From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:40483)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pkern@hub.kern.lc>) id 1Zstd5-0003RF-2j
	for qemu-devel@nongnu.org; Sun, 01 Nov 2015 09:29:08 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pkern@hub.kern.lc>) id 1Zstd1-0004Rw-QI
	for qemu-devel@nongnu.org; Sun, 01 Nov 2015 09:29:07 -0500
Received: from stormwind.0x539.de ([188.40.127.183]:45576)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pkern@hub.kern.lc>) id 1Zstd1-0004Q0-H1
	for qemu-devel@nongnu.org; Sun, 01 Nov 2015 09:29:03 -0500
Date: Sun, 1 Nov 2015 15:28:51 +0100
From: Philipp Kern <pkern@debian.org>
Message-ID: <20151101142851.GA23096@home.philkern.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="BXVAT5kNtrzKuDFl"
Content-Disposition: inline
Subject: [Qemu-devel] Segmentation fault when running qemu-system-s390x
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org, Peter Maydell <peter.maydell@linaro.org>
Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>, Paolo Bonzini <pbonzini@redhat.com>


--BXVAT5kNtrzKuDFl
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[Resent with the correct list address]

Hi,

I get a segmentation fault when trying to run qemu-system-s390x with a
simple Debian kernel and initrd.

According to git bisect:

0a1c71cec63e95f9b8d0dc96d049d2daa00c5210 is the first bad commit
commit 0a1c71cec63e95f9b8d0dc96d049d2daa00c5210
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Thu Oct 1 15:29:48 2015 +0100

    exec.c: Don't call cpu_reload_memory_map() from cpu_exec_init()
   =20
    Currently we call cpu_reload_memory_map() from cpu_exec_init(),
    but this is not necessary:
     * KVM doesn't use the data structures maintained by
       cpu_reload_memory_map() (the TLB and cpu->memory_dispatch)
     * for TCG, we will call this function via tcg_commit() either
       as soon as tcg_cpu_address_space_init() registers the listener,
       or when the first MemoryRegion is added to the AddressSpace
       if the AS is empty when we register the listener
   =20
    The unnecessary call is awkward for adding support for multiple
    address spaces per CPU, so drop it.
   =20
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
    Message-Id: <1443709790-25180-2-git-send-email-peter.maydell@linaro.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

:100644 100644 7d90a522524b64a86a09c71dd54da804380ad803 ab5d8a8061252899f04=
aaa6d83723b139a11597a M      exec.c

