From: Paolo Bonzini
Date: Fri, 17 May 2013 12:20:54 +0200
Subject: Re: [Qemu-devel] [Bug 1180970] [NEW] qemu: fatal: Trying to execute code outside RAM or ROM; worked in 1.4.0, fails in 1.4.92
To: Laszlo Ersek
Cc: Duane Voth, Bug 1180970 <1180970@bugs.launchpad.net>, qemu-devel@nongnu.org
Message-ID: <51960486.3050206@redhat.com>
In-Reply-To: <519553A4.9030900@redhat.com>
References: <20130516195843.983.69688.malonedeb@soybean.canonical.com> <519553A4.9030900@redhat.com>

On 16/05/2013 23:46, Laszlo Ersek wrote:
> On 05/16/13 21:58, Duane Voth wrote:
>> Public bug reported:
>>
>> I'm using qemu to run and debug the EDK2 uEFI environment. OVMF is
>> being built out of the EDK2 tree I've checked out (r14367).
>> (Reproducing all this could be tedious so I am available for
>> debugging/testing.)
>>
>> qemu 1.4.0 was able to execute this guest environment with no trouble,
>> qemu 1.4.92 however issues an error message and aborts. The command
>> line I use to start qemu is:
>>
>> $ /usr/local/bin/qemu-system-x86_64 -m 1024 -bios OVMF.fd -monitor stdio
>>
>> 1.4.92 gives the following register dump:
>>
>> QEMU 1.4.92 monitor - type 'help' for more information
>> (qemu) qemu: fatal: Trying to execute code outside RAM or ROM at 0x0000000100000000
>>
>> RAX=000000003e084da8 RBX=000000003e084868 RCX=0000000000000000 RDX=000000003e084f00
>> RSI=0000000000000001 RDI=000000003e085000 RBP=000000003e084708 RSP=000000003fac8510
>> R8 =0000000000000000 R9 =000000003e14c3e3 R10=0000000000000033 R11=00000000000000d3
>> R12=000000003e0848a0 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
>> RIP=00000000ffffffe4 RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
>> ES =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA]
>> CS =0028 0000000000000000 ffffffff 00af9b00 DPL=0 CS64 [-RA]
>> SS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA]
>> DS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA]
>> FS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA]
>> GS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS [-WA]
>> LDT=0000 0000000000000000 0000ffff 00008200 DPL=0 LDT
>> TR =0000 0000000000000000 0000ffff 00008b00 DPL=0 TSS64-busy
>> GDT= 000000003fa50e98 0000003f
>> IDT= 000000003f9d6e20 00000fff
>> CR0=80000033 CR2=0000000000000000 CR3=000000003fa67000 CR4=00000668
>> ...
>>
>>
>> Questions:
>> 1) Is this problem relevant? (is full backward compatibility to be
>> supported?)
>> 2) Are there new guest execution controls in 1.4.9x that might cause
>> this?
>> 3) If #2, can they be disabled by a qemu command line switch?
>> 4) If not #2, in what qemu source file specifically can I find the
>> logic causing the abort? (help me help you :)
>> 5) If guest memory is corrupted or improperly mapped, how can I keep
>> qemu alive to examine/dump guest memory?
>
> I reckon you don't see this with KVM enabled. (Because I don't see it
> with KVM enabled, with my own OVMF builds anyway :), plus the "Trying to
> execute code outside RAM or ROM" message comes from code that strikes me
> as part of TCG.)
>
> It surprises me that RIP=00000000ffffffe4 whereas get_page_addr_code()
> [cputlb.c] logs "at 0x0000000100000000".
>
> The RIP seems to be in OVMF init code.
>
> 0x0000000100000000 is 4G exactly and looks suspicious.
>
> Can you try bisecting TCG between 1.4.0 and current master?
>
> git log --oneline --reverse v1.4.0.. -- tcg \
> | egrep -v 'tcg[-/](arm|ppc|sparc|s390|mips)'
>
> 0b0d332 TCG: Final globals clean-up
> 5e5f07e TCG: Move translation block variables to new context inside tcg_ctx: tb_ctx
> 24537a0 qemu-log: Rename the public-facing cpu_set_log function to qemu_set_log
> e6a7273 tcg: Make 32-bit multiword operations optional for 64-bit hosts
> bbc863b tcg-i386: Always implement 32-bit multiword ops
> d7156f7 tcg: Add 64-bit multiword arithmetic operations
> 4d3203f tcg: Add signed multiword multiplication operations
> 3c51a98 tcg: Implement a 64-bit to 32-bit extraction helper
> 696a8be tcg: Implement multiword multiply helpers
> f6953a7 tcg: Implement multiword addition helpers
> 624988a tcg-i386: Implement multiword arithmetic ops
> f402f38 tcg: Implement muls2 with mulu2
> f1fae40 tcg: Apply life analysis to 64-bit multiword arithmetic ops
> 989b697 qemu-log: default to stderr for logging output
> 0980011 tcg: Document tcg_qemu_tb_exec() and provide constants for low bit uses
> 378df4b Handle CPU interrupts by inline checking of a flag
> 294e466 Use proper term in TCG README
> 2d49754 tcg-optimize: Fold sub r,0,x to neg r,x
> 03fc054 tci: Use 32-bit signed offsets to loads/stores
> 4699ca6 tci: Delete unused tb_ret_addr
> ee79c35 tci: Make tcg temporaries local to tcg_qemu_tb_exec
> 0a9c234 Merge branch 'tci' of git://qemu.weilnetz.de/qemu
> ed60512 tcg: fix deposit_i64 op on 32-bit targets
> d6b64b2 tcg: Log the contents of the prologue with -d out_asm
> 66e61b5 tcg/optimize: fix setcond2 optimization
>
> Anyway I'm just throwing around words and waving my hand, hoping that
> someone with actual insight will chime in.

You also need to add target-i386/ to this list, but yes, bisection sounds
like a plan. I suggest that you bisect using a new build directory on
every compilation step, something like "rm -rf build; mkdir build; (cd
build && ../configure --target-list=x86_64-softmmu && make -jNN)".

Paolo
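Added example, not code from this thread or from the QEMU project: one way to turn the fresh-build-per-step suggestion above into a `git bisect run` driver that rebuilds in a throwaway directory on every step, boots OVMF under TCG for a bounded time, and maps the outcome onto the exit codes git bisect understands (0 good, 1 bad, 125 skip when the build fails). Everything beyond the configure/make line and the qemu command line from the thread is my assumption: the QEMU_SRC/BUILD_DIR/BOOT_SECS/JOBS variables, the built-binary path under the build directory, the use of `timeout` and `-display none`, and the idea that a healthy boot simply never prints the fatal message within the time limit.

```shell
#!/bin/sh
# Added example (not from the thread): git-bisect driver for the
# "fresh build directory on every step" bisection suggested above.
# Assumed layout: this script lives outside the qemu tree, QEMU_SRC
# points at the checkout being bisected, OVMF.fd is in the cwd.

QEMU_SRC=${QEMU_SRC:-.}        # assumed: path to the qemu git checkout
BUILD_DIR=${BUILD_DIR:-build}   # assumed: throwaway build directory
BOOT_SECS=${BOOT_SECS:-60}      # assumed: how long a healthy boot gets
JOBS=${JOBS:-4}                 # stands in for the -jNN in the thread
FATAL_MSG='Trying to execute code outside RAM or ROM'   # message from the bug

# Classify one step for `git bisect run`:
#   0   = good (the fatal message never appeared),
#   1   = bad  (the abort from the bug report reproduced),
#   125 = skip (configure/make failed, commit cannot be judged).
classify_run_output() {
    build_ok=$1     # "yes" if configure+make succeeded, anything else if not
    output=$2       # combined stdout+stderr captured from qemu
    if [ "$build_ok" != yes ]; then
        return 125
    fi
    case $output in
        *"$FATAL_MSG"*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Fresh build directory on every step, exactly as the thread suggests,
# so stale objects from the previous commit cannot leak into this one.
fresh_build() {
    rm -rf "$BUILD_DIR" && mkdir "$BUILD_DIR" &&
    ( cd "$BUILD_DIR" &&
      "$QEMU_SRC/configure" --target-list=x86_64-softmmu &&
      make -j"$JOBS" ) >/dev/null 2>&1
}

# Boot OVMF under TCG (no -enable-kvm: the reporter only sees this under
# TCG) for a bounded time and capture everything qemu prints. A timeout
# (exit 124) means the guest was still running, i.e. no abort was seen.
# Binary path is assumed; -display none replaces the interactive monitor.
boot_and_capture() {
    timeout "$BOOT_SECS" "$BUILD_DIR/x86_64-softmmu/qemu-system-x86_64" \
        -m 1024 -bios OVMF.fd -display none 2>&1 </dev/null
}

bisect_step() {
    if fresh_build; then built=yes; else built=no; fi
    out=$(boot_and_capture)
    classify_run_output "$built" "$out"
}

# Only act when invoked by git bisect; sourcing the file just defines functions.
if [ "${1:-}" = "--bisect-step" ]; then
    bisect_step
    exit $?
fi
```

Usage, with the path filter from the `git log` above plus the target-i386/ directory Paolo asks for (my assumption that the currently checked-out HEAD is the bad commit): `git bisect start HEAD v1.4.0 -- tcg target-i386 && git bisect run /path/to/bisect-ovmf.sh --bisect-step`. Commits whose build breaks are skipped rather than misjudged, which matters because a handful of the listed TCG commits change the build itself.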