From: Laurent Desnogues <laurent.desnogues@gmail.com>
To: Robert Henry <robhenry@microsoft.com>
Cc: "Alex Bennée" <alex.bennee@linaro.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: QEMU for aarch64 with plugins seems to fail basic consistency checks
Date: Fri, 24 Jan 2020 10:02:08 +0100 [thread overview]
Message-ID: <CABoDooMHEeHN_500GuCUgS9sNwWvA193AiDamq8Fmkp00DABjw@mail.gmail.com> (raw)
In-Reply-To: <BL0PR2101MB1026C24DACAFB1771DE47706D60E0@BL0PR2101MB1026.namprd21.prod.outlook.com>
Hello,
On Fri, Jan 24, 2020 at 1:45 AM Robert Henry <robhenry@microsoft.com> wrote:
>
> I wrote a QEMU plugin for aarch64 where the insn and mem callbacks print out the specifics of the guest instructions as they are "executed". I expect this trace stream to be well behaved but it is not. By well-behaved, I expect memory insns print out some memory details, non-memory insns don't print anything, and the pc only changes after a control flow instruction. I don't see that gross correctness about 2% of the time.
>
> I'm using qemu at tag v4.2.0 (or master head; it doesn't matter), running on a x86_64 host.
> I build qemu using ./configure --disable-sdl --enable-gtk --enable-plugins --enable-debug --target-list=aarch64-softmmu aarch64-linux-user
> I execute qemu from its build area build/aarch64-linux-user/qemu-aarch64, with flags --cpu cortex-a72 and the appropriate args to --plugin ... -d plugin -D .....
> I'm emulating a simple C program in linux emulation mode.
> The resulting qemu execution is valgrind clean (eg, I run qemu under valgrind) for my little program save for memory leaks I reported a few days ago.
>
> Below is an example of my trace output (the first int printed is the cpu_index, checked to be always 0). Note that the ldr instruction at 0x41a608 sometimes reports a memop, but most of the time it doesn't. Note that 0x41a608 is seen, by trace, running back to back. Note that (bottom of trace) that the movz instruction reports a memop. (The executed code comes from glibc _dl_aux_init, executed before main() is called.)
>
> How should this problem be tackled? I can't figure out how to make each tcg block be exactly 1 guest (aarch64) insn, which is where I'd first start out.
To get TBs of a single instruction, you can add -singlestep to the command line.
HTH,
Laurent
> 0 0x000000000041a784 0x000000000041a784 0xf1000c3f cmp x1, #3
> 0 0x000000000041a788 0x000000000041a788 0x54fff401 b.ne #0xfffffffffffffe80
> 0 0x000000000041a78c 0x000000000041a78c 0x52800033 movz w19, #0x1
> 0 0x000000000041a790 0x000000000041a790 0xf9400416 ldr x22, [x0, #8] 0 mem {3 0 0 0} 0x0000004000800618
> 0 0x000000000041a794 0x000000000041a794 0x17ffff9d b #0xfffffffffffffe74
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]! 0 mem {3 0 0 0} 0x0000004000800620
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]! 0 mem {3 0 0 0} 0x0000004000800630
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a608 0x000000000041a608 0xf8410c01 ldr x1, [x0, #0x10]!
> 0 0x000000000041a60c 0x000000000041a60c 0xb4000221 cbz x1, #0x44
> 0 0x000000000041a7d8 0x000000000041a7d8 0x52800035 movz w21, #0x1
> 0 0x000000000041a7dc 0x000000000041a7dc 0xf9400418 ldr x24, [x0, #8] 0 mem {3 0 0 0} 0x0000004000800638
> 0 0x000000000041a7e0 0x000000000041a7e0 0x17ffff8a b #0xfffffffffffffe28
> 0 0x000000000041a7d8 0x000000000041a7d8 0x52800035 movz w21, #0x1 0 mem {3 0 0 0} 0x0000004000800640
>
>
>
>
>
next prev parent reply other threads:[~2020-01-24 9:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-24 0:45 QEMU for aarch64 with plugins seems to fail basic consistency checks Robert Henry
2020-01-24 9:02 ` Laurent Desnogues [this message]
2020-01-24 16:36 ` Alex Bennée
2020-01-24 17:59 ` [EXTERNAL] " Robert Henry
2020-01-24 19:44 ` Alex Bennée
2020-01-27 22:25 ` Robert Henry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABoDooMHEeHN_500GuCUgS9sNwWvA193AiDamq8Fmkp00DABjw@mail.gmail.com \
--to=laurent.desnogues@gmail.com \
--cc=alex.bennee@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=robhenry@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).