diff options
Diffstat (limited to 'results/classifier/105/semantic/1920602')
| -rw-r--r-- | results/classifier/105/semantic/1920602 | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/results/classifier/105/semantic/1920602 b/results/classifier/105/semantic/1920602 new file mode 100644 index 000000000..186c7fe86 --- /dev/null +++ b/results/classifier/105/semantic/1920602 @@ -0,0 +1,95 @@ +semantic: 0.765 +instruction: 0.667 +mistranslation: 0.638 +assembly: 0.637 +device: 0.601 +graphic: 0.594 +boot: 0.593 +vnc: 0.568 +socket: 0.516 +network: 0.451 +KVM: 0.409 +other: 0.409 + +QEMU crash after a QuickBASIC program integer overflow + +A trivial program compiler with QuickBASIC 4.5 with integer overflow will crash QEMU when ran under MS-DOS 5.0 or FreeDOS 1.2: + +C:\KILLER>type killer.bas +A% = VAL("99999"):PRINT A% + +C:\KILLER>killer.exe +** + ERROR:../qemu-5.2.0/accel/tcg/tcg-cpus.c:541:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked()) +Aborted + +QEMU version v5.2, compiler for ARM, and started with command line: + +qemu-system-i386 -curses -cpu 486 -m 1 -drive dos.img + +The same test under Ubuntu QEMU and KVM/x86_64 (QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.14)) will just silently hang the QEMU. On DOSBOX, the machine does not die and program outputs the value -31073. + +The EXE to reproduce the issue is attached. + + + +The program works (in TCQ mode) with QEMU v5.0.0. + +QEMU starts crashing with the commit: + +commit 975af797f1e04e4d1b1a12f1731141d3770fdbce +Author: Joseph Myers <email address hidden> +Date: Fri May 15 21:21:24 2020 +0000 + + target/i386: fix IEEE x87 floating-point exception raising + + +For -enable-kvm I haven't been able to find a working commit. All versions since v3.1.0 just silently hang with the program. + +Attached is a minimal FreeDOS floppy disk to reproduce the TCG crash. Still reproducible with QEMU v6.0.0: + +WARNING: Image format was not specified for 'test-floppy.img' and probing guessed raw. + Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted. + Specify the 'raw' format explicitly to remove the restrictions. +SeaBIOS (version rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org) +Booting from Floppy... +................................................123 +FreeDOS kernel 2042 (build 2042 OEM:0xfd) [compiled May 11 2016] +Kernel compatibility 7.10 - WATCOMC - FAT32 support + +(C) Copyright 1995-2012 Pasquale J. Villani and The FreeDOS Project. +All Rights Reserved. This is free software and comes with ABSOLUTELY NO +WARRANTY; you can redistribute it and/or modify it under the terms of the +GNU General Public License as published by the Free Software Foundation; +either version 2, or (at your option) any later version. + - InitDiskno hard disks detected + +FreeCom version 0.84-pre2 XMS_Swap [Aug 28 2006 00:29:00] +A:\>KILLER.EXE +** +ERROR:../accel/tcg/tcg-accel-ops.c:80:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked()) +Bail out! ERROR:../accel/tcg/tcg-accel-ops.c:80:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked()) +Aborted + + +Since commit 975af797f1e helper_fist_ST0() sets float_flag_invalid. + +FErr# IRQ raise since bf13bfab084 ("i386: implement IGNNE"): + + Change the handling of port F0h writes and FPU exceptions to implement IGNNE. + + The implementation mixes a bit what the chipset and processor do in real + hardware, but the effect is the same as what happens with actual FERR# + and IGNNE# pins: writing to port F0h asserts IGNNE# in addition to lowering + FP_IRQ; while clearing the SE bit in the FPU status word deasserts IGNNE#. + + + + +This is an automated cleanup. This bug report has been moved to QEMU's +new bug tracker on gitlab.com and thus gets marked as 'expired' now. +Please continue with the discussion here: + + https://gitlab.com/qemu-project/qemu/-/issues/318 + + |