diff options
Diffstat (limited to 'results/classifier/deepseek-1/output/QEMU.')
| -rw-r--r-- | results/classifier/deepseek-1/output/QEMU./1151986 | 302 | ||||
| -rw-r--r-- | results/classifier/deepseek-1/output/QEMU./1243639 | 115 | ||||
| -rw-r--r-- | results/classifier/deepseek-1/output/QEMU./1574246 | 81 | ||||
| -rw-r--r-- | results/classifier/deepseek-1/output/QEMU./1818937 | 247 | ||||
| -rw-r--r-- | results/classifier/deepseek-1/output/QEMU./1910941 | 131 | ||||
| -rw-r--r-- | results/classifier/deepseek-1/output/QEMU./757702 | 842 |
6 files changed, 1718 insertions, 0 deletions
diff --git a/results/classifier/deepseek-1/output/QEMU./1151986 b/results/classifier/deepseek-1/output/QEMU./1151986 new file mode 100644 index 000000000..77ae30be1 --- /dev/null +++ b/results/classifier/deepseek-1/output/QEMU./1151986 @@ -0,0 +1,302 @@ + +buffer overflow after block-stream via QMP + +When a block-stream is initiated via QMP and the QMP socket is closed on client side before the job is finished, QEMU crashes with a buffer overflow. + +Afterwards I cannot boot from the last active image anymore. + +I was able to reproduce this with qemu-kvm and qemu-system-x86_64 on two different machines. + +Version: +QEMU emulator version 1.2.0 (qemu-kvm-1.2.0), Copyright (c) 2003-2008 Fabrice Bellard + +I started QEMU with the following script: + +qemu-kvm \ + -monitor vc \ + -m 512 \ + -hda "$1" \ + -net nic,vlan=0 \ + -net user,vlan=0 \ + -localtime \ + -smp 2 \ + -qmp tcp:localhost:4444,server,nowait + + +Backtrace: + +Formatting '/home/helge/images/vm01.2013-03-07_11:30:13.qcow2', fmt=qcow2 size=10485760000 backing_file='/home/helge/images/vm01.qcow2' backing_fmt='qcow2' encryption=off cluster_size=65536 lazy_refcounts=off +*** buffer overflow detected ***: qemu-kvm terminated +======= Backtrace: ========= +/usr/lib/libc.so.6(__fortify_fail+0x37)[0x7f054e91a8c7] +/usr/lib/libc.so.6(+0xfc9a0)[0x7f054e9189a0] +/usr/lib/libc.so.6(+0xfe837)[0x7f054e91a837] +qemu-kvm(+0xdb0dc)[0x7f055220b0dc] +qemu-kvm(+0x15f581)[0x7f055228f581] +qemu-kvm(main+0xf93)[0x7f05521a3e93] +/usr/lib/libc.so.6(__libc_start_main+0xf5)[0x7f054e83da15] +qemu-kvm(+0x77e8d)[0x7f05521a7e8d] +======= Memory map: ======== +7f051bdff000-7f051be00000 rw-p 00000000 00:00 0 +7f051be00000-7f053be00000 rw-p 00000000 00:00 0 +7f053be00000-7f053c000000 rw-p 00000000 00:00 0 +7f053c000000-7f053c021000 rw-p 00000000 00:00 0 +7f053c021000-7f0540000000 ---p 00000000 00:00 0 +7f05421e2000-7f05421f7000 r-xp 00000000 08:12 1175478 /usr/lib/libgcc_s.so.1 +7f05421f7000-7f05423f6000 ---p 00015000 08:12 1175478 /usr/lib/libgcc_s.so.1 +7f05423f6000-7f05423f7000 rw-p 00014000 08:12 1175478 /usr/lib/libgcc_s.so.1 +7f05423f7000-7f05423f8000 ---p 00000000 00:00 0 +7f05423f8000-7f0542bf8000 rw-p 00000000 00:00 0 [stack:27848] +7f0542bf8000-7f0542bfd000 r-xp 00000000 08:12 1198566 /usr/lib/libXfixes.so.3.1.0 +7f0542bfd000-7f0542dfd000 ---p 00005000 08:12 1198566 /usr/lib/libXfixes.so.3.1.0 +7f0542dfd000-7f0542dfe000 r--p 00005000 08:12 1198566 /usr/lib/libXfixes.so.3.1.0 +7f0542dfe000-7f0542dff000 rw-p 00006000 08:12 1198566 /usr/lib/libXfixes.so.3.1.0 +7f0542dff000-7f0542e00000 rw-p 00000000 00:00 0 +7f0542e00000-7f0543e00000 rw-p 00000000 00:00 0 +7f0543e00000-7f0544000000 rw-p 00000000 00:00 0 +7f0544000000-7f0544139000 rw-p 00000000 00:00 0 +7f0544139000-7f0548000000 ---p 00000000 00:00 0 +7f0548014000-7f054801e000 r-xp 00000000 08:12 1198746 /usr/lib/libXrender.so.1.3.0 +7f054801e000-7f054821d000 ---p 0000a000 08:12 1198746 /usr/lib/libXrender.so.1.3.0 +7f054821d000-7f054821e000 r--p 00009000 08:12 1198746 /usr/lib/libXrender.so.1.3.0 +7f054821e000-7f054821f000 rw-p 0000a000 08:12 1198746 /usr/lib/libXrender.so.1.3.0 +7f054821f000-7f0548228000 r-xp 00000000 08:12 1199189 /usr/lib/libXcursor.so.1.0.2 +7f0548228000-7f0548427000 ---p 00009000 08:12 1199189 /usr/lib/libXcursor.so.1.0.2 +7f0548427000-7f0548428000 r--p 00008000 08:12 1199189 /usr/lib/libXcursor.so.1.0.2 +7f0548428000-7f0548429000 rw-p 00009000 08:12 1199189 /usr/lib/libXcursor.so.1.0.2 +7f0548429000-7f0548721000 r--p 00000000 08:12 1175421 /usr/lib/locale/locale-archive +7f0548721000-7f0548733000 r-xp 00000000 08:12 1198126 /usr/lib/libXext.so.6.4.0 +7f0548733000-7f0548932000 ---p 00012000 08:12 1198126 /usr/lib/libXext.so.6.4.0 +7f0548932000-7f0548933000 r--p 00011000 08:12 1198126 /usr/lib/libXext.so.6.4.0 +7f0548933000-7f0548934000 rw-p 00012000 08:12 1198126 /usr/lib/libXext.so.6.4.0 +7f054895d000-7f05489c0000 rw-p 00000000 00:00 0 +7f054895d000-7f05489c0000 rw-p 00000000 00:00 0 [118/1982] +7f05489d3000-7f0548aed000 rw-s 00000000 00:04 69697543 /SYSV00000000 (deleted) +7f0548aed000-7f0548aee000 ---p 00000000 00:00 0 +7f0548aee000-7f05492ee000 rw-p 00000000 00:00 0 [stack:27612] +7f05492ee000-7f05492ef000 ---p 00000000 00:00 0 +7f05492ef000-7f0549aef000 rw-p 00000000 00:00 0 [stack:27611] +7f0549cef000-7f0549cf0000 rw-p 00000000 00:00 0 +7f0549cf0000-7f0549cf1000 ---p 00000000 00:00 0 +7f0549cf1000-7f054a4f1000 rw-p 00000000 00:00 0 [stack:27858] +7f054a4f1000-7f054a4fd000 r-xp 00000000 08:12 1175139 /usr/lib/libnss_files-2.17.so +7f054a4fd000-7f054a6fc000 ---p 0000c000 08:12 1175139 /usr/lib/libnss_files-2.17.so +7f054a6fc000-7f054a6fd000 r--p 0000b000 08:12 1175139 /usr/lib/libnss_files-2.17.so +7f054a6fd000-7f054a6fe000 rw-p 0000c000 08:12 1175139 /usr/lib/libnss_files-2.17.so +7f054a6fe000-7f054a704000 rw-p 00000000 00:00 0 +7f054a704000-7f054a719000 r-xp 00000000 08:12 1175108 /usr/lib/libnsl-2.17.so +7f054a719000-7f054a918000 ---p 00015000 08:12 1175108 /usr/lib/libnsl-2.17.so +7f054a918000-7f054a919000 r--p 00014000 08:12 1175108 /usr/lib/libnsl-2.17.so +7f054a919000-7f054a91a000 rw-p 00015000 08:12 1175108 /usr/lib/libnsl-2.17.so +7f054a91a000-7f054a91d000 rw-p 00000000 00:00 0 +7f054a91d000-7f054a923000 r-xp 00000000 08:12 1203255 /usr/lib/libogg.so.0.8.0 +7f054a923000-7f054ab22000 ---p 00006000 08:12 1203255 /usr/lib/libogg.so.0.8.0 +7f054ab22000-7f054ab23000 rw-p 00005000 08:12 1203255 /usr/lib/libogg.so.0.8.0 +7f054ab23000-7f054ab4f000 r-xp 00000000 08:12 1203266 /usr/lib/libvorbis.so.0.4.6 +7f054ab4f000-7f054ad4e000 ---p 0002c000 08:12 1203266 /usr/lib/libvorbis.so.0.4.6 +7f054ad4e000-7f054ad4f000 r--p 0002b000 08:12 1203266 /usr/lib/libvorbis.so.0.4.6 +7f054ad4f000-7f054ad50000 rw-p 0002c000 08:12 1203266 /usr/lib/libvorbis.so.0.4.6 +7f054ad50000-7f054b003000 r-xp 00000000 08:12 1203269 /usr/lib/libvorbisenc.so.2.0.9 +7f054b003000-7f054b202000 ---p 002b3000 08:12 1203269 /usr/lib/libvorbisenc.so.2.0.9 +7f054b202000-7f054b21e000 r--p 002b2000 08:12 1203269 /usr/lib/libvorbisenc.so.2.0.9 +7f054b21e000-7f054b21f000 rw-p 002ce000 08:12 1203269 /usr/lib/libvorbisenc.so.2.0.9 +7f054b21f000-7f054b269000 r-xp 00000000 08:12 1203337 /usr/lib/libFLAC.so.8.2.0 +7f054b269000-7f054b468000 ---p 0004a000 08:12 1203337 /usr/lib/libFLAC.so.8.2.0 +7f054b468000-7f054b46a000 rw-p 00049000 08:12 1203337 /usr/lib/libFLAC.so.8.2.0 +7f054b46a000-7f054b46f000 r-xp 00000000 08:12 1196541 /usr/lib/libXdmcp.so.6.0.0 +7f054b46f000-7f054b66e000 ---p 00005000 08:12 1196541 /usr/lib/libXdmcp.so.6.0.0 +7f054b66e000-7f054b66f000 r--p 00004000 08:12 1196541 /usr/lib/libXdmcp.so.6.0.0 +7f054b66f000-7f054b670000 rw-p 00005000 08:12 1196541 /usr/lib/libXdmcp.so.6.0.0 +7f054b670000-7f054b672000 r-xp 00000000 08:12 1196554 /usr/lib/libXau.so.6.0.0 +7f054b672000-7f054b872000 ---p 00002000 08:12 1196554 /usr/lib/libXau.so.6.0.0 +7f054b872000-7f054b873000 r--p 00002000 08:12 1196554 /usr/lib/libXau.so.6.0.0 +7f054b873000-7f054b874000 rw-p 00003000 08:12 1196554 /usr/lib/libXau.so.6.0.0 +7f054b874000-7f054b879000 r-xp 00000000 08:12 1203313 /usr/lib/libasyncns.so.0.3.1 +7f054b879000-7f054ba78000 ---p 00005000 08:12 1203313 /usr/lib/libasyncns.so.0.3.1 +7f054ba78000-7f054ba79000 r--p 00004000 08:12 1203313 /usr/lib/libasyncns.so.0.3.1 +7f054ba79000-7f054ba7a000 rw-p 00005000 08:12 1203313 /usr/lib/libasyncns.so.0.3.1 +7f054ba7a000-7f054bad9000 r-xp 00000000 08:12 1203348 /usr/lib/libsndfile.so.1.0.25 +7f054bad9000-7f054bcd9000 ---p 0005f000 08:12 1203348 /usr/lib/libsndfile.so.1.0.25 +7f054bcd9000-7f054bcdb000 r--p 0005f000 08:12 1203348 /usr/lib/libsndfile.so.1.0.25 +7f054bcdb000-7f054bcdc000 rw-p 00061000 08:12 1203348 /usr/lib/libsndfile.so.1.0.25 +7f054bcdc000-7f054bce0000 rw-p 00000000 00:00 0 +7f054bce0000-7f054bcfe000 r-xp 00000000 08:12 1216246 /usr/lib/libxcb.so.1.1.0 +7f054bcfe000-7f054befd000 ---p 0001e000 08:12 1216246 /usr/lib/libxcb.so.1.1.0 +7f054befd000-7f054befe000 r--p 0001d000 08:12 1216246 /usr/lib/libxcb.so.1.1.0 +7f054befe000-7f054beff000 rw-p 0001e000 08:12 1216246 /usr/lib/libxcb.so.1.1.0 +7f054beff000-7f054bf6c000 r-xp 00000000 08:12 1182009 /usr/lib/libgmp.so.10.1.1 +7f054bf6c000-7f054c16b000 ---p 0006d000 08:12 1182009 /usr/lib/libgmp.so.10.1.1 +7f054c16b000-7f054c16c000 r--p 0006c000 08:12 1182009 /usr/lib/libgmp.so.10.1.1 +7f054c16c000-7f054c175000 rw-p 0006d000 08:12 1182009 /usr/lib/libgmp.so.10.1.1 +7f054c175000-7f054c187000 r-xp 00000000 08:12 1195339 /usr/lib/libhogweed.so.2.3 +7f054c187000-7f054c386000 ---p 00012000 08:12 1195339 /usr/lib/libhogweed.so.2.3 +7f054c386000-7f054c387000 r--p 00011000 08:12 1195339 /usr/lib/libhogweed.so.2.3 +7f054c387000-7f054c388000 rw-p 00012000 08:12 1195339 /usr/lib/libhogweed.so.2.3 +7f054c388000-7f054c3b1000 r-xp 00000000 08:12 1195342 /usr/lib/libnettle.so.4.5 +7f054c3b1000-7f054c5b1000 ---p 00029000 08:12 1195342 /usr/lib/libnettle.so.4.5 +7f054c5b1000-7f054c5b2000 r--p 00029000 08:12 1195342 /usr/lib/libnettle.so.4.5 +7f054c5b2000-7f054c5b3000 rw-p 0002a000 08:12 1195342 /usr/lib/libnettle.so.4.5 +7f054c5b3000-7f054c5c5000 r-xp 00000000 08:12 1195333 /usr/lib/libtasn1.so.6.1.1 +7f054c5c5000-7f054c7c4000 ---p 00012000 08:12 1195333 /usr/lib/libtasn1.so.6.1.1 +7f054c7c4000-7f054c7c5000 r--p 00011000 08:12 1195333 /usr/lib/libtasn1.so.6.1.1 +7f054c7c5000-7f054c7c6000 rw-p 00012000 08:12 1195333 /usr/lib/libtasn1.so.6.1.1 +7f054c7c6000-7f054c7d9000 r-xp 00000000 08:12 1195353 /usr/lib/libp11-kit.so.0.0.0 +7f054c7d9000-7f054c9d8000 ---p 00013000 08:12 1195353 /usr/lib/libp11-kit.so.0.0.0 +7f054c9d8000-7f054c9d9000 r--p 00012000 08:12 1195353 /usr/lib/libp11-kit.so.0.0.0 +7f054c9d9000-7f054c9da000 rw-p 00013000 08:12 1195353 /usr/lib/libp11-kit.so.0.0.0 +7f054c9da000-7f054c9ed000 