diff options
Diffstat (limited to 'results/classifier/phi4:14b/output/runtime')
46 files changed, 1467 insertions, 0 deletions
diff --git a/results/classifier/phi4:14b/output/runtime/1070 b/results/classifier/phi4:14b/output/runtime/1070 new file mode 100644 index 000000000..7f24dfa9e --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1070 @@ -0,0 +1,13 @@ + + + +gdbstub XML generation for ARM is done for every CPU +Description of problem: +- As arm_cpu_register_gdb_regs_for_features is called from the device + realize stage for each vCPU in user mode we end up uselessly + regenerating the XML for every new thread. Once you get up to 100 + threads this starts exceeding the large maps done for QHT and PageDesc +Steps to reproduce: +See above command line, valgrind picks it up +Additional information: +See also #866, #967 diff --git a/results/classifier/phi4:14b/output/runtime/1086 b/results/classifier/phi4:14b/output/runtime/1086 new file mode 100644 index 000000000..56d70a3b2 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1086 @@ -0,0 +1,72 @@ + + + +Numpy/scipy test suites fails in QEMU on ppc64le (but not on aarch64) +Description of problem: +I'm not really qualified to report this problem, but after being affected by it for ~2 years (and QEMU 7 not fixing things), I decided to give it a shot. Please excuse reporting deficiencies, I'll endeavour to fix them as best I can once pointed out. + +In my spare time, I help out for the packaging effort in the [conda-forge](https://conda-forge.org/) ecosystem, which is mostly associated/attached to the python world, but - in contrast to the vanilla python tools - also deals with non-python dependencies, and in particular has strong enough abstractions to deal with ABI-issues and generally provides much better integration than the packages on PyPI. + +This strength of abstraction has also allowed conda-forge to publish artefacts for many more architectures than most projects are commonly able to provide precompiled binaries for. Due to the lack of (reliable) public CI for aarch64 & ppc64le, these packages are mostly cross-compiled from linux-x86. Where cross compilation is not possible, the packages are compiled in emulation through QEMU, coming through https://github.com/multiarch/qemu-user-static (this is the part of the infrastructure I don't fully understand myself...). The full infrastructure is somewhat involved, but should not be relevant (hopefully) to the issue at hand (see instructions below) - and even if that turns out to be the case, that would be a great information gain as well. + +In either case, the tests for the package (ideally comprising the entire upstream test suite) are then run in emulation. + +Two of the so-called "feedstocks" I co-maintain are for [numpy](https://github.com/conda-forge/numpy-feedstock) and [scipy](https://github.com/conda-forge/scipy-feedstock), and there have been persistent issues with running the test suite in emulation on PPC (interestingly, the same setup on a different architecture - aarch64 - has no problems). However, the compiled artefacts on PPC run fine on native hardware. + +Said otherwise, it appears numpy/scipy are exercising QEMU enough to uncover some bugs. I've seen similar problems also in other packages (e.g. the cvxpy-stack), reinforcing the impression that this is a QEMU issue, and not one on the level of the individual packages. + +Depending on the exact combination of python version, the result of the numpy test suite might be as follows: +``` +320 failed, 18900 passed, 361 skipped, 36 xfailed, 9 xpassed, 144 warnings in 2516.49s (0:41:56) +``` + +Looking at the test failures, sometimes the results are garbage +``` +> assert_array_max_ulp(x, x+eps, maxulp=20) +E AssertionError: Arrays are not almost equal up to 20 ULP (max difference is 8.55554e+08 ULP) + +eps = 1.1920929e-07 +self = <numpy.testing.tests.test_utils.TestULP object at 0x401ec8beb0> +x = array([ 2.3744986e-38, nan, 2.2482052e-15, 7.5780330e+28, + nan, nan, 5.8310814e+29, -5.6511531e+24, + 1.0010809e+00, 1.0101526e+00], dtype=float32) +``` +sometimes the values are permuted +``` +> assert_array_equal(actual, desired) +E AssertionError: +E Arrays are not equal +E +E x and y nan location mismatch: +E x: array([0.000000e+00, 6.704092e-39, 9.000000e+00, 2.350989e-38, +E 0.000000e+00, 0.000000e+00, 0.000000e+00, 0.000000e+00, +E 6.772341e-39, nan], dtype=float32) +E y: array([6.704092e-39, 6.772341e-39, 0.000000e+00, 0.000000e+00, +E 0.000000e+00, 0.000000e+00, nan, 2.350989e-38, +E 2.000000e+00, 7.000000e+00], dtype=float32) +``` +sometimes the results are fundamentally different (zero vs. non-zero) +``` +> raise AssertionError(msg) +E AssertionError: +E Arrays are not almost equal to 6 decimals +E +E Mismatched elements: 72 / 216 (33.3%) +E Max absolute difference: 1. +E Max relative difference: 1. +E x: array([[[[[0., 0., 0.], +E [0., 0., 0.], +E [0., 0., 0.]],... +E y: array([[[[[1., 0., 0.], +E [0., 1., 0.], +E [0., 0., 1.]],... +``` + +I don't know where it goes wrong, but it's not just a little tolerance violation. One PR that illustrates this is [here](https://github.com/conda-forge/numpy-feedstock/pull/274) and the respective CI run is [here](https://dev.azure.com/conda-forge/feedstock-builds/_build/results?buildId=526218&view=results) (ignore the errors for osx-arm64, those are unrelated). +Steps to reproduce: +1. In an emulated ppc64 machine, install miniforge from [here](https://github.com/conda-forge/miniforge/releases/latest/download/Miniforge3-Linux-ppc64le.sh) +2. Run `conda create -n test_env numpy pytest cython hypothesis typing_extensions` and then `conda activate test_env` +3. Run `python -c "import numpy; numpy.test()"` +4. Pick any test that fails and run it as `python -c "import numpy; numpy.test(tests='x.y.z')"` +Additional information: + diff --git a/results/classifier/phi4:14b/output/runtime/1156313 b/results/classifier/phi4:14b/output/runtime/1156313 new file mode 100644 index 000000000..76a0b70e8 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1156313 @@ -0,0 +1,129 @@ + +semantic: 0.869 +mistranslation: 0.841 +assembly: 0.789 +device: 0.777 +instruction: 0.707 +other: 0.705 +vnc: 0.702 +graphic: 0.657 +socket: 0.605 +boot: 0.576 +network: 0.533 +KVM: 0.518 + +X86-64 flags handling broken + +The current qemu sources cause improper handling of flags on x86-64. +This bug seems to have shown up a few weeks ago. + +A plain install of Debian GNU/Linux makes user processes catch +spurious signals. The kernel seems to run stably, though. + +The ADX feature works very poorly. It might be related; at least it +allows for reproducibly provoking invalid behaviour. + +Here is a test case: + +================================================================ +qemumain.c +#include <stdio.h> +long adx(); +int +main () +{ + printf ("%lx\n", adx (0xffbeef, 17)); + return 0; +} +================================================================ +qemuadx.s: + .globl adx +adx: xor %rax, %rax +1: dec %rdi + jnz 1b + .byte 0xf3, 0x48, 0x0f, 0x38, 0xf6, 0xc0 # adox %rax, %rax + .byte 0x66, 0x48, 0x0f, 0x38, 0xf6, 0xc0 # adcx %rax, %rax + ret +================================================================ + +Compile and execute: +$ gcc -m64 qemumain.c qemuadx.s +$ a.out +ffffff8000378cd8 + +Expected output is simply "0". The garbage value varies between qemu +compiles and guest systems. + +Note that one needs a recent GNU assembler in order to handle adox and +adcx. For convenience I have supplied them as byte sequences. + +Exaplanation and feeble analysis: + +The 0xffbeef argument is a loop count. It is necessary to loop for a +while in order to trigger this bug. If the loop count is decreased, +the bug will seen intermittently; the lower the count, the less +frequent the invalid behaviour. + +It seems like a reasonable assumption that this bug is related to +flags handling at context switch. Presumably, qemu keeps flags state +in some internal format, then recomputes then when needing to form the +eflags register, as needed for example for context switching. + +I haven't tried to reproduce this bug using qemu-x86_64 and SYSROOT, +but I strongly suspect that to be impossible. I