usb.AppleUSBXHCIPCI	1.2
+com.apple.driver.AppleMesaSEPDriver	100.99
+com.apple.iokit.IOBiometricFamily	1
+com.apple.driver.AppleHIDKeyboard	228
+com.apple.driver.AppleHSBluetoothDriver	5010.1
+com.apple.driver.IOBluetoothHIDDriver	9.0.0
+com.apple.driver.AppleActuatorDriver	5400.25
+com.apple.driver.AppleMultitouchDriver	5400.25
+com.apple.driver.AppleThunderboltPCIUpAdapter	4.1.1
+com.apple.driver.AppleThunderboltDPOutAdapter	8.5.0
+com.apple.driver.AppleSEPHDCPManager	1.0.1
+com.apple.driver.AppleTrustedAccessory	1
+com.apple.iokit.AppleSEPGenericTransfer	1
+com.apple.driver.DiskImages.KernelBacked	493.0.0
+com.apple.driver.AppleXsanScheme	3
+com.apple.driver.usb.networking	5.0.0
+com.apple.driver.AppleThunderboltUSBDownAdapter	1.0.4
+com.apple.driver.AppleThunderboltPCIDownAdapter	4.1.1
+com.apple.driver.AppleThunderboltDPInAdapter	8.5.0
+com.apple.driver.AppleThunderboltDPAdapterFamily	8.5.0
+com.apple.nke.ppp	1.9
+com.apple.driver.AppleHIDTransportSPI	5400.30
+com.apple.driver.AppleHIDTransport	5400.30
+com.apple.driver.AppleInputDeviceSupport	5400.30
+com.apple.driver.AppleBSDKextStarter	3
+com.apple.filesystems.hfs.encodings.kext	1
+com.apple.driver.AppleConvergedIPCOLYBTControl	1
+com.apple.driver.AppleConvergedPCI	1
+com.apple.driver.AppleBluetoothDebug	1
+com.apple.driver.AppleBTM	1.0.1
+com.apple.driver.AppleDiagnosticDataAccessReadOnly	1.0.0
+com.apple.driver.AppleCSEmbeddedAudio	502.6
+com.apple.driver.AppleDCPDPTXProxy	1.0.0
+com.apple.driver.DCPDPFamilyProxy	1
+com.apple.driver.ApplePassthroughPPM	3.0
+com.apple.driver.AppleAOPAudio	102.2
+com.apple.driver.AppleEmbeddedAudio	502.6
+com.apple.iokit.AppleARMIISAudio	100.1
+com.apple.driver.AppleSPU	1
+com.apple.iokit.IONVMeFamily	2.1.0
+com.apple.driver.AppleNANDConfigAccess	1.0.0
+com.apple.AGXFirmwareKextG13XRTBuddy	187.57
+com.apple.AGXFirmwareKextRTBuddy64	187.57
+com.apple.driver.AppleHPM	3.4.4
+com.apple.driver.DCPAVFamilyProxy	1
+com.apple.driver.AppleStockholmControl	1.0.0
+com.apple.driver.AppleT6000TypeCPhy	1
+com.apple.driver.AppleT8103TypeCPhy	1
+com.apple.driver.AppleUSBXDCIARM	1.0
+com.apple.driver.AppleUSBXDCI	1.0
+com.apple.iokit.IOUSBDeviceFamily	2.0.0
+com.apple.driver.usb.AppleSynopsysUSBXHCI	1
+com.apple.driver.usb.AppleUSBXHCI	1.2
+com.apple.driver.AppleEmbeddedUSBHost	1
+com.apple.driver.usb.AppleUSBHub	1.2
+com.apple.driver.usb.AppleUSBHostCompositeDevice	1.2
+com.apple.driver.AppleDialogPMU	1.0.1
+com.apple.driver.AppleSPMI	1.0.1
+com.apple.driver.usb.AppleUSBHostPacketFilter	1.0
+com.apple.iokit.IOGPUFamily	35.11
+com.apple.iokit.IOMobileGraphicsFamily-DCP	343.0.0
+com.apple.driver.AppleDCP	1
+com.apple.driver.AppleFirmwareKit	1
+com.apple.iokit.IOMobileGraphicsFamily	343.0.0
+com.apple.driver.AppleSART	1
+com.apple.driver.ApplePMGR	1
+com.apple.driver.AppleARMWatchdogTimer	1
+com.apple.driver.AppleDisplayCrossbar	1.0.0
