From: "J. Mayer" <l_indien@magic.fr>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Bug report
Date: Sun, 11 Apr 2004 17:04:42 +0200
Message-ID: <1081695882.10224.256.camel@rapid>


I just had a SIGSEGV, running qemu under gdb on my PC. Here's the case:
we enter tb_link_phys with phys_pc == 0
Then, we crash in tb_alloc_page because the PageDesc returned by
page_find is NULL.
So, dereferencing this pointer, we get a segfault:

    p = page_find(page_addr >> TARGET_PAGE_BITS);
    tb->page_next[n] = p->first_tb;
                                ^^^^^^
You'll find useful information in the gdb output, attached.

-- 
J. Mayer <l_indien@magic.fr>
Never organized

[-- Attachment #2: Qemu segfault gdb output --]

(qemu) 
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 27064)]
tb_link_phys (tb=0x83ff094, phys_pc=0, phys_page2=4294967295)
    at /home/jocelyn/devel/ppc_emul/qemu-newCVS/qemu/exec.c:694
694         tb->page_next[n] = p->first_tb;
(gdb) bt
#0  tb_link_phys (tb=0x83ff094, phys_pc=0, phys_page2=4294967295)
    at /home/jocelyn/devel/ppc_emul/qemu-newCVS/qemu/exec.c:694
#1  0x0806a38c in cpu_ppc_exec (env1=0x8f007c0)
    at /home/jocelyn/devel/ppc_emul/qemu-newCVS/qemu/cpu-exec.c:346
#2  0x0804b839 in main_loop ()
    at /home/jocelyn/devel/ppc_emul/qemu-newCVS/qemu/vl.c:1528
#3  0x0804c453 in main (argc=134526736, argv=0xbffff124)
    at /home/jocelyn/devel/ppc_emul/qemu-newCVS/qemu/vl.c:2170
(gdb) p tb
 = (TranslationBlock *) 0x83ff094
(gdb) p/x *tb
 = {pc = 0x7ffff660, cs_base = 0x0, flags = 0x0, size = 0x4, cflags = 0x0, 
  tc_ptr = 0x8de24c0, hash_next = 0x0, phys_hash_next = 0x83919d8, 
  page_next = {0x0, 0x0}, page_addr = {0x37962000, 0x0}, tb_next_offset = {
    0xffff, 0xffff}, tb_jmp_offset = {0x0, 0x0, 0xffff, 0xffff}, jmp_next = {
    0x0, 0x0}, jmp_first = 0x0}
(gdb) p/x l1_map[0]
 = 0x8f18b10
(gdb) p/x *l1_map[0]
 = {phys_offset = 0x0, first_tb = 0x83ff050, code_write_count = 0x0, 
  code_bitmap = 0x0}
(gdb) info registers
eax            0x0      0
ecx            0x83919d8        137959896
edx            0x37962  227682
ebx            0x0      0
esp            0xbfffdc50       0xbfffdc50
ebp            0x8f007c0        0x8f007c0
esi            0x83ff094        138408084
edi            0xffffffff       -1
eip            0x8060886        0x8060886
eflags         0x10246  66118
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x7      7
(gdb) disas
Dump of assembler code for function tb_link_phys:
0x08060830 <tb_link_phys+0>:    push   %ebp
0x08060831 <tb_link_phys+1>:    push   %edi
0x08060832 <tb_link_phys+2>:    push   %esi
0x08060833 <tb_link_phys+3>:    push   %ebx
0x08060834 <tb_link_phys+4>:    sub    $0xc,%esp
0x08060837 <tb_link_phys+7>:    xor    %ebx,%ebx
0x08060839 <tb_link_phys+9>:    mov    0x24(%esp,1),%eax
0x0806083d <tb_link_phys+13>:   mov    0x20(%esp,1),%esi
0x08060841 <tb_link_phys+17>:   mov    0x28(%esp,1),%edi
0x08060845 <tb_link_phys+21>:   mov    %eax,%edx
0x08060847 <tb_link_phys+23>:   and    $0x7fff,%edx
0x0806084d <tb_link_phys+29>:   and    $0xfffff000,%eax
0x08060852 <tb_link_phys+34>:   mov    %eax,0x24(%esi)
0x08060855 <tb_link_phys+37>:   shl    $0x2,%edx
0x08060858 <tb_link_phys+40>:   mov    0x8278780(%edx),%ecx
0x0806085e <tb_link_phys+46>:   mov    %ecx,0x18(%esi)
0x08060861 <tb_link_phys+49>:   mov    %esi,0x8278780(%edx)
0x08060867 <tb_link_phys+55>:   mov    %eax,%edx
0x08060869 <tb_link_phys+57>:   shr    $0x16,%eax
0x0806086c <tb_link_phys+60>:   mov    0x80a55a0(,%eax,4),%eax
0x08060873 <tb_link_phys+67>:   shr    $0xc,%edx
0x08060876 <tb_link_phys+70>:   test   %eax,%eax
0x08060878 <tb_link_phys+72>:   je     0x8060886 <tb_link_phys+86>
0x0806087a <tb_link_phys+74>:   and    $0x3ff,%edx
0x08060880 <tb_link_phys+80>:   shl    $0x4,%edx
0x08060883 <tb_link_phys+83>:   lea    (%edx,%eax,1),%ebx
0x08060886 <tb_link_phys+86>:   mov    0x4(%ebx),%edx
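
Added example, not QEMU's own code and not part of the report above: a small C model of the two-level page directory that the disassembly walks, with a page_find() that returns NULL for pages never touched (the state the reporter hit with phys_pc == 0), the unchecked tb_alloc_page() pattern quoted in the mail, and a guarded variant that allocates the PageDesc on demand and returns an error instead of faulting. The index split (L1 index = address >> 22, L2 index = (address >> 12) & 0x3ff) is read off the shr $0x16 / and $0x3ff / shl $0x4 sequence in the dump and assumed to match that build; the structure layouts, new_tb() and count_tbs_on_page() are constructed for this example, and the pointer tagging the real page_next[] uses is left out.

```c
/* Added example (not QEMU's code): model of the two-level page directory walked above. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_MASK (~((1u << TARGET_PAGE_BITS) - 1))
#define L2_BITS          10                               /* assumed from and $0x3ff */
#define L1_SIZE          (1u << (32 - L2_BITS - TARGET_PAGE_BITS))
#define L2_SIZE          (1u << L2_BITS)

typedef struct TranslationBlock TranslationBlock;
typedef struct PageDesc {                                 /* four fields as in the gdb dump */
    uint32_t          phys_offset;
    TranslationBlock *first_tb;                           /* head of the TB list for this page */
    uint32_t          code_write_count;
    uint8_t          *code_bitmap;
} PageDesc;

struct TranslationBlock {                                 /* simplified, constructed layout */
    uint32_t          pc;
    TranslationBlock *page_next[2];                       /* next TB on page_addr[0] / [1] */
    uint32_t          page_addr[2];
};

/* l1_map[i] stays NULL until a page in that 4 MiB region is first touched. */
static PageDesc *l1_map[L1_SIZE];

/* Pure lookup: NULL when no L2 table exists yet (the state in the report). */
static PageDesc *page_find(uint32_t index)
{
    PageDesc *l2 = l1_map[index >> L2_BITS];
    return l2 ? l2 + (index & (L2_SIZE - 1)) : NULL;
}

/* Lookup that creates the missing L2 table instead of reporting NULL. */
static PageDesc *page_find_alloc(uint32_t index)
{
    PageDesc **lp = &l1_map[index >> L2_BITS];
    if (!*lp && !(*lp = calloc(L2_SIZE, sizeof(PageDesc))))
        return NULL;                                      /* genuine allocation failure */
    return *lp + (index & (L2_SIZE - 1));
}

/* The pattern quoted in the report: p may be NULL and is dereferenced anyway. */
static void tb_alloc_page_unchecked(TranslationBlock *tb, unsigned n, uint32_t page_addr)
{
    PageDesc *p = page_find(page_addr >> TARGET_PAGE_BITS);
    tb->page_addr[n] = page_addr;
    tb->page_next[n] = p->first_tb;                       /* SIGSEGV when p == NULL */
    p->first_tb = tb;
}

/* Guarded variant: allocate the descriptor on demand, report failure otherwise. */
static int tb_alloc_page_checked(TranslationBlock *tb, unsigned n, uint32_t page_addr)
{
    PageDesc *p = page_find_alloc(page_addr >> TARGET_PAGE_BITS);
    if (!p)
        return -1;                                        /* surface it instead of faulting */
    tb->page_addr[n] = page_addr;
    tb->page_next[n] = p->first_tb;
    p->first_tb = tb;
    return 0;
}

/* Same contract as tb_link_phys(tb, phys_pc, phys_page2) in the backtrace: -1 = no 2nd page. */
static int tb_link_phys_checked(TranslationBlock *tb, uint32_t phys_pc, uint32_t phys_page2)
{
    if (tb_alloc_page_checked(tb, 0, phys_pc & TARGET_PAGE_MASK) < 0)
        return -1;
    if (phys_page2 != UINT32_MAX)
        return tb_alloc_page_checked(tb, 1, phys_page2);
    tb->page_addr[1] = UINT32_MAX;
    return 0;
}

/* Constructed helper: a zeroed TB with the given guest pc. */
static TranslationBlock *new_tb(uint32_t pc)
{
    TranslationBlock *tb = calloc(1, sizeof *tb);
    if (tb) tb->pc = pc;
    return tb;
}

/* Constructed helper: TBs linked on the page holding page_addr (0 if it has no PageDesc). */
static unsigned count_tbs_on_page(uint32_t page_addr)
{
    uint32_t page = page_addr & TARGET_PAGE_MASK;
    PageDesc *p = page_find(page >> TARGET_PAGE_BITS);
    unsigned n = 0;
    for (TranslationBlock *tb = p ? p->first_tb : NULL; tb; n++)
        tb = tb->page_next[tb->page_addr[0] == page ? 0 : 1];
    return n;
}

int main(void)
{
    uint32_t phys_pc = 0;                                 /* the value from the report */
    printf("page_find(0) before any TB: %p\n", (void *)page_find(phys_pc >> TARGET_PAGE_BITS));
    if (tb_link_phys_checked(new_tb(0x7ffff660), phys_pc, UINT32_MAX) < 0)
        return 1;
    tb_alloc_page_unchecked(new_tb(0x7ffff664), 0, 0);    /* safe only now: PageDesc exists */
    printf("TBs on page 0: %u\n", count_tbs_on_page(0));
    return 0;
}
```

Before any TB is linked, page_find(0) is NULL exactly as in the report, so the unchecked routine faults at the p->first_tb read; the checked path goes through page_find_alloc() first, so the same phys_pc == 0 input succeeds, and a real out-of-memory condition comes back as -1 to the caller rather than as a NULL dereference.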
