[Qemu-devel] TCG/GCC breakage

[Qemu-devel] TCG/GCC breakage

[Glauber Costa]

I'm seeing a strange behaviour here using qemu-system-x86_64
(kvm not even compiled in) on an i386 host

I'm suspecting gcc is doing something nasty in here, but I'll open it
up here to see if any
of you have any suggestion.

I get segfaults very early in execution, and after some investigation,
I figured out that
ebp register is corrupted. I can't determine where the corruption starts.

I then did rm x86-64-softmmu/op_helper.o; make CC=gcc34, so only this
file get compiled
by an older gcc, and it worked again.

So it seems to me gcc may be generating gibberish somewhere in
helpers, but since
this code is a bit fragile, it might well be some mistake on our part.

Ideas on how to attack it ?

-- 
Glauber  Costa.
"Free as in Freedom"
http://glommer.net

"The less confident you are, the more serious you have to act."

Re: [Qemu-devel] TCG/GCC breakage

[Aurelien Jarno]

On Wed, Mar 11, 2009 at 12:40:20AM -0300, Glauber Costa wrote:
> I'm seeing a strange behaviour here using qemu-system-x86_64
> (kvm not even compiled in) on an i386 host
> 
> I'm suspecting gcc is doing something nasty in here, but I'll open it
> up here to see if any
> of you have any suggestion.
> 
> I get segfaults very early in execution, and after some investigation,
> I figured out that
> ebp register is corrupted. I can't determine where the corruption starts.

Does QEMU segfault, or processes in the guest? How to reproduce that?
Which QEMU version are you using? I am able to run a Debian Etch x86_64 
guest without problem here.

> I then did rm x86-64-softmmu/op_helper.o; make CC=gcc34, so only this
> file get compiled
> by an older gcc, and it worked again.

Which versions of gcc did you tried? I am using gcc 4.3 here.

> So it seems to me gcc may be generating gibberish somewhere in
> helpers, but since
> this code is a bit fragile, it might well be some mistake on our part.
> 
> Ideas on how to attack it ?
> 

You may want to use the -d option to find the offending helper function.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

Re: [Qemu-devel] TCG/GCC breakage

[Paul Bolle]

On Wed, 2009-03-11 at 00:40 -0300, Glauber Costa wrote:
> I'm seeing a strange behaviour here using qemu-system-x86_64
> (kvm not even compiled in) on an i386 host

For what it's worth, the same seems to happen here with an i386 guest on
an i386 host.

> I get segfaults very early in execution, and after some investigation,
> I figured out that ebp register is corrupted. I can't determine where
> the corruption starts.
> 
> I then did rm x86-64-softmmu/op_helper.o; make CC=gcc34, so only this
> file get compiled by an older gcc, and it worked again.

If I compile (i386-softmmu/qemu and thus) i386-softmmu/op_helper.o with
Fedora rawhide's current gcc (i.e. 4.4.0 20090307 (Red Hat 4.4.0-0.23))
qemu segfaults very early too. If I recompile just that file with gcc34
(i.e, 3.4.6 20060404 (Red Hat 3.4.6-13)) qemu does not segfault very
early anymore.


Paul Bolle

Re: [Qemu-devel] TCG/GCC breakage

[Aurelien Jarno]

On Wed, Mar 11, 2009 at 12:40:20AM -0300, Glauber Costa wrote:
> I'm seeing a strange behaviour here using qemu-system-x86_64
> (kvm not even compiled in) on an i386 host
> 
> I'm suspecting gcc is doing something nasty in here, but I'll open it
> up here to see if any
> of you have any suggestion.
> 
> I get segfaults very early in execution, and after some investigation,
> I figured out that
> ebp register is corrupted. I can't determine where the corruption starts.
> 
> I then did rm x86-64-softmmu/op_helper.o; make CC=gcc34, so only this
> file get compiled
> by an older gcc, and it worked again.
> 
> So it seems to me gcc may be generating gibberish somewhere in
> helpers, but since
> this code is a bit fragile, it might well be some mistake on our part.
> 
> Ideas on how to attack it ?
> 

I have been able to find time to look a bit more closer at this issue. I
confirm that I am able to reproduce it with GCC 4.4, and that the %ebp
register is corrupted after a call to some helpers.

However, contrary to what I expected, it doesn't crash on call to
helpers from TCG code, but rather on call of helper from cpu-exec.c. One
of them is helper_cc_compute_all(). A diff on the assembly code between
GCC 4.3 and 4.4 shows that %ebp is now used to access values in static
tables, but is then never restored.

It looks like that GCC is being mistaken by the fact that %ebp is used
as the env register and consider that this register does not have to be
saved and restored. That's why I really think it is a GCC 4.4 issue, and
not a QEMU one.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net