* [Qemu-devel] [BUG] qemu crash when using "lsilogic"
From: Wanlong Gao @ 2012-11-19 9:43 UTC
To: qemu-devel; +Cc: Hu Tao, avi, Wanlong Gao

Hi all and Avi,

I met the upstream qemu crash when using "lsilogic", my first sight is that I can't access the VNC view, it gave me a black screen, here is my command line,

/work/git/qemu/x86_64-softmmu/qemu-system-x86_64 -name f17 -m 3096 -M pc-0.15 -enable-kvm -smp 4,sockets=4,cores=1,threads=1 -drive file=/vm/f17.img,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -vnc 127.0.0.1:7 -device lsi,id=scsi0,bus=pci.0,addr=0x8 -drive file=/vm/scsi-disks/scsi1.img,if=none,id=drive-scsi0-0-0,format=raw -device scsi-hd,bus=scsi0.0,scsi-id=0,drive=drive-scsi0-0-0,id=scsi0-0-0

After that, I ran a bisect, and here is my bisect log:

$ git bisect log
git bisect start
# bad: [e24dc9feb0d68142d54dc3c097f57588836d1338] tci: Support deposit operations
git bisect bad e24dc9feb0d68142d54dc3c097f57588836d1338
# good: [8db972cfa469b4e4afd9c65e54e796b83b5ce3a2] Update version for 1.2.0
git bisect good 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
# good: [7762c2c1e02e44fdc473cbe75105faba08b906cc] memory: rename 'exec-obsolete.h'
git bisect good 7762c2c1e02e44fdc473cbe75105faba08b906cc
# bad: [f3cdbc329fa7621ece7e673f23c3101e6b0c952b] hw/vexpress.c: Don't prematurely explode QEMUMachineInitArgs
git bisect bad f3cdbc329fa7621ece7e673f23c3101e6b0c952b
# bad: [3cbc002c34aa85ea952ee9b169a3ff97d350516a] block: prepare code for adding block notifiers
git bisect bad 3cbc002c34aa85ea952ee9b169a3ff97d350516a
# good: [f354b1a1ee7a1c72d51b42808724a2b10eec315f] fix CONFIG_QEMU_HELPERDIR generation again
git bisect good f354b1a1ee7a1c72d51b42808724a2b10eec315f
# good: [aa723c23147e93fef8475bd80fd29e633378c34d] cpus: create qemu_in_vcpu_thread()
git bisect good aa723c23147e93fef8475bd80fd29e633378c34d
# bad: [90734e02bd2fb137346d4184cec6c5d26e68f29b] serial: add pci-serial documentation
git bisect bad 90734e02bd2fb137346d4184cec6c5d26e68f29b
# bad: [1d71148eace669827ba15101819b54b20fcca616] memory: move tcg flush into a tcg memory listener
git bisect bad 1d71148eace669827ba15101819b54b20fcca616
# bad: [975aefe011197453284a4ab777000183e6096d5b] memory: provide defaults for MemoryListener operations
git bisect bad 975aefe011197453284a4ab777000183e6096d5b
# bad: [12b40e471f33e552fa3d962887b416cf67831446] xen_pt: use separate MemoryListeners for memory and I/O
git bisect bad 12b40e471f33e552fa3d962887b416cf67831446
# bad: [d22b096ef6e0b20810193b68a1d472f3fb8a4f9e] kvm: use separate MemoryListeners for memory and I/O
git bisect bad d22b096ef6e0b20810193b68a1d472f3fb8a4f9e
# good: [0fada67420e29f389119ca6f44285203400e0730] vhost: use MemoryListener filtering to only monitor RAM address space
git bisect good 0fada67420e29f389119ca6f44285203400e0730

After the last bisect step, it showed below,

$ git bisect good
d22b096ef6e0b20810193b68a1d472f3fb8a4f9e is the first bad commit
commit d22b096ef6e0b20810193b68a1d472f3fb8a4f9e
Author: Avi Kivity <avi@redhat.com>
Date:   Sun Sep 30 22:21:11 2012 +0200

    kvm: use separate MemoryListeners for memory and I/O

    The construct

        if (address_space == get_system_memory()) {
            // memory thing
        } else {
            // io thing
        }

    fails if we have more than two address spaces.  Use a separate listener
    for memory and I/O, and utilize MemoryListener's address space filtering to
    fix this.

    Signed-off-by: Avi Kivity <avi@redhat.com>

:100644 100644 92a71374ed1e040cef5ad70a6cb00adabf671dd4 c69e01200461c7a87440f7a915bd171a9fc8f318 M	kvm-all.c

Ooooops, I didn't find any error in above patch, can you guys help to investigate this bug?

Thanks,
Wanlong Gao
* Re: [Qemu-devel] [BUG] qemu crash when using "lsilogic"
From: Wanlong Gao @ 2012-11-20 9:01 UTC
To: qemu-devel; +Cc: Hu Tao, avi, gaowanlong, Paolo Bonzini

On 11/19/2012 05:43 PM, Wanlong Gao wrote:
> Hi all and Avi,
>
> I met the upstream qemu crash when using "lsilogic", my first sight is that I
> can't access the VNC view, it gave me a black screen, here is my command line,
>
> /work/git/qemu/x86_64-softmmu/qemu-system-x86_64 -name f17 -m 3096 -M pc-0.15 -enable-kvm -smp 4,sockets=4,cores=1,threads=1 -drive file=/vm/f17.img,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -vnc 127.0.0.1:7 -device lsi,id=scsi0,bus=pci.0,addr=0x8 -drive file=/vm/scsi-disks/scsi1.img,if=none,id=drive-scsi0-0-0,format=raw -device scsi-hd,bus=scsi0.0,scsi-id=0,drive=drive-scsi0-0-0,id=scsi0-0-0
>
> After that, I ran a bisect, and here is my bisect log:
>
> $ git bisect log
> git bisect start
> # bad: [e24dc9feb0d68142d54dc3c097f57588836d1338] tci: Support deposit operations
> git bisect bad e24dc9feb0d68142d54dc3c097f57588836d1338
> # good: [8db972cfa469b4e4afd9c65e54e796b83b5ce3a2] Update version for 1.2.0
> git bisect good 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
> # good: [7762c2c1e02e44fdc473cbe75105faba08b906cc] memory: rename 'exec-obsolete.h'
> git bisect good 7762c2c1e02e44fdc473cbe75105faba08b906cc
> # bad: [f3cdbc329fa7621ece7e673f23c3101e6b0c952b] hw/vexpress.c: Don't prematurely explode QEMUMachineInitArgs
> git bisect bad f3cdbc329fa7621ece7e673f23c3101e6b0c952b
> # bad: [3cbc002c34aa85ea952ee9b169a3ff97d350516a] block: prepare code for adding block notifiers
> git bisect bad 3cbc002c34aa85ea952ee9b169a3ff97d350516a
> # good: [f354b1a1ee7a1c72d51b42808724a2b10eec315f] fix CONFIG_QEMU_HELPERDIR generation again
> git bisect good f354b1a1ee7a1c72d51b42808724a2b10eec315f
> # good: [aa723c23147e93fef8475bd80fd29e633378c34d] cpus: create qemu_in_vcpu_thread()
> git bisect good aa723c23147e93fef8475bd80fd29e633378c34d
> # bad: [90734e02bd2fb137346d4184cec6c5d26e68f29b] serial: add pci-serial documentation
> git bisect bad 90734e02bd2fb137346d4184cec6c5d26e68f29b
> # bad: [1d71148eace669827ba15101819b54b20fcca616] memory: move tcg flush into a tcg memory listener
> git bisect bad 1d71148eace669827ba15101819b54b20fcca616
> # bad: [975aefe011197453284a4ab777000183e6096d5b] memory: provide defaults for MemoryListener operations
> git bisect bad 975aefe011197453284a4ab777000183e6096d5b
> # bad: [12b40e471f33e552fa3d962887b416cf67831446] xen_pt: use separate MemoryListeners for memory and I/O
> git bisect bad 12b40e471f33e552fa3d962887b416cf67831446
> # bad: [d22b096ef6e0b20810193b68a1d472f3fb8a4f9e] kvm: use separate MemoryListeners for memory and I/O
> git bisect bad d22b096ef6e0b20810193b68a1d472f3fb8a4f9e
> # good: [0fada67420e29f389119ca6f44285203400e0730] vhost: use MemoryListener filtering to only monitor RAM address space
> git bisect good 0fada67420e29f389119ca6f44285203400e0730
>
>
> After the last bisect step, it showed below,
>
> $ git bisect good
> d22b096ef6e0b20810193b68a1d472f3fb8a4f9e is the first bad commit
> commit d22b096ef6e0b20810193b68a1d472f3fb8a4f9e
> Author: Avi Kivity <avi@redhat.com>
> Date:   Sun Sep 30 22:21:11 2012 +0200
>
>     kvm: use separate MemoryListeners for memory and I/O
>
>     The construct
>
>         if (address_space == get_system_memory()) {
>             // memory thing
>         } else {
>             // io thing
>         }
>
>     fails if we have more than two address spaces.  Use a separate listener
>     for memory and I/O, and utilize MemoryListener's address space filtering to
>     fix this.
>
>     Signed-off-by: Avi Kivity <avi@redhat.com>
>
> :100644 100644 92a71374ed1e040cef5ad70a6cb00adabf671dd4 c69e01200461c7a87440f7a915bd171a9fc8f318 M	kvm-all.c
>
>
> Ooooops, I didn't find any error in above patch, can you guys help to investigate this bug?

I confirmed again and found that "lsi" can't work on the upstream qemu.
Any thoughts?

Thanks,
Wanlong Gao

>
>
> Thanks,
> Wanlong Gao
>
* Re: [Qemu-devel] [BUG] qemu crash when using "lsilogic"
From: Avi Kivity @ 2012-11-20 10:45 UTC
To: gaowanlong; +Cc: Hu Tao, seabios@seabios.org, qemu-devel, Paolo Bonzini

On 11/20/2012 11:01 AM, Wanlong Gao wrote:
>> $ git bisect good
>> d22b096ef6e0b20810193b68a1d472f3fb8a4f9e is the first bad commit
>> commit d22b096ef6e0b20810193b68a1d472f3fb8a4f9e
>> Author: Avi Kivity <avi@redhat.com>
>> Date:   Sun Sep 30 22:21:11 2012 +0200
>>
>>     kvm: use separate MemoryListeners for memory and I/O
>>
>>     The construct
>>
>>         if (address_space == get_system_memory()) {
>>             // memory thing
>>         } else {
>>             // io thing
>>         }
>>
>>     fails if we have more than two address spaces.  Use a separate listener
>>     for memory and I/O, and utilize MemoryListener's address space filtering to
>>     fix this.
>>
>>     Signed-off-by: Avi Kivity <avi@redhat.com>
>>
>> :100644 100644 92a71374ed1e040cef5ad70a6cb00adabf671dd4 c69e01200461c7a87440f7a915bd171a9fc8f318 M	kvm-all.c
>>
>>
>> Ooooops, I didn't find any error in above patch, can you guys help to investigate this bug?
>
> I confirmed again and found that "lsi" can't work on the upstream qemu.
> Any thoughts?
>

It appears to be a bug in Seabios:

(gdb) thread 3
[Switching to thread 3 (Thread 0x7fffebfff700 (LWP 19032))]
#0  0x000055555586df2c in access_with_adjusted_size (addr=29563620, value=0x7fffebffe5f0, size=4, access_size_min=0, access_size_max=0, access=0x55555586ddbb <memory_region_read_accessor>, opaque=0x55555655dd00) at /home/tlv/akivity/qemu/memory.c:349
349     {
(gdb) bt
#0  0x000055555586df2c in access_with_adjusted_size (addr=29563620, value=0x7fffebffe5f0, size=4, access_size_min=0, access_size_max=0, access=0x55555586ddbb <memory_region_read_accessor>, opaque=0x55555655dd00) at /home/tlv/akivity/qemu/memory.c:349
#1  0x0000555555870a4e in memory_region_dispatch_read1 (mr=0x55555655dd00, addr=29563620, size=4) at /home/tlv/akivity/qemu/memory.c:862
#2  0x0000555555870b3e in memory_region_dispatch_read (mr=0x55555655dd00, addr=29563620, size=4) at /home/tlv/akivity/qemu/memory.c:894
#3  0x0000555555873c2d in io_mem_read (mr=0x55555655dd00, addr=29563620, size=4) at /home/tlv/akivity/qemu/memory.c:1575
#4  0x00005555558054ed in address_space_rw (as=0x555556629d78, addr=29563620, buf=0x7fffebffe874 "", len=4, is_write=false) at /home/tlv/akivity/qemu/exec.c:3428
#5  0x00005555556bf4c3 in dma_memory_rw_relaxed (dma=0x555556603cf0, addr=29563620, buf=0x7fffebffe874, len=4, dir=DMA_DIRECTION_TO_DEVICE) at /home/tlv/akivity/qemu/dma.h:130
#6  0x00005555556bf558 in dma_memory_rw (dma=0x555556603cf0, addr=29563620, buf=0x7fffebffe874, len=4, dir=DMA_DIRECTION_TO_DEVICE) at /home/tlv/akivity/qemu/dma.h:156
#7  0x00005555556bf5fb in pci_dma_rw (dev=0x555556629b60, addr=29563620, buf=0x7fffebffe874, len=4, dir=DMA_DIRECTION_TO_DEVICE) at /home/tlv/akivity/qemu/hw/pci.h:607
#8  0x00005555556bf65b in pci_dma_read (dev=0x555556629b60, addr=29563620, buf=0x7fffebffe874, len=4) at /home/tlv/akivity/qemu/hw/pci.h:614
#9  0x00005555556bfc08 in read_dword (s=0x555556629b60, addr=29563620) at /home/tlv/akivity/qemu/hw/lsi53c895a.c:385
#10 0x00005555556c1937 in lsi_execute_script (s=0x555556629b60) at /home/tlv/akivity/qemu/hw/lsi53c895a.c:1040
#11 0x00005555556c3c82 in lsi_reg_writeb (s=0x555556629b60, offset=47, val=0 '\000') at /home/tlv/akivity/qemu/hw/lsi53c895a.c:1781
#12 0x00005555556c513c in lsi_io_write (opaque=0x555556629b60, addr=47, val=0, size=1) at /home/tlv/akivity/qemu/hw/lsi53c895a.c:1953
#13 0x000055555586def2 in memory_region_write_accessor (opaque=0x55555662a340, addr=47, value=0x7fffebffeab0, size=1, shift=0, mask=255) at /home/tlv/akivity/qemu/memory.c:334
#14 0x000055555586dfd4 in access_with_adjusted_size (addr=47, value=0x7fffebffeab0, size=1, access_size_min=1, access_size_max=1, access=0x55555586de6d <memory_region_write_accessor>, opaque=0x55555662a340) at /home/tlv/akivity/qemu/memory.c:364
#15 0x000055555586e43c in memory_region_iorange_write (iorange=0x7fffe4000ed0, offset=47, width=1, data=0) at /home/tlv/akivity/qemu/memory.c:439
#16 0x0000555555866acc in ioport_writeb_thunk (opaque=0x7fffe4000ed0, addr=49199, data=0) at /home/tlv/akivity/qemu/ioport.c:212
#17 0x00005555558664a6 in ioport_write (index=0, address=49199, data=0) at /home/tlv/akivity/qemu/ioport.c:83
#18 0x0000555555867046 in cpu_outb (addr=49199, val=0 '\000') at /home/tlv/akivity/qemu/ioport.c:289
#19 0x000055555586a958 in kvm_handle_io (port=49199, data=0x7ffff7ff3000, direction=1, size=1, count=1) at /home/tlv/akivity/qemu/kvm-all.c:1423
#20 0x000055555586af5e in kvm_cpu_exec (env=0x55555659b0b0) at /home/tlv/akivity/qemu/kvm-all.c:1571
#21 0x00005555557f74e4 in qemu_kvm_cpu_thread_fn (arg=0x55555659b0b0) at /home/tlv/akivity/qemu/cpus.c:757
#22 0x00007ffff6727d14 in start_thread () from /lib64/libpthread.so.0
#23 0x00007ffff533667d in clone () from /lib64/libc.so.6
(gdb) fr 4
#4  0x00005555558054ed in address_space_rw (as=0x555556629d78, addr=29563620, buf=0x7fffebffe874 "", len=4, is_write=false) at /home/tlv/akivity/qemu/exec.c:3428
3428                    val = io_mem_read(section->mr, addr1, 4);
(gdb) p as.root.name
$1 = 0x55555662cc80 "bus master"
(gdb) p as.root.enabled
$2 = false

We're executing a scsi script without enabling the lsi bus master bit.

There is also a bug in the lsi code:

1038	again:
1039	    insn_processed++;
1040	    insn = read_dword(s, s->dsp);
1041	    if (!insn) {
1042	        /* If we receive an empty opcode increment the DSP by 4 bytes
1043	           instead of 8 and execute the next opcode at that location */
1044	        s->dsp += 4;
1045	        goto again;

Which causes the script interpreter to go into an infinite loop.  This should be moved to a bottom half or thread.

-- 
error compiling committee.c: too many arguments to function
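Added example (not QEMU's code) that models the two defects Avi points at above: a SCRIPTS DMA read attempted while the PCI bus-master bit is clear, and the unbounded `goto again` on empty (zero) opcodes. The names LsiModel, LSI_MAX_INSN and lsi_execute_script_bounded are hypothetical, the budget value is an assumption, and guest memory is a constructed array; unmapped addresses read as zero, which is what keeps the unbounded loop spinning.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define LSI_MAX_INSN 10000u   /* hypothetical per-call instruction budget */

typedef enum {
    LSI_EXEC_DONE,          /* a non-empty opcode was reached */
    LSI_EXEC_DMA_REFUSED,   /* PCI bus mastering is off: no DMA allowed */
    LSI_EXEC_BUDGET         /* budget exhausted: yield instead of spinning */
} LsiExecStatus;

typedef struct {
    uint32_t dsp;                 /* DMA SCRIPTS pointer (guest address) */
    bool bus_master_enabled;      /* PCI command register bus-master bit */
    const uint32_t *mem;          /* constructed guest RAM, dword addressed */
    size_t mem_words;
} LsiModel;

/* Stand-in for pci_dma_read(): unmapped guest addresses read as zero, which
 * is exactly why an all-empty-opcode script never terminates when unbounded. */
static bool read_dword(const LsiModel *s, uint32_t addr, uint32_t *out)
{
    if (!s->bus_master_enabled) {
        return false;             /* the missing check from the trace above */
    }
    size_t idx = addr / 4;
    *out = (addr % 4 == 0 && idx < s->mem_words) ? s->mem[idx] : 0;
    return true;
}

/* Bounded version of the "again:" loop quoted in the message. */
LsiExecStatus lsi_execute_script_bounded(LsiModel *s)
{
    unsigned insn_processed = 0;
    for (;;) {
        uint32_t insn;
        if (++insn_processed > LSI_MAX_INSN) {
            return LSI_EXEC_BUDGET;
        }
        if (!read_dword(s, s->dsp, &insn)) {
            return LSI_EXEC_DMA_REFUSED;
        }
        if (!insn) {              /* empty opcode: skip 4 bytes, as in the quoted code */
            s->dsp += 4;
            continue;
        }
        s->dsp += 8;              /* a real SCRIPTS instruction is two dwords */
        return LSI_EXEC_DONE;
    }
}
```

With the budget in place a guest that points DSP at zero-filled memory costs at most LSI_MAX_INSN reads per register write before control returns to the caller, and a DMA attempt with bus mastering disabled is refused before any memory is touched.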