use +qemu-system-x86_64 and the guest Debian GNU/Linux x86_64 (version +6.0.6) . + +The bug happens also with the guest FreeBSD x86_64 version 9.1. (The +iteration count for triggering the problem 50% of the runs is not the +same when using the kernel Linux and FreeBSD's kernel, presumably due +to different ticks.) + +The bug happens much more frequently for a loaded system; in fact, the +loop count can be radically decreased if two instances of the trigger +program are run in parallel. + +Richard Henderson <email address hidden> writes: + + Patch at http://patchwork.ozlabs.org/patch/229139/ + +Thanks. I can confirm that this fixes the bug triggered by my test case +(and yours). However, the instability of Debian GNU/Linux x86_64 has +not improved. + +The exact same Debian version (debian "testing") updated at the same +time runs well on hardware. + +My qemu Debian system now got messed up, since I attempted an upgrade in +the buggy qemu, which segfaulted several times during the upgrade. I +need to reinstall, and then rely on -snapshot. + +There is a problem with denorms which is reproducible, but whether that +is a qemu bug, and whether it can actually cause the observed +instability, is questionable. Here is a testcase for that problem: + + + + +It should terminate. The observed buggy behaviour is that it hangs. + +The instability problem can be observed at gmplib.org/devel/tm-date.html. +hwl-deb.gmplib.org is Debian under qemu with -cpu Haswell,+adx. + +Not that the exact same qemu runs FreeBSD flawlessly (hwl.gmplib.org). +It is neither instable nor does it run the denorms testcase poorly. + +I fully realise this is a hopeless bug report, but I am sure you can +reproduce it, since it is far from GMP specific. After all apt-get +update; apt-get upgrade triggered it. Debugging it will be a nightmare. + +Qemu version: main git repo from less than a week ago + Richard ADX +patch. + +-- +Torbjörn + + +It looks from this bug that we fixed the initial ADOX bug in commit c53de1a2896cc (2013), and I've just tried the 'qemu-denorm-problem.s' test case from comment #1 and it works OK, so I think we've fixed that denormals bug too. Given that, and that this bug report is 4 years old, I'm going to close it. If you're still having problems with recent versions of QEMU, please open a new bug. + + diff --git a/results/classifier/phi4:14b/output/runtime/121 b/results/classifier/phi4:14b/output/runtime/121 new file mode 100644 index 000000000..74768dcb1 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/121 @@ -0,0 +1,4 @@ + + + +multiprocess program gets incorrect results with qemu arm-linux-user diff --git a/results/classifier/phi4:14b/output/runtime/1211 b/results/classifier/phi4:14b/output/runtime/1211 new file mode 100644 index 000000000..496c499ac --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1211 @@ -0,0 +1,10 @@ + + + +Bad fonts in "cirrus" VGA card. +Description of problem: +Similar to #988. Fixed by set "no_bitblt" and "sw_cursor" in XF86Config file. +Steps to reproduce: +Similar to #988. +Additional information: + diff --git a/results/classifier/phi4:14b/output/runtime/122 b/results/classifier/phi4:14b/output/runtime/122 new file mode 100644 index 000000000..24cc126d6 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/122 @@ -0,0 +1,4 @@ + + + +linux-user does not check PROT_EXEC diff --git a/results/classifier/phi4:14b/output/runtime/1221966 b/results/classifier/phi4:14b/output/runtime/1221966 new file mode 100644 index 000000000..0da40dbc9 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1221966 @@ -0,0 +1,37 @@ + + + +SIGSEGV in static_code_gen_buffer + +Trying to run 'ls' (or, anything else as far as I can tell) from a SunOS 5.8 box under RHEL 6.4 linux, I get a segfault. I've tried qemu-1.5.3, qemu-1.6.0, and I fetched git://git.qemu-project.org/qemu.git. I've also tried a statically linked sh from /sbin/ and it also segfaulted. + +wcolburn@anotheruvula</home/anotheruvula/qemu>$ gdb bin/qemu-sparc +GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1) +Copyright (C) 2010 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. Type "show copying" +and "show warranty" for details. +This GDB was configured as "x86_64-redhat-linux-gnu". +For bug reporting instructions, please see: +<http://www.gnu.org/software/gdb/bugs/>... +Reading symbols from /home/anotheruvula/qemu/bin/qemu-sparc...done. +(gdb) run ../sparc/ls +Starting program: /home/anotheruvula/qemu/bin/qemu-sparc ../sparc/ls +[Thread debugging using libthread_db enabled] + +Program received signal SIGSEGV, Segmentation fault. +0x00007ffff8259116 in static_code_gen_buffer () +Missing separate debuginfos, use: debuginfo-install glib2-2.22.5-7.el6.x86_64 glibc-2.12-1.107.el6_4.4.x86_64 +(gdb) where +#0 0x00007ffff8259116 in static_code_gen_buffer () +#1 0x00007ffff7f570cd in cpu_tb_exec (cpu=0x7ffffa2b1210, tb_ptr= + 0x7ffff82590d0 "A\213n \205í\017\205Í") + at /home/anotheruvula/qemu-devel/cpu-exec.c:56 +#2 0x00007ffff7f57b2d in cpu_sparc_exec (env=0x7ffffa2b1348) + at /home/anotheruvula/qemu-devel/cpu-exec.c:631 +#3 0x00007ffff7f77f36 in cpu_loop (env=0x7ffffa2b1348) + at /home/anotheruvula/qemu-devel/linux-user/main.c:1089 +#4 0x00007ffff7f798ff in main (argc=2, argv=0x7fffffffdfc8, envp= + 0x7fffffffdfe0) at /home/anotheruvula/qemu-devel/linux-user/main.c:4083 +(gdb) \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1361912 b/results/classifier/phi4:14b/output/runtime/1361912 new file mode 100644 index 000000000..c5b00197c --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1361912 @@ -0,0 +1,12 @@ + + + +qemu-mips64 Segmentation fault + +When I ran qemu-mips64 for any mips 64 executable , I got this error: + +$ ./qemu-mips64 ../lang +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +Segmentation fault (core dumped) + +Is this a known issue? \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1457275 b/results/classifier/phi4:14b/output/runtime/1457275 new file mode 100644 index 000000000..c4c233a02 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1457275 @@ -0,0 +1,108 @@ + + + +qemu-user hangs in m{,un}map loop + +Gentoo amd64 there, tried both 2.3.0 and eba05e922e8e7f307bc5d4104a78797e55124e97 versions of qemu. Reproduces with qemu-x86_64 as well. + +∞ strace qemu-arm bin/true 2>&1| head -n 100 +execve("/usr/bin/qemu-arm", ["qemu-arm", "bin/true"], [/* 49 vars */]) = 0 +uname({sysname="Linux", nodename="l29ah-home", ...}) = 0 +brk(0) = 0x62a4d070 +brk(0x62a4e2b0) = 0x62a4e2b0 +arch_prctl(ARCH_SET_FS, 0x62a4d980) = 0 +set_tid_address(0x62a4dc50) = 7841 +set_robust_list(0x62a4dc60, 24) = 0 +rt_sigaction(SIGRTMIN, {0x6011bd10, [], SA_RESTORER|SA_SIGINFO, 0x60122710}, NULL, 8) = 0 +rt_sigaction(SIGRT_1, {0x6011bda0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x60122710}, NULL, 8) = 0 +rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 +getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 +readlink("/proc/self/exe", "/usr/bin/qemu-arm", 4096) = 17 +brk(0x62a6f2b0) = 0x62a6f2b0 +brk(0x62a70000) = 0x62a70000 +rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 +mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x2c951ff9000 +mprotect(0x2c951ff9000, 4096, PROT_NONE) = 0 +clone(child_stack=0x2c9527f8df0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x2c9527f99d0, tls=0x2c9527f9700, child_tidptr=0x2c9527f99d0) = 7842 +rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 +gettimeofday({1432174351, 569148}, NULL) = 0 +getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 +time(NULL) = 1432174351 +openat(AT_FDCWD, "/usr/gnemul/qemu-arm", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory) +uname({sysname="Linux", nodename="l29ah-home", ...