r-xp 00000000 08:12 1175130 /usr/lib/libresolv-2.17.so +7f054c9ed000-7f054cbed000 ---p 00013000 08:12 1175130 /usr/lib/libresolv-2.17.so +7f054cbed000-7f054cbee000 r--p 00013000 08:12 1175130 /usr/lib/libresolv-2.17.so +7f054cbee000-7f054cbef000 rw-p 00014000 08:12 1175130 /usr/lib/libresolv-2.17.so +7f054cbef000-7f054cbf1000 rw-p 00000000 00:00 0 +7f054cbf1000-7f054cbf9000 r-xp 00000000 08:12 1175116 /usr/lib/libcrypt-2.17.so +7f054cbf9000-7f054cdf8000 ---p 00008000 08:12 1175116 /usr/lib/libcrypt-2.17.so +7f054cdf8000-7f054cdf9000 r--p 00007000 08:12 1175116 /usr/lib/libcrypt-2.17.so +7f054cdf9000-7f054cdfa000 rw-p 00008000 08:12 1175116 /usr/lib/libcrypt-2.17.so +7f054cdfa000-7f054ce28000 rw-p 00000000 00:00 0 +7f054ce28000-7f054ce6c000 r-xp 00000000 08:12 1193776 /usr/lib/libdbus-1.so.3.7.2 +7f054ce6c000-7f054d06c000 ---p 00044000 08:12 1193776 /usr/lib/libdbus-1.so.3.7.2 +7f054d06c000-7f054d06d000 r--p 00044000 08:12 1193776 /usr/lib/libdbus-1.so.3.7.2 +7f054d06d000-7f054d06e000 rw-p 00045000 08:12 1193776 /usr/lib/libdbus-1.so.3.7.2 +7f054d06e000-7f054d0d4000 r-xp 00000000 08:12 792323 /usr/lib/pulseaudio/libpulsecommon-3.0.so +7f054d0d4000-7f054d2d3000 ---p 00066000 08:12 792323 /usr/lib/pulseaudio/libpulsecommon-3.0.so +7f054d2d3000-7f054d2d4000 r--p 00065000 08:12 792323 /usr/lib/pulseaudio/libpulsecommon-3.0.so +7f054d0d4000-7f054d2d3000 ---p 00066000 08:12 792323 /usr/lib/pulseaudio/libpulsecommon-3.0.so +7f054d2d3000-7f054d2d4000 r--p 00065000 08:12 792323 /usr/lib/pulseaudio/libpulsecommon-3.0.so +7f054d2d4000-7f054d2d6000 rw-p 00066000 08:12 792323 /usr/lib/pulseaudio/libpulsecommon-3.0.so +7f054d2d6000-7f054d2df000 r-xp 00000000 08:12 1184982 /usr/lib/libjson.so.0.1.0 +7f054d2df000-7f054d4de000 ---p 00009000 08:12 1184982 /usr/lib/libjson.so.0.1.0 +7f054d4de000-7f054d4df000 r--p 00008000 08:12 1184982 /usr/lib/libjson.so.0.1.0 +7f054d4df000-7f054d4e0000 rw-p 00009000 08:12 1184982 /usr/lib/libjson.so.0.1.0 +7f054d4e0000-7f054d6c0000 r-xp 00000000 08:12 1216755 /usr/lib/libcrypto.so.1.0.0 +7f054d6c0000-7f054d8c0000 ---p 001e0000 08:12 1216755 /usr/lib/libcrypto.so.1.0.0 +7f054d8c0000-7f054d8db000 r--p 001e0000 08:12 1216755 /usr/lib/libcrypto.so.1.0.0 +7f054d8db000-7f054d8e6000 rw-p 001fb000 08:12 1216755 /usr/lib/libcrypto.so.1.0.0 +7f054d8e6000-7f054d8ea000 rw-p 00000000 00:00 0 +7f054d8ea000-7f054d94c000 r-xp 00000000 08:12 1216754 /usr/lib/libssl.so.1.0.0 +7f054d94c000-7f054db4b000 ---p 00062000 08:12 1216754 /usr/lib/libssl.so.1.0.0 +7f054db4b000-7f054db4f000 r--p 00061000 08:12 1216754 /usr/lib/libssl.so.1.0.0 +7f054db4f000-7f054db56000 rw-p 00065000 08:12 1216754 /usr/lib/libssl.so.1.0.0 +7f054db56000-7f054db7d000 r-xp 00000000 08:12 1192299 /usr/lib/libssh2.so.1.0.1 +7f054db7d000-7f054dd7d000 ---p 00027000 08:12 1192299 /usr/lib/libssh2.so.1.0.1 +7f054dd7d000-7f054dd7e000 r--p 00027000 08:12 1192299 /usr/lib/libssh2.so.1.0.1 +7f054dd7e000-7f054dd7f000 rw-p 00028000 08:12 1192299 /usr/lib/libssh2.so.1.0.1 +7f054dd7f000-7f054dd80000 rw-p 00000000 00:00 0 +7f054dd80000-7f054dd83000 r-xp 00000000 08:12 1175118 /usr/lib/libdl-2.17.so +7f054dd83000-7f054df82000 ---p 00003000 08:12 1175118 /usr/lib/libdl-2.17.so +7f054df82000-7f054df83000 r--p 00002000 08:12 1175118 /usr/lib/libdl-2.17.so +7f054df83000-7f054df84000 rw-p 00003000 08:12 1175118 /usr/lib/libdl-2.17.so +7f054df84000-7f054df87000 r-xp 00000000 08:12 1195020 /usr/lib/libplds4.so +7f054df87000-7f054e186000 ---p 00003000 08:12 1195020 /usr/lib/libplds4.so +7f054e186000-7f054e187000 r--p 00002000 08:12 1195020 /usr/lib/libplds4.so +7f054e187000-7f054e188000 rw-p 00003000 08:12 1195020 /usr/lib/libplds4.so +7f054e188000-7f054e18c000 r-xp 00000000 08:12 1195021 /usr/lib/libplc4.so +7f054e18c000-7f054e38b000 ---p 00004000 08:12 1195021 /usr/lib/libplc4.so +7f054e38b000-7f054e38c000 r--p 00003000 08:12 1195021 /usr/lib/libplc4.so +7f054e38c000-7f054e38d000 rw-p 00004000 08:12 1195021 /usr/lib/libplc4.so +7f054e38d000-7f054e38e000 rw-p 00000000 00:00 0 +7f054e38e000-7f054e3b3000 r-xp 00000000 08:12 1195095 /usr/lib/libnssutil3.so +7f054e3b3000-7f054e5b2000 ---p 00025000 08:12 1195095 /usr/lib/libnssutil3.so +7f054e5b2000-7f054e5b8000 r--p 00024000 08:12 1195095 /usr/lib/libnssutil3.so +7f054e5b8000-7f054e5b9000 rw-p 0002a000 08:12 1195095 /usr/lib/libnssutil3.so +7f054e5b9000-7f054e61a000 r-xp 00000000 08:12 1183254 /usr/lib/libpcre.so.1.2.0 +7f054e61a000-7f054e81a000 ---p 00061000 08:12 1183254 /usr/lib/libpcre.so.1.2.0 +7f054e81a000-7f054e81b000 r--p 00061000 08:12 1183254 /usr/lib/libpcre.so.1.2.0 +7f054e81b000-7f054e81c000 rw-p 00062000 08:12 1183254 /usr/lib/libpcre.so.1.2.0 +7f054e81c000-7f054e9c0000 r-xp 00000000 08:12 1175073 /usr/lib/libc-2.17.so +7f054e9c0000-7f054ebbf000 ---p 001a4000 08:12 1175073 /usr/lib/libc-2.17.so +7f054ebbf000-7f054ebc3000 r--p 001a3000 08:12 1175073 /usr/lib/libc-2.17.so +7f054ebc3000-7f054ebc5000 rw-p 001a7000 08:12 1175073 /usr/lib/libc-2.17.so +7f054ebc5000-7f054ebca000 rw-p 00000000 00:00 0 +7f054ebca000-7f054ebdf000 r-xp 00000000 08:12 1181365 /usr/lib/libz.so.1.2.7 +7f054ebdf000-7f054edde000 ---p 00015000 08:12 1181365 /usr/lib/libz.so.1.2.7 +7f054edde000-7f054eddf000 r--p 00014000 08:12 1181365 /usr/lib/libz.so.1.2.7 +7f054eddf000-7f054ede0000 rw-p 00015000 08:12 1181365 /usr/lib/libz.so.1.2.7 +7f054ede0000-7f054eedd000 r-xp 00000000 08:12 1175074 /usr/lib/libm-2.17.so +7f054eedd000-7f054f0dc000 ---p 000fd000 08:12 1175074 /usr/lib/libm-2.17.so +7f054f0dc000-7f054f0dd000 r--p 000fc000 08:12 1175074 /usr/lib/libm-2.17.so +7f054f0dd000-7f054f0de000 rw-p 000fd000 08:12 1175074 /usr/lib/libm-2.17.so +7f054f0de000-7f054f211000 r-xp 00000000 08:12 1197495 /usr/lib/libX11.so.6.3.0 +7f054f211000-7f054f411000 ---p 00133000 08:12 1197495 /usr/lib/libX11.so.6.3.0 +7f054f411000-7f054f412000 r--p 00133000 08:12 1197495 /usr/lib/libX11.so.6.3.0 +7f054f412000-7f054f417000 rw-p 00134000 08:12 1197495 /usr/lib/libX11.so.6.3.0 +7f054f417000-7f054f47f000 r-xp 00000000 08:12 1207484 /usr/lib/libSDL-1.2.so.0.11.4 +7f054f47f000-7f054f67f000 ---p 00068000 08:12 1207484 /usr/lib/libSDL-1.2.so.0.11.4 +7f054f67f000-7f054f680000 r--p 00068000 08:12 1207484 /usr/lib/libSDL-1.2.so.0.11.4 +7f054f680000-7f054f681000 rw-p 00069000 08:12 1207484 /usr/lib/libSDL-1.2.so.0.11.4 +7f054f681000-7f054f6af000 rw-p 00000000 00:00 0 +7f054f6af000-7f054f7b1000 r-xp 00000000 08:12 1200422 /usr/lib/libgnutls.so.28.16.1 +7f054f7b1000-7f054f9b1000 ---p 00102000 08:12 1200422 /usr/lib/libgnutls.so.28.16.1 +7f054f9b1000-7f054f9b9000 r--p 00102000 08:12 1200422 /usr/lib/libgnutls.so.28.16.1 +7f054f9b9000-7f054f9bb000 rw-p 0010a000 08:12 1200422 /usr/lib/libgnutls.so.28.16.1 + +On Thu, Mar 07, 2013 at 11:02:07AM -0000, Helge Rausch wrote: +> When a block-stream is initiated via QMP and the QMP socket is closed on +> client side before the job is finished, QEMU crashes with a buffer +> overflow, somewhere at the end of the streaming process. +> +> Without QMP I can stream via the HMP without problems. After crashing, I +> cannot boot from the active image anymore. +> +> I was able to reproduce this with qemu-kvm and qemu-system-x86_64 on two +> different machines. +> +> Version: +> QEMU emulator version 1.2.0 (qemu-kvm-1.2.0), Copyright (c) 2003-2008 Fabrice Bellard + +I cannot reproduce this with qemu-system-x86-1.2.2-6.fc18.x86_64. + +> I started QEMU with the following script: +> +> qemu-kvm \ +> -monitor vc \ +> -m 512 \ +> -hda "$1" \ +> -net nic,vlan=0 \ +> -net user,vlan=0 \ +> -localtime \ +> -smp 2 \ +> -qmp tcp:localhost:4444,server,nowait + +I used your command-line and the following QMP commands: + +$ QMP/qmp-shell localhost:4444 +(QEMU) blockdev-snapshot-sync device=ide0-hd0 snapshot-file=test2.qcow2 +(QEMU) block-stream ide0-hd0 +(QEMU) query-block-jobs +...output shows the job running... +(QEMU) Ctrl+D + +The block job completes successfully and I get no crash. + +Please try qemu.git/master to see if the bug is still there for you: + +$ git clone git://git.qemu-project.org/qemu.git +$ cd qemu +$ ./configure --target-list=x86_64-softmmu +$ make +$ x86_64-softmmu/qemu-system-x86_64-softmmu -enable-kvm ... + +Stefan + + +I cannot reproduce it anymore on master. One option we now have without building it ourselves is using 1.4.0 from Ubuntu's raring derivate. Would you consider that stable enough for production use (the qemu package, not raring)? + +On Thu, Mar 07, 2013 at 06:14:27PM -0000, Helge Rausch wrote: +> I cannot reproduce it anymore on master. One option we now have without +> building it ourselves is using 1.4.0 from Ubuntu's raring derivate. +> Would you consider that stable enough for production use (the qemu +> package, not raring)? + +QEMU 1.4.0 is a stable release, it is intended for production use. + +I can't speak for Ubuntu packaging of QEMU 1.4.0, perhaps check the bug +tracker to see if there are known issues with the package. + +Stefan + + +Alright. Thank you! + +1.4.0 is the intended stable release for Ubuntu raring. + diff --git a/results/classifier/deepseek-1/output/QEMU./1243639 b/results/classifier/deepseek-1/output/QEMU./1243639 new file mode 100644 index 000000000..03ff20e37 --- /dev/null +++ b/results/classifier/deepseek-1/output/QEMU./1243639 @@ -0,0 +1,115 @@ + +qemu-1.5.3 segment fault with -vga qxl + +execute " qemu-system-x86_64 -enable-kvm -machine accel=kvm:tcg -m 1G -drive file=/dev/sda --full-screen -spice addr=127.0.0.1,port=5900,disable-ticketing -vga qxl " on shell will get segment fault after a few seconds if I don't connect to it with spicec client immediately. + +IF excute "spicec -h 127.0.0.1 -p 5900 " immediately !!!! after the qemu-system-x86_64 execution, then no segment fault happens and it runs well. + +===================== + +GDB output: + +root@kali-john:~# gdb /usr/local/bin/qemu-system-x86_64 +GNU gdb (GDB) 7.4.1-debian +(gdb) run -enable-kvm -machine accel=kvm:tcg -m 1G -drive file=/dev/sda --full-screen -spice addr=127.0.0.1,port=5900,disable-ticketing -vga qxl + +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". +[New Thread 0x7ffff3737700 (LWP 14797)] +[New Thread 0x7ffff2d54700 (LWP 14798)] +[New Thread 0x7ffff0fff700 (LWP 14799)] + +Program received signal SIGSEGV, Segmentation fault. +0x00007ffff683ad70 in pixman_image_get_data () from /usr/lib/x86_64-linux-gnu/libpixman-1.so.0 +(gdb) bt +#0 0x00007ffff683ad70 in pixman_image_get_data () from /usr/lib/x86_64-linux-gnu/libpixman-1.so.0 +#1 0x000055555581060a in surface_data (s=0x5555566183a0) at /zh-download/QEMU/qemu-1.5.3/include/ui/console.h:235 +#2 0x0000555555818616 in vga_draw_graphic (s=0x55555662c778, full_update=1) at /zh-download/QEMU/qemu-1.5.3/hw/display/vga.c:1788 +#3 0x0000555555818c6a in vga_update_display (opaque=0x55555662c778) at /zh-download/QEMU/qemu-1.5.3/hw/display/vga.c:1917 +#4 0x000055555580eb15 in qxl_hw_update (opaque=0x55555662bd70) at /zh-download/QEMU/qemu-1.5.3/hw/display/qxl.c:1766 +#5 0x00005555557bd6bc in graphic_hw_update (con=0x555556618d00) at ui/console.c:254 +#6 0x00005555557c8426 in qemu_spice_display_refresh (ssd=0x55555662c418) at ui/spice-display.c:417 +#7 0x000055555580eff0 in display_refresh (dcl=0x55555662c420) at /zh-download/QEMU/qemu-1.5.3/hw/display/qxl.c:1886 +#8 0x00005555557c0cb1 in dpy_refresh (s=0x555556618370) at ui/console.c:1436 +#9 0x00005555557bd3af in gui_update (opaque=0x555556618370) at ui/console.c:192 +#10 0x0000555555797f20 in qemu_run_timers (clock=0x5555565b5a30) at qemu-timer.c:394 +#11 0x0000555555798183 in qemu_run_all_timers () at qemu-timer.c:453 +#12 0x0000555555760bb7 in main_loop_wait (nonblocking=0) at main-loop.c:470 +#13 0x00005555557cd19c in main_loop () at vl.c:2029 +#14 0x00005555557d43f2 in main (argc=13, argv=0x7fffffffe2b8, envp=0x7fffffffe328) at vl.c:4419 +(gdb) + + +====================== + +http://www.spice-space.org/download/releases/spice-0.12.4.tar.bz2 +http://www.spice-space.org/download/releases/spice-protocol-0.12.6.tar.bz2 +spice compiling + ./configure --enable-smartcard=no && make + +qemu-1.5.3 +compiling + ./configure \ +--disable-strip --enable-debug \ +--target-list=x86_64-softmmu,x86_64-linux-user \ +--disable-sdl --audio-drv-list=alsa --disable-vnc --disable-xen --disable-libiscsi \ + --disable-seccomp --disable-glusterfs --disable-libssh2 --disable-smartcard-nss \ + --disable-usb-redir --disable-brlapi --disable-curl --disable-bsd-user \ + \ +--enable-kvm --enable-spice --enable-system --enable-guest-agent --enable-vhost-net + + +root@kali-john:~# qemu-system-x86_64 -version +QEMU emulator version 1.5.3, Copyright (c) 2003-2008 Fabrice Bellard + +/usr/local/bin/qemu-system-x86_64 -enable-kvm -machine accel=kvm:tcg -m 1G -drive file=/dev/sda -vga qxl + +will give same error + +a funny thing: + +if I change the "-drive file=/dev/sda" to "-drive file=/dev/sdb" , it will not run into "segment fault". + +The different between sda & sdb is as following: + linux is installed on /dev/sda and /dev/sdb is another physical hard driver. + +================================================================= + +When change /dev/sda to /dev/sdb , it works well as following: + +(gdb) run -enable-kvm -machine accel=kvm:tcg -m 1G -drive file=/dev/sdb --full-screen -spice addr=127.0.0.1,port=5900,disable-ticketing -vga qxl +The program being debugged has been started already. +Start it from the beginning? (y or n) y + +Starting program: /usr/local/bin/qemu-system-x86_64 -enable-kvm -machine accel=kvm:tcg -m 1G -drive file=/dev/sdb --full-screen -spice addr=127.0.0.1,port=5900,disable-ticketing -vga qxl +warning: Could not load shared library symbols for linux-vdso.so.1. +Do you need "set solib-search-path" or "set sysroot"? +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". +[New Thread 0x7ffff3737700 (LWP 15056)] +[New Thread 0x7ffff2d54700 (LWP 15057)] +[New Thread 0x7ffff0fff700 (LWP 15058)] +[Thread 0x7ffff3737700 (LWP 15056) exited] + +--- No segment fault error any more !! + +It will run into segment fault with /dev/sda but without -vga qxl + + +The qemu & the Host linux OS is iinstalled on /dev/sda + +sorry to mistake + +======== + +The truth is that + +t will NOT run into segment fault with /dev/sda but without -vga qxl + +The qemu & the Host linux OS is iinstalled on /dev/sda + + +Triaging old bug tickets ... QEMU 1.5 is quite old already - can you still reproduce the crash with the latest version of QEMU? + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/deepseek-1/output/QEMU./1574246 b/results/classifier/deepseek-1/output/QEMU./1574246 new file mode 100644 index 000000000..de0acb0be --- /dev/null +++ b/results/classifier/deepseek-1/output/QEMU./1574246 @@ -0,0 +1,81 @@ + +Drunken keyboard in go32v2 programs + +QEMU 2.5.0, SeaBIOS 1.9.1; I've been noticing this bug for quite a while, though. + +Steps to reproduce: + +# Create a VM image, install DOS in it (doesn't matter which) and launch it. +# Launch a "bare DOS" DPMI host (not an operating system) in it; I tested with CWSDPMI and HDPMI32. +# Run a go32v2 program which reads keyboard input (say, the Lua interpreter: <http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.1/repos/devel/lua.zip>; the Free Pascal IDE will also do; on the other hand, DOS/4GW programs seem unaffected). +# Quickly type in something random (e.g. alternate between hitting "p" and "q"), then optionally move the cursor left and right. +# Observe how some keystrokes are missed, and some are caught twice. + +The issue does NOT arise: +* on bare metal DOS, +* in VirtualBox, +* in Bochs with stock Plex86 BIOS, +* in Bochs with SeaBIOS, +* in DOSEMU, +* in DOSBox, +* in QEMU when the DPMI host is Windows 3.11/9x +so at this point I'm reasonably sure that it's the fault of either QEMU or SeaBIOS, and probably the former. The issue arises regardless of whether KVM is enabled. + +I compiled the latest git snapshot (tag: v2.6.0-rc4, calling itself 2.5.94; with GTK frontend) and could only half-reproduce the bug; keys do not longer "jam", but arrow keys are still captured twice. I woudn't make much of that difference; this bug seems very timing-sensitive. It could be that the GTK frontend adds sufficient latency to the interface to avoid triggering it. + +I enabled some debugging switches and recompiled both QEMU and the latest git snapshot of SeaBIOS (1.9.0-127; commit c8e105a4d5e52e8e7539ab1f2cd07ebe0ae9033a). This is what I got when running programs affected by this bug: + +(key press) +[qemu ] ps2_queue(0xe0) +[qemu ] ps2_queue(0x4d) +(IRQ1) +[qemu ] KBD: kbd: read data=0xe0 ← (***) +[seabios] handle_09 +[qemu ] KBD: kbd: read status=0x1d +[qemu ] KBD: kbd: read data=0x4d +[seabios] i8042_command cmd=ae +[seabios] i8042_wait_write +[qemu ] KBD: kbd: read status=0x1c +[qemu ] KBD: kbd: write cmd=0xae +(IRQ1) +[qemu ] KBD: kbd: read data=0x4d ← (***) +[seabios] handle_09 +[qemu ] KBD: kbd: read status=0x1c +[qemu ] KBD: kbd: read data=0x4d +[seabios] i8042_command cmd=ae +[seabios] i8042_wait_write +[qemu ] KBD: kbd: read status=0x1c +[qemu ] KBD: kbd: write cmd=0xae + +Reads marked (***) do not appear when running unaffected programs. So it appears something is making reads from the keyboard controller before SeaBIOS has a chance to put scancodes in the ring buffer. And indeed: DJGPP libc installs a custom IRQ1 handler which does it to detect whether it should raise SIGINT in response to Ctrl+C; it can be found in the file src/libc/go32/exceptn.S in the djcrx package[1]. Free Pascal incorporates this handler into its RTL with almost no changes; it's found in rtl/go32v2/exceptn.as[2]. I also noticed I can reproduce this bug with Borland Pascal 7; lo and behold, the Turbo Vision library does something similar. + +SeaBIOS gets extra confused when I send some mouse events to QEMU (grab the mouse, move it around, ungrab); it reacts with a "ps2 keyboard irq but found mouse data?!" message and refuses to put keys in the ring buffer until the queue of mouse events becomes empty. + +That's the culprit, I think. It also explains why the bug doesn't appear under Windows; because port 0x60 reads from DPMI are simulated, they don't correspond to actual port 0x60 reads in the guest. I don't know what the fix ought be; documentation about the i8042 that I found is unclear about what real hardware does in this case. + +If I'm reading the code correctly, DOSEMU[3] (also the DOSEMU2 fork[4]), DOSBox[5], Bochs[6] and VirtualBox[7] keep one value to be read from 0x60 at until the next interrupt, avoiding the issue. + +[1] <http://www.delorie.com/bin/cvsweb.cgi/djgpp/src/libc/go32/exceptn.S?rev=1.7>; function ___djgpp_kbd_hdlr +[2] <http://svn.freepascal.org/cgi-bin/viewvc.cgi/trunk/rtl/go32v2/exceptn.as?revision=8210&view=co>; function ___djgpp_kbd_hdlr +[3] <https://sourceforge.net/p/dosemu/code/ci/8897222f8830e0bd2769935f611a0e5c3271bcb9/tree/src/plugin/kbd_unicode/serv_8042.c> +[4] <https://github.com/stsp/dosemu2/blob/69419c7a5430f0109f9df45b179d9b223b075550/src/plugin/kbd_unicode/serv_8042.c> +[5] <https://sourceforge.net/p/dosbox/code-0/3961/tree/dosbox/trunk/src/ints/bios_keyboard.cpp> +[6] <https://sourceforge.net/p/bochs/code/12853/tree/trunk/bochs/iodev/keyboard.cc> +[7] <https://www.virtualbox.org/browser/vbox/trunk/src/VBox/Devices/Input/DevPS2.cpp?rev=60404> + + +The QEMU project is currently considering to move its bug tracking to +another system. For this we need to know which bugs are still valid +and which could be closed already. Thus we are setting older bugs to +"Incomplete" now. + +If you still think this bug report here is valid, then please switch +the state back to "New" within the next 60 days, otherwise this report +will be marked as "Expired". Or please mark it as "Fix Released" if +the problem has been solved with a newer version of QEMU already. + +Thank you and sorry for the inconvenience. + + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/deepseek-1/output/QEMU./1818937 b/results/classifier/deepseek-1/output/QEMU./1818937 new file mode 100644 index 000000000..dcab7ed5b --- /dev/null +++ b/results/classifier/deepseek-1/output/QEMU./1818937 @@ -0,0 +1,247 @@ + +Crash with HV_ERROR on macOS host + +On macOS host running Windows 10 guest, qemu crashed with error message: Error: HV_ERROR. + +Host: macOS Mojave 10.14.3 (18D109) Late 2014 Mac mini presumably Core i5 4278U. +QEMU: git commit a3e3b0a7bd5de211a62cdf2d6c12b96d3c403560 +QEMU parameter: qemu-system-x86_64 -m 3000 -drive file=disk.img,if=virtio,discard=unmap -accel hvf -soundhw hda -smp 3 + +thread list +Process 56054 stopped + thread #1: tid = 0x2ffec8, 0x00007fff48d0805a vImage`vLookupTable_Planar16 + 970, queue = 'com.apple.main-thread' + thread #2: tid = 0x2ffecc, 0x00007fff79d6d7de libsystem_kernel.dylib`__psynch_cvwait + 10 + thread #3: tid = 0x2ffecd, 0x00007fff79d715aa libsystem_kernel.dylib`__select + 10 + thread #4: tid = 0x2ffece, 0x00007fff79d71d9a libsystem_kernel.dylib`__sigwait + 10 +* thread #6: tid = 0x2ffed0, 0x00007fff79d7023e libsystem_kernel.dylib`__pthread_kill + 10, stop reason = signal SIGABRT + thread #7: tid = 0x2ffed1, 0x00007fff79d6d7de libsystem_kernel.dylib`__psynch_cvwait + 10 + thread #8: tid = 0x2ffed2, 0x00007fff79d6d7de libsystem_kernel.dylib`__psynch_cvwait + 10 + thread #11: tid = 0x2fff34, 0x00007fff79d6a17a libsystem_kernel.dylib`mach_msg_trap + 10, name = 'com.apple.NSEventThread' + thread #30: tid = 0x300c04, 0x00007fff79e233f8 libsystem_pthread.dylib`start_wqthread + thread #31: tid = 0x300c16, 0x00007fff79e233f8 libsystem_pthread.dylib`start_wqthread + thread #32: tid = 0x300c17, 0x0000000000000000 + thread #33: tid = 0x300c93, 0x00007fff79d6d7de libsystem_kernel.dylib`__psynch_cvwait + 10 + + +Crashed thread: + +* thread #6, stop reason = signal SIGABRT + * frame #0: 0x00007fff79d7023e libsystem_kernel.dylib`__pthread_kill + 10 + frame #1: 0x00007fff79e26c1c libsystem_pthread.dylib`pthread_kill + 285 + frame #2: 0x00007fff79cd91c9 libsystem_c.dylib`abort + 127 + frame #3: 0x000000010baa476d qemu-system-x86_64`assert_hvf_ok(ret=<unavailable>) at hvf.c:106 [opt] + frame #4: 0x000000010baa4c8f qemu-system-x86_64`hvf_vcpu_exec(cpu=0x00007f8e5283de00) at hvf.c:681 [opt] + frame #5: 0x000000010b988423 qemu-system-x86_64`qemu_hvf_cpu_thread_fn(arg=0x00007f8e5283de00) at cpus.c:1636 [opt] + frame #6: 0x000000010bd9dfce qemu-system-x86_64`qemu_thread_start(args=<unavailable>) at qemu-thread-posix.c:502 [opt] + frame #7: 0x00007fff79e24305 libsystem_pthread.dylib`_pthread_body + 126 + frame #8: 0x00007fff79e2726f libsystem_pthread.dylib`_pthread_start + 70 + frame #9: 0x00007fff79e23415 libsystem_pthread.dylib`thread_start + 13 + +I can reproduce this by booting the Windows 10 x64 install ISO with the command line: + ++ WINIMG=Win10.iso ++ VIRTIMG=virtio-win-0.1.164.iso ++ qemu-system-x86_64 -accel hvf -drive driver=raw,file=Win10.img,if=virtio -m 1536 -net nic,model=virtio -net user -cdrom Win10.iso -drive file=virtio-win-0.1.164.iso,index=3,media=cdrom -rtc base=localtime,clock=host -smp cores=2 -usb -device usb-tablet -net user +qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2] +qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2] +Unimplemented handler (fffff80641601c38) for 0 (f 11) +Unimplemented handler (fffff8064160192f) for 0 (f 7f) +qemu-system-x86_64: Error: HV_ERROR +./qemu-boot.sh: line 20: 32294 Abort trap: 6 qemu-system-x86_64 -accel hvf -drive driver=raw,file=Win10.img,if=virtio -m 1536 -net nic,model=virtio -net user -cdrom ${WINIMG} -drive file=${VIRTIMG},index=3,media=cdrom -rtc base=localtime,clock=host -smp cores=2 -usb -device usb-tablet -net user + +^This is on version: + +% qemu-system-x86_64 --version +QEMU emulator version 4.0.50 (v4.0.0-rc4-52-g3284aa1281-dirty) +Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers + +I'm looking into the issue... HV_ERROR is a high-level return value and doesn't give enough details about the nature of the error. The error is returned from vmexit handler in AppleHV.kext (which implements kernel part of Hypervisor.framework). Perhaps we should extract more data from the VMCS and print it before aborting the execution. + +We can reproduce this problem with Linux guests as well (running 4.15 Ubuntu Xenial and 4.14 Android kernels). Mac models with integrated GPU seem to be more affected according to our testing, and the crash does not always occur, needs multiple tries to be triggered. We would be happy to assist in debugging, once you have a patch that can generate more detailed logs. + +For the triage of the issue we need the following VMCS fields: +* instruction error +* exit reason +* exit qualification + +On my machine (with macOS 10.14.5) each time QEMU exits with HV_ERROR, AppleHV spills the following error into system log: +2019-07-06 10:38:56.148547+0300 0x1e3ee4 Default 0x0 0 0 kernel: (AppleHV) AppleHV: /BuildRoot/Library/Caches/com.apple.xbs/Sources/Hypervisor/Hypervisor-31.230.1/kext/x86/vmx/hv_vmx_vcpu.cpp : hv_return_t hv_vmx_vcpu_t::hv_vmx_vcpu_run() +: 997 + +Such log lines can be read with the command: +$ log show -predicate 'senderImagePath CONTAINS "AppleHV"' + +The error above can only happen if vmlaunch or vmresume has failed and RFLAGS has either CF or ZF (or both) set to 1, according to Intel SDM. Unfortunately the exact RFLAGS value is not logged by Hypervisor.framework. I have submitted a feedback report (FB6787376) to log RFLAGS if it's not zero immediately after vmlaunch/vmresume. + +If you wish to assist in debugging of the issue, please build and use QEMU from the branch: +https://github.com/roolebo/qemu/tree/debug-hv-error + +Or apply the patch to your tree: +https://github.com/roolebo/qemu/commit/f8098782573a89fc323d8dcae2d5445335e626f0.diff + +The log line I've got is the following: +➜ vms ~/dev/qemu/x86_64-softmmu/qemu-system-x86_64 -accel hvf -m 2G -cdrom ~/Downloads/ubuntu-18.04.2-desktop-amd64.iso -hda ubuntu.qc +ow2 +qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2] +qemu-system-x86_64: hv_vcpu_run failed +qemu-system-x86_64: instruction error: 0x0000000000000007 +qemu-system-x86_64: exit reason: 0x0000000000000030 +qemu-system-x86_64: exit qualification: 0x0000000000000083 +qemu-system-x86_64: pri proc based ctls: 0x0000000095206dfa +qemu-system-x86_64: sec proc based ctls: 0x00000000000000a3 +qemu-system-x86_64: eptp: 0x000000000000003f +qemu-system-x86_64: gpa: 0x000000007d9ef000 +qemu-system-x86_64: gla: 0xfffffe0000000ec0 +qemu-system-x86_64: Error: HV_ERROR + + +Instruction error is 0x7 and Intel SDM 31-4 Vol. 3C states that: +The processor checks on the VMX controls and host-state area. If any of these checks fail, the VM-entry instruction fails. RFLAGS.ZF is set to 1 and either 7 (VM entry with invalid control field(s)) or 8 (VM entry with invalid host-state field(s)) is saved in the VM-instruction error field. + +Hi Roman, + +thanks for the patch, we were able to reproduce this issue with our custom Android Cuttlefish based d VM (running 4.14 kernel): + +2019-07-23T11:36:37.180753Z qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2] +2019-07-23T11:36:37.182517Z qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2] +2019-07-23T11:37:54.647855Z qemu-system-x86_64: hv_vcpu_run failed +2019-07-23T11:37:54.650737Z qemu-system-x86_64: exit reason: 0x0000000000000030 +2019-07-23T11:37:54.661753Z qemu-system-x86_64: exit qualification: 0x0000000000000981 +2019-07-23T11:37:54.661769Z qemu-system-x86_64: instruction error: 0x0000000000000007 +2019-07-23T11:37:54.661780Z qemu-system-x86_64: pri proc based ctls: 0x0000000095206dfa +2019-07-23T11:37:54.661790Z qemu-system-x86_64: sec proc based ctls: 0x00000000000000a3 +2019-07-23T11:37:54.661799Z qemu-system-x86_64: eptp: 0x000000000000003f +2019-07-23T11:37:54.661810Z qemu-system-x86_64: gpa: 0x000000007fd05004 +2019-07-23T11:37:54.661820Z qemu-system-x86_64: gla: 0xfffffe000002f004 +2019-07-23T11:37:54.661828Z qemu-system-x86_64: Error: HV_ERROR + +The error happened right at startup, after multiple tries. + +Thank you, +Gergely + +My guess is that RFLAGS.ZF == 1 and one or a few of the checks on VMX controls have failed. So far I have verified the following checks (26-2 and 26-3 in Intel SDM Vol. 3C): +* Reserved bits in Pin-based VM execution controls are set according to associated capabilities MSR +* Reserved bits in Primary Proc-based VM execution controls are set according to associated capabilities MSR +* Reserved bits in Secondary Proc-based VM execution controls are set according to associated capabilities MSR +* CR-3 target count is not greater than 4. (the count is 0) +* Use I/O bitmaps check is not applicable because "use I/O bitmaps" VM-execution control is 0. +* Reserved bits in VM-exit controls are set according to associated capabilities MSR +* Reserved bits in VM-entry controls are set according to associated capabilities MSR + +However, the MSR-bitmap Address check might fail: +"If the “use MSR bitmaps” VM-execution control is 1, bits 11:0 of the MSR-bitmap address must be 0. The address should not set any bits beyond the processor’s physical-address width." + +Bit 28 in Pin-based VM execution controls is set to 1 while the MSR address has bits 5:1 set to 1 (0x3f). There's no way to disable the "use MSR bitmaps" execution control so I'll try to make a patch that sets 4k-page aligned MSR bitmap address. + +Updated log lines show the VMX capabilities for the control fields and VMCS fields related to the failure: +qemu-system-x86_64: hv_vcpu_run failed +qemu-system-x86_64: exit reason: 0x0000000000000030 +qemu-system-x86_64: exit qualification: 0x0000000000000083 +qemu-system-x86_64: instruction error: 0x0000000000000007 +qemu-system-x86_64: VM-EXECUTION CONTROL FIELDS +qemu-system-x86_64: Pin-Based VM-Execution Controls +qemu-system-x86_64: pin based ctls: 0x000000000000003f +qemu-system-x86_64: pin based caps: 0x0000007f0000003f +qemu-system-x86_64: Processor-Based VM-Execution Controls +qemu-system-x86_64: pri proc based ctls: 0x0000000095206dfa +qemu-system-x86_64: pri proc based caps: 0xfdf9fffe9500697a +qemu-system-x86_64: sec proc based ctls: 0x00000000000000a3 +qemu-system-x86_64: sec proc based caps: 0x00011cef000000a2 +qemu-system-x86_64: CR3-Target Controls +qemu-system-x86_64: cr3 target count: 0x0000000000000000 +qemu-system-x86_64: MSR-Bitmap Address: 0x000000000000003f +qemu-system-x86_64: VM-EXIT CONTROL FIELDS +qemu-system-x86_64: VM-Exit Controls +qemu-system-x86_64: vm exit ctls: 0x0000000000236fff +qemu-system-x86_64: vm exit caps: 0x00636fff00236fff +qemu-system-x86_64: VM-ENTRY CONTROL FIELDS +qemu-system-x86_64: VM-Entry Controls +qemu-system-x86_64: vm entry ctls: 0x00000000000093ff +qemu-system-x86_64: vm entry caps: 0x000093ff000091ff +qemu-system-x86_64: Error: HV_ERROR + +It's not possible to allocate MSR bitmap in userspace because it requires a physical address to be stored in the VMCS field. However, the bitmap page is already allocated inside kernel part of Hypervisor.framework. The 4k