+com.apple.iokit.IODisplayPortFamily	1.0.0
+com.apple.driver.AppleTypeCPhy	1
+com.apple.driver.AppleThunderboltNHI	7.2.8
+com.apple.driver.AppleT6000PCIeC	1
+com.apple.iokit.IOThunderboltFamily	9.3.2
+com.apple.driver.ApplePIODMA	1
+com.apple.driver.AppleT600xPCIe	1
+com.apple.driver.AppleMultiFunctionManager	1
+com.apple.driver.AppleBluetoothDebugService	1
+com.apple.driver.AppleBCMWLANCore	1.0.0
+com.apple.iokit.IO80211Family	1200.12.2b1
+com.apple.driver.IOImageLoader	1.0.0
+com.apple.driver.AppleOLYHAL	1
+com.apple.driver.corecapture	1.0.4
+com.apple.driver.AppleEmbeddedPCIE	1
+com.apple.driver.AppleMCA2-T600x	600.95
+com.apple.driver.AppleEmbeddedAudioLibs	100.9.1
+com.apple.driver.AppleFirmwareUpdateKext	1
+com.apple.driver.AppleH13CameraInterface	4.79.0
+com.apple.driver.AppleH10PearlCameraInterface	17.0.3
+com.apple.driver.AppleGPIOICController	1.0.2
+com.apple.driver.AppleFireStormErrorHandler	1
+com.apple.driver.AppleMobileApNonce	1
+com.apple.iokit.IOTimeSyncFamily	1000.11
+com.apple.driver.DiskImages	493.0.0
+com.apple.iokit.IOGraphicsFamily	593
+com.apple.iokit.IOBluetoothSerialManager	9.0.0
+com.apple.iokit.IOBluetoothHostControllerUSBTransport	9.0.0
+com.apple.iokit.IOBluetoothHostControllerUARTTransport	9.0.0
+com.apple.iokit.IOBluetoothHostControllerTransport	9.0.0
+com.apple.driver.IOBluetoothHostControllerPCIeTransport	9.0.0
+com.apple.iokit.IOBluetoothFamily	9.0.0
+com.apple.driver.FairPlayIOKit	68.13.0
+com.apple.iokit.CoreAnalyticsFamily	1
+com.apple.iokit.CSRBluetoothHostControllerUSBTransport	9.0.0
+com.apple.iokit.BroadcomBluetoothHostControllerUSBTransport	9.0.0
+com.apple.driver.AppleSSE	1.0
+com.apple.driver.AppleSEPKeyStore	2
+com.apple.driver.AppleUSBTDM	532.40.7
+com.apple.iokit.IOUSBMassStorageDriver	209.40.6
+com.apple.iokit.IOPCIFamily	2.9
+com.apple.iokit.IOSCSIBlockCommandsDevice	452.30.4
+com.apple.iokit.IOSCSIArchitectureModelFamily	452.30.4
+com.apple.driver.AppleIPAppender	1.0
+com.apple.driver.AppleFDEKeyStore	28.30
+com.apple.driver.AppleEffaceableStorage	1.0
+com.apple.driver.AppleCredentialManager	1.0
+com.apple.driver.KernelRelayHost	1
+com.apple.iokit.IOUSBHostFamily	1.2
+com.apple.driver.AppleUSBHostMergeProperties	1.2
+com.apple.driver.usb.AppleUSBCommon	1.0
+com.apple.driver.AppleSMC	3.1.9
+com.apple.driver.RTBuddy	1.0.0
+com.apple.driver.AppleEmbeddedTempSensor	1.0.0
+com.apple.driver.AppleARMPMU	1.0
+com.apple.iokit.IOAccessoryManager	1.0.0
+com.apple.driver.AppleOnboardSerial	1.0
+com.apple.iokit.IOSkywalkFamily	1.0
+com.apple.driver.mDNSOffloadUserClient	1.0.1b8
+com.apple.iokit.IONetworkingFamily	3.4
+com.apple.iokit.IOSerialFamily	11
+com.apple.driver.AppleSEPManager	1.0.1
+com.apple.driver.AppleA7IOP	1.0.2
+com.apple.driver.IOSlaveProcessor	1
+com.apple.driver.AppleBiometricSensor	2
+com.apple.iokit.IOHIDFamily	2.0.0
+com.apple.driver.AppleANELoadBalancer	5.33.2