Backtrace at the bad revision (with -O0):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdc07d700 (LWP 23112)]
0x00005555555dd0f1 in address_space_lookup_region (d=3D0x0, addr=3D65536, r=
esolve_subpage=3Dfalse) at /home/pkern/src/qemu/exec.c:333
333         section =3D phys_page_find(d->phys_map, addr, d->map.nodes, d->=
map.sections);
(gdb) bt full
#0  0x00005555555dd0f1 in address_space_lookup_region (d=3D0x0, addr=3D6553=
6, resolve_subpage=3Dfalse)
    at /home/pkern/src/qemu/exec.c:333
        section =3D 0x0
        subpage =3D 0x5555577096f0
#1  0x00005555555dd1b7 in address_space_translate_internal (d=3D0x0, addr=
=3D65536, xlat=3D0x7fffdc07c588, plen=3D0x7fffdc07c590,=20
    resolve_subpage=3Dfalse) at /home/pkern/src/qemu/exec.c:350
        section =3D 0x0
        mr =3D 0x0
        diff =3D {lo =3D 140736884884752, hi =3D 1}
#2  0x00005555555dd4d5 in address_space_translate_for_iotlb (cpu=3D0x555557=
858a80, addr=3D65536, xlat=3D0x7fffdc07c588,=20
    plen=3D0x7fffdc07c590) at /home/pkern/src/qemu/exec.c:434
        section =3D 0x5555558b1868
        __PRETTY_FUNCTION__ =3D "address_space_translate_for_iotlb"
#3  0x000055555562b786 in tlb_set_page_with_attrs (cpu=3D0x555557858a80, va=
ddr=3D65536, paddr=3D65536, attrs=3D..., prot=3D7, mmu_idx=3D0,=20
    size=3D4096) at /home/pkern/src/qemu/cputlb.c:366
        env =3D 0x555557860d00
        section =3D 0x7
        index =3D 712983228
        address =3D 12281431504
        code_address =3D 16
        addend =3D 65536
        te =3D 0x100010000
        iotlb =3D 93825004614208
        xlat =3D 93824994779868
        sz =3D 4096
        vidx =3D 0
        __PRETTY_FUNCTION__ =3D "tlb_set_page_with_attrs"
#4  0x000055555562bb0a in tlb_set_page (cpu=3D0x555557858a80, vaddr=3D65536=
, paddr=3D65536, prot=3D7, mmu_idx=3D0, size=3D4096)
    at /home/pkern/src/qemu/cputlb.c:436
No locals.
#5  0x000055555569b915 in s390_cpu_handle_mmu_fault (cs=3D0x555557858a80, o=
rig_vaddr=3D65536, rw=3D2, mmu_idx=3D0)
    at /home/pkern/src/qemu/target-s390x/helper.c:146
        cpu =3D 0x555557858a80
        __func__ =3D "s390_cpu_handle_mmu_fault"
        env =3D 0x555557860d00
        asc =3D 0
        vaddr =3D 65536
        raddr =3D 65536
        prot =3D 7
#6  0x00005555556a2a9e in tlb_fill (cs=3D0x555557858a80, addr=3D65536, is_w=
rite=3D2, mmu_idx=3D0, retaddr=3D0)
    at /home/pkern/src/qemu/target-s390x/mem_helper.c:39
        ret =3D 21845
#7  0x0000555555631b39 in helper_ret_ldb_cmmu (env=3D0x555557860d00, addr=
=3D65536, oi=3D0, retaddr=3D0)
    at /home/pkern/src/qemu/softmmu_template.h:189
        mmu_idx =3D 0
        index =3D 16
        tlb_addr =3D 18446744073709551615
        haddr =3D 0
        res =3D 0 '\000'
#8  0x000055555562aa82 in cpu_ldub_code_ra (env=3D0x555557860d00, ptr=3D655=
36, retaddr=3D0)
    at /home/pkern/src/qemu/include/exec/cpu_ldst_template.h:89
        page_index =3D 16
        res =3D 0
        addr =3D 65536
        mmu_idx =3D 0
        oi =3D 0
#9  0x000055555562aaf8 in cpu_ldub_code (env=3D0x555557860d00, ptr=3D65536)
    at /home/pkern/src/qemu/include/exec/cpu_ldst_template.h:101
No locals.
#10 0x000055555562bba6 in get_page_addr_code (env1=3D0x555557860d00, addr=
=3D65536) at /home/pkern/src/qemu/cputlb.c:456