bitmap region is aligned to page boundary. It's worth to continue inspection of the checks (26.2 CHECKS ON VMX CONTROLS AND HOST-STATE AREA). + +The reason why MSR Bitmap Address has weird value is because it's not necessarily the value of the VMCS field (albeit VMCS_CTRL_MSR_BITMAPS is defined in hv_arch_vmx.h). HVF uses an internal lookup table that has a limited set of VMCS fields exposed by Apple. The list is documented at the reference page: https://developer.apple.com/documentation/hypervisor/1469436-virtual_machine_control_structur + +It's likely that 0x3f is a field from the VMCS lookup table. Given the signature of hv_vmx_vcpu_read_vmcs, I would expect an error (e.g. HV_BAD_ARGUMENT) to be returned instead of the silent failure. I have submitted FB6858948 to Apple to correct the behaviour. + +So, Apple doesn't provide an explicit access to MSR Bitmap Address field but allows to control the bitmap via hv_vcpu_enable_native_msr. + +During the inspection of Apple reference, I have noticed that Guest CR0 and CR0 Guest/Host Mask has incorrect value. Apple defines that Guest CR0 is writable only if: +CR0.CD and CR0.NW are unset + +But hvf accel code follows Intel SDM "Table 9-1. IA-32 and Intel 64 Processor States Following Power-up, Reset, or INIT" and sets CR0 value to: 0x60000010 + +Likewise, CR0 Guest/Host Mask is conditionally writable if: +CR0.CD and CR0.NW are set + +I doubt if it's related to the HV_ERROR issue but I'll prepare a patch to fix both fields (and likely set CR0 Read Shadow). + +Are there any updates? Trying to run the IE11 image from Microsoft (based on Windows 8.1) and it is crashing with this error sporadically :-\ + +I'm not exactly sure what commit improved the situation (either https://git.qemu.org/?p=qemu.git;a=commit;h=e37aa8b0e410 or https://git.qemu.org/?p=qemu.git;a=commit;h=fbafbb6db7742) but I have noticed that sporadic failures are gone after the series was applied: https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg03977.html + +The issue should be fixed in QEMU v5.0+ + +I'm getting this error immediately and consistently when trying to boot the Win10 ISO with the following command: + +$ qemu-system-x86_64 -M accel=hvf -cpu host -smp 2 -hda windows-image.img -cdrom Win10_20H2_English_x64.iso -m 8G -vga virtio -usb -device usb-tablet -display default -boot d +qemu-system-x86_64: Error: HV_ERROR +[1] 3921 abort qemu-system-x86_64 -M accel=hvf -cpu host -smp 2 -hda windows-image.img -cdro + +$ qemu-system-x86_64 --version +QEMU emulator version 5.1.0 +Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers + +Running on MacOS 11.0.1 + +Same here. Also on macOS host: + +$ qemu-system-x86_64 -machine type=q35,accel=hvf \ +-cpu max \ +-smp 2 \ +-hda ubuntu.qcow2 \ +-cdrom ./ubuntu-20.04.1-desktop-amd64.iso \ +-m 2G \ +-vga virtio \ +-usb \ +-device usb-tablet \ +-display default,show-cursor=on +qemu-system-x86_64: Error: HV_ERROR +[1] 77901 abort qemu-system-x86_64 -machine type=q35,accel=hvf -cpu max -smp 2 -hda -cdrom + +$ qemu-system-x86_64 --version +QEMU emulator version 5.1.0 +Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers + +$ sysctl -a | grep machdep.cpu.brand_string +machdep.cpu.brand_string: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz + + +Same here on macOS 11.0.1 when specifying accel=hvf. Crash report is attached. + +$ qemu-system-x86_64 -machine accel=hvf -smp 2 -m 2G -hda current.qcow -boot d -cdrom ubuntu-18.04.5-desktop-amd64.iso +qemu-system-x86_64: Error: HV_ERROR +[1] 2912 abort qemu-system-x86_64 -machine accel=hvf -smp 2 -m 2G -hda -boot d -cdrom + +$ qemu-system-x86_64 --version +QEMU emulator version 5.1.0 +Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers + +$ sysctl -a | grep machdep.cpu.brand_string +machdep.cpu.brand_string: Intel(R) Core(TM) i7-1068NG7 CPU @ 2.30GH + +For the Mac Big sur 11.0.1 or 11.1, the HV_ERROR issue was caused by code signing issue. +the com.apple.vm.hypervisor is deprecated and now is com.apple.security.hypervisor + +Following pages worth of checking: +https://stackoverflow.com/questions/64642062/apple-hypervisor-is-completely-broken-on-macos-big-sur-beta-11-0-1 +https://superuser.com/questions/1436370/how-to-codesign-gdb-on-os-x-mojave + +so, basically, just need to codesign entitlement of qemu-system-x86_64 binary file and it will. + +I am now able to boot the linux iso without problem, but Windows 10 iso still hang at boot.....unfortnately. + + diff --git a/results/classifier/deepseek-1/output/QEMU./1910941 b/results/classifier/deepseek-1/output/QEMU./1910941 new file mode 100644 index 000000000..91d1ecb69 --- /dev/null +++ b/results/classifier/deepseek-1/output/QEMU./1910941 @@ -0,0 +1,131 @@ + +Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk + +Hello, + +Using hypervisor fuzzer, hyfuzz, I found an assertion failure through virtio-blk emulator. + +A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service. + +This was found in version 5.2.0 (master) + +``` + +qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed. +[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386 + +Program terminated with signal SIGABRT, Aborted. +#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 +#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79 +#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92 +#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101 +#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88 +#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121 +#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196 +#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429 +#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438 +#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499 +#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795 +#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326 +#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533 +#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329 +#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372 +#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382 +#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306 +#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 +#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232 +#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255 +#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531 +#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720 +#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50 +#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310 +#24 0x000056537a92894a in _start () + +``` + +To reproduce this issue, please run the QEMU with the following command line. + +``` + +# To reproduce this issue, please run the QEMU process with the following command line. + +$ qemu-system-i386 -m 512 -drive file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-pci,drive=drive0,id=virtblk0,num-queues=4 -drive file=disk.img,if=none,id=drive0 + +``` + +Please let me know if I can provide any further info. + +Thank you. + + + +This is OSS-Fuzz Issue 26797 + +=== Reproducer === +cat << EOF | ./qemu-system-i386 -machine q35 \ +-device virtio-blk,drive=disk0 \ +-drive file=null-co://,id=disk0,if=none,format=raw \ +-serial none -monitor none -qtest stdio -nographic +outl 0xcf8 0x80001890 +outl 0xcfc 0x4 +outl 0xcf8 0x8000188a +outl 0xcfc 0xd4624 +outl 0xcf8 0x80001894 +outl 0xcfc 0x20000002 +outl 0xcf8 0x80001889 +outl 0xcfc 0x18000000 +outl 0xcf8 0x80001896 +outl 0xcfc 0x0 +outl 0xcf8 0x8000188c +outw 0xcfc 0x20 +outl 0xcf8 0x80001894 +outl 0xcfc 0x1 +outl 0xcf8 0x8000188c +outw 0xcfc 0x1c +outl 0xcf8 0x80001895 +outl 0xcfc 0x0 +outl 0xcf8 0x80001889 +outl 0xcfc 0x18000000 +outl 0xcf8 0x80001894 +outl 0xcfc 0x40 +outl 0xcf8 0x8000188c +outw 0xcfc 0x14 +outl 0xcf8 0x80001894 +outl 0xcfc 0x1004 +EOF + +=== Stack Trace === +qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed. + +==2382430== ERROR: libFuzzer: deadly signal +#8 address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5 +#9 stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5 +#10 virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9 +#11 vring_set_avail_event /src/qemu/hw/virtio/virtio.c:429:5 +#12 virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:438:9 +#13 virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:499:9 +#14 virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13 +#15 virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12 +#16 virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2326:15 +#17 virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3533:9 +#18 aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9 +#19 aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20 +#20 aio_dispatch /src/qemu/util/aio-posix.c:382:5 +#21 aio_ctx_dispatch /src/qemu/util/async.c:306:5 +#22 g_main_context_dispatch +#23 glib_pollfds_poll /src/qemu/util/main-loop.c:232:9 +#24 os_host_main_loop_wait /src/qemu/util/main-loop.c:255:5 +#25 main_loop_wait /src/qemu/util/main-loop.c:531:11 +#26 flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:49:9 +#27 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:683:17 + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.6797 + + +This is an automated cleanup. This bug report has been moved to QEMU's +new bug tracker on gitlab.com and thus gets marked as 'expired' now. +Please continue with the discussion here: + + https://gitlab.com/qemu-project/qemu/-/issues/301 + + diff --git a/results/classifier/deepseek-1/output/QEMU./757702 b/results/classifier/deepseek-1/output/QEMU./757702 new file mode 100644 index 000000000..9f38e13bb --- /dev/null +++ b/results/classifier/deepseek-1/output/QEMU./757702 @@ -0,0 +1,842 @@ + +ARM: singlestepping insn which UNDEFs should stop at UNDEF vector insn, not after it + +ARMv7a has lot of undefined instruction from its instruction opcode space. This undefined instructions are very useful for replacing sensitive non-priviledged instructions of guest operating systems (virtualization). The undefined instruction exception executes at <exception_base> + 0x4, where <exception_base> can be 0x0 or 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, seems like this is a new bug. As as example, if we try to execute value "0xec019800" in qemu 0.14.0 then it should