+com.apple.driver.AppleH11ANEInterface	5.33.0
+com.apple.AUC	1.0
+com.apple.iokit.IOAVFamily	1.0.0
+com.apple.iokit.IOHDCPFamily	1.0.0
+com.apple.iokit.IOCECFamily	1
+com.apple.iokit.IOAudio2Family	1.0
+com.apple.driver.AppleIISController	100.1
+com.apple.driver.AppleAudioClockLibs	100.9.1
+com.apple.driver.AppleM2ScalerCSCDriver	265.0.0
+com.apple.iokit.IOSurface	302.9
+com.apple.driver.IODARTFamily	1
+com.apple.security.quarantine	4
+com.apple.security.sandbox	300.0
+com.apple.kext.AppleMatch	1.0.0d1
+com.apple.driver.AppleMobileFileIntegrity	1.0.5
+com.apple.security.AppleImage4	4.1.0
+com.apple.kext.CoreTrust	1
+com.apple.iokit.IOCryptoAcceleratorFamily	1.0.1
+com.apple.driver.AppleARMPlatform	1.0.2
+com.apple.iokit.IOStorageFamily	2.1
+com.apple.iokit.IOSlowAdaptiveClockingFamily	1.0.0
+com.apple.iokit.IOReportFamily	47
+com.apple.kec.pthread	1
+com.apple.kec.Libm	1
+com.apple.kec.corecrypto	12.0
+
+
+
+** Stackshot Succeeded ** Bytes Traced 478480 (Uncompressed 1208976) **
+```
+Steps to reproduce:
+1. See https://github.com/lima-vm/lima/issues/713
+Additional information:
+
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/914 b/gitlab/issues_text/target_arm/host_missing/accel_missing/914
new file mode 100644
index 000000000..b19793dc7
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/914
@@ -0,0 +1 @@
+Raspi4 emulation
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/920 b/gitlab/issues_text/target_arm/host_missing/accel_missing/920
new file mode 100644
index 000000000..de409ec56
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/920
@@ -0,0 +1,12 @@
+Aarch64 QEMU+KVM+OVMF RAM Bug
+Description of problem:
+OVMF EDK2 does not recognize any amount of RAM.  It always detects as 0 MB and causes operating systems to crash.
+Steps to reproduce:
+1.
+2.
+3.
+Additional information:
+There was a problem with the Redmi Note 10S device via Termux.
+ ![Screenshot_2022-03-19-13-50-58-126_com.realvnc.viewer.android](/uploads/dc4a1b75dde84ea14625aee45bb4684c/Screenshot_2022-03-19-13-50-58-126_com.realvnc.viewer.android.jpg)
+
+ ovmf
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/922 b/gitlab/issues_text/target_arm/host_missing/accel_missing/922
new file mode 100644
index 000000000..6f3e7dc82
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/922
@@ -0,0 +1,20 @@
+QEMU 7.0.0-rc0: Random segfaults when running grep using qemu-arm-static
+Description of problem:
+I'm running ARM binaries using 32 bit qemu-arm-static on x86_64 host. Sometimes when running grep via qemu, I get a random segmentation fault. Sometimes it happens faster, sometimes it takes several thousand iterations, but sooner or later it happens and really annoying.
+
+This problem is also reproduced on 6.2, 5.2 and 5.1 releases, and NOT reproduced on 5.0
+
+I wrote small test to demonstrate this bug.
