[Qemu-devel] int128_get64: Assertion `!a.hi' failed

[Qemu-devel] int128_get64: Assertion `!a.hi' failed

[Max Filippov]

Hi,

I'm getting said assertion failure debugging linux userspace
application through the qemu gdbstub. The backtrace looks like this:

qemu-system-xtensa: include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff7fe8880 (LWP 15378)]
0x00007ffff639e285 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff639e285 in raise () from /lib64/libc.so.6
#1  0x00007ffff639fb9b in abort () from /lib64/libc.so.6
#2  0x00007ffff6396e9e in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff6396f42 in __assert_fail () from /lib64/libc.so.6
#4  0x00005555556eea6a in int128_get64 (a=...) at include/qemu/int128.h:22
#5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
resolve_subpage=true) at exec.c:264
#6  0x00005555556efc03 in address_space_translate (as=0x555555e8d100, addr=18446744069448138751, xlat=0x7fffffffa538, plen=0x7fffffffa540,
is_write=false) at exec.c:278
#7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
#8  0x00005555556f00f2 in breakpoint_invalidate (cpu=0x555555f1df80, pc=537189728) at exec.c:413
#9  0x00005555556f0725 in cpu_breakpoint_remove_by_ref (env=0x555555f1e0b8, breakpoint=0x555555f4bc20) at exec.c:557
#10 0x00005555556f0649 in cpu_breakpoint_remove (env=0x555555f1e0b8, pc=537189728, flags=16) at exec.c:541
#11 0x000055555570c13b in gdb_breakpoint_remove (addr=537189728, len=2, type=0) at gdbstub.c:691
#12 0x000055555570d031 in gdb_handle_packet (s=0x555555f38100, line_buf=0x555555f3811c "z0,2004dd60,2") at gdbstub.c:991
#13 0x000055555570e45c in gdb_read_byte (s=0x555555f38100, ch=56) at gdbstub.c:1405
#14 0x000055555570e5b0 in gdb_chr_receive (opaque=0x0, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", size=17) at
gdbstub.c:1623
#15 0x000055555567d463 in qemu_chr_be_write (s=0x555555f0c640, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", len=17)
at qemu-char.c:165
#16 0x000055555568185b in tcp_chr_read (chan=0x555555f0c050, cond=G_IO_IN, opaque=0x555555f0c640) at qemu-char.c:2505
#17 0x00007ffff76f1f3d in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#18 0x000055555564a301 in glib_pollfds_poll () at main-loop.c:189
#19 0x000055555564a3f5 in os_host_main_loop_wait (timeout=-1) at main-loop.c:234
#20 0x000055555564a4c8 in main_loop_wait (nonblocking=0) at main-loop.c:483
#21 0x00005555556d9c04 in main_loop () at vl.c:2016
#22 0x00005555556e0e6b in main (argc=20, argv=0x7fffffffdd88, envp=0x7fffffffde30) at vl.c:4361


breakpoint_invalidate couldn't map breakpoint's virtual address,
and get_phys_page_debug returned -1:

(gdb) f 7
#7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
1373        mr = address_space_translate(&address_space_memory, addr, &addr, &l, false);
(gdb) p/x addr
$2 = 0xffffffffffffffff


Later address_space_translate_internal found a section that didn't actually
contain the addr and made a diff with non-zero .hi:

(gdb) f 5
#5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
resolve_subpage=true) at exec.c:264
264         *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
(gdb) p/x diff
$4 = {
  lo = 0x100000001,
  hi = 0xffffffffffffffff
}
(gdb) p/x *section
$6 = {
  mr = 0x555555f04b00,
  address_space = 0x555555e8d100,
  offset_within_region = 0x0,
  size = {
    lo = 0x2000000,
    hi = 0x0
  },
  offset_within_address_space = 0xfe000000,
  readonly = 0x0
}


I'm not sure what's the proper fix, returning -1 for the failed get_phys_page_debug
is common for 32-bit targets. The easiest seems to be checking the result of
cpu_get_phys_page debug in the breakpoint_invalidate:

--- >8 ---
commit cb3f9f90688be062b8a1f12b116f3d48c7ded232
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Fri Sep 27 22:19:16 2013 +0400

    exec: fix breakpoint_invalidate when pc may not be translated

    This fixes qemu abort with the following message:

        include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.

    which happens due to attempt to invalidate breakpoint by virtual address
    for which get_phys_page_debug couldn't find mapping.