}) = 0 +mprotect(0x60519000, 33558528, PROT_READ|PROT_WRITE|PROT_EXEC) = 0 +madvise(0x605190b0, 33554432, MADV_HUGEPAGE) = -1 EINVAL (Invalid argument) +mmap(NULL, 50331648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c94eff9000 +brk(0x62a91000) = 0x62a91000 +mmap(NULL, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x1000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x2000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x3000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x4000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x5000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x6000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x7000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x8000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x9000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0xa000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0xb000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0xc000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0xd000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0xe000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0xf000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x10000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 +mmap(0x11000, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x2c857ff9000 +mmap(0x2c957fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2c857ff8000 +munmap(0x2c857ff8000, 4096) = 0 +munmap(0x2c857ff9000, 4143972352) = 0 \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1606 b/results/classifier/phi4:14b/output/runtime/1606 new file mode 100644 index 000000000..6f678ad0f --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1606 @@ -0,0 +1,32 @@ + + + +riscv: fence.i is not functional +Description of problem: +The attached user-level test is designed to do the following (in iteration): + + - Thread P0 on CPU0 changes some text/code, while + + - Thread P1 on CPU1 checks/reads the code, fence.i, then executes the same code. + +Results (in stdout) indicates that CPU1 has read the new code (1:x5=a009) but executed the old one (1:x7=1) (against the specification). +Steps to reproduce: +1. echo 2 > /proc/sys/vm/nr_hugepages +2. ./CoRF+fence.i +Additional information: +Example output: +```[CoRF+fence.i.c](/uploads/c150ca0910783cc4bfc3886789b64c28/CoRF+fence.i.c) +Test CoRF+fence.i Allowed +Histogram (4 states) +25784 :>1:x5=0xa009; 1:x7=2; +24207 *>1:x5=0xa009; 1:x7=1; <-- THIS LINE +8 :>1:x5=0xa019; 1:x7=1; +1 :>1:x5=0xa019; 1:x7=2; +Ok +Witnesses +Positive: 24207 Negative 25793 +Condition exists (1:x5=0xa009 /\ 1:x7=1) is validated +Observation CoRF+fence.i Sometimes 24207 25793 +Time CoRF+fence.i 0.85 +Hash= +``` diff --git a/results/classifier/phi4:14b/output/runtime/1654137 b/results/classifier/phi4:14b/output/runtime/1654137 new file mode 100644 index 000000000..d5672caa3 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1654137 @@ -0,0 +1,10 @@ + + + +Ctrl-A b not working in 2.8.0 + +With a recent update from 2.7.0 to 2.8.0 I have discovered that I can no longer send a "break" to the VM. Ctrl-A b is simply ignored. Other Ctrl-A sequences seem to work correctly. + +This is on a NetBSD amd64 system, version 7.99.53, and qemu was installed on this system from source. + +Reverting to the previous install restores "break" capability. \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1697 b/results/classifier/phi4:14b/output/runtime/1697 new file mode 100644 index 000000000..eb55b0932 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1697 @@ -0,0 +1,22 @@ + + + +qemu-arm -cpu cortex-m55 dummy_test qemu-arm: ../accel/tcg/user-exec.c:492: page_set_flags: Assertion `last <= GUEST_ADDR_MAX' failed. +Description of problem: +Basic testing failed for cortex m55 +Steps to reproduce: +1.Pulled the newest qemu 8.0.50 + +2.Create a Dummy test with only return 0 in main function + +3.run ` arm-none-eabi-gcc -o dummy_test -O2 -g -mcpu=cortex-m55 dummy_test.cc --specs=rdimon.specs` and then `qemu-arm -cpu cortex-m55 dummy_test` + +`arm-none-eabi-gcc (Arm GNU Toolchain 12.2.MPACBTI-Rel1 (Build arm-12-mpacbti.34)) 12.2.1 20230214 +Copyright (C) 2022 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.` + +`qemu-arm version 8.0.50 (v8.0.0-1739-g5f9dd6a8ce) +Copyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers` +Additional information: +It is a known problem in another issues: https://gitlab.com/qemu-project/qemu/-/issues/1528#note_1389268261. diff --git a/results/classifier/phi4:14b/output/runtime/1773743 b/results/classifier/phi4:14b/output/runtime/1773743 new file mode 100644 index 000000000..d98167cc5 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1773743 @@ -0,0 +1,24 @@ + + + +qemu-user -g xxx -E LD_PROFILE=xxx segfault + +Here is two simple steps to reproduce the bug: + +$ qemu-x86_64 -E LD_PROFILE=libc.so.6 -E LD_PROFILE_OUTPUT=. -g 12345 -L / /bin/ls + +(libc.so and /bin/ls might change on your system, in this case we just need a binary with a profilable needed library) + +In a other window launch: + +$ gdb +(gdb) target remote :12345 +(gdb) c + +At this point qemu will segfault. + +It seems this problem is appends when sigprof passed to gdb. +One way I have found to bypass this: +patch gdbstub.c gdb_handlesig and ignore sig if +sig == TARGET_SIGPROF +(which means now I can't catch sigprof on gdb anymore) \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1793539 b/results/classifier/phi4:14b/output/runtime/1793539 new file mode 100644 index 000000000..9b541f405 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1793539 @@ -0,0 +1,12 @@ + + + +qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x6003ddc5 + +During the build of gedit for RISC-V this error occurs: + +$ qemu-riscv64 -E LD_LIBRARY_PATH=gedit/.libs ./gedit/.libs/gedit +qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x6003ddc5 +qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x600009e4 + +https://build.opensuse.org/package/live_build_log/openSUSE:Factory:RISCV/gedit/standard/riscv64 \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1798 b/results/classifier/phi4:14b/output/runtime/1798 new file mode 100644 index 000000000..4d67e4936 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1798 @@ -0,0 +1,4 @@ + + + +conversions of malloc/calloc/free to g_malloc/g_new/g_free etc diff --git a/results/classifier/phi4:14b/output/runtime/1807 b/results/classifier/phi4:14b/output/runtime/1807 new file mode 100644 index 000000000..aee76b466 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1807 @@ -0,0 +1,27 @@ + + + +sparc64 always segfaults doesn't work on Ubuntu 23.04 +Description of problem: +It segfaults when it tries to use 'printf' or 'puts' to print to the screen. +Steps to reproduce: +Do the following at the command line + +``` +$ sparc64-linux-gnu-g++ --version +sparc64-linux-gnu-g++ (Ubuntu 12.2.0-14ubuntu2) 12.2.0 +Copyright (C) 2022 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +$ echo -e "#include <stdio.h> \n int main(void) { puts(\"Hello World\"); }" > test.cpp +$ sparc64-linux-gnu-g++ -o test test.cpp -static +$ qemu-sparc64-static --version +qemu-sparc64 version 7.2.0 (Debian 1:7.2+dfsg-5ubuntu2) +Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers +$ qemu-sparc64-static ./test +Segmentation fault (core dumped) +$ qemu-sparc-static ./test +qemu-sparc-static: ./test: Invalid ELF image for this architecture +$ qemu-sparc32plus-static ./test +qemu-sparc32plus-static: ./test: Invalid ELF image for this architecture +``` diff --git a/results/classifier/phi4:14b/output/runtime/1814128 b/results/classifier/phi4:14b/output/runtime/1814128 new file mode 100644 index 000000000..7b23ecb00 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1814128 @@ -0,0 +1,158 @@ + + + +qemu-user fails to set up a reasonable brk for static-pie + +static pie binaries may not get a reasonable brk, +with glibc this means they crash in early tls setup code: +https://sourceware.org/bugzilla/show_bug.cgi?id=24152 + +qemu seems to put brk at the end of the data segment, +but if the stack starts (ends) right next to it then +allocation with brk fails. + +in such situation i think qemu should arrange the +stack or brk to be elsewhere so there is plenty +space to grow (in case of glibc it's enough if tls +setup works: later allocations can fall back to mmap). + +(ubuntu bionic x86_64 ldconfig.real from libc-bin package) +$ qemu-x86_64 -strace -d page /sbin/ldconfig.real +host mmap_min_addr=0x8000 +guest_base 0x0 +start end size prot +0000004000000000-00000040000f2000 00000000000f2000 r-x +00000040000f2000-00000040002f2000 0000000000200000 --- +00000040002f2000-00000040002fa000 0000000000008000 