Re: [Qemu-devel] [Qemu-discuss] Segmentation fault on target tricore

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Konopik, Andreas" <andreas.konopik@fau.de>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, qemu-discuss@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-discuss] Segmentation fault on target tricore
Date: Tue, 17 Sep 2019 15:06:16 +0200	[thread overview]
Message-ID: <75c41dce4fe333c0304f5e80e3ea6f34@fau.de> (raw)
In-Reply-To: <CAFEAcA-oP9QkYnQr1SQUvTks+9ySjDCn0G5yuULdOBepQi-PSw@mail.gmail.com>

>> Using gdb and valgrind I found out that:
>> - 'gen_mtcr()' and 'gen_mfcr()' access uninitialized values, i.e. 
>> CSFRs,
>> which leads to the Segfault
>> - The uninitialised values were created by stack allocation of
>> DisasContext in 'gen_intermediate_code()'
> 
> This definitely sounds like a bug: do you have a stack
> backtrace from valgrind or gdb of the bad access and the
> segfault?
> 

GDB:

> [...]
> Thread 3 "qemu-system-tri" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ffff10a4700 (LWP 146730)]
> 0x00005555556edb67 in gen_mfcr (ret=0xab0, offset=<optimized out>,
>    ctx=<optimized out>)
>    at /home/akonopik/qemu_src/target/tricore/cpu.h:274
> 274	    return (env->features & (1ULL << feature)) != 0;
> (gdb) bt
> #0  0x00005555556edb67 in gen_mfcr
>    (ret=0xab0, offset=<optimized out>, ctx=<optimized out>)
>    at /home/akonopik/qemu_src/target/tricore/cpu.h:274
> #1  0x000055555570bc30 in decode_rlc_opc (op1=<optimized out>, 
> ctx=0x7ffff10a3540)
>    at /home/akonopik/qemu_src/target/tricore/translate.c:6020
> #2  0x000055555570bc30 in decode_32Bit_opc 
> (ctx=ctx@entry=0x7ffff10a3540)
>    at /home/akonopik/qemu_src/target/tricore/translate.c:8680
> #3  0x000055555570bf77 in tricore_tr_translate_insn
>    (dcbase=0x7ffff10a3540, cpu=<optimized out>)
>    at /home/akonopik/qemu_src/target/tricore/translate.c:8856
> #4  0x00005555556e15c9 in translator_loop (ops=
>    0x555555c2b340 <tricore_tr_ops>, db=0x7ffff10a3540, 
> cpu=0x555555dc0480, tb=<optimized out>, max_insns=<optimized out>)
>    at /home/akonopik/qemu_src/accel/tcg/translator.c:94
> #5  0x000055555570d96c in gen_intermediate_code
>    (cs=cs@entry=0x555555dc0480, tb=tb@entry=0x7fffea000280 
> <code_gen_buffer+595>, max_insns=max_insns@entry=512)
>    at /home/akonopik/qemu_src/target/tricore/translate.c:8907
> #6  0x00005555556e01f4 in tb_gen_code
>    (cpu=cpu@entry=0x555555dc0480, pc=pc@entry=2147485022, 
> cs_base=cs_base@entry=0, flags=flags@entry=0, cflags=-16777216, 
> cflags@entry=0)
>    at /home/akonopik/qemu_src/accel/tcg/translate-all.c:1738
> #7  0x00005555556de474 in tb_find
>    (cf_mask=0, tb_exit=0, last_tb=0x7fffea000140 <code_gen_buffer+275>, 
> cpu=0x555555dc0758) at /home/akonopik/qemu_src/accel/tcg/cpu-exec.c:408
> #8  0x00005555556de474 in cpu_exec (cpu=cpu@entry=0x555555dc0480)
>    at /home/akonopik/qemu_src/accel/tcg/cpu-exec.c:730
> #9  0x00005555556a59c0 in tcg_cpu_exec (cpu=0x555555dc0480)
>    at /home/akonopik/qemu_src/cpus.c:1445
> #10 0x00005555556a7831 in qemu_tcg_rr_cpu_thread_fn 
> (arg=arg@entry=0x555555dc0480)
>    at /home/akonopik/qemu_src/cpus.c:1547
> #11 0x00005555558d540b in qemu_thread_start (args=<optimized out>)
>    at /home/akonopik/qemu_src/util/qemu-thread-posix.c:502
> #12 0x00007ffff5a1657f in start_thread () at /usr/lib/libpthread.so.0
> #13 0x00007ffff59460e3 in clone () at /usr/lib/libc.so.6

VALGRIND:

> ==146846== Memcheck, a memory error detector
> ==146846== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et 
> al.
> ==146846== Using Valgrind-3.14.0 and LibVEX; rerun with -h for 
> copyright info
> ==146846== Command:
> /home/akonopik/qemu_src/build/tricore-softmmu/qemu-system-tricore 
> -nographic -M
> tricore_testboard -cpu tc1796 -kernel /home/akonopik/hello.elf
> ==146846==
> --146846-- WARNING: unhandled amd64-linux syscall: 317
> --146846-- You may be able to write your own handler.
> --146846-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
> --146846-- Nevertheless we consider this a bug.  Please report
> --146846-- it at http://valgrind.org/support/bug_reports.html.
> ==146846== Conditional jump or move depends on uninitialised value(s)
> ==146846==    at 0x223D94: tcg_target_init (tcg-target.inc.c:3776)
> ==146846==    by 0x223D94: tcg_context_init (tcg.c:961)
> ==146846==    by 0x293E29: cpu_gen_init (translate-all.c:240)
> ==146846==    by 0x293E29: tcg_exec_init (translate-all.c:1148)
> ==146846==    by 0x275333: tcg_init (tcg-all.c:63)
> ==146846==    by 0x274DE3: accel_init_machine (accel.c:63)
> ==146846==    by 0x274DE3: configure_accelerator (accel.c:110)
> ==146846==    by 0x210236: main (vl.c:4185)
> ==146846==  Uninitialised value was created by a stack allocation
> ==146846==    at 0x5E3E117: ??? (in /usr/lib/libglib-2.0.so.0.6200.0)
> ==146846==
> QEMU 4.1.50 monitor - type 'help' for more information
> (qemu) ==146846== Thread 3:
> ==146846== Use of uninitialised value of size 8
> ==146846==    at 0x2A1B67: gen_mfcr.isra.0 (csfr.def:9)
> ==146846==    by 0x2BFC2F: decode_rlc_opc (translate.c:6020)
> ==146846==    by 0x2BFC2F: decode_32Bit_opc (translate.c:8680)
> ==146846==    by 0x2BFF76: tricore_tr_translate_insn (translate.c:8856)
> ==146846==    by 0x2955C8: translator_loop (translator.c:94)
> ==146846==    by 0x2C196B: gen_intermediate_code (translate.c:8907)
> ==146846==    by 0x2941F3: tb_gen_code (translate-all.c:1738)
> ==146846==    by 0x292473: tb_find (cpu-exec.c:408)
> ==146846==    by 0x292473: cpu_exec (cpu-exec.c:730)
> ==146846==    by 0x2599BF: tcg_cpu_exec (cpus.c:1445)
> ==146846==    by 0x25B830: qemu_tcg_rr_cpu_thread_fn (cpus.c:1547)
> ==146846==    by 0x48940A: qemu_thread_start (qemu-thread-posix.c:502)
> ==146846==    by 0x6DEE57E: start_thread (in 
> /usr/lib/libpthread-2.29.so)
> ==146846==    by 0x6F040E2: clone (in /usr/lib/libc-2.29.so)
> ==146846==  Uninitialised value was created by a stack allocation
> ==146846==    at 0x2C1940: gen_intermediate_code (translate.c:8905)
> ==146846==
> ==146846== Use of uninitialised value of size 8
> ==146846==    at 0x2A302C: gen_mtcr.isra.0 (csfr.def:9)
> ==146846==    by 0x2BFC9C: decode_rlc_opc (translate.c:6046)
> ==146846==    by 0x2BFC9C: decode_32Bit_opc (translate.c:8680)
> ==146846==    by 0x2BFF76: tricore_tr_translate_insn (translate.c:8856)
> ==146846==    by 0x2955C8: translator_loop (translator.c:94)
> ==146846==    by 0x2C196B: gen_intermediate_code (translate.c:8907)
> ==146846==    by 0x2941F3: tb_gen_code (translate-all.c:1738)
> ==146846==    by 0x292473: tb_find (cpu-exec.c:408)
> ==146846==    by 0x292473: cpu_exec (cpu-exec.c:730)
> ==146846==    by 0x2599BF: tcg_cpu_exec (cpus.c:1445)
> ==146846==    by 0x25B830: qemu_tcg_rr_cpu_thread_fn (cpus.c:1547)
> ==146846==    by 0x48940A: qemu_thread_start (qemu-thread-posix.c:502)
> ==146846==    by 0x6DEE57E: start_thread (in 
> /usr/lib/libpthread-2.29.so)
> ==146846==    by 0x6F040E2: clone (in /usr/lib/libc-2.29.so)
> ==146846==  Uninitialised value was created by a stack allocation
> ==146846==    at 0x2C1940: gen_intermediate_code (translate.c:8905)
> [...]


Regards,

Andreas

next prev parent reply	other threads:[~2019-09-17 13:31 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <9cf47438fa943b28ee987cea7b76a459@fau.de>
2019-09-17 12:32 ` [Qemu-devel] [Qemu-discuss] Segmentation fault on target tricore Peter Maydell
2019-09-17 13:06   ` Konopik, Andreas [this message]
2019-09-17 13:45     ` Peter Maydell
2019-09-18 15:54       ` Bastian Koppelmann
2019-09-17 13:07   ` Bastian Koppelmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=75c41dce4fe333c0304f5e80e3ea6f34@fau.de \
    --to=andreas.konopik@fau.de \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-discuss@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).