* [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address
@ 2018-09-15 1:12 Ramiro Polla
2020-11-12 18:26 ` [Bug 1792659] " Thomas Huth
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Ramiro Polla @ 2018-09-15 1:12 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a watchpoint
on some address. When the watchpoint is hit, it will be reported by gdb,
but it might happen that eip points to the wrong address (execution has
not properly stopped when the watchpoint was hit).
The setup I used to reproduce it is quite complex, but I believe I have
found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb. It
then expects to be called again after that one instruction is executed,
the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1792659
Title:
watchpoints might not properly stop execution at the right address
Status in QEMU:
New
Bug description:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a
watchpoint on some address. When the watchpoint is hit, it will be
reported by gdb, but it might happen that eip points to the wrong
address (execution has not properly stopped when the watchpoint was
hit).
The setup I used to reproduce it is quite complex, but I believe I
have found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb.
It then expects to be called again after that one instruction is
executed, the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1792659/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1792659] Re: watchpoints might not properly stop execution at the right address
2018-09-15 1:12 [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address Ramiro Polla
@ 2020-11-12 18:26 ` Thomas Huth
2020-11-12 20:13 ` Alex Bennée
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2020-11-12 18:26 UTC (permalink / raw)
To: qemu-devel
The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.
** Changed in: qemu
Status: New => Incomplete
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1792659
Title:
watchpoints might not properly stop execution at the right address
Status in QEMU:
Incomplete
Bug description:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a
watchpoint on some address. When the watchpoint is hit, it will be
reported by gdb, but it might happen that eip points to the wrong
address (execution has not properly stopped when the watchpoint was
hit).
The setup I used to reproduce it is quite complex, but I believe I
have found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb.
It then expects to be called again after that one instruction is
executed, the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1792659/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1792659] Re: watchpoints might not properly stop execution at the right address
2018-09-15 1:12 [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address Ramiro Polla
2020-11-12 18:26 ` [Bug 1792659] " Thomas Huth
@ 2020-11-12 20:13 ` Alex Bennée
2020-11-12 20:29 ` Richard Henderson
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Alex Bennée @ 2020-11-12 20:13 UTC (permalink / raw)
To: qemu-devel
** Tags added: tcg
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1792659
Title:
watchpoints might not properly stop execution at the right address
Status in QEMU:
Incomplete
Bug description:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a
watchpoint on some address. When the watchpoint is hit, it will be
reported by gdb, but it might happen that eip points to the wrong
address (execution has not properly stopped when the watchpoint was
hit).
The setup I used to reproduce it is quite complex, but I believe I
have found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb.
It then expects to be called again after that one instruction is
executed, the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1792659/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1792659] Re: watchpoints might not properly stop execution at the right address
2018-09-15 1:12 [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address Ramiro Polla
2020-11-12 18:26 ` [Bug 1792659] " Thomas Huth
2020-11-12 20:13 ` Alex Bennée
@ 2020-11-12 20:29 ` Richard Henderson
2020-11-12 20:44 ` Richard Henderson
2021-05-09 16:17 ` Philippe Mathieu-Daudé
4 siblings, 0 replies; 6+ messages in thread
From: Richard Henderson @ 2020-11-12 20:29 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1792659
Title:
watchpoints might not properly stop execution at the right address
Status in QEMU:
Confirmed
Bug description:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a
watchpoint on some address. When the watchpoint is hit, it will be
reported by gdb, but it might happen that eip points to the wrong
address (execution has not properly stopped when the watchpoint was
hit).
The setup I used to reproduce it is quite complex, but I believe I
have found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb.
It then expects to be called again after that one instruction is
executed, the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1792659/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1792659] Re: watchpoints might not properly stop execution at the right address
2018-09-15 1:12 [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address Ramiro Polla
` (2 preceding siblings ...)
2020-11-12 20:29 ` Richard Henderson
@ 2020-11-12 20:44 ` Richard Henderson
2021-05-09 16:17 ` Philippe Mathieu-Daudé
4 siblings, 0 replies; 6+ messages in thread
From: Richard Henderson @ 2020-11-12 20:44 UTC (permalink / raw)
To: qemu-devel
I can follow the logic here and agree there's a bug.