rw- +00000040002fa000-00000040002fb000 0000000000001000 --- +00000040002fb000-0000004000afb000 0000000000800000 rw- +start_brk 0x0000000000000000 +end_code 0x00000040000f1ee8 +start_code 0x0000004000000000 +start_data 0x00000040002f2838 +end_data 0x00000040002f8518 +start_stack 0x0000004000afa130 +brk 0x00000040002f9dd8 +entry 0x0000004000009bc0 +argv_start 0x0000004000afa138 +env_start 0x0000004000afa148 +auxv_start 0x0000004000afa280 +28561 brk(NULL) = 0x00000040002fa000 +28561 brk(0x00000040002fb1c0) = 0x00000040002fa000 +--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0xffffffffffffffc0} --- +qemu: uncaught target signal 11 (Segmentation fault) - core dumped + +$ readelf -hldSW /tmp/ldconfig.real +ELF Header: + Magic: 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00 + Class: ELF64 + Data: 2's complement, little endian + Version: 1 (current) + OS/ABI: UNIX - GNU + ABI Version: 0 + Type: DYN (Shared object file) + Machine: Advanced Micro Devices X86-64 + Version: 0x1 + Entry point address: 0x9bc0 + Start of program headers: 64 (bytes into file) + Start of section headers: 1022920 (bytes into file) + Flags: 0x0 + Size of this header: 64 (bytes) + Size of program headers: 56 (bytes) + Number of program headers: 8 + Size of section headers: 64 (bytes) + Number of section headers: 38 + Section header string table index: 37 + +Section Headers: + [Nr] Name Type Address Off Size ES Flg Lk Inf Al + [ 0] NULL 0000000000000000 000000 000000 00 0 0 0 + [ 1] .note.ABI-tag NOTE 0000000000000200 000200 000020 00 A 0 0 4 + [ 2] .note.gnu.build-id NOTE 0000000000000220 000220 000024 00 A 0 0 4 + [ 3] .gnu.hash GNU_HASH 0000000000000248 000248 00001c 00 A 4 0 8 + [ 4] .dynsym DYNSYM 0000000000000268 000268 000018 18 A 5 1 8 + [ 5] .dynstr STRTAB 0000000000000280 000280 000001 00 A 0 0 1 + [ 6] .rela.dyn RELA 0000000000000288 000288 008748 18 A 4 0 8 + [ 7] .rela.plt RELA 00000000000089d0 0089d0 000318 18 AI 4 27 8 + [ 8] .init PROGBITS 0000000000008ce8 008ce8 000017 00 AX 0 0 4 + [ 9] .plt PROGBITS 0000000000008d00 008d00 000270 10 AX 0 0 16 + [10] .plt.got PROGBITS 0000000000008f70 008f70 000060 08 AX 0 0 8 + [11] .text PROGBITS 0000000000008fd0 008fd0 0bd29c 00 AX 0 0 16 + [12] __libc_freeres_fn PROGBITS 00000000000c6270 0c6270 0016b3 00 AX 0 0 16 + [13] __libc_thread_freeres_fn PROGBITS 00000000000c7930 0c7930 00108f 00 AX 0 0 16 + [14] .fini PROGBITS 00000000000c89c0 0c89c0 000009 00 AX 0 0 4 + [15] .rodata PROGBITS 00000000000c89e0 0c89e0 01af08 00 A 0 0 32 + [16] .stapsdt.base PROGBITS 00000000000e38e8 0e38e8 000001 00 A 0 0 1 + [17] .eh_frame_hdr PROGBITS 00000000000e38ec 0e38ec 001f94 00 A 0 0 4 + [18] .eh_frame PROGBITS 00000000000e5880 0e5880 00c5b8 00 A 0 0 8 + [19] .gcc_except_table PROGBITS 00000000000f1e38 0f1e38 0000b0 00 A 0 0 1 + [20] .tdata PROGBITS 00000000002f2838 0f2838 000028 00 WAT 0 0 8 + [21] .tbss NOBITS 00000000002f2860 0f2860 000040 00 WAT 0 0 8 + [22] .init_array INIT_ARRAY 00000000002f2860 0f2860 000010 08 WA 0 0 8 + [23] .fini_array FINI_ARRAY 00000000002f2870 0f2870 000010 08 WA 0 0 8 + [24] .data.rel.ro PROGBITS 00000000002f2880 0f2880 0034c4 00 WA 0 0 32 + [25] .dynamic DYNAMIC 00000000002f5d48 0f5d48 0001a0 10 WA 5 0 8 + [26] .got PROGBITS 00000000002f5ee8 0f5ee8 000110 08 WA 0 0 8 + [27] .got.plt PROGBITS 00000000002f6000 0f6000 000148 08 WA 0 0 8 + [28] .data PROGBITS 00000000002f6160 0f6160 001bd4 00 WA 0 0 32 + [29] __libc_subfreeres PROGBITS 00000000002f7d38 0f7d38 000060 00 WA 0 0 8 + [30] __libc_IO_vtables PROGBITS 00000000002f7da0 0f7da0 000768 00 WA 0 0 32 + [31] __libc_atexit PROGBITS 00000000002f8508 0f8508 000008 00 WA 0 0 8 + [32] __libc_thread_subfreeres PROGBITS 00000000002f8510 0f8510 000008 00 WA 0 0 8 + [33] .bss NOBITS 00000000002f8520 0f8518 001890 00 WA 0 0 32 + [34] __libc_freeres_ptrs NOBITS 00000000002f9db0 0f8518 000028 00 WA 0 0 8 + [35] .note.stapsdt NOTE 0000000000000000 0f8518 0014cc 00 0 0 4 + [36] .gnu_debuglink PROGBITS 0000000000000000 0f99e4 000034 00 0 0 4 + [37] .shstrtab STRTAB 0000000000000000 0f9a18 0001ab 00 0 0 1 +Key to Flags: + W (write), A (alloc), X (execute), M (merge), S (strings), I (info), + L (link order), O (extra OS processing required), G (group), T (TLS), + C (compressed), x (unknown), o (OS specific), E (exclude), + l (large), p (processor specific) + +Program Headers: + Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align + LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x0f1ee8 0x0f1ee8 R E 0x200000 + LOAD 0x0f2838 0x00000000002f2838 0x00000000002f2838 0x005ce0 0x0075a0 RW 0x200000 + DYNAMIC 0x0f5d48 0x00000000002f5d48 0x00000000002f5d48 0x0001a0 0x0001a0 RW 0x8 + NOTE 0x000200 0x0000000000000200 0x0000000000000200 0x000044 0x000044 R 0x4 + TLS 0x0f2838 0x00000000002f2838 0x00000000002f2838 0x000028 0x000068 R 0x8 + GNU_EH_FRAME 0x0e38ec 0x00000000000e38ec 0x00000000000e38ec 0x001f94 0x001f94 R 0x4 + GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10 + GNU_RELRO 0x0f2838 0x00000000002f2838 0x00000000002f2838 0x0037c8 0x0037c8 R 0x1 + + Section to Segment mapping: + Segment Sections... + 00 .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .rela.dyn .rela.plt .init .plt .plt.got .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata .stapsdt.base .eh_frame_hdr .eh_frame .gcc_except_table + 01 .tdata .init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data __libc_subfreeres __libc_IO_vtables __libc_atexit __libc_thread_subfreeres .bss __libc_freeres_ptrs + 02 .dynamic + 03 .note.ABI-tag .note.gnu.build-id + 04 .tdata .tbss + 05 .eh_frame_hdr + 06 + 07 .tdata .init_array .fini_array .data.rel.ro .dynamic .got + +Dynamic section at offset 0xf5d48 contains 22 entries: + Tag Type Name/Value + 0x000000000000000c (INIT) 0x8ce8 + 0x000000000000000d (FINI) 0xc89c0 + 0x0000000000000019 (INIT_ARRAY) 0x2f2860 + 0x000000000000001b (INIT_ARRAYSZ) 16 (bytes) + 0x000000000000001a (FINI_ARRAY) 0x2f2870 + 0x000000000000001c (FINI_ARRAYSZ) 16 (bytes) + 0x000000006ffffef5 (GNU_HASH) 0x248 + 0x0000000000000005 (STRTAB) 0x280 + 0x0000000000000006 (SYMTAB) 0x268 + 0x000000000000000a (STRSZ) 1 (bytes) + 0x000000000000000b (SYMENT) 24 (bytes) + 0x0000000000000015 (DEBUG) 0x0 + 0x0000000000000003 (PLTGOT) 0x2f6000 + 0x0000000000000002 (PLTRELSZ) 792 (bytes) + 0x0000000000000014 (PLTREL) RELA + 0x0000000000000017 (JMPREL) 0x89d0 + 0x0000000000000007 (RELA) 0x288 + 0x0000000000000008 (RELASZ) 34632 (bytes) + 0x0000000000000009 (RELAENT) 24 (bytes) + 0x000000006ffffffb (FLAGS_1) Flags: PIE + 0x000000006ffffff9 (RELACOUNT) 1443 + 0x0000000000000000 (NULL) 0x0 \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1840922 b/results/classifier/phi4:14b/output/runtime/1840922 new file mode 100644 index 000000000..79a8d0f3f --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1840922 @@ -0,0 +1,24 @@ + + + +qemu-arm for cortex-m33 aborts with unhandled CPU exception 0x8 + +Hi, + +While experimenting with running the GCC testsuite with cortex-m33 as target (to exercise v8-m code), I came across this failure: +qemu: unhandled CPU exception 0x8 - aborting +R00=fffeaf58 R01=fffeaf58 R02=00000000 R03=fffeaf5d +R04=fffeaf5c R05=fffeaf9c R06=00000000 R07=fffeaf80 +R08=00000000 R09=00000000 R10=00019dbc R11=00000000 +R12=000000f0 R13=fffeaf58 R14=000081f3 R15=fffeaf5c +XPSR=61000000 -ZC- T NS priv-thread +qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x6033c908 + +I'm using arm-eabi-gcc, so it targets bare-metal, not linux. + +The testcase is GCC's gcc/testsuite/gcc.c-torture/execute/20000822-1.c; it works when compiled at -O2, but crashes when compiled at -Os. The test uses nested functions, so it creates a trampoline on the stack, whose address may be a problem. But since the stack address seems to be in the same range in the O2 and Os cases, it's not that clear. + +I'm attaching the C source, asm, binary executables and qemu traces with in_asm,cpu. + +I execute the binaries with: +qemu-arm --cpu cortex-m33 ./20000822-1.exe.Os \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1854 b/results/classifier/phi4:14b/output/runtime/1854 new file mode 100644 index 000000000..fd165c9ee --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1854 @@ -0,0 +1,21 @@ + + + +s390x: qemu-user: ERROR:../linux-user/elfload.c:2239:zero_bss: code should not be reached +Description of problem: +The nolibc-test program from the Linux kernel crashes since 5f4e5b34092556ab1577e25d1262bd5975b26980 . +Reverting that commit fixes the issue. +Steps to reproduce: +1. Build `nolibc-test` for s390x from Linux kernel tree. (from `tools/testing/selftests/nolibc/`). EDIT: compiled binary is uploaded below. +2. Run it under qemu-s390x. + +``` + ./qemu-s390x nolibc-test +** +ERROR:../linux-user/elfload.c:2239:zero_bss: code should not be reached +Bail out! ERROR:../linux-user/elfload.c:2239:zero_bss: code should not be reached +Aborted (core dumped) + +``` +Additional information: + diff --git a/results/classifier/phi4:14b/output/runtime/1857 b/results/classifier/phi4:14b/output/runtime/1857 new file mode 100644 index 000000000..64840da4c --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1857 @@ -0,0 +1,55 @@ + + + +Major qemu-aarch64 performance slowdown since commit 59b6b42cd3 +Description of problem: +I have observed a major performance slowdown between qemu 8.0.0 and 8.1.0: + + +qemu 8.0.0: 0.8s + +qemu 8.1.0: 6.8s + + +After bisecting the commits between 8.0.0 and 8.1.0, the offending commit is 59b6b42cd3: + + +commit 59b6b42cd3446862567637f3a7ab31d69c9bef51 +Author: Richard Henderson <richard.henderson@linaro.org> +Date: Tue Jun 6 10:19:39 2023 +0100 + + target/arm: Enable FEAT_LSE2 for -cpu max + + Reviewed-by: Peter Maydell <peter.maydell@linaro.org> + Signed-off-by: Richard Henderson <richard.henderson@linaro.org> + Message-id: 20230530191438.411344-21-richard.henderson@linaro.org + Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + + +Reverting the commit in latest master fixes the problem: + +qemu 8.0.0: 0.8s + +qemu 8.1.0: 6.8s + +qemu master + revert 59b6b42cd3: 0.8s + +Alternatively, specify `-cpu cortex-a35` to disable LSE2: + +`time ./qemu-aarch64 -cpu cortex-a35`: 0.8s + +`time ./qemu-aarch64`: 6.77s + +The slowdown is also observed when running qemu-aarch64 on aarch64 machine: + +`time ./qemu-aarch64 /usr/bin/node -e 1`: 2.91s + +`time ./qemu-aarch64 -cpu cortex-a35 /usr/bin/node -e 1`: 1.77s + +The slowdown on x86_64 machine is small: 362ms -> 378ms. +Steps to reproduce: +1. Run `time ./qemu-aarch64 node-aarch64 -e 1` (node-aarch64 is NodeJS v16 built for AArch64) +2. Using qemu master, the output says `0.8s` +3. Using qemu master with commit 59b6b42cd3 reverted, the output says `6.77s` +Additional information: + diff --git a/results/classifier/phi4:14b/output/runtime/1860056 b/results/classifier/phi4:14b/output/runtime/1860056 new file mode 100644 index 000000000..441b6f4ad --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1860056 @@ -0,0 +1,23 @@ + + + +mips binaries segfault + +Hello World appears to segfault with qemu mips, on a Debian 10.0.0 Buster amd64 host. + +Example: + + +$ cat mips/test/hello.cpp +#include <iostream> +using std::cout; + +int main() { + cout << "Hello World!\n"; + return 0; +} + +$ mips-linux-gnu-g++ -o hello hello.cpp && ./hello +qemu: uncaught target signal 11 (Segmentation fault) - core dumped + +Note that 64-bit MIPS and little endian 32-bit MIPS qemu work fine. The problem is limited to big endian 32-bit MIPS. \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1886097 b/results/classifier/phi4:14b/output/runtime/1886097 new file mode 100644 index 000000000..01677e722 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1886097 @@ -0,0 +1,36 @@ + + + +Error in user-mode calculation of ELF program's brk + +There's a discrepancy between the way QEMU user-mode and Linux calculate the initial program break for statically-linked binaries. I have a binary with the following segments: + + Program Headers: + Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align + EXIDX 0x065a14 0x00075a14 0x00075a14 0x00588 0x00588 R 0x4 + PHDR 0x0a3000 0x000a3000 0x000a3000 0x00160 0x00160 R 0x1000 + LOAD 0x0a3000 0x000a3000 0x000a3000 0x00160 0x00160 R 0x1000 + LOAD 0x000000 0x00010000 0x00010000 0x65fa0 0x65fa0 R E 0x10000 + LOAD 0x066b7c 0x00086b7c 0x00086b7c 0x02384 0x02384 RW 0x10000 + NOTE 0x000114 0x00010114 0x00010114 0x00044 0x00044 R 0x4 + TLS 0x066b7c 0x00086b7c 0x00086b7c 0x00010 0x00030 R 0x4 + GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x8 + GNU_RELRO 0x066b7c 0x00086b7c 0x00086b7c 0x00484 0x00484 R 0x1 + LOAD 0x07e000 0x00089000 0x00089000 0x03ff4 0x03ff4 R E 0x1000 + LOAD 0x098000 0x00030000 0x00030000 0x01000 0x01000 RW 0x1000 + +The call to set_brk in Linux's binfmt_elf.c receives these arguments: + + set_brk(0xa3160, 0xa3160, 1) + +Whereas in QEMU, info->brk gets set to 0x88f00. When the binary is run in QEMU, it crashes on the second call to brk, whereas it runs fine on real ARM hardware. I think the trouble is that the program break is set to an address lower than the virtual address of a LOAD segment (the program headers, in this case). + +I believe that this discrepancy arises because in QEMU, info->brk is only incremented when the LOAD segment in question has PROT_WRITE. For this binary, the LOAD segment with write permissions and the highest virtual address is + + LOAD 0x066b7c 0x00086b7c 0x00086b7c 0x02384 0x02384 RW 0x10000 + +which overlaps with the TLS segment: + + TLS 0x066b7c 0x00086b7c 0x00086b7c 0x00010 0x00030 R 0x4 + +However, the Linux kernel puts the program break after the loadable segment with the highest virtual address, regardless of flags. So I think the fix is for QEMU to do the same. \ No newline at end of file diff --git a/results/classifier/phi4:14b/output/runtime/1952 b/results/classifier/phi4:14b/output/runtime/1952 new file mode 100644 index 000000000..b08e13127 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/1952 @@ -0,0 +1,99 @@ + + + +elf-linux-user: segfault caused by invalid loaddr extracted by the ELF loader +Description of problem: +Emulating ELF binaries as emitted by Zig may lead to segfault in QEMU, which typically looks like this + +``` +$ qemu-x86_64 simple +fish: Job 1, 'qemu-x86_64 simple' terminated by signal SIGSEGV (Address boundary error) +``` +Steps to reproduce: +1. Obtain latest Zig nightly +2. Compile simple static C program using Zig's ELF linker: + +``` +$ echo "int main() { return 0 };" > simple.c +$ zig build-exe simple.c -lc -target x86_64-linux-musl -fno-lld --image-base 0x1000000 +$ qemu-x86_64 simple +fish: Job 1, 'qemu-x86_64 simple' terminated by signal SIGSEGV (Address boundary error) +``` +Additional information: +Note that running `simple` directly it's correctly mmaped and executed by the kernel: + +``` +$ ./simple +$ echo $status +0 +``` + +The reason this happens is because of an assumption QEMU's ELF loader makes on the virtual addresses and offsets of `PT_LOAD` segments, namely: + +``` +vaddr2 - vaddr1 >= off2 - off1 +``` + +Typically, to the best of my knowledge, this is conformed to by the linkers in the large, but it is not required at all. Here's a one-line tweak to QEMU's loader that fixes the segfault: + +```diff +diff --git a/linux-user/elfload.c b/linux-user/elfload.c +index f21e2e0c3d..eabb4fed03 100644 +--- a/linux-user/elfload.c ++++ b/linux-user/elfload.c +@@ -3211,7 +3211,7 @@ static void load_elf_image(const char *image_name, int image_fd, + for (i = 0; i < ehdr->e_phnum; ++i) { + struct elf_phdr *eppnt = phdr + i; + if (eppnt->p_type == PT_LOAD) { +- abi_ulong a = eppnt->p_vaddr - eppnt->p_offset; ++ abi_ulong a = eppnt->p_vaddr & ~(eppnt->p_align - 1); + if (a < loaddr) { + loaddr = a; + } +``` + +The reason why this breaks for ELF binaries emitted by Zig is that while virtual addresses are allocated sequentially or pre-allocated, file offsets are allocated on a best-effort basis wherever there is enough space in the file to fit a given section/segment so that we can move the contents in file while preserving the allocated virtual addresses on a whim. To provide a more concrete example, here's the load segment layout for `simple` as emitted by Zig: + +``` +$ readelf -l simple + +Elf file type is EXEC (Executable file) +Entry point 0x1002000 +There are 7 program headers, starting at offset 64 + +Program Headers: + Type Offset VirtAddr PhysAddr + FileSiz MemSiz Flags Align + PHDR 0x0000000000000040 