cause undefined exception at <exception_base>+0x4 since "0xec019800" is an undefined instruction. + +I can't reproduce this (either with current trunk or with qemu 0.14.0 release version). Also, if we were directing UNDEF exceptions to the SVC entry point I think it would cause fairly obvious breakage of Linux guests. + +I'm going to attach the test program I used to confirm that we are correctly directing the exception to the 0x4 vector: + +./arm-softmmu/qemu-system-arm -kernel ~/linaro/qemu-misc-tests/undef-exc.axf -semihosting +Starting test +In undef vector + +I'll also attach the binary, since it's only 2K and the source needs armcc to build. + +If you can provide a simple test program and qemu command line which demonstrates the behaviour you think is incorrect I can investigate further. + + + + + + +> ARMv7a has lot of undefined instruction from its instruction opcode space. This undefined instructions +>are very useful for replacing sensitive non-priviledged instructions of guest operating systems (virtualization). + +PS: please don't use arbitrary UNDEF instruction patterns for this (the one you quoted is in the STC instruction space for example). There's an officially-defined "permanently UNDEF" space: + cond 0111 1111 xxxx xxxx xxxx 1111 xxxx +available for this purpose, which will mean you don't have to worry about newer versions of the architecture allocating the UNDEF patterns you were using. + + +Hi, + +You are right, I have deliberately used an instruction from a "permanently +UNDEF" space. I have used this instruction because thats this are the only +UNDEF instructions with maximum payload of 20 bits. + +Also, the instruction "0xec019800" does not belong to STC instruction space. +GNU object dump does not display it as undefined instruction due to internal +bug, but it is definitely an undefined instruction. +May be the undefined instructions from "permanently UNDEF" space are only +executing from offset 0x8 in QEMU 0.14.0. It used to work fine with QEMU +0.13.0. + +PFA, my test elf file. The UNDEF instruction that i have reported is +at location 0x100058 in this elf file. The execution of elf file starts from +0x100000. + +I have launched qemu with command: ./qemu-system-arm -s -S -M realview-pb-a8 +-serial stdio -kernel ../../../xvisor/tests/armv7/pb-a8/arm_test.elf +I am debugging using gdb command: arm-none-eabi-gdb arm_test.elf +--eval-command="target remote localhost:1234" + +Please let me know if you are not able to reproduce the bug. + +--Anup + +On Tue, Apr 12, 2011 at 3:13 PM, Peter Maydell <email address hidden>wrote: + +> > ARMv7a has lot of undefined instruction from its instruction opcode +> space. This undefined instructions +> >are very useful for replacing sensitive non-priviledged instructions of +> guest operating systems (virtualization). +> +> PS: please don't use arbitrary UNDEF instruction patterns for this (the one +> you quoted is in the STC instruction space for example). There's an +> officially-defined "permanently UNDEF" space: +> cond 0111 1111 xxxx xxxx xxxx 1111 xxxx +> available for this purpose, which will mean you don't have to worry about +> newer versions of the architecture allocating the UNDEF patterns you were +> using. +> +> -- +> You received this bug notification because you are a direct subscriber +> of the bug. +> https://bugs.launchpad.net/bugs/757702 +> +> Title: +> Undefined instruction exception starts at offset 0x8 instead of 0x4 +> +> Status in QEMU: +> New +> +> Bug description: +> ARMv7a has lot of undefined instruction from its instruction opcode +> space. This undefined instructions are very useful for replacing +> sensitive non-priviledged instructions of guest operating systems +> (virtualization). The undefined instruction exception executes at +> <exception_base> + 0x4, where <exception_base> can be 0x0 or +> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +> seems like this is a new bug. As as example, if we try to execute +> value "0xec019800" in qemu 0.14.0 then it should cause undefined +> exception at <exception_base>+0x4 since "0xec019800" is an undefined +> instruction. +> +> To unsubscribe from this bug, go to: +> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +> + + +Hi + +The correct command to launch qemu will be: ./qemu-system-arm -s -S -M +realview-pb-a8 -serial stdio -kernel arm_test.elf +Sorry, for mistake in previous mail. + +--Anup + +On Tue, Apr 12, 2011 at 3:48 PM, Anup Patel +<email address hidden>wrote: + +> Hi, +> +> You are right, I have deliberately used an instruction from a "permanently +> UNDEF" space. I have used this instruction because thats this are the only +> UNDEF instructions with maximum payload of 20 bits. +> +> Also, the instruction "0xec019800" does not belong to STC instruction +> space. GNU object dump does not display it as undefined instruction due to +> internal bug, but it is definitely an undefined instruction. +> May be the undefined instructions from "permanently UNDEF" space are only +> executing from offset 0x8 in QEMU 0.14.0. It used to work fine with QEMU +> 0.13.0. +> +> PFA, my test elf file. The UNDEF instruction that i have reported is +> at location 0x100058 in this elf file. The execution of elf file starts from +> 0x100000. +> +> I have launched qemu with command: ./qemu-system-arm -s -S -M +> realview-pb-a8 -serial stdio -kernel +> ../../../xvisor/tests/armv7/pb-a8/arm_test.elf +> I am debugging using gdb command: arm-none-eabi-gdb arm_test.elf +> --eval-command="target remote localhost:1234" +> +> Please let me know if you are not able to reproduce the bug. +> +> --Anup +> +> On Tue, Apr 12, 2011 at 3:13 PM, Peter Maydell <email address hidden>wrote: +> +>> > ARMv7a has lot of undefined instruction from its instruction opcode +>> space. This undefined instructions +>> >are very useful for replacing sensitive non-priviledged instructions of +>> guest operating systems (virtualization). +>> +>> PS: please don't use arbitrary UNDEF instruction patterns for this (the +>> one you quoted is in the STC instruction space for example). There's an +>> officially-defined "permanently UNDEF" space: +>> cond 0111 1111 xxxx xxxx xxxx 1111 xxxx +>> available for this purpose, which will mean you don't have to worry about +>> newer versions of the architecture allocating the UNDEF patterns you were +>> using. +>> +>> -- +>> You received this bug notification because you are a direct subscriber +>> of the bug. +>> https://bugs.launchpad.net/bugs/757702 +>> +>> Title: +>> Undefined instruction exception starts at offset 0x8 instead of 0x4 +>> +>> Status in QEMU: +>> New +>> +>> Bug description: +>> ARMv7a has lot of undefined instruction from its instruction opcode +>> space. This undefined instructions are very useful for replacing +>> sensitive non-priviledged instructions of guest operating systems +>> (virtualization). The undefined instruction exception executes at +>> <exception_base> + 0x4, where <exception_base> can be 0x0 or +>> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +>> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +>> seems like this is a new bug. As as example, if we try to execute +>> value "0xec019800" in qemu 0.14.0 then it should cause undefined +>> exception at <exception_base>+0x4 since "0xec019800" is an undefined +>> instruction. +>> +>> To unsubscribe from this bug, go to: +>> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +>> +> +> + + +> Also, the instruction "0xec019800" does not belong to STC instruction space. + +Yes it does. STC encoding A1 is: cond:4 110 p u d w 0 rn:4 crd:4 coproc:4 imm:8 +For STC the combination of P=0 U=0 D=0 W=0 is UNDEFINED, but it's still in STC space. This is not "permanently UNDEF", it might be allocated to do something in future. + +> PFA, my test elf file. + +Thanks. Your test case appears to be broken in that it doesn't actually set up the vector table at address 0: +cam-vm-266:karmic:qemu-misc-tests$ objdump --disassemble ~/Desktop/arm_test.elf |less + +[...] +Disassembly of section .text: + +00100000 <_start_vect>: + 100000: e59ff018 ldr pc, [pc, #24] ; 100020 <__reset> + 100004: e59ff018 ldr pc, [pc, #24] ; 100024 <__undefined_instruction> + 100008: e59ff018 ldr pc, [pc, #24] ; 100028 <__software_interrupt> + 10000c: e59ff018 ldr pc, [pc, #24] ; 10002c <__prefetch_abort> + 100010: e59ff018 ldr pc, [pc, #24] ; 100030 <__data_abort> + 100014: e59ff018 ldr pc, [pc, #24] ; 100034 <__not_used> + 100018: e59ff018 ldr pc, [pc, #24] ; 100038 <__irq> + 10001c: e59ff018 ldr pc, [pc, #24] ; 10003c <__fiq> + +So what happens is: +0x00100000: e59ff018 ldr pc, [pc, #24] # qemu starts us at the ELF entry point +0x00100054: e3a08000 mov r8, #0 ; 0x0 +0x00100054: e3a08000 mov r8, #0 ; 0x0 +0x00100058: ec019800 stc 8, cr9, [r1], {0} # here's our UNDEF +0x00000004: 00000000 andeq r0, r0, r0 # jump to UNDEF vector at 0x4 as expected +...but since nothing was loaded at address 0 the code is all NOPs and we just execute through it... +0x00000008: 00000000 andeq r0, r0, r0 +0x0000000c: 00000000 andeq r0, r0, r0 +0x00000010: 00000000 andeq r0, r0, r0 +...etc... + +and eventually we fall into the actual image start at 0x100000, and we go round in a big loop. + +You can tell we're going to the correct vector if you ask gdb to put a breakpoint there with "break *0x4" -- we hit it after executing the undef. + + +Actually, the undefined instruction that I have used is documented as +undefined at two places in "ARM Instruction Set Encoding" section of ARMv7a +reference manual: +1. Refer "Table A5-22 Supervisor Call, and coprocessor instructions" +2. Refer "A8.6.188 STC, STC2" + +So you see one can easily get confused that this instruction belongs to STC +space. Actually speaking this UNDEF instruction spans not only in STC space +but also in LDC space. + +--Anup + +On Tue, Apr 12, 2011 at 4:19 PM, Peter Maydell <email address hidden>wrote: + +> > Also, the instruction "0xec019800" does not belong to STC instruction +> space. +> +> Yes it does. STC encoding A1 is: cond:4 110 p u d w 0 rn:4 crd:4 coproc:4 +> imm:8 +> For STC the combination of P=0 U=0 D=0 W=0 is UNDEFINED, but it's still in +> STC space. This is not "permanently UNDEF", it might be allocated to do +> something in future. +> +> > PFA, my test elf file. +> +> Thanks. Your