From: Jonathan Nieder <jrnieder@gmail.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: qemu@vger.kernel.org,
	Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>,
	qemu-devel@nongnu.org
Subject: [Qemu-devel] [regression] qemu-system-arm: segfault in lsi_do_command
Date: Mon, 16 May 2011 06:23:58 -0500	[thread overview]
Message-ID: <20110516111926.GA7928@elie> (raw)
In-Reply-To: <1288876539-8300-4-git-send-email-kwolf@redhat.com>

Hi,

Kevin Wolf wrote:

> This pulls the request completion for error cases from the caller to
> scsi_disk_emulate_command. This should not change semantics, but allows to
> reuse scsi_handle_write_error() for flushes in the next patch.

Today I tried out qemu-system-arm for the first time.  It's faster
than I expected; very neat.  Unfortunately it segfaults.

Reproducible with "master" (077030d11).  Bisects to v0.14.0-rc0~489
(scsi-disk: Complete failed requests in scsi_disk_emulate_command,
2010-10-25).

Ideas?
Jonathan

Backtrace:

| Program received signal SIGSEGV, Segmentation fault.
| 0x00000000005552b5 in lsi_do_command (s=0x13b84d0) at /home/jrn/src/qemu/hw/lsi53c895a.c:762
| 762             dev->info->read_data(dev, s->current->tag);
| (gdb) bt full
| #0  0x00000000005552b5 in lsi_do_command (s=0x13b84d0) at /home/jrn/src/qemu/hw/lsi53c895a.c:762
|         dev = 0x13baf10
|         buf = "\000\000\000\000\000\000\000\000\251\207Q\000\000\000\000"
|         n = 656877154
| #1  lsi_execute_script (s=0x13b84d0) at /home/jrn/src/qemu/hw/lsi53c895a.c:1067
|         insn = 20688656
|         addr = 97263452
|         addr_high = <value optimized out>
|         opcode = <value optimized out>
|         insn_processed = 18
| #2  0x00000000005566b8 in lsi_reg_writeb (s=0x13b84d0, offset=<value optimized out>, val=32 ' ')
|     at /home/jrn/src/qemu/hw/lsi53c895a.c:1656
| No locals.
| #3  0x000000004059fe4e in ?? ()
| No symbol table info available.
| #4  0x0000000000000040 in ?? ()
| No symbol table info available.
| #5  0x0000000000000000 in ?? ()
| No symbol table info available.
| (gdb) p n
| $1 = 656877154
| (gdb) p dev->info
| $2 = (SCSIDeviceInfo *) 0x8df000
| (gdb) p s->current
| $3 = (lsi_request *) 0x0

That's weird because qemu_mallocz should have checked for NULL.

Program counter:

| Dump of assembler code for function lsi_execute_script:
[...]
|    0x0000000000555250 <+2784>:  callq  0x42a970 <qemu_mallocz>
|    0x0000000000555255 <+2789>:  mov    0x334(%rbx),%edx
|    0x000000000055525b <+2795>:  mov    %rax,0x350(%rbx)
|    0x0000000000555262 <+2802>:  mov    %rbp,%rdi
|    0x0000000000555265 <+2805>:  mov    %edx,(%rax)
|    0x0000000000555267 <+2807>:  mov    0x350(%rbx),%rsi
|    0x000000000055526e <+2814>:  lea    0x30(%rsp),%rdx
|    0x0000000000555273 <+2819>:  mov    0x98(%rbp),%rax
|    0x000000000055527a <+2826>:  mov    0x330(%rbx),%ecx
|    0x0000000000555280 <+2832>:  mov    (%rsi),%esi
|    0x0000000000555282 <+2834>:  callq  *0x78(%rax)
|    0x0000000000555285 <+2837>:  cmp    $0x0,%eax
|    0x0000000000555288 <+2840>:  mov    %eax,%r14d
|    0x000000000055528b <+2843>:  jle    0x5555cc <lsi_execute_script+3676>
|    0x0000000000555291 <+2849>:  movzbl 0x38b(%rbx),%eax
|    0x0000000000555298 <+2856>:  mov    0x350(%rbx),%rdx
|    0x000000000055529f <+2863>:  mov    %rbp,%rdi
|    0x00000000005552a2 <+2866>:  and    $0xfffffffffffffff8,%eax
|    0x00000000005552a5 <+2869>:  or     $0x1,%eax
|    0x00000000005552a8 <+2872>:  mov    %al,0x38b(%rbx)
|    0x00000000005552ae <+2878>:  mov    0x98(%rbp),%rax
| => 0x00000000005552b5 <+2885>:  mov    (%rdx),%esi
|    0x00000000005552b7 <+2887>:  callq  *0x80(%rax)
|    0x00000000005552bd <+2893>:  mov    0x338(%rbx),%ebp

Recipe:

| $ ./configure --prefix=$HOME/opt/qemu --disable-werror
| [...]
| $ make -j2 install STRIP=:
| [...]
| $ PATH=$HOME/opt/qemu/bin:$PATH
| $ qemu-img create arm-install.qemu 10G
| Formatting 'arm-install.qemu', fmt=raw size=10737418240
| $ wget http://d-i.debian.org/daily-images/armel/daily/versatile/netboot/initrd.gz
| [...]
| $ wget http://d-i.debian.org/daily-images/armel/daily/versatile/netboot/vmlinuz-2.6.37-2-versatile
| [...]
| $ sha1sum initrd.gz vmlinuz-2.6.37-2-versatile
| 9822cd356e2e66c0ee2d08f2dfc100f074683b81  initrd.gz
| 81aa8f15f6d0fb3fa971d859787f89eec653d1a3  vmlinuz-2.6.37-2-versatile
| $
| $ qemu-system-arm  -M versatilepb -kernel vmlinuz-2.6.37-2-versatile \
|		-initrd initrd.gz -hda arm-install.qemu
| Segmentation fault (core dumped)

The above transcript does not describe the installation process, since
it happened in another window.

1. Choice of keymap, mirror, etc. are boring
2. It asks for a root password.  Leave it blank.
3. It asks for a new account.  I chose "sudoer".
4. It wants a password.  Give one.
5. Choose a time zone and switch to vt4 for messages.
6. Messages (copied by hand):

| kernel: [  928.454139] SCSI subsystem initialized
| kernel: [  928.767929] PCI: enabling device 0000:00:0c.0 (0100 -> 0103)
| kernel: [  928.840653] sym0: <895a> rev 0x0 at pci 0000:00:0c.0 irq 27
| kernel: [  928.893943] sym0: No NVRAM, ID 7, Fast-40, LVD, parity checking
| kernel: [  928.902942] sym0: SCSI BUS has been reset.
| kernel: [  928.903283] scsi0 : sym-2.2.3
| kernel: [  931.915071] sym0: unknown interrupt(s) ignored, ISTAT=0x5 DSTAT=0x80 SIST=0x0
| kernel: [  931.922015] scsi 0:0:0:0: Direct-Access     QEMU     QEMU HARDDISK    0.14 PQ: 0 ANSI: 5
| kernel: [  931.922765] scsi target0:0:0: tagged command queuing enabled, command queue depth 16.
| kernel: [  931.923171] scsi target0:0:0: Beginning Domain Validation
| kernel: [  931.928165] scsi target0:0:0: Domain Validation skipping write tests

7. Segfault.  The messages stop.

| $ gcc --version
| gcc (Debian 4.6.0-7) 4.6.1 20110507 (prerelease)
| Copyright (C) 2011 Free Software Foundation, Inc.
| This is free software; see the source for copying conditions.  There is NO
| warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
| $ ld --version
| GNU ld (GNU Binutils for Debian) 2.21.51.20110421
| Copyright 2011 Free Software Foundation, Inc.
| This program is free software; you may redistribute it under the terms of
| the GNU General Public License version 3 or (at your option) a later version.
| This program has absolutely no warranty.
| $ /lib/libc.so.6 | head -1
| GNU C Library (Debian EGLIBC 2.13-4) stable release version 2.13, by Roland McGrath et al.
| $ uname -a
| Linux elie 2.6.39-rc5-amd64 #1 SMP Sat Apr 30 05:48:55 UTC 2011 x86_64 GNU/Linux
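
Added illustration, not part of the original message and not QEMU code. In the disassembly above the pointer returned by qemu_mallocz is stored to the struct at +2795 and dereferenced without incident at +2805, passed into the indirect call at +2834, then reloaded from the struct at +2856 and dereferenced at +2885, which is where gdb stops with s->current == NULL. One shape consistent with that is a callback that completes the request synchronously and clears s->current before returning, so the NULL is not a failed allocation but a request that no longer exists. The C model below reproduces that shape with assumed names (Controller, DeviceInfo, command_complete, complete_synchronously) and puts a hardened variant beside the buggy one; it demonstrates the pattern only, not the actual cause or fix in QEMU.

```c
/* Added model, not QEMU code: the crash shape in the backtrace above. s->current is
 * re-read after an indirect call; if that call completes the request and clears
 * s->current, s->current->tag faults although the allocation itself succeeded. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Controller Controller;
typedef struct Request { uint32_t tag; } Request;

/* Modeled per-device vtable (assumed names, mirroring dev->info->send_command/read_data). */
typedef struct DeviceInfo {
    int32_t (*send_command)(Controller *s, uint32_t tag);
    void (*read_data)(Controller *s, uint32_t tag);
} DeviceInfo;

struct Controller {
    const DeviceInfo *info;
    Request *current;        /* in-flight request; cleared on completion */
    uint32_t last_tag_read;  /* tag handed to read_data (0 = never called) */
};

/* Completion path: frees the request and clears s->current. */
static void command_complete(Controller *s)
{
    free(s->current);
    s->current = NULL;
}

static int complete_synchronously; /* model knob: complete inside send_command */

static int32_t model_send_command(Controller *s, uint32_t tag)
{
    (void)tag;
    if (complete_synchronously) {
        command_complete(s);    /* s->current is gone once this returns */
        return 1;               /* still > 0, so the caller keeps going */
    }
    return 512;
}

static void model_read_data(Controller *s, uint32_t tag) { s->last_tag_read = tag; }
static const DeviceInfo model_info = { model_send_command, model_read_data };

/* Buggy shape, as in the disassembly: s->current is reloaded after the callback.
 * Returns 0 normally and -1 where the real code would dereference NULL (line 762). */
static int do_command_buggy(Controller *s, uint32_t tag)
{
    s->current = calloc(1, sizeof(Request));
    if (!s->current) return -2;       /* qemu_mallocz would abort here instead */
    s->current->tag = tag;
    int32_t n = s->info->send_command(s, s->current->tag);
    if (n > 0) {
        if (!s->current) return -1;   /* crash site in the model */
        s->info->read_data(s, s->current->tag);
    }
    return 0;
}

/* Hardened shape: keep the tag in a local and re-check s->current, because the
 * callback is allowed to complete (and free) the request before it returns. */
static int do_command_fixed(Controller *s, uint32_t tag)
{
    Request *req = calloc(1, sizeof(Request));
    if (!req) return -2;
    req->tag = tag;
    s->current = req;
    int32_t n = s->info->send_command(s, tag);
    if (n > 0 && s->current) {
        s->info->read_data(s, tag);
    }
    return 0;
}

/* One scenario on a fresh controller; returns rc, stores the tag read_data saw (0 = never). */
int run_scenario(int sync_complete, int hardened, uint32_t tag, uint32_t *tag_read)
{
    Controller s = { &model_info, NULL, 0 };
    complete_synchronously = sync_complete;
    int rc = hardened ? do_command_fixed(&s, tag) : do_command_buggy(&s, tag);
    if (tag_read) *tag_read = s.last_tag_read;
    if (s.current) command_complete(&s);   /* release an unfinished request */
    return rc;
}

uint32_t scenario_tag_read(int sync_complete, int hardened, uint32_t tag)
{
    uint32_t seen;
    run_scenario(sync_complete, hardened, tag, &seen);
    return seen;
}
int main(void)
{
    printf("buggy: deferred rc=%d, sync rc=%d (real code segfaults)\n",
           run_scenario(0, 0, 7, NULL), run_scenario(1, 0, 9, NULL));
    printf("fixed: sync rc=%d, deferred rc=%d (tag %u read)\n",
           run_scenario(1, 1, 11, NULL), run_scenario(0, 1, 13, NULL),
           scenario_tag_read(0, 1, 13));
    return 0;
}
```

The buggy variant only returns -1 where the real code faults, so the model runs to completion; the point of the hardened variant is that anything needed after an indirect call which may complete the request (here the tag) is captured before the call, and the request pointer is re-validated rather than trusted. A NULL check on the allocation alone, as the message notes, cannot explain this crash.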


Thread overview: 20+ messages
2010-11-04 13:15 [Qemu-devel] [PULL 00/10] Block patches Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 01/10] scsi-disk: Implement rerror option Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 02/10] block: Allow bdrv_flush to return errors Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 03/10] scsi-disk: Complete failed requests in scsi_disk_emulate_command Kevin Wolf
2011-05-16 11:23   ` Jonathan Nieder [this message]
2011-05-16 15:13     ` [Qemu-devel] [regression] qemu-system-arm: segfault in lsi_do_command Kevin Wolf
2011-05-16 15:30       ` Jonathan Nieder
2011-05-16 15:43       ` Jonathan Nieder
2011-05-16 15:58         ` Kevin Wolf
2011-05-16 16:26           ` Paolo Bonzini
2011-05-16 18:35             ` Jonathan Nieder
2011-05-17  7:43             ` Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 04/10] scsi-disk: Implement werror for flushes Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 05/10] vpc: Implement bdrv_flush Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 06/10] qcow2: Invalidate cache after failed read Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 07/10] block: avoid a warning on 64 bit hosts with long as int64_t Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 08/10] ide: Handle immediate bdrv_aio_flush failure Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 09/10] virtio-blk: Handle immediate flush failure properly Kevin Wolf
2010-11-04 13:15 ` [Qemu-devel] [PATCH 10/10] scsi-disk: Fix immediate failure of bdrv_aio_* Kevin Wolf
2010-11-04 13:23 ` [Qemu-devel] Re: [PULL 00/10] Block patches Anthony Liguori
