[Qemu-devel] int128_get64: Assertion `!a.hi' failed

[Max Filippov <jcmvbkbc@gmail.com>]

Hi,

I'm getting said assertion failure debugging linux userspace
application through the qemu gdbstub. The backtrace looks like this:

qemu-system-xtensa: include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff7fe8880 (LWP 15378)]
0x00007ffff639e285 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff639e285 in raise () from /lib64/libc.so.6
#1  0x00007ffff639fb9b in abort () from /lib64/libc.so.6
#2  0x00007ffff6396e9e in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff6396f42 in __assert_fail () from /lib64/libc.so.6
#4  0x00005555556eea6a in int128_get64 (a=...) at include/qemu/int128.h:22
#5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
resolve_subpage=true) at exec.c:264
#6  0x00005555556efc03 in address_space_translate (as=0x555555e8d100, addr=18446744069448138751, xlat=0x7fffffffa538, plen=0x7fffffffa540,
is_write=false) at exec.c:278
#7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
#8  0x00005555556f00f2 in breakpoint_invalidate (cpu=0x555555f1df80, pc=537189728) at exec.c:413
#9  0x00005555556f0725 in cpu_breakpoint_remove_by_ref (env=0x555555f1e0b8, breakpoint=0x555555f4bc20) at exec.c:557
#10 0x00005555556f0649 in cpu_breakpoint_remove (env=0x555555f1e0b8, pc=537189728, flags=16) at exec.c:541
#11 0x000055555570c13b in gdb_breakpoint_remove (addr=537189728, len=2, type=0) at gdbstub.c:691
#12 0x000055555570d031 in gdb_handle_packet (s=0x555555f38100, line_buf=0x555555f3811c "z0,2004dd60,2") at gdbstub.c:991
#13 0x000055555570e45c in gdb_read_byte (s=0x555555f38100, ch=56) at gdbstub.c:1405
#14 0x000055555570e5b0 in gdb_chr_receive (opaque=0x0, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", size=17) at
gdbstub.c:1623
#15 0x000055555567d463 in qemu_chr_be_write (s=0x555555f0c640, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", len=17)
at qemu-char.c:165
#16 0x000055555568185b in tcp_chr_read (chan=0x555555f0c050, cond=G_IO_IN, opaque=0x555555f0c640) at qemu-char.c:2505
#17 0x00007ffff76f1f3d in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#18 0x000055555564a301 in glib_pollfds_poll () at main-loop.c:189
#19 0x000055555564a3f5 in os_host_main_loop_wait (timeout=-1) at main-loop.c:234
#20 0x000055555564a4c8 in main_loop_wait (nonblocking=0) at main-loop.c:483
#21 0x00005555556d9c04 in main_loop () at vl.c:2016
#22 0x00005555556e0e6b in main (argc=20, argv=0x7fffffffdd88, envp=0x7fffffffde30) at vl.c:4361


breakpoint_invalidate couldn't map breakpoint's virtual address,
and get_phys_page_debug returned -1:

(gdb) f 7
#7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
1373        mr = address_space_translate(&address_space_memory, addr, &addr, &l, false);
(gdb) p/x addr
$2 = 0xffffffffffffffff


Later address_space_translate_internal found a section that didn't actually
contain the addr and made a diff with non-zero .hi:

(gdb) f 5
#5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
resolve_subpage=true) at exec.c:264
264         *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
(gdb) p/x diff
$4 = {
  lo = 0x100000001,
  hi = 0xffffffffffffffff
}
(gdb) p/x *section
$6 = {
  mr = 0x555555f04b00,
  address_space = 0x555555e8d100,
  offset_within_region = 0x0,
  size = {
    lo = 0x2000000,
    hi = 0x0
  },
  offset_within_address_space = 0xfe000000,
  readonly = 0x0
}


I'm not sure what's the proper fix, returning -1 for the failed get_phys_page_debug
is common for 32-bit targets. The easiest seems to be checking the result of
cpu_get_phys_page debug in the breakpoint_invalidate:

--- >8 ---
commit cb3f9f90688be062b8a1f12b116f3d48c7ded232
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Fri Sep 27 22:19:16 2013 +0400

    exec: fix breakpoint_invalidate when pc may not be translated

    This fixes qemu abort with the following message:

        include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.

    which happens due to attempt to invalidate breakpoint by virtual address
    for which get_phys_page_debug couldn't find mapping.

    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>

diff --git a/exec.c b/exec.c
index 26681ce..a7e284a 100644
--- a/exec.c
+++ b/exec.c
@@ -410,8 +410,10 @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
 #else
 static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
 {
-    tb_invalidate_phys_addr(cpu_get_phys_page_debug(cpu, pc) |
-            (pc & ~TARGET_PAGE_MASK));
+    hwaddr phys = cpu_get_phys_page_debug(cpu, pc);
+    if (phys != -1) {
+        tb_invalidate_phys_addr(phys | (pc & ~TARGET_PAGE_MASK));
+    }
 }
 #endif
 #endif /* TARGET_HAS_ICE */


-- 
Thanks.
-- Max