test case appears to be broken in that it doesn't actually set +> up the vector table at address 0: +> cam-vm-266:karmic:qemu-misc-tests$ objdump --disassemble +> ~/Desktop/arm_test.elf |less +> +> [...] +> Disassembly of section .text: +> +> 00100000 <_start_vect>: +> 100000: e59ff018 ldr pc, [pc, #24] ; 100020 <__reset> +> 100004: e59ff018 ldr pc, [pc, #24] ; 100024 +> <__undefined_instruction> +> 100008: e59ff018 ldr pc, [pc, #24] ; 100028 +> <__software_interrupt> +> 10000c: e59ff018 ldr pc, [pc, #24] ; 10002c +> <__prefetch_abort> +> 100010: e59ff018 ldr pc, [pc, #24] ; 100030 +> <__data_abort> +> 100014: e59ff018 ldr pc, [pc, #24] ; 100034 +> <__not_used> +> 100018: e59ff018 ldr pc, [pc, #24] ; 100038 <__irq> +> 10001c: e59ff018 ldr pc, [pc, #24] ; 10003c <__fiq> +> +> So what happens is: +> 0x00100000: e59ff018 ldr pc, [pc, #24] # qemu starts us at the ELF +> entry point +> 0x00100054: e3a08000 mov r8, #0 ; 0x0 +> 0x00100054: e3a08000 mov r8, #0 ; 0x0 +> 0x00100058: ec019800 stc 8, cr9, [r1], {0} # here's our UNDEF +> 0x00000004: 00000000 andeq r0, r0, r0 # jump to UNDEF vector +> at 0x4 as expected +> ...but since nothing was loaded at address 0 the code is all NOPs and we +> just execute through it... +> 0x00000008: 00000000 andeq r0, r0, r0 +> 0x0000000c: 00000000 andeq r0, r0, r0 +> 0x00000010: 00000000 andeq r0, r0, r0 +> ...etc... +> +> and eventually we fall into the actual image start at 0x100000, and we +> go round in a big loop. +> +> You can tell we're going to the correct vector if you ask gdb to put a +> breakpoint there with "break *0x4" -- we hit it after executing the +> undef. +> +> -- +> You received this bug notification because you are a direct subscriber +> of the bug. +> https://bugs.launchpad.net/bugs/757702 +> +> Title: +> Undefined instruction exception starts at offset 0x8 instead of 0x4 +> +> Status in QEMU: +> New +> +> Bug description: +> ARMv7a has lot of undefined instruction from its instruction opcode +> space. This undefined instructions are very useful for replacing +> sensitive non-priviledged instructions of guest operating systems +> (virtualization). The undefined instruction exception executes at +> <exception_base> + 0x4, where <exception_base> can be 0x0 or +> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +> seems like this is a new bug. As as example, if we try to execute +> value "0xec019800" in qemu 0.14.0 then it should cause undefined +> exception at <exception_base>+0x4 since "0xec019800" is an undefined +> instruction. +> +> To unsubscribe from this bug, go to: +> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +> + + +Also, in the test case hits 0x8 after encountering UNDEF instruction at +0x100058. +The test case is not broken it failed in initialization sequence itself. + +PS: I had download most recent version of QEMU 0.14.0 and build it my self. + +On Tue, Apr 12, 2011 at 4:33 PM, Anup Patel +<email address hidden>wrote: + +> Actually, the undefined instruction that I have used is documented as +> undefined at two places in "ARM Instruction Set Encoding" section of ARMv7a +> reference manual: +> 1. Refer "Table A5-22 Supervisor Call, and coprocessor instructions" +> 2. Refer "A8.6.188 STC, STC2" +> +> So you see one can easily get confused that this instruction belongs to STC +> space. Actually speaking this UNDEF instruction spans not only in STC space +> but also in LDC space. +> +> --Anup +> +> On Tue, Apr 12, 2011 at 4:19 PM, Peter Maydell <email address hidden>wrote: +> +>> > Also, the instruction "0xec019800" does not belong to STC instruction +>> space. +>> +>> Yes it does. STC encoding A1 is: cond:4 110 p u d w 0 rn:4 crd:4 coproc:4 +>> imm:8 +>> For STC the combination of P=0 U=0 D=0 W=0 is UNDEFINED, but it's still in +>> STC space. This is not "permanently UNDEF", it might be allocated to do +>> something in future. +>> +>> > PFA, my test elf file. +>> +>> Thanks. Your test case appears to be broken in that it doesn't actually +>> set up the vector table at address 0: +>> cam-vm-266:karmic:qemu-misc-tests$ objdump --disassemble +>> ~/Desktop/arm_test.elf |less +>> +>> [...] +>> Disassembly of section .text: +>> +>> 00100000 <_start_vect>: +>> 100000: e59ff018 ldr pc, [pc, #24] ; 100020 <__reset> +>> 100004: e59ff018 ldr pc, [pc, #24] ; 100024 +>> <__undefined_instruction> +>> 100008: e59ff018 ldr pc, [pc, #24] ; 100028 +>> <__software_interrupt> +>> 10000c: e59ff018 ldr pc, [pc, #24] ; 10002c +>> <__prefetch_abort> +>> 100010: e59ff018 ldr pc, [pc, #24] ; 100030 +>> <__data_abort> +>> 100014: e59ff018 ldr pc, [pc, #24] ; 100034 +>> <__not_used> +>> 100018: e59ff018 ldr pc, [pc, #24] ; 100038 <__irq> +>> 10001c: e59ff018 ldr pc, [pc, #24] ; 10003c <__fiq> +>> +>> So what happens is: +>> 0x00100000: e59ff018 ldr pc, [pc, #24] # qemu starts us at the +>> ELF entry point +>> 0x00100054: e3a08000 mov r8, #0 ; 0x0 +>> 0x00100054: e3a08000 mov r8, #0 ; 0x0 +>> 0x00100058: ec019800 stc 8, cr9, [r1], {0} # here's our UNDEF +>> 0x00000004: 00000000 andeq r0, r0, r0 # jump to UNDEF +>> vector at 0x4 as expected +>> ...but since nothing was loaded at address 0 the code is all NOPs and we +>> just execute through it... +>> 0x00000008: 00000000 andeq r0, r0, r0 +>> 0x0000000c: 00000000 andeq r0, r0, r0 +>> 0x00000010: 00000000 andeq r0, r0, r0 +>> ...etc... +>> +>> and eventually we fall into the actual image start at 0x100000, and we +>> go round in a big loop. +>> +>> You can tell we're going to the correct vector if you ask gdb to put a +>> breakpoint there with "break *0x4" -- we hit it after executing the +>> undef. +>> +>> -- +>> You received this bug notification because you are a direct subscriber +>> of the bug. +>> https://bugs.launchpad.net/bugs/757702 +>> +>> Title: +>> Undefined instruction exception starts at offset 0x8 instead of 0x4 +>> +>> Status in QEMU: +>> New +>> +>> Bug description: +>> ARMv7a has lot of undefined instruction from its instruction opcode +>> space. This undefined instructions are very useful for replacing +>> sensitive non-priviledged instructions of guest operating systems +>> (virtualization). The undefined instruction exception executes at +>> <exception_base> + 0x4, where <exception_base> can be 0x0 or +>> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +>> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +>> seems like this is a new bug. As as example, if we try to execute +>> value "0xec019800" in qemu 0.14.0 then it should cause undefined +>> exception at <exception_base>+0x4 since "0xec019800" is an undefined +>> instruction. +>> +>> To unsubscribe from this bug, go to: +>> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +>> +> +> + + +Sorry, I didn't notice the footnote in table A5-22; I see what you mean now. It's still not permanently-UNDEF space though and you'd really be better off using that instead. In any case, qemu does properly UNDEF the instruction so this is a bit of a diversion. + + +> Also, in the test case hits 0x8 after encountering UNDEF instruction at 0x100058. + +So if you run qemu like this: +qemu-system-arm -M realview-pb-a8 -serial stdio -kernel arm_test.elf -s -S + +and run arm-none-gnueabi-gdb with no arguments and in gdb type these commands: + +(gdb) target remote :1234 +Remote debugging using :1234 +0x00100000 in ?? () +(gdb) break *0x4 +Breakpoint 1 at 0x4 +(gdb) break *0x8 +Breakpoint 2 at 0x8 +(gdb) c +Continuing. + +...what does gdb do? +(For me it says "Breakpoint 1, 0x00000004 in ?? ()" which is what I expect.) + + +I see 0x00000008 (). + +I am using qemu-0.14.0.tar.gz available for QEMU Downloads. + +--Anup + +On Tue, Apr 12, 2011 at 5:12 PM, Peter Maydell <email address hidden>wrote: + +> > Also, in the test case hits 0x8 after encountering UNDEF instruction +> at 0x100058. +> +> So if you run qemu like this: +> qemu-system-arm -M realview-pb-a8 -serial stdio -kernel arm_test.elf -s -S +> +> and run arm-none-gnueabi-gdb with no arguments and in gdb type these +> commands: +> +> (gdb) target remote :1234 +> Remote debugging using :1234 +> 0x00100000 in ?? () +> (gdb) break *0x4 +> Breakpoint 1 at 0x4 +> (gdb) break *0x8 +> Breakpoint 2 at 0x8 +> (gdb) c +> Continuing. +> +> ...what does gdb do? +> (For me it says "Breakpoint 1, 0x00000004 in ?? ()" which is what I +> expect.) +> +> -- +> You received this bug notification because you are a direct subscriber +> of the bug. +> https://bugs.launchpad.net/bugs/757702 +> +> Title: +> Undefined instruction exception starts at offset 0x8 instead of 0x4 +> +> Status in QEMU: +> New +> +> Bug description: +> ARMv7a has lot of undefined instruction from its instruction opcode +> space. This undefined instructions are very useful for replacing +> sensitive non-priviledged instructions of guest operating systems +> (virtualization). The undefined instruction exception executes at +> <exception_base> + 0x4, where <exception_base> can be 0x0 or +> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +> seems like this is a new bug. As as example, if we try to execute +> value "0xec019800" in qemu 0.14.0 then it should cause undefined +> exception at <exception_base>+0x4 since "0xec019800" is an undefined +> instruction. +> +> To unsubscribe from this bug, go to: +> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +> + + +Try this out one last time. I am sure you will be able to replicate the +problem. + +Run qemu like this: +qemu-system-arm -M realview-pb-a8 -serial stdio -kernel arm_test.elf -s -S + +and run arm-none-gnueabi-gdb with no arguments and in gdb type these +commands: + +(gdb) target remote :1234 +Remote debugging using :1234 +0x00100000 in ?? () +(gdb) si +0x00100054 in ?? () +(gdb) si +0x00100054 in ?? () +(gdb) si +0x00000008 in ?? () + +(I expect it to jump to 0x00000004 after 0x00100054) + +--Anup + +On Tue, Apr 12, 2011 at 5:40 PM, Anup Patel +<email address hidden>wrote: + +> I see 0x00000008 (). +> +> I am using qemu-0.14.0.tar.gz available for QEMU Downloads. +> +> --Anup +> +> +> On Tue, Apr 12, 2011 at 5:12 PM, Peter Maydell <email address hidden>wrote: +> +>> > Also, in the test case hits 0x8 after encountering UNDEF instruction +>> at 0x100058. +>> +>> So if you run qemu like this: +>> qemu-system-arm -M realview-pb-a8 -serial stdio -kernel arm_test.elf -s -S +>> +>> and run arm-none-gnueabi-gdb