        mmu_idx =3D 0
        page_index =3D 16
        pd =3D 0
        p =3D 0x7fffdc07d700
        mr =3D 0x5555558927ff
        cpu =3D 0x555557858a80
        __func__ =3D "get_page_addr_code"
#11 0x00005555555e6ec9 in tb_find_physical (cpu=3D0x555557858a80, pc=3D6553=
6, cs_base=3D0, flags=3D4097)
    at /home/pkern/src/qemu/cpu-exec.c:222
        env =3D 0x555557860d00
        tb =3D 0x5555560e7710
        ptb1 =3D 0x5555560de0b0
        h =3D 257
        phys_pc =3D 93824994775183
        phys_page1 =3D 93825004369680
        virt_page2 =3D 140736884885760
#12 0x00005555555e7033 in tb_find_slow (cpu=3D0x555557858a80, pc=3D65536, c=
s_base=3D0, flags=3D4097)
    at /home/pkern/src/qemu/cpu-exec.c:266
        tb =3D 0x10400
#13 0x00005555555e7186 in tb_find_fast (cpu=3D0x555557858a80) at /home/pker=
n/src/qemu/cpu-exec.c:314
        env =3D 0x555557860d00
        tb =3D 0x0
        cs_base =3D 0
        pc =3D 65536
        flags =3D 4097
#14 0x00005555555e7594 in cpu_s390x_exec (cpu=3D0x555557858a80) at /home/pk=
ern/src/qemu/cpu-exec.c:463
        cc =3D 0x5555560f4b20
        __func__ =3D "cpu_s390x_exec"
        ret =3D 21845
        interrupt_request =3D 0
        tb =3D 0x7fffdc07c9a0
        tc_ptr =3D 0x5555556c0f65 <runstate_is_running+14> "\017\266\300]\3=
03UH\211\345\277\002"
        next_tb =3D 0
        sc =3D {diff_clk =3D 140736884885952, last_cpu_icount =3D 400871159=
59, realtime_clock =3D 140736884885952}
#15 0x00005555556100ef in tcg_cpu_exec (cpu=3D0x555557858a80) at /home/pker=
n/src/qemu/cpus.c:1450
        ret =3D 21845
#16 0x00005555556101cd in tcg_exec_all () at /home/pkern/src/qemu/cpus.c:14=
82
        cpu =3D 0x555557858a80
        r =3D 32767
#17 0x000055555560f721 in qemu_tcg_cpu_thread_fn (arg=3D0x555557858a80) at =
/home/pkern/src/qemu/cpus.c:1128
        cpu =3D 0x0
#18 0x00007ffff258e0a4 in start_thread (arg=3D0x7fffdc07d700) at pthread_cr=
eate.c:309
        __res =3D <optimized out>
        pd =3D 0x7fffdc07d700
        now =3D <optimized out>
---Type <return> to continue, or q <return> to quit---
        unwind_buf =3D {cancel_jmp_buf =3D {{jmp_buf =3D {140736884889344, =
-5613847576358200238, 1, 140737354125408, 0,=20
                140736884889344, 5613775766303759442, 5613877598567357522},=
 mask_was_saved =3D 0}}, priv =3D {pad =3D {0x0, 0x0, 0x0,=20
              0x0}, data =3D {prev =3D 0x0, cleanup =3D 0x0, canceltype =3D=
 0}}}
        not_first_call =3D <optimized out>
        pagesize_m1 =3D <optimized out>
        sp =3D <optimized out>
        freesize =3D <optimized out>
        __PRETTY_FUNCTION__ =3D "start_thread"
#19 0x00007ffff22c304d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clo=
ne.S:111
No locals.

Kind regards and thanks
Philipp Kern

--BXVAT5kNtrzKuDFl
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJWNiGjAAoJEERuJUU10FbsC7kIAKwTvpEWlE0rj4wJmh2iFiu7
FLrAOmryti1YkwHMwzmDLptFeh87KftLdgMgdxq0+isA96iLc9RtWc1XyfjglK6+
M+q7reIYuZp1pvIhQQKyXPnu3adisZ2cjQ8tq8raxZhRYeBvwX+igDfSugOs66EP
+VkRCWPWiZRdlpgafBevslf4PRv5VdQrX3R0wxtZ4Kw1XmRXZL4/m7flrLqVXaj2
5yOBZggN4JaKZT3GAv1FnNw7RLVUL/ZZSZXMhn2gA4dieXMBRBLKb4RyOu1iX5rB
pePHnVnLolETHt0d1/IsDPi5khH0FPjIJQ5CxOQiagbqytJtmJYlfcGoMVv5t8k=
=rLZE
-----END PGP SIGNATURE-----

--BXVAT5kNtrzKuDFl--