    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>

diff --git a/exec.c b/exec.c
index 26681ce..a7e284a 100644
--- a/exec.c
+++ b/exec.c
@@ -410,8 +410,10 @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
 #else
 static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
 {
-    tb_invalidate_phys_addr(cpu_get_phys_page_debug(cpu, pc) |
-            (pc & ~TARGET_PAGE_MASK));
+    hwaddr phys = cpu_get_phys_page_debug(cpu, pc);
+    if (phys != -1) {
+        tb_invalidate_phys_addr(phys | (pc & ~TARGET_PAGE_MASK));
+    }
 }
 #endif
 #endif /* TARGET_HAS_ICE */


-- 
Thanks.
-- Max

Re: [Qemu-devel] int128_get64: Assertion `!a.hi' failed

[Paolo Bonzini]

Il 27/09/2013 20:29, Max Filippov ha scritto:
> Hi,
> 
> I'm getting said assertion failure debugging linux userspace
> application through the qemu gdbstub. The backtrace looks like this:
> 
> qemu-system-xtensa: include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.
> 
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 0x7ffff7fe8880 (LWP 15378)]
> 0x00007ffff639e285 in raise () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00007ffff639e285 in raise () from /lib64/libc.so.6
> #1  0x00007ffff639fb9b in abort () from /lib64/libc.so.6
> #2  0x00007ffff6396e9e in __assert_fail_base () from /lib64/libc.so.6
> #3  0x00007ffff6396f42 in __assert_fail () from /lib64/libc.so.6
> #4  0x00005555556eea6a in int128_get64 (a=...) at include/qemu/int128.h:22
> #5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
> resolve_subpage=true) at exec.c:264
> #6  0x00005555556efc03 in address_space_translate (as=0x555555e8d100, addr=18446744069448138751, xlat=0x7fffffffa538, plen=0x7fffffffa540,
> is_write=false) at exec.c:278
> #7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
> #8  0x00005555556f00f2 in breakpoint_invalidate (cpu=0x555555f1df80, pc=537189728) at exec.c:413
> #9  0x00005555556f0725 in cpu_breakpoint_remove_by_ref (env=0x555555f1e0b8, breakpoint=0x555555f4bc20) at exec.c:557
> #10 0x00005555556f0649 in cpu_breakpoint_remove (env=0x555555f1e0b8, pc=537189728, flags=16) at exec.c:541
> #11 0x000055555570c13b in gdb_breakpoint_remove (addr=537189728, len=2, type=0) at gdbstub.c:691
> #12 0x000055555570d031 in gdb_handle_packet (s=0x555555f38100, line_buf=0x555555f3811c "z0,2004dd60,2") at gdbstub.c:991
> #13 0x000055555570e45c in gdb_read_byte (s=0x555555f38100, ch=56) at gdbstub.c:1405
> #14 0x000055555570e5b0 in gdb_chr_receive (opaque=0x0, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", size=17) at
> gdbstub.c:1623
> #15 0x000055555567d463 in qemu_chr_be_write (s=0x555555f0c640, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", len=17)
> at qemu-char.c:165
> #16 0x000055555568185b in tcp_chr_read (chan=0x555555f0c050, cond=G_IO_IN, opaque=0x555555f0c640) at qemu-char.c:2505
> #17 0x00007ffff76f1f3d in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
> #18 0x000055555564a301 in glib_pollfds_poll () at main-loop.c:189
> #19 0x000055555564a3f5 in os_host_main_loop_wait (timeout=-1) at main-loop.c:234
> #20 0x000055555564a4c8 in main_loop_wait (nonblocking=0) at main-loop.c:483
> #21 0x00005555556d9c04 in main_loop () at vl.c:2016
> #22 0x00005555556e0e6b in main (argc=20, argv=0x7fffffffdd88, envp=0x7fffffffde30) at vl.c:4361
> 
> 
> breakpoint_invalidate couldn't map breakpoint's virtual address,
> and get_phys_page_debug returned -1:
> 
> (gdb) f 7
> #7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
> 1373        mr = address_space_translate(&address_space_memory, addr, &addr, &l, false);
> (gdb) p/x addr
> $2 = 0xffffffffffffffff
> 
> 
> Later address_space_translate_internal found a section that didn't actually
> contain the addr and made a diff with non-zero .hi:
> 
> (gdb) f 5
> #5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
> resolve_subpage=true) at exec.c:264
> 264         *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
> (gdb) p/x diff
> $4 = {
>   lo = 0x100000001,
>   hi = 0xffffffffffffffff
> }
> (gdb) p/x *section
> $6 = {
>   mr = 0x555555f04b00,
>   address_space = 0x555555e8d100,
>   offset_within_region = 0x0,
>   size = {
>     lo = 0x2000000,
>     hi = 0x0
>   },
>   offset_within_address_space = 0xfe000000,
>   readonly = 0x0
> }
> 
> 
> I'm not sure what's the proper fix, returning -1 for the failed get_phys_page_debug
> is common for 32-bit targets. The easiest seems to be checking the result of
> cpu_get_phys_page debug in the breakpoint_invalidate:
> 
> --- >8 ---
> commit cb3f9f90688be062b8a1f12b116f3d48c7ded232
> Author: Max Filippov <jcmvbkbc@gmail.com>
> Date:   Fri Sep 27 22:19:16 2013 +0400
> 
>     exec: fix breakpoint_invalidate when pc may not be translated
> 
>     This fixes qemu abort with the following message:
> 
>         include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.
> 
>     which happens due to attempt to invalidate breakpoint by virtual address
>     for which get_phys_page_debug couldn't find mapping.
> 
>     Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
> 
> diff --git a/exec.c b/exec.c
> index 26681ce..a7e284a 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -410,8 +410,10 @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
>  #else
>  static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
>  {
> -    tb_invalidate_phys_addr(cpu_get_phys_page_debug(cpu, pc) |
> -            (pc & ~TARGET_PAGE_MASK));
> +    hwaddr phys = cpu_get_phys_page_debug(cpu, pc);
> +    if (phys != -1) {
> +        tb_invalidate_phys_addr(phys | (pc & ~TARGET_PAGE_MASK));
> +    }
>  }
>  #endif
>  #endif /* TARGET_HAS_ICE */
> 
> 