+Steps to reproduce:
+1. Download the test environment: [qemu-test-segfault.tar.bz2](/uploads/8f52617d46ba1e5bf29fc273cd07131d/qemu-test-segfault.tar.bz2)
+2. `$ make # To build the docker container`
+3. `$ make shell # To run ARM bash`
+4. Inside a container, run `while true; do /qemu /bin/grep -E f text > /dev/null; [ $? -ne 0 ] && break; done`. After a while you will get segfault:
+```
+[root@0d81b08f032b /]# /qemu --version
+qemu-arm version 6.2.90
+Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
+[root@0d81b08f032b /]# while true; do /qemu /bin/grep -E f text > /dev/null; [ $? -ne 0 ] && break; done
+Segmentation fault (core dumped)
+[root@0d81b08f032b /]#
+```
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/923 b/gitlab/issues_text/target_arm/host_missing/accel_missing/923
new file mode 100644
index 000000000..85ada2625
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/923
@@ -0,0 +1 @@
+Kernel OOPS on SBSA-ref due to missing watchdog register
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/924 b/gitlab/issues_text/target_arm/host_missing/accel_missing/924
new file mode 100644
index 000000000..928d0d97a
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/924
@@ -0,0 +1 @@
+AHCI IRQ lost running Fedora on SBSA-ref
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/95 b/gitlab/issues_text/target_arm/host_missing/accel_missing/95
new file mode 100644
index 000000000..5f2052642
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/95
@@ -0,0 +1 @@
+linux-user mode can't handle guest setting a very small RLIMIT_AS (hangs running gnutls28, coreutils configure check code)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/952 b/gitlab/issues_text/target_arm/host_missing/accel_missing/952
new file mode 100644
index 000000000..82ad1b5ca
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/952
@@ -0,0 +1,97 @@
+qemu: uncaught target signal 5 (Trace/breakpoint trap)
+Description of problem:
+I'm getting core dumped when running the attached a.out_err binary in qemu, but when using Gdb to remote-debug the program, it exited normally. will appreciate if you can help look into this qemu issue.
+
+And I found that QEMU's 32-bit arm linux-user mode doesn't correctly turn guest BKPT insns into SIGTRAP signal.
+
+0xa602 <_start>         movs    r0, #22   
+                                                                                                                           0xa604 <_start+2>       addw    r1, pc, #186    ; 0xba                                                                                                                                           
+0xa608 <_start+6>       bkpt    0x00ab       
+
+$readelf -h hello
+
+ELF Header:
+  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00  
+  Class:                             ELF32  
+  Data:                              2's complement, little endian  
+  Version:                           1 (current)    
+  OS/ABI:                            UNIX - System V  
+  ABI Version:                       0  
+  Type:                              EXEC (Executable file)  
+  Machine:                           ARM  
+  Version:                           0x1  
+  Entry point address:               0xa603  
+  Start of program headers:          52 (bytes into file)  
+  Start of section headers:          144128 (bytes into file)  
+  Flags:                             0x5000200, Version5 EABI, soft-float ABI  
+  Size of this header:               52 (bytes)  
+  Size of program headers:           32 (bytes)  
+  Number of program headers:         5  
+  Size of section headers:           40 (bytes)  
+  Number of section headers:         16  
+  Section header string table index: 14  
+
+And I have check that the bug(https://bugs.launchpad.net/qemu/+bug/1873898) is fixed.
+
+But it's coredump.
+
+I found that bkpt instruction is not recognized, the bkpt is in 0x0000a608.