It would be nice if there were a reproducer, to verify
that the bug is actually fixed, but I can make a stab
at it without.
** Changed in: qemu
Assignee: (unassigned) => Richard Henderson (rth)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1792659
Title:
watchpoints might not properly stop execution at the right address
Status in QEMU:
Confirmed
Bug description:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a
watchpoint on some address. When the watchpoint is hit, it will be
reported by gdb, but it might happen that eip points to the wrong
address (execution has not properly stopped when the watchpoint was
hit).
The setup I used to reproduce it is quite complex, but I believe I
have found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb.
It then expects to be called again after that one instruction is
executed, the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1792659/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1792659] Re: watchpoints might not properly stop execution at the right address
2018-09-15 1:12 [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address Ramiro Polla
` (3 preceding siblings ...)
2020-11-12 20:44 ` Richard Henderson
@ 2021-05-09 16:17 ` Philippe Mathieu-Daudé
4 siblings, 0 replies; 6+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-05-09 16:17 UTC (permalink / raw)
To: qemu-devel
This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'invalid' now.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/245
** Changed in: qemu
Status: Confirmed => Invalid
** Changed in: qemu
Assignee: Richard Henderson (rth) => (unassigned)
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #245
https://gitlab.com/qemu-project/qemu/-/issues/245
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1792659
Title:
watchpoints might not properly stop execution at the right address
Status in QEMU:
Invalid
Bug description:
This bug has been tested with the latest development tree
(19b599f7664b2ebfd0f405fb79c14dd241557452).
I am using qemu-system-i386 with the gdbserver stub. I set a
watchpoint on some address. When the watchpoint is hit, it will be
reported by gdb, but it might happen that eip points to the wrong
address (execution has not properly stopped when the watchpoint was
hit).
The setup I used to reproduce it is quite complex, but I believe I
have found the cause of the bug, so I will describe that.
The check_watchpoint() function sets cflags_next_tb in order to force
the execution of only one instruction, and then exits the current tb.
It then expects to be called again after that one instruction is
executed, the watchpoint is hit and it is reported to gdb.
The problem is that another interrupt might have been generated around
the same time as the watchpoint. If the interrupt changes eip and
execution goes on in another address, the value of cflags_next_tb will
be spoiled. When we come back from the interrupt to the address where
the watchpoint is hit, it is possible that a tb with multiple
instructions is been executed, and therefore eip points to the wrong
address, ahead of where it should be.
In my case, the order is as follows:
* i8259 generates an IRQ
- cpu->interrupt_request contains both CPU_INTERRUPT_TGT_EXT_1 and CPU_INTERRUPT_HARD
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with CPU_INTERRUPT_TGT_EXT_1
- execution continues
* I am exactly at the instruction where the watchpoint is hit.
- check_watchpoint() is called and cflags_next_tb is set to force the execution of only one instruction.
- execution breaks out of the loop with siglongjmp()
* cpu_handle_interrupt() -> x86_cpu_exec_interrupt() is called
- it deals with the IRQ. eip is changed and cflags_next_tb is spoiled
- execution continues at the IRQ
[...]
* The kernel finishes dealing with the IRQ
* I am back at the instruction where the watchpoint is hit.
- A tb is created and executed with two instructions instead of one
- eip is now ahead of the instruction that hit the watchpoint
* cpu_handle_interrupt() is called
- it deals with CPU_INTERRUPT_DEBUG
- the watchpoint is reported by gdb, but with the wrong eip.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1792659/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-05-09 16:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-15 1:12 [Qemu-devel] [Bug 1792659] [NEW] watchpoints might not properly stop execution at the right address Ramiro Polla
2020-11-12 18:26 ` [Bug 1792659] " Thomas Huth
2020-11-12 20:13 ` Alex Bennée
2020-11-12 20:29 ` Richard Henderson
2020-11-12 20:44 ` Richard Henderson
2021-05-09 16:17 ` Philippe Mathieu-Daudé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).