From: wogiz@openmailbox.org
Subject: Re: Bug in x86 instruction emulator?
Date: Thu, 07 Apr 2016 03:26:29 +0200
Message-ID: <79866f85c99f49afd823a2b00e00505e@openmailbox.org>
In-Reply-To: <5704CEF4.2050308@citrix.com>
References: <20e259d208b95167bb495a6ed0bf684d@openmailbox.org> <20160406025735.1ffbb1a6@mdontu-l> <5704CEF4.2050308@citrix.com>
To: Andrew Cooper
Cc: Mihai Donțu, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 2016-04-06 10:55, Andrew Cooper wrote:
> On 06/04/16 00:57, Mihai Donțu wrote:
>> On Wed, 06 Apr 2016 01:38:32 +0200 wogiz@openmailbox.org wrote:
>>> I'm running Xen 4.6.1 with Alpine Linux 3.3.3 in dom0. In an HVM domU
>>> with vga="qxl", Xorg will segfault instantly when started. Multiple
>>> Linux distros have been tested and Xorg segfaults in all.
>>>
>>> Attached are a full backtrace from domU generated by Xorg, and an
>>> assembler dump of function 'sse2_blt'.
>>>
>>> According to Xen IRC channel, the cause could be a bug in the x86
>>> instruction emulator related to SSE.
>> I don't believe the x86 emulator is complete wrt the SSE instruction
>> set. But I do wonder why, in your case, these instructions need
>> emulation at all. Unless touching the video RAM requires emulation. Can
>> you try using a different video driver? I see xorg picked up qxl, maybe
>> try vesa?
>>
>
> Now I think about it, even dirty VRAM tracking shouldn't actually
> emulate the instructions.
>
> Can you grab the full register state at the point of Xorg's crash?
> `info regs` in gdb?
>
> The instruction in use, `movaps`, is specified to fault if the memory
> operand isn't aligned on a 16-byte boundary. Therefore, if %rax in this
> case isn't a multiple of 16, this is a code generation bug, rather than
> an emulation bug.
>
> ~Andrew

Attached is the full register state. I'm very interested in getting to
the bottom of this, so please let me know if I can do anything to help.

Attachment: register-state.txt

(gdb) info registers
rax            0xf1fe000001e000    68114745340846080
rbx            0x9                 9
rcx            0xfffffc00          4294966272
rdx            0x222222            2236962
rsi            0x7fc650541000      140489727938560
rdi            0x7fc65b3ee420      140489911100448
rbp            0x16                0x16
rsp            0x7ffcad040b58      0x7ffcad040b58
r8             0x400               1024
r9             0x20                32
r10            0x20                32
r11            0x9                 9
r12            0x4                 4
r13            0xffffffff          4294967295
r14            0x55dff82d8820      94420429801504
r15            0x55dff82d80c0      94420429799616
rip            0x7fc65c3d5626      0x7fc65c3d5626 <sse2_blt+1159>
eflags         0x13206             [ PF IF #12 #13 RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
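The check Andrew asks for, applied to the attached dump, as an added example that is not part of the thread: the script parses gdb `info registers` output and reports whether the register named as the movaps memory-operand base (%rax, per Andrew's message) is 16-byte aligned. It additionally tests whether that value is a canonical 48-bit address, which the thread itself does not raise; that extra check and all function names are my own. The embedded dump is a copy of the attachment above; which register really forms the memory operand depends on the sse2_blt disassembly, which this message does not include, so the base register is a parameter.

```python
import re

# Copy of the register-state.txt attachment (gdb "info registers" output),
# embedded so the script runs stand-alone. Whitespace only is normalised.
REGISTER_DUMP = """\
(gdb) info registers
rax            0xf1fe000001e000    68114745340846080
rbx            0x9                 9
rcx            0xfffffc00          4294966272
rdx            0x222222            2236962
rsi            0x7fc650541000      140489727938560
rdi            0x7fc65b3ee420      140489911100448
rbp            0x16                0x16
rsp            0x7ffcad040b58      0x7ffcad040b58
r8             0x400               1024
r9             0x20                32
r10            0x20                32
r11            0x9                 9
r12            0x4                 4
r13            0xffffffff          4294967295
r14            0x55dff82d8820      94420429801504
r15            0x55dff82d80c0      94420429799616
rip            0x7fc65c3d5626      0x7fc65c3d5626 <sse2_blt+1159>
eflags         0x13206             [ PF IF #12 #13 RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
"""

GPRS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15")

# "<name>  0x<hex>" at the start of a line; the trailing decimal/symbolic
# column is ignored.
LINE_RE = re.compile(r"^(\w+)\s+0x([0-9a-fA-F]+)\b")


def parse_info_registers(text):
    """Return {register_name: int_value} for every register line in a dump."""
    regs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def is_aligned(addr, alignment=16):
    """movaps requires its memory operand to be a multiple of 16."""
    return addr % alignment == 0


def is_canonical(addr, bits=48):
    """True if bits (bits-1)..63 are all equal, i.e. a canonical 64-bit VA.

    This check is my addition; the thread only asks about alignment.
    """
    top = addr >> (bits - 1)
    return top == 0 or top == (1 << (64 - bits + 1)) - 1


def misaligned_gprs(regs, alignment=16):
    """Names of general-purpose registers that could not be a movaps base."""
    return sorted(r for r in GPRS if r in regs and not is_aligned(regs[r], alignment))


def check_base_register(regs, base="rax"):
    """Summarise the alignment hypothesis for the given base register."""
    value = regs[base]
    return {
        "register": base,
        "value": value,
        "aligned16": is_aligned(value),
        "canonical": is_canonical(value),
    }


if __name__ == "__main__":
    regs = parse_info_registers(REGISTER_DUMP)
    result = check_base_register(regs, "rax")
    print("%s = %#x aligned16=%s canonical=%s" % (
        result["register"], result["value"],
        result["aligned16"], result["canonical"]))
    print("GPRs not 16-byte aligned:", misaligned_gprs(regs))
```

For this dump %rax is a multiple of 16, so the alignment theory alone does not explain a fault through %rax; the canonical-address result is the kind of additional detail worth pasting back into the thread alongside the disassembly line at `sse2_blt+1159`.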