From: "Jan-Simon Möller"
Date: Fri, 31 Jul 2009 03:34:00 +0200
Message-Id: <200907310334.00712.dl9pf@gmx.de>
Subject: [Qemu-devel] qemu-arm fails on test-mmap
To: qemu-devel@nongnu.org

Hi!

I've spotted a bug in mmap for qemu-arm. It causes a segfault of qemu, or at least of the running process. It's reproducible here with "test-mmap".

legolas:/> qemu-arm ./test-mmap
pagesize=4096
pagemask=fff
check_aligned_anonymous_unfixed_mmaps passed
check_aligned_anonymous_unfixed_colliding_mmapsSegmentation fault (core dumped)

A lengthy trace with debugging on in mmap.c is at http://filebin.ca/yxypzq/qemu_mmap_segfault.bz2

[... last mmap call ...]

munmap: start=0x5fffd000 len=0x00001000
mmap: start=0x00000000 len=0x00008000 prot=r-- flags=MAP_ANON MAP_PRIVATE fd=-1 offset=00000000
ret=0x5ffff000

start    end      size     prot
00008000-0000b000 00003000 r-x
00012000-00013000 00001000 r--
00013000-00037000 00024000 rw-
40000000-40080000 00080000 rw-
40080000-40081000 00001000 ---
40081000-4009f000 0001e000 r-x
4009f000-400a6000 00007000 ---
400a6000-400a7000 00001000 r--
400a7000-400a8000 00001000 rw-
400a8000-42081000 01fd9000 ---
42085000-421bf000 0013a000 r-x
421bf000-421c6000 00007000 ---
421c6000-421c8000 00002000 r--
421c8000-421ce000 00006000 rw-
5fffe000-60007000 00009000 r--

Segmentation fault

It seems to hit > 0x5fffffff -> segfault.

Best,
Jan-Simon
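An added example, not from the report above and not QEMU's own mmap.c: it parses map lines in the format of the dump above and flags any mapping whose last byte lies above the guest address ceiling, using arithmetic that cannot wrap at 32 bits. The ceiling 0x5fffffff is assumed from the closing remark of the report, and the dump lines are constructed from the trace.

```c
/* Added example: bounds-check guest mappings against the guest address
 * ceiling. GUEST_ADDR_MAX is assumed from the report; the dump is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_ADDR_MAX 0x5fffffffUL   /* assumed guest user address ceiling */

/* Constructed subset of the map dump in the report (last line overshoots). */
static const char CONSTRUCTED_DUMP[] =
    "00008000-0000b000 00003000 r-x\n"
    "421c8000-421ce000 00006000 rw-\n"
    "5fffe000-60007000 00009000 r--\n";

/* Returns 1 if [start, start+len) lies entirely at or below ceiling.
 * Never computes start + len, so a 32-bit wraparound cannot hide an overrun. */
int mapping_fits(uint32_t start, uint32_t len, uint32_t ceiling)
{
    if (len == 0 || start > ceiling)
        return 0;
    return (len - 1) <= ceiling - start;
}

/* Parses one "start-end size prot" line; returns 1 on success and only if
 * the size field agrees with end - start. */
int parse_map_line(const char *line, uint32_t *start, uint32_t *end)
{
    unsigned long s, e, size;
    char prot[8];
    if (sscanf(line, "%lx-%lx %lx %7s", &s, &e, &size, prot) != 4)
        return 0;
    if (e <= s || e - s != size)
        return 0;
    *start = (uint32_t)s;
    *end = (uint32_t)e;
    return 1;
}

/* Counts mappings in a newline-separated dump whose last byte exceeds ceiling. */
int count_out_of_range(const char *dump, uint32_t ceiling)
{
    int bad = 0;
    for (const char *p = dump; *p; ) {
        uint32_t s, e;
        if (parse_map_line(p, &s, &e) && !mapping_fits(s, e - s, ceiling))
            bad++;
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return bad;
}
```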