* assert fails in s390x TCG
From: Claudio Fontana @ 2023-07-21 9:08 UTC (permalink / raw)
To: Cornelia Huck, Richard Henderson; +Cc: qemu-devel
Hello Cornelia, Richard,
I had some strange behavior in an s390x TCG VM that I am debugging,
and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
and I am running the qemu binary with -d unimp,guest_errors.
I get:
/usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
unimplemented opcode 0xb9ab
unimplemented opcode 0xb2af
ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
Bail out! ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff53516c0 (LWP 215975)]
(gdb) bt
#0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
#1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
#2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
#3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
#4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
#5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
#6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
#7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
#8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
#9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
#10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
#11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
#12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
#13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
#14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
(gdb) frame 5
#5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
348 g_assert(page_is_locked(pd));
(gdb) list 348
343 static void page_unlock__debug(const PageDesc *pd)
344 {
345 bool removed;
346
347 ht_pages_locked_debug_init();
348 g_assert(page_is_locked(pd));
349 removed = g_hash_table_remove(ht_pages_locked_debug, pd);
350 g_assert(removed);
351 }
352
(gdb) info threads
Id Target Id Frame
1 Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39" 0x00007ffff7385596 in ppoll () from /lib64/libc.so.6
2 Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39" 0x00007ffff738b41d in syscall () from /lib64/libc.so.6
* 3 Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39" 0x00007ffff730dabc in __pthread_kill_implementation () from /lib64/libc.so.6
4 Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
5 Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
6 Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
7 Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
8 Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
9 Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
10 Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
(gdb) thread apply all bt
Thread 10 (Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556803f30, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567b0600) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567b0600) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556803f70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 9 (Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555567b0340, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555675cb10) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555675cb10) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555567b0380) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 8 (Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555675c850, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567090f0) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567090f0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555675c890) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 7 (Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556708e50, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566b5490) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566b5490) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556708e90) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 6 (Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566b51d0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566619a0) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566619a0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555566b5210) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 5 (Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566616e0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555660deb0) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555660deb0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556661720) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 4 (Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555660dbf0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555565ba3d0) at ../softmmu/cpus.c:424
#4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555565ba3d0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555660dc30) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 3 (Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39"):
#0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
#1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
#2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
#3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
#4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
#5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
#6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
#7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
#8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
#9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
#10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
#11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
#12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
#13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
#14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 2 (Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39"):
#0 0x00007ffff738b41d in syscall () at /lib64/libc.so.6
#1 0x0000555555dc0759 in qemu_futex_wait (f=0x555556352818 <rcu_call_ready_event>, val=4294967295) at /root/git/qemu/include/qemu/futex.h:29
#2 0x0000555555dc0940 in qemu_event_wait (ev=0x555556352818 <rcu_call_ready_event>) at ../util/qemu-thread-posix.c:464
#3 0x0000555555dcd228 in call_rcu_thread (opaque=0x0) at ../util/rcu.c:278
#4 0x0000555555dc0af3 in qemu_thread_start (args=0x5555563bdf20) at ../util/qemu-thread-posix.c:541
#5 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#6 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 1 (Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39"):
#0 0x00007ffff7385596 in ppoll () at /lib64/libc.so.6
#1 0x0000555555dde228 in qemu_poll_ns (fds=0x55555680ae50, nfds=75, timeout=9378142) at ../util/qemu-timer.c:351
#2 0x0000555555dd9b50 in os_host_main_loop_wait (timeout=9378142) at ../util/main-loop.c:308
#3 0x0000555555dd9c7f in main_loop_wait (nonblocking=0) at ../util/main-loop.c:592
#4 0x00005555559e5c3e in qemu_main_loop () at ../softmmu/runstate.c:732
#5 0x0000555555bbff42 in qemu_default_main () at ../softmmu/main.c:37
#6 0x0000555555bbff78 in main (argc=46, argv=0x7fffffffe278) at ../softmmu/main.c:48
----
If I build normally without debug-tcg I don't seem to run into this assertion.
Since I have some strange misbehavior at runtime, with processes dying with segfaults and the guest kernel complaining:
[ 2269s] [ 2243.901667][ T8318] User process fault: interruption code 0011 ilc:2 in libc.so.6[3ff87a80000+1c9000]
[ 2269s] [ 2243.904433][ T8318] Failing address: 000002aa0f73f000 TEID: 000002aa0f73f800
[ 2269s] [ 2243.904952][ T8318] Fault in primary space mode while using user ASCE.
[ 2269s] [ 2243.905405][ T8318] AS:00000000057841c7 R3:0000000001fdc007 S:000000000398c000 P:0000000000000400
I thought they might possibly be related.
Thanks for any suggestion,
Claudio
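The two checks that fire in this thread (page_unlock__debug at tb-maint.c:348 here, and assert_no_pages_locked at tb-maint.c:367 in a later reply) are both debug bookkeeping: with --enable-debug-tcg, QEMU records in a per-thread hash table which PageDesc pointers the thread currently holds locked, refuses to unlock a page that is not in the table, and refuses to enter page_collection_lock while the table is non-empty. The following is an added, self-contained model of that bookkeeping and is not QEMU's code: a fixed array stands in for ht_pages_locked_debug, the PageDesc type and the scenario functions are invented for illustration, and the checks return an error code instead of calling g_assert() so that each failure mode (unlock of a page not held, a lock left behind) can be reproduced and inspected without aborting.

```c
/* Added example, not QEMU code: a model of the --enable-debug-tcg page-lock
 * bookkeeping behind page_unlock__debug() and assert_no_pages_locked().
 * A per-thread array stands in for QEMU's GHashTable; checks report a code
 * instead of aborting so the failure modes can be observed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LOCKED 64

/* Stand-in for QEMU's PageDesc; only the address matters for tracking. */
typedef struct PageDesc {
    int placeholder;
} PageDesc;

enum lock_err {
    LOCK_OK = 0,
    LOCK_ERR_NOT_LOCKED,     /* unlocking a page this thread does not hold */
    LOCK_ERR_ALREADY_LOCKED, /* locking a page this thread already holds */
    LOCK_ERR_LEAK,           /* pages still held where none may be held */
    LOCK_ERR_FULL            /* tracking array exhausted (model limit only) */
};

/* Hypothetical per-thread tracking set (stands in for ht_pages_locked_debug). */
static _Thread_local const PageDesc *locked_pages[MAX_LOCKED];
static _Thread_local size_t n_locked;

static size_t find_locked(const PageDesc *pd)
{
    for (size_t i = 0; i < n_locked; i++) {
        if (locked_pages[i] == pd) {
            return i;
        }
    }
    return n_locked; /* not found */
}

bool page_is_locked(const PageDesc *pd)
{
    return find_locked(pd) < n_locked;
}

int page_lock_debug(const PageDesc *pd)
{
    if (page_is_locked(pd)) {
        return LOCK_ERR_ALREADY_LOCKED;
    }
    if (n_locked == MAX_LOCKED) {
        return LOCK_ERR_FULL;
    }
    locked_pages[n_locked++] = pd;
    return LOCK_OK;
}

/* The condition checked at tb-maint.c:348, reported instead of aborted. */
int page_unlock_debug(const PageDesc *pd)
{
    size_t i = find_locked(pd);
    if (i == n_locked) {
        return LOCK_ERR_NOT_LOCKED;
    }
    locked_pages[i] = locked_pages[--n_locked]; /* swap-remove */
    return LOCK_OK;
}

size_t pages_locked_count(void) { return n_locked; }

/* The condition checked by assert_no_pages_locked() at tb-maint.c:367. */
int check_no_pages_locked(void)
{
    return n_locked == 0 ? LOCK_OK : LOCK_ERR_LEAK;
}

static void reset_tracking(void) { n_locked = 0; }

/* Balanced lock/unlock pairs: every check passes. */
int scenario_balanced(void)
{
    PageDesc a, b;
    reset_tracking();
    page_lock_debug(&a);
    page_lock_debug(&b);
    page_unlock_debug(&b);
    page_unlock_debug(&a);
    return check_no_pages_locked(); /* LOCK_OK */
}

/* A cleanup path releasing a page this thread no longer holds: the
 * condition behind the page_unlock__debug assertion. */
int scenario_unlock_not_held(void)
{
    PageDesc a;
    reset_tracking();
    page_lock_debug(&a);
    page_unlock_debug(&a);        /* normal release */
    return page_unlock_debug(&a); /* LOCK_ERR_NOT_LOCKED */
}

/* A lock left behind, then a caller that requires a clean slate: the
 * condition behind the assert_no_pages_locked assertion. */
int scenario_leaked_lock(void)
{
    PageDesc a;
    int rc;
    reset_tracking();
    page_lock_debug(&a);
    rc = check_no_pages_locked(); /* LOCK_ERR_LEAK */
    page_unlock_debug(&a);
    return rc;
}

int main(void)
{
    printf("balanced:        %d\n", scenario_balanced());
    printf("unlock not held: %d\n", scenario_unlock_not_held());
    printf("leaked lock:     %d\n", scenario_leaked_lock());
    return 0;
}
```

The model keeps the real code's invariant: a page may be unlocked only by a thread that recorded locking it, and no page may be held when a caller demands none are. A backtrace like the one above therefore points at the unlock path that ran without a matching lock on the same thread (here cpu_exec_longjmp_cleanup), not at the unlock itself.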
* Re: assert fails in s390x TCG
From: Claudio Fontana @ 2023-07-24 8:21 UTC (permalink / raw)
To: Cornelia Huck, Richard Henderson, Alex Bennée; +Cc: qemu-devel
Adding Alex, maybe something related to multithreaded TCG?
On 7/21/23 11:08, Claudio Fontana wrote:
>
> Hello Cornelia, Richard,
>
> I had some strange behavior in an s390x TCG VM that I am debugging,
>
> and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
>
> and I am running the qemu binary with -d unimp,guest_errors.
>
> I get:
>
> /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
>
> unimplemented opcode 0xb9ab
> unimplemented opcode 0xb2af
>
> ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
> Bail out! ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
>
> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
> (gdb) bt
> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
> #9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
> #10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
> #11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
> #12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
> #13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
> #14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> (gdb) frame 5
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> 348 g_assert(page_is_locked(pd));
> (gdb) list 348
> 343 static void page_unlock__debug(const PageDesc *pd)
> 344 {
> 345 bool removed;
> 346
> 347 ht_pages_locked_debug_init();
> 348 g_assert(page_is_locked(pd));
> 349 removed = g_hash_table_remove(ht_pages_locked_debug, pd);
> 350 g_assert(removed);
> 351 }
> 352
>
> (gdb) info threads
> Id Target Id Frame
> 1 Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39" 0x00007ffff7385596 in ppoll () from /lib64/libc.so.6
> 2 Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39" 0x00007ffff738b41d in syscall () from /lib64/libc.so.6
> * 3 Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39" 0x00007ffff730dabc in __pthread_kill_implementation () from /lib64/libc.so.6
> 4 Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 5 Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 6 Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 7 Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 8 Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 9 Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 10 Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>
> (gdb) thread apply all bt
>
> Thread 10 (Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556803f30, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567b0600) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567b0600) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556803f70) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 9 (Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555567b0340, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555675cb10) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555675cb10) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555567b0380) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 8 (Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555675c850, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567090f0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567090f0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555675c890) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 7 (Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556708e50, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566b5490) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566b5490) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556708e90) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 6 (Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566b51d0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566619a0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566619a0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555566b5210) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 5 (Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566616e0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555660deb0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555660deb0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556661720) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 4 (Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555660dbf0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555565ba3d0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555565ba3d0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555660dc30) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 3 (Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39"):
> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
> #9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
> #10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
> #11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
> #12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
> #13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
> #14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 2 (Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39"):
> #0 0x00007ffff738b41d in syscall () at /lib64/libc.so.6
> #1 0x0000555555dc0759 in qemu_futex_wait (f=0x555556352818 <rcu_call_ready_event>, val=4294967295) at /root/git/qemu/include/qemu/futex.h:29
> #2 0x0000555555dc0940 in qemu_event_wait (ev=0x555556352818 <rcu_call_ready_event>) at ../util/qemu-thread-posix.c:464
> #3 0x0000555555dcd228 in call_rcu_thread (opaque=0x0) at ../util/rcu.c:278
> #4 0x0000555555dc0af3 in qemu_thread_start (args=0x5555563bdf20) at ../util/qemu-thread-posix.c:541
> #5 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #6 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 1 (Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39"):
> #0 0x00007ffff7385596 in ppoll () at /lib64/libc.so.6
> #1 0x0000555555dde228 in qemu_poll_ns (fds=0x55555680ae50, nfds=75, timeout=9378142) at ../util/qemu-timer.c:351
> #2 0x0000555555dd9b50 in os_host_main_loop_wait (timeout=9378142) at ../util/main-loop.c:308
> #3 0x0000555555dd9c7f in main_loop_wait (nonblocking=0) at ../util/main-loop.c:592
> #4 0x00005555559e5c3e in qemu_main_loop () at ../softmmu/runstate.c:732
> #5 0x0000555555bbff42 in qemu_default_main () at ../softmmu/main.c:37
> #6 0x0000555555bbff78 in main (argc=46, argv=0x7fffffffe278) at ../softmmu/main.c:48
>
> ----
>
> If I build normally without debug-tcg I don't seem to run into this assertion.
>
> Since I have some strange misbehavior at runtime, with processes dying with segfaults and the guest kernel complaining:
>
> [ 2269s] [ 2243.901667][ T8318] User process fault: interruption code 0011 ilc:2 in libc.so.6[3ff87a80000+1c9000]
> [ 2269s] [ 2243.904433][ T8318] Failing address: 000002aa0f73f000 TEID: 000002aa0f73f800
> [ 2269s] [ 2243.904952][ T8318] Fault in primary space mode while using user ASCE.
> [ 2269s] [ 2243.905405][ T8318] AS:00000000057841c7 R3:0000000001fdc007 S:000000000398c000 P:0000000000000400
>
> I thought they might possibly be related.
>
> Thanks for any suggestion,
>
> Claudio
>
>
* Re: assert fails in s390x TCG
From: Richard Henderson @ 2023-07-27 17:41 UTC (permalink / raw)
To: Claudio Fontana, Cornelia Huck; +Cc: qemu-devel
On 7/21/23 02:08, Claudio Fontana wrote:
> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
> (gdb) bt
> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
https://patchew.org/QEMU/20230726201330.357175-1-richard.henderson@linaro.org/
r~
* Re: assert fails in s390x TCG
From: Claudio Fontana @ 2023-07-28 13:29 UTC (permalink / raw)
To: Richard Henderson, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/27/23 19:41, Richard Henderson wrote:
> On 7/21/23 02:08, Claudio Fontana wrote:
>> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
>> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
>> (gdb) bt
>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>
>
> https://patchew.org/QEMU/20230726201330.357175-1-richard.henderson@linaro.org/
>
>
> r~
Hi Richard,
I applied your patch, however I still encounter an assert:
ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
Bail out! ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
Thread 6 "qemu-system-s39" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffeef5fe6c0 (LWP 116343)]
0x00007ffff730dabc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
#1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
#2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
#3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
#4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
#5 0x0000555555b96f82 in assert_no_pages_locked () at ../accel/tcg/tb-maint.c:367
#6 0x0000555555b976cc in page_collection_lock (start=6674, last=6674) at ../accel/tcg/tb-maint.c:614
#7 0x0000555555b9877c in tb_invalidate_phys_range (start=27336872, last=27336879) at ../accel/tcg/tb-maint.c:1197
#8 0x0000555555b6b25e in invalidate_and_set_dirty (mr=0x5555563f6e90, addr=27336872, length=8) at ../softmmu/physmem.c:2542
#9 0x0000555555b6d72d in address_space_stq_internal
(as=0x5555566b7350, addr=27336872, val=2930044561408, attrs=..., result=0x0, endian=DEVICE_NATIVE_ENDIAN)
at /root/git/qemu/memory_ldst.c.inc:495
#10 0x0000555555b6d7aa in address_space_stq (as=0x5555566b7350, addr=27336872, val=2930044561408, attrs=..., result=0x0)
at /root/git/qemu/memory_ldst.c.inc:510
#11 0x0000555555a9fff6 in stq_phys (as=0x5555566b7350, addr=27336872, val=2930044561408)
at /root/git/qemu/include/exec/memory_ldst_phys.h.inc:55
#12 0x0000555555aa0630 in s390_cpu_tlb_fill
(cs=0x555556663c80, address=2930044559360, size=1, access_type=MMU_INST_FETCH, mmu_idx=0, probe=false, retaddr=0)
at ../target/s390x/tcg/excp_helper.c:194
#13 0x0000555555ba8a89 in probe_access_internal (env=0x555556666460, addr=2930044559360, fault_size=1, access_type=MMU_INST_FETCH, mmu_idx=0, nonfault=false, phost=0x7ffeef5fcfd0, pfull=0x7ffeef5fcfc8, retaddr=0, check_mem_cbs=false) at ../accel/tcg/cputlb.c:1530
#14 0x0000555555ba90f0 in get_page_addr_code_hostp (env=0x555556666460, addr=2930044559360, hostp=0x7ffeef5fd2f0)
at ../accel/tcg/cputlb.c:1695
#15 0x0000555555ba122d in translator_access (env=0x555556666460, db=0x7ffeef5fd2c0, pc=2930044559360, len=4)
at ../accel/tcg/translator.c:257
#16 0x0000555555ba15e2 in translator_ldl (env=0x555556666460, db=0x7ffeef5fd2c0, pc=2930044559360) at ../accel/tcg/translator.c:351
#17 0x0000555555abd537 in ld_code4 (env=0x555556666460, s=0x7ffeef5fd2c0, pc=2930044559360) at ../target/s390x/tcg/translate.c:399
#18 0x0000555555ad9e93 in extract_insn (env=0x555556666460, s=0x7ffeef5fd2c0) at ../target/s390x/tcg/translate.c:6204
#19 0x0000555555ada171 in translate_one (env=0x555556666460, s=0x7ffeef5fd2c0) at ../target/s390x/tcg/translate.c:6296
#20 0x0000555555ada85c in s390x_tr_translate_insn (dcbase=0x7ffeef5fd2c0, cs=0x555556663c80) at ../target/s390x/tcg/translate.c:6469
#21 0x0000555555ba100d in translator_loop (cpu=0x555556663c80, tb=0x7fffe77a1480, max_insns=0x7ffeef5fd3f4, pc=2930044559358, host_pc=0x7fff08801ffe, ops=0x555556216b60 <s390x_tr_ops>, db=0x7ffeef5fd2c0) at ../accel/tcg/translator.c:180
#22 0x0000555555adaabe in gen_intermediate_code
(cs=0x555556663c80, tb=0x7fffe77a1480, max_insns=0x7ffeef5fd3f4, pc=2930044559358, host_pc=0x7fff08801ffe)
at ../target/s390x/tcg/translate.c:6535
#23 0x0000555555b9f167 in setjmp_gen_code
(env=0x555556666460, tb=0x7fffe77a1480, pc=2930044559358, host_pc=0x7fff08801ffe, max_insns=0x7ffeef5fd3f4, ti=0x7ffeef5fd410)
at ../accel/tcg/translate-all.c:278
#24 0x0000555555b9f47e in tb_gen_code (cpu=0x555556663c80, pc=2930044559358, cs_base=0, flags=1744961539, cflags=-16252928)
at ../accel/tcg/translate-all.c:360
#25 0x0000555555b960b3 in cpu_exec_loop (cpu=0x555556663c80, sc=0x7ffeef5fd540) at ../accel/tcg/cpu-exec.c:1005
#26 0x0000555555b96252 in cpu_exec_setjmp (cpu=0x555556663c80, sc=0x7ffeef5fd540) at ../accel/tcg/cpu-exec.c:1057
#27 0x0000555555b962d9 in cpu_exec (cpu=0x555556663c80) at ../accel/tcg/cpu-exec.c:1083
#28 0x0000555555bba868 in tcg_cpus_exec (cpu=0x555556663c80) at ../accel/tcg/tcg-accel-ops.c:75
#29 0x0000555555bbaf20 in mttcg_cpu_thread_fn (arg=0x555556663c80) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
#30 0x0000555555dc1ece in qemu_thread_start (args=0x5555566b74f0) at ../util/qemu-thread-posix.c:541
#31 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#32 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
(gdb) thread apply all bt
Thread 87 (Thread 0x7ffec2beb6c0 (LWP 116440) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffec2bea580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x7ffebc000b70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 86 (Thread 0x7ffecde2c6c0 (LWP 116439) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffecde2b580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x7ffea4000b70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 85 (Thread 0x7ffecf73e6c0 (LWP 116438) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffecf73d580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x7ffeb0000b70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 84 (Thread 0x7ffec14e26c0 (LWP 116437) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffec14e1580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x7ffe88000b70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 83 (Thread 0x7ffea3fff6c0 (LWP 116436) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffea3ffe580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x55555675eb70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 82 (Thread 0x7ffea0ff96c0 (LWP 116435) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffea0ff8580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x5555565bc420) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 81 (Thread 0x7ffe6e7fc6c0 (LWP 116434) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730b275 in pthread_cond_timedwait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1739 in qemu_cond_timedwait_ts (cond=0x5555563ff1b0, mutex=0x5555563ff140, ts=0x7ffe6e7fb580, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:239
#3 0x0000555555dc17d4 in qemu_cond_timedwait_impl (cond=0x5555563ff1b0, mutex=0x5555563ff140, ms=10000, file=0x555555fea535 "../util/thread-pool.c", line=90) at ../util/qemu-thread-posix.c:253
#4 0x0000555555ddddfc in worker_thread (opaque=0x5555563ff130) at ../util/thread-pool.c:90
#5 0x0000555555dc1ece in qemu_thread_start (args=0x5555565bf630) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 10 (Thread 0x7ffeed5fa6c0 (LWP 116347) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1686 in qemu_cond_wait_impl (cond=0x555556806210, mutex=0x55555632cf60 <qemu_global_mutex>, file=0x555555f07d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567b28e0) at ../softmmu/cpus.c:424
#4 0x0000555555bbafec in mttcg_cpu_thread_fn (arg=0x5555567b28e0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc1ece in qemu_thread_start (args=0x555556806250) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 9 (Thread 0x7ffeeddfb6c0 (LWP 116346) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1686 in qemu_cond_wait_impl (cond=0x5555567b2620, mutex=0x55555632cf60 <qemu_global_mutex>, file=0x555555f07d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555675edf0) at ../softmmu/cpus.c:424
#4 0x0000555555bbafec in mttcg_cpu_thread_fn (arg=0x55555675edf0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc1ece in qemu_thread_start (args=0x5555567b2660) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 8 (Thread 0x7ffeee5fc6c0 (LWP 116345) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1686 in qemu_cond_wait_impl (cond=0x55555675eb30, mutex=0x55555632cf60 <qemu_global_mutex>, file=0x555555f07d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555670b3d0) at ../softmmu/cpus.c:424
#4 0x0000555555bbafec in mttcg_cpu_thread_fn (arg=0x55555670b3d0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc1ece in qemu_thread_start (args=0x55555675eb70) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 7 (Thread 0x7ffeeedfd6c0 (LWP 116344) "qemu-system-s39"):
#0 0x0000555555ba7596 in tlb_reset_dirty_range_locked (tlb_entry=0x555556757140, start=140732950200320, length=4096) at ../accel/tcg/cputlb.c:993
#1 0x0000555555ba76d7 in tlb_reset_dirty (cpu=0x55555670b3d0, start1=140732950200320, length=4096) at ../accel/tcg/cputlb.c:1041
#2 0x0000555555b66e02 in tlb_reset_dirty_range_all (start=27344896, length=4096) at ../softmmu/physmem.c:839
#3 0x0000555555b6709d in cpu_physical_memory_test_and_clear_dirty (start=27344896, length=4096, client=1) at ../softmmu/physmem.c:886
#4 0x0000555555ba755b in tlb_protect_code (ram_addr=27344896) at ../accel/tcg/cputlb.c:961
#5 0x0000555555b97a4b in tb_page_add (p=0x7ffee8120090, tb=0x7fffe8599f80, n=0) at ../accel/tcg/tb-maint.c:706
#6 0x0000555555b97b2b in tb_record (tb=0x7fffe8599f80) at ../accel/tcg/tb-maint.c:721
#7 0x0000555555b9848d in tb_link_page (tb=0x7fffe8599f80) at ../accel/tcg/tb-maint.c:983
#8 0x0000555555b9facd in tb_gen_code (cpu=0x5555566b7770, pc=1026, cs_base=0, flags=1744928771, cflags=-16252928) at ../accel/tcg/translate-all.c:553
#9 0x0000555555b960b3 in cpu_exec_loop (cpu=0x5555566b7770, sc=0x7ffeeedfc540) at ../accel/tcg/cpu-exec.c:1005
#10 0x0000555555b96252 in cpu_exec_setjmp (cpu=0x5555566b7770, sc=0x7ffeeedfc540) at ../accel/tcg/cpu-exec.c:1057
#11 0x0000555555b962d9 in cpu_exec (cpu=0x5555566b7770) at ../accel/tcg/cpu-exec.c:1083
#12 0x0000555555bba868 in tcg_cpus_exec (cpu=0x5555566b7770) at ../accel/tcg/tcg-accel-ops.c:75
#13 0x0000555555bbaf20 in mttcg_cpu_thread_fn (arg=0x5555566b7770) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
#14 0x0000555555dc1ece in qemu_thread_start (args=0x55555670b170) at ../util/qemu-thread-posix.c:541
#15 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#16 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 6 (Thread 0x7ffeef5fe6c0 (LWP 116343) "qemu-system-s39"):
#0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
#1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
#2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
#3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
#4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
#5 0x0000555555b96f82 in assert_no_pages_locked () at ../accel/tcg/tb-maint.c:367
#6 0x0000555555b976cc in page_collection_lock (start=6674, last=6674) at ../accel/tcg/tb-maint.c:614
#7 0x0000555555b9877c in tb_invalidate_phys_range (start=27336872, last=27336879) at ../accel/tcg/tb-maint.c:1197
#8 0x0000555555b6b25e in invalidate_and_set_dirty (mr=0x5555563f6e90, addr=27336872, length=8) at ../softmmu/physmem.c:2542
#9 0x0000555555b6d72d in address_space_stq_internal (as=0x5555566b7350, addr=27336872, val=2930044561408, attrs=..., result=0x0, endian=DEVICE_NATIVE_ENDIAN) at /root/git/qemu/memory_ldst.c.inc:495
#10 0x0000555555b6d7aa in address_space_stq (as=0x5555566b7350, addr=27336872, val=2930044561408, attrs=..., result=0x0) at /root/git/qemu/memory_ldst.c.inc:510
#11 0x0000555555a9fff6 in stq_phys (as=0x5555566b7350, addr=27336872, val=2930044561408) at /root/git/qemu/include/exec/memory_ldst_phys.h.inc:55
#12 0x0000555555aa0630 in s390_cpu_tlb_fill (cs=0x555556663c80, address=2930044559360, size=1, access_type=MMU_INST_FETCH, mmu_idx=0, probe=false, retaddr=0) at ../target/s390x/tcg/excp_helper.c:194
#13 0x0000555555ba8a89 in probe_access_internal (env=0x555556666460, addr=2930044559360, fault_size=1, access_type=MMU_INST_FETCH, mmu_idx=0, nonfault=false, phost=0x7ffeef5fcfd0, pfull=0x7ffeef5fcfc8, retaddr=0, check_mem_cbs=false) at ../accel/tcg/cputlb.c:1530
#14 0x0000555555ba90f0 in get_page_addr_code_hostp (env=0x555556666460, addr=2930044559360, hostp=0x7ffeef5fd2f0) at ../accel/tcg/cputlb.c:1695
#15 0x0000555555ba122d in translator_access (env=0x555556666460, db=0x7ffeef5fd2c0, pc=2930044559360, len=4) at ../accel/tcg/translator.c:257
#16 0x0000555555ba15e2 in translator_ldl (env=0x555556666460, db=0x7ffeef5fd2c0, pc=2930044559360) at ../accel/tcg/translator.c:351
#17 0x0000555555abd537 in ld_code4 (env=0x555556666460, s=0x7ffeef5fd2c0, pc=2930044559360) at ../target/s390x/tcg/translate.c:399
#18 0x0000555555ad9e93 in extract_insn (env=0x555556666460, s=0x7ffeef5fd2c0) at ../target/s390x/tcg/translate.c:6204
#19 0x0000555555ada171 in translate_one (env=0x555556666460, s=0x7ffeef5fd2c0) at ../target/s390x/tcg/translate.c:6296
#20 0x0000555555ada85c in s390x_tr_translate_insn (dcbase=0x7ffeef5fd2c0, cs=0x555556663c80) at ../target/s390x/tcg/translate.c:6469
#21 0x0000555555ba100d in translator_loop (cpu=0x555556663c80, tb=0x7fffe77a1480, max_insns=0x7ffeef5fd3f4, pc=2930044559358, host_pc=0x7fff08801ffe, ops=0x555556216b60 <s390x_tr_ops>, db=0x7ffeef5fd2c0) at ../accel/tcg/translator.c:180
#22 0x0000555555adaabe in gen_intermediate_code (cs=0x555556663c80, tb=0x7fffe77a1480, max_insns=0x7ffeef5fd3f4, pc=2930044559358, host_pc=0x7fff08801ffe) at ../target/s390x/tcg/translate.c:6535
#23 0x0000555555b9f167 in setjmp_gen_code (env=0x555556666460, tb=0x7fffe77a1480, pc=2930044559358, host_pc=0x7fff08801ffe, max_insns=0x7ffeef5fd3f4, ti=0x7ffeef5fd410) at ../accel/tcg/translate-all.c:278
#24 0x0000555555b9f47e in tb_gen_code (cpu=0x555556663c80, pc=2930044559358, cs_base=0, flags=1744961539, cflags=-16252928) at ../accel/tcg/translate-all.c:360
#25 0x0000555555b960b3 in cpu_exec_loop (cpu=0x555556663c80, sc=0x7ffeef5fd540) at ../accel/tcg/cpu-exec.c:1005
#26 0x0000555555b96252 in cpu_exec_setjmp (cpu=0x555556663c80, sc=0x7ffeef5fd540) at ../accel/tcg/cpu-exec.c:1057
#27 0x0000555555b962d9 in cpu_exec (cpu=0x555556663c80) at ../accel/tcg/cpu-exec.c:1083
#28 0x0000555555bba868 in tcg_cpus_exec (cpu=0x555556663c80) at ../accel/tcg/tcg-accel-ops.c:75
#29 0x0000555555bbaf20 in mttcg_cpu_thread_fn (arg=0x555556663c80) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
#30 0x0000555555dc1ece in qemu_thread_start (args=0x5555566b74f0) at ../util/qemu-thread-posix.c:541
#31 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#32 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 5 (Thread 0x7ffeefdff6c0 (LWP 116342) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1686 in qemu_cond_wait_impl (cond=0x5555566639c0, mutex=0x55555632cf60 <qemu_global_mutex>, file=0x555555f07d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x555556610190) at ../softmmu/cpus.c:424
#4 0x0000555555bbafec in mttcg_cpu_thread_fn (arg=0x555556610190) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc1ece in qemu_thread_start (args=0x555556663a00) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 4 (Thread 0x7ffff4b506c0 (LWP 116341) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1686 in qemu_cond_wait_impl (cond=0x55555660fed0, mutex=0x55555632cf60 <qemu_global_mutex>, file=0x555555f07d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555565bc6a0) at ../softmmu/cpus.c:424
#4 0x0000555555bbafec in mttcg_cpu_thread_fn (arg=0x5555565bc6a0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc1ece in qemu_thread_start (args=0x55555660ff10) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 3 (Thread 0x7ffff53516c0 (LWP 116339) "qemu-system-s39"):
#0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
#1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
#2 0x0000555555dc1686 in qemu_cond_wait_impl (cond=0x5555565bc3e0, mutex=0x55555632cf60 <qemu_global_mutex>, file=0x555555f07d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
#3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x555556568c90) at ../softmmu/cpus.c:424
#4 0x0000555555bbafec in mttcg_cpu_thread_fn (arg=0x555556568c90) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
#5 0x0000555555dc1ece in qemu_thread_start (args=0x5555565bc420) at ../util/qemu-thread-posix.c:541
#6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 2 (Thread 0x7ffff63bb6c0 (LWP 116338) "qemu-system-s39"):
#0 0x00007ffff738b41d in syscall () at /lib64/libc.so.6
#1 0x0000555555dc1b34 in qemu_futex_wait (f=0x555556354cf8 <rcu_call_ready_event>, val=4294967295) at /root/git/qemu/include/qemu/futex.h:29
#2 0x0000555555dc1d1b in qemu_event_wait (ev=0x555556354cf8 <rcu_call_ready_event>) at ../util/qemu-thread-posix.c:464
#3 0x0000555555dce603 in call_rcu_thread (opaque=0x0) at ../util/rcu.c:278
#4 0x0000555555dc1ece in qemu_thread_start (args=0x5555563bff20) at ../util/qemu-thread-posix.c:541
#5 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
#6 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
Thread 1 (Thread 0x7ffff63bef40 (LWP 116335) "qemu-system-s39"):
#0 0x00007ffff7385596 in ppoll () at /lib64/libc.so.6
#1 0x0000555555ddf603 in qemu_poll_ns (fds=0x55555680d130, nfds=75, timeout=9583649) at ../util/qemu-timer.c:351
#2 0x0000555555ddaf2b in os_host_main_loop_wait (timeout=9583649) at ../util/main-loop.c:308
#3 0x0000555555ddb05a in main_loop_wait (nonblocking=0) at ../util/main-loop.c:592
#4 0x00005555559e5ec1 in qemu_main_loop () at ../softmmu/runstate.c:732
#5 0x0000555555bc0cb4 in qemu_default_main () at ../softmmu/main.c:37
#6 0x0000555555bc0cea in main (argc=46, argv=0x7fffffffe278) at ../softmmu/main.c:48
(gdb)
* Re: assert fails in s390x TCG
From: Richard Henderson @ 2023-07-28 13:33 UTC (permalink / raw)
To: Claudio Fontana, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 06:29, Claudio Fontana wrote:
> On 7/27/23 19:41, Richard Henderson wrote:
>> On 7/21/23 02:08, Claudio Fontana wrote:
>>> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
>>> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
>>> (gdb) bt
>>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>>
>>
>> https://patchew.org/QEMU/20230726201330.357175-1-richard.henderson@linaro.org/
>>
>>
>> r~
>
> Hi Richard,
>
> I applied your patch, however I still encounter an assert:
>
> ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
> Bail out! ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
What's the test case?
r~
* Re: assert fails in s390x TCG
From: Claudio Fontana @ 2023-07-28 13:45 UTC (permalink / raw)
To: Richard Henderson, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 15:33, Richard Henderson wrote:
> On 7/28/23 06:29, Claudio Fontana wrote:
>> On 7/27/23 19:41, Richard Henderson wrote:
>>> On 7/21/23 02:08, Claudio Fontana wrote:
>>>> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
>>>> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
>>>> (gdb) bt
>>>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>>>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>>>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>>>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>>>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>>>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>>>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>>>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>>>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>>>
>>>
>>> https://patchew.org/QEMU/20230726201330.357175-1-richard.henderson@linaro.org/
>>>
>>>
>>> r~
>>
>> Hi Richard,
>>
>> I applied your patch, however I still encounter an assert:
>>
>> ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
>> Bail out! ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
>
> What's the test case?
>
>
> r~
It is a test environment for building packages, so the guest at the time of the error is running ./configure for the package swig-v4.1.1.tar.gz
checking build system type... s390x-ibm-linux-gnu^M
checking host system type... s390x-ibm-linux-gnu^M
checking for a BSD-compatible install... /usr/bin/install -c^M
checking whether build environment is sane... [New Thread 0x7ffea3fff6c0 (LWP 116436)]
[New Thread 0x7ffec14e26c0 (LWP 116437)]
[New Thread 0x7ffecf73e6c0 (LWP 116438)]
[New Thread 0x7ffecde2c6c0 (LWP 116439)]
[New Thread 0x7ffec2beb6c0 (LWP 116440)]
yes^M
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p^M
checking for gawk... gawk^M
checking whether make sets $(MAKE)... yes^M
checking whether make supports nested variables... yes^M
checking for s390x-ibm-linux-gnu-gcc... gcc^M
checking whether the C compiler works... **
So I presume we are in:
AC_PROG_CC
* Re: assert fails in s390x TCG
From: Claudio Fontana @ 2023-07-28 14:23 UTC (permalink / raw)
To: Richard Henderson, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 15:45, Claudio Fontana wrote:
> On 7/28/23 15:33, Richard Henderson wrote:
>> On 7/28/23 06:29, Claudio Fontana wrote:
>>> On 7/27/23 19:41, Richard Henderson wrote:
>>>> On 7/21/23 02:08, Claudio Fontana wrote:
>>>>> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
>>>>> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
>>>>> (gdb) bt
>>>>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>>>>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>>>>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>>>>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>>>>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>>>>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>>>>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>>>>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>>>>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>>>>
>>>>
>>>> https://patchew.org/QEMU/20230726201330.357175-1-richard.henderson@linaro.org/
>>>>
>>>>
>>>> r~
>>>
>>> Hi Richard,
>>>
>>> I applied your patch, however I still encounter an assert:
>>>
>>> ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
>>> Bail out! ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
>>
>> What's the test case?
>>
>>
>> r~
>
> It is a test environment for building packages, so the guest at the time of the error is running ./configure for the package swig-v4.1.1.tar.gz
>
> checking build system type... s390x-ibm-linux-gnu^M
> checking host system type... s390x-ibm-linux-gnu^M
> checking for a BSD-compatible install... /usr/bin/install -c^M
> checking whether build environment is sane... [New Thread 0x7ffea3fff6c0 (LWP 116436)]
> [New Thread 0x7ffec14e26c0 (LWP 116437)]
> [New Thread 0x7ffecf73e6c0 (LWP 116438)]
> [New Thread 0x7ffecde2c6c0 (LWP 116439)]
> [New Thread 0x7ffec2beb6c0 (LWP 116440)]
> yes^M
> checking for a thread-safe mkdir -p... /usr/bin/mkdir -p^M
> checking for gawk... gawk^M
> checking whether make sets $(MAKE)... yes^M
> checking whether make supports nested variables... yes^M
> checking for s390x-ibm-linux-gnu-gcc... gcc^M
> checking whether the C compiler works... **
>
> So I presume we are in:
>
> AC_PROG_CC
>
I am rerunning this over and over, and it seems it always aborts there in the same place.
C
* Re: assert fails in s390x TCG
From: Richard Henderson @ 2023-07-28 14:28 UTC (permalink / raw)
To: Claudio Fontana, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 07:23, Claudio Fontana wrote:
>> It is a test environment for building packages, so the guest at the time of the error is running ./configure for the package swig-v4.1.1.tar.gz
>>
>> checking build system type... s390x-ibm-linux-gnu^M
>> checking host system type... s390x-ibm-linux-gnu^M
>> checking for a BSD-compatible install... /usr/bin/install -c^M
>> checking whether build environment is sane... [New Thread 0x7ffea3fff6c0 (LWP 116436)]
>> [New Thread 0x7ffec14e26c0 (LWP 116437)]
>> [New Thread 0x7ffecf73e6c0 (LWP 116438)]
>> [New Thread 0x7ffecde2c6c0 (LWP 116439)]
>> [New Thread 0x7ffec2beb6c0 (LWP 116440)]
>> yes^M
>> checking for a thread-safe mkdir -p... /usr/bin/mkdir -p^M
>> checking for gawk... gawk^M
>> checking whether make sets $(MAKE)... yes^M
>> checking whether make supports nested variables... yes^M
>> checking for s390x-ibm-linux-gnu-gcc... gcc^M
>> checking whether the C compiler works... **
>>
>> So I presume we are in:
>>
>> AC_PROG_CC
>>
>
>
> I am rerunning this over and over, and it seems it always aborts there in the same place.
You didn't say what the host is, only qemu-system-s390x.
Am I barking up the wrong tree looking at s390x host?
r~
* Re: assert fails in s390x TCG
2023-07-28 14:28 ` Richard Henderson
@ 2023-07-28 14:40 ` Claudio Fontana
2023-07-28 14:46 ` Claudio Fontana
0 siblings, 1 reply; 21+ messages in thread
From: Claudio Fontana @ 2023-07-28 14:40 UTC (permalink / raw)
To: Richard Henderson, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 16:28, Richard Henderson wrote:
> On 7/28/23 07:23, Claudio Fontana wrote:
>>> It is a test environment for building packages, so the guest at the time of the error is running ./configure for the package swig-v4.1.1.tar.gz
>>>
>>> checking build system type... s390x-ibm-linux-gnu^M
>>> checking host system type... s390x-ibm-linux-gnu^M
>>> checking for a BSD-compatible install... /usr/bin/install -c^M
>>> checking whether build environment is sane... [New Thread 0x7ffea3fff6c0 (LWP 116436)]
>>> [New Thread 0x7ffec14e26c0 (LWP 116437)]
>>> [New Thread 0x7ffecf73e6c0 (LWP 116438)]
>>> [New Thread 0x7ffecde2c6c0 (LWP 116439)]
>>> [New Thread 0x7ffec2beb6c0 (LWP 116440)]
>>> yes^M
>>> checking for a thread-safe mkdir -p... /usr/bin/mkdir -p^M
>>> checking for gawk... gawk^M
>>> checking whether make sets $(MAKE)... yes^M
>>> checking whether make supports nested variables... yes^M
>>> checking for s390x-ibm-linux-gnu-gcc... gcc^M
>>> checking whether the C compiler works... **
>>>
>>> So I presume we are in:
>>>
>>> AC_PROG_CC
>>>
>>
>>
>> I am rerunning this over and over, and it seems it always aborts there in the same place.
>
> You didn't say what the host is, only qemu-system-s390x.
> Am I barking up the wrong tree looking at s390x host?
>
>
> r~
Sorry, no, it is an x86 host in this case, running openSUSE Tumbleweed.
* Re: assert fails in s390x TCG
2023-07-28 14:40 ` Claudio Fontana
@ 2023-07-28 14:46 ` Claudio Fontana
0 siblings, 0 replies; 21+ messages in thread
From: Claudio Fontana @ 2023-07-28 14:46 UTC (permalink / raw)
To: Richard Henderson, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 16:40, Claudio Fontana wrote:
> On 7/28/23 16:28, Richard Henderson wrote:
>> On 7/28/23 07:23, Claudio Fontana wrote:
>>>> It is a test environment for building packages, so the guest at the time of the error is running ./configure for the package swig-v4.1.1.tar.gz
>>>>
>>>> checking build system type... s390x-ibm-linux-gnu^M
>>>> checking host system type... s390x-ibm-linux-gnu^M
>>>> checking for a BSD-compatible install... /usr/bin/install -c^M
>>>> checking whether build environment is sane... [New Thread 0x7ffea3fff6c0 (LWP 116436)]
>>>> [New Thread 0x7ffec14e26c0 (LWP 116437)]
>>>> [New Thread 0x7ffecf73e6c0 (LWP 116438)]
>>>> [New Thread 0x7ffecde2c6c0 (LWP 116439)]
>>>> [New Thread 0x7ffec2beb6c0 (LWP 116440)]
>>>> yes^M
>>>> checking for a thread-safe mkdir -p... /usr/bin/mkdir -p^M
>>>> checking for gawk... gawk^M
>>>> checking whether make sets $(MAKE)... yes^M
>>>> checking whether make supports nested variables... yes^M
>>>> checking for s390x-ibm-linux-gnu-gcc... gcc^M
>>>> checking whether the C compiler works... **
>>>>
>>>> So I presume we are in:
>>>>
>>>> AC_PROG_CC
>>>>
>>>
>>>
>>> I am rerunning this over and over, and it seems it always aborts there in the same place.
>>
>> You didn't say what the host is, only qemu-system-s390x.
>> Am I barking up the wrong tree looking at s390x host?
>>
>>
>> r~
>
> sorry, no it is an x86 host in this case, running openSUSE Tumbleweed.
>
>
>
(gdb) frame 17
#17 0x0000555555abd537 in ld_code4 (env=0x5555566b9f50, s=0x7ffeeedfc2c0, pc=2929224048640) at ../target/s390x/tcg/translate.c:399
399 return (uint64_t)(uint32_t)translator_ldl(env, &s->base, pc);
(gdb) p env
$7 = (CPUS390XState *) 0x5555566b9f50
(gdb) p env[0]
$8 = {regs = {0, 128, 4396110331904, 2929231704344, 2929231698920, 0, 1, 4294967295, 127, 129, 2929167695872, 2929167695874,
4396120469352, 2929227322880, 4393751543808, 4397869291280}, vregs = {{4294967296, 4294967296}, {1, 4294967297}, {1, 4294967297}, {
4294967296, 4294967297}, {4294967297, 4294967297}, {4294967297, 4294967297}, {4294967297, 1}, {4294967297, 4294967296}, {1,
4294967296}, {4294967297, 1}, {4294967297, 4294967296}, {0, 4294967296}, {4294967296, 1}, {0, 0}, {0, 1}, {4294967297, 0}, {
4294967297, 4294967296}, {4294967296, 1}, {0, 1}, {8589934592, 0}, {4294967295, 4294967297}, {1, 4294967296}, {4294967297,
4294967296}, {4294967297, 4294967297}, {4294967297, 4294967297}, {1, 4294967297}, {4294967297, 1}, {0, 4294967297}, {1, 0}, {0, 0}, {
4294967297, 4294967296}, {0, 24}}, aregs = {1023, 2369217472, 0 <repeats 14 times>}, gscb = {0, 0, 0, 0}, etoken = 0,
etoken_extension = 0, diag318_info = 0, start_initial_reset_fields = {<No data fields>}, fpc = 0, cc_op = 15, bpbc = false,
fpu_status = {float_exception_flags = 0, float_rounding_mode = float_round_nearest_even,
floatx80_rounding_precision = floatx80_precision_x, tininess_before_rounding = true, flush_to_zero = false,
flush_inputs_to_zero = false, default_nan_mode = false, snan_bit_is_one = false, use_first_nan = false, no_signaling_nans = false,
rebias_overflow = false, rebias_underflow = false}, psw = {mask = 505845723963588608, addr = 2929224048638},
crash_reason = S390_CRASH_REASON_UNKNOWN, cc_src = 1, cc_dst = 128, cc_vr = 129, ex_value = 0, ex_target = 10319062, __excp_addr = 0,
psa = 27344896, int_pgm_code = 16, int_pgm_ilen = 2, int_svc_code = 90, int_svc_ilen = 2, per_address = 0, per_perc_atmid = 0, cregs = {
337013264, 74613191, 118912, 0, 65535, 118912, 805306368, 74613191, 32768, 0, 0, 0, 0, 22298631, 3674210304, 118976},
ckc = 15972532250018284863, cputm = 2251799817033977205, todpr = 4, pfault_token = 18446744073709551615, pfault_compare = 0,
pfault_select = 0, gbea = 1026, pp = 9223372036854778665, start_normal_reset_fields = {<No data fields>},
riccb = '\000' <repeats 63 times>, pending_int = 0, external_call_addr = 6, emergency_signals = {0, 0, 0, 0},
tlb_fill_tec = 2929224050688, tlb_fill_exc = 17, end_reset_fields = {<No data fields>}, core_id = 4, cpuid = 18014400747208704,
tod_timer = 0x5555566ba530, cpu_timer = 0x5555566ba570, cpu_state = 3 '\003', sigp_order = 0 '\000'}
(gdb) p s[0]
$9 = {base = {tb = 0x7fffe4923a00, pc_first = 2929224048638, pc_next = 2929224048638, is_jmp = DISAS_NEXT, num_insns = 1, max_insns = 512,
singlestep_enabled = false, host_addr = {0x7fff07ef8ffe, 0x0}}, insn = 0x7ffedc013740, insn_start = 0x7ffedc00b6b8, fields = {
raw_insn = 18446744073709550296, op = 0, op2 = 0, presentC = 0, presentO = 0, c = {-10352, 32767, -295710720, 32766, -143555232,
32767, 1449893712}}, ex_value = 0, pc_tmp = 93825010474832, ilen = 4007641952, cc_op = CC_OP_DYNAMIC, exit_to_mainloop = false}
* Re: assert fails in s390x TCG
2023-07-28 13:29 ` Claudio Fontana
2023-07-28 13:33 ` Richard Henderson
@ 2023-07-28 16:05 ` Richard Henderson
2023-07-28 16:43 ` Richard Henderson
1 sibling, 1 reply; 21+ messages in thread
From: Richard Henderson @ 2023-07-28 16:05 UTC (permalink / raw)
To: Claudio Fontana, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 06:29, Claudio Fontana wrote:
> On 7/27/23 19:41, Richard Henderson wrote:
>> On 7/21/23 02:08, Claudio Fontana wrote:
>>> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
>>> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
>>> (gdb) bt
>>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>>
>>
>> https://patchew.org/QEMU/20230726201330.357175-1-richard.henderson@linaro.org/
>>
>>
>> r~
>
> Hi Richard,
>
> I applied your patch, however I still encounter an assert:
>
> ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
> Bail out! ERROR:../accel/tcg/tb-maint.c:367:assert_no_pages_locked: assertion failed: (g_hash_table_size(ht_pages_locked_debug) == 0)
Ok, this is a different problem. And tricky...
>
> Thread 6 "qemu-system-s39" received signal SIGABRT, Aborted.
> [Switching to Thread 0x7ffeef5fe6c0 (LWP 116343)]
> 0x00007ffff730dabc in __pthread_kill_implementation () from /lib64/libc.so.6
> (gdb) bt
> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
> #5 0x0000555555b96f82 in assert_no_pages_locked () at ../accel/tcg/tb-maint.c:367
> #6 0x0000555555b976cc in page_collection_lock (start=6674, last=6674) at ../accel/tcg/tb-maint.c:614
> #7 0x0000555555b9877c in tb_invalidate_phys_range (start=27336872, last=27336879) at ../accel/tcg/tb-maint.c:1197
> #8 0x0000555555b6b25e in invalidate_and_set_dirty (mr=0x5555563f6e90, addr=27336872, length=8) at ../softmmu/physmem.c:2542
> #9 0x0000555555b6d72d in address_space_stq_internal
> (as=0x5555566b7350, addr=27336872, val=2930044561408, attrs=..., result=0x0, endian=DEVICE_NATIVE_ENDIAN)
> at /root/git/qemu/memory_ldst.c.inc:495
> #10 0x0000555555b6d7aa in address_space_stq (as=0x5555566b7350, addr=27336872, val=2930044561408, attrs=..., result=0x0)
> at /root/git/qemu/memory_ldst.c.inc:510
> #11 0x0000555555a9fff6 in stq_phys (as=0x5555566b7350, addr=27336872, val=2930044561408)
> at /root/git/qemu/include/exec/memory_ldst_phys.h.inc:55
> #12 0x0000555555aa0630 in s390_cpu_tlb_fill
> (cs=0x555556663c80, address=2930044559360, size=1, access_type=MMU_INST_FETCH, mmu_idx=0, probe=false, retaddr=0)
> at ../target/s390x/tcg/excp_helper.c:194
> #13 0x0000555555ba8a89 in probe_access_internal
> (env=0x555556666460, addr=2930044559360, fault_size=1, access_type=MMU_INST_FETCH, mmu_idx=0, nonfault=false, phost=0x7ffeef5fcfd0, pfull=0x7ffeef5fcfc8, retaddr=0, check_mem_cbs=false) at ../accel/tcg/cputlb.c:1530
> #14 0x0000555555ba90f0 in get_page_addr_code_hostp (env=0x555556666460, addr=2930044559360, hostp=0x7ffeef5fd2f0)
> at ../accel/tcg/cputlb.c:1695
> #15 0x0000555555ba122d in translator_access (env=0x555556666460, db=0x7ffeef5fd2c0, pc=2930044559360, len=4)
> at ../accel/tcg/translator.c:257
> #16 0x0000555555ba15e2 in translator_ldl (env=0x555556666460, db=0x7ffeef5fd2c0, pc=2930044559360) at ../accel/tcg/translator.c:351
#16: load for translation,
#15: translation for next page
#12: tlb_fill for next page
#11: store, updating access bit on the PTE
#8: invalidate the page table page, which was also marked code?!?
#5: assert no pages locked -- we never expected to invalidate in this context.
It's the page containing both code and a page table entry that concerns me. It seems like
a kernel bug, though obviously we shouldn't crash. I'm not sure what to do about it.
r~
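The frame-by-frame sequence Richard reconstructs above, modelled as an added example (not QEMU's code and not from anyone in the thread): a toy version of the debug-only locked-page bookkeeping behind both asserts reported here, returning which check would fire instead of aborting. Page numbers, the page_has_code[] table and all function names are constructed for the model.

```c
/*
 * Added example, not QEMU code: a toy model of the debug-only page-lock
 * bookkeeping behind both g_assert failures in this thread (page_unlock__debug
 * and assert_no_pages_locked in accel/tcg/tb-maint.c), driven by the call
 * sequence reconstructed from the backtrace.  All names are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define N_PAGES    8
#define MAX_LOCKED 16

static uint64_t locked_pages[MAX_LOCKED]; /* stand-in for ht_pages_locked_debug */
static size_t   n_locked;
static bool     page_has_code[N_PAGES];   /* pages holding translated code */

enum outcome {
    OK = 0,
    ASSERT_NOT_LOCKED,   /* first report:  g_assert(page_is_locked(pd)) */
    ASSERT_PAGES_LOCKED, /* second report: locked-page table not empty */
};

static void reset_model(void)
{
    n_locked = 0;
    memset(page_has_code, 0, sizeof page_has_code);
}

static bool page_is_locked(uint64_t page)
{
    for (size_t i = 0; i < n_locked; i++) {
        if (locked_pages[i] == page) return true;
    }
    return false;
}

static void page_lock(uint64_t page)
{
    if (n_locked < MAX_LOCKED) locked_pages[n_locked++] = page;
}

/* Unlocking a page that is not locked is the first assert in the thread. */
static enum outcome page_unlock(uint64_t page)
{
    for (size_t i = 0; i < n_locked; i++) {
        if (locked_pages[i] == page) {
            locked_pages[i] = locked_pages[--n_locked];
            return OK;
        }
    }
    return ASSERT_NOT_LOCKED;
}

/* Frames #7/#6: invalidating translated code in a physical range takes the
 * page collection lock, which requires that this thread holds no page lock. */
static enum outcome tb_invalidate_phys_range(uint64_t page)
{
    if (n_locked != 0) return ASSERT_PAGES_LOCKED; /* assert_no_pages_locked */
    page_has_code[page] = false;
    return OK;
}

/* Frames #12..#8: the TLB fill for an instruction fetch stores into a page
 * table / LowCore word; if that page also holds code it must be invalidated. */
static enum outcome tlb_fill_store(uint64_t dest_page)
{
    return page_has_code[dest_page] ? tb_invalidate_phys_range(dest_page) : OK;
}

/* Frames #16..#13: the next-instruction fetch misses the TLB while code_page is locked. */
static enum outcome translate_block(uint64_t code_page, uint64_t pte_page)
{
    page_lock(code_page);
    enum outcome r = tlb_fill_store(pte_page);
    if (r != OK) {
        n_locked = 0;                 /* the real code aborted at this point */
        return r;
    }
    return page_unlock(code_page);
}

/* Second report: the page written during the TLB fill also holds code. */
static enum outcome run_shared_page_case(bool pte_page_has_code)
{
    reset_model();
    page_has_code[3] = pte_page_has_code;
    return translate_block(1, 3);
}

/* First report: cleanup after a longjmp unlocks a TB's pages even though
 * this path never locked them (frames #8..#5 of the first backtrace). */
static enum outcome run_stale_unlock_case(void)
{
    reset_model();
    return page_unlock(5);
}
```

Whether the page written by the TLB fill also holds translated code is what turns a clean fill into the assert_no_pages_locked failure; page_is_locked() is only consulted when the unlock path runs.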
* Re: assert fails in s390x TCG
2023-07-28 16:05 ` Richard Henderson
@ 2023-07-28 16:43 ` Richard Henderson
2024-06-12 12:41 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 21+ messages in thread
From: Richard Henderson @ 2023-07-28 16:43 UTC (permalink / raw)
To: Claudio Fontana, Cornelia Huck; +Cc: qemu-devel, Alex Bennée
On 7/28/23 09:05, Richard Henderson wrote:
> It's the page containing both code and a page table entry that concerns me. It seems like
> a kernel bug, though obviously we shouldn't crash. I'm not sure what to do about it.
Bah. Of course it's not a kernel bug, since the store is to LowCore.
And of course LowCore is part of a larger page, which easily has other stuff.
Still trying to work out what to do...
r~
* Re: assert fails in s390x TCG
2023-07-21 9:08 assert fails in s390x TCG Claudio Fontana
2023-07-24 8:21 ` Claudio Fontana
2023-07-27 17:41 ` Richard Henderson
@ 2023-07-31 11:31 ` Claudio Fontana
2023-07-31 20:51 ` Claudio Fontana
2023-08-04 9:00 ` Issue with s390 TCG and libc __strstr_arch13 [Was: Re: assert fails in s390x TCG] Claudio Fontana
3 siblings, 1 reply; 21+ messages in thread
From: Claudio Fontana @ 2023-07-31 11:31 UTC (permalink / raw)
To: Cornelia Huck, Richard Henderson; +Cc: qemu-devel
On 7/21/23 11:08, Claudio Fontana wrote:
>
> Hello Cornelia, Richard,
>
> I had some strange behavior in an s390x TCG VM that I am debugging,
>
> and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
>
> and I am running the qemu binary with -d unimp,guest_errors .
>
> I get:
>
> /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
>
> unimplemented opcode 0xb9ab
> unimplemented opcode 0xb2af
>
> ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
> Bail out! ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
>
> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
> (gdb) bt
> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
> #9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
> #10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
> #11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
> #12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
> #13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
> #14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> (gdb) frame 5
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> 348 g_assert(page_is_locked(pd));
> (gdb) list 348
> 343 static void page_unlock__debug(const PageDesc *pd)
> 344 {
> 345 bool removed;
> 346
> 347 ht_pages_locked_debug_init();
> 348 g_assert(page_is_locked(pd));
> 349 removed = g_hash_table_remove(ht_pages_locked_debug, pd);
> 350 g_assert(removed);
> 351 }
> 352
>
> (gdb) info threads
> Id Target Id Frame
> 1 Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39" 0x00007ffff7385596 in ppoll () from /lib64/libc.so.6
> 2 Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39" 0x00007ffff738b41d in syscall () from /lib64/libc.so.6
> * 3 Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39" 0x00007ffff730dabc in __pthread_kill_implementation () from /lib64/libc.so.6
> 4 Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 5 Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 6 Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 7 Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 8 Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 9 Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
> 10 Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>
> (gdb) thread apply all bt
>
> Thread 10 (Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556803f30, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567b0600) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567b0600) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556803f70) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 9 (Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555567b0340, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555675cb10) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555675cb10) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555567b0380) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 8 (Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555675c850, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567090f0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567090f0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555675c890) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 7 (Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556708e50, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566b5490) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566b5490) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556708e90) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 6 (Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566b51d0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566619a0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566619a0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555566b5210) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 5 (Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566616e0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555660deb0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555660deb0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556661720) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 4 (Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39"):
> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555660dbf0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555565ba3d0) at ../softmmu/cpus.c:424
> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555565ba3d0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555660dc30) at ../util/qemu-thread-posix.c:541
> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 3 (Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39"):
> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
> #9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
> #10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
> #11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
> #12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
> #13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
> #14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 2 (Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39"):
> #0 0x00007ffff738b41d in syscall () at /lib64/libc.so.6
> #1 0x0000555555dc0759 in qemu_futex_wait (f=0x555556352818 <rcu_call_ready_event>, val=4294967295) at /root/git/qemu/include/qemu/futex.h:29
> #2 0x0000555555dc0940 in qemu_event_wait (ev=0x555556352818 <rcu_call_ready_event>) at ../util/qemu-thread-posix.c:464
> #3 0x0000555555dcd228 in call_rcu_thread (opaque=0x0) at ../util/rcu.c:278
> #4 0x0000555555dc0af3 in qemu_thread_start (args=0x5555563bdf20) at ../util/qemu-thread-posix.c:541
> #5 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
> #6 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>
> Thread 1 (Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39"):
> #0 0x00007ffff7385596 in ppoll () at /lib64/libc.so.6
> #1 0x0000555555dde228 in qemu_poll_ns (fds=0x55555680ae50, nfds=75, timeout=9378142) at ../util/qemu-timer.c:351
> #2 0x0000555555dd9b50 in os_host_main_loop_wait (timeout=9378142) at ../util/main-loop.c:308
> #3 0x0000555555dd9c7f in main_loop_wait (nonblocking=0) at ../util/main-loop.c:592
> #4 0x00005555559e5c3e in qemu_main_loop () at ../softmmu/runstate.c:732
> #5 0x0000555555bbff42 in qemu_default_main () at ../softmmu/main.c:37
> #6 0x0000555555bbff78 in main (argc=46, argv=0x7fffffffe278) at ../softmmu/main.c:48
>
> ----
Hi Richard,
with the two patches:
accel/tcg: Clear tcg_ctx->gen_tb on buffer overflow
and
target/s390x: Move trans_exc_code update to do_program_interrupt
I do not get asserts anymore.
I did notice, though, some error happening once that I never saw before when I was running without these patches (and without --enable-debug-tcg, so I would not get asserts).
I have "-d unimp,guest_errors" currently in the cmdline.
unimplemented opcode 0x0000
[ 87.544553][ T320] illegal operation: 0001 ilc:1 [#1] SMP
[ 87.546245][ T320] Modules linked in: virtio_blk(+) xfs btrfs blake2b_generic xor raid6_pq libcrc32c ext4 crc32_vx_s390 crc16 mbcache jbd2 squashfs lz4_decompress fuse dm_snapshot dm_bufio dm_crypt essiv authenc dm_mod binfmt_misc loop sg scsi_mod
[ 87.550754][ T320] Supported: Yes
[ 87.552441][ T320] CPU: 4 PID: 320 Comm: modprobe Not tainted 5.14.21-150400.22-default #1 SLE15-SP4 a8270a81de044ce12d2ba9b360e3443bea691c52
[ 87.554408][ T320] Hardware name: QEMU 8561 QEMU (KVM/Linux)
[ 87.555528][ T320] Krnl PSW : 0704e00180000000 000003ff80580002 (____versions+0x7f80240c6a/0x7f802411f8 [virtio_blk])
[ 87.557435][ T320] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
[ 87.558866][ T320] Krnl GPRS: 0000000007ca7520 000003ff805805d8 000000000400f030 0000000007c40000
[ 87.559938][ T320] 0000000000000000 0000000000000000 0000000000000000 000000000400f030
[ 87.561557][ T320] 0000000007ca7480 0000000000000007 0000000000000000 0000000007c40000
[ 87.562821][ T320] 0000000002dfa100 0000000000002200 000003ff805805de 000003800033b6d8
[ 87.566124][ T320] Krnl Code:#000003ff80580000: 0000 illegal
[ 87.566124][ T320] >000003ff80580002: 0000 illegal
[ 87.566124][ T320] 000003ff80580004: 011a unknown
[ 87.566124][ T320] 000003ff80580006: c1f800000000 unknown
[ 87.566124][ T320] 000003ff8058000c: 00fa unknown
[ 87.566124][ T320] 000003ff8058000e: c1a800000000 unknown
[ 87.566124][ T320] 000003ff80580014: 00fd unknown
[ 87.566124][ T320] 000003ff80580016: 6c500d10 md %f5,3344
[ 87.573838][ T320] Call Trace:
[ 87.576335][ T320] [<000003ff80580002>] ____versions+0x7f80240c6a/0x7f802411f8 [virtio_blk]
[ 87.577717][ T320] ([<00000000005cf7d6>] blk_mq_alloc_rqs+0xfe/0x2a8)
[ 87.578756][ T320] [<00000000005cf9fe>] __blk_mq_alloc_map_and_request+0x7e/0x100
[ 87.579829][ T320] [<00000000005d09be>] blk_mq_alloc_tag_set+0x266/0x3b8
[ 87.580847][ T320] [<000003ff80581b62>] virtblk_probe+0x3d2/0xb88 [virtio_blk]
[ 87.582545][ T320] [<00000000006ddb12>] virtio_dev_probe+0x192/0x360
[ 87.583506][ T320] [<000000000072d2e2>] really_probe+0x1c2/0x490
[ 87.584357][ T320] [<000000000072d768>] driver_probe_device+0x40/0xf8
[ 87.585248][ T320] [<000000000072ddf6>] __driver_attach+0x86/0x198
[ 87.586055][ T320] [<000000000072a8fa>] bus_for_each_dev+0x82/0xc8
[ 87.586964][ T320] [<000000000072c130>] bus_add_driver+0x170/0x258
[ 87.587767][ T320] [<000000000072e608>] driver_register+0x88/0x160
[ 87.588631][ T320] [<000003ff8058706a>] init+0x6a/0x1000 [virtio_blk]
[ 87.589550][ T320] [<0000000000100bf0>] do_one_initcall+0x40/0x208
[ 87.590491][ T320] [<00000000009c1620>] do_init_module+0x70/0x260
[ 87.592186][ T320] [<000000000021e0b4>] load_module+0x1de4/0x25d0
[ 87.593207][ T320] [<000000000021ea58>] __do_sys_init_module+0x1b8/0x1e8
[ 87.594226][ T320] [<00000000009c570a>] __do_syscall+0x1c2/0x1e8
[ 87.595069][ T320] [<00000000009d4a28>] system_call+0x78/0xa0
[ 87.596053][ T320] Last Breaking-Event-Address:
[ 87.596697][ T320] [<000000003fffe2c0>] 0x3fffe2c0
[ 87.598784][ T320] Kernel panic - not syncing: Fatal exception: panic_on_oops
Guest crashed on cpu 4: disabled-wait
PSW: 0x0002000180000000 0x000000000010fdd0
This did not manifest again when rerunning.
Just FYI in case it helps, it might "just" be a kernel error, but I never saw this before when running unpatched...
Thanks,
Claudio
* Re: assert fails in s390x TCG
2023-07-31 11:31 ` Claudio Fontana
@ 2023-07-31 20:51 ` Claudio Fontana
0 siblings, 0 replies; 21+ messages in thread
From: Claudio Fontana @ 2023-07-31 20:51 UTC (permalink / raw)
To: Cornelia Huck, Richard Henderson; +Cc: qemu-devel
On 7/31/23 13:31, Claudio Fontana wrote:
> On 7/21/23 11:08, Claudio Fontana wrote:
>>
>> Hello Cornelia, Richard,
>>
>> I had some strange behavior in an s390x TCG VM that I am debugging,
>>
>> and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
>>
>> and I am running the qemu binary with -d unimp,guest_errors .
>>
>> I get:
>>
>> /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
>>
>> unimplemented opcode 0xb9ab
>> unimplemented opcode 0xb2af
>>
>> ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
>> Bail out! ERROR:../accel/tcg/tb-maint.c:348:page_unlock__debug: assertion failed: (page_is_locked(pd))
>>
>> Thread 3 "qemu-system-s39" received signal SIGABRT, Aborted.
>> [Switching to Thread 0x7ffff53516c0 (LWP 215975)]
>> (gdb) bt
>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>> #9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
>> #10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
>> #11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
>> #12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
>> #13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
>> #14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> (gdb) frame 5
>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>> 348 g_assert(page_is_locked(pd));
>> (gdb) list 348
>> 343 static void page_unlock__debug(const PageDesc *pd)
>> 344 {
>> 345 bool removed;
>> 346
>> 347 ht_pages_locked_debug_init();
>> 348 g_assert(page_is_locked(pd));
>> 349 removed = g_hash_table_remove(ht_pages_locked_debug, pd);
>> 350 g_assert(removed);
>> 351 }
>> 352
>>
>> (gdb) info threads
>> Id Target Id Frame
>> 1 Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39" 0x00007ffff7385596 in ppoll () from /lib64/libc.so.6
>> 2 Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39" 0x00007ffff738b41d in syscall () from /lib64/libc.so.6
>> * 3 Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39" 0x00007ffff730dabc in __pthread_kill_implementation () from /lib64/libc.so.6
>> 4 Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>> 5 Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>> 6 Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>> 7 Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>> 8 Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>> 9 Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>> 10 Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39" 0x00007ffff730820e in __futex_abstimed_wait_common () from /lib64/libc.so.6
>>
>> (gdb) thread apply all bt
>>
>> Thread 10 (Thread 0x7ffeed5fa6c0 (LWP 215982) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556803f30, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567b0600) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567b0600) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556803f70) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 9 (Thread 0x7ffeeddfb6c0 (LWP 215981) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555567b0340, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555675cb10) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555675cb10) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555567b0380) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 8 (Thread 0x7ffeee5fc6c0 (LWP 215980) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555675c850, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555567090f0) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555567090f0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555675c890) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 7 (Thread 0x7ffeeedfd6c0 (LWP 215979) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x555556708e50, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566b5490) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566b5490) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556708e90) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 6 (Thread 0x7ffeef5fe6c0 (LWP 215978) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566b51d0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555566619a0) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555566619a0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x5555566b5210) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 5 (Thread 0x7ffeefdff6c0 (LWP 215977) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x5555566616e0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x55555660deb0) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x55555660deb0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x555556661720) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 4 (Thread 0x7ffff4b506c0 (LWP 215976) "qemu-system-s39"):
>> #0 0x00007ffff730820e in __futex_abstimed_wait_common () at /lib64/libc.so.6
>> #1 0x00007ffff730af50 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libc.so.6
>> #2 0x0000555555dc02ab in qemu_cond_wait_impl (cond=0x55555660dbf0, mutex=0x55555632aac0 <qemu_global_mutex>, file=0x555555f05d6b "../softmmu/cpus.c", line=424) at ../util/qemu-thread-posix.c:225
>> #3 0x00005555559d78fb in qemu_wait_io_event (cpu=0x5555565ba3d0) at ../softmmu/cpus.c:424
>> #4 0x0000555555bba27a in mttcg_cpu_thread_fn (arg=0x5555565ba3d0) at ../accel/tcg/tcg-accel-ops-mttcg.c:123
>> #5 0x0000555555dc0af3 in qemu_thread_start (args=0x55555660dc30) at ../util/qemu-thread-posix.c:541
>> #6 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #7 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 3 (Thread 0x7ffff53516c0 (LWP 215975) "qemu-system-s39"):
>> #0 0x00007ffff730dabc in __pthread_kill_implementation () at /lib64/libc.so.6
>> #1 0x00007ffff72bc266 in raise () at /lib64/libc.so.6
>> #2 0x00007ffff72a4897 in abort () at /lib64/libc.so.6
>> #3 0x00007ffff76f0eee in () at /lib64/libglib-2.0.so.0
>> #4 0x00007ffff775649a in g_assertion_message_expr () at /lib64/libglib-2.0.so.0
>> #5 0x0000555555b96134 in page_unlock__debug (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:348
>> #6 0x0000555555b962a9 in page_unlock (pd=0x7ffee8680440) at ../accel/tcg/tb-maint.c:397
>> #7 0x0000555555b96580 in tb_unlock_pages (tb=0x7fffefffeb00) at ../accel/tcg/tb-maint.c:483
>> #8 0x0000555555b94698 in cpu_exec_longjmp_cleanup (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:556
>> #9 0x0000555555b954e0 in cpu_exec_setjmp (cpu=0x555556566a30, sc=0x7ffff5350540) at ../accel/tcg/cpu-exec.c:1054
>> #10 0x0000555555b9557a in cpu_exec (cpu=0x555556566a30) at ../accel/tcg/cpu-exec.c:1083
>> #11 0x0000555555bb9af6 in tcg_cpus_exec (cpu=0x555556566a30) at ../accel/tcg/tcg-accel-ops.c:75
>> #12 0x0000555555bba1ae in mttcg_cpu_thread_fn (arg=0x555556566a30) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
>> #13 0x0000555555dc0af3 in qemu_thread_start (args=0x5555565ba150) at ../util/qemu-thread-posix.c:541
>> #14 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #15 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 2 (Thread 0x7ffff63bb6c0 (LWP 215974) "qemu-system-s39"):
>> #0 0x00007ffff738b41d in syscall () at /lib64/libc.so.6
>> #1 0x0000555555dc0759 in qemu_futex_wait (f=0x555556352818 <rcu_call_ready_event>, val=4294967295) at /root/git/qemu/include/qemu/futex.h:29
>> #2 0x0000555555dc0940 in qemu_event_wait (ev=0x555556352818 <rcu_call_ready_event>) at ../util/qemu-thread-posix.c:464
>> #3 0x0000555555dcd228 in call_rcu_thread (opaque=0x0) at ../util/rcu.c:278
>> #4 0x0000555555dc0af3 in qemu_thread_start (args=0x5555563bdf20) at ../util/qemu-thread-posix.c:541
>> #5 0x00007ffff730bc64 in start_thread () at /lib64/libc.so.6
>> #6 0x00007ffff7393550 in clone3 () at /lib64/libc.so.6
>>
>> Thread 1 (Thread 0x7ffff63bef40 (LWP 215971) "qemu-system-s39"):
>> #0 0x00007ffff7385596 in ppoll () at /lib64/libc.so.6
>> #1 0x0000555555dde228 in qemu_poll_ns (fds=0x55555680ae50, nfds=75, timeout=9378142) at ../util/qemu-timer.c:351
>> #2 0x0000555555dd9b50 in os_host_main_loop_wait (timeout=9378142) at ../util/main-loop.c:308
>> #3 0x0000555555dd9c7f in main_loop_wait (nonblocking=0) at ../util/main-loop.c:592
>> #4 0x00005555559e5c3e in qemu_main_loop () at ../softmmu/runstate.c:732
>> #5 0x0000555555bbff42 in qemu_default_main () at ../softmmu/main.c:37
>> #6 0x0000555555bbff78 in main (argc=46, argv=0x7fffffffe278) at ../softmmu/main.c:48
>>
>> ----
>
> Hi Richard,
>
> with the two patches:
>
> accel/tcg: Clear tcg_ctx->gen_tb on buffer overflow
>
> and
>
> target/s390x: Move trans_exc_code update to do_program_interrupt
>
> I do not get asserts anymore.
>
> I did notice though some error happening once, that I never saw before when I was running without these patches (and without --enable-debug-tcg, so I would not get asserts).
>
> I have "-d unimp,guest_errors" currently in the cmdline.
>
> unimplemented opcode 0x0000
> [ 87.544553][ T320] illegal operation: 0001 ilc:1 [#1] SMP
> [ 87.546245][ T320] Modules linked in: virtio_blk(+) xfs btrfs blake2b_generic xor raid6_pq libcrc32c ext4 crc32_vx_s390 crc16 mbcache jbd2 squashfs lz4_decompress fuse dm_snapshot dm_bufio dm_crypt essiv authenc dm_mod binfmt_misc loop sg scsi_mod
> [ 87.550754][ T320] Supported: Yes
> [ 87.552441][ T320] CPU: 4 PID: 320 Comm: modprobe Not tainted 5.14.21-150400.22-default #1 SLE15-SP4 a8270a81de044ce12d2ba9b360e3443bea691c52
> [ 87.554408][ T320] Hardware name: QEMU 8561 QEMU (KVM/Linux)
> [ 87.555528][ T320] Krnl PSW : 0704e00180000000 000003ff80580002 (____versions+0x7f80240c6a/0x7f802411f8 [virtio_blk])
> [ 87.557435][ T320] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
> [ 87.558866][ T320] Krnl GPRS: 0000000007ca7520 000003ff805805d8 000000000400f030 0000000007c40000
> [ 87.559938][ T320] 0000000000000000 0000000000000000 0000000000000000 000000000400f030
> [ 87.561557][ T320] 0000000007ca7480 0000000000000007 0000000000000000 0000000007c40000
> [ 87.562821][ T320] 0000000002dfa100 0000000000002200 000003ff805805de 000003800033b6d8
> [ 87.566124][ T320] Krnl Code:#000003ff80580000: 0000 illegal
> [ 87.566124][ T320] >000003ff80580002: 0000 illegal
> [ 87.566124][ T320] 000003ff80580004: 011a unknown
> [ 87.566124][ T320] 000003ff80580006: c1f800000000 unknown
> [ 87.566124][ T320] 000003ff8058000c: 00fa unknown
> [ 87.566124][ T320] 000003ff8058000e: c1a800000000 unknown
> [ 87.566124][ T320] 000003ff80580014: 00fd unknown
> [ 87.566124][ T320] 000003ff80580016: 6c500d10 md %f5,3344
> [ 87.573838][ T320] Call Trace:
> [ 87.576335][ T320] [<000003ff80580002>] ____versions+0x7f80240c6a/0x7f802411f8 [virtio_blk]
> [ 87.577717][ T320] ([<00000000005cf7d6>] blk_mq_alloc_rqs+0xfe/0x2a8)
> [ 87.578756][ T320] [<00000000005cf9fe>] __blk_mq_alloc_map_and_request+0x7e/0x100
> [ 87.579829][ T320] [<00000000005d09be>] blk_mq_alloc_tag_set+0x266/0x3b8
> [ 87.580847][ T320] [<000003ff80581b62>] virtblk_probe+0x3d2/0xb88 [virtio_blk]
> [ 87.582545][ T320] [<00000000006ddb12>] virtio_dev_probe+0x192/0x360
> [ 87.583506][ T320] [<000000000072d2e2>] really_probe+0x1c2/0x490
> [ 87.584357][ T320] [<000000000072d768>] driver_probe_device+0x40/0xf8
> [ 87.585248][ T320] [<000000000072ddf6>] __driver_attach+0x86/0x198
> [ 87.586055][ T320] [<000000000072a8fa>] bus_for_each_dev+0x82/0xc8
> [ 87.586964][ T320] [<000000000072c130>] bus_add_driver+0x170/0x258
> [ 87.587767][ T320] [<000000000072e608>] driver_register+0x88/0x160
> [ 87.588631][ T320] [<000003ff8058706a>] init+0x6a/0x1000 [virtio_blk]
> [ 87.589550][ T320] [<0000000000100bf0>] do_one_initcall+0x40/0x208
> [ 87.590491][ T320] [<00000000009c1620>] do_init_module+0x70/0x260
> [ 87.592186][ T320] [<000000000021e0b4>] load_module+0x1de4/0x25d0
> [ 87.593207][ T320] [<000000000021ea58>] __do_sys_init_module+0x1b8/0x1e8
> [ 87.594226][ T320] [<00000000009c570a>] __do_syscall+0x1c2/0x1e8
> [ 87.595069][ T320] [<00000000009d4a28>] system_call+0x78/0xa0
> [ 87.596053][ T320] Last Breaking-Event-Address:
> [ 87.596697][ T320] [<000000003fffe2c0>] 0x3fffe2c0
> [ 87.598784][ T320] Kernel panic - not syncing: Fatal exception: panic_on_oops
> Guest crashed on cpu 4: disabled-wait
> PSW: 0x0002000180000000 0x000000000010fdd0
>
> This did not manifest again when rerunning.
> Just FYI in case it helps, it might "just" be a kernel error, but I never saw this before when running unpatched...
>
Rebooted a number of times until now, did not reproduce. Happened only once.
C
* Issue with s390 TCG and libc __strstr_arch13 [Was: Re: assert fails in s390x TCG]
From: Claudio Fontana @ 2023-08-04 9:00 UTC (permalink / raw)
To: Cornelia Huck, Richard Henderson; +Cc: qemu-devel
Hi,
On 7/21/23 11:08, Claudio Fontana wrote:
>
> Hello Cornelia, Richard,
>
> I had some strange behavior in an s390x TCG VM that I am debugging,
>
> and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
>
> and I am running the qemu binary with -d unimp,guest_errors .
>
> I get:
>
> /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
>
> unimplemented opcode 0xb9ab
> unimplemented opcode 0xb2af
>
...
> Since I have some strange misbehavior at runtime, with processes dying with segfaults and the guest kernel complaining:
>
> [ 2269s] [ 2243.901667][ T8318] User process fault: interruption code 0011 ilc:2 in libc.so.6[3ff87a80000+1c9000]
> [ 2269s] [ 2243.904433][ T8318] Failing address: 000002aa0f73f000 TEID: 000002aa0f73f800
> [ 2269s] [ 2243.904952][ T8318] Fault in primary space mode while using user ASCE.
> [ 2269s] [ 2243.905405][ T8318] AS:00000000057841c7 R3:0000000001fdc007 S:000000000398c000 P:0000000000000400
>
I am analyzing this problem further, now that the assertions have been solved.
I seem to have found an issue that manifests as a wrong return value from glibc's
__strstr_arch13
found in glibc/sysdeps/s390/strstr-arch13.S, which ends up in libc.so
Based on my tests, I could not trigger this issue on baremetal, I could only see it when run under TCG.
The workload here is the testsuite of the swig package:
git clone https://github.com/swig/swig.git
https://github.com/swig/swig/releases/tag/v4.1.1
https://github.com/swig/swig/commit/77323a0f07562b7d90d36181697a72a909b9519a
The error presents itself as a return of strstr with a match past the end of the terminating NUL character of the string.
Here is the test I am doing to showcase it: I implemented a simple strstr as follows:
--------
#include <assert.h>
#include <stdio.h>
#include <string.h>

static char *strstr_simple(const char *haystack, const char *needle)
{
    /*
     * This function returns a pointer to the beginning of the located substring, or NULL if the substring is not found.
     * If needle is the empty string, the return value is always haystack itself.
     */
    int i, j;

    if (needle == NULL || haystack == NULL) {
        return NULL;
    }
    if (needle[0] == 0) {
        return (char *)haystack;
    }
    for (i = 0; haystack[i] != 0; i++) {
        for (j = 0; haystack[i + j] != 0 && needle[j] != 0; j++) {
            if (needle[j] != haystack[i + j]) {
                break;
            }
        }
        if (needle[j] == 0) {
            return (char *)haystack + i;
        }
    }
    return NULL;
}
--------
and then I have a wrapper that compares the results of this simple implementation with what comes from regular strstr,
where I made sure that the strstr_ifunc results in __strstr_arch13:
char *strstr_w(const char *haystack, const char *needle)
{
    char *rv1 = strstr(haystack, needle);
    char *rv2 = strstr_simple(haystack, needle);

    if (rv1 != rv2) {
        printf("haystack: %p \"%s\"\n"
               "needle: %p \"%s\"\n"
               "rv1: %p\n"
               "rv2: %p\n",
               (void*)haystack, haystack,
               (void*)needle, needle,
               (void*)rv1, (void*)rv2);
        assert(0);
    }
    return rv1;
}
--------
After building swig with compilation flags: -m64 -march=z14 -mtune=z15
and running even a minimal test like:
$ cd Examples/perl5/simple
$ export SWIG_LIB=../../../Lib
$ ../../../swig -perl5 -o example.c.wrap example.i
I get:
haystack: 0x2aa2a2488f0 " "363:operator< ignored" "
needle: 0x2aa2961bc8c " ^A"
rv1: 0x2aa2a24891e
rv2: (nil)
swig: DOH/copy.c:120: strstr_w: Assertion `0' failed.
Aborted
As you can see here strstr returns a match where there is none, and what is even worse, the pointer 0x2aa2a24891e is past the end of the string (0x2aa2a248910).
This causes the successive code (that relies on valid strstr results) to memmove a negative value of bytes, which ends up hitting the end of the heap for the process, causing the segfault originally encountered.
I can make the issue disappear for example by forcing the strstr_ifunc to choose __GI_strstr instead of __strstr_arch13.
Maybe something is going wrong in the vector string search emulation; does something ring a bell?
Let me know if there is something I can provide that could help investigate further.
Thanks,
Claudio
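The differential check that the strstr_w wrapper in the post does by hand, written out as an added example (not code from the thread, from swig or from glibc): a byte-by-byte reference scan plus a validator that classifies any strstr result, so that a pointer past the terminating NUL is reported as out of bounds instead of being handed on to memmove. strstr_ignoring_nul is a constructed stand-in for the symptom only, not the glibc vector routine, and the haystack and needle bytes are constructed to mirror the shape of the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a strstr() result checked against a byte-by-byte scan. */
enum strstr_verdict {
    STRSTR_OK = 0,
    STRSTR_FALSE_NEGATIVE, /* NULL returned although the needle occurs      */
    STRSTR_OUT_OF_BOUNDS,  /* pointer outside [haystack, haystack + strlen]  */
    STRSTR_NO_MATCH_THERE, /* pointer in bounds, but the needle is not there */
    STRSTR_NOT_FIRST       /* a real match, but not the first occurrence     */
};

/* Constructed sample haystack used by the self-checks. */
static const char SAMPLE[] = "abcabc";

/* Reference strstr: byte-by-byte, never reads past the terminating NUL
 * (same semantics as strstr_simple() in the post). */
static const char *strstr_ref(const char *haystack, const char *needle)
{
    size_t nlen = strlen(needle);

    if (nlen == 0) {
        return haystack;
    }
    for (const char *p = haystack; *p != '\0'; p++) {
        /* strncmp stops at the first NUL, so a short tail cannot match. */
        if (strncmp(p, needle, nlen) == 0) {
            return p;
        }
    }
    return NULL;
}

/* Check a result produced by any strstr implementation. The bounds test uses
 * the haystack's own length and plain integer comparison, so a pointer past
 * the terminating NUL (the symptom reported under TCG) is flagged before a
 * single byte is read through it. */
static enum strstr_verdict validate_strstr(const char *haystack,
                                           const char *needle,
                                           const char *result)
{
    size_t hlen = strlen(haystack);
    size_t nlen = strlen(needle);
    const char *expect = strstr_ref(haystack, needle);
    uintptr_t lo = (uintptr_t)haystack;
    uintptr_t hi = lo + hlen;          /* address of the terminating NUL */
    uintptr_t r = (uintptr_t)result;

    if (result == NULL) {
        return expect == NULL ? STRSTR_OK : STRSTR_FALSE_NEGATIVE;
    }
    if (r < lo || r > hi) {
        return STRSTR_OUT_OF_BOUNDS;
    }
    if (hi - r < nlen || memcmp(result, needle, nlen) != 0) {
        return STRSTR_NO_MATCH_THERE;
    }
    return result == expect ? STRSTR_OK : STRSTR_NOT_FIRST;
}

/* Constructed model of the failure, NOT glibc's code: a search that ignores
 * the terminating NUL and keeps scanning `extra` bytes of whatever follows
 * the string in memory. */
static const char *strstr_ignoring_nul(const char *haystack, size_t extra,
                                       const char *needle)
{
    size_t hlen = strlen(haystack);
    size_t nlen = strlen(needle);

    for (size_t i = 0; i + nlen <= hlen + extra; i++) {
        if (memcmp(haystack + i, needle, nlen) == 0) {
            return haystack + i;
        }
    }
    return NULL;
}

/* Rebuild the shape of the report: a buffer holding the haystack, its NUL,
 * and stale bytes behind it that happen to contain the needle. Returns the
 * verdict for the NUL-ignoring scan, expected to be STRSTR_OUT_OF_BOUNDS. */
static enum strstr_verdict demo_past_end_verdict(void)
{
    char buf[64] = "\"363:operator< ignored\"";   /* constructed haystack */
    static const char needle[] = " \x01";          /* constructed needle   */
    size_t hlen = strlen(buf);

    memcpy(buf + hlen + 3, needle, 2);             /* stale bytes past NUL */
    return validate_strstr(buf, needle, strstr_ignoring_nul(buf, 16, needle));
}

int main(void)
{
    enum strstr_verdict v = demo_past_end_verdict();
    printf("NUL-ignoring scan verdict: %d (%s)\n", (int)v,
           v == STRSTR_OUT_OF_BOUNDS ? "match past end of string" : "other");
    return v == STRSTR_OUT_OF_BOUNDS ? 0 : 1;
}
```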
* Re: Issue with s390 TCG and libc __strstr_arch13
From: Thomas Huth @ 2023-08-04 9:20 UTC (permalink / raw)
To: Claudio Fontana, Cornelia Huck, Richard Henderson
Cc: qemu-devel, Ilya Leoshkevich, qemu-s390x, David Hildenbrand
On 04/08/2023 11.00, Claudio Fontana wrote:
> Hi,
>
> On 7/21/23 11:08, Claudio Fontana wrote:
>>
>> Hello Cornelia, Richard,
>>
>> I had some strange behavior in an s390x TCG VM that I am debugging,
>>
>> and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
>>
>> and I am running the qemu binary with -d unimp,guest_errors .
>>
>> I get:
>>
>> /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
>>
>> unimplemented opcode 0xb9ab
>> unimplemented opcode 0xb2af
>>
>
> ...
>
>> Since I have some strange misbehavior at runtime, with processes dying with segfaults and the guest kernel complaining:
>>
>> [ 2269s] [ 2243.901667][ T8318] User process fault: interruption code 0011 ilc:2 in libc.so.6[3ff87a80000+1c9000]
>> [ 2269s] [ 2243.904433][ T8318] Failing address: 000002aa0f73f000 TEID: 000002aa0f73f800
>> [ 2269s] [ 2243.904952][ T8318] Fault in primary space mode while using user ASCE.
>> [ 2269s] [ 2243.905405][ T8318] AS:00000000057841c7 R3:0000000001fdc007 S:000000000398c000 P:0000000000000400
>>
>
> I am analyzing this problem further, now that the assertions have been solved.
>
> I seem to have found an issue that manifests as a wrong return value from glibc's
>
> __strstr_arch13
>
> found in glibc/sysdeps/s390/strstr-arch13.S, which ends up in libc.so
>
> Based on my tests, I could not trigger this issue on baremetal, I could only see it when run under TCG.
>
> The workload here is the testsuite of the swig package:
>
> git clone https://github.com/swig/swig.git
>
> https://github.com/swig/swig/releases/tag/v4.1.1
> https://github.com/swig/swig/commit/77323a0f07562b7d90d36181697a72a909b9519a
>
> The error presents itself as a return of strstr with a match past the end of the terminating NUL character of the string.
>
> Here is the test I am doing to showcase it: I implemented a simple strstr as follows:
>
> --------
>
> static char *strstr_simple(const char *haystack, const char *needle)
> {
> /*
> * This function returns a pointer to the beginning of the located substring, or NULL if the substring is not found.
> * If needle is the empty string, the return value is always haystack itself.
> */
> int i, j;
>
> if (needle == NULL || haystack == NULL) {
> return NULL;
> }
> if (needle[0] == 0) {
> return (char *)haystack;
> }
> for (i = 0; haystack[i] != 0; i++) {
> for (j = 0; haystack[i + j] != 0 && needle[j] != 0; j++) {
> if (needle[j] != haystack[i + j]) {
> break;
> }
> }
> if (needle[j] == 0) {
> return (char *)haystack + i;
> }
> }
> return NULL;
> }
>
>
> --------
>
> and then I have a wrapper that compares the results of this simple implementation with what comes from regular strstr,
> where I made sure that the strstr_ifunc results in __strstr_arch13:
>
> char *strstr_w(const char *haystack, const char *needle)
> {
> char *rv1 = strstr(haystack, needle);
> char *rv2 = strstr_simple(haystack, needle);
> if (rv1 != rv2) {
> printf("haystack: %p \"%s\"\n"
> "needle: %p \"%s\"\n"
> "rv1: %p\n"
> "rv2: %p\n",
> (void*)haystack, haystack,
> (void*)needle, needle,
> (void*)rv1, (void*)rv2);
> assert(0);
> }
> return rv1;
> }
>
> --------
>
>
> After building swig with compilation flags: -m64 -march=z14 -mtune=z15
>
> and running even a minimal test like:
>
> $ cd Examples/perl5/simple
> $ export SWIG_LIB=../../../Lib
> $ ../../../swig -perl5 -o example.c.wrap example.i
>
> I get:
>
> haystack: 0x2aa2a2488f0 " "363:operator< ignored" "
> needle: 0x2aa2961bc8c " ^A"
> rv1: 0x2aa2a24891e
> rv2: (nil)
> swig: DOH/copy.c:120: strstr_w: Assertion `0' failed.
> Aborted
>
> As you can see here strstr returns a match where there is none, and what is even worse, the pointer 0x2aa2a24891e is past the end of the string (0x2aa2a248910).
>
> This causes the successive code (that relies on valid strstr results) to memmove a negative value of bytes, which ends up hitting the end of the heap for the process, causing the segfault originally encountered.
>
> I can make the issue disappear for example by forcing the strstr_ifunc to choose __GI_strstr instead of __strstr_arch13.
>
> Maybe something is going wrong in the vector string search emulation; does something ring a bell?
>
> Let me know if there is something I can provide that could help investigate further.
Could you maybe get a disassembly of your __strstr_arch13 function, so we
could see which vector instructions are in there?
Thomas
* Re: Issue with s390 TCG and libc __strstr_arch13
From: Claudio Fontana @ 2023-08-04 9:58 UTC (permalink / raw)
To: Thomas Huth, Cornelia Huck, Richard Henderson
Cc: qemu-devel, Ilya Leoshkevich, qemu-s390x, David Hildenbrand
On 8/4/23 11:20, Thomas Huth wrote:
> On 04/08/2023 11.00, Claudio Fontana wrote:
>> Hi,
>>
>> On 7/21/23 11:08, Claudio Fontana wrote:
>>>
>>> Hello Cornelia, Richard,
>>>
>>> I had some strange behavior in an s390x TCG VM that I am debugging,
>>>
>>> and configured latest upstream QEMU with --enable-debug --enable-debug-tcg
>>>
>>> and I am running the qemu binary with -d unimp,guest_errors .
>>>
>>> I get:
>>>
>>> /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -vga none -cpu qemu -d unimp,guest_errors -object rng-random,filename=/dev/random,id=rng0 -device virtio-rng-ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-id/virtio-0 rootfstype=ext3 rootflags=data=writeback,nobarrier,commit=150,noatime elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet elevator=noop console=hvc0 init=build -m 2048 -drive file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -device virtio-blk-ccw,drive=disk,serial=0 -drive file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -device virtio-blk-ccw,drive=swap,serial=1 -device virtio-serial-ccw -device virtconsole,chardev=virtiocon0 -chardev stdio,id=virtiocon0 -chardev socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/monitor -mon chardev=monitor,mode=readline -smp 8
>>>
>>> unimplemented opcode 0xb9ab
>>> unimplemented opcode 0xb2af
>>>
>>
>> ...
>>
>>> Since I have some strange misbehavior at runtime, with processes dying with segfaults and the guest kernel complaining:
>>>
>>> [ 2269s] [ 2243.901667][ T8318] User process fault: interruption code 0011 ilc:2 in libc.so.6[3ff87a80000+1c9000]
>>> [ 2269s] [ 2243.904433][ T8318] Failing address: 000002aa0f73f000 TEID: 000002aa0f73f800
>>> [ 2269s] [ 2243.904952][ T8318] Fault in primary space mode while using user ASCE.
>>> [ 2269s] [ 2243.905405][ T8318] AS:00000000057841c7 R3:0000000001fdc007 S:000000000398c000 P:0000000000000400
>>>
>>
>> I am analyzing this problem further, now that the assertions have been solved.
>>
>> I seem to have found an issue that manifests as a wrong return value from glibc's
>>
>> __strstr_arch13
>>
>> found in glibc/sysdeps/s390/strstr-arch13.S, which ends up in libc.so
>>
>> Based on my tests, I could not trigger this issue on baremetal, I could only see it when run under TCG.
>>
>> The workload here is the testsuite of the swig package:
>>
>> git clone https://github.com/swig/swig.git
>>
>> https://github.com/swig/swig/releases/tag/v4.1.1
>> https://github.com/swig/swig/commit/77323a0f07562b7d90d36181697a72a909b9519a
>>
>> The error presents itself as a return of strstr with a match past the end of the terminating NUL character of the string.
>>
>> Here is the test I am doing to showcase it: I implemented a simple strstr as follows:
>>
>> --------
>>
>> static char *strstr_simple(const char *haystack, const char *needle)
>> {
>> /*
>> * This function returns a pointer to the beginning of the located substring, or NULL if the substring is not found.
>> * If needle is the empty string, the return value is always haystack itself.
>> */
>> int i, j;
>>
>> if (needle == NULL || haystack == NULL) {
>> return NULL;
>> }
>> if (needle[0] == 0) {
>> return (char *)haystack;
>> }
>> for (i = 0; haystack[i] != 0; i++) {
>> for (j = 0; haystack[i + j] != 0 && needle[j] != 0; j++) {
>> if (needle[j] != haystack[i + j]) {
>> break;
>> }
>> }
>> if (needle[j] == 0) {
>> return (char *)haystack + i;
>> }
>> }
>> return NULL;
>> }
>>
>>
>> --------
>>
>> and then I have a wrapper that compares the results of this simple implementation with what comes from regular strstr,
>> where I made sure that the strstr_ifunc results in __strstr_arch13:
>>
>> char *strstr_w(const char *haystack, const char *needle)
>> {
>>     char *rv1 = strstr(haystack, needle);
>>     char *rv2 = strstr_simple(haystack, needle);
>>     if (rv1 != rv2) {
>>         printf("haystack: %p \"%s\"\n"
>>                "needle: %p \"%s\"\n"
>>                "rv1: %p\n"
>>                "rv2: %p\n",
>>                (void*)haystack, haystack,
>>                (void*)needle, needle,
>>                (void*)rv1, (void*)rv2);
>>         assert(0);
>>     }
>>     return rv1;
>> }
>>
>> --------
>>
>>
>> After building swig with compilation flags: -m64 -march=z14 -mtune=z15
>>
>> and running even a minimal test like:
>>
>> $ cd Examples/perl5/simple
>> $ export SWIG_LIB=../../../Lib
>> $ ../../../swig -perl5 -o example.c.wrap example.i
>>
>> I get:
>>
>> haystack: 0x2aa2a2488f0 " "363:operator< ignored" "
>> needle: 0x2aa2961bc8c " ^A"
>> rv1: 0x2aa2a24891e
>> rv2: (nil)
>> swig: DOH/copy.c:120: strstr_w: Assertion `0' failed.
>> Aborted
>>
>> As you can see here strstr returns a match where there is none, and what is even worse, the pointer 0x2aa2a24891e is past the end of the string (0x2aa2a248910).
>>
>> This causes the successive code (that relies on valid strstr results) to memmove a negative value of bytes, which ends up hitting the end of the heap for the process, causing the segfault originally encountered.
>>
>> I can make the issue disappear for example by forcing the strstr_ifunc to choose __GI_strstr instead of __strstr_arch13.
>>
>> Maybe something going wrong in the vector string search emulation, something rings a bell?
>>
>> Let me know if there is something I can provide that could help investigate further.
>
> Could you maybe get a disassembly of your __strstr_arch13 function, so we
> could see which vector instructions are in there?
>
> Thomas
Here it is:
000000000002ac70 <__strstr_arch13>:
2ac70: e7 10 30 00 60 27 lcbb %r1,0(%r3),6
2ac76: a7 14 00 c6 jo 2ae02 <__strstr_arch13+0x192>
2ac7a: e7 20 30 00 68 06 vl %v18,0(%r3),6
2ac80: e7 32 20 20 0e 81 vfenezb %v19,%v18,%v18
2ac86: e7 43 00 07 04 21 vlgvb %r4,%v19,7
2ac8c: a7 59 00 11 lghi %r5,17
2ac90: ec 48 e0 00 00 fc cgibe %r4,0,0(%r14)
2ac96: c2 4e 00 00 00 09 clgfi %r4,9
2ac9c: c0 24 00 04 70 42 jgh b8d20 <__GI_strstr>
2aca2: b9 09 00 54 sgr %r5,%r4
2aca6: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
2acac: a7 14 00 96 jo 2add8 <__strstr_arch13+0x168>
2acb0: e7 00 20 00 08 06 vl %v16,0(%r2)
2acb6: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2acbc: a7 74 00 33 jne 2ad22 <__strstr_arch13+0xb2>
2acc0: e7 10 20 10 60 27 lcbb %r1,16(%r2),6
2acc6: a7 14 00 87 jo 2add4 <__strstr_arch13+0x164>
2acca: e7 00 20 10 08 06 vl %v16,16(%r2)
2acd0: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2acd6: a7 74 00 24 jne 2ad1e <__strstr_arch13+0xae>
2acda: e7 10 20 20 60 27 lcbb %r1,32(%r2),6
2ace0: a7 14 00 78 jo 2add0 <__strstr_arch13+0x160>
2ace4: e7 00 20 20 08 06 vl %v16,32(%r2)
2acea: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2acf0: a7 74 00 15 jne 2ad1a <__strstr_arch13+0xaa>
2acf4: e7 10 20 30 60 27 lcbb %r1,48(%r2),6
2acfa: a7 14 00 69 jo 2adcc <__strstr_arch13+0x15c>
2acfe: e7 00 20 30 08 06 vl %v16,48(%r2)
2ad04: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2ad0a: a7 74 00 06 jne 2ad16 <__strstr_arch13+0xa6>
2ad0e: 41 20 20 40 la %r2,64(%r2)
2ad12: a7 f4 ff ca j 2aca6 <__strstr_arch13+0x36>
2ad16: 41 20 20 10 la %r2,16(%r2)
2ad1a: 41 20 20 10 la %r2,16(%r2)
2ad1e: 41 20 20 10 la %r2,16(%r2)
2ad22: a7 24 00 4f jh 2adc0 <__strstr_arch13+0x150>
2ad26: a7 44 00 4a jl 2adba <__strstr_arch13+0x14a>
2ad2a: e7 15 20 00 60 27 lcbb %r1,0(%r5,%r2),6
2ad30: 41 25 20 00 la %r2,0(%r5,%r2)
2ad34: a7 14 00 52 jo 2add8 <__strstr_arch13+0x168>
2ad38: e7 00 20 00 08 06 vl %v16,0(%r2)
2ad3e: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2ad44: a7 24 00 3e jh 2adc0 <__strstr_arch13+0x150>
2ad48: a7 44 00 39 jl 2adba <__strstr_arch13+0x14a>
2ad4c: 41 25 20 00 la %r2,0(%r5,%r2)
2ad50: a7 84 ff ab je 2aca6 <__strstr_arch13+0x36>
2ad54: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
2ad5a: a7 14 00 3f jo 2add8 <__strstr_arch13+0x168>
2ad5e: e7 00 20 00 08 06 vl %v16,0(%r2)
2ad64: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2ad6a: a7 24 00 2b jh 2adc0 <__strstr_arch13+0x150>
2ad6e: a7 44 00 26 jl 2adba <__strstr_arch13+0x14a>
2ad72: 41 25 20 00 la %r2,0(%r5,%r2)
2ad76: a7 84 ff 98 je 2aca6 <__strstr_arch13+0x36>
2ad7a: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
2ad80: a7 14 00 2c jo 2add8 <__strstr_arch13+0x168>
2ad84: e7 00 20 00 08 06 vl %v16,0(%r2)
2ad8a: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2ad90: a7 24 00 18 jh 2adc0 <__strstr_arch13+0x150>
2ad94: a7 44 00 13 jl 2adba <__strstr_arch13+0x14a>
2ad98: 41 25 20 00 la %r2,0(%r5,%r2)
2ad9c: a7 84 ff 85 je 2aca6 <__strstr_arch13+0x36>
2ada0: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
2ada6: a7 14 00 19 jo 2add8 <__strstr_arch13+0x168>
2adaa: e7 00 20 00 08 06 vl %v16,0(%r2)
2adb0: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
2adb6: a7 f4 ff c7 j 2ad44 <__strstr_arch13+0xd4>
2adba: a7 29 00 00 lghi %r2,0
2adbe: 07 fe br %r14
2adc0: e7 44 00 07 04 21 vlgvb %r4,%v20,7
2adc6: 41 24 20 00 la %r2,0(%r4,%r2)
2adca: 07 fe br %r14
2adcc: 41 20 20 10 la %r2,16(%r2)
2add0: 41 20 20 10 la %r2,16(%r2)
2add4: 41 20 20 10 la %r2,16(%r2)
2add8: a7 1a ff ff ahi %r1,-1
2addc: e7 01 20 00 08 37 vll %v16,%r1,0(%r2)
2ade2: e7 51 00 07 08 22 vlvgb %v21,%r1,7
2ade8: e7 10 00 20 0e 81 vfenezb %v17,%v16,%v16
2adee: e7 15 00 00 0c d9 veclb %v17,%v21
2adf4: a7 c4 ff 61 jle 2acb6 <__strstr_arch13+0x46>
2adf8: e7 00 20 00 08 06 vl %v16,0(%r2)
2adfe: a7 f4 ff 5c j 2acb6 <__strstr_arch13+0x46>
2ae02: a7 1a ff ff ahi %r1,-1
2ae06: e7 21 30 00 08 37 vll %v18,%r1,0(%r3)
2ae0c: e7 51 00 07 08 22 vlvgb %v21,%r1,7
2ae12: e7 32 20 20 0e 81 vfenezb %v19,%v18,%v18
2ae18: e7 35 00 00 0c d9 veclb %v19,%v21
2ae1e: a7 c4 ff 34 jle 2ac86 <__strstr_arch13+0x16>
2ae22: e7 20 30 00 08 06 vl %v18,0(%r3)
2ae28: e7 32 20 20 0e 81 vfenezb %v19,%v18,%v18
2ae2e: a7 f4 ff 2c j 2ac86 <__strstr_arch13+0x16>
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: Issue with s390 TCG and libc __strstr_arch13
2023-08-04 9:58 ` Claudio Fontana
@ 2023-08-04 14:21 ` Ilya Leoshkevich
0 siblings, 0 replies; 21+ messages in thread
From: Ilya Leoshkevich @ 2023-08-04 14:21 UTC (permalink / raw)
To: Claudio Fontana, Thomas Huth, Cornelia Huck, Richard Henderson
Cc: qemu-devel, qemu-s390x, David Hildenbrand
On Fri, 2023-08-04 at 11:58 +0200, Claudio Fontana wrote:
> On 8/4/23 11:20, Thomas Huth wrote:
> > On 04/08/2023 11.00, Claudio Fontana wrote:
> > > Hi,
> > >
> > > On 7/21/23 11:08, Claudio Fontana wrote:
> > > >
> > > > Hello Cornelia, Richard,
> > > >
> > > > I had some strange behavior in an s390x TCG VM that I am
> > > > debugging,
> > > >
> > > > and configured latest upstream QEMU with --enable-debug --
> > > > enable-debug-tcg
> > > >
> > > > and I am running the qemu binary with -d unimp,guest_errors .
> > > >
> > > > I get:
> > > >
> > > > /usr/bin/qemu-system-s390x -nodefaults -no-reboot -nographic -
> > > > vga none -cpu qemu -d unimp,guest_errors -object rng-
> > > > random,filename=/dev/random,id=rng0 -device virtio-rng-
> > > > ccw,rng=rng0 -runas qemu -net none -kernel /var/tmp/boot/kernel
> > > > -initrd /var/tmp/boot/initrd -append root=/dev/disk/by-
> > > > id/virtio-0 rootfstype=ext3
> > > > rootflags=data=writeback,nobarrier,commit=150,noatime
> > > > elevator=noop nmi_watchdog=0 rw oops=panic panic=1 quiet
> > > > elevator=noop console=hvc0 init=build -m 2048 -drive
> > > > file=/var/tmp/img,format=raw,if=none,id=disk,cache=unsafe -
> > > > device virtio-blk-ccw,drive=disk,serial=0 -drive
> > > > file=/var/tmp/swap,format=raw,if=none,id=swap,cache=unsafe -
> > > > device virtio-blk-ccw,drive=swap,serial=1 -device virtio-
> > > > serial-ccw -device virtconsole,chardev=virtiocon0 -chardev
> > > > stdio,id=virtiocon0 -chardev
> > > > socket,id=monitor,server=on,wait=off,path=/var/tmp/img.qemu/mon
> > > > itor -mon chardev=monitor,mode=readline -smp 8
> > > >
> > > > unimplemented opcode 0xb9ab
> > > > unimplemented opcode 0xb2af
> > > >
> > >
> > > ...
> > >
> > > > Since I have some strange misbehavior at runtime, with
> > > > processes dying with segfaults and the guest kernel
> > > > complaining:
> > > >
> > > > [ 2269s] [ 2243.901667][ T8318] User process fault:
> > > > interruption code 0011 ilc:2 in libc.so.6[3ff87a80000+1c9000]
> > > > [ 2269s] [ 2243.904433][ T8318] Failing address:
> > > > 000002aa0f73f000 TEID: 000002aa0f73f800
> > > > [ 2269s] [ 2243.904952][ T8318] Fault in primary space mode
> > > > while using user ASCE.
> > > > [ 2269s] [ 2243.905405][ T8318] AS:00000000057841c7
> > > > R3:0000000001fdc007 S:000000000398c000 P:0000000000000400
> > > >
> > >
> > > I am analyzing this problem further, now that the assertions have
> > > been solved.
> > >
> > > I seem to have found an issue that manifests as a wrong return
> > > value from glibc's
> > >
> > > __strstr_arch13
> > >
> > > found in glibc/sysdeps/s390/strstr-arch13.S, which ends up in
> > > libc.so
> > >
> > > Based on my tests, I could not trigger this issue on baremetal, I
> > > could only see it when run under TCG.
> > >
> > > The workload here is the testsuite of the swig package:
> > >
> > > git clone https://github.com/swig/swig.git
> > >
> > > https://github.com/swig/swig/releases/tag/v4.1.1
> > > https://github.com/swig/swig/commit/77323a0f07562b7d90d36181697a72a909b9519a
> > >
> > > The error presents itself as a return of strstr with a match past
> > > the end of the terminating NUL character of the string.
> > >
> > > Here is the test I am doing to showcase it: I implemented a
> > > simple strstr as follows:
> > >
> > > --------
> > >
> > > static char *strstr_simple(const char *haystack, const char
> > > *needle)
> > > {
> > > /*
> > > * This function return a pointer to the beginning of the
> > > located substring, or NULL if the substring is not found.
> > > * If needle is the empty string, the return value is always
> > > haystack itself.
> > > */
> > > int i, j;
> > >
> > > if (needle == NULL || haystack == NULL) {
> > > return NULL;
> > > }
> > > if (needle[0] == 0) {
> > > return (char *)haystack;
> > > }
> > > for (i = 0; haystack[i] != 0; i++) {
> > > for (j = 0; haystack[i + j] != 0 && needle[j] != 0; j++) {
> > > if (needle[j] != haystack[i + j]) {
> > > break;
> > > }
> > > }
> > > if (needle[j] == 0) {
> > > return (char *)haystack + i;
> > > }
> > > }
> > > return NULL;
> > > }
> > >
> > >
> > > --------
> > >
> > > and then I have a wrapper that compares the results of this
> > > simple implementation with what comes from regular strstr,
> > > where I made sure that the strstr_ifunc results in
> > > __strstr_arch13:
> > >
> > > char *strstr_w(const char *haystack, const char *needle)
> > > {
> > > char *rv1 = strstr(haystack, needle);
> > > char *rv2 = strstr_simple(haystack, needle);
> > > if (rv1 != rv2) {
> > > printf("haystack: %p \"%s\"\n"
> > > "needle: %p \"%s\"\n"
> > > "rv1: %p\n"
> > > "rv2: %p\n",
> > > (void*)haystack, haystack,
> > > (void*)needle, needle,
> > > (void*)rv1, (void*)rv2);
> > > assert(0);
> > > }
> > > return rv1;
> > > }
> > >
> > > --------
> > >
> > >
> > > After building swig with compilation flags: -m64 -march=z14 -
> > > mtune=z15
> > >
> > > and running even a minimal test like:
> > >
> > > $ cd Examples/perl5/simple
> > > $ export SWIG_LIB=../../../Lib
> > > $ ../../../swig -perl5 -o example.c.wrap example.i
> > >
> > > I get:
> > >
> > > haystack: 0x2aa2a2488f0 " "363:operator< ignored" "
> > > needle: 0x2aa2961bc8c " ^A"
> > > rv1: 0x2aa2a24891e
> > > rv2: (nil)
> > > swig: DOH/copy.c:120: strstr_w: Assertion `0' failed.
> > > Aborted
> > >
> > > As you can see here strstr returns a match where there is none,
> > > and what is even worse, the pointer 0x2aa2a24891e is past the end
> > > of the string (0x2aa2a248910).
> > >
> > > This causes the successive code (that relies on valid strstr
> > > results) to memmove a negative value of bytes, which ends up
> > > hitting the end of the heap for the process, causing the segfault
> > > originally encountered.
> > >
> > > I can make the issue disappear for example by forcing the
> > > strstr_ifunc to choose __GI_strstr instead of __strstr_arch13.
> > >
> > > Maybe something going wrong in the vector string search
> > > emulation, something rings a bell?
> > >
> > > Let me know if there is something I can provide that could help
> > > investigate further.
> >
> > Could you maybe get a disassembly of your __strstr_arch13 function,
> > so we
> > could see which vector instructions are in there?
> >
> > Thomas
>
> Here it is:
>
> 000000000002ac70 <__strstr_arch13>:
> 2ac70: e7 10 30 00 60 27 lcbb %r1,0(%r3),6
> 2ac76: a7 14 00 c6 jo 2ae02
> <__strstr_arch13+0x192>
> 2ac7a: e7 20 30 00 68 06 vl %v18,0(%r3),6
> 2ac80: e7 32 20 20 0e 81 vfenezb %v19,%v18,%v18
> 2ac86: e7 43 00 07 04 21 vlgvb %r4,%v19,7
> 2ac8c: a7 59 00 11 lghi %r5,17
> 2ac90: ec 48 e0 00 00 fc cgibe %r4,0,0(%r14)
> 2ac96: c2 4e 00 00 00 09 clgfi %r4,9
> 2ac9c: c0 24 00 04 70 42 jgh b8d20 <__GI_strstr>
> 2aca2: b9 09 00 54 sgr %r5,%r4
> 2aca6: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
> 2acac: a7 14 00 96 jo 2add8
> <__strstr_arch13+0x168>
> 2acb0: e7 00 20 00 08 06 vl %v16,0(%r2)
> 2acb6: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2acbc: a7 74 00 33 jne 2ad22
> <__strstr_arch13+0xb2>
> 2acc0: e7 10 20 10 60 27 lcbb %r1,16(%r2),6
> 2acc6: a7 14 00 87 jo 2add4
> <__strstr_arch13+0x164>
> 2acca: e7 00 20 10 08 06 vl %v16,16(%r2)
> 2acd0: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2acd6: a7 74 00 24 jne 2ad1e
> <__strstr_arch13+0xae>
> 2acda: e7 10 20 20 60 27 lcbb %r1,32(%r2),6
> 2ace0: a7 14 00 78 jo 2add0
> <__strstr_arch13+0x160>
> 2ace4: e7 00 20 20 08 06 vl %v16,32(%r2)
> 2acea: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2acf0: a7 74 00 15 jne 2ad1a
> <__strstr_arch13+0xaa>
> 2acf4: e7 10 20 30 60 27 lcbb %r1,48(%r2),6
> 2acfa: a7 14 00 69 jo 2adcc
> <__strstr_arch13+0x15c>
> 2acfe: e7 00 20 30 08 06 vl %v16,48(%r2)
> 2ad04: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2ad0a: a7 74 00 06 jne 2ad16
> <__strstr_arch13+0xa6>
> 2ad0e: 41 20 20 40 la %r2,64(%r2)
> 2ad12: a7 f4 ff ca j 2aca6
> <__strstr_arch13+0x36>
> 2ad16: 41 20 20 10 la %r2,16(%r2)
> 2ad1a: 41 20 20 10 la %r2,16(%r2)
> 2ad1e: 41 20 20 10 la %r2,16(%r2)
> 2ad22: a7 24 00 4f jh 2adc0
> <__strstr_arch13+0x150>
> 2ad26: a7 44 00 4a jl 2adba
> <__strstr_arch13+0x14a>
> 2ad2a: e7 15 20 00 60 27 lcbb %r1,0(%r5,%r2),6
> 2ad30: 41 25 20 00 la %r2,0(%r5,%r2)
> 2ad34: a7 14 00 52 jo 2add8
> <__strstr_arch13+0x168>
> 2ad38: e7 00 20 00 08 06 vl %v16,0(%r2)
> 2ad3e: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2ad44: a7 24 00 3e jh 2adc0
> <__strstr_arch13+0x150>
> 2ad48: a7 44 00 39 jl 2adba
> <__strstr_arch13+0x14a>
> 2ad4c: 41 25 20 00 la %r2,0(%r5,%r2)
> 2ad50: a7 84 ff ab je 2aca6
> <__strstr_arch13+0x36>
> 2ad54: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
> 2ad5a: a7 14 00 3f jo 2add8
> <__strstr_arch13+0x168>
> 2ad5e: e7 00 20 00 08 06 vl %v16,0(%r2)
> 2ad64: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2ad6a: a7 24 00 2b jh 2adc0
> <__strstr_arch13+0x150>
> 2ad6e: a7 44 00 26 jl 2adba
> <__strstr_arch13+0x14a>
> 2ad72: 41 25 20 00 la %r2,0(%r5,%r2)
> 2ad76: a7 84 ff 98 je 2aca6
> <__strstr_arch13+0x36>
> 2ad7a: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
> 2ad80: a7 14 00 2c jo 2add8
> <__strstr_arch13+0x168>
> 2ad84: e7 00 20 00 08 06 vl %v16,0(%r2)
> 2ad8a: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2ad90: a7 24 00 18 jh 2adc0
> <__strstr_arch13+0x150>
> 2ad94: a7 44 00 13 jl 2adba
> <__strstr_arch13+0x14a>
> 2ad98: 41 25 20 00 la %r2,0(%r5,%r2)
> 2ad9c: a7 84 ff 85 je 2aca6
> <__strstr_arch13+0x36>
> 2ada0: e7 10 20 00 60 27 lcbb %r1,0(%r2),6
> 2ada6: a7 14 00 19 jo 2add8
> <__strstr_arch13+0x168>
> 2adaa: e7 00 20 00 08 06 vl %v16,0(%r2)
> 2adb0: e7 40 20 20 3f 8b vstrszb %v20,%v16,%v18,%v19
> 2adb6: a7 f4 ff c7 j 2ad44
> <__strstr_arch13+0xd4>
> 2adba: a7 29 00 00 lghi %r2,0
> 2adbe: 07 fe br %r14
> 2adc0: e7 44 00 07 04 21 vlgvb %r4,%v20,7
> 2adc6: 41 24 20 00 la %r2,0(%r4,%r2)
> 2adca: 07 fe br %r14
> 2adcc: 41 20 20 10 la %r2,16(%r2)
> 2add0: 41 20 20 10 la %r2,16(%r2)
> 2add4: 41 20 20 10 la %r2,16(%r2)
> 2add8: a7 1a ff ff ahi %r1,-1
> 2addc: e7 01 20 00 08 37 vll %v16,%r1,0(%r2)
> 2ade2: e7 51 00 07 08 22 vlvgb %v21,%r1,7
> 2ade8: e7 10 00 20 0e 81 vfenezb %v17,%v16,%v16
> 2adee: e7 15 00 00 0c d9 veclb %v17,%v21
> 2adf4: a7 c4 ff 61 jle 2acb6
> <__strstr_arch13+0x46>
> 2adf8: e7 00 20 00 08 06 vl %v16,0(%r2)
> 2adfe: a7 f4 ff 5c j 2acb6
> <__strstr_arch13+0x46>
> 2ae02: a7 1a ff ff ahi %r1,-1
> 2ae06: e7 21 30 00 08 37 vll %v18,%r1,0(%r3)
> 2ae0c: e7 51 00 07 08 22 vlvgb %v21,%r1,7
> 2ae12: e7 32 20 20 0e 81 vfenezb %v19,%v18,%v18
> 2ae18: e7 35 00 00 0c d9 veclb %v19,%v21
> 2ae1e: a7 c4 ff 34 jle 2ac86
> <__strstr_arch13+0x16>
> 2ae22: e7 20 30 00 08 06 vl %v18,0(%r3)
> 2ae28: e7 32 20 20 0e 81 vfenezb %v19,%v18,%v18
> 2ae2e: a7 f4 ff 2c j 2ac86
> <__strstr_arch13+0x16>
Thanks! I did some trace comparisons, and I can see that vstrszb
sometimes produces a CC that is different from the one from the real
hardware. I'll dig into this further and hopefully come up with a
patch.
* Re: assert fails in s390x TCG
2023-07-28 16:43 ` Richard Henderson
@ 2024-06-12 12:41 ` Philippe Mathieu-Daudé
2024-06-12 13:08 ` Claudio Fontana
0 siblings, 1 reply; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-06-12 12:41 UTC (permalink / raw)
To: Richard Henderson, Claudio Fontana, Cornelia Huck
Cc: qemu-devel, Alex Bennée, Anton Johansson
On 28/7/23 18:43, Richard Henderson wrote:
> On 7/28/23 09:05, Richard Henderson wrote:
>> It's the page containing both code and a page table entry that
>> concerns me. It seems like a kernel bug, though obviously we
>> shouldn't crash. I'm not sure what to do about it.
>
> Bah. Of course it's not a kernel bug, since the store is to LowCore.
> And of course LowCore is part of a larger page, which easily has other
> stuff.
Maybe related to
https://lore.kernel.org/qemu-devel/20240611215814.32752-1-anjo@rev.ng/
* Re: assert fails in s390x TCG
2024-06-12 12:41 ` Philippe Mathieu-Daudé
@ 2024-06-12 13:08 ` Claudio Fontana
2024-06-12 14:33 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 21+ messages in thread
From: Claudio Fontana @ 2024-06-12 13:08 UTC (permalink / raw)
To: Philippe Mathieu-Daudé, Richard Henderson, Cornelia Huck
Cc: qemu-devel, Alex Bennée, Anton Johansson
On 6/12/24 14:41, Philippe Mathieu-Daudé wrote:
> On 28/7/23 18:43, Richard Henderson wrote:
>> On 7/28/23 09:05, Richard Henderson wrote:
>>> It's the page containing both code and a page table entry that
>>> concerns me. It seems like a kernel bug, though obviously we
>>> shouldn't crash. I'm not sure what to do about it.
>>
>> Bah. Of course it's not a kernel bug, since the store is to LowCore.
>> And of course LowCore is part of a larger page, which easily has other
>> stuff.
>
> Maybe related to
> https://lore.kernel.org/qemu-devel/20240611215814.32752-1-anjo@rev.ng/
>
Hi Philippe,
this was already fixed by Ilya's commit:
commit 791b2b6a930273db694b9ba48bbb406e78715927
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: Sat Aug 5 01:03:18 2023 +0200
target/s390x: Fix the "ignored match" case in VSTRS
Currently the emulation of VSTRS recognizes partial matches in presence
of \0 in the haystack, which, according to PoP, is not correct:
If the ZS flag is one and a zero byte was detected
in the second operand, then there can not be a
partial match ...
Add a check for this. While at it, fold a number of explicitly handled
special cases into the generic logic.
Cc: qemu-stable@nongnu.org
Reported-by: Claudio Fontana <cfontana@suse.de>
Closes: https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg00633.html
Fixes: 1d706f314191 ("target/s390x: vxeh2: vector string search")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230804233748.218935-3-iii@linux.ibm.com>
Tested-by: Claudio Fontana <cfontana@suse.de>
Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Ciao,
Claudio
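The following is an added example and not code from the thread, from glibc or from QEMU. It is a small C model of what Ilya's reply (vstrszb producing a condition code that differs from real hardware) and the VSTRS commit message quoted above describe. vstrszb_model() searches one 16-byte chunk the way VSTRSZB does and can run either with the pre-fix behaviour, where a partial match is still reported when the needle's leading bytes run into a zero byte in the haystack chunk, or with the PoP rule from the commit message, where a zero byte in the second operand rules out a partial match. strstr_arch13_model() is the chunk loop of __strstr_arch13 as read from the disassembly earlier in the thread: needle length via vfenezb, the jh branch (CC2) returning r2 plus byte 7 of the result vector, the jl branch (CC1) returning NULL, the fall-through (CC3) stepping by r5 = 17 - length, and CC0 moving to the next chunk; the lcbb/vll page-crossing paths and the jump to the generic strstr for needles longer than 9 bytes are left out. The condition-code encoding (0 no match, 1 no match with a zero byte found, 2 full match, 3 partial match) and the shape of the pre-fix behaviour are my reading of the commit message and the branch mnemonics, not copied from QEMU. The sample buffer is constructed, not captured: the haystack from the report with its terminating NUL placed at offset 25 (the length of the printed string; the report's 0x2aa2a248910 is not used), followed by stale bytes that happen to hold the needle " \x01" at offset 46, which is the distance 0x2aa2a24891e - 0x2aa2a2488f0 = 0x2e of the bad rv1 in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VLEN 16            /* a vector register holds 16 byte elements */
#define SAMPLE_LEN 64

enum { CC_NO_MATCH = 0, CC_NO_MATCH_ZERO = 1, CC_FULL = 2, CC_PARTIAL = 3 };

/* VSTRSZB on one 16-byte chunk (assumed CC encoding, see lead-in). needle_len
 * stands for byte 7 of V4; ZS cuts both operands at their first zero byte.
 * fixed=false is the pre-fix emulation, fixed=true the PoP rule. *idx gets the
 * match index (VLEN if none); the return value is the condition code. */
static int vstrszb_model(const uint8_t chunk[VLEN], const uint8_t needle[VLEN],
                         int needle_len, bool fixed, int *idx)
{
    int len = needle_len < VLEN ? needle_len : VLEN;
    int zero = VLEN, end, k, j;

    for (j = 0; j < len; j++) {             /* ZS: needle ends at its first NUL */
        if (needle[j] == 0) { len = j; break; }
    }
    if (len == 0) { *idx = 0; return CC_FULL; }
    for (k = 0; k < VLEN; k++) {            /* ZS: haystack ends at its first NUL */
        if (chunk[k] == 0) { zero = k; break; }
    }
    /* Pre-fix: the compare window stops at the NUL, so needle bytes running
     * into it look like a partial match. Fixed: the window runs to the chunk
     * end, the NUL itself mismatches, and a chunk with a NUL yields no partial. */
    end = fixed ? VLEN : zero;
    for (k = 0; k < zero; k++) {
        int fit = (k + len <= end) ? len : end - k;  /* needle bytes in window */
        for (j = 0; j < fit && chunk[k + j] == needle[j]; j++) { }
        if (j < fit) continue;
        *idx = k;
        return fit == len ? CC_FULL : CC_PARTIAL;
    }
    *idx = VLEN;
    return zero == VLEN ? CC_NO_MATCH : CC_NO_MATCH_ZERO;
}

/* The chunk loop of __strstr_arch13 as read from the disassembly: needle
 * length via vfenezb, then vl + vstrszb per chunk; CC2 returns the match,
 * CC1 returns NULL, CC3 steps by r5 = 17 - len, CC0 steps a full chunk.
 * No lcbb/vll page-crossing handling and no fallback to the generic strstr
 * for needles longer than 9 bytes, so hay must stay readable for every
 * chunk touched. Returns the match offset, or -1 for no match. */
static long strstr_arch13_model(const uint8_t *hay, const char *needle, bool fixed)
{
    uint8_t nd[VLEN] = {0};
    int nlen = 0, idx, cc;
    long pos = 0;

    for (; nlen < VLEN && needle[nlen] != 0; nlen++) {
        nd[nlen] = (uint8_t)needle[nlen];
    }
    if (nlen == 0) return 0;                 /* cgibe %r4,0: empty needle */
    if (nlen > 9) return -2;                 /* real code: jgh __GI_strstr */
    for (;;) {
        cc = vstrszb_model(hay + pos, nd, nlen, fixed, &idx);
        if (cc == CC_FULL) return pos + idx;
        if (cc == CC_NO_MATCH_ZERO) return -1;
        pos += (cc == CC_PARTIAL) ? 17 - nlen : VLEN;
    }
}

/* Constructed sample, not a capture: the haystack from the report with its
 * NUL at offset 25, then stale bytes that happen to hold " \x01" at offset 46. */
static void build_sample(uint8_t buf[SAMPLE_LEN])
{
    static const char hay[] = " \"363:operator< ignored\" ";
    memset(buf, 'A', SAMPLE_LEN);
    memcpy(buf, hay, sizeof hay);            /* 25 bytes plus the NUL */
    buf[46] = ' ';
    buf[47] = 0x01;
    buf[SAMPLE_LEN - 1] = 0;                 /* keeps the model loop bounded */
}

static long search_sample(const char *needle, bool fixed)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf);
    return strstr_arch13_model(buf, needle, fixed);
}

/* Reference from the host's own strstr, as in the wrapper from the report. */
static long reference_sample(const char *needle)
{
    uint8_t buf[SAMPLE_LEN];
    const char *p;
    build_sample(buf);
    p = strstr((const char *)buf, needle);
    return p ? (long)(p - (const char *)buf) : -1;
}

int main(void)
{
    const char *needle = " \x01";
    printf("reference strstr: %ld\n", reference_sample(needle));
    printf("arch13 loop, pre-fix VSTRS: %ld\n", search_sample(needle, false));
    printf("arch13 loop, fixed VSTRS:   %ld\n", search_sample(needle, true));
    return 0;
}
```

Build with cc -std=c11 and run. With the pre-fix model the chunk starting at offset 15 ends in a trailing space followed by the NUL, the space alone is reported as a partial match of " \x01", the loop steps by 17 - 2 = 15 bytes past the terminator and keeps scanning adjacent memory until it finds " \x01" at offset 46: a "match" past the end of the string, which is the shape of the wrong rv1 in the report. With the PoP rule the same chunk yields CC1 and the search returns no match, agreeing with the host strstr. Needles that do not touch the NUL ("ignored", or "< ignored" which straddles the first two chunks) give the same offset in both modes, so the difference is confined to the case the commit message names.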
* Re: assert fails in s390x TCG
2024-06-12 13:08 ` Claudio Fontana
@ 2024-06-12 14:33 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-06-12 14:33 UTC (permalink / raw)
To: Claudio Fontana, Richard Henderson, Cornelia Huck
Cc: qemu-devel, Alex Bennée, Anton Johansson, Ilya Leoshkevich
On 12/6/24 15:08, Claudio Fontana wrote:
> On 6/12/24 14:41, Philippe Mathieu-Daudé wrote:
>> On 28/7/23 18:43, Richard Henderson wrote:
>>> On 7/28/23 09:05, Richard Henderson wrote:
>>>> It's the page containing both code and a page table entry that
>>>> concerns me. It seems like a kernel bug, though obviously we
>>>> shouldn't crash. I'm not sure what to do about it.
>>>
>>> Bah. Of course it's not a kernel bug, since the store is to LowCore.
>>> And of course LowCore is part of a larger page, which easily has other
>>> stuff.
>>
>> Maybe related to
>> https://lore.kernel.org/qemu-devel/20240611215814.32752-1-anjo@rev.ng/
>>
>
> Hi philippe,
>
> this was already fixed by Ilya's commit:
>
> commit 791b2b6a930273db694b9ba48bbb406e78715927
> Author: Ilya Leoshkevich <iii@linux.ibm.com>
> Date: Sat Aug 5 01:03:18 2023 +0200
>
> target/s390x: Fix the "ignored match" case in VSTRS
>
> Currently the emulation of VSTRS recognizes partial matches in presence
> of \0 in the haystack, which, according to PoP, is not correct:
>
> If the ZS flag is one and a zero byte was detected
> in the second operand, then there can not be a
> partial match ...
>
> Add a check for this. While at it, fold a number of explicitly handled
> special cases into the generic logic.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: Claudio Fontana <cfontana@suse.de>
> Closes: https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg00633.html
> Fixes: 1d706f314191 ("target/s390x: vxeh2: vector string search")
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> Message-Id: <20230804233748.218935-3-iii@linux.ibm.com>
> Tested-by: Claudio Fontana <cfontana@suse.de>
> Acked-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Thomas Huth <thuth@redhat.com>
Ah great, thanks Ilya ;)
Thread overview: 21+ messages
2023-07-21 9:08 assert fails in s390x TCG Claudio Fontana
2023-07-24 8:21 ` Claudio Fontana
2023-07-27 17:41 ` Richard Henderson
2023-07-28 13:29 ` Claudio Fontana
2023-07-28 13:33 ` Richard Henderson
2023-07-28 13:45 ` Claudio Fontana
2023-07-28 14:23 ` Claudio Fontana
2023-07-28 14:28 ` Richard Henderson
2023-07-28 14:40 ` Claudio Fontana
2023-07-28 14:46 ` Claudio Fontana
2023-07-28 16:05 ` Richard Henderson
2023-07-28 16:43 ` Richard Henderson
2024-06-12 12:41 ` Philippe Mathieu-Daudé
2024-06-12 13:08 ` Claudio Fontana
2024-06-12 14:33 ` Philippe Mathieu-Daudé
2023-07-31 11:31 ` Claudio Fontana
2023-07-31 20:51 ` Claudio Fontana
2023-08-04 9:00 ` Issue with s390 TCG and libc __strstr_arch13 [Was: Re: assert fails in s390x TCG] Claudio Fontana
2023-08-04 9:20 ` Issue with s390 TCG and libc __strstr_arch13 Thomas Huth
2023-08-04 9:58 ` Claudio Fontana
2023-08-04 14:21 ` Ilya Leoshkevich