On Fri, Aug 05, 2016 at 10:45:57AM +0100, Peter Maydell wrote:
> If you build with clang-3.8's undefined behaviour sanitizer
> it reveals that hw/ppc/spapr_iommu.c is calling memset()
> with a NULL pointer:
>
> $ (cd build/clang; UBSAN_OPTIONS=print_stacktrace=1
> QTEST_QEMU_BINARY=ppc64-softmmu/qemu-system-ppc64
> QTEST_QEMU_IMG=qemu-img MALLOC_PERTURB_=${MALLOC_PERTURB_:-$((RANDOM %
> 255 + 1))} gtester -k --verbose -m=quick tests/endianness-test)
> TEST: tests/endianness-test... (pid=9726)
> /ppc64/endianness/mac99: OK
> /ppc64/endianness/pseries:
> /home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_iommu.c:388:12:
> runtime error: null pointer passed as argument 1, which is declared to
> never be null
> /usr/include/string.h:62:62: note: nonnull attribute specified here
>     #0 0x562e11e5a793 in spapr_tce_reset /home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_iommu.c:388:5
>     #1 0x562e11e69259 in spapr_phb_children_reset /home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_pci.c:1487:9
>     #2 0x562e12712cbf in do_object_child_foreach /home/petmay01/linaro/qemu-from-laptop/qemu/qom/object.c:837:19
>     #3 0x562e11e67b1b in spapr_phb_reset /home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_pci.c:1519:5
>     #4 0x562e12210405 in qdev_reset_one /home/petmay01/linaro/qemu-from-laptop/qemu/hw/core/qdev.c:295:5
>     #5 0x562e122103af in qdev_walk_children /home/petmay01/linaro/qemu-from-laptop/qemu/hw/core/qdev.c:610:15
>     #6 0x562e1221c808 in qbus_walk_children /home/petmay01/linaro/qemu-from-laptop/qemu/hw/core/bus.c:59:15
>     #7 0x562e1208d362 in qemu_devices_reset /home/petmay01/linaro/qemu-from-laptop/qemu/vl.c:1712:9
>     #8 0x562e11e460ed in ppc_spapr_reset /home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr.c:1198:5
>     #9 0x562e1208d3fb in qemu_system_reset /home/petmay01/linaro/qemu-from-laptop/qemu/vl.c:1725:9
>     #10 0x562e12093479 in main /home/petmay01/linaro/qemu-from-laptop/qemu/vl.c:4574:5
>     #11 0x7f61a4a1282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
>     #12 0x562e11be80b8 in _start (/home/petmay01/linaro/qemu-from-laptop/qemu/build/clang/ppc64-softmmu/qemu-system-ppc64+0xcbc0b8)
>
> OK
>
> Presumably the size is also 0 in this case or it would
> segfault, but this is UB. Would somebody like to take a
> look at fixing it?
Ah, yeah, looks like this was introduced by the changes which allow the
TCE table to exist in a disabled state (marked by nb_table == 0).

I've put a fix into ppc-for-2.7.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
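An added example, not QEMU's own code nor the fix that went into ppc-for-2.7, showing the defensive shape the thread describes: a stand-in TCE table that can sit in the disabled state (nb_table == 0, no backing memory) and a reset that skips memset entirely in that state instead of passing a NULL pointer to a function whose argument is declared nonnull. The struct layout, field names and helper functions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the TCE table state discussed in the thread (not QEMU's real
 * struct): nb_table == 0 marks a disabled table that owns no backing memory. */
struct tce_table {
    uint64_t *table;    /* NULL while the table is disabled */
    uint32_t  nb_table; /* entry count, 0 while disabled */
};

/* Guarded reset. An unconditional memset(t->table, 0, nb_table * 8) becomes
 * memset(NULL, 0, 0) for a disabled table; glibc declares that argument
 * nonnull, which is the UB UBSan reported. Skip the call instead.
 * Returns 1 if entries were cleared, 0 if there was nothing to clear. */
static int tce_reset(struct tce_table *t)
{
    if (t->nb_table == 0) {
        return 0;   /* disabled: table is NULL, never pass it to memset */
    }
    memset(t->table, 0, (size_t)t->nb_table * sizeof(uint64_t));
    return 1;
}

/* Enable with n entries filled with a constructed non-zero pattern so a later
 * reset is observable. Returns 0 on success, -1 on allocation failure. */
static int tce_enable(struct tce_table *t, uint32_t n)
{
    t->table = malloc((size_t)n * sizeof(uint64_t));
    if (t->table == NULL) return -1;
    memset(t->table, 0xA5, (size_t)n * sizeof(uint64_t));
    t->nb_table = n;
    return 0;
}

static void tce_disable(struct tce_table *t)
{
    free(t->table);
    t->table = NULL;
    t->nb_table = 0;
}

/* 1 if every entry is zero; vacuously 1 for a disabled table. */
static int tce_all_zero(const struct tce_table *t)
{
    for (uint32_t i = 0; i < t->nb_table; i++) {
        if (t->table[i] != 0) return 0;
    }
    return 1;
}
```

Building this with -fsanitize=undefined and calling tce_reset on a disabled table stays silent, whereas the unguarded memset form trips the same nonnull report shown above.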