semantic: 0.765
user-level: 0.723
ppc: 0.717
arm: 0.686
PID: 0.679
kernel: 0.675
permissions: 0.661
VMM: 0.659
debug: 0.644
peripherals: 0.641
mistranslation: 0.638
assembly: 0.637
register: 0.630
architecture: 0.601
device: 0.601
graphic: 0.594
boot: 0.593
risc-v: 0.588
vnc: 0.568
virtual: 0.562
TCG: 0.557
hypervisor: 0.528
socket: 0.516
files: 0.498
performance: 0.483
network: 0.451
i386: 0.441
KVM: 0.409
x86: 0.359

QEMU crash after a QuickBASIC program integer overflow

A trivial program compiler with QuickBASIC 4.5 with integer overflow will crash QEMU when ran under MS-DOS 5.0 or FreeDOS 1.2:

C:\KILLER>type killer.bas                                                       
A% = VAL("99999"):PRINT A%                                                      
                                                                                
C:\KILLER>killer.exe                                                            
**                                                                              
  ERROR:../qemu-5.2.0/accel/tcg/tcg-cpus.c:541:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())                                           
Aborted

QEMU version v5.2, compiler for ARM, and started with command line:

qemu-system-i386 -curses -cpu 486 -m 1 -drive dos.img

The same test under Ubuntu QEMU and KVM/x86_64 (QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.14)) will just silently hang the QEMU. On DOSBOX, the machine does not die and program outputs the value -31073.

The EXE to reproduce the issue is attached.



The program works (in TCQ mode) with QEMU v5.0.0.

QEMU starts crashing with the commit:

commit 975af797f1e04e4d1b1a12f1731141d3770fdbce
Author: Joseph Myers <email address hidden>
Date:   Fri May 15 21:21:24 2020 +0000

    target/i386: fix IEEE x87 floating-point exception raising


For -enable-kvm I haven't been able to find a working commit. All versions since v3.1.0 just silently hang with the program.

Attached is a minimal FreeDOS floppy disk to reproduce the TCG crash. Still reproducible with QEMU v6.0.0:

WARNING: Image format was not specified for 'test-floppy.img' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
SeaBIOS (version rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org)
Booting from Floppy...
................................................123
FreeDOS kernel 2042 (build 2042 OEM:0xfd) [compiled May 11 2016]
Kernel compatibility 7.10 - WATCOMC - FAT32 support

(C) Copyright 1995-2012 Pasquale J. Villani and The FreeDOS Project.
All Rights Reserved. This is free software and comes with ABSOLUTELY NO
WARRANTY; you can redistribute it and/or modify it under the terms of the
GNU General Public License as published by the Free Software Foundation;
either version 2, or (at your option) any later version.
 - InitDiskno hard disks detected

FreeCom version 0.84-pre2 XMS_Swap [Aug 28 2006 00:29:00]
A:\>KILLER.EXE
**
ERROR:../accel/tcg/tcg-accel-ops.c:80:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
Bail out! ERROR:../accel/tcg/tcg-accel-ops.c:80:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
Aborted


Since commit 975af797f1e helper_fist_ST0() sets float_flag_invalid.

FErr# IRQ raise since bf13bfab084 ("i386: implement IGNNE"):

  Change the handling of port F0h writes and FPU exceptions to implement IGNNE.
  
  The implementation mixes a bit what the chipset and processor do in real
  hardware, but the effect is the same as what happens with actual FERR#
  and IGNNE# pins: writing to port F0h asserts IGNNE# in addition to lowering
  FP_IRQ; while clearing the SE bit in the FPU status word deasserts IGNNE#.




This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/318