Re: aarch64: Crash with qemu master when starting Jailhouse

From: Peter Maydell <peter.maydell@linaro.org>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Richard Henderson <richard.henderson@linaro.org>,
	qemu-devel <qemu-devel@nongnu.org>
Subject: Re: aarch64: Crash with qemu master when starting Jailhouse
Date: Tue, 21 Jul 2020 10:28:42 +0100	[thread overview]
Message-ID: <CAFEAcA-XwoUG+2wy8e404qnSRgy+LpzGph+BO3KKMbOhgmvECA@mail.gmail.com> (raw)
In-Reply-To: <b19e8210-7cac-e1b5-f89b-ae73ec21d8cb@siemens.com>

On Tue, 21 Jul 2020 at 08:22, Jan Kiszka <jan.kiszka@siemens.com> wrote:
>
> Hi,
>
> I've seen this first a couple of weeks ago, ignored it, but it's still there today with master:

Richard, this looks like an issue with your recent rearrangement
of the cacheattrs handling: we get into get_phys_addr_lpae() with
a NULL cacheattrs pointer that we weren't expecting.

> Thread 13 "qemu-system-aar" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7f90e2ffd700 (LWP 26883)]
> 0x0000560ef0bddda7 in get_phys_addr_lpae (env=<optimized out>, address=address@entry=1095261192, access_type=access_type@entry=MMU_DATA_LOAD, mmu_idx=mmu_idx@entry=ARMMMUIdx_Stage2, s1_is_el0=s1_is_el0@entry=false,
>     phys_ptr=phys_ptr@entry=0x7f90e2ffc200, txattrs=0x7f90e2ffc1ec, prot=0x7f90e2ffc1f0, page_size_ptr=0x7f90e2ffc1f8, fi=0x7f90e2ffc530, cacheattrs=0x0) at /data/qemu/target/arm/helper.c:11106
> 11106           cacheattrs->attrs = convert_stage2_attrs(env, extract32(attrs, 0, 4));
> (gdb) bt
> #0  0x0000560ef0bddda7 in get_phys_addr_lpae
>     (env=<optimized out>, address=address@entry=1095261192, access_type=access_type@entry=MMU_DATA_LOAD, mmu_idx=mmu_idx@entry=ARMMMUIdx_Stage2, s1_is_el0=s1_is_el0@entry=false, phys_ptr=phys_ptr@entry=0x7f90e2ffc200, txattrs=0x7f90e2ffc1ec, prot=0x7f90e2ffc1f0, page_size_ptr=0x7f90e2ffc1f8, fi=0x7f90e2ffc530, cacheattrs=0x0) at /data/qemu/target/arm/helper.c:11106
> #1  0x0000560ef0bde3c6 in S1_ptw_translate (env=env@entry=0x560ef32742b0, mmu_idx=mmu_idx@entry=ARMMMUIdx_Stage1_E1, addr=1095261192, txattrs=..., fi=fi@entry=0x7f90e2ffc530) at /data/qemu/target/arm/helper.c:10218
> #2  0x0000560ef0bdd7f0 in arm_ldq_ptw (fi=0x7f90e2ffc530, mmu_idx=ARMMMUIdx_Stage1_E1, is_secure=false, addr=<optimized out>, cs=0x560ef326ac10) at /data/qemu/target/arm/helper.c:10284
> #3  0x0000560ef0bdd7f0 in get_phys_addr_lpae
>     (env=env@entry=0x560ef32742b0, address=address@entry=18446674270391351284, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=mmu_idx@entry=ARMMMUIdx_Stage1_E1, s1_is_el0=s1_is_el0@entry=false, phys_ptr=phys_ptr@entry=0x7f90e2ffc490, txattrs=0x7f90e2ffc518, prot=0x7f90e2ffc514, page_size_ptr=0x7f90e2ffc528, fi=0x7f90e2ffc530, cacheattrs=0x7f90e2ffc51c) at /data/qemu/target/arm/helper.c:11014
> #4  0x0000560ef0bdfacb in get_phys_addr (env=env@entry=0x560ef32742b0, address=<optimized out>, address@entry=18446674270391351284, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=<optimized out>,
