[Qemu-devel] Not predictable "qemu: uncaught target signal 11"

[Andrea Pellegrini <andrea.pellegrini@gmail.com>]

Hi all,
I am instrumenting qemu to extract memory traces. Thanks to Vince 
Weaver  I was able to modify the helper and produce traces for all 
memory accesses. However, often I receive the message "qemu: uncaught 
target signal 11 (Segmentation fault) - exiting". As you can see, only 
in the last run of the program I was able to complete the run of a 
simple "hello world" example. The exception is raised at the beginning 
of the execution and does not seem to raise in a particular point in the 
execution of the benchmark. The benchmark was compile with gcc-3.4 in my 
host amd64 Debian machine.
Funny thing, using my instrumentation of qemu I am able to start the 
installation of Windows XP in it with no problem.

apellegr@vinaccia:~/projects/qemu-0.9.1/x86_64-linux-user$ time 
./qemu-x86_64 ../tests/hello_andrea.amd64 > /tmp/traces
qemu: uncaught target signal 11 (Segmentation fault) - exiting

real    0m0.083s
user    0m0.072s
sys    0m0.008s
apellegr@vinaccia:~/projects/qemu-0.9.1/x86_64-linux-user$ time 
./qemu-x86_64 ../tests/hello_andrea.amd64 > /tmp/traces
qemu: uncaught target signal 11 (Segmentation fault) - exiting

real    0m0.010s
user    0m0.004s
sys    0m0.004s
apellegr@vinaccia:~/projects/qemu-0.9.1/x86_64-linux-user$ time 
./qemu-x86_64 ../tests/hello_andrea.amd64 > /tmp/traces
qemu: uncaught target signal 11 (Segmentation fault) - exiting

real    0m0.069s
user    0m0.060s
sys    0m0.008s

apellegr@vinaccia:~/projects/qemu-0.9.1/x86_64-linux-user$ time 
./qemu-x86_64 ../tests/hello_andrea.amd64 > /tmp/traces
qemu: uncaught target signal 11 (Segmentation fault) - exiting

real    0m0.094s
user    0m0.076s
sys    0m0.016s
apellegr@vinaccia:~/projects/qemu-0.9.1/x86_64-linux-user$ time 
./qemu-x86_64 ../tests/hello_andrea.amd64 > /tmp/traces
Segmentation fault

real    0m0.092s
user    0m0.060s
sys    0m0.012s
apellegr@vinaccia:~/projects/qemu-0.9.1/x86_64-linux-user$ time 
./qemu-x86_64 ../tests/hello_andrea.amd64 > /tmp/traces

real    0m0.073s
user    0m0.068s
sys    0m0.004s


The Segmentation Fault is raised at line 884 (line number might be 
slightly different) in the exec.c file:

/* add the tb in the target page and protect it if necessary */
static inline void tb_alloc_page(TranslationBlock *tb,
                                 unsigned int n, target_ulong page_addr)
{
    PageDesc *p;
    TranslationBlock *last_first_tb;

    tb->page_addr[n] = page_addr;
    p = page_find_alloc(page_addr >> TARGET_PAGE_BITS);
    tb->page_next[n] = p->first_tb;                   // 
<-------------------------------------------------- THIS LINE
    last_first_tb = p->first_tb;
    p->first_tb = (TranslationBlock *)((long)tb | n);
    invalidate_page_bitmap(p);

...
}

I did change the function gen_intermediate_code_internal in translate.c 
to allow only one instruction in each translated basic block, to do so I 
added at the end of the for(;;) loop:

        // Andrea, break every instruction
        gen_jmp_im(pc_ptr - dc->cs_base);
        gen_eob(dc);
        break;
        // Andrea, end tb

Anybody can help tracking down the causes of this SegFault?
Thanks!
~Andrea