Yes, this makes sense.  I'll queue it for 1.6.2 and 1.7.

Paolo

Re: [Qemu-devel] int128_get64: Assertion `!a.hi' failed

[Max Filippov]

On Fri, Sep 27, 2013 at 11:36 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Il 27/09/2013 20:29, Max Filippov ha scritto:
>> Hi,
>>
>> I'm getting said assertion failure debugging linux userspace
>> application through the qemu gdbstub. The backtrace looks like this:
>>
>> qemu-system-xtensa: include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.
>>
>> Program received signal SIGABRT, Aborted.
>> [Switching to Thread 0x7ffff7fe8880 (LWP 15378)]
>> 0x00007ffff639e285 in raise () from /lib64/libc.so.6
>> (gdb) bt
>> #0  0x00007ffff639e285 in raise () from /lib64/libc.so.6
>> #1  0x00007ffff639fb9b in abort () from /lib64/libc.so.6
>> #2  0x00007ffff6396e9e in __assert_fail_base () from /lib64/libc.so.6
>> #3  0x00007ffff6396f42 in __assert_fail () from /lib64/libc.so.6
>> #4  0x00005555556eea6a in int128_get64 (a=...) at include/qemu/int128.h:22
>> #5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
>> resolve_subpage=true) at exec.c:264
>> #6  0x00005555556efc03 in address_space_translate (as=0x555555e8d100, addr=18446744069448138751, xlat=0x7fffffffa538, plen=0x7fffffffa540,
>> is_write=false) at exec.c:278
>> #7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
>> #8  0x00005555556f00f2 in breakpoint_invalidate (cpu=0x555555f1df80, pc=537189728) at exec.c:413
>> #9  0x00005555556f0725 in cpu_breakpoint_remove_by_ref (env=0x555555f1e0b8, breakpoint=0x555555f4bc20) at exec.c:557
>> #10 0x00005555556f0649 in cpu_breakpoint_remove (env=0x555555f1e0b8, pc=537189728, flags=16) at exec.c:541
>> #11 0x000055555570c13b in gdb_breakpoint_remove (addr=537189728, len=2, type=0) at gdbstub.c:691
>> #12 0x000055555570d031 in gdb_handle_packet (s=0x555555f38100, line_buf=0x555555f3811c "z0,2004dd60,2") at gdbstub.c:991
>> #13 0x000055555570e45c in gdb_read_byte (s=0x555555f38100, ch=56) at gdbstub.c:1405
>> #14 0x000055555570e5b0 in gdb_chr_receive (opaque=0x0, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", size=17) at
>> gdbstub.c:1623
>> #15 0x000055555567d463 in qemu_chr_be_write (s=0x555555f0c640, buf=0x7fffffffc810 "$z0,2004dd60,2#289process+;qRelocInsn+#2a+=\366\377\177", len=17)
>> at qemu-char.c:165
>> #16 0x000055555568185b in tcp_chr_read (chan=0x555555f0c050, cond=G_IO_IN, opaque=0x555555f0c640) at qemu-char.c:2505
>> #17 0x00007ffff76f1f3d in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
>> #18 0x000055555564a301 in glib_pollfds_poll () at main-loop.c:189
>> #19 0x000055555564a3f5 in os_host_main_loop_wait (timeout=-1) at main-loop.c:234
>> #20 0x000055555564a4c8 in main_loop_wait (nonblocking=0) at main-loop.c:483
>> #21 0x00005555556d9c04 in main_loop () at vl.c:2016
