On Sat, Apr 26, 2025 at 3:36 AM Jonathan Cameron via <qemu-devel@nongnu.org> wrote: > > On Tue, 22 Apr 2025 12:26:55 -0700 > Richard Henderson <richard.hender...@linaro.org> wrote: > > > Recover two bits from the inline flags. > > > Hi Richard, > > Early days but something (I'm fairly sure in this patch) is tripping up my > favourite > TCG corner case of running code out of MMIO memory (interleaved CXL memory). > > Only seeing it on arm64 tests so far which isn't upstream yet.. > (guess what I was getting ready to post today) > > Back trace is: > > #0 0x0000555555fd4296 in cpu_atomic_fetch_andq_le_mmu (env=0x555557ee19b0, > addr=18442241572520067072, val=18446744073701163007, oi=8244, > retaddr=<optimized out>) at ../../accel/tcg/atomic_template.h:140 > #1 0x00007fffb6894125 in code_gen_buffer () > #2 0x0000555555fc4c46 in cpu_tb_exec (cpu=cpu@entry=0x555557ededf0, > itb=itb@entry=0x7fffb6894000 <code_gen_buffer+200511443>, > tb_exit=tb_exit@entry=0x7ffff4bfb744) at ../../accel/tcg/cpu-exec.c:455 > #3 0x0000555555fc51c2 in cpu_loop_exec_tb (tb_exit=0x7ffff4bfb744, > last_tb=<synthetic pointer>, pc=<optimized out>, tb=0x7fffb6894000 > <code_gen_buffer+200511443>, cpu=0x555557ededf0) at > ../../accel/tcg/cpu-exec.c:904 > #4 cpu_exec_loop (cpu=cpu@entry=0x555557ededf0, sc=sc@entry=0x7ffff4bfb7f0) > at ../../accel/tcg/cpu-exec.c:1018 > #5 0x0000555555fc58f1 in cpu_exec_setjmp (cpu=cpu@entry=0x555557ededf0, > sc=sc@entry=0x7ffff4bfb7f0) at ../../accel/tcg/cpu-exec.c:1035 > #6 0x0000555555fc5f6c in cpu_exec (cpu=cpu@entry=0x555557ededf0) at > ../../accel/tcg/cpu-exec.c:1061 > #7 0x0000555556146ac3 in tcg_cpu_exec (cpu=cpu@entry=0x555557ededf0) at > ../../accel/tcg/tcg-accel-ops.c:81 > #8 0x0000555556146ee3 in mttcg_cpu_thread_fn (arg=arg@entry=0x555557ededf0) > at ../../accel/tcg/tcg-accel-ops-mttcg.c:94 > #9 0x00005555561f6450 in qemu_thread_start (args=0x555557f8f430) at > ../../util/qemu-thread-posix.c:541 > #10 0x00007ffff7750aa4 in start_thread (arg=<optimized out>) 
at > ./nptl/pthread_create.c:447 > #11 0x00007ffff77ddc3c in clone3 () at > ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 > > I haven't pushed out the rebased tree yet, making this a truly awful bug > report. > > The pull request you sent with this in wasn't bisectable, so this was a bit of > a guessing > game. I see the segfault only after this patch.
I see the same thing with some RISC-V tests. I can provide the test images as well, if you want. The command line is: build/qemu-system-riscv64 -machine virt -cpu rv64,h=false -m 1G \ -serial mon:stdio -serial null -nographic \ -append "root=/dev/vda ro" \ -netdev user,id=net0 -device virtio-net-device,netdev=net0 \ -smp 4 -d guest_errors \ -bios none \ -device loader,file=./images/qemuriscv64/buildroot/Image,addr=0x80200000 \ -kernel ./images/qemuriscv64/buildroot/fw_jump.elf \ -drive id=disk0,file=./images/qemuriscv64/buildroot/rootfs.ext2,if=none,format=raw \ -device virtio-blk-device,drive=disk0 The backtrace is: #0 0x000055555598b0f1 in cpu_atomic_xchgl_le_mmu (env=0x5555567ff290, addr=33554444, val=0, oi=3619, retaddr=<optimized out>) at ../accel/tcg/atomic_template.h:111 #1 0x00007fffb2c5e537 in code_gen_buffer () #2 0x000055555597c661 in cpu_tb_exec (cpu=cpu@entry=0x5555567fc6d0, itb=itb@entry=0x7fffb2c5e400 <code_gen_buffer+113632211>, tb_exit=tb_exit@entry=0x7fff47ffe764) at ../accel/tcg/cpu-exec.c:453 #3 0x000055555597cb4a in cpu_loop_exec_tb (cpu=0x5555567fc6d0, tb=0x7fffb2c5e400 <code_gen_buffer+113632211>, pc=<optimized out>, last_tb=<synthetic pointer>, tb_exit=0x7fff47ffe764) at ../accel/tcg/cpu-exec.c:903 #4 cpu_exec_loop (cpu=cpu@entry=0x5555567fc6d0, sc=sc@entry=0x7fff47ffe810) at ../accel/tcg/cpu-exec.c:1017 #5 0x000055555597d23d in cpu_exec_setjmp (cpu=cpu@entry=0x5555567fc6d0, sc=sc@entry=0x7fff47ffe810) at ../accel/tcg/cpu-exec.c:1034 #6 0x000055555597d909 in cpu_exec (cpu=cpu@entry=0x5555567fc6d0) at ../accel/tcg/cpu-exec.c:1060 #7 0x0000555555af1c62 in tcg_cpu_exec (cpu=cpu@entry=0x5555567fc6d0) at ../accel/tcg/tcg-accel-ops.c:81 #8 0x0000555555af2012 in mttcg_cpu_thread_fn (arg=0x5555567fc6d0) at ../accel/tcg/tcg-accel-ops-mttcg.c:94 #9 0x0000555555b956c7 in qemu_thread_start (args=0x5555569e8da0) at ../util/qemu-thread-posix.c:541 #10 0x00007ffff77f2f14 in start_thread () at /lib64/libc.so.6 #11 0x00007ffff7875aac in __clone3 () at /lib64/libc.so.6 Alistair