0x0000000001000040 0x0000000001000040 + 0x0000000000000188 0x0000000000000188 R 0x8 + LOAD 0x0000000000000000 0x0000000001000000 0x0000000001000000 + 0x00000000000001c8 0x00000000000001c8 R 0x1000 + LOAD 0x0000000000021000 0x0000000001001000 0x0000000001001000 + 0x0000000000000078 0x0000000000000078 R 0x1000 + LOAD 0x0000000000022000 0x0000000001002000 0x0000000001002000 + 0x000000000000065a 0x000000000000065a R E 0x1000 + LOAD 0x0000000000023000 0x0000000001003000 0x0000000001003000 + 0x0000000000000060 0x0000000000000278 RW 0x1000 + GNU_EH_FRAME 0x0000000000021064 0x0000000001001064 0x0000000001001064 + 0x0000000000000014 0x0000000000000014 R 0x4 + GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 + 0x0000000000000000 0x0000000000000000 RW 0x1 + + Section to Segment mapping: + Segment Sections... + 00 + 01 + 02 .rodata.str1.1 .rodata .eh_frame .eh_frame_hdr + 03 .text .init .fini + 04 .data .got .bss + 05 .eh_frame_hdr + 06 +``` + +As you can see, initially `loaddr := 0x1000000 - 0x0 = 0x1000000`. However, upon iterating over the second load segment, we already get + +``` +a := 0x1001000 - 0x21000 = 0xfe000 +``` + +and since `a < loaddr`, we incorrectly set `loaddr := 0xfe000`. diff --git a/results/classifier/phi4:14b/output/runtime/2027 b/results/classifier/phi4:14b/output/runtime/2027 new file mode 100644 index 000000000..f9fb7e78f --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2027 @@ -0,0 +1,236 @@ + + + +Go runtime panic with qemu-x86_64-static on aarch64 (bisected) +Description of problem: +I have run into some crashes with certain x86 Go binaries running on arm64 (Asahi Linux) using qemu-user-static. The issue is also reproducible on current master (9c74490bff6c8886a922008d0c9ce6cae70dd17e). I have bisected the issue to commit 2d708164e0475064e0e2167bd73e8570e22df1e0: + +``` +first bad commit: [2d708164e0475064e0e2167bd73e8570e22df1e0] linux-user: Define TASK_UNMAPPED_BASE in $guest/target_mman.h +``` +Steps to reproduce: +1. Build example Go program `GOARCH=amd64 go build -o crashing .` +2. Run it with `qemu-x86_64-static ./crashing` + +<details><summary>Go program to reproduce</summary> + +```go +package main + +import "crypto/x509" + +func main() { + x509.SystemCertPool() +} +``` + +</details> +Additional information: +<details><summary>Go program stacktrace</summary> + +``` +runtime: lfstack.push invalid packing: node=0xffff3c3a9780 cnt=0x1 packed=0xffff3c3a97800001 -> node=0xffffffff3c3a9780 +fatal error: lfstack.push + +runtime stack: +runtime.throw({0x52cb61?, 0x2ce5?}) + /usr/lib/golang/src/runtime/panic.go:1077 +0x5c fp=0xc000613f08 sp=0xc000613ed8 pc=0x433d5c +runtime.(*lfstack).push(0xa0000000002?, 0xffffffffffffefe8?) + /usr/lib/golang/src/runtime/lfstack.go:29 +0x125 fp=0xc000613f48 sp=0xc000613f08 pc=0x40ac25 +runtime.(*spanSetBlockAlloc).free(...) + /usr/lib/golang/src/runtime/mspanset.go:322 +runtime.(*spanSet).reset(0x64d220) + /usr/lib/golang/src/runtime/mspanset.go:264 +0x79 fp=0xc000613f78 sp=0xc000613f48 pc=0x42ef79 +runtime.finishsweep_m() + /usr/lib/golang/src/runtime/mgcsweep.go:260 +0x95 fp=0xc000613fb8 sp=0xc000613f78 pc=0x423455 +runtime.gcStart.func2() + /usr/lib/golang/src/runtime/mgc.go:687 +0xf fp=0xc000613fc8 sp=0xc000613fb8 pc=0x45bd8f +traceback: unexpected SPWRITE function runtime.systemstack +runtime.systemstack() + /usr/lib/golang/src/runtime/asm_amd64.s:509 +0x4a fp=0xc000613fd8 sp=0xc000613fc8 pc=0x46016a + +goroutine 1 [running]: +runtime.systemstack_switch() + /usr/lib/golang/src/runtime/asm_amd64.s:474 +0x8 fp=0xc0001bb9f0 sp=0xc0001bb9e0 pc=0x460108 +runtime.gcStart({0xc000600000?, 0x98370?, 0x307800?}) + /usr/lib/golang/src/runtime/mgc.go:686 +0x2e5 fp=0xc0001bba88 sp=0xc0001bb9f0 pc=0x418e05 +runtime.mallocgc(0x98370, 0x50bb80, 0x1) + /usr/lib/golang/src/runtime/malloc.go:1242 +0x76f fp=0xc0001bbaf0 sp=0xc0001bba88 pc=0x40caaf +runtime.makeslice(0xc0001840a8?, 0x26?, 0x0?) + /usr/lib/golang/src/runtime/slice.go:103 +0x49 fp=0xc0001bbb18 sp=0xc0001bbaf0 pc=0x449729 +os.ReadFile({0xc00035a0f0?, 0x52dcd6?}) + /usr/lib/golang/src/os/file.go:738 +0xe5 fp=0xc0001bbbf0 sp=0xc0001bbb18 pc=0x49ed25 +crypto/x509.loadSystemRoots() + /usr/lib/golang/src/crypto/x509/root_unix.go:70 +0x3d4 fp=0xc0001bbcd8 sp=0xc0001bbbf0 pc=0x4fdef4 +crypto/x509.initSystemRoots() + /usr/lib/golang/src/crypto/x509/root.go:30 +0x5c fp=0xc0001bbd10 sp=0xc0001bbcd8 pc=0x4fd9fc +sync.(*Once).doSlow(0x1?, 0xb30000c00018ada0?) + /usr/lib/golang/src/sync/once.go:74 +0xbf fp=0xc0001bbd70 sp=0xc0001bbd10 pc=0x467bff +sync.(*Once).Do(...) + /usr/lib/golang/src/sync/once.go:65 +crypto/x509.systemRootsPool() + /usr/lib/golang/src/crypto/x509/root.go:21 +0x45 fp=0xc0001bbdc0 sp=0xc0001bbd70 pc=0x4fd8a5 +crypto/x509.SystemCertPool() + /usr/lib/golang/src/crypto/x509/cert_pool.go:112 +0x25 fp=0xc0001bbf30 sp=0xc0001bbdc0 pc=0x4f6705 +main.main() + /home/cyrill/dev/goruntime-crash/main.go:6 +0xf fp=0xc0001bbf40 sp=0xc0001bbf30 pc=0x4ff18f +runtime.main() + /usr/lib/golang/src/runtime/proc.go:267 +0x2bb fp=0xc0001bbfe0 sp=0xc0001bbf40 pc=0x43673b +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0001bbfe8 sp=0xc0001bbfe0 pc=0x461f61 + +goroutine 2 [force gc (idle)]: +runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004efa8 sp=0xc00004ef88 pc=0x436b8e +runtime.goparkunlock(...) + /usr/lib/golang/src/runtime/proc.go:404 +runtime.forcegchelper() + /usr/lib/golang/src/runtime/proc.go:322 +0xb3 fp=0xc00004efe0 sp=0xc00004efa8 pc=0x436a13 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004efe8 sp=0xc00004efe0 pc=0x461f61 +created by runtime.init.6 in goroutine 1 + /usr/lib/golang/src/runtime/proc.go:310 +0x1a + +goroutine 3 [GC sweep wait]: +runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004f778 sp=0xc00004f758 pc=0x436b8e +runtime.goparkunlock(...) + /usr/lib/golang/src/runtime/proc.go:404 +runtime.bgsweep(0x0?) + /usr/lib/golang/src/runtime/mgcsweep.go:321 +0xdf fp=0xc00004f7c8 sp=0xc00004f778 pc=0x4235bf +runtime.gcenable.func1() + /usr/lib/golang/src/runtime/mgc.go:200 +0x25 fp=0xc00004f7e0 sp=0xc00004f7c8 pc=0x418945 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004f7e8 sp=0xc00004f7e0 pc=0x461f61 +created by runtime.gcenable in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:200 +0x66 + +goroutine 4 [GC scavenge wait]: +runtime.gopark(0xc00006c000?, 0x570658?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004ff70 sp=0xc00004ff50 pc=0x436b8e +runtime.goparkunlock(...) + /usr/lib/golang/src/runtime/proc.go:404 +runtime.(*scavengerState).park(0x625680) + /usr/lib/golang/src/runtime/mgcscavenge.go:425 +0x49 fp=0xc00004ffa0 sp=0xc00004ff70 pc=0x420e49 +runtime.bgscavenge(0x0?) + /usr/lib/golang/src/runtime/mgcscavenge.go:658 +0x59 fp=0xc00004ffc8 sp=0xc00004ffa0 pc=0x4213f9 +runtime.gcenable.func2() + /usr/lib/golang/src/runtime/mgc.go:201 +0x25 fp=0xc00004ffe0 sp=0xc00004ffc8 pc=0x4188e5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004ffe8 sp=0xc00004ffe0 pc=0x461f61 +created by runtime.gcenable in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:201 +0xa5 + +goroutine 17 [finalizer wait]: +runtime.gopark(0x400000?, 0x10004e670?, 0x0?, 0x0?, 0x654640?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004e628 sp=0xc00004e608 pc=0x436b8e +runtime.runfinq() + /usr/lib/golang/src/runtime/mfinal.go:193 +0x107 fp=0xc00004e7e0 sp=0xc00004e628 pc=0x4179c7 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004e7e8 sp=0xc00004e7e0 pc=0x461f61 +created by runtime.createfing in goroutine 1 + /usr/lib/golang/src/runtime/mfinal.go:163 +0x3d + +goroutine 18 [GC worker (idle)]: +runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004a750 sp=0xc00004a730 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004a7e0 sp=0xc00004a750 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004a7e8 sp=0xc00004a7e0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 19 [GC worker (idle)]: +runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004af50 sp=0xc00004af30 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004afe0 sp=0xc00004af50 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004afe8 sp=0xc00004afe0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 33 [GC worker (idle)]: +runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc000090750 sp=0xc000090730 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc0000907e0 sp=0xc000090750 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0000907e8 sp=0xc0000907e0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 20 [GC worker (idle)]: +runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004b750 sp=0xc00004b730 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004b7e0 sp=0xc00004b750 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004b7e8 sp=0xc00004b7e0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 49 [GC worker (idle)]: +runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00008c750 sp=0xc00008c730 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00008c7e0 sp=0xc00008c750 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00008c7e8 sp=0xc00008c7e0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 21 [GC worker (idle)]: +runtime.gopark(0xa740c76b8ab?