with no arguments and in gdb type these +>> commands: +>> +>> (gdb) target remote :1234 +>> Remote debugging using :1234 +>> 0x00100000 in ?? () +>> (gdb) break *0x4 +>> Breakpoint 1 at 0x4 +>> (gdb) break *0x8 +>> Breakpoint 2 at 0x8 +>> (gdb) c +>> Continuing. +>> +>> ...what does gdb do? +>> (For me it says "Breakpoint 1, 0x00000004 in ?? ()" which is what I +>> expect.) +>> +>> -- +>> You received this bug notification because you are a direct subscriber +>> of the bug. +>> https://bugs.launchpad.net/bugs/757702 +>> +>> Title: +>> Undefined instruction exception starts at offset 0x8 instead of 0x4 +>> +>> Status in QEMU: +>> New +>> +>> Bug description: +>> ARMv7a has lot of undefined instruction from its instruction opcode +>> space. This undefined instructions are very useful for replacing +>> sensitive non-priviledged instructions of guest operating systems +>> (virtualization). The undefined instruction exception executes at +>> <exception_base> + 0x4, where <exception_base> can be 0x0 or +>> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +>> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +>> seems like this is a new bug. As as example, if we try to execute +>> value "0xec019800" in qemu 0.14.0 then it should cause undefined +>> exception at <exception_base>+0x4 since "0xec019800" is an undefined +>> instruction. +>> +>> To unsubscribe from this bug, go to: +>> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +>> +> +> + + +Hi, + +Were you able to replicate the problem with the steps that I had mentioned ? +The key thing is is if you don't set breakpoint at 0x4 or 0x8 just follow +the execution flow using "si" command of GDB. +You will definitely hit the problem. + +--Anup + +On Tue, Apr 12, 2011 at 5:57 PM, Anup Patel +<email address hidden>wrote: + +> Try this out one last time. I am sure you will be able to replicate the +> problem. +> +> Run qemu like this: +> qemu-system-arm -M realview-pb-a8 -serial stdio -kernel arm_test.elf -s -S +> +> and run arm-none-gnueabi-gdb with no arguments and in gdb type these +> commands: +> +> (gdb) target remote :1234 +> Remote debugging using :1234 +> 0x00100000 in ?? () +> (gdb) si +> 0x00100054 in ?? () +> (gdb) si +> 0x00100054 in ?? () +> (gdb) si +> 0x00000008 in ?? () +> +> (I expect it to jump to 0x00000004 after 0x00100054) +> +> --Anup +> +> On Tue, Apr 12, 2011 at 5:40 PM, Anup Patel <<email address hidden> +> > wrote: +> +>> I see 0x00000008 (). +>> +>> I am using qemu-0.14.0.tar.gz available for QEMU Downloads. +>> +>> --Anup +>> +>> +>> On Tue, Apr 12, 2011 at 5:12 PM, Peter Maydell <email address hidden>wrote: +>> +>>> > Also, in the test case hits 0x8 after encountering UNDEF instruction +>>> at 0x100058. +>>> +>>> So if you run qemu like this: +>>> qemu-system-arm -M realview-pb-a8 -serial stdio -kernel arm_test.elf -s +>>> -S +>>> +>>> and run arm-none-gnueabi-gdb with no arguments and in gdb type these +>>> commands: +>>> +>>> (gdb) target remote :1234 +>>> Remote debugging using :1234 +>>> 0x00100000 in ?? () +>>> (gdb) break *0x4 +>>> Breakpoint 1 at 0x4 +>>> (gdb) break *0x8 +>>> Breakpoint 2 at 0x8 +>>> (gdb) c +>>> Continuing. +>>> +>>> ...what does gdb do? +>>> (For me it says "Breakpoint 1, 0x00000004 in ?? ()" which is what I +>>> expect.) +>>> +>>> -- +>>> You received this bug notification because you are a direct subscriber +>>> of the bug. +>>> https://bugs.launchpad.net/bugs/757702 +>>> +>>> Title: +>>> Undefined instruction exception starts at offset 0x8 instead of 0x4 +>>> +>>> Status in QEMU: +>>> New +>>> +>>> Bug description: +>>> ARMv7a has lot of undefined instruction from its instruction opcode +>>> space. This undefined instructions are very useful for replacing +>>> sensitive non-priviledged instructions of guest operating systems +>>> (virtualization). The undefined instruction exception executes at +>>> <exception_base> + 0x4, where <exception_base> can be 0x0 or +>>> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +>>> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +>>> seems like this is a new bug. As as example, if we try to execute +>>> value "0xec019800" in qemu 0.14.0 then it should cause undefined +>>> exception at <exception_base>+0x4 since "0xec019800" is an undefined +>>> instruction. +>>> +>>> To unsubscribe from this bug, go to: +>>> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +>>> +>> +>> +> + + +> Were you able to replicate the problem with the steps that I had mentioned ? +> The key thing is is if you don't set breakpoint at 0x4 or 0x8 just follow +> the execution flow using "si" command of GDB. +> You will definitely hit the problem. + +Ah, I had to find a different gdb to reproduce this with (arm-none-eabi-gdb from the 2010.09 codesourcery toolchain). That gdb does single-step-insn by asking the target to single step, and you get the behaviour above. The gdb I was using does single-step-insn by setting breakpoints at where it thinks the next insn will be, which means that "si" on the UNDEF never returns because gdb has set a bp at 0x10005c which we of course never hit. With the codesourcery gdb I see 'si' having the behaviour you describe above. + +However: + +(gdb) target remote :1234 +Remote debugging using :1234 +0x00100000 in ?? () +(gdb) break *0x4 +Breakpoint 1 at 0x4 +(gdb) si +0x00100054 in ?? () +(gdb) si +0x00100058 in ?? () +(gdb) si + +Breakpoint 1, 0x00000004 in ?? () + +ie if we set an explicit breakpoint at 0x4 we do hit it. I think it's just that the singlestep doesn't do what you expect: instead of stopping before we execute the instruction at the UNDEF vector, we first execute it and then stop afterwards [this sort of makes a twisted kind of sense if you think about it -- we never actually executed the UNDEF insn because we took the exception first, so single-step executes exactly one instruction which is the one at 0x4. However it's hopelessly confusing for the user so I'd consider it a bug.] + +Can you confirm that if you set the breakpoint as I do in the transcript above you see the same output? + +So I think that what is happening here is that misbehaviour by qemu's gdb interface is confusing you, rather than the actual qemu ARM implementation being wrong. + +If you revise your test program so that it installs some actual code into the vectors rather than leaving them all as NOPs I think this will be more obvious. + + +I think you are right. This seems to be more of a GDB issue. + +Any ways thanks for your support. + +--Anup + +On Wed, Apr 13, 2011 at 5:24 PM, Peter Maydell <email address hidden>wrote: + +> > Were you able to replicate the problem with the steps that I had +> mentioned ? +> > The key thing is is if you don't set breakpoint at 0x4 or 0x8 just follow +> > the execution flow using "si" command of GDB. +> > You will definitely hit the problem. +> +> Ah, I had to find a different gdb to reproduce this with (arm-none-eabi- +> gdb from the 2010.09 codesourcery toolchain). That gdb does single-step- +> insn by asking the target to single step, and you get the behaviour +> above. The gdb I was using does single-step-insn by setting breakpoints +> at where it thinks the next insn will be, which means that "si" on the +> UNDEF never returns because gdb has set a bp at 0x10005c which we of +> course never hit. With the codesourcery gdb I see 'si' having the +> behaviour you describe above. +> +> However: +> +> (gdb) target remote :1234 +> Remote debugging using :1234 +> 0x00100000 in ?? () +> (gdb) break *0x4 +> Breakpoint 1 at 0x4 +> (gdb) si +> 0x00100054 in ?? () +> (gdb) si +> 0x00100058 in ?? () +> (gdb) si +> +> Breakpoint 1, 0x00000004 in ?? () +> +> ie if we set an explicit breakpoint at 0x4 we do hit it. I think it's +> just that the singlestep doesn't do what you expect: instead of stopping +> before we execute the instruction at the UNDEF vector, we first execute +> it and then stop afterwards [this sort of makes a twisted kind of sense +> if you think about it -- we never actually executed the UNDEF insn +> because we took the exception first, so single-step executes exactly one +> instruction which is the one at 0x4. However it's hopelessly confusing +> for the user so I'd consider it a bug.] +> +> Can you confirm that if you set the breakpoint as I do in the transcript +> above you see the same output? +> +> So I think that what is happening here is that misbehaviour by qemu's +> gdb interface is confusing you, rather than the actual qemu ARM +> implementation being wrong. +> +> If you revise your test program so that it installs some actual code +> into the vectors rather than leaving them all as NOPs I think this will +> be more obvious. +> +> -- +> You received this bug notification because you are a direct subscriber +> of the bug. +> https://bugs.launchpad.net/bugs/757702 +> +> Title: +> Undefined instruction exception starts at offset 0x8 instead of 0x4 +> +> Status in QEMU: +> New +> +> Bug description: +> ARMv7a has lot of undefined instruction from its instruction opcode +> space. This undefined instructions are very useful for replacing +> sensitive non-priviledged instructions of guest operating systems +> (virtualization). The undefined instruction exception executes at +> <exception_base> + 0x4, where <exception_base> can be 0x0 or +> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at +> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0, +> seems like this is a new bug. As as example, if we try to execute +> value "0xec019800" in qemu 0.14.0 then it should cause undefined +> exception at <exception_base>+0x4 since "0xec019800" is an undefined +> instruction. +> +> To unsubscribe from this bug, go to: +> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe +> + + +> I think you are right. This seems to be more of a GDB issue. + +The debug stub is still part of QEMU, so let's not close this bug just yet :-) + + +Triaging old bug tickets ... can you somehow still reproduce this problem with the latest version of QEMU (currently v2.9), or could we close this ticket nowadays? + +[Expired for QEMU because there has been no activity for 60 days.] + +This is still a bug, we shouldn't have let it expire. + + +Fix has been included here: +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ba3c35d9c4026361fd3 + |