>     mmu_idx@entry=ARMMMUIdx_Stage1_E1, phys_ptr=phys_ptr@entry=0x7f90e2ffc490, attrs=attrs@entry=0x7f90e2ffc518, prot=0x7f90e2ffc514, page_size=0x7f90e2ffc528, fi=0x7f90e2ffc530, cacheattrs=0x7f90e2ffc51c)
>     at /data/qemu/target/arm/helper.c:12115
> #5  0x0000560ef0bdf5ca in get_phys_addr
>     (env=env@entry=0x560ef32742b0, address=address@entry=18446674270391351284, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=<optimized out>, phys_ptr=phys_ptr@entry=0x7f90e2ffc520, attrs=attrs@entry=0x7f90e2ffc518, prot=0x7f90e2ffc514, page_size=0x7f90e2ffc528, fi=0x7f90e2ffc530, cacheattrs=0x7f90e2ffc51c) at /data/qemu/target/arm/helper.c:11950
> #6  0x0000560ef0bef669 in arm_cpu_tlb_fill (cs=0x560ef326ac10, address=18446674270391351284, size=<optimized out>, access_type=MMU_INST_FETCH, mmu_idx=2, probe=<optimized out>, retaddr=0) at /data/qemu/target/arm/tlb_helper.c:177
> #7  0x0000560ef0adbd85 in tlb_fill (cpu=0x560ef326ac10, addr=18446674270391351284, size=0, access_type=MMU_INST_FETCH, mmu_idx=2, retaddr=0) at /data/qemu/accel/tcg/cputlb.c:1032
> #8  0x0000560ef0adf216 in get_page_addr_code_hostp (env=<optimized out>, addr=addr@entry=18446674270391351284, hostp=hostp@entry=0x0) at /data/qemu/accel/tcg/cputlb.c:1211
> #9  0x0000560ef0adf287 in get_page_addr_code (env=<optimized out>, addr=addr@entry=18446674270391351284) at /data/qemu/accel/tcg/cputlb.c:1243
> #10 0x0000560ef0af21c4 in tb_htable_lookup (cpu=cpu@entry=0x560ef326ac10, pc=18446674270391351284, cs_base=<optimized out>, flags=2182107137, cf_mask=4278714368) at /data/qemu/accel/tcg/cpu-exec.c:337
> #11 0x0000560ef0af2fd6 in tb_lookup__cpu_state (cf_mask=<optimized out>, flags=0x7f90e2ffc718, cs_base=0x7f90e2ffc720, pc=0x7f90e2ffc728, cpu=0x0) at /data/qemu/include/exec/tb-lookup.h:43
> #12 0x0000560ef0af2fd6 in tb_find (cf_mask=524288, tb_exit=0, last_tb=0x0, cpu=0x0) at /data/qemu/accel/tcg/cpu-exec.c:404
> #13 0x0000560ef0af2fd6 in cpu_exec (cpu=cpu@entry=0x560ef326ac10) at /data/qemu/accel/tcg/cpu-exec.c:748
> #14 0x0000560ef0bb779f in tcg_cpu_exec (cpu=0x560ef326ac10) at /data/qemu/softmmu/cpus.c:1356
> #15 0x0000560ef0bb980b in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x560ef326ac10) at /data/qemu/softmmu/cpus.c:1664
> #16 0x0000560ef10aaf76 in qemu_thread_start (args=<optimized out>) at /data/qemu/util/qemu-thread-posix.c:521
> #17 0x00007f919e9434f9 in start_thread () at /lib64/libpthread.so.0
> #18 0x00007f919e67bf2f in clone () at /lib64/libc.so.6
>
> I've reproduced that with a local Jailhouse installation, but I suspect
> (do not have the time right now to check) that a vanilla jailhouse-
> images [1] build for qemu-arm64 will trigger it as well. Once time
> permits, I could try to generate and share such an image.
>
> qemu 3.1.1.1 of my distro is fine, also f4d8cf148e43.
>
> Any ideas?
>
> Jan
>
> [1] https://github.com/siemens/jailhouse-images

thanks
-- PMM