>> #22 0x00005555556e0e6b in main (argc=20, argv=0x7fffffffdd88, envp=0x7fffffffde30) at vl.c:4361
>>
>>
>> breakpoint_invalidate couldn't map breakpoint's virtual address,
>> and get_phys_page_debug returned -1:
>>
>> (gdb) f 7
>> #7  0x0000555555757dd3 in tb_invalidate_phys_addr (addr=18446744073709551615) at translate-all.c:1373
>> 1373        mr = address_space_translate(&address_space_memory, addr, &addr, &l, false);
>> (gdb) p/x addr
>> $2 = 0xffffffffffffffff
>>
>>
>> Later address_space_translate_internal found a section that didn't actually
>> contain the addr and made a diff with non-zero .hi:
>>
>> (gdb) f 5
>> #5  0x00005555556efb81 in address_space_translate_internal (d=0x7fffdc01c920, addr=18446744069448138751, xlat=0x7fffffffa4b0, plen=0x7fffffffa540,
>> resolve_subpage=true) at exec.c:264
>> 264         *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
>> (gdb) p/x diff
>> $4 = {
>>   lo = 0x100000001,
>>   hi = 0xffffffffffffffff
>> }
>> (gdb) p/x *section
>> $6 = {
>>   mr = 0x555555f04b00,
>>   address_space = 0x555555e8d100,
>>   offset_within_region = 0x0,
>>   size = {
>>     lo = 0x2000000,
>>     hi = 0x0
>>   },
>>   offset_within_address_space = 0xfe000000,
>>   readonly = 0x0
>> }
>>
>>
>> I'm not sure what's the proper fix, returning -1 for the failed get_phys_page_debug
>> is common for 32-bit targets. The easiest seems to be checking the result of
>> cpu_get_phys_page debug in the breakpoint_invalidate:
>>
>> --- >8 ---
>> commit cb3f9f90688be062b8a1f12b116f3d48c7ded232
>> Author: Max Filippov <jcmvbkbc@gmail.com>
>> Date:   Fri Sep 27 22:19:16 2013 +0400
>>
>>     exec: fix breakpoint_invalidate when pc may not be translated
>>
>>     This fixes qemu abort with the following message:
>>
>>         include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.
>>
>>     which happens due to attempt to invalidate breakpoint by virtual address
>>     for which get_phys_page_debug couldn't find mapping.
>>
>>     Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
>>
>> diff --git a/exec.c b/exec.c
>> index 26681ce..a7e284a 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -410,8 +410,10 @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
>>  #else
>>  static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
>>  {
>> -    tb_invalidate_phys_addr(cpu_get_phys_page_debug(cpu, pc) |
>> -            (pc & ~TARGET_PAGE_MASK));
>> +    hwaddr phys = cpu_get_phys_page_debug(cpu, pc);
>> +    if (phys != -1) {
>> +        tb_invalidate_phys_addr(phys | (pc & ~TARGET_PAGE_MASK));
>> +    }
>>  }
>>  #endif
>>  #endif /* TARGET_HAS_ICE */
>>
>>
>
> Yes, this makes sense.  I'll queue it for 1.6.2 and 1.7.

Ping? Paolo, do you need this patch resent without scissors?

-- 
Thanks.
-- Max