* [Qemu-devel] [Bug 1803160] [NEW] qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Alberto Ortega @ 2018-11-13 17:04 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
QEMU version:
-------------
qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)
Summary:
--------
TCG crashes in i386 and x86_64 when it tries to execute some specific
illegal instructions. When running full OS emulation, both the guest
system and QEMU crash.
The issue has been reproduced in two scenarios:
Ubuntu x64 host running Debian x86 guest with the following command
line: qemu-system-x86_64 -m 4G debian.qcow
When the attached ELF file is executed inside the guest, QEMU crashes.
It can also be reproduced from the command line:
$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped) ../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf
GDB backtrace:
(gdb) bt
#0 0x0000000060206488 in raise ()
#1 0x0000000060206b8a in abort ()
#2 0x0000000060007016 in temp_load (s=s@entry=0x607a2780 <tcg_init_ctx>, ts=ts@entry=0x607a3178 <tcg_init_ctx+2552>, desired_regs=<optimized out>, allocated_regs=allocated_regs@entry=16400)
at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3 0x000000006000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4 tcg_gen_code (s=<optimized out>, tb=tb@entry=0x607ac040 <static_code_gen_buffer+4144>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5 0x000000006003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, cflags=cflags@entry=0)
at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6 0x000000006003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7 cpu_exec (cpu=cpu@entry=0x627e0010) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8 0x000000006006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9 0x00000000600037c5 in main (argc=2, argv=0x7fffffffdd28, envp=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)
Testcase:
---------
Find ELF file attached.
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "tcg_crash.elf"
https://bugs.launchpad.net/bugs/1803160/+attachment/5212335/+files/tcg_crash.elf
** Description changed:
QEMU version:
-------------
qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)
Summary:
--------
TCG crashes in i386 and x86_64 when it tries to execute some specific
illegal instructions. When running full OS emulation, both the guest
system and QEMU crash.
The issue has been reproduced in two scenarios:
Ubuntu x64 host running Debian x86 guest with the following command
line: qemu-system-x86_64 -m 4G debian.qcow
When the attached ELF file is executed inside the guest, QEMU crashes.
It can also be reproduced from the command line:
$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped) ../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf
GDB backtrace:
(gdb) bt
#0 0x0000000060206488 in raise ()
#1 0x0000000060206b8a in abort ()
#2 0x0000000060007016 in temp_load (s=s@entry=0x607a2780 <tcg_init_ctx>, ts=ts@entry=0x607a3178 <tcg_init_ctx+2552>, desired_regs=<optimized out>, allocated_regs=allocated_regs@entry=16400)
- at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
+ at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3 0x000000006000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4 tcg_gen_code (s=<optimized out>, tb=tb@entry=0x607ac040 <static_code_gen_buffer+4144>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5 0x000000006003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, cflags=cflags@entry=0)
- at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
+ at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6 0x000000006003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7 cpu_exec (cpu=cpu@entry=0x627e0010) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8 0x000000006006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9 0x00000000600037c5 in main (argc=2, argv=0x7fffffffdd28, envp=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)
Testcase:
---------
- Find ELF file attached, and also in the following hexdump:
-
- $ hexdump -C tcg_crash.elf
- 00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
- 00000010 02 00 03 00 01 00 00 00 54 80 04 08 34 00 00 00 |........T...4...|
- 00000020 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 |........4. .....|
- 00000030 00 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
- 00000040 00 80 04 08 64 00 00 00 64 00 00 00 05 00 00 00 |....d...d.......|
- 00000050 00 10 00 00 d2 dc a8 45 31 ca f0 35 d9 4d 8f 18 |.......E1..5.M..|
- 00000060 05 2e 6f 9f |..o.|
+ Find ELF file attached.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1803160
Title:
qemu-3.1.0-rc0: tcg.c crash in temp_load
Status in QEMU:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1803160/+subscriptions
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Alex Bennée @ 2018-12-05 11:35 UTC (permalink / raw)
To: qemu-devel
** Tags added: tcg
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Alex Bennée @ 2018-12-05 12:16 UTC (permalink / raw)
To: qemu-devel
Can you please re-test on the current master? I think this was fixed by:
commit e84fcd7f662a0d8198703f6f89416d7ac2c32767
Author: Richard Henderson <richard.henderson@linaro.org>
Date: Tue Nov 13 20:35:10 2018 +0100
target/i386: Generate #UD when applying LOCK to a register destination
Testing on my box:
12:14:20 [alex@idun:~/l/qemu.git] master + ./i386-linux-user/qemu-i386 ~/tcg_crash.elf
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
fish: “./i386-linux-user/qemu-i386 ~/t…” terminated by signal SIGILL (Illegal instruction)
** Changed in: qemu
Status: New => Fix Committed
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Alberto Ortega @ 2018-12-05 16:03 UTC (permalink / raw)
To: qemu-devel
I've tested this again and I haven't been able to reproduce it anymore
on the current master; it looks fixed.
Thanks! :)
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Alberto Ortega @ 2018-12-05 20:42 UTC (permalink / raw)
To: qemu-devel
Hello again,
After more testing I've been able to trigger this bug again using qemu
from git master. Find attached a new ELF that will reproduce the
problem:
$ qemu-i386 tcg_crash1.elf
/home/alberto/Documents/qemu/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped) ./qemu/build/i386-linux-user/qemu-i386 tcg_crash1.elf
Invalid instructions:
f0 invalid
40 inc eax
a7 cmpsd dword [esi], dword ptr es:[edi]
48 dec eax
GDB backtrace is the same as before.
** Attachment added: "tcg_crash1.elf"
https://bugs.launchpad.net/qemu/+bug/1803160/+attachment/5219544/+files/tcg_crash1.elf
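Added example for this thread (not QEMU's code, not the reporter's, not the fix commit): a small checker for the architectural rule that Alex Bennée's referenced commit enforces, namely that the LOCK prefix (0xF0) is valid only on a fixed list of read-modify-write instructions and only when the destination operand is in memory; anything else is #UD. The security point for anyone running an emulator as an analysis sandbox is that a guest-supplied illegal instruction should surface as a #UD inside the guest, not as an abort of the emulator process on the host, which is what the backtrace in this thread shows. The checker decodes two byte sequences taken from the thread, the entry-point bytes from the hexdump in the original description change (f0 35 d9 4d 8f 18, LOCK XOR EAX, imm32) and the four bytes listed in the second report (f0 40 a7 48), plus constructed ModRM forms so the memory-versus-register distinction is visible. It states what the architecture specifies for those bytes; it says nothing about why QEMU crashed on the second set, which the thread treats as a separate bug. All names (decode_all, lock_verdicts, the opcode table) are mine, and the opcode coverage is deliberately limited to the handful of opcodes needed here.

```python
"""LOCK-prefix legality checker for short 32-bit x86 byte sequences.

Constructed example for bug 1803160; not QEMU code.  Implements the
Intel SDM rule: LOCK may only precede a fixed set of read-modify-write
instructions, and only their memory-destination forms.  Otherwise #UD.
Coverage is tiny on purpose (opcodes seen in the thread plus a few
ModRM forms); a real decoder needs the full opcode map.
"""
from dataclasses import dataclass
from typing import List, Tuple

LOCK = 0xF0

# Instructions the SDM lists as lockable (memory-destination forms only).
LOCKABLE = {"add", "adc", "and", "btc", "btr", "bts", "cmpxchg", "dec", "inc",
            "neg", "not", "or", "sbb", "sub", "xor", "xadd", "xchg"}

# opcode -> (mnemonic, or None for group opcodes; has ModRM; immediate bytes)
OPCODES = {
    0x35: ("xor eax, imm32", False, 4),   # register destination, no ModRM
    0xA7: ("cmpsd", False, 0),            # string compare: never lockable
    0x01: ("add r/m32, r32", True, 0),
    0x81: (None, True, 4),                # group 1: ModRM.reg selects the op
    0xFF: (None, True, 0),                # group 5: ModRM.reg selects the op
}
for op in range(0x40, 0x48):
    OPCODES[op] = ("inc r32", False, 0)   # 40+r: register destination
for op in range(0x48, 0x50):
    OPCODES[op] = ("dec r32", False, 0)   # 48+r: register destination
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
GROUP5 = {0: "inc", 1: "dec", 6: "push"}


@dataclass
class Insn:
    offset: int
    length: int
    text: str
    verdict: str   # "ok", "#UD", "undecoded" or "truncated"


def modrm_extra_len(code: bytes, i: int) -> int:
    """Bytes of SIB/displacement that follow the ModRM byte at code[i]."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:                 # register operand, nothing follows
        return 0
    extra = 0
    if rm == 4:                  # SIB byte present
        extra += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            extra += 4           # SIB with no base register: disp32
    elif mod == 0 and rm == 5:
        extra += 4               # [disp32] with no base register
    if mod == 1:
        extra += 1               # disp8
    elif mod == 2:
        extra += 4               # disp32
    return extra


def decode_one(code: bytes, i: int) -> Insn:
    start = i
    lock = code[i] == LOCK
    if lock:
        i += 1
    if i >= len(code):
        return Insn(start, i - start, "db 0xf0 (dangling LOCK)", "truncated")
    opcode = code[i]
    if opcode not in OPCODES:
        return Insn(start, i - start + 1, f"db 0x{opcode:02x}", "undecoded")
    mnemonic, has_modrm, imm_size = OPCODES[opcode]
    i += 1
    mem_dest = False
    try:
        if has_modrm:
            modrm = code[i]
            mod, reg = modrm >> 6, (modrm >> 3) & 7
            mem_dest = mod != 3          # mod == 3 means r/m is a register
            if opcode == 0x81:
                mnemonic = f"{GROUP1[reg]} r/m32, imm32"
            elif opcode == 0xFF:
                name = GROUP5.get(reg, "grp5/%d" % reg)
                mnemonic = f"{name} r/m32"
            i += 1 + modrm_extra_len(code, i)
        if i + imm_size > len(code):
            raise IndexError
        i += imm_size
    except IndexError:
        return Insn(start, len(code) - start, "truncated instruction", "truncated")
    op = mnemonic.split()[0]
    if not lock or (op in LOCKABLE and mem_dest):
        verdict = "ok"
    else:
        verdict = "#UD"   # LOCK on a non-lockable op, or on a register destination
    return Insn(start, i - start, ("lock " if lock else "") + mnemonic, verdict)


def decode_all(code: bytes) -> List[Insn]:
    out, i = [], 0
    while i < len(code):
        insn = decode_one(code, i)
        out.append(insn)
        i += max(insn.length, 1)
    return out


def lock_verdicts(hexstr: str) -> List[Tuple[str, str]]:
    """Hex string in, [(disassembly, verdict), ...] out."""
    return [(x.text, x.verdict) for x in decode_all(bytes.fromhex(hexstr))]


if __name__ == "__main__":
    # Sequences from the thread plus one constructed legal LOCK form.
    for label, hexstr in [("tcg_crash.elf entry @0x54", "f035d94d8f18"),
                          ("tcg_crash1.elf", "f040a748"),
                          ("constructed lock inc [eax]", "f0ff00")]:
        print(label, lock_verdicts(hexstr))
```

The checker flags both thread sequences as #UD on the first instruction for the same reason (LOCK in front of an instruction whose destination is a register), while `f0 ff 00` (LOCK INC DWORD PTR [EAX]) is accepted because ModRM.mod != 3 selects a memory operand. Truncated input is reported rather than raising, which is the behaviour a decoder fed untrusted bytes should have.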
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Richard Henderson @ 2018-12-07 16:51 UTC (permalink / raw)
To: qemu-devel
This second crash is of course a different bug.
* Re: [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Philippe Mathieu-Daudé @ 2018-12-09 19:47 UTC (permalink / raw)
To: 1803160; +Cc: qemu-devel@nongnu.org Developers
Hi Alberto,
Can you open another ticket for your new bug?
Thanks.
On Fri, Dec 7, 2018 at 6:22 PM Richard Henderson <rth@twiddle.net> wrote:
>
> This second crash is of course a different bug.
>
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Alberto Ortega @ 2018-12-10 8:59 UTC (permalink / raw)
To: qemu-devel
I've just opened #1807675 for the new bug.
Thanks!
* [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load
From: Thomas Huth @ 2018-12-12 8:37 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Fix Committed => Fix Released