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004bf50 sp=0xc00004bf30 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004bfe0 sp=0xc00004bf50 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004bfe8 sp=0xc00004bfe0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 22 [GC worker (idle)]: +runtime.gopark(0xa740cc9dc5e?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004c750 sp=0xc00004c730 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004c7e0 sp=0xc00004c750 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004c7e8 sp=0xc00004c7e0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 23 [GC worker (idle)]: +runtime.gopark(0x654640?, 0x1?, 0xba?, 0x5f?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004cf50 sp=0xc00004cf30 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004cfe0 sp=0xc00004cf50 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004cfe8 sp=0xc00004cfe0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 24 [GC worker (idle)]: +runtime.gopark(0xa740c58ec16?, 0x0?, 0x0?, 0x0?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00004d750 sp=0xc00004d730 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00004d7e0 sp=0xc00004d750 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00004d7e8 sp=0xc00004d7e0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c + +goroutine 34 [GC worker (idle)]: +runtime.gopark(0x654640?, 0x1?, 0x7a?, 0xa3?, 0x0?) + /usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc000090f50 sp=0xc000090f30 pc=0x436b8e +runtime.gcBgMarkWorker() + /usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc000090fe0 sp=0xc000090f50 pc=0x41a2c5 +runtime.goexit() + /usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000090fe8 sp=0xc000090fe0 pc=0x461f61 +created by runtime.gcBgMarkStartWorkers in goroutine 1 + /usr/lib/golang/src/runtime/mgc.go:1217 +0x1c +exit status 2 +``` + +</details> diff --git a/results/classifier/phi4:14b/output/runtime/2487 b/results/classifier/phi4:14b/output/runtime/2487 new file mode 100644 index 000000000..c5d0c2770 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2487 @@ -0,0 +1,71 @@ + + + +qemu-x86_64: qemu/tcg/ppc/tcg-target.c.inc:1777:tcg_out_test: code should not be reached +Description of problem: +Using this basic test file: + +```c +int +main (void) +{ + return 0; +} +``` + +compiled into a static executable using an x86_64 toolchain (glibc or musl both tested), + +``` +gwyn ~/qemu-bug # file test1 +test1: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped + +gwyn ~/qemu-bug # file test2 +test2: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=276dc49ee7cbd3b760e24761bf9fb9e1cc4b4349, for GNU/Linux 3.2.0, not stripped +``` + +Using QEMU from 15957eb9efe2da67c796612cead95cba28ba9bda or newer: + +``` +gwyn ~/qemu-bug # ../emus-ppc64/bin/qemu-x86_64 --version +qemu-x86_64 version 9.0.50 (v9.0.0-521-g15957eb9ef-dirty) +Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers +``` + +QEMU crashes: + +``` +gwyn ~/qemu-bug # ../emus-ppc64/bin/qemu-x86_64 ./test2 +** +ERROR:/root/qemu/tcg/ppc/tcg-target.c.inc:1777:tcg_out_test: code should not be reached +Bail out! ERROR:/root/qemu/tcg/ppc/tcg-target.c.inc:1777:tcg_out_test: code should not be reached +Aborted +``` +Steps to reproduce: +1. Build QEMU user for ppc64 (may affect other hosts) using commit 15957eb9efe2da67c796612cead95cba28ba9bda or newer. +2. Run any simple x86_64 executable. +3. Observe the crash. +Additional information: +Bisected to here: + +``` +commit 15957eb9efe2da67c796612cead95cba28ba9bda +Author: Paolo Bonzini <pbonzini@redhat.com> +Date: Fri Oct 27 05:57:31 2023 +0200 + + target/i386: use TSTEQ/TSTNE to test low bits + + When testing the sign bit or equality to zero of a partial register, it + is useful to use a single TSTEQ or TSTNE operation. It can also be used + to test the parity flag, using bit 0 of the population count. + + Do not do this for target_ulong-sized values however; the optimizer would + produce a comparison against zero anyway, and it avoids shifts by 64 + which are undefined behavior. + + Reviewed-by: Richard Henderson <richard.henderson@linaro.org> + Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + + target/i386/tcg/emit.c.inc | 5 ++--- + target/i386/tcg/translate.c | 28 ++++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 11 deletions(-) +``` diff --git a/results/classifier/phi4:14b/output/runtime/2505 b/results/classifier/phi4:14b/output/runtime/2505 new file mode 100644 index 000000000..3eaa737f1 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2505 @@ -0,0 +1,4 @@ + + + +Interpreter ELF flags ignored when selecting CPU diff --git a/results/classifier/phi4:14b/output/runtime/2525 b/results/classifier/phi4:14b/output/runtime/2525 new file mode 100644 index 000000000..5ba0def18 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2525 @@ -0,0 +1,4 @@ + + + +bFLT triggers accel/tcg/user-exec.c:505: page_set_flags: Assertion `have_mmap_lock()' failed. diff --git a/results/classifier/phi4:14b/output/runtime/2569 b/results/classifier/phi4:14b/output/runtime/2569 new file mode 100644 index 000000000..2d07cccc8 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2569 @@ -0,0 +1,8 @@ + + + +The alpha target doesn't support tcg plugin register tracking due to missing XML +Description of problem: +There is no register tracking because we build our register list based on XML and there was no XML for alpha because its so old. We could synthesise one to cover the register to fix this. +Steps to reproduce: +1. ./qemu-alpha -d plugin -plugin ./contrib/plugins/libexeclog.so,reg=\* ./tests/tcg/alpha-linux-user/hello-alpha diff --git a/results/classifier/phi4:14b/output/runtime/2580 b/results/classifier/phi4:14b/output/runtime/2580 new file mode 100644 index 000000000..cdc12b610 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2580 @@ -0,0 +1,15 @@ + + + +qemu-aarch64_be 9.1.0 fails to run any Linux programs due to unreachable in gdb_find_static_feature() +Description of problem: +``` +❯ cat empty.c +void _start() {} +❯ clang empty.c -target aarch64_be-linux -nostdlib -fuse-ld=lld +❯ qemu-aarch64_be ./a.out +** +ERROR:../gdbstub/gdbstub.c:493:gdb_find_static_feature: code should not be reached +Bail out! ERROR:../gdbstub/gdbstub.c:493:gdb_find_static_feature: code should not be reached +fish: Job 1, 'qemu-aarch64_be ./a.out' terminated by signal SIGABRT (Abort) +``` diff --git a/results/classifier/phi4:14b/output/runtime/2598 b/results/classifier/phi4:14b/output/runtime/2598 new file mode 100644 index 000000000..0a978ad07 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2598 @@ -0,0 +1,4 @@ + + + +linux-user on riscv64 host: Unable to find a guest_base to satisfy all guest address mapping requirements 00000000-ffffffff diff --git a/results/classifier/phi4:14b/output/runtime/261 b/results/classifier/phi4:14b/output/runtime/261 new file mode 100644 index 000000000..5e5ce90d0 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/261 @@ -0,0 +1,4 @@ + + + +broken signal handling in nios2 user-mode emulation diff --git a/results/classifier/phi4:14b/output/runtime/276 b/results/classifier/phi4:14b/output/runtime/276 new file mode 100644 index 000000000..b44725302 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/276 @@ -0,0 +1,4 @@ + + + +Error in user-mode calculation of ELF program's brk diff --git a/results/classifier/phi4:14b/output/runtime/280 b/results/classifier/phi4:14b/output/runtime/280 new file mode 100644 index 000000000..a52d19ece --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/280 @@ -0,0 +1,4 @@ + + + +(ARM64) qemu-x86_64+schroot(Debian bullseye) can't run chrome and can't load HTML diff --git a/results/classifier/phi4:14b/output/runtime/2815 b/results/classifier/phi4:14b/output/runtime/2815 new file mode 100644 index 000000000..4236102b4 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2815 @@ -0,0 +1,4 @@ + + + +clang 17 and newer -fsanitize=function causes QEMU user-mode to SEGV when calling TCG prologue diff --git a/results/classifier/phi4:14b/output/runtime/2846 b/results/classifier/phi4:14b/output/runtime/2846 new file mode 100644 index 000000000..e2a6268f1 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/2846 @@ -0,0 +1,4 @@ + + + +linux-user hangs if fd_trans_lock is held during fork diff --git a/results/classifier/phi4:14b/output/runtime/311 b/results/classifier/phi4:14b/output/runtime/311 new file mode 100644 index 000000000..ff15261db --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/311 @@ -0,0 +1,4 @@ + + + +qemu user mode: rt signals not implemented for sparc guests diff --git a/results/classifier/phi4:14b/output/runtime/324 b/results/classifier/phi4:14b/output/runtime/324 new file mode 100644 index 000000000..fe76e37d9 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/324 @@ -0,0 +1,4 @@ + + + +chrome based apps can not be run under qemu user mode diff --git a/results/classifier/phi4:14b/output/runtime/326 b/results/classifier/phi4:14b/output/runtime/326 new file mode 100644 index 000000000..f635a6102 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/326 @@ -0,0 +1,4 @@ + + + +QEMU-user ignores MADV_DONTNEED diff --git a/results/classifier/phi4:14b/output/runtime/355 b/results/classifier/phi4:14b/output/runtime/355 new file mode 100644 index 000000000..8286c0d0f --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/355 @@ -0,0 +1,4 @@ + + + +A possible divide by zero bug in get_whole_cluster diff --git a/results/classifier/phi4:14b/output/runtime/356 b/results/classifier/phi4:14b/output/runtime/356 new file mode 100644 index 000000000..a9e926b76 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/356 @@ -0,0 +1,4 @@ + + + +qemu linux-user doesn't translate host/target data for iovec I/O diff --git a/results/classifier/phi4:14b/output/runtime/419 b/results/classifier/phi4:14b/output/runtime/419 new file mode 100644 index 000000000..f9d5b396d --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/419 @@ -0,0 +1,4 @@ + + + +bsd-user dumps core for all binaries emulated diff --git a/results/classifier/phi4:14b/output/runtime/442 b/results/classifier/phi4:14b/output/runtime/442 new file mode 100644 index 000000000..ea8a9a235 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/442 @@ -0,0 +1,4 @@ + + + +Firebird crashes on qemu-m68k-user with pthread_mutex_init error diff --git a/results/classifier/phi4:14b/output/runtime/616 b/results/classifier/phi4:14b/output/runtime/616 new file mode 100644 index 000000000..3aa0af141 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/616 @@ -0,0 +1,110 @@ + + + +overflow condition code determined incorrectly after addition on s390x +Description of problem: +The following program foo.c +[foo.c](/uploads/78f5f799af6e3c400a6a42634f3f0e63/foo.c) + +``` +#include <stdio.h> + +int overflow_32 (int x, int y) +{ + int sum; + return ! __builtin_add_overflow (x, y, &sum); +} + +int overflow_64 (long long x, long long y) +{ + long sum; + return ! __builtin_add_overflow (x, y, &sum); +} + +int a1 = -2147483648; +int b1 = -2147483648; +long long a2 = -9223372036854775808L; +long long b2 = -9223372036854775808L; + +int main () +{ + { + int a = a1; + int b = b1; + printf ("a = 0x%x, b = 0x%x\n", a, b); + printf ("no_overflow = %d\n", overflow_32 (a, b)); + } + { + long long a = a2; + long long b = b2; + printf ("a = 0x%llx, b = 0x%llx\n", a, b); + printf ("no_overflow = %d\n", overflow_64 (a, b)); + } +} +``` + +should print + +``` +a = 0x80000000, b = 0x80000000 +no_overflow = 0 +a = 0x8000000000000000, b = 0x8000000000000000 +no_overflow = 0 +``` + +However, when compiled as an s390x program and executed through +qemu 6.1.0 (Linux user-mode), it prints 'no_overflow = 1' twice. + +``` +$ s390x-linux-gnu-gcc-10 --version +s390x-linux-gnu-gcc-10 (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0 +``` + +``` +$ s390x-linux-gnu-gcc-10 -static foo.c +$ ~/inst-qemu/6.1.0/bin/qemu-s390x a.out +a = 0x80000000, b = 0x80000000 +no_overflow = 1 +a = 0x8000000000000000, b = 0x8000000000000000 +no_overflow = 1 +``` + +``` +$ s390x-linux-gnu-gcc-10 -O2 -static foo.c +$ ~/inst-qemu/6.1.0/bin/qemu-s390x a.out +a = 0x80000000, b = 0x80000000 +no_overflow = 1 +a = 0x8000000000000000, b = 0x8000000000000000 +no_overflow = 1 +``` + +The code generated by 's390x-linux-gnu-gcc-10 -O2' makes use of the +'o' (overflow / ones) condition code: + +``` +overflow_64: + lgr %r1,%r2 ;; copy a into %r1 + lghi %r2,0 + agr %r1,%r3 ;; add a and b + bnor %r14 ;; if no overflow, return %r2 = 0 + lghi %r2,1 + br %r14 ;; otherwise, return %r2 = 1 +``` + +Either the bug is in GCC, that is, GCC produces code that uses the CPU's +overflow condition code when it shouldn't. + +Or the bug is in QEMU, that is, QEMU does not set the overflow condition +code correctly. + +This can be decided by running the above program on real Linux/s390x hardware +(to which I don't have access). +Steps to reproduce: +[foo.static.s390x](/uploads/ac41abf4c54baf9ca96ba82d75a24ad6/foo.static.s390x) +(foo.static.s390x is attached, the result of "s390x-linux-gnu-gcc-10 -static -O2 foo.c -o foo.static.s390x") + +1. `qemu-s390x foo.static.s390x` +Additional information: +If the bug is really in QEMU, the attached patch fixes it. + +[0001-s390x-Fix-determination-of-overflow-condition-code-a.patch](/uploads/552917079ccd25f1861d682fc9dee3e8/0001-s390x-Fix-determination-of-overflow-condition-code-a.patch) diff --git a/results/classifier/phi4:14b/output/runtime/704 b/results/classifier/phi4:14b/output/runtime/704 new file mode 100644 index 000000000..25f043317 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/704 @@ -0,0 +1,4 @@ + + + +linux-user: misaligned address for type 'struct linux_dirent64' diff --git a/results/classifier/phi4:14b/output/runtime/817 b/results/classifier/phi4:14b/output/runtime/817 new file mode 100644 index 000000000..bb98d5237 --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/817 @@ -0,0 +1,4 @@ + + + +linux-user: waitid leaves target siginfo uninitialized when info.si_pid is zero diff --git a/results/classifier/phi4:14b/output/runtime/922 b/results/classifier/phi4:14b/output/runtime/922 new file mode 100644 index 000000000..6078a920d --- /dev/null +++ b/results/classifier/phi4:14b/output/runtime/922 @@ -0,0 +1,23 @@ + + + +QEMU 7.0.0-rc0: Random segfaults when running grep using qemu-arm-static +Description of problem: +I'm running ARM binaries using 32 bit qemu-arm-static on x86_64 host. Sometimes when running grep via qemu, I get a random segmentation fault. Sometimes it happens faster, sometimes it takes several thousand iterations, but sooner or later it happens and really annoying. + +This problem is also reproduced on 6.2, 5.2 and 5.1 releases, and NOT reproduced on 5.0 + +I wrote small test to demonstrate this bug. +Steps to reproduce: +1. Download the test environment: [qemu-test-segfault.tar.bz2](/uploads/8f52617d46ba1e5bf29fc273cd07131d/qemu-test-segfault.tar.bz2) +2. `$ make # To build the docker container` +3. `$ make shell # To run ARM bash` +4. Inside a container, run `while true; do /qemu /bin/grep -E f text > /dev/null; [ $? -ne 0 ] && break; done`. After a while you will get segfault: +``` +[root@0d81b08f032b /]# /qemu --version +qemu-arm version 6.2.90 +Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers +[root@0d81b08f032b /]# while true; do /qemu /bin/grep -E f text > /dev/null; [ $? -ne 0 ] && break; done +Segmentation fault (core dumped) +[root@0d81b08f032b /]# +``` |