Re: [Qemu-devel] int128_get64: Assertion `!a.hi' failed

[Paolo Bonzini <pbonzini@redhat.com>]

Il 27/09/2013 20:29, Max Filippov ha scritto:
> Hi,
> 
> I'm getting said assertion failure debugging linux userspace
> application through the qemu gdbstub. The backtrace looks like this:
> 
> qemu-system-xtensa: include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.
> 
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 0x7ffff7fe8880 (LWP 15378)]
> 0x00007ffff639e285 in raise () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00007ffff639e285 in raise () from /lib64/libc.so.6
> #1  0x00007ffff639fb9b in abort () from /lib64/libc.so.6
> #2  0x00007ffff6396e9e in __assert_fail_base () from /lib64/libc.so.6
> #3  0x00007ffff6396f42 in __assert_fail () from /lib64/libc.so.6
> #4  0x00005555556eea6a in int128_get64 (a=...) at include/qemu/int128.h:22
> #5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
> resolve_subpage=true) at exec.c:264
> #6  0x00005555556efc03 in address_space_translate (as=0x555555e8d100, addr=18446744069448138751, xlat=0x7fffffffa538, plen=0x7fffffffa540,
> is_write=false) at exec.c:278
> #7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
> #8  0x00005555556f00f2 in breakpoint_invalidate (cpu=0x555555f1df80, pc=537189728) at exec.c:413
> #9  0x00005555556f0725 in cpu_breakpoint_remove_by_ref (env=0x555555f1e0b8, breakpoint=0x555555f4bc20) at exec.c:557
> #10 0x00005555556f0649 in cpu_breakpoint_remove (env=0x555555f1e0b8, pc=537189728, flags=16) at exec.c:541
> #11 0x000055555570c13b in gdb_breakpoint_remove (addr=537189728, len=2, type=0) at gdbstub.c:691
> #12 0x000055555570d031 in gdb_handle_packet (s=0x555555f38100, line_buf=0x555555f3811c "z0,2004dd60,2") at gdbstub.c:991
> #13 0x000055555570e45c in gdb_read_byte (s=0x555555f38100, ch=56) at gdbstub.c:1405
> #14 0x000055555570e5b0 in gdb_chr_receive (opaque=0x0, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", size=17) at
> gdbstub.c:1623
> #15 0x000055555567d463 in qemu_chr_be_write (s=0x555555f0c640, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", len=17)
> at qemu-char.c:165
> #16 0x000055555568185b in tcp_chr_read (chan=0x555555f0c050, cond=G_IO_IN, opaque=0x555555f0c640) at qemu-char.c:2505
> #17 0x00007ffff76f1f3d in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
> #18 0x000055555564a301 in glib_pollfds_poll () at main-loop.c:189
> #19 0x000055555564a3f5 in os_host_main_loop_wait (timeout=-1) at main-loop.c:234
> #20 0x000055555564a4c8 in main_loop_wait (nonblocking=0) at main-loop.c:483
> #21 0x00005555556d9c04 in main_loop () at vl.c:2016
> #22 0x00005555556e0e6b in main (argc=20, argv=0x7fffffffdd88, envp=0x7fffffffde30) at vl.c:4361
> 
> 
> breakpoint_invalidate couldn't map breakpoint's virtual address,
> and get_phys_page_debug returned -1:
> 
> (gdb) f 7
> #7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
> 1373        mr = address_space_translate(&address_space_memory, addr, &addr, &l, false);
> (gdb) p/x addr
> $2 = 0xffffffffffffffff
> 
> 
> Later address_space_translate_internal found a section that didn't actually
> contain the addr and made a diff with non-zero .hi:
> 
> (gdb) f 5
> #5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
> resolve_subpage=true) at exec.c:264
> 264         *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
> (gdb) p/x diff
> $4 = {
>   lo = 0x100000001,
>   hi = 0xffffffffffffffff
> }
> (gdb) p/x *section
> $6 = {
>   mr = 0x555555f04b00,
>   address_space = 0x555555e8d100,
>   offset_within_region = 0x0,
>   size = {
>     lo = 0x2000000,
>     hi = 0x0
>   },
>   offset_within_address_space = 0xfe000000,
>   readonly = 0x0
> }
> 
> 
> I'm not sure what's the proper fix, returning -1 for the failed get_phys_page_debug
> is common for 32-bit targets. The easiest seems to be checking the result of
> cpu_get_phys_page debug in the breakpoint_invalidate:
> 
> --- >8 ---
> commit cb3f9f90688be062b8a1f12b116f3d48c7ded232
> Author: Max Filippov <jcmvbkbc@gmail.com>
> Date:   Fri Sep 27 22:19:16 2013 +0400
> 
>     exec: fix breakpoint_invalidate when pc may not be translated
> 
>     This fixes qemu abort with the following message:
> 
>         include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.
> 
>     which happens due to attempt to invalidate breakpoint by virtual address
>     for which get_phys_page_debug couldn't find mapping.
> 
>     Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
> 
> diff --git a/exec.c b/exec.c
> index 26681ce..a7e284a 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -410,8 +410,10 @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
>  #else
>  static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
>  {
> -    tb_invalidate_phys_addr(cpu_get_phys_page_debug(cpu, pc) |
> -            (pc & ~TARGET_PAGE_MASK));
> +    hwaddr phys = cpu_get_phys_page_debug(cpu, pc);
> +    if (phys != -1) {
> +        tb_invalidate_phys_addr(phys | (pc & ~TARGET_PAGE_MASK));
> +    }
>  }
>  #endif
>  #endif /* TARGET_HAS_ICE */
> 
> 

Yes, this makes sense.  I'll queue it for 1.6.2 and 1.7.

Paolo