+
+host:
+```
+$qemu-arm -g 12345 hello  
+```
+service:
+```
+$gdb-multiarch hello  
+(gdb) target remote localhost:12345  
+Remote debugging using localhost:12345  
+0x0000a602 in _start ()  
+(gdb) ni  
+0x0000a604 in _start ()
+(gdb)  
+0x0000a608 in _start ()
+(gdb)  
+0x0000a608 in _start ()
+```
+Another way to check:
+```
+$gdb qemu-arm
+(gdb) run hello
+(gdb) bt
+#0  0x00007ffff79474ba in __GI___sigsuspend (set=set@entry=0x7fffffffd9d8) at ../sysdeps/unix/sysv/linux/sigsuspend.c:26
+#1  0x000055555573bfff in dump_core_and_abort (target_sig=target_sig@entry=5) at ../linux-user/signal.c:772
+#2  0x000055555573c3c8 in handle_pending_signal (cpu_env=cpu_env@entry=0x555555da5940, sig=sig@entry=5, k=k@entry=0x555555e60e00) at ../linux-user/signal.c:1099
+#3  0x000055555573de8c in process_pending_signals (cpu_env=cpu_env@entry=0x555555da5940) at ../linux-user/signal.c:1175
+#4  0x0000555555622070 in cpu_loop (env=0x555555da5940) at ../linux-user/arm/cpu_loop.c:472
+#5  0x0000555555603cf4 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../linux-user/main.c:883
+(gdb) up
+#1  0x000055555573bfff in dump_core_and_abort (target_sig=target_sig@entry=5) at ../linux-user/signal.c:772
+772         sigsuspend(&act.sa_mask);
+(gdb)
+#2  0x000055555573c3c8 in handle_pending_signal (cpu_env=cpu_env@entry=0x555555da5940, sig=sig@entry=5, k=k@entry=0x555555e60e00) at ../linux-user/signal.c:1099
+1099            dump_core_and_abort(sig);
+(gdb)
+#3  0x000055555573de8c in process_pending_signals (cpu_env=cpu_env@entry=0x555555da5940) at ../linux-user/signal.c:1175
+1175                handle_pending_signal(cpu_env, sig, &ts->sync_signal);
+(gdb)
+#4  0x0000555555622070 in cpu_loop (env=0x555555da5940) at ../linux-user/arm/cpu_loop.c:472
+472             process_pending_signals(env);
+(gdb) l
+467             default:
+468             error:
+469                 EXCP_DUMP(env, "qemu: unhandled CPU exception 0x%x - aborting\n", trapnr);
+470                 abort();
+471             }
+472             process_pending_signals(env);
+473         }
+474     }
+475
+476     void target_cpu_copy_regs(CPUArchState *env, struct target_pt_regs *regs)
+(gdb) p cpu_exec(cs)
+$2 = 7
+```
+Here process_pending_signals(env) gives SIGTRAP??
+
+Here is my binary:
+[hello](/uploads/7225e1f1c5a61ace40f90d5d2401a758/hello)
diff --git a/gitlab/issues_text/target_arm/host_missing/accel_missing/970 b/gitlab/issues_text/target_arm/host_missing/accel_missing/970
new file mode 100644
index 000000000..c6890f824
--- /dev/null
+++ b/gitlab/issues_text/target_arm/host_missing/accel_missing/970
@@ -0,0 +1,33 @@
+ARM SCTLR allows writes to "write ignore" bits
+Description of problem:
+The firmware I have executed in qemu sets up pagetables and then enables the MMU.
+A few instructions later, a prefetch abort was occurring. After debugging it turned out the problem was because get_phys_addr_v5 was being used to walk the pagetable instead of get_phys_addr_v6.
+qemu has this code:
+```c
+regime_sctlr(env, mmu_idx) & SCTLR_XP
+// where SCTLR_XP is commented as
+#define SCTLR_XP      (1U << 23) /* up to v6; v7 onward RAO */
+```
+Somewhat interestingly, A5 has a lot of bits marked as `/WI`: https://developer.arm.com/documentation/ddi0433/c/system-control/register-descriptions/system-control-register
+
+A9 has less, but still a few which qemu is not handling: https://developer.arm.com/documentation/ddi0388/e/the-system-control-coprocessors/summary-of-system-control-coprocessor-registers/system-control-register
+I've made this hacky patch to fix it for myself:
+```diff
+diff --git a/qemu/target/arm/helper.c b/qemu/target/arm/helper.c
+index 60c9db9e..d8fd5a7d 100644
+--- a/qemu/target/arm/helper.c
++++ b/qemu/target/arm/helper.c
+@@ -4306,6 +4306,11 @@ static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ {
+     ARMCPU *cpu = env_archcpu(env);
+
++    // for cortex-a5 specifically
++    value |= (0b11 << 22) | (1 << 18) | (1 << 16) | (0b1111 << 3);
++    value &= ~((1 << 31) | (0b11 << 26) | (1 << 24) | (0b111 << 19) |
++        (1 << 17) | (0b11 << 14) | (0b111 << 7));
++
+     if (raw_read(env, ri) == value) {
+         /* Skip the TLB flush if nothing actually changed; Linux likes
+          * to do a lot of pointless SCTLR writes.
+```
+I think the real fix would allow expressing the ones/zeros mask as part of `ARMCPU` per-arch.