From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
To: "Michael Tokarev" <mjt@tls.msk.ru>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"QEMU Development" <qemu-devel@nongnu.org>
Cc: "Jonathan Cameron" <Jonathan.Cameron@huawei.com>,
"Alex Bennée" <alex.bennee@linaro.org>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Mark Cave-Ayland" <mark.caveayland@nutanix.com>
Subject: Re: apparent race condition in mttcg memory handling
Date: Mon, 21 Jul 2025 10:28:26 -0700
Message-ID: <f50b74c1-24c7-4e48-9f42-b6ce721f70d3@linaro.org>
In-Reply-To: <e1272431-f38d-46ee-8140-38e2c3418399@linaro.org>
On 7/21/25 10:25 AM, Pierrick Bouvier wrote:
> On 7/21/25 10:14 AM, Michael Tokarev wrote:
>> On 21.07.2025 19:29, Pierrick Bouvier wrote:
>>> On 7/21/25 9:23 AM, Pierrick Bouvier wrote:
>> ..
>>>> looks like a good target for TSAN, which might expose the race without
>>>> really having to trigger it.
>>>> https://www.qemu.org/docs/master/devel/testing/main.html#building-and-
>>>> testing-with-tsan
>>
>> I think I tried with TSAN and it gave something useful even.
>> The prob now is to reproduce the thing by someone more familiar
>> with this stuff than me :)
>>
>>>> Else, you can reproduce your run using rr record -h (chaos mode) [1],
>>>> which randomly schedules threads, until it catches the segfault, and
>>>> then you'll have a reproducible case to debug.
>>>
>>> In case you never had the opportunity to use rr, it is quite convenient,
>>> because you can set a hardware watchpoint on your faulty pointer (watch
>>> -l), do a reverse-continue, and in most cases, you'll directly reach
>>> where the bug happened. Feels like cheating.
>>
>> rr is the first thing I tried. Nope, it's absolutely hopeless. It
>> tried to boot just the kernel for over 30 minutes, after which I just
>> gave up.
>>
>
> I had a similar thing to debug recently, and with a simple loop, I
> couldn't expose it easily. The bug I had was triggered with 3%
> probability, which seems close to yours.
> As rr record -h is single-threaded, I found it useful to write a wrapper
> script [1] to run one instance, and then run it in parallel using:
> ./run_one.sh | head -n 10000 | parallel --bar -j$(nproc)
>
> With that, I could expose the bug in 2 minutes reliably (vs trying for
> more than one hour before). With your 64 cores, I'm sure it will quickly
> expose it.
>
> Might be worth a try, as you need to only catch the bug once to be able
> to reproduce it.
>
> [1] https://github.com/pbo-linaro/qemu/blob/master/try_rme.sh
>
In this script, I finally used QEMU's rr feature (as QEMU was working
fine, but there was a bug in the software stack itself that I wanted to
investigate under gdbstub). But I was mentioning the same approach using
rr (the tool).
>> Thanks,
>>
>> /mjt
>
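The parallel chaos-mode hunt described in the message above, as an added example. This is my own script, not the try_rme.sh linked in the thread, and it assumes things the thread does not state: that the guest command dies by SIGSEGV when the race is hit, that rr record passes the tracee's exit status (or fatal signal) through to its caller, and that GNU parallel and nproc(1) are installed, with timeout(1) used when present. The guest command line (./boot_guest.sh in the usage comment) is a placeholder for whatever you would type by hand.

```shell
#!/bin/sh
# rr_hunt.sh: catch a rarely triggered crash once under "rr record -h"
# (chaos mode) by running many attempts in parallel, one per core, and
# halting the whole batch as soon as one attempt crashes. That attempt's
# trace is kept for "rr replay"; clean traces are deleted right away, since
# thousands of recorded guest boots would otherwise fill the disk.
#
# Assumed here, not stated in the thread: the target dies by a signal
# (SIGSEGV) when the race is hit; rr record passes the tracee's exit status
# or fatal signal through; GNU parallel and nproc(1) are installed, and
# timeout(1) is used when available.

TRACE_ROOT=${TRACE_ROOT:-${TMPDIR:-/tmp}/rr-hunt}
ATTEMPT_TIMEOUT=${ATTEMPT_TIMEOUT:-900}   # seconds before an attempt is abandoned

# classify_status N: map an exit status to 0 (clean), 1 (killed by a signal,
# reported by sh as 128+signo, i.e. the crash we are hunting) or 2 (timeout(1)
# gave up, status 124). Any other non-zero status, e.g. a guest that stopped
# with an error code of its own, is not our bug and counts as clean.
classify_status() {
    case $1 in
        0) return 0 ;;
        124) return 2 ;;
    esac
    if [ "$1" -ge 128 ]; then return 1; fi
    return 0
}

# with_timeout CMD...: run CMD under timeout(1) when it is installed, so a
# hung guest does not hold a core forever; otherwise run CMD directly.
with_timeout() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$ATTEMPT_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# run_attempt CMDLINE: run one attempt of the shell command string CMDLINE,
# under rr chaos mode when rr is on PATH (rr records the children of the sh
# it starts, so the guest itself is traced). Without rr the command runs
# directly, which is enough to check the classification logic. Returns the
# classify_status of the run.
run_attempt() {
    if command -v rr >/dev/null 2>&1; then
        dir="$TRACE_ROOT/attempt-$$"
        mkdir -p "$TRACE_ROOT"
        with_timeout rr record -h -o "$dir" sh -c "$1"
        classify_status "$?"
        kind=$?
        if [ "$kind" -eq 1 ]; then
            echo "crash caught: rr replay $dir" >&2
        else
            rm -rf "$dir"
        fi
        return "$kind"
    fi
    with_timeout sh -c "$1"
    classify_status "$?"
}

# hunt MAX: start up to MAX workers through GNU parallel, one per core, each
# running this script with --attempt; --halt now,fail=1 kills the remaining
# workers the moment one of them exits non-zero, i.e. after the first crash.
hunt() {
    seq 1 "$1" | parallel --bar -j"$(nproc)" --halt now,fail=1 "$0" --attempt {}
}

case ${1:-} in
    --attempt)                     # one worker, started by parallel
        run_attempt "$TARGET"
        kind=$?
        [ "$kind" -eq 2 ] && echo "attempt $2 timed out, ignored" >&2
        [ "$kind" -eq 1 ] && exit 1   # only a crash stops the hunt
        exit 0 ;;
    --hunt)                        # ./rr_hunt.sh --hunt './boot_guest.sh'
        TARGET=$2
        export TARGET
        hunt "${MAX_ATTEMPTS:-10000}" ;;
esac
```

The script runs itself as the worker: --hunt exports the guest command line in TARGET and feeds attempt numbers to parallel, which starts one "--attempt" worker per core. Because --halt now,fail=1 ends the batch at the first non-zero worker, a timeout is deliberately mapped to exit 0 and only a signal death stops the run, leaving exactly one trace behind; the watch -l and reverse-continue workflow described earlier in the thread then applies to "rr replay" of that directory.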
Thread overview: 12+ messages
2025-05-30 19:20 apparent race condition in mttcg memory handling Michael Tokarev
2025-06-04 10:47 ` Michael Tokarev
2025-07-21 11:47 ` Philippe Mathieu-Daudé
2025-07-21 16:23 ` Pierrick Bouvier
2025-07-21 16:29 ` Pierrick Bouvier
2025-07-21 17:14 ` Michael Tokarev
2025-07-21 17:25 ` Pierrick Bouvier
2025-07-21 17:28 ` Pierrick Bouvier [this message]
2025-07-21 17:31 ` Peter Maydell
2025-07-21 17:52 ` Pierrick Bouvier
2025-07-22 20:11 ` Gustavo Romero
2025-07-23 6:31 ` Michael Tokarev