From: Laurent Vivier <laurent@vivier.eu>
To: Thomas Huth <thuth@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Laurent Vivier <lvivier@redhat.com>,
Richard Henderson <rth@twiddle.net>
Cc: Peter Maydell <peter.maydell@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] out of bounds in set_cc_op()
Date: Thu, 21 Dec 2017 14:07:59 +0100
Message-ID: <40dbaff2-918c-bba6-2a70-7c5f9b19cb66@vivier.eu>
In-Reply-To: <e7994a8d-3a02-99c7-d919-c940aa4bc066@redhat.com>
On 21/12/2017 at 13:49, Thomas Huth wrote:
> On 20.12.2017 22:56, Paolo Bonzini wrote:
>> On 20/12/2017 20:20, Peter Maydell wrote:
>>> On the x86/sanitizer build, new runtime errors:
>>> GTESTER check-qtest-m68k
>>> /home/petmay01/linaro/qemu-for-merges/target/m68k/translate.c:230:12:
>>> runtime error: index -1 out of bounds for type 'const uint8_t [11]'
>>>
>>> ...and similar fails on one or two boards on most of the other
>>> guest architectures.
>>
>> These are preexisting bugs, now exposed by the boot-serial-test.
>> Thomas, can you identify the architectures that have a problem and
>> notify the maintainers? In the meanwhile I'll keep the boot-serial-test
>> enhancements queued locally, and remove them from the pull request.
>
> Laurent, Richard,
>
> looks like old_op is -1 when set_cc_op() is called here for the first
> time. The problem can be reproduced by running the mini-kernel directly.
> Just get http://people.redhat.com/~thuth/m68k-uart.bin and run QEMU like
> this:
>
> qemu-system-m68k -nographic -kernel ~/tmp/m68k-uart.bin -serial none
>
> That kernel only contains these few instructions:
>
> 0x41, 0xf9, 0xfc, 0x06, 0x00, 0x00, /* lea 0xfc060000,%a0 */
> 0x10, 0x3c, 0x00, 0x54, /* move.b #'T',%d0 */
> 0x11, 0x7c, 0x00, 0x04, 0x00, 0x08, /* move.b #4,8(%a0) */
> 0x11, 0x40, 0x00, 0x0c, /* move.b %d0,12(%a0) */
> 0x60, 0xfa /* bra.s loop */
>
> The problem occurs during the second instruction (i.e. the first move.b).
>
> Do you have any ideas where this -1 in s->cc_op could come from?
I think it comes from CCOp: it's the value of CC_OP_DYNAMIC.
We should not use it to access cc_op_live[].
I'll try to find a fix, but I think Richard knows this better than me.
Thanks,
Laurent
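As an added illustration (not QEMU's code, and not the fix that was later merged), the liveness lookup discussed above modelled in C: the CCOp enumerators, the CCF_* bits and the cc_op_live[] contents are constructed stand-ins, chosen so the table has 11 entries like the 'const uint8_t [11]' in the sanitizer report. It shows why a first call with old_op == CC_OP_DYNAMIC (-1) reads before the table, and one guarded form of the lookup.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the m68k CCOp enum: the sentinel CC_OP_DYNAMIC
 * is -1, which is exactly why it must never be used as an array index. */
typedef enum {
    CC_OP_DYNAMIC = -1,     /* flags already in CC_* temps, op unknown */
    CC_OP_FLAGS,            /* index 0 */
    CC_OP_ADDB, CC_OP_ADDW, CC_OP_ADDL,
    CC_OP_SUBB, CC_OP_SUBW, CC_OP_SUBL,
    CC_OP_CMPB, CC_OP_CMPW, CC_OP_CMPL,
    CC_OP_LOGIC,
    CC_OP_NB                /* 11, as in 'const uint8_t [11]' */
} CCOp;

enum { CCF_C = 1, CCF_V = 2, CCF_Z = 4, CCF_N = 8, CCF_X = 16 };

/* Liveness table (constructed values): which CC_* temps each op keeps. */
static const uint8_t cc_op_live[CC_OP_NB] = {
    [CC_OP_FLAGS] = CCF_C | CCF_V | CCF_Z | CCF_N | CCF_X,
    [CC_OP_ADDB] = CCF_X | CCF_N | CCF_V, [CC_OP_ADDW] = CCF_X | CCF_N | CCF_V,
    [CC_OP_ADDL] = CCF_X | CCF_N | CCF_V,
    [CC_OP_SUBB] = CCF_X | CCF_N | CCF_V, [CC_OP_SUBW] = CCF_X | CCF_N | CCF_V,
    [CC_OP_SUBL] = CCF_X | CCF_N | CCF_V,
    [CC_OP_CMPB] = CCF_X | CCF_N | CCF_V, [CC_OP_CMPW] = CCF_X | CCF_N | CCF_V,
    [CC_OP_CMPL] = CCF_X | CCF_N | CCF_V,
    [CC_OP_LOGIC] = CCF_X | CCF_N,
};

/* The reported pattern: old_op comes straight from s->cc_op, which is still
 * CC_OP_DYNAMIC (-1) on the first call, so this reads cc_op_live[-1].
 * Never call it with the sentinel; it is here only to show the shape. */
uint8_t dead_temps_unchecked(CCOp old_op, CCOp op)
{
    return cc_op_live[old_op] & ~cc_op_live[op];
}

/* Guarded form: without static knowledge of the old op nothing can be
 * proven dead, so return 0 instead of indexing with the sentinel. */
uint8_t dead_temps(CCOp old_op, CCOp op)
{
    if (old_op == CC_OP_DYNAMIC || op == CC_OP_DYNAMIC) {
        return 0;
    }
    return cc_op_live[old_op] & ~cc_op_live[op];
}

/* Range check for such lookups; a natural candidate for an assert(). */
bool cc_op_indexable(int op)
{
    return op >= 0 && op < CC_OP_NB;
}
```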