[PATCH v2 27/30] linux-user/s390x: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/s390x/cpu_loop.c | 16 +---
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/linux-user/s390x/cpu_loop.c b/linux-user/s390x/cpu_loop.c
index 6a69a6dd26..8287d3dfe8 100644
--- a/linux-user/s390x/cpu_loop.c
+++ b/linux-user/s390x/cpu_loop.c
@@ -21,6 +21,8 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 /* s390x masks the fault address it reports in si_addr for SIGSEGV and SIGBUS 
*/
 #define S390X_FAIL_ADDR_MASK -4096LL
@@ -58,7 +60,6 @@ void cpu_loop(CPUS390XState *env)
 {
 CPUState *cs = env_cpu(env);
 int trapnr, n, sig;
-target_siginfo_t info;
 target_ulong addr;
 abi_long ret;
 
@@ -110,11 +111,8 @@ void cpu_loop(CPUS390XState *env)
 goto do_signal_pc;
 case PGM_PROTECTION:
 case PGM_ADDRESSING:
-sig = TARGET_SIGSEGV;
-/* XXX: check env->error_code */
-n = TARGET_SEGV_MAPERR;
-addr = env->__excp_addr & S390X_FAIL_ADDR_MASK;
-goto do_signal;
+force_sigsegv_for_addr(env->__excp_addr & 
S390X_FAIL_ADDR_MASK);
+break;
 case PGM_EXECUTE:
 case PGM_SPECIFICATION:
 case PGM_SPECIAL_OP:
@@ -157,11 +155,7 @@ void cpu_loop(CPUS390XState *env)
  */
 env->psw.addr += env->int_pgm_ilen;
 do_signal:
-info.si_signo = sig;
-info.si_errno = 0;
-info.si_code = n;
-info._sifields._sigfault._addr = addr;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(sig, n, addr);
 break;
 
 case EXCP_ATOMIC:
-- 
2.25.1




[PATCH v2 21/30] linux-user/microblaze: Fix SIGFPE si_codes

2021-08-21 Thread Richard Henderson
Fix a typo for ESR_EC_DIVZERO, which is integral not floating-point.
Fix the if ladder for decoding floating-point exceptions.

Signed-off-by: Richard Henderson 
---
 linux-user/microblaze/cpu_loop.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/linux-user/microblaze/cpu_loop.c b/linux-user/microblaze/cpu_loop.c
index 9e07e52573..4a75c853b2 100644
--- a/linux-user/microblaze/cpu_loop.c
+++ b/linux-user/microblaze/cpu_loop.c
@@ -81,15 +81,25 @@ void cpu_loop(CPUMBState *env)
 env->iflags &= ~(IMM_FLAG | D_FLAG);
 switch (env->esr & 31) {
 case ESR_EC_DIVZERO:
-si_code = TARGET_FPE_FLTDIV;
+si_code = TARGET_FPE_INTDIV;
 break;
 case ESR_EC_FPU:
-si_code = 0;
-if (env->fsr & FSR_IO) {
+/*
+ * Note that the kernel passes along fsr as si_code
+ * if there's no recognized bit set.  Possibly this
+ * implies that si_code is 0, but follow the structure.
+ */
+si_code = env->fsr;
+if (si_code & FSR_IO) {
 si_code = TARGET_FPE_FLTINV;
-}
-if (env->fsr & FSR_DZ) {
+} else if (si_code & FSR_OF) {
+si_code = TARGET_FPE_FLTOVF;
+} else if (si_code & FSR_UF) {
+si_code = TARGET_FPE_FLTUND;
+} else if (si_code & FSR_DZ) {
 si_code = TARGET_FPE_FLTDIV;
+} else if (si_code & FSR_DO) {
+si_code = TARGET_FPE_FLTRES;
 }
 break;
 default:
-- 
2.25.1




Re: [PATCH 2/5] qemu/qarray.h: weak scalar type check in QARRAY_CREATE()

2021-08-21 Thread Richard Henderson

On 8/21/21 1:30 PM, Christian Schoenebeck wrote:

Unfortunately something like

   _Static_assert(typeof(a) == typeof(b), "type mismatch");

is currently not supported by C. So for the time being at least
check that the size of the scalar types match at compile time.


Did you try
_Static_assert(__builtin_types_compatible_p(X, Y), "type mismatch");


r~



Signed-off-by: Christian Schoenebeck 
---
  include/qemu/qarray.h | 6 ++
  1 file changed, 6 insertions(+)

diff --git a/include/qemu/qarray.h b/include/qemu/qarray.h
index 230a556e81..2cb8656c5d 100644
--- a/include/qemu/qarray.h
+++ b/include/qemu/qarray.h
@@ -27,6 +27,8 @@
  #ifndef QEMU_QARRAY_H
  #define QEMU_QARRAY_H
  
+#include "qemu/compiler.h"

+
  /**
   * QArray provides a mechanism to access arrays in common C-style (e.g. by
   * square bracket [] operator) in conjunction with reference variables that
@@ -143,6 +145,10 @@
   * @param len - amount of array elements to be allocated immediately
   */
  #define QARRAY_CREATE(scalar_type, auto_var, len) \
+QEMU_BUILD_BUG_MSG( \
+sizeof(scalar_type) != sizeof(*auto_var), \
+"QArray scalar type mismatch" \
+); \
  qarray_create_##scalar_type((_var), len)
  
  #endif /* QEMU_QARRAY_H */
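Review bot: With the added `QEMU_BUILD_BUG_MSG(...);` in front of the create call, QARRAY_CREATE now expands to two statements, so a caller writing `if (cond) QARRAY_CREATE(int, p, n);` would run the size check conditionally and the create call unconditionally. If the macro is only ever used as a statement, wrap the expansion as `do { QEMU_BUILD_BUG_MSG(...); qarray_create_##scalar_type(...); } while (0)`; if callers use its value, the check has to move into a statement expression instead. Either way the doc block above the macro should state that auto_var must already be a pointer-typed variable, since `sizeof(*auto_var)` dereferences it.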







[PATCH v2 20/30] linux-user/microblaze: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/microblaze/cpu_loop.c | 73 +---
 1 file changed, 29 insertions(+), 44 deletions(-)

diff --git a/linux-user/microblaze/cpu_loop.c b/linux-user/microblaze/cpu_loop.c
index c3396a6e09..9e07e52573 100644
--- a/linux-user/microblaze/cpu_loop.c
+++ b/linux-user/microblaze/cpu_loop.c
@@ -21,13 +21,14 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 void cpu_loop(CPUMBState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr, ret;
-target_siginfo_t info;
-
+int trapnr, ret, si_code;
+
 while (1) {
 cpu_exec_start(cs);
 trapnr = cpu_exec(cs);
@@ -36,18 +37,12 @@ void cpu_loop(CPUMBState *env)
 
 switch (trapnr) {
 case 0xaa:
-{
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = 0;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+/* FIXME: save vaddr in tlb_fill */
+force_sigsegv_for_addr(0);
 break;
 case EXCP_INTERRUPT:
-  /* just indicate that signals should be handled asap */
-  break;
+/* just indicate that signals should be handled asap */
+break;
 case EXCP_SYSCALL:
 /* Return address is 4 bytes after the call.  */
 env->regs[14] += 4;
@@ -75,6 +70,7 @@ void cpu_loop(CPUMBState *env)
  */
 env->regs[14] = env->pc;
 break;
+
 case EXCP_HW_EXCP:
 env->regs[17] = env->pc + 4;
 if (env->iflags & D_FLAG) {
@@ -82,42 +78,31 @@ void cpu_loop(CPUMBState *env)
 env->pc -= 4;
 /* FIXME: if branch was immed, replay the imm as well.  */
 }
-
 env->iflags &= ~(IMM_FLAG | D_FLAG);
-
 switch (env->esr & 31) {
-case ESR_EC_DIVZERO:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = TARGET_FPE_FLTDIV;
-info._sifields._sigfault._addr = 0;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-break;
-case ESR_EC_FPU:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-if (env->fsr & FSR_IO) {
-info.si_code = TARGET_FPE_FLTINV;
-}
-if (env->fsr & FSR_DZ) {
-info.si_code = TARGET_FPE_FLTDIV;
-}
-info._sifields._sigfault._addr = 0;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-break;
-default:
-fprintf(stderr, "Unhandled hw-exception: 0x%x\n",
-env->esr & ESR_EC_MASK);
-cpu_dump_state(cs, stderr, 0);
-exit(EXIT_FAILURE);
-break;
+case ESR_EC_DIVZERO:
+si_code = TARGET_FPE_FLTDIV;
+break;
+case ESR_EC_FPU:
+si_code = 0;
+if (env->fsr & FSR_IO) {
+si_code = TARGET_FPE_FLTINV;
+}
+if (env->fsr & FSR_DZ) {
+si_code = TARGET_FPE_FLTDIV;
+}
+break;
+default:
+fprintf(stderr, "Unhandled hw-exception: 0x%x\n",
+env->esr & ESR_EC_MASK);
+cpu_dump_state(cs, stderr, 0);
+exit(EXIT_FAILURE);
 }
+force_sig_fault(TARGET_SIGFPE, si_code, env->pc);
 break;
+
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
-- 
2.25.1




[PATCH v2 30/30] linux-user/xtensa: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/xtensa/cpu_loop.c | 34 --
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/linux-user/xtensa/cpu_loop.c b/linux-user/xtensa/cpu_loop.c
index 64831c9199..869a8501b8 100644
--- a/linux-user/xtensa/cpu_loop.c
+++ b/linux-user/xtensa/cpu_loop.c
@@ -20,6 +20,8 @@
 #include "qemu/osdep.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 static void xtensa_rfw(CPUXtensaState *env)
 {
@@ -124,7 +126,6 @@ static void xtensa_underflow12(CPUXtensaState *env)
 void cpu_loop(CPUXtensaState *env)
 {
 CPUState *cs = env_cpu(env);
-target_siginfo_t info;
 abi_ulong ret;
 int trapnr;
 
@@ -161,14 +162,12 @@ void cpu_loop(CPUXtensaState *env)
 case EXC_USER:
 switch (env->sregs[EXCCAUSE]) {
 case ILLEGAL_INSTRUCTION_CAUSE:
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPC,
+env->sregs[EPC1]);
+break;
 case PRIVILEGED_CAUSE:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code =
-env->sregs[EXCCAUSE] == ILLEGAL_INSTRUCTION_CAUSE ?
-TARGET_ILL_ILLOPC : TARGET_ILL_PRVOPC;
-info._sifields._sigfault._addr = env->sregs[EPC1];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_PRVOPC,
+env->sregs[EPC1]);
 break;
 
 case SYSCALL_CAUSE:
@@ -217,20 +216,13 @@ void cpu_loop(CPUXtensaState *env)
 break;
 
 case INTEGER_DIVIDE_BY_ZERO_CAUSE:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = TARGET_FPE_INTDIV;
-info._sifields._sigfault._addr = env->sregs[EPC1];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTDIV,
+env->sregs[EPC1]);
 break;
 
 case LOAD_PROHIBITED_CAUSE:
 case STORE_PROHIBITED_CAUSE:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_ACCERR;
-info._sifields._sigfault._addr = env->sregs[EXCVADDR];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->sregs[EXCVADDR]);
 break;
 
 default:
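Review bot: LOAD_PROHIBITED_CAUSE/STORE_PROHIBITED_CAUSE previously always reported TARGET_SEGV_ACCERR, and the replacement `force_sigsegv_for_addr(env->sregs[EXCVADDR]);` presumably derives MAPERR versus ACCERR from the page mapping, so an access to an unmapped address will now report MAPERR instead. That is likely what the kernel does, but it is a user-visible si_code change that the message ("Use the new functions instead of ...") does not mention; one sentence there, or a short comment at the call, would record the intent. cpu_loop continues outside the hunk.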
@@ -239,10 +231,8 @@ void cpu_loop(CPUXtensaState *env)
 }
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT,
+env->sregs[EPC1]);
 break;
 case EXC_DEBUG:
 default:
-- 
2.25.1




[PATCH v2 16/30] linux-user/hppa: Set FPE_CONDTRAP for COND

2021-08-21 Thread Richard Henderson
This si_code was changed in 75abf64287cab, for linux 4.17.

Signed-off-by: Richard Henderson 
---
 linux-user/syscall_defs.h  | 1 +
 linux-user/hppa/cpu_loop.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 55ccc6ae03..f9efbffe0c 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -688,6 +688,7 @@ typedef struct target_siginfo {
 #define TARGET_FPE_FLTINV  (7)  /* floating point invalid operation */
 #define TARGET_FPE_FLTSUB  (8)  /* subscript out of range */
 #define TARGET_FPE_FLTUNK  (14) /* undiagnosed fp exception */
+#define TARGET_FPE_CONDTRAP(15) /* trap on condition */
 #define TARGET_NSIGFPE 15
 
 /*
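Review bot: As rendered, `#define TARGET_FPE_CONDTRAP(15) /* trap on condition */` has no whitespace between the macro name and `(15)`, which the preprocessor reads as a function-like macro with an invalid parameter list and rejects. If that is just the archive eating a tab, ignore this; otherwise it should be `#define TARGET_FPE_CONDTRAP (15) /* trap on condition */` aligned with its neighbours. Leaving `TARGET_NSIGFPE 15` unchanged looks right, since 15 is now the highest code in the block.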
diff --git a/linux-user/hppa/cpu_loop.c b/linux-user/hppa/cpu_loop.c
index 7bc85dffd0..cc076e7cdb 100644
--- a/linux-user/hppa/cpu_loop.c
+++ b/linux-user/hppa/cpu_loop.c
@@ -171,6 +171,8 @@ void cpu_loop(CPUHPPAState *env)
 force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTOVF, env->iaoq_f);
 break;
 case EXCP_COND:
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_CONDTRAP, env->iaoq_f);
+break;
 case EXCP_ASSIST:
 force_sig_fault(TARGET_SIGFPE, 0, env->iaoq_f);
 break;
-- 
2.25.1




[PATCH v2 23/30] linux-user/mips: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/mips/cpu_loop.c | 45 --
 1 file changed, 14 insertions(+), 31 deletions(-)

diff --git a/linux-user/mips/cpu_loop.c b/linux-user/mips/cpu_loop.c
index 797b6bf659..2350ac66e1 100644
--- a/linux-user/mips/cpu_loop.c
+++ b/linux-user/mips/cpu_loop.c
@@ -63,8 +63,7 @@ static void do_tr_or_bp(CPUMIPSState *env, unsigned int code, 
bool trap)
 void cpu_loop(CPUMIPSState *env)
 {
 CPUState *cs = env_cpu(env);
-target_siginfo_t info;
-int trapnr;
+int trapnr, si_code;
 abi_long ret;
 # ifdef TARGET_ABI_MIPSO32
 unsigned int syscall_num;
@@ -157,52 +156,36 @@ done_syscall:
 case EXCP_TLBS:
 case EXCP_AdEL:
 case EXCP_AdES:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->CP0_BadVAddr;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->CP0_BadVAddr);
 break;
 case EXCP_CpU:
 case EXCP_RI:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = 0;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+case EXCP_DSPDIS:
+force_sig(TARGET_SIGILL);
 break;
 case EXCP_INTERRUPT:
 /* just indicate that signals should be handled asap */
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-break;
-case EXCP_DSPDIS:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPC;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT,
+env->active_tc.PC);
 break;
 case EXCP_FPE:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = TARGET_FPE_FLTUNK;
+si_code = TARGET_FPE_FLTUNK;
 if (GET_FP_CAUSE(env->active_fpu.fcr31) & FP_INVALID) {
-info.si_code = TARGET_FPE_FLTINV;
+si_code = TARGET_FPE_FLTINV;
 } else if (GET_FP_CAUSE(env->active_fpu.fcr31) & FP_DIV0) {
-info.si_code = TARGET_FPE_FLTDIV;
+si_code = TARGET_FPE_FLTDIV;
 } else if (GET_FP_CAUSE(env->active_fpu.fcr31) & FP_OVERFLOW) {
-info.si_code = TARGET_FPE_FLTOVF;
+si_code = TARGET_FPE_FLTOVF;
 } else if (GET_FP_CAUSE(env->active_fpu.fcr31) & FP_UNDERFLOW) {
-info.si_code = TARGET_FPE_FLTUND;
+si_code = TARGET_FPE_FLTUND;
 } else if (GET_FP_CAUSE(env->active_fpu.fcr31) & FP_INEXACT) {
-info.si_code = TARGET_FPE_FLTRES;
+si_code = TARGET_FPE_FLTRES;
 }
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGFPE, si_code, env->active_tc.PC);
 break;
+
 /* The code below was inspired by the MIPS Linux kernel trap
  * handling code in arch/mips/kernel/traps.c.
  */
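Review bot: Grouping EXCP_AdEL/EXCP_AdES with the TLB faults under `force_sigsegv_for_addr(env->CP0_BadVAddr);` keeps the pre-existing choice of SIGSEGV for address errors, while the Linux handler for address errors it cannot emulate delivers SIGBUS with BUS_ADRALN (arch/mips/kernel/unaligned.c, as far as I recall). The old `/* XXX: check env->error_code */` that hinted something was unfinished here is dropped, so a replacement `/* FIXME: the kernel raises SIGBUS/BUS_ADRALN for AdEL/AdES */` would keep the gap visible. The EXCP_CpU/RI/DSPDIS change to plain `force_sig(TARGET_SIGILL)` matches what the kernel does for those traps and looks fine. cpu_loop begins and ends outside the hunk.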
-- 
2.25.1




[PATCH v2 26/30] linux-user/riscv: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/riscv/cpu_loop.c | 36 +++-
 1 file changed, 7 insertions(+), 29 deletions(-)

diff --git a/linux-user/riscv/cpu_loop.c b/linux-user/riscv/cpu_loop.c
index 74a9628dc9..32c440365c 100644
--- a/linux-user/riscv/cpu_loop.c
+++ b/linux-user/riscv/cpu_loop.c
@@ -22,14 +22,14 @@
 #include "qemu/error-report.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 #include "elf.h"
 #include "semihosting/common-semi.h"
 
 void cpu_loop(CPURISCVState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr, signum, sigcode;
-target_ulong sigaddr;
+int trapnr;
 target_ulong ret;
 
 for (;;) {
@@ -38,10 +38,6 @@ void cpu_loop(CPURISCVState *env)
 cpu_exec_end(cs);
 process_queued_cpu_work(cs);
 
-signum = 0;
-sigcode = 0;
-sigaddr = 0;
-
 switch (trapnr) {
 case EXCP_INTERRUPT:
 /* just indicate that signals should be handled asap */
@@ -77,46 +73,28 @@ void cpu_loop(CPURISCVState *env)
 }
 break;
 case RISCV_EXCP_ILLEGAL_INST:
-signum = TARGET_SIGILL;
-sigcode = TARGET_ILL_ILLOPC;
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPC, env->pc);
 break;
 case RISCV_EXCP_BREAKPOINT:
-signum = TARGET_SIGTRAP;
-sigcode = TARGET_TRAP_BRKPT;
-sigaddr = env->pc;
+case EXCP_DEBUG:
+gdbstep:
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case RISCV_EXCP_INST_PAGE_FAULT:
 case RISCV_EXCP_LOAD_PAGE_FAULT:
 case RISCV_EXCP_STORE_PAGE_FAULT:
-signum = TARGET_SIGSEGV;
-sigcode = TARGET_SEGV_MAPERR;
-sigaddr = env->badaddr;
+force_sigsegv_for_addr(env->badaddr);
 break;
 case RISCV_EXCP_SEMIHOST:
 env->gpr[xA0] = do_common_semihosting(cs);
 env->pc += 4;
 break;
-case EXCP_DEBUG:
-gdbstep:
-signum = TARGET_SIGTRAP;
-sigcode = TARGET_TRAP_BRKPT;
-break;
 default:
 EXCP_DUMP(env, "\nqemu: unhandled CPU exception %#x - aborting\n",
  trapnr);
 exit(EXIT_FAILURE);
 }
 
-if (signum) {
-target_siginfo_t info = {
-.si_signo = signum,
-.si_errno = 0,
-.si_code = sigcode,
-._sifields._sigfault._addr = sigaddr
-};
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
-
 process_pending_signals(env);
 }
 }
-- 
2.25.1




[PATCH v2 29/30] linux-user/sparc: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/sparc/cpu_loop.c | 38 +++--
 1 file changed, 7 insertions(+), 31 deletions(-)

diff --git a/linux-user/sparc/cpu_loop.c b/linux-user/sparc/cpu_loop.c
index 02532f198d..20fca9f9f3 100644
--- a/linux-user/sparc/cpu_loop.c
+++ b/linux-user/sparc/cpu_loop.c
@@ -21,6 +21,7 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 
 #define SPARC64_STACK_BIAS 2047
 
@@ -153,7 +154,6 @@ void cpu_loop (CPUSPARCState *env)
 CPUState *cs = env_cpu(env);
 int trapnr;
 abi_long ret;
-target_siginfo_t info;
 
 while (1) {
 cpu_exec_start(cs);
@@ -219,14 +219,7 @@ void cpu_loop (CPUSPARCState *env)
 break;
 case TT_TFAULT:
 case TT_DFAULT:
-{
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->mmuregs[4];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+force_sigsegv_for_addr(env->mmuregs[4]);
 break;
 #else
 case TT_SPILL: /* window overflow */
@@ -236,18 +229,10 @@ void cpu_loop (CPUSPARCState *env)
 restore_window(env);
 break;
 case TT_TFAULT:
+force_sigsegv_for_addr(cpu_tsptr(env)->tpc);
+break;
 case TT_DFAULT:
-{
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-if (trapnr == TT_DFAULT)
-info._sifields._sigfault._addr = env->dmmu.mmuregs[4];
-else
-info._sifields._sigfault._addr = cpu_tsptr(env)->tpc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+force_sigsegv_for_addr(env->dmmu.mmuregs[4]);
 break;
 #ifndef TARGET_ABI32
 case 0x16e:
@@ -264,19 +249,10 @@ void cpu_loop (CPUSPARCState *env)
 /* just indicate that signals should be handled asap */
 break;
 case TT_ILL_INSN:
-{
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPC;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPC, env->pc);
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
-- 
2.25.1




[PATCH v2 18/30] linux-user/i386: Use force_sig, force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Replace the local gen_signal with the generic functions that
match how the kernel raises signals.

Signed-off-by: Richard Henderson 
---
 linux-user/i386/cpu_loop.c | 46 +-
 1 file changed, 16 insertions(+), 30 deletions(-)

diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c
index 5866e98441..787d4ccfc0 100644
--- a/linux-user/i386/cpu_loop.c
+++ b/linux-user/i386/cpu_loop.c
@@ -21,6 +21,7 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 
 /***/
 /* CPUX86 core interface */
@@ -81,17 +82,6 @@ static void set_idt(int n, unsigned int dpl)
 }
 #endif
 
-static void gen_signal(CPUX86State *env, int sig, int code, abi_ptr addr)
-{
-target_siginfo_t info = {
-.si_signo = sig,
-.si_code = code,
-._sifields._sigfault._addr = addr
-};
-
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
-
 #ifdef TARGET_X86_64
 static bool write_ok_or_segv(CPUX86State *env, abi_ptr addr, size_t len)
 {
@@ -103,8 +93,7 @@ static bool write_ok_or_segv(CPUX86State *env, abi_ptr addr, 
size_t len)
 return true;
 }
 
-env->error_code = PG_ERROR_W_MASK | PG_ERROR_U_MASK;
-gen_signal(env, TARGET_SIGSEGV, TARGET_SEGV_MAPERR, addr);
+force_sigsegv_for_addr(addr);
 return false;
 }
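Review bot: Dropping `env->error_code = PG_ERROR_W_MASK | PG_ERROR_U_MASK;` ahead of the SIGSEGV is a user-visible change unless something else sets error_code on this path: the i386 signal frame's `err` field is, as far as I recall, filled from env->error_code in setup_sigcontext, so a handler for a vsyscall-page write fault would now see a stale value from an earlier exception. Unless force_sigsegv_for_addr sets it, keep the assignment immediately before `force_sigsegv_for_addr(addr);`. write_ok_or_segv's signature sits in the previous hunk.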
 
@@ -190,8 +179,7 @@ static void emulate_vsyscall(CPUX86State *env)
 return;
 
  sigsegv:
-/* Like force_sig(SIGSEGV).  */
-gen_signal(env, TARGET_SIGSEGV, TARGET_SI_KERNEL, 0);
+force_sig(TARGET_SIGSEGV);
 }
 #endif
 
@@ -263,53 +251,51 @@ void cpu_loop(CPUX86State *env)
 #endif
 case EXCP0B_NOSEG:
 case EXCP0C_STACK:
-gen_signal(env, TARGET_SIGBUS, TARGET_SI_KERNEL, 0);
+force_sig(TARGET_SIGBUS);
 break;
 case EXCP0D_GPF:
 /* XXX: potential problem if ABI32 */
 if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-gen_signal(env, TARGET_SIGSEGV, TARGET_SI_KERNEL, 0);
+force_sig(TARGET_SIGSEGV);
 break;
 case EXCP0E_PAGE:
-gen_signal(env, TARGET_SIGSEGV,
-   (env->error_code & 1 ?
-TARGET_SEGV_ACCERR : TARGET_SEGV_MAPERR),
-   env->cr[2]);
+force_sigsegv_for_addr(env->cr[2]);
 break;
 case EXCP00_DIVZ:
 if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-gen_signal(env, TARGET_SIGFPE, TARGET_FPE_INTDIV, env->eip);
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTDIV, env->eip);
 break;
 case EXCP01_DB:
+if (maybe_handle_vm86_trap(env, trapnr)) {
+break;
+}
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->eip);
+break;
 case EXCP03_INT3:
 if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-if (trapnr == EXCP01_DB) {
-gen_signal(env, TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->eip);
-} else {
-gen_signal(env, TARGET_SIGTRAP, TARGET_SI_KERNEL, 0);
-}
+force_sig(TARGET_SIGTRAP);
 break;
 case EXCP04_INTO:
 case EXCP05_BOUND:
 if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-gen_signal(env, TARGET_SIGSEGV, TARGET_SI_KERNEL, 0);
+force_sig(TARGET_SIGSEGV);
 break;
 case EXCP06_ILLOP:
-gen_signal(env, TARGET_SIGILL, TARGET_ILL_ILLOPN, env->eip);
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN, env->eip);
 break;
 case EXCP_INTERRUPT:
 /* just indicate that signals should be handled asap */
 break;
 case EXCP_DEBUG:
-gen_signal(env, TARGET_SIGTRAP, TARGET_TRAP_BRKPT, 0);
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->eip);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
-- 
2.25.1




[PATCH v2 17/30] linux-user/i386: Split out maybe_handle_vm86_trap

2021-08-21 Thread Richard Henderson
Reduce the number of ifdefs within cpu_loop().

Signed-off-by: Richard Henderson 
---
 linux-user/i386/cpu_loop.c | 31 +++
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c
index f813e87294..5866e98441 100644
--- a/linux-user/i386/cpu_loop.c
+++ b/linux-user/i386/cpu_loop.c
@@ -195,6 +195,17 @@ static void emulate_vsyscall(CPUX86State *env)
 }
 #endif
 
+static bool maybe_handle_vm86_trap(CPUX86State *env, int trapnr)
+{
+#ifndef TARGET_X86_64
+if (env->eflags & VM_MASK) {
+handle_vm86_trap(env, trapnr);
+return true;
+}
+#endif
+return false;
+}
+
 void cpu_loop(CPUX86State *env)
 {
 CPUState *cs = env_cpu(env);
@@ -256,12 +267,9 @@ void cpu_loop(CPUX86State *env)
 break;
 case EXCP0D_GPF:
 /* XXX: potential problem if ABI32 */
-#ifndef TARGET_X86_64
-if (env->eflags & VM_MASK) {
-handle_vm86_fault(env);
+if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-#endif
 gen_signal(env, TARGET_SIGSEGV, TARGET_SI_KERNEL, 0);
 break;
 case EXCP0E_PAGE:
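Review bot: For EXCP0D_GPF the removed vm86 branch called `handle_vm86_fault(env)`, but maybe_handle_vm86_trap (added in the hunk above) calls `handle_vm86_trap(env, trapnr)`, so a general-protection fault in vm86 mode is now routed through the trap/interrupt path instead of the fault emulator; that is a behaviour change the commit message ("Reduce the number of ifdefs") does not claim. Keep the GPF case on handle_vm86_fault, for example via a separate `maybe_handle_vm86_fault(env)` helper with the same ifdef shape, or say in the message why the trap path is correct for GPF. The same line survives as context under EXCP0D_GPF in 18/30 above, so that patch inherits the change. cpu_loop begins and ends outside the hunk.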
@@ -271,22 +279,16 @@ void cpu_loop(CPUX86State *env)
env->cr[2]);
 break;
 case EXCP00_DIVZ:
-#ifndef TARGET_X86_64
-if (env->eflags & VM_MASK) {
-handle_vm86_trap(env, trapnr);
+if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-#endif
 gen_signal(env, TARGET_SIGFPE, TARGET_FPE_INTDIV, env->eip);
 break;
 case EXCP01_DB:
 case EXCP03_INT3:
-#ifndef TARGET_X86_64
-if (env->eflags & VM_MASK) {
-handle_vm86_trap(env, trapnr);
+if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-#endif
 if (trapnr == EXCP01_DB) {
 gen_signal(env, TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->eip);
 } else {
@@ -295,12 +297,9 @@ void cpu_loop(CPUX86State *env)
 break;
 case EXCP04_INTO:
 case EXCP05_BOUND:
-#ifndef TARGET_X86_64
-if (env->eflags & VM_MASK) {
-handle_vm86_trap(env, trapnr);
+if (maybe_handle_vm86_trap(env, trapnr)) {
 break;
 }
-#endif
 gen_signal(env, TARGET_SIGSEGV, TARGET_SI_KERNEL, 0);
 break;
 case EXCP06_ILLOP:
-- 
2.25.1




[PATCH v2 22/30] linux-user/mips: Improve do_break

2021-08-21 Thread Richard Henderson
Rename to do_tr_or_bp, as per the kernel function.
Add a 'trap' argument, akin to the kernel's si_code, but clearer.
The return value is always 0, so change the return value to void.
Use force_sig and force_sig_fault.

Signed-off-by: Richard Henderson 
---
 linux-user/mips/cpu_loop.c | 47 ++
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/linux-user/mips/cpu_loop.c b/linux-user/mips/cpu_loop.c
index 9d813ece4e..797b6bf659 100644
--- a/linux-user/mips/cpu_loop.c
+++ b/linux-user/mips/cpu_loop.c
@@ -21,6 +21,7 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 #include "elf.h"
 #include "internal.h"
 #include "fpu_helper.h"
@@ -38,29 +39,25 @@ enum {
 BRK_DIVZERO = 7
 };
 
-static int do_break(CPUMIPSState *env, target_siginfo_t *info,
-unsigned int code)
+static void do_tr_or_bp(CPUMIPSState *env, unsigned int code, bool trap)
 {
-int ret = -1;
+target_ulong pc = env->active_tc.PC;
 
 switch (code) {
 case BRK_OVERFLOW:
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTOVF, pc);
+break;
 case BRK_DIVZERO:
-info->si_signo = TARGET_SIGFPE;
-info->si_errno = 0;
-info->si_code = (code == BRK_OVERFLOW) ? FPE_INTOVF : FPE_INTDIV;
-queue_signal(env, info->si_signo, QEMU_SI_FAULT, &*info);
-ret = 0;
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTDIV, pc);
 break;
 default:
-info->si_signo = TARGET_SIGTRAP;
-info->si_errno = 0;
-queue_signal(env, info->si_signo, QEMU_SI_FAULT, &*info);
-ret = 0;
+if (trap) {
+force_sig(TARGET_SIGTRAP);
+} else {
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, pc);
+}
 break;
 }
-
-return ret;
 }
 
 void cpu_loop(CPUMIPSState *env)
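Review bot: do_tr_or_bp carries no comment explaining what `trap` selects; the body shows that `true` ends in `force_sig(TARGET_SIGTRAP)` while `false` ends in `force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, pc)`, and the kernel reference only appears in the commit message. A header such as `/* Deliver the signal for a BREAK (trap == false) or TRAP (trap == true) instruction carrying the given code; mirrors do_trap_or_bp() in arch/mips/kernel/traps.c. */` would make that readable at the definition. The kernel passes a null address for the TRAP_BRKPT case whereas this passes pc; if that difference is deliberate, it is worth a word in the same comment.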
@@ -214,6 +211,13 @@ done_syscall:
 abi_ulong trap_instr;
 unsigned int code;
 
+/*
+ * FIXME: It would be better to decode the trap number
+ * during translate, and store it in error_code while
+ * raising the exception.  We should not be re-reading
+ * the opcode here.
+ */
+
 if (env->hflags & MIPS_HFLAG_M16) {
 if (env->insn_flags & ASE_MICROMIPS) {
 /* microMIPS mode */
@@ -266,9 +270,7 @@ done_syscall:
 }
 }
 
-if (do_break(env, , code) != 0) {
-goto error;
-}
+do_tr_or_bp(env, code, false);
 }
 break;
 case EXCP_TRAP:
@@ -276,6 +278,13 @@ done_syscall:
 abi_ulong trap_instr;
 unsigned int code = 0;
 
+/*
+ * FIXME: It would be better to decode the trap number
+ * during translate, and store it in error_code while
+ * raising the exception.  We should not be re-reading
+ * the opcode here.
+ */
+
 if (env->hflags & MIPS_HFLAG_M16) {
 /* microMIPS mode */
 abi_ulong instr[2];
@@ -302,9 +311,7 @@ done_syscall:
 }
 }
 
-if (do_break(env, , code) != 0) {
-goto error;
-}
+do_tr_or_bp(env, code, true);
 }
 break;
 case EXCP_ATOMIC:
-- 
2.25.1




[PATCH v2 28/30] linux-user/sh4: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/sh4/cpu_loop.c | 14 --
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/linux-user/sh4/cpu_loop.c b/linux-user/sh4/cpu_loop.c
index 222ed1c670..0c3ec908e7 100644
--- a/linux-user/sh4/cpu_loop.c
+++ b/linux-user/sh4/cpu_loop.c
@@ -21,12 +21,13 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 void cpu_loop(CPUSH4State *env)
 {
 CPUState *cs = env_cpu(env);
 int trapnr, ret;
-target_siginfo_t info;
 
 while (1) {
 bool arch_interrupt = true;
@@ -58,18 +59,11 @@ void cpu_loop(CPUSH4State *env)
 /* just indicate that signals should be handled asap */
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case 0xa0:
 case 0xc0:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->tea;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->tea);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
-- 
2.25.1




[PATCH v2 14/30] linux-user/hppa: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/hppa/cpu_loop.c | 32 +++-
 1 file changed, 7 insertions(+), 25 deletions(-)

diff --git a/linux-user/hppa/cpu_loop.c b/linux-user/hppa/cpu_loop.c
index 82d8183821..3500b2c291 100644
--- a/linux-user/hppa/cpu_loop.c
+++ b/linux-user/hppa/cpu_loop.c
@@ -20,6 +20,8 @@
 #include "qemu/osdep.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 static abi_ulong hppa_lws(CPUHPPAState *env)
 {
@@ -108,7 +110,6 @@ static abi_ulong hppa_lws(CPUHPPAState *env)
 void cpu_loop(CPUHPPAState *env)
 {
 CPUState *cs = env_cpu(env);
-target_siginfo_t info;
 abi_ulong ret;
 int trapnr;
 
@@ -152,42 +153,23 @@ void cpu_loop(CPUHPPAState *env)
 case EXCP_PAGE_REF:
 case EXCP_DMAR:
 case EXCP_DMPI:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_ACCERR;
-info._sifields._sigfault._addr = env->cr[CR_IOR];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->cr[CR_IOR]);
 break;
 case EXCP_UNALIGN:
-info.si_signo = TARGET_SIGBUS;
-info.si_errno = 0;
-info.si_code = 0;
-info._sifields._sigfault._addr = env->cr[CR_IOR];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGBUS, TARGET_BUS_ADRALN, env->cr[CR_IOR]);
 break;
 case EXCP_ILL:
 case EXCP_PRIV_OPR:
 case EXCP_PRIV_REG:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPN;
-info._sifields._sigfault._addr = env->iaoq_f;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN, env->iaoq_f);
 break;
 case EXCP_OVERFLOW:
 case EXCP_COND:
 case EXCP_ASSIST:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = 0;
-info._sifields._sigfault._addr = env->iaoq_f;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGFPE, 0, env->iaoq_f);
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->iaoq_f);
 break;
 case EXCP_INTERRUPT:
 /* just indicate that signals should be handled asap */
-- 
2.25.1




[PATCH v2 15/30] linux-user/hppa: Use the proper si_code for PRIV_OPR, PRIV_REG, OVERFLOW

2021-08-21 Thread Richard Henderson
These si_codes have been properly set by the kernel since the beginning.

Signed-off-by: Richard Henderson 
---
 linux-user/hppa/cpu_loop.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/linux-user/hppa/cpu_loop.c b/linux-user/hppa/cpu_loop.c
index 3500b2c291..7bc85dffd0 100644
--- a/linux-user/hppa/cpu_loop.c
+++ b/linux-user/hppa/cpu_loop.c
@@ -159,11 +159,17 @@ void cpu_loop(CPUHPPAState *env)
 force_sig_fault(TARGET_SIGBUS, TARGET_BUS_ADRALN, env->cr[CR_IOR]);
 break;
 case EXCP_ILL:
-case EXCP_PRIV_OPR:
-case EXCP_PRIV_REG:
 force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN, env->iaoq_f);
 break;
+case EXCP_PRIV_OPR:
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_PRVOPC, env->iaoq_f);
+break;
+case EXCP_PRIV_REG:
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_PRVREG, env->iaoq_f);
+break;
 case EXCP_OVERFLOW:
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTOVF, env->iaoq_f);
+break;
 case EXCP_COND:
 case EXCP_ASSIST:
 force_sig_fault(TARGET_SIGFPE, 0, env->iaoq_f);
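Review bot: EXCP_COND and EXCP_ASSIST still reach force_sig_fault with si_code 0 at L1268 while PRIV_OPR, PRIV_REG and OVERFLOW now get their proper codes; the cover letter lists a follow-up for COND, but nothing on this page addresses ASSIST. If the kernel derives a specific FPE_* code for assist traps from the floating-point status, a marker such as `/* TODO: kernel derives an FPE_* code for ASSIST; 0 for now */` at that line would keep the gap visible. cpu_loop() starts and ends outside the hunk.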
-- 
2.25.1




[PATCH v2 12/30] linux-user/cris: Use force_sig_fault, force_sigsegv_code

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/cris/cpu_loop.c | 22 ++
 1 file changed, 6 insertions(+), 16 deletions(-)

diff --git a/linux-user/cris/cpu_loop.c b/linux-user/cris/cpu_loop.c
index 334e1e..7a31402ab4 100644
--- a/linux-user/cris/cpu_loop.c
+++ b/linux-user/cris/cpu_loop.c
@@ -21,13 +21,13 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 
 void cpu_loop(CPUCRISState *env)
 {
 CPUState *cs = env_cpu(env);
 int trapnr, ret;
-target_siginfo_t info;
-
+
 while (1) {
 cpu_exec_start(cs);
 trapnr = cpu_exec(cs);
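Review bot: Lines L1300–L1302 delete the blank line after `target_siginfo_t info;` and add a blank line back, which only makes sense if the re-added line carries trailing whitespace that the archive has stripped; checkpatch would flag that. The hunk should reduce to the one-line deletion of the `info` declaration and leave the existing blank line untouched. If there is genuinely no difference, the extra `-`/`+` pair is a stray edit and should be dropped before merging.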
@@ -36,18 +36,11 @@ void cpu_loop(CPUCRISState *env)
 
 switch (trapnr) {
 case 0xaa:
-{
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->pregs[PR_EDA];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+force_sigsegv_for_addr(env->pregs[PR_EDA]);
 break;
 case EXCP_INTERRUPT:
-  /* just indicate that signals should be handled asap */
-  break;
+/* just indicate that signals should be handled asap */
+break;
 case EXCP_BREAK:
 ret = do_syscall(env, 
  env->regs[9], 
@@ -65,10 +58,7 @@ void cpu_loop(CPUCRISState *env)
 }
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
-- 
2.25.1




[PATCH v2 25/30] linux-user/ppc: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

The user-only version of ppc_cpu_tlb_fill does not distinguish
between the various hw codes.  Drop all of that and just use
the new force_sigsegv_for_addr function.  The fault address for
POWERPC_EXCP_ISI is nip exactly, not nip - 4.

Signed-off-by: Richard Henderson 
---
 linux-user/ppc/cpu_loop.c | 142 --
 1 file changed, 30 insertions(+), 112 deletions(-)

diff --git a/linux-user/ppc/cpu_loop.c b/linux-user/ppc/cpu_loop.c
index fa91ea0eed..4893bbd021 100644
--- a/linux-user/ppc/cpu_loop.c
+++ b/linux-user/ppc/cpu_loop.c
@@ -21,6 +21,8 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 static inline uint64_t cpu_ppc_get_tb(CPUPPCState *env)
 {
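Review bot: The added blank line at L1371 sits directly before the existing blank line at L1372, leaving two consecutive empty lines between the include block and the first definition; dropping the added blank keeps the file's single-blank-line spacing. The same pattern appears in the alpha (L1622–L1623), openrisc (L1893–L1894) and m68k (L2232–L2233) include hunks, so it is presumably a template applied to every target and could be fixed in one pass.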
@@ -74,8 +76,7 @@ int ppc_dcr_write (ppc_dcr_t *dcr_env, int dcrn, uint32_t val)
 void cpu_loop(CPUPPCState *env)
 {
 CPUState *cs = env_cpu(env);
-target_siginfo_t info;
-int trapnr;
+int trapnr, si_signo, si_code;
 target_ulong ret;
 
 for(;;) {
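Review bot: `si_signo` and `si_code` at L1381 have no initializers, and their only consumer is the POWERPC_EXCP_PROGRAM switch whose hunk is cut off at L1472, so whether every arm assigns both before the eventual force_sig_fault call cannot be confirmed from this page. If the inner `default:` arms of that switch (not visible here) still only log via EXCP_DUMP and break, as the removed DSI/ISI arms at L1407–L1414 did, an indeterminate `si_code` now reaches the helper as a plain int, which is the same latent problem the old `info.si_code` had but is now easier to spot with -Wmaybe-uninitialized. Initializing at declaration, `int trapnr, si_signo = 0, si_code = 0;`, or giving those arms an explicit `si_code = 0;` with a TODO, would make the fallback deterministic.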
@@ -100,61 +101,10 @@ void cpu_loop(CPUPPCState *env)
   "Aborting\n");
 break;
 case POWERPC_EXCP_DSI:  /* Data storage exception*/
-/* XXX: check this. Seems bugged */
-switch (env->error_code & 0xFF00) {
-case 0x4000:
-case 0x4200:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_MAPERR;
-break;
-case 0x0400:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLADR;
-break;
-case 0x0800:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_ACCERR;
-break;
-default:
-/* Let's send a regular segfault... */
-EXCP_DUMP(env, "Invalid segfault errno (%02x)\n",
-  env->error_code);
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_MAPERR;
-break;
-}
-info._sifields._sigfault._addr = env->spr[SPR_DAR];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->spr[SPR_DAR]);
 break;
 case POWERPC_EXCP_ISI:  /* Instruction storage exception */
-/* XXX: check this */
-switch (env->error_code & 0xFF00) {
-case 0x4000:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_MAPERR;
-break;
-case 0x1000:
-case 0x0800:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_ACCERR;
-break;
-default:
-/* Let's send a regular segfault... */
-EXCP_DUMP(env, "Invalid segfault errno (%02x)\n",
-  env->error_code);
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_MAPERR;
-break;
-}
-info._sifields._sigfault._addr = env->nip - 4;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->nip);
 break;
 case POWERPC_EXCP_EXTERNAL: /* External input*/
 cpu_abort(cs, "External interrupt while in user mode. "
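Review bot: The removed `default:` arms at L1407–L1414 and L1434–L1441 logged unexpected `env->error_code` values through EXCP_DUMP before falling back to SIGSEGV; after the change any code becomes a silent SIGSEGV classified only by force_sigsegv_for_addr. Given the description's claim that the user-only ppc_cpu_tlb_fill does not distinguish the hw codes this is presumably fine, but a one-line comment at L1418 such as `/* user-only tlb_fill sets no distinguishing error_code; classify by page flags */` would keep that rationale in the source rather than only in the commit message. The DSI arm also drops the former SIGILL/ILL_ILLADR result for error_code 0x0400 (L1397–L1401), which the description does not call out explicitly. cpu_loop() starts and ends outside the hunk.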
@@ -162,35 +112,30 @@ void cpu_loop(CPUPPCState *env)
 break;
 case POWERPC_EXCP_ALIGN:/* Alignment exception   */
 /* XXX: check this */
-info.si_signo = TARGET_SIGBUS;
-info.si_errno = 0;
-info.si_code = TARGET_BUS_ADRALN;
-info._sifields._sigfault._addr = env->nip;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGBUS, TARGET_BUS_ADRALN, env->nip);
 break;
 case POWERPC_EXCP_PROGRAM:  /* Program exception */
 case POWERPC_EXCP_HV_EMU:   /* HV emulation  */
 /* XXX: check this */
 switch (env->error_code & ~0xF) {
 case POWERPC_EXCP_FP:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
+si_signo = TARGET_SIGFPE;
 switch (env->error_code & 0xF) {
 case POWERPC_EXCP_FP_OX:
-info.si_code = TARGET_FPE_FLTOVF;
+si_code = TARGET_FPE_FLTOVF;
  

[PATCH v2 13/30] linux-user/hexagon: Use force_sigsegv_code

2021-08-21 Thread Richard Henderson
Use the new function instead of setting up a target_siginfo_t
and calling queue_signal.  Note that we were incorrectly using
QEMU_SI_KILL instead of QEMU_SI_FAULT for raising SIGSEGV.

Signed-off-by: Richard Henderson 
---
 linux-user/hexagon/cpu_loop.c | 22 --
 1 file changed, 4 insertions(+), 18 deletions(-)

diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c
index bc34f5d7c3..6095ca06ca 100644
--- a/linux-user/hexagon/cpu_loop.c
+++ b/linux-user/hexagon/cpu_loop.c
@@ -21,13 +21,13 @@
 #include "qemu/osdep.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 #include "internal.h"
 
 void cpu_loop(CPUHexagonState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr, signum, sigcode;
-target_ulong sigaddr;
+int trapnr;
 target_ulong syscallnum;
 target_ulong ret;
 
@@ -37,10 +37,6 @@ void cpu_loop(CPUHexagonState *env)
 cpu_exec_end(cs);
 process_queued_cpu_work(cs);
 
-signum = 0;
-sigcode = 0;
-sigaddr = 0;
-
 switch (trapnr) {
 case EXCP_INTERRUPT:
 /* just indicate that signals should be handled asap */
@@ -66,8 +62,8 @@ void cpu_loop(CPUHexagonState *env)
 case HEX_EXCP_FETCH_NO_UPAGE:
 case HEX_EXCP_PRIV_NO_UREAD:
 case HEX_EXCP_PRIV_NO_UWRITE:
-signum = TARGET_SIGSEGV;
-sigcode = TARGET_SEGV_MAPERR;
+/* FIXME: need to store vaddr in hexagon_tlb_fill */
+force_sigsegv_for_addr(0);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
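Review bot: `force_sigsegv_for_addr(0)` at L1524 classifies the fault by `page_get_flags(0)`, i.e. by whether the guest's page zero happens to be mapped, not by the real faulting address, so until hexagon_tlb_fill records vaddr the MAPERR/ACCERR choice is unrelated to the fault. Keeping the previous explicit result next to the FIXME, `force_sig_fault(TARGET_SIGSEGV, TARGET_SEGV_MAPERR, 0);`, avoids reporting a misleading ACCERR for a typical unmapped access while still fixing the QEMU_SI_KILL/QEMU_SI_FAULT mix-up the description mentions. Separately, the subject line names force_sigsegv_code, but the helper used here (and in the alpha and cris patches) is force_sigsegv_for_addr. cpu_loop() starts and ends outside the hunk.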
@@ -78,16 +74,6 @@ void cpu_loop(CPUHexagonState *env)
 exit(EXIT_FAILURE);
 }
 
-if (signum) {
-target_siginfo_t info = {
-.si_signo = signum,
-.si_errno = 0,
-.si_code = sigcode,
-._sifields._sigfault._addr = sigaddr
-};
-queue_signal(env, info.si_signo, QEMU_SI_KILL, );
-}
-
 process_pending_signals(env);
 }
 }
-- 
2.25.1




[PATCH v2 09/30] linux-user/alpha: Set TRAP_UNK for bugchk and unknown gentrap

2021-08-21 Thread Richard Henderson
These si_codes were changed in 535906c684fca, for linux 4.17.

Signed-off-by: Richard Henderson 
---
 linux-user/syscall_defs.h   | 1 +
 linux-user/alpha/cpu_loop.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index a5ce487dcc..55ccc6ae03 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -715,6 +715,7 @@ typedef struct target_siginfo {
 #define TARGET_TRAP_TRACE  (2) /* process trace trap */
 #define TARGET_TRAP_BRANCH  (3) /* process taken branch trap */
 #define TARGET_TRAP_HWBKPT  (4) /* hardware breakpoint/watchpoint */
+#define TARGET_TRAP_UNK (5) /* undiagnosed trap */
 
 struct target_rlimit {
 abi_ulong   rlim_cur;
diff --git a/linux-user/alpha/cpu_loop.c b/linux-user/alpha/cpu_loop.c
index 7ce2461a02..b2e9503c50 100644
--- a/linux-user/alpha/cpu_loop.c
+++ b/linux-user/alpha/cpu_loop.c
@@ -99,7 +99,7 @@ void cpu_loop(CPUAlphaState *env)
 /* BUGCHK */
 info.si_signo = TARGET_SIGTRAP;
 info.si_errno = 0;
-info.si_code = 0;
+info.si_code = TARGET_TRAP_UNK;
 info._sifields._sigfault._addr = env->pc;
 queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
 break;
@@ -168,7 +168,7 @@ void cpu_loop(CPUAlphaState *env)
 break;
 default:
 info.si_signo = TARGET_SIGTRAP;
-info.si_code = 0;
+info.si_code = TARGET_TRAP_UNK;
 break;
 }
 info.si_errno = 0;
-- 
2.25.1




[PATCH v2 11/30] linux-user/alpha: Use force_sig_fault, force_sigsegv_code

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/alpha/cpu_loop.c | 76 +++--
 1 file changed, 23 insertions(+), 53 deletions(-)

diff --git a/linux-user/alpha/cpu_loop.c b/linux-user/alpha/cpu_loop.c
index e5f78a439a..b624311a5f 100644
--- a/linux-user/alpha/cpu_loop.c
+++ b/linux-user/alpha/cpu_loop.c
@@ -21,12 +21,13 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 void cpu_loop(CPUAlphaState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr;
-target_siginfo_t info;
+int trapnr, si_code;
 abi_long sysret;
 
 while (1) {
@@ -53,34 +54,17 @@ void cpu_loop(CPUAlphaState *env)
 exit(EXIT_FAILURE);
 break;
 case EXCP_MMFAULT:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = (page_get_flags(env->trap_arg0) & PAGE_VALID
-? TARGET_SEGV_ACCERR : TARGET_SEGV_MAPERR);
-info._sifields._sigfault._addr = env->trap_arg0;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sigsegv_for_addr(env->trap_arg0);
 break;
 case EXCP_UNALIGN:
-info.si_signo = TARGET_SIGBUS;
-info.si_errno = 0;
-info.si_code = TARGET_BUS_ADRALN;
-info._sifields._sigfault._addr = env->trap_arg0;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGBUS, TARGET_BUS_ADRALN, env->trap_arg0);
 break;
 case EXCP_OPCDEC:
 do_sigill:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPC;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPC, env->pc);
 break;
 case EXCP_ARITH:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = TARGET_FPE_FLTINV;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_FLTINV, env->pc);
 break;
 case EXCP_FEN:
 /* No-op.  Linux simply re-enables the FPU.  */
@@ -89,20 +73,10 @@ void cpu_loop(CPUAlphaState *env)
 switch (env->error_code) {
 case 0x80:
 /* BPT */
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-break;
+goto do_sigtrap_brkpt;
 case 0x81:
 /* BUGCHK */
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_UNK;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-break;
+goto do_sigtrap_unk;
 case 0x83:
 /* CALLSYS */
 trapnr = env->ir[IR_V0];
@@ -143,47 +117,43 @@ void cpu_loop(CPUAlphaState *env)
 abort();
 case 0xAA:
 /* GENTRAP */
-info.si_signo = TARGET_SIGFPE;
 switch (env->ir[IR_A0]) {
 case TARGET_GEN_INTOVF:
-info.si_code = TARGET_FPE_INTOVF;
+si_code = TARGET_FPE_INTOVF;
 break;
 case TARGET_GEN_INTDIV:
-info.si_code = TARGET_FPE_INTDIV;
+si_code = TARGET_FPE_INTDIV;
 break;
 case TARGET_GEN_FLTOVF:
-info.si_code = TARGET_FPE_FLTOVF;
+si_code = TARGET_FPE_FLTOVF;
 break;
 case TARGET_GEN_FLTUND:
-info.si_code = TARGET_FPE_FLTUND;
+si_code = TARGET_FPE_FLTUND;
 break;
 case TARGET_GEN_FLTINV:
-info.si_code = TARGET_FPE_FLTINV;
+si_code = TARGET_FPE_FLTINV;
 break;
 case TARGET_GEN_FLTINE:
-info.si_code = TARGET_FPE_FLTRES;
+si_code = TARGET_FPE_FLTRES;
 break;
 case TARGET_GEN_ROPRAND:
-info.si_code = TARGET_FPE_FLTUNK;
+si_code = TARGET_FPE_FLTUNK;
 break;
 default:
-info.si_signo = TARGET_SIGTRAP;
-

[PATCH v2 08/30] linux-user/aarch64: Use force_sig_fault()

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

Use the new force_sig_fault() function instead of setting up
a target_siginfo_t and calling queue_signal().

Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-8-peter.mayd...@linaro.org>
Signed-off-by: Richard Henderson 
---
 linux-user/aarch64/cpu_loop.c | 34 +-
 1 file changed, 9 insertions(+), 25 deletions(-)

diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index 5d8675944d..11e34cb100 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -21,6 +21,7 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 #include "qemu/guest-random.h"
 #include "semihosting/common-semi.h"
 #include "target/arm/syndrome.h"
@@ -77,9 +78,8 @@
 void cpu_loop(CPUARMState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr, ec, fsc;
+int trapnr, ec, fsc, si_code;
 abi_long ret;
-target_siginfo_t info;
 
 for (;;) {
 cpu_exec_start(cs);
@@ -108,18 +108,10 @@ void cpu_loop(CPUARMState *env)
 /* just indicate that signals should be handled asap */
 break;
 case EXCP_UDEF:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPN;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN, env->pc);
 break;
 case EXCP_PREFETCH_ABORT:
 case EXCP_DATA_ABORT:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info._sifields._sigfault._addr = env->exception.vaddress;
-
 /* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
 ec = syn_get_ec(env->exception.syndrome);
 assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
@@ -128,28 +120,24 @@ void cpu_loop(CPUARMState *env)
 fsc = extract32(env->exception.syndrome, 0, 6);
 switch (fsc) {
 case 0x04 ... 0x07: /* Translation fault, level {0-3} */
-info.si_code = TARGET_SEGV_MAPERR;
+si_code = TARGET_SEGV_MAPERR;
 break;
 case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
-info.si_code = TARGET_SEGV_ACCERR;
+si_code = TARGET_SEGV_ACCERR;
 break;
 case 0x11: /* Synchronous Tag Check Fault */
-info.si_code = TARGET_SEGV_MTESERR;
+si_code = TARGET_SEGV_MTESERR;
 break;
 default:
 g_assert_not_reached();
 }
 
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGSEGV, si_code, env->exception.vaddress);
 break;
 case EXCP_DEBUG:
 case EXCP_BKPT:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case EXCP_SEMIHOST:
 env->xregs[0] = do_common_semihosting(cs);
@@ -169,11 +157,7 @@ void cpu_loop(CPUARMState *env)
 /* Check for MTE asynchronous faults */
 if (unlikely(env->cp15.tfsr_el[0])) {
 env->cp15.tfsr_el[0] = 0;
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info._sifields._sigfault._addr = 0;
-info.si_code = TARGET_SEGV_MTEAERR;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGSEGV, TARGET_SEGV_MTEAERR, 0);
 }
 
 process_pending_signals(env);
-- 
2.25.1




[PATCH v2 10/30] linux-user/alpha: Set FPE_FLTUNK for gentrap ROPRAND

2021-08-21 Thread Richard Henderson
This si_code was changed in 4cc13e4f6d441, for linux 4.17.

Signed-off-by: Richard Henderson 
---
 linux-user/alpha/cpu_loop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/alpha/cpu_loop.c b/linux-user/alpha/cpu_loop.c
index b2e9503c50..e5f78a439a 100644
--- a/linux-user/alpha/cpu_loop.c
+++ b/linux-user/alpha/cpu_loop.c
@@ -164,7 +164,7 @@ void cpu_loop(CPUAlphaState *env)
 info.si_code = TARGET_FPE_FLTRES;
 break;
 case TARGET_GEN_ROPRAND:
-info.si_code = 0;
+info.si_code = TARGET_FPE_FLTUNK;
 break;
 default:
 info.si_signo = TARGET_SIGTRAP;
-- 
2.25.1




[PATCH v2 24/30] linux-user/openrisc: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/openrisc/cpu_loop.c | 37 +-
 1 file changed, 10 insertions(+), 27 deletions(-)

diff --git a/linux-user/openrisc/cpu_loop.c b/linux-user/openrisc/cpu_loop.c
index b33fa77718..d2632ce6a3 100644
--- a/linux-user/openrisc/cpu_loop.c
+++ b/linux-user/openrisc/cpu_loop.c
@@ -21,13 +21,14 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 void cpu_loop(CPUOpenRISCState *env)
 {
 CPUState *cs = env_cpu(env);
 int trapnr;
 abi_long ret;
-target_siginfo_t info;
 
 for (;;) {
 cpu_exec_start(cs);
@@ -54,42 +55,24 @@ void cpu_loop(CPUOpenRISCState *env)
 break;
 case EXCP_DPF:
 case EXCP_IPF:
+force_sigsegv_for_addr(env->eear);
+break;
 case EXCP_RANGE:
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+case EXCP_FPE:
+/* ??? The kernel vectors both of these to unhandled_exception. */
+force_sig(TARGET_SIGSEGV);
 break;
 case EXCP_ALIGN:
-info.si_signo = TARGET_SIGBUS;
-info.si_errno = 0;
-info.si_code = TARGET_BUS_ADRALN;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGBUS, TARGET_BUS_ADRALN, env->eear);
 break;
 case EXCP_ILLEGAL:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPC;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-break;
-case EXCP_FPE:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = 0;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPC, env->pc);
 break;
 case EXCP_INTERRUPT:
 /* We processed the pending cpu work above.  */
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
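Review bot: Several guest-visible changes in this hunk go beyond the "use the new functions" description: EXCP_FPE now delivers SIGSEGV via force_sig() instead of SIGFPE (L1916–L1918), EXCP_RANGE changes from SEGV_MAPERR with si_addr = env->pc to a force_sig() SIGSEGV, and EXCP_DPF/EXCP_IPF (L1908) and EXCP_ALIGN (L1926) now report env->eear rather than env->pc as the fault address. The `??? The kernel vectors both of these to unhandled_exception.` comment explains the first, but the commit message should state it, since a guest that installs a SIGFPE handler for range or FP traps will now be killed by SIGSEGV instead. cpu_loop() starts and ends outside the hunk.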
-- 
2.25.1




[PATCH v2 07/30] linux-user/arm: Use force_sig_fault()

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

Use the new force_sig_fault() function instead of setting up
a target_siginfo_t and calling queue_signal().

Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-7-peter.mayd...@linaro.org>
Signed-off-by: Richard Henderson 
---
 linux-user/arm/cpu_loop.c | 53 +++
 1 file changed, 15 insertions(+), 38 deletions(-)

diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c
index b8ece169f9..d4b4f0c71f 100644
--- a/linux-user/arm/cpu_loop.c
+++ b/linux-user/arm/cpu_loop.c
@@ -93,7 +93,6 @@ static void arm_kernel_cmpxchg64_helper(CPUARMState *env)
 {
 uint64_t oldval, newval, val;
 uint32_t addr, cpsr;
-target_siginfo_t info;
 
 /* Based on the 32 bit code in do_kernel_trap */
 
@@ -142,12 +141,9 @@ segv:
 end_exclusive();
 /* We get the PC of the entry address - which is as good as anything,
on a real kernel what you get depends on which mode it uses. */
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
 /* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->exception.vaddress;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGSEGV, TARGET_SEGV_MAPERR,
+env->exception.vaddress);
 }
 
 /* Handle a jump to the kernel code page.  */
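Review bot: Both SIGSEGV sites in this patch keep `/* XXX: check env->error_code */` and hard-code TARGET_SEGV_MAPERR (L1998 here and L2066 in the EXCP_PREFETCH_ABORT/EXCP_DATA_ABORT hunk), while the rest of the series converts equivalent sites to `force_sigsegv_for_addr(env->exception.vaddress);`, which settles the MAPERR/ACCERR question from the page flags and lets the XXX go. The aarch64 patch instead decodes the fault status from env->exception.syndrome (L1792–L1809); if the same decoding is valid for the 32-bit fault status format, that would be the more faithful option here. arm_kernel_cmpxchg64_helper() starts outside the hunk.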
@@ -285,8 +281,6 @@ void cpu_loop(CPUARMState *env)
 CPUState *cs = env_cpu(env);
 int trapnr;
 unsigned int n, insn;
-target_siginfo_t info;
-uint32_t addr;
 abi_ulong ret;
 
 for(;;) {
@@ -321,11 +315,8 @@ void cpu_loop(CPUARMState *env)
 break;
 }
 
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPN;
-info._sifields._sigfault._addr = env->regs[15];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN,
+env->regs[15]);
 }
 break;
 case EXCP_SWI:
@@ -393,18 +384,14 @@ void cpu_loop(CPUARMState *env)
  * Otherwise SIGILL. This includes any SWI with
  * immediate not originally 0x9f, because
  * of the earlier XOR.
+ * Like the real kernel, we report the addr of the
+ * SWI in the siginfo si_addr but leave the PC
+ * pointing at the insn after the SWI.
  */
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLTRP;
-info._sifields._sigfault._addr = env->regs[15];
-if (env->thumb) {
-info._sifields._sigfault._addr -= 2;
-} else {
-info._sifields._sigfault._addr -= 4;
-}
-queue_signal(env, info.si_signo,
- QEMU_SI_FAULT, );
+abi_ulong faultaddr = env->regs[15];
+faultaddr -= env->thumb ? 2 : 4;
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLTRP,
+faultaddr);
 }
 break;
 }
@@ -435,24 +422,14 @@ void cpu_loop(CPUARMState *env)
 break;
 case EXCP_PREFETCH_ABORT:
 case EXCP_DATA_ABORT:
-addr = env->exception.vaddress;
-{
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = addr;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+/* XXX: check env->error_code */
+force_sig_fault(TARGET_SIGSEGV, TARGET_SEGV_MAPERR,
+env->exception.vaddress);
 break;
 case EXCP_DEBUG:
 case EXCP_BKPT:
 excp_debug:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-info._sifields._sigfault._addr = env->regs[15];
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->regs[15]);
 break;
 case EXCP_KERNEL_TRAP:
 if (do_kernel_trap(env))
-- 
2.25.1




[PATCH v2 03/30] linux-user/arm: Use force_sig() to deliver fpa11 emulation SIGFPE

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

In the Arm target code, when the fpa11 emulation code tells us we
need to send the guest a SIGFPE, we do this with queue_signal(), but
we are using the wrong si_type, and we aren't setting the _sifields
union members corresponding to either the si_type we are using or the
si_type we should be using.

As the existing comment notes, the kernel code for this calls the old
send_sig() function to deliver the signal.  This eventually results
in the kernel's signal handling code fabricating a siginfo_t with a
SI_KERNEL code and a zero pid and uid.  For QEMU this means we need
to use QEMU_SI_KILL.  We already have a function for that:
force_sig() sets up the whole target_siginfo_t the way we need it.

Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-4-peter.mayd...@linaro.org>
[rth: Include signal-common.h]
Signed-off-by: Richard Henderson 
---
 linux-user/arm/cpu_loop.c | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c
index 007752f5b7..b8ece169f9 100644
--- a/linux-user/arm/cpu_loop.c
+++ b/linux-user/arm/cpu_loop.c
@@ -22,6 +22,7 @@
 #include "qemu.h"
 #include "elf.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
 #include "semihosting/common-semi.h"
 
 #define get_user_code_u32(x, gaddr, env)\
@@ -266,16 +267,13 @@ static bool emulate_arm_fpa11(CPUARMState *env, uint32_t 
opcode)
 ts->fpa.fpsr |= raise & ~enabled;
 
 if (raise & enabled) {
-target_siginfo_t info = { };
-
 /*
  * The kernel's nwfpe emulator does not pass a real si_code.
- * It merely uses send_sig(SIGFPE, current, 1).
+ * It merely uses send_sig(SIGFPE, current, 1), which results in
+ * __send_signal() filling out SI_KERNEL with pid and uid 0 (under
+ * the "SEND_SIG_PRIV" case). That's what our force_sig() does.
  */
-info.si_signo = TARGET_SIGFPE;
-info.si_code = TARGET_SI_KERNEL;
-
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig(TARGET_SIGFPE);
 } else {
 env->regs[15] += 4;
 }
-- 
2.25.1




[PATCH v2 06/30] linux-user: Provide new force_sigsegv_for_addr() function

2021-08-21 Thread Richard Henderson
Most linux-user targets so far do not distinguish between SEGV_MAPERR
and SEGV_ACCERR.  This function will be used to fix that.

Signed-off-by: Richard Henderson 
---
 linux-user/signal-common.h |  1 +
 linux-user/signal.c| 18 ++
 2 files changed, 19 insertions(+)

diff --git a/linux-user/signal-common.h b/linux-user/signal-common.h
index 536c7ac2c2..9090bbb315 100644
--- a/linux-user/signal-common.h
+++ b/linux-user/signal-common.h
@@ -40,6 +40,7 @@ void tswap_siginfo(target_siginfo_t *tinfo,
 void set_sigmask(const sigset_t *set);
 void force_sig(int sig);
 void force_sigsegv(int oldsig);
+void force_sigsegv_for_addr(abi_ulong addr);
 void force_sig_fault(int sig, int code, abi_ulong addr);
 #if defined(TARGET_ARCH_HAS_SETUP_FRAME)
 void setup_frame(int sig, struct target_sigaction *ka,
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 5ea8e4584a..0bb369c888 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -663,6 +663,24 @@ void force_sig_fault(int sig, int code, abi_ulong addr)
 queue_signal(env, sig, QEMU_SI_FAULT, );
 }
 
+/*
+ * Force a synchronously taken SIGSEGV signal for @addr.
+ * Distinguish between SEGV_MAPERR and SEGV_ACCERR here,
+ * in preference to doing that for each target.
+ */
+void force_sigsegv_for_addr(abi_ulong addr)
+{
+/*
+ * MAPERR indicates the page is not present at all.
+ * Otherwise, it must have been a permission problem.
+ */
+int si_code = TARGET_SEGV_MAPERR;
+if (page_get_flags(addr) & PAGE_VALID) {
+si_code = TARGET_SEGV_ACCERR;
+}
+force_sig_fault(TARGET_SIGSEGV, si_code, addr);
+}
+
 /* Force a SIGSEGV if we couldn't write to memory trying to set
  * up the signal frame. oldsig is the signal we were trying to handle
  * at the point of failure.
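Review bot: force_sigsegv_for_addr() decides MAPERR versus ACCERR from page_get_flags() at delivery time rather than from the state observed by the fault that raised the exception, so a concurrent munmap() or mprotect() from another guest thread between the fault and this call could flip the classification; the kernel presumably makes the same decision in the fault path under its mmap lock. This is probably an acceptable window for user emulation, but it is worth stating in the header comment, e.g. `* The classification reflects the page flags at the time of the call,` / `* which may differ from those at fault time under concurrent mmap changes.`. The existing "Otherwise, it must have been a permission problem" also covers a PAGE_VALID page with no permission bits (PROT_NONE), which presumably matches the kernel's SEGV_ACCERR for an existing VMA.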
-- 
2.25.1




[PATCH v2 19/30] linux-user/m68k: Use force_sig_fault, force_sigsegv_for_addr

2021-08-21 Thread Richard Henderson
Use the new functions instead of setting up a target_siginfo_t
and calling queue_signal.

Signed-off-by: Richard Henderson 
---
 linux-user/m68k/cpu_loop.c | 35 +++
 1 file changed, 7 insertions(+), 28 deletions(-)

diff --git a/linux-user/m68k/cpu_loop.c b/linux-user/m68k/cpu_loop.c
index c7a500b58c..aa46fdcc77 100644
--- a/linux-user/m68k/cpu_loop.c
+++ b/linux-user/m68k/cpu_loop.c
@@ -21,13 +21,14 @@
 #include "qemu-common.h"
 #include "qemu.h"
 #include "cpu_loop-common.h"
+#include "signal-common.h"
+
 
 void cpu_loop(CPUM68KState *env)
 {
 CPUState *cs = env_cpu(env);
 int trapnr;
 unsigned int n;
-target_siginfo_t info;
 
 for(;;) {
 cpu_exec_start(cs);
@@ -44,25 +45,13 @@ void cpu_loop(CPUM68KState *env)
 case EXCP_ILLEGAL:
 case EXCP_LINEA:
 case EXCP_LINEF:
-info.si_signo = TARGET_SIGILL;
-info.si_errno = 0;
-info.si_code = TARGET_ILL_ILLOPN;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN, env->pc);
 break;
 case EXCP_CHK:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = TARGET_FPE_INTOVF;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTOVF, env->pc);
 break;
 case EXCP_DIV0:
-info.si_signo = TARGET_SIGFPE;
-info.si_errno = 0;
-info.si_code = TARGET_FPE_INTDIV;
-info._sifields._sigfault._addr = env->pc;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGFPE, TARGET_FPE_INTDIV, env->pc);
 break;
 case EXCP_TRAP0:
 {
@@ -89,20 +78,10 @@ void cpu_loop(CPUM68KState *env)
 /* just indicate that signals should be handled asap */
 break;
 case EXCP_ACCESS:
-{
-info.si_signo = TARGET_SIGSEGV;
-info.si_errno = 0;
-/* XXX: check env->error_code */
-info.si_code = TARGET_SEGV_MAPERR;
-info._sifields._sigfault._addr = env->mmu.ar;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
-}
+force_sigsegv_for_addr(env->mmu.ar);
 break;
 case EXCP_DEBUG:
-info.si_signo = TARGET_SIGTRAP;
-info.si_errno = 0;
-info.si_code = TARGET_TRAP_BRKPT;
-queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
+force_sig_fault(TARGET_SIGTRAP, TARGET_TRAP_BRKPT, env->pc);
 break;
 case EXCP_ATOMIC:
 cpu_exec_step_atomic(cs);
-- 
2.25.1




[PATCH v2 02/30] linux-user/arm: Set siginfo_t addr field for SIGTRAP signals

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

When generating a TRAP_BRKPT SIGTRAP, set the siginfo_t addr field
to the PC where the breakpoint/singlestep trap occurred; this is
what the kernel does for this signal for this architecture.

Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-3-peter.mayd...@linaro.org>
Signed-off-by: Richard Henderson 
---
 linux-user/arm/cpu_loop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c
index 69632d15be..007752f5b7 100644
--- a/linux-user/arm/cpu_loop.c
+++ b/linux-user/arm/cpu_loop.c
@@ -453,6 +453,7 @@ void cpu_loop(CPUARMState *env)
 info.si_signo = TARGET_SIGTRAP;
 info.si_errno = 0;
 info.si_code = TARGET_TRAP_BRKPT;
+info._sifields._sigfault._addr = env->regs[15];
 queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
 break;
 case EXCP_KERNEL_TRAP:
-- 
2.25.1




[PATCH v2 04/30] linux-user: Zero out target_siginfo_t in force_sig()

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

The target_siginfo_t we populate in force_sig() will eventually
get copied onto the target's stack. Zero it out so that any extra
padding in the sifields union is consistently zero when the guest
sees it.

Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-5-peter.mayd...@linaro.org>
Signed-off-by: Richard Henderson 
---
 linux-user/signal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index a8faea6f09..fd3c6a3e60 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -636,7 +636,7 @@ void force_sig(int sig)
 {
 CPUState *cpu = thread_cpu;
 CPUArchState *env = cpu->env_ptr;
-target_siginfo_t info;
+target_siginfo_t info = {};
 
 info.si_signo = sig;
 info.si_errno = 0;
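Review bot: The `= {}` at L2361 is security-relevant, not just cosmetic: `info` is copied to the guest stack, so uninitialized padding in the `_sifields` union was host-stack data disclosed to the guest, and the description could say so. The same exposure remains wherever a `target_siginfo_t info;` is filled field by field and passed to queue_signal — on this page the alpha hunks at L1580–L1585 and L1590–L1595, the arm hunk at L2322–L2326 and the aarch64 hunk at L2393–L2397 (their declarations are outside those hunks, but where visible, e.g. cris at L1300, they carry no initializer) — until the later force_sig_fault conversions replace them. Strictly, an empty `{}` initializer is a GNU extension in C11, though the tree already relies on it (`{ }` at L2130 in arm/cpu_loop.c), so no change is needed there.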
-- 
2.25.1




[PATCH v2 01/30] linux-user/aarch64: Set siginfo_t addr field for SIGTRAP signals

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

When generating a TRAP_BRKPT SIGTRAP, set the siginfo_t addr field
to the PC where the breakpoint/singlestep trap occurred; this is
what the kernel does for this signal for this architecture.

Fixes: Coverity 1459154
Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-2-peter.mayd...@linaro.org>
Signed-off-by: Richard Henderson 
---
 linux-user/aarch64/cpu_loop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index ee72a1c20f..5d8675944d 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -148,6 +148,7 @@ void cpu_loop(CPUARMState *env)
 info.si_signo = TARGET_SIGTRAP;
 info.si_errno = 0;
 info.si_code = TARGET_TRAP_BRKPT;
+info._sifields._sigfault._addr = env->pc;
 queue_signal(env, info.si_signo, QEMU_SI_FAULT, );
 break;
 case EXCP_SEMIHOST:
-- 
2.25.1




[PATCH v2 00/30] linux-user: Clean up siginfo_t handling

2021-08-21 Thread Richard Henderson
Supersedes: 20210813131809.28655-1-peter.mayd...@linaro.org
("linux-user: Clean up siginfo_t handling for arm, aarch64")

Changes from Peter's v1:
  * Introduce force_sigsegv_for_addr().
  * Convert the rest of the targets, except nios2
(nios2 looks very wrong, and I can't test it).
  * Other misc cleanups to signal handling, while I
was nearby and looking at kernel code.


r~


Peter Maydell (7):
  linux-user/aarch64: Set siginfo_t addr field for SIGTRAP signals
  linux-user/arm: Set siginfo_t addr field for SIGTRAP signals
  linux-user/arm: Use force_sig() to deliver fpa11 emulation SIGFPE
  linux-user: Zero out target_siginfo_t in force_sig()
  linux-user: Provide new force_sig_fault() function
  linux-user/arm: Use force_sig_fault()
  linux-user/aarch64: Use force_sig_fault()

Richard Henderson (23):
  linux-user: Provide new force_sigsegv_for_addr() function
  linux-user/alpha: Set TRAP_UNK for bugchk and unknown gentrap
  linux-user/alpha: Set FPE_FLTUNK for gentrap ROPRAND
  linux-user/alpha: Use force_sig_fault, force_sigsegv_code
  linux-user/cris: Use force_sig_fault, force_sigsegv_code
  linux-user/hexagon: Use force_sigsegv_code
  linux-user/hppa: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/hppa: Use the proper si_code for PRIV_OPR, PRIV_REG,
OVERFLOW
  linux-user/hppa: Set FPE_CONDTRAP for COND
  linux-user/i386: Split out maybe_handle_vm86_trap
  linux-user/i386: Use force_sig, force_sig_fault,
force_sigsegv_for_addr
  linux-user/m68k: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/microblaze: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/microblaze: Fix SIGFPE si_codes
  linux-user/mips: Improve do_break
  linux-user/mips: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/openrisc: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/ppc: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/riscv: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/s390x: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/sh4: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/sparc: Use force_sig_fault, force_sigsegv_for_addr
  linux-user/xtensa: Use force_sig_fault, force_sigsegv_for_addr

 linux-user/signal-common.h   |   2 +
 linux-user/syscall_defs.h|   2 +
 linux-user/aarch64/cpu_loop.c|  33 ++-
 linux-user/alpha/cpu_loop.c  |  76 +
 linux-user/arm/cpu_loop.c|  64 +-
 linux-user/cris/cpu_loop.c   |  22 ++---
 linux-user/hexagon/cpu_loop.c|  22 +
 linux-user/hppa/cpu_loop.c   |  40 -
 linux-user/i386/cpu_loop.c   |  77 +++--
 linux-user/m68k/cpu_loop.c   |  35 ++--
 linux-user/microblaze/cpu_loop.c |  83 +-
 linux-user/mips/cpu_loop.c   |  92 +---
 linux-user/openrisc/cpu_loop.c   |  37 +++-
 linux-user/ppc/cpu_loop.c| 142 +++
 linux-user/riscv/cpu_loop.c  |  36 ++--
 linux-user/s390x/cpu_loop.c  |  16 ++--
 linux-user/sh4/cpu_loop.c|  14 +--
 linux-user/signal.c  |  37 +++-
 linux-user/sparc/cpu_loop.c  |  38 ++---
 linux-user/xtensa/cpu_loop.c |  34 +++-
 20 files changed, 310 insertions(+), 592 deletions(-)

-- 
2.25.1




[PATCH v2 05/30] linux-user: Provide new force_sig_fault() function

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

In many places in the linux-user code we need to queue a signal for
the guest using the QEMU_SI_FAULT si_type.  This requires that the
caller sets up and passes us a target_siginfo, including setting the
appropriate part of the _sifields union for the si_type. In a number
of places the code forgets to set the _sifields union field.

Provide a new force_sig_fault() function, which does the same thing
as the Linux kernel function of that name -- it takes the signal
number, the si_code value and the address to use in
_sifields._sigfault, and assembles the target_siginfo itself.  This
makes the callsites simpler and means it's harder to forget to pass
in an address value.

We follow force_sig() and the kernel's force_sig_fault() in not
requiring the caller to pass in the CPU pointer but always acting
on the CPU of the current thread.

Signed-off-by: Peter Maydell 
Message-Id: <20210813131809.28655-6-peter.mayd...@linaro.org>
Signed-off-by: Richard Henderson 
---
 linux-user/signal-common.h |  1 +
 linux-user/signal.c| 17 +
 2 files changed, 18 insertions(+)

diff --git a/linux-user/signal-common.h b/linux-user/signal-common.h
index ea86328b28..536c7ac2c2 100644
--- a/linux-user/signal-common.h
+++ b/linux-user/signal-common.h
@@ -40,6 +40,7 @@ void tswap_siginfo(target_siginfo_t *tinfo,
 void set_sigmask(const sigset_t *set);
 void force_sig(int sig);
 void force_sigsegv(int oldsig);
+void force_sig_fault(int sig, int code, abi_ulong addr);
 #if defined(TARGET_ARCH_HAS_SETUP_FRAME)
 void setup_frame(int sig, struct target_sigaction *ka,
  target_sigset_t *set, CPUArchState *env);
diff --git a/linux-user/signal.c b/linux-user/signal.c
index fd3c6a3e60..5ea8e4584a 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -646,6 +646,23 @@ void force_sig(int sig)
 queue_signal(env, info.si_signo, QEMU_SI_KILL, );
 }
 
+/*
+ * Force a synchronously taken QEMU_SI_FAULT signal. For QEMU the
+ * 'force' part is handled in process_pending_signals().
+ */
+void force_sig_fault(int sig, int code, abi_ulong addr)
+{
+CPUState *cpu = thread_cpu;
+CPUArchState *env = cpu->env_ptr;
+target_siginfo_t info = {};
+
+info.si_signo = sig;
+info.si_errno = 0;
+info.si_code = code;
+info._sifields._sigfault._addr = addr;
+queue_signal(env, sig, QEMU_SI_FAULT, );
+}
+
 /* Force a SIGSEGV if we couldn't write to memory trying to set
  * up the signal frame. oldsig is the signal we were trying to handle
  * at the point of failure.
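Review bot: `info.si_errno = 0;` in the new force_sig_fault() is redundant after `target_siginfo_t info = {};`, which already zeroes the whole struct; removing it leaves only the fields that actually carry information. The header comment could also state the contract for `addr`: it is stored verbatim in `_sifields._sigfault._addr`, so callers must pass the guest-visible value (already masked or adjusted the way the target kernel reports it) rather than a raw fault address. A line such as ` * @addr is stored unmodified in _sigfault._addr; pass the value the guest kernel would report.` would capture that.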
-- 
2.25.1




Re: [PATCH v4 3/7] python/aqmp-tui: Add AQMP TUI draft

2021-08-21 Thread Niteesh G. S.
On Sun, Aug 22, 2021 at 1:36 AM John Snow  wrote:

> On Thu, Aug 19, 2021 at 1:39 PM G S Niteesh Babu 
> wrote:
>
>> Added a draft of AQMP TUI.
>>
>> Implements the following basic features:
>> 1) Command transmission/reception.
>> 2) Shows events asynchronously.
>> 3) Shows server status in the bottom status bar.
>>
>> Also added type annotations and necessary pylint,
>> mypy configurations
>>
>> Signed-off-by: G S Niteesh Babu 
>> ---
>>  python/qemu/aqmp/aqmp_tui.py | 566 +++
>>  python/setup.cfg |  15 +-
>>  2 files changed, 579 insertions(+), 2 deletions(-)
>>  create mode 100644 python/qemu/aqmp/aqmp_tui.py
>>
>> diff --git a/python/qemu/aqmp/aqmp_tui.py b/python/qemu/aqmp/aqmp_tui.py
>> new file mode 100644
>> index 00..12c9c4162a
>> --- /dev/null
>> +++ b/python/qemu/aqmp/aqmp_tui.py
>> @@ -0,0 +1,566 @@
>> +# Copyright (c) 2021
>> +#
>> +# Authors:
>> +#  Niteesh Babu G S 
>> +#
>> +# This work is licensed under the terms of the GNU GPL, version 2 or
>> +# later.  See the COPYING file in the top-level directory.
>> +"""
>> +AQMP TUI
>> +
>> +AQMP TUI is an asynchronous interface built on top the of the AQMP
>> library.
>> +It is the successor of QMP-shell and is bought-in as a replacement for
>> it.
>> +
>> +Example Usage: aqmp-tui 
>> +Full Usage: aqmp-tui --help
>> +"""
>> +
>> +import argparse
>> +import asyncio
>> +import logging
>> +from logging import Handler, LogRecord
>> +import signal
>> +from typing import (
>> +List,
>> +Optional,
>> +Tuple,
>> +Type,
>> +Union,
>> +cast,
>> +)
>> +
>> +import urwid
>> +import urwid_readline
>> +
>> +from ..qmp import QEMUMonitorProtocol, QMPBadPortError
>> +from .message import DeserializationError, Message, UnexpectedTypeError
>> +from .protocol import ConnectError
>> +from .qmp_client import ExecInterruptedError, QMPClient
>> +from .util import create_task, pretty_traceback
>> +
>> +
>> +# The name of the signal that is used to update the history list
>> +UPDATE_MSG: str = 'UPDATE_MSG'
>> +
>> +
>> +def format_json(msg: str) -> str:
>> +"""
>> +Formats given multi-line JSON message into a single-line message.
>> +Converting into single line is more asthetically pleasing when
>> looking
>> +along with error messages.
>> +
>> +Eg:
>> +Input:
>> +  [ 1,
>> +true,
>> +3 ]
>> +The above input is not a valid QMP message and produces the
>> following error
>> +"QMP message is not a JSON object."
>> +When displaying this in TUI in multiline mode we get
>> +
>> +[ 1,
>> +  true,
>> +  3 ]: QMP message is not a JSON object.
>> +
>> +whereas in singleline mode we get the following
>> +
>> +[1, true, 3]: QMP message is not a JSON object.
>> +
>> +The single line mode is more asthetically pleasing.
>> +
>> +:param msg:
>> +The message to formatted into single line.
>> +
>> +:return: Formatted singleline message.
>> +
>> +NOTE: We cannot use the JSON module here because it is only capable
>> of
>> +format valid JSON messages. But here the goal is to also format
>> invalid
>> +JSON messages.
>> +"""
>> +msg = msg.replace('\n', '')
>> +words = msg.split(' ')
>> +words = [word for word in words if word != '']
>> +return ' '.join(words)
>> +
>> +
>> +def has_tui_handler(logger: logging.Logger,
>> +handler_type: Type[Handler]) -> bool:
>> +"""
>> +The Logger class has no interface to check if a certain type of
>> handler is
>> +installed or not. So we provide an interface to do so.
>> +
>> +:param logger:
>> +Logger object
>> +:param handler_type:
>> +The type of the handler to be checked.
>> +
>> +:return: returns True if handler of type `handler_type` is installed
>> else
>> + False.
>> +"""
>> +handlers = logger.handlers
>> +for handler in handlers:
>> +if isinstance(handler, handler_type):
>> +return True
>> +return False
>> +
>> +
>> +class App(QMPClient):
>> +"""
>> +Implements the AQMP TUI.
>> +
>> +Initializes the widgets and starts the urwid event loop.
>> +"""
>> +def __init__(self, address: Union[str, Tuple[str, int]]) -> None:
>> +"""
>> +Initializes the TUI.
>> +
>> +:param address:
>> +Address of the server to connect to.
>> +"""
>> +urwid.register_signal(type(self), UPDATE_MSG)
>> +self.window = Window(self)
>> +self.address = address
>> +self.aloop: Optional[asyncio.AbstractEventLoop] = None
>> +super().__init__()
>> +
>> +def add_to_history(self, msg: str, level: Optional[str] = None) ->
>> None:
>> +"""
>> +Appends the msg to the history list.
>> +
>> +:param msg:
>> +The raw message to be appended in string type.
>> +"""
>> +urwid.emit_signal(self, UPDATE_MSG, 

Re: [PATCH v4 0/7] AQMP TUI Draft

2021-08-21 Thread Niteesh G. S.
On Sat, Aug 21, 2021 at 9:39 AM John Snow  wrote:

>
>
> On Thu, Aug 19, 2021 at 1:39 PM G S Niteesh Babu 
> wrote:
>
>> Hello all,
>>
>> Gitlab:
>> https://gitlab.com/niteesh.gs/qemu/-/commits/aqmp-tui-prototype-v4
>> CI: https://gitlab.com/niteesh.gs/qemu/-/pipelines/356024270
>>
>> Revision since v3:
>> 1) Added docstrings
>> 2) Minor changes in AQMP TUI Draft
>> 3) Switched to constant retry delay in QMP connection manager and other
>>minor changes.
>>
>> G S Niteesh Babu (7):
>>   python: disable pylint errors for aqmp-tui
>>   python: Add dependencies for AQMP TUI
>>   python/aqmp-tui: Add AQMP TUI draft
>>   python: Add entry point for aqmp-tui
>>   python: add optional pygments dependency
>>   python/aqmp-tui: Add syntax highlighting
>>   python/aqmp-tui: Add QMP connection manager
>>
>>  python/Pipfile.lock  |  20 +
>>  python/qemu/aqmp/aqmp_tui.py | 681 +++
>>  python/setup.cfg |  29 +-
>>  3 files changed, 729 insertions(+), 1 deletion(-)
>>  create mode 100644 python/qemu/aqmp/aqmp_tui.py
>>
>> --
>> 2.17.1
>>
>>
> Hiya, please specify what your branch is based on when you submit your
> patchsets using the Based-On tag.
>
Oops sorry, I'll make sure to add it in the next revision.

>
> - It's time to drop patch #1 entirely.
>
- We can drop the word 'draft' from the commit messages now, let's try to
> make this solid.
>
- If you want to keep the TODO comments in the code, add a pylint
> configuration item that allows "todo" but disallows "fixme" and "xxx"
> comments.
>

> Detailed review to follow tomorrow, but you can start working on these
> items right away. I might also squash patch #7 directly into patch #3, but
> haven't looked too closely yet.
>
I have addressed all your above comments in this branch
https://gitlab.com/niteesh.gs/qemu/-/commits/aqmp-tui-prototype-v5
except squashing of patches #3 and #7. Will do it once you review patch #7.

>
> (Note that due to an update to pylint that happened just today, check-tox
> is going to fail now -- that's fine, it's not your fault. As long as
> check-pipenv works, you're in good shape. I'll have a fix in my python
> branch tomorrow for these problems.)
>


[PATCH 5/5] 9pfs: use QArray in v9fs_walk()

2021-08-21 Thread Christian Schoenebeck
Signed-off-by: Christian Schoenebeck 
---
 hw/9pfs/9p.c | 17 +
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index b59572fa79..91062ee4d6 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1707,13 +1707,14 @@ static void coroutine_fn v9fs_walk(void *opaque)
 int name_idx;
 g_autofree V9fsQID *qids = NULL;
 int i, err = 0;
-V9fsPath dpath, path, *pathes = NULL;
+V9fsPath dpath, path;
+QArrayRef(V9fsPath) pathes = NULL;
 uint16_t nwnames;
 struct stat stbuf, fidst;
 g_autofree struct stat *stbufs = NULL;
 size_t offset = 7;
 int32_t fid, newfid;
-V9fsString *wnames = NULL;
+QArrayRef(V9fsString) wnames = NULL;
 V9fsFidState *fidp;
 V9fsFidState *newfidp = NULL;
 V9fsPDU *pdu = opaque;
@@ -1734,10 +1735,10 @@ static void coroutine_fn v9fs_walk(void *opaque)
 goto out_nofid;
 }
 if (nwnames) {
-wnames = g_new0(V9fsString, nwnames);
+QARRAY_CREATE(V9fsString, wnames, nwnames);
 qids   = g_new0(V9fsQID, nwnames);
 stbufs = g_new0(struct stat, nwnames);
-pathes = g_new0(V9fsPath, nwnames);
+QARRAY_CREATE(V9fsPath, pathes, nwnames);
 for (i = 0; i < nwnames; i++) {
 err = pdu_unmarshal(pdu, offset, "s", [i]);
 if (err < 0) {
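Review bot: `g_new0(V9fsString, nwnames)` performed an overflow-checked multiplication, whereas `QARRAY_CREATE`, as introduced in patch 1/5 of this thread, builds the allocation size as `sizeof(QArray...) + len * sizeof(scalar_type)` with an unchecked multiply. It cannot overflow at this call site because `nwnames` is a `uint16_t`, but the generic `qarray_create_*` helper loses the guard that every caller of `g_new0` gets for free. Either an explicit bound check on `len` in the helper (abort if `len > (SIZE_MAX - sizeof(QArray##scalar_type)) / sizeof(scalar_type)`) or a documented requirement that callers pass a bounded length would restore that. v9fs_walk() begins and ends outside this hunk.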
@@ -1869,14 +1870,6 @@ out:
 v9fs_path_free();
 out_nofid:
 pdu_complete(pdu, err);
-if (nwnames && nwnames <= P9_MAXWELEM) {
-for (name_idx = 0; name_idx < nwnames; name_idx++) {
-v9fs_string_free([name_idx]);
-v9fs_path_free([name_idx]);
-}
-g_free(wnames);
-g_free(pathes);
-}
 }
 
 static int32_t coroutine_fn get_iounit(V9fsPDU *pdu, V9fsPath *path)
-- 
2.20.1




[PATCH 4/5] 9pfs: make V9fsPath usable via QArray API

2021-08-21 Thread Christian Schoenebeck
Signed-off-by: Christian Schoenebeck 
---
 fsdev/file-op-9p.h | 2 ++
 hw/9pfs/9p.c   | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
index 42f677cf38..7630f0e538 100644
--- a/fsdev/file-op-9p.h
+++ b/fsdev/file-op-9p.h
@@ -18,6 +18,7 @@
 #include 
 #include 
 #include "qemu-fsdev-throttle.h"
+#include "qemu/qarray.h"
 
 #define SM_LOCAL_MODE_BITS0600
 #define SM_LOCAL_DIR_MODE_BITS0700
@@ -105,6 +106,7 @@ struct V9fsPath {
 uint16_t size;
 char *data;
 };
+DECLARE_QARRAY_TYPE(V9fsPath);
 
 typedef union V9fsFidOpenState V9fsFidOpenState;
 
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index c857b31321..b59572fa79 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -50,6 +50,8 @@ enum {
 Oappend = 0x80,
 };
 
+DEFINE_QARRAY_TYPE(V9fsPath, v9fs_path_free);
+
 static ssize_t pdu_marshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
 {
 ssize_t ret;
-- 
2.20.1




[PATCH 3/5] 9pfs: make V9fsString usable via QArray API

2021-08-21 Thread Christian Schoenebeck
Signed-off-by: Christian Schoenebeck 
---
 fsdev/9p-marshal.c | 2 ++
 fsdev/9p-marshal.h | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/fsdev/9p-marshal.c b/fsdev/9p-marshal.c
index a01bba6908..fbfc2a62cd 100644
--- a/fsdev/9p-marshal.c
+++ b/fsdev/9p-marshal.c
@@ -18,6 +18,8 @@
 
 #include "9p-marshal.h"
 
+DEFINE_QARRAY_TYPE(V9fsString, v9fs_string_free);
+
 void v9fs_string_free(V9fsString *str)
 {
 g_free(str->data);
diff --git a/fsdev/9p-marshal.h b/fsdev/9p-marshal.h
index ceaf2f521e..7229e4e617 100644
--- a/fsdev/9p-marshal.h
+++ b/fsdev/9p-marshal.h
@@ -1,10 +1,13 @@
 #ifndef QEMU_9P_MARSHAL_H
 #define QEMU_9P_MARSHAL_H
 
+#include "qemu/qarray.h"
+
 typedef struct V9fsString {
 uint16_t size;
 char *data;
 } V9fsString;
+DECLARE_QARRAY_TYPE(V9fsString);
 
 typedef struct V9fsQID {
 uint8_t type;
-- 
2.20.1




[PATCH 2/5] qemu/qarray.h: weak scalar type check in QARRAY_CREATE()

2021-08-21 Thread Christian Schoenebeck
Unfortunately something like

  _Static_assert(typeof(a) == typeof(b), "type mismatch");

is currently not supported by C. So for the time being at least
check that the size of the scalar types match at compile time.

Signed-off-by: Christian Schoenebeck 
---
 include/qemu/qarray.h | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/include/qemu/qarray.h b/include/qemu/qarray.h
index 230a556e81..2cb8656c5d 100644
--- a/include/qemu/qarray.h
+++ b/include/qemu/qarray.h
@@ -27,6 +27,8 @@
 #ifndef QEMU_QARRAY_H
 #define QEMU_QARRAY_H
 
+#include "qemu/compiler.h"
+
 /**
  * QArray provides a mechanism to access arrays in common C-style (e.g. by
  * square bracket [] operator) in conjunction with reference variables that
@@ -143,6 +145,10 @@
  * @param len - amount of array elements to be allocated immediately
  */
 #define QARRAY_CREATE(scalar_type, auto_var, len) \
+QEMU_BUILD_BUG_MSG( \
+sizeof(scalar_type) != sizeof(*auto_var), \
+"QArray scalar type mismatch" \
+); \
 qarray_create_##scalar_type((_var), len)
 
 #endif /* QEMU_QARRAY_H */
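Review bot: The size comparison only catches element types of different width, so a `QArrayRef(Foo)` paired with any same-sized `scalar_type` still compiles; GCC and Clang, which QEMU requires, offer an exact check via `__builtin_types_compatible_p`, e.g. `QEMU_BUILD_BUG_MSG(!__builtin_types_compatible_p(scalar_type, __typeof__(*(auto_var))), "QArray scalar type mismatch");`. Independently, `auto_var` is used unparenthesized in `sizeof(*auto_var)`; the macro should consistently use `(auto_var)`. Because the macro now expands to more than one statement, an unbraced `if (cond) QARRAY_CREATE(...)` no longer behaves as a single statement; wrapping the expansion in `do { ... } while (0)` keeps that safe.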
-- 
2.20.1




[PATCH 0/5] introduce QArray

2021-08-21 Thread Christian Schoenebeck
Patches 1 and 2 introduce include/qemu/qarray.h which implements a deep auto
free mechanism for arrays. Unlike GArray it does not require special macros,
function calls or member dereferencing to access the individual array
elements. So existing C-style array code can be retained with only very
little changes.

In this initial version QArray only supports the concept of unique pointers,
i.e. it does not support reference counting. The array (and all dynamically
allocated memory of individual array elements) is auto freed once execution
leaves the scope of the reference variable (unique pointer) associated with
the array.

Patches 3..5 are provided (e.g. as example) for 9p being the first user of
this new QArray API. These particular patches 3..5 are rebased on my
current 9p queue: https://github.com/cschoenebeck/qemu/commits/9p.next
which are basically just the following two queued patches:

https://github.com/cschoenebeck/qemu/commit/7772715d43908235940f5b7dec68d0458b1ccdf4
https://github.com/cschoenebeck/qemu/commit/838b55e392ea7d52e714fdba1db777f658aee2cc

Christian Schoenebeck (5):
  qemu/qarray.h: introduce QArray
  qemu/qarray.h: weak scalar type check in QARRAY_CREATE()
  9pfs: make V9fsString usable via QArray API
  9pfs: make V9fsPath usable via QArray API
  9pfs: use QArray in v9fs_walk()

 fsdev/9p-marshal.c|   2 +
 fsdev/9p-marshal.h|   3 +
 fsdev/file-op-9p.h|   2 +
 hw/9pfs/9p.c  |  19 ++
 include/qemu/qarray.h | 154 ++
 5 files changed, 168 insertions(+), 12 deletions(-)
 create mode 100644 include/qemu/qarray.h

-- 
2.20.1




[PATCH 1/5] qemu/qarray.h: introduce QArray

2021-08-21 Thread Christian Schoenebeck
Implements deep auto free of arrays while retaining common C-style
squared bracket access.

Signed-off-by: Christian Schoenebeck 
---
 include/qemu/qarray.h | 148 ++
 1 file changed, 148 insertions(+)
 create mode 100644 include/qemu/qarray.h

diff --git a/include/qemu/qarray.h b/include/qemu/qarray.h
new file mode 100644
index 00..230a556e81
--- /dev/null
+++ b/include/qemu/qarray.h
@@ -0,0 +1,148 @@
+/*
+ * QArray - deep auto free C-array
+ *
+ * Copyright (c) 2021 Crudebyte
+ *
+ * Authors:
+ *   Christian Schoenebeck 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#ifndef QEMU_QARRAY_H
+#define QEMU_QARRAY_H
+
+/**
+ * QArray provides a mechanism to access arrays in common C-style (e.g. by
+ * square bracket [] operator) in conjunction with reference variables that
+ * perform deep auto free of the array when leaving the scope of the auto
+ * reference variable. That means not only is the array itself automatically
+ * freed, but also memory dynamically allocated by the individual array
+ * elements.
+ *
+ * Example:
+ *
+ * Consider the following user struct @c Foo which shall be used as scalar
+ * (element) type of an array:
+ * @code
+ * typedef struct Foo {
+ * int i;
+ * char *s;
+ * } Foo;
+ * @endcode
+ * and assume it has the following function to free memory allocated by @c Foo
+ * instances:
+ * @code
+ * void free_foo(Foo *foo) {
+ * free(foo->s);
+ * }
+ * @endcode
+ * Add the following to a shared header file:
+ * @code
+ * DECLARE_QARRAY_TYPE(Foo);
+ * @endcode
+ * and the following to a C unit file:
+ * @code
+ * DEFINE_QARRAY_TYPE(Foo, free_foo);
+ * @endcode
+ * Finally the array may then be used like this:
+ * @code
+ * void doSomething(int n) {
+ * QArrayRef(Foo) foos = NULL;
+ * QARRAY_CREATE(Foo, foos, n);
+ * for (size_t i = 0; i < n; ++i) {
+ * foos[i].i = i;
+ * foos[i].s = calloc(4096, 1);
+ * snprintf(foos[i].s, 4096, "foo %d", i);
+ * }
+ * }
+ * @endcode
+ */
+
+/**
+ * Declares an array for the passed @a scalar_type.
+ *
+ * This is typically used from a shared header file.
+ *
+ * @param scalar_type - type of the individual array elements
+ */
+#define DECLARE_QARRAY_TYPE(scalar_type) \
+typedef struct QArray##scalar_type { \
+size_t len; \
+scalar_type first[]; \
+} QArray##scalar_type; \
+\
+void qarray_create_##scalar_type(scalar_type **auto_var, size_t len); \
+void qarray_auto_free_##scalar_type(scalar_type **auto_var); \
+
+/**
+ * Defines an array for the passed @a scalar_type and appropriate
+ * @a scalar_cleanup_func.
+ *
+ * @param scalar_type - type of the individual array elements
+ * @param scalar_cleanup_func - appropriate function to free memory dynamically
+ *  allocated by individual array elements before
+ */
+#define DEFINE_QARRAY_TYPE(scalar_type, scalar_cleanup_func) \
+void qarray_create_##scalar_type(scalar_type **auto_var, size_t len) \
+{ \
+qarray_auto_free_##scalar_type(auto_var); \
+QArray##scalar_type *arr = g_malloc0(sizeof(QArray##scalar_type) + \
+len * sizeof(scalar_type)); \
+arr->len = len; \
+*auto_var = >first[0]; \
+} \
+\
+void qarray_auto_free_##scalar_type(scalar_type **auto_var) \
+{ \
+scalar_type *first = (*auto_var); \
+if (!first) { \
+return; \
+} \
+QArray##scalar_type *arr = (QArray##scalar_type *) ( \
+((char *)first) - offsetof(QArray##scalar_type, first) \
+); \
+for (size_t i = 0; i < arr->len; ++i) { \
+scalar_cleanup_func(>first[i]); \
+} \
+g_free(arr); \
+} \
+
+/**
+ * Used to declare a reference variable (unique pointer) for an array. After
+ * leaving the scope of the reference variable, the associated array is
+ * automatically freed.
+ *
+ * @param 

Re: [PATCH v2 6/8] target/arm: Assert thumb pc is aligned

2021-08-21 Thread Philippe Mathieu-Daudé
On 8/21/21 9:59 PM, Richard Henderson wrote:
> Misaligned thumb PC is architecturally impossible.
> Assert is better than proceeding, in case we've missed
> something somewhere.
> 
> Expand a comment about aligning the pc in gdbstub.
> Fail an incoming migrate if a thumb pc is misaligned.
> 
> Signed-off-by: Richard Henderson 
> ---
>  target/arm/gdbstub.c   | 9 +++--
>  target/arm/machine.c   | 9 +
>  target/arm/translate.c | 3 +++
>  3 files changed, 19 insertions(+), 2 deletions(-)

> diff --git a/target/arm/translate.c b/target/arm/translate.c
> index dfeaa2321d..a93ea3c47c 100644
> --- a/target/arm/translate.c
> +++ b/target/arm/translate.c
> @@ -9595,6 +9595,9 @@ static void thumb_tr_translate_insn(DisasContextBase 
> *dcbase, CPUState *cpu)
>  uint32_t insn;
>  bool is_16bit;
>  
> +/* Misaligned thumb PC is architecturally impossible. */
> +assert((dc->base.pc_next & 1) == 0);

What about using tcg_debug_assert() instead?

>  if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
>  dc->base.pc_next += 2;
>  return;
> 




[PATCH v2 8/8] tests/tcg: Add arm and aarch64 pc alignment tests

2021-08-21 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 tests/tcg/aarch64/pcalign-a64.c   | 37 +
 tests/tcg/arm/pcalign-a32.c   | 46 +++
 tests/tcg/aarch64/Makefile.target |  4 +--
 tests/tcg/arm/Makefile.target |  4 +++
 4 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c

diff --git a/tests/tcg/aarch64/pcalign-a64.c b/tests/tcg/aarch64/pcalign-a64.c
new file mode 100644
index 00..6b9277f919
--- /dev/null
+++ b/tests/tcg/aarch64/pcalign-a64.c
@@ -0,0 +1,37 @@
+/* Test PC misalignment exception */
+
+#include 
+#include 
+#include 
+#include 
+
+static void *expected;
+
+static void sigbus(int sig, siginfo_t *info, void *vuc)
+{
+assert(info->si_code == BUS_ADRALN);
+assert(info->si_addr == expected);
+exit(EXIT_SUCCESS);
+}
+
+int main()
+{
+void *tmp;
+
+struct sigaction sa = {
+.sa_sigaction = sigbus,
+.sa_flags = SA_SIGINFO
+};
+
+if (sigaction(SIGBUS, , NULL) < 0) {
+perror("sigaction");
+return EXIT_FAILURE;
+}
+
+asm volatile("adr %0, 1f + 1\n\t"
+ "str %0, %1\n\t"
+ "br  %0\n"
+ "1:"
+ : "="(tmp), "=m"(expected));
+abort();
+}
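Review bot: `int main()` in both new tests (here and in pcalign-a32.c) should be `int main(void)`; an empty parameter list is an old-style declaration in C11 and `-Wstrict-prototypes` flags it. The `sigbus` handler calls `exit()`, which is not async-signal-safe; since the fault is synchronous and the handler does nothing else it is fine in practice, but `_exit(EXIT_SUCCESS)` is the strictly safe spelling and needs `<unistd.h>`. The unused `sig` and `vuc` parameters will warn under `-Wunused-parameter` if the tcg tests are built with `-Wextra`; `(void)sig; (void)vuc;` at the top of the handler keeps the build quiet.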
diff --git a/tests/tcg/arm/pcalign-a32.c b/tests/tcg/arm/pcalign-a32.c
new file mode 100644
index 00..3c9c8cc97b
--- /dev/null
+++ b/tests/tcg/arm/pcalign-a32.c
@@ -0,0 +1,46 @@
+/* Test PC misalignment exception */
+
+#ifdef __thumb__
+#error "This test must be compiled for ARM"
+#endif
+
+#include 
+#include 
+#include 
+#include 
+
+static void *expected;
+
+static void sigbus(int sig, siginfo_t *info, void *vuc)
+{
+assert(info->si_code == BUS_ADRALN);
+assert(info->si_addr == expected);
+exit(EXIT_SUCCESS);
+}
+
+int main()
+{
+void *tmp;
+
+struct sigaction sa = {
+.sa_sigaction = sigbus,
+.sa_flags = SA_SIGINFO
+};
+
+if (sigaction(SIGBUS, , NULL) < 0) {
+perror("sigaction");
+return EXIT_FAILURE;
+}
+
+asm volatile("adr %0, 1f + 2\n\t"
+ "str %0, %1\n\t"
+ "bx  %0\n"
+ "1:"
+ : "="(tmp), "=m"(expected));
+
+/*
+ * From v8, it is CONSTRAINED UNPREDICTABLE whether BXWritePC aligns
+ * the address or not.  If so, we can legitimately fall through.
+ */
+return EXIT_SUCCESS;
+}
diff --git a/tests/tcg/aarch64/Makefile.target 
b/tests/tcg/aarch64/Makefile.target
index 2c05c90d17..1d967901bd 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -8,8 +8,8 @@ VPATH   += $(ARM_SRC)
 AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64
 VPATH  += $(AARCH64_SRC)
 
-# Float-convert Tests
-AARCH64_TESTS=fcvt
+# Base architecture tests
+AARCH64_TESTS=fcvt pcalign-a64
 
 fcvt: LDFLAGS+=-lm
 
diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target
index 5ab59ed6ce..f509d823d4 100644
--- a/tests/tcg/arm/Makefile.target
+++ b/tests/tcg/arm/Makefile.target
@@ -29,6 +29,10 @@ run-fcvt: fcvt
$(call run-test,fcvt,$(QEMU) $<,"$< on $(TARGET_NAME)")
$(call diff-out,fcvt,$(ARM_SRC)/fcvt.ref)
 
+# PC alignment test
+ARM_TESTS += pcalign-a32
+pcalign-a32: CFLAGS+=-marm
+
 ifeq ($(CONFIG_ARM_COMPATIBLE_SEMIHOSTING),y)
 
 # Semihosting smoke test for linux-user
-- 
2.25.1




Re: [PATCH v4 3/7] python/aqmp-tui: Add AQMP TUI draft

2021-08-21 Thread John Snow
On Thu, Aug 19, 2021 at 1:39 PM G S Niteesh Babu 
wrote:

> Added a draft of AQMP TUI.
>
> Implements the following basic features:
> 1) Command transmission/reception.
> 2) Shows events asynchronously.
> 3) Shows server status in the bottom status bar.
>
> Also added type annotations and necessary pylint,
> mypy configurations
>
> Signed-off-by: G S Niteesh Babu 
> ---
>  python/qemu/aqmp/aqmp_tui.py | 566 +++
>  python/setup.cfg |  15 +-
>  2 files changed, 579 insertions(+), 2 deletions(-)
>  create mode 100644 python/qemu/aqmp/aqmp_tui.py
>
> diff --git a/python/qemu/aqmp/aqmp_tui.py b/python/qemu/aqmp/aqmp_tui.py
> new file mode 100644
> index 00..12c9c4162a
> --- /dev/null
> +++ b/python/qemu/aqmp/aqmp_tui.py
> @@ -0,0 +1,566 @@
> +# Copyright (c) 2021
> +#
> +# Authors:
> +#  Niteesh Babu G S 
> +#
> +# This work is licensed under the terms of the GNU GPL, version 2 or
> +# later.  See the COPYING file in the top-level directory.
> +"""
> +AQMP TUI
> +
> +AQMP TUI is an asynchronous interface built on top the of the AQMP
> library.
> +It is the successor of QMP-shell and is bought-in as a replacement for it.
> +
> +Example Usage: aqmp-tui 
> +Full Usage: aqmp-tui --help
> +"""
> +
> +import argparse
> +import asyncio
> +import logging
> +from logging import Handler, LogRecord
> +import signal
> +from typing import (
> +List,
> +Optional,
> +Tuple,
> +Type,
> +Union,
> +cast,
> +)
> +
> +import urwid
> +import urwid_readline
> +
> +from ..qmp import QEMUMonitorProtocol, QMPBadPortError
> +from .message import DeserializationError, Message, UnexpectedTypeError
> +from .protocol import ConnectError
> +from .qmp_client import ExecInterruptedError, QMPClient
> +from .util import create_task, pretty_traceback
> +
> +
> +# The name of the signal that is used to update the history list
> +UPDATE_MSG: str = 'UPDATE_MSG'
> +
> +
> +def format_json(msg: str) -> str:
> +"""
> +Formats given multi-line JSON message into a single-line message.
> +Converting into single line is more asthetically pleasing when looking
> +along with error messages.
> +
> +Eg:
> +Input:
> +  [ 1,
> +true,
> +3 ]
> +The above input is not a valid QMP message and produces the following
> error
> +"QMP message is not a JSON object."
> +When displaying this in TUI in multiline mode we get
> +
> +[ 1,
> +  true,
> +  3 ]: QMP message is not a JSON object.
> +
> +whereas in singleline mode we get the following
> +
> +[1, true, 3]: QMP message is not a JSON object.
> +
> +The single line mode is more asthetically pleasing.
> +
> +:param msg:
> +The message to formatted into single line.
> +
> +:return: Formatted singleline message.
> +
> +NOTE: We cannot use the JSON module here because it is only capable of
> +format valid JSON messages. But here the goal is to also format
> invalid
> +JSON messages.
> +"""
> +msg = msg.replace('\n', '')
> +words = msg.split(' ')
> +words = [word for word in words if word != '']
> +return ' '.join(words)
> +
> +
> +def has_tui_handler(logger: logging.Logger,
> +handler_type: Type[Handler]) -> bool:
> +"""
> +The Logger class has no interface to check if a certain type of
> handler is
> +installed or not. So we provide an interface to do so.
> +
> +:param logger:
> +Logger object
> +:param handler_type:
> +The type of the handler to be checked.
> +
> +:return: returns True if handler of type `handler_type` is installed
> else
> + False.
> +"""
> +handlers = logger.handlers
> +for handler in handlers:
> +if isinstance(handler, handler_type):
> +return True
> +return False
> +
> +
> +class App(QMPClient):
> +"""
> +Implements the AQMP TUI.
> +
> +Initializes the widgets and starts the urwid event loop.
> +"""
> +def __init__(self, address: Union[str, Tuple[str, int]]) -> None:
> +"""
> +Initializes the TUI.
> +
> +:param address:
> +Address of the server to connect to.
> +"""
> +urwid.register_signal(type(self), UPDATE_MSG)
> +self.window = Window(self)
> +self.address = address
> +self.aloop: Optional[asyncio.AbstractEventLoop] = None
> +super().__init__()
> +
> +def add_to_history(self, msg: str, level: Optional[str] = None) ->
> None:
> +"""
> +Appends the msg to the history list.
> +
> +:param msg:
> +The raw message to be appended in string type.
> +"""
> +urwid.emit_signal(self, UPDATE_MSG, msg, level)
> +
> +def _cb_outbound(self, msg: Message) -> Message:
> +"""
> +Callback: outbound message hook.
> +
> +Appends the outgoing messages to the history box.
> +
> +:param msg: raw 

[PATCH v2 6/8] target/arm: Assert thumb pc is aligned

2021-08-21 Thread Richard Henderson
Misaligned thumb PC is architecturally impossible.
Assert is better than proceeding, in case we've missed
something somewhere.

Expand a comment about aligning the pc in gdbstub.
Fail an incoming migrate if a thumb pc is misaligned.

Signed-off-by: Richard Henderson 
---
 target/arm/gdbstub.c   | 9 +++--
 target/arm/machine.c   | 9 +
 target/arm/translate.c | 3 +++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index 826601b341..a54b42418b 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -76,8 +76,13 @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t 
*mem_buf, int n)
 
 tmp = ldl_p(mem_buf);
 
-/* Mask out low bit of PC to workaround gdb bugs.  This will probably
-   cause problems if we ever implement the Jazelle DBX extensions.  */
+/*
+ * Mask out low bits of PC to workaround gdb bugs.
+ * This avoids an assert in thumb_tr_translate_insn, because it is
+ * architecturally impossible to misalign the pc.
+ * This will probably cause problems if we ever implement the
+ * Jazelle DBX extensions.
+ */
 if (n == 15) {
 tmp &= ~1;
 }
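Review bot: The rewritten comment says "Mask out low bits of PC" but the code still clears only bit 0 (`tmp &= ~1;`), so the plural overstates what happens; either keep the singular `Mask out low bit of PC` or state that only bit 0 is cleared because that is the bit thumb_tr_translate_insn asserts on. A pc written here with bit 1 set in ARM state now reaches the new pc-alignment fault path instead of an assert, which looks intended from the rest of the series, and one sentence saying so would spare the next reader a detour. arm_cpu_gdb_write_register starts outside the hunk.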
diff --git a/target/arm/machine.c b/target/arm/machine.c
index 81e30de824..b5004a67e9 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -781,6 +781,15 @@ static int cpu_post_load(void *opaque, int version_id)
 hw_breakpoint_update_all(cpu);
 hw_watchpoint_update_all(cpu);
 
+/*
+ * Misaligned thumb pc is architecturally impossible.
+ * We have an assert in thumb_tr_translate_insn to verify this.
+ * Fail an incoming migrate to avoid this assert.
+ */
+if (!is_a64(env) && env->thumb && (env->regs[15] & 1)) {
+return -1;
+}
+
 if (!kvm_enabled()) {
 pmu_op_finish(>env);
 }
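Review bot: The new check returns -1 with no diagnostic, so an incoming migration refused here surfaces only as a generic load failure with nothing pointing at the thumb pc. Whether the other `return -1` paths in cpu_post_load report anything is not visible here, but an `error_report("thumb pc 0x%x is misaligned", env->regs[15]);` (or a qemu_log_mask(LOG_GUEST_ERROR, ...) if a quieter channel is preferred) before the return would make the refused stream debuggable. A note that the check is deliberately limited to bit 0 in thumb state, because an ARM-state pc with bit 1 set is handled by the alignment fault rather than an assert, would also help. cpu_post_load starts outside the hunk.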
diff --git a/target/arm/translate.c b/target/arm/translate.c
index dfeaa2321d..a93ea3c47c 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -9595,6 +9595,9 @@ static void thumb_tr_translate_insn(DisasContextBase 
*dcbase, CPUState *cpu)
 uint32_t insn;
 bool is_16bit;
 
+/* Misaligned thumb PC is architecturally impossible. */
+assert((dc->base.pc_next & 1) == 0);
+
 if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
 dc->base.pc_next += 2;
 return;
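Review bot: The assert turns every path that can write a thumb pc into a potential QEMU abort, and this series only covers gdbstub and migration; as far as I can tell the linux-user sigreturn path, which restores regs[15] from a signal frame the guest can rewrite, is not touched, so unless it already clears bit 0 (not visible here) a guest could crash the emulator instead of receiving a signal. Please confirm that path, and spell the dependency out next to the assert, e.g. `/* Every writer of a thumb pc (branches, gdbstub, migration, sigreturn) must clear bit 0. */`. thumb_tr_translate_insn continues outside the hunk.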
-- 
2.25.1




[PATCH v2 7/8] target/arm: Suppress bp for exceptions with more priority

2021-08-21 Thread Richard Henderson
Both single-step and pc alignment faults have priority over
breakpoint exceptions.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
 target/arm/debug_helper.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index 2983e36dd3..32f3caec23 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -220,6 +220,7 @@ bool arm_debug_check_breakpoint(CPUState *cs)
 {
 ARMCPU *cpu = ARM_CPU(cs);
 CPUARMState *env = >env;
+target_ulong pc;
 int n;
 
 /*
@@ -231,6 +232,28 @@ bool arm_debug_check_breakpoint(CPUState *cs)
 return false;
 }
 
+/*
+ * Single-step exceptions have priority over breakpoint exceptions.
+ * If single-step state is active-pending, suppress the bp.
+ */
+if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
+return false;
+}
+
+/*
+ * PC alignment faults have priority over breakpoint exceptions.
+ */
+pc = is_a64(env) ? env->pc : env->regs[15];
+if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
+return false;
+}
+
+/*
+ * Instruction aborts have priority over breakpoint exceptions.
+ * TODO: We would need to look up the page for PC and verify that
+ * it is present and executable.
+ */
+
 for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
 if (bp_wp_matches(cpu, n, false)) {
 return true;
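Review bot: The alignment check skips thumb state without saying why, and a reader could take that as an oversight rather than a choice: a thumb pc only needs 2-byte alignment, and bit 0 being clear is asserted in thumb_tr_translate_insn in this same series, so there is no alignment fault to give priority to. Suggest extending the comment to `PC alignment faults have priority over breakpoint exceptions. Thumb is excluded: it needs only 2-byte alignment and a misaligned thumb pc cannot occur.` arm_debug_check_breakpoint starts outside the hunk.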
-- 
2.25.1




[PATCH v2 5/8] target/arm: Take an exception if PC is misaligned

2021-08-21 Thread Richard Henderson
For A64, any input to an indirect branch can cause this.

For A32, many indirect branch paths force the branch to be aligned,
but BXWritePC does not.  This includes the BX instruction but also
other interworking changes to PC.  Prior to v8, this case is UNDEFINED.
With v8, this is CONSTRAINED UNPREDICTABLE and may either raise an
exception or force align the PC.

We choose to raise an exception because we have the infrastructure,
it makes the generated code for gen_bx simpler, and it has the
possibility of catching more guest bugs.

Signed-off-by: Richard Henderson 
---
 target/arm/helper.h|  1 +
 target/arm/syndrome.h  |  5 +
 target/arm/tlb_helper.c| 24 +++
 target/arm/translate-a64.c | 21 ++--
 target/arm/translate.c | 39 +++---
 5 files changed, 81 insertions(+), 9 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index 248569b0cd..d629ee6859 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -47,6 +47,7 @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE,
 DEF_HELPER_2(exception_internal, void, env, i32)
 DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32)
 DEF_HELPER_2(exception_bkpt_insn, void, env, i32)
+DEF_HELPER_2(exception_pc_alignment, noreturn, env, tl)
 DEF_HELPER_1(setend, void, env)
 DEF_HELPER_2(wfi, void, env, i32)
 DEF_HELPER_1(wfe, void, env)
diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index 54d135897b..e9d97fac6e 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -275,4 +275,9 @@ static inline uint32_t syn_illegalstate(void)
 return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
 }
 
+static inline uint32_t syn_pcalignment(void)
+{
+return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
+}
+
 #endif /* TARGET_ARM_SYNDROME_H */
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index 3107f9823e..25c422976e 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -9,6 +9,7 @@
 #include "cpu.h"
 #include "internals.h"
 #include "exec/exec-all.h"
+#include "exec/helper-proto.h"
 
 static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
 unsigned int target_el,
@@ -123,6 +124,29 @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
 arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, );
 }
 
+void helper_exception_pc_alignment(CPUARMState *env, target_ulong pc)
+{
+int target_el = exception_target_el(env);
+
+if (target_el == 2 || arm_el_is_aa64(env, target_el)) {
+/*
+ * To aarch64 and aarch32 el2, pc alignment has a
+ * special exception class.
+ */
+env->exception.vaddress = pc;
+env->exception.fsr = 0;
+raise_exception(env, EXCP_PREFETCH_ABORT, syn_pcalignment(), 
target_el);
+} else {
+/*
+ * To aarch32 el1, pc alignment is like data alignment
+ * except with a prefetch abort.
+ */
+ARMMMUFaultInfo fi = { .type = ARMFault_Alignment };
+arm_deliver_fault(env_archcpu(env), pc, MMU_INST_FETCH,
+  cpu_mmu_index(env, true), );
+}
+}
+
 #if !defined(CONFIG_USER_ONLY)
 
 /*
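Review bot: helper_exception_pc_alignment has no header comment even though helper.h in this series declares it `noreturn` and its two arms deliver the fault differently; a reader needs to know the branch is on the target EL, not on the current execution state. Suggest, above the function, `/* Raise the PC-alignment fault for a fetch at @pc. AArch64 and AArch32 EL2 get EC_PCALIGNMENT directly; AArch32 EL1 gets a prefetch abort with an alignment FSR. Does not return. */`. `env->exception.fsr = 0` in the first arm is easy to read as a bug; if it only matters for an AArch32 EL2 target, as it appears, a word on that would help.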
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 333bc836b2..39c2fb8c7e 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -14752,8 +14752,10 @@ static void aarch64_tr_translate_insn(DisasContextBase 
*dcbase, CPUState *cpu)
 {
 DisasContext *s = container_of(dcbase, DisasContext, base);
 CPUARMState *env = cpu->env_ptr;
+uint64_t pc = s->base.pc_next;
 uint32_t insn;
 
+/* Singlestep exceptions have the highest priority. */
 if (s->ss_active && !s->pstate_ss) {
 /* Singlestep state is Active-pending.
  * If we're in this state at the start of a TB then either
@@ -14768,13 +14770,28 @@ static void 
aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 assert(s->base.num_insns == 1);
 gen_swstep_exception(s, 0, 0);
 s->base.is_jmp = DISAS_NORETURN;
+s->base.pc_next = pc + 4;
 return;
 }
 
-s->pc_curr = s->base.pc_next;
+if (pc & 3) {
+/*
+ * PC alignment fault.  This has priority over the instruction abort
+ * that we would receive from a translation fault via arm_ldl_code.
+ * This should only be possible after an indirect branch, at the
+ * start of the TB.
+ */
+assert(s->base.num_insns == 1);
+gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
+s->base.is_jmp = DISAS_NORETURN;
+s->base.pc_next = QEMU_ALIGN_UP(pc, 4);
+return;
+}
+
+s->pc_curr = pc;
 insn = arm_ldl_code(env, s->base.pc_next, s->sctlr_b);
 s->insn = insn;
-s->base.pc_next += 4;
+s->base.pc_next = pc + 4;
 
 s->fp_access_checked = false;
 s->sve_access_checked = 
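Review bot: The alignment-fault path calls gen_helper_exception_pc_alignment without syncing pc to env->pc first, unlike gen_exception_insn, so correct ELR/vaddress reporting relies on env->pc already holding the value; that holds when the TB was entered through the indirect-branch lookup, which the `num_insns == 1` assert and the comment imply but never state. Suggest adding to the comment `env->pc is already current here because the TB was entered via an indirect branch, so no gen_a64_set_pc_im is needed.` The single-step path also newly advances `s->base.pc_next = pc + 4;` where it previously returned without advancing, and the commit message does not say why (presumably so the TB has non-zero size); a one-line comment there would help. aarch64_tr_translate_insn continues outside the hunk.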

[PATCH v2 4/8] linux-user/arm: Report SIGBUS and SIGSEGV correctly

2021-08-21 Thread Richard Henderson
Pull the fault information from where we placed it, in
arm_cpu_tlb_fill and arm_cpu_do_unaligned_access.

Signed-off-by: Richard Henderson 
---
Pulled out from the larger unaligned data patch set.
For short-form FSC, pc misalignment is reported in the same way.
---
 linux-user/arm/cpu_loop.c | 39 ++-
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c
index d4b4f0c71f..5731d3c937 100644
--- a/linux-user/arm/cpu_loop.c
+++ b/linux-user/arm/cpu_loop.c
@@ -24,6 +24,7 @@
 #include "cpu_loop-common.h"
 #include "signal-common.h"
 #include "semihosting/common-semi.h"
+#include "target/arm/syndrome.h"
 
 #define get_user_code_u32(x, gaddr, env)\
 ({ abi_long __r = get_user_u32((x), (gaddr));   \
@@ -279,8 +280,8 @@ static bool emulate_arm_fpa11(CPUARMState *env, uint32_t 
opcode)
 void cpu_loop(CPUARMState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr;
-unsigned int n, insn;
+int trapnr, si_signo, si_code;
+unsigned int n, insn, ec, fsc;
 abi_ulong ret;
 
 for(;;) {
@@ -422,9 +423,37 @@ void cpu_loop(CPUARMState *env)
 break;
 case EXCP_PREFETCH_ABORT:
 case EXCP_DATA_ABORT:
-/* XXX: check env->error_code */
-force_sig_fault(TARGET_SIGSEGV, TARGET_SEGV_MAPERR,
-env->exception.vaddress);
+/*
+ * For user-only we don't set TTBCR_EAE, so we always get
+ * short-form FSC, which then tells us to look at the FSR.
+ */
+ec = syn_get_ec(env->exception.syndrome);
+assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
+fsc = extract32(env->exception.syndrome, 0, 6);
+assert(fsc == 0x3f);
+switch (env->exception.fsr & 0x1f) {
+case 0x1: /* Alignment */
+si_signo = TARGET_SIGBUS;
+si_code = TARGET_BUS_ADRALN;
+break;
+case 0x3: /* Access flag fault, level 1 */
+case 0x6: /* Access flag fault, level 2 */
+case 0x9: /* Domain fault, level 1 */
+case 0xb: /* Domain fault, level 2 */
+case 0xd: /* Permision fault, level 1 */
+case 0xf: /* Permision fault, level 2 */
+si_signo = TARGET_SIGSEGV;
+si_code = TARGET_SEGV_ACCERR;
+break;
+case 0x5: /* Translation fault, level 1 */
+case 0x7: /* Translation fault, level 2 */
+si_signo = TARGET_SIGSEGV;
+si_code = TARGET_SEGV_MAPERR;
+break;
+default:
+g_assert_not_reached();
+}
+force_sig_fault(si_signo, si_code, env->exception.vaddress);
 break;
 case EXCP_DEBUG:
 case EXCP_BKPT:
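Review bot: The switch masks the FSR with `0x1f`, but in the short-descriptor FSR layout bits [3:0] are FS[3:0], bit 10 is FS[4] and bits [7:4] are the domain, so the mask keeps bit 4 of the domain field rather than FS[4]; every case listed fits in four bits, which suggests `env->exception.fsr & 0xf` was meant (or a proper extract of FS[3:0] plus bit 10). It works only while the domain is zero for user-only faults, which looks true but is not visible here, so that assumption deserves at least a comment. Also `Permision` on the two comment lines should be `Permission`. The enclosing switch continues outside the hunk.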
-- 
2.25.1




[PATCH v2 2/8] target/arm: Merge disas_a64_insn into aarch64_tr_translate_insn

2021-08-21 Thread Richard Henderson
It is confusing to have different exits from translation
for various conditions in separate functions.

Merge disas_a64_insn into its only caller.  Standardize
on the "s" name for the DisasContext, as the code from
disas_a64_insn had more instances.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
 target/arm/translate-a64.c | 224 ++---
 1 file changed, 109 insertions(+), 115 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 230cc8d83b..333bc836b2 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -14649,113 +14649,6 @@ static bool btype_destination_ok(uint32_t insn, bool 
bt, int btype)
 return false;
 }
 
-/* C3.1 A64 instruction index by encoding */
-static void disas_a64_insn(CPUARMState *env, DisasContext *s)
-{
-uint32_t insn;
-
-s->pc_curr = s->base.pc_next;
-insn = arm_ldl_code(env, s->base.pc_next, s->sctlr_b);
-s->insn = insn;
-s->base.pc_next += 4;
-
-s->fp_access_checked = false;
-s->sve_access_checked = false;
-
-if (s->pstate_il) {
-/*
- * Illegal execution state. This has priority over BTI
- * exceptions, but comes after instruction abort exceptions.
- */
-gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-   syn_illegalstate(), default_exception_el(s));
-return;
-}
-
-if (dc_isar_feature(aa64_bti, s)) {
-if (s->base.num_insns == 1) {
-/*
- * At the first insn of the TB, compute s->guarded_page.
- * We delayed computing this until successfully reading
- * the first insn of the TB, above.  This (mostly) ensures
- * that the softmmu tlb entry has been populated, and the
- * page table GP bit is available.
- *
- * Note that we need to compute this even if btype == 0,
- * because this value is used for BR instructions later
- * where ENV is not available.
- */
-s->guarded_page = is_guarded_page(env, s);
-
-/* First insn can have btype set to non-zero.  */
-tcg_debug_assert(s->btype >= 0);
-
-/*
- * Note that the Branch Target Exception has fairly high
- * priority -- below debugging exceptions but above most
- * everything else.  This allows us to handle this now
- * instead of waiting until the insn is otherwise decoded.
- */
-if (s->btype != 0
-&& s->guarded_page
-&& !btype_destination_ok(insn, s->bt, s->btype)) {
-gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-   syn_btitrap(s->btype),
-   default_exception_el(s));
-return;
-}
-} else {
-/* Not the first insn: btype must be 0.  */
-tcg_debug_assert(s->btype == 0);
-}
-}
-
-switch (extract32(insn, 25, 4)) {
-case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
-unallocated_encoding(s);
-break;
-case 0x2:
-if (!dc_isar_feature(aa64_sve, s) || !disas_sve(s, insn)) {
-unallocated_encoding(s);
-}
-break;
-case 0x8: case 0x9: /* Data processing - immediate */
-disas_data_proc_imm(s, insn);
-break;
-case 0xa: case 0xb: /* Branch, exception generation and system insns */
-disas_b_exc_sys(s, insn);
-break;
-case 0x4:
-case 0x6:
-case 0xc:
-case 0xe:  /* Loads and stores */
-disas_ldst(s, insn);
-break;
-case 0x5:
-case 0xd:  /* Data processing - register */
-disas_data_proc_reg(s, insn);
-break;
-case 0x7:
-case 0xf:  /* Data processing - SIMD and floating point */
-disas_data_proc_simd_fp(s, insn);
-break;
-default:
-assert(FALSE); /* all 15 cases should be handled above */
-break;
-}
-
-/* if we allocated any temporaries, free them here */
-free_tmp_a64(s);
-
-/*
- * After execution of most insns, btype is reset to 0.
- * Note that we set btype == -1 when the insn sets btype.
- */
-if (s->btype > 0 && s->base.is_jmp != DISAS_NORETURN) {
-reset_btype(s);
-}
-}
-
 static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
   CPUState *cpu)
 {
@@ -14857,10 +14750,11 @@ static void aarch64_tr_insn_start(DisasContextBase 
*dcbase, CPUState *cpu)
 
 static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
-DisasContext *dc = container_of(dcbase, DisasContext, base);
+DisasContext *s = container_of(dcbase, DisasContext, base);
 CPUARMState *env = cpu->env_ptr;
+uint32_t insn;
 
-if (dc->ss_active && !dc->pstate_ss) {
+if (s->ss_active && !s->pstate_ss) {

[PATCH v2 3/8] linux-user/aarch64: Handle EC_PCALIGNMENT

2021-08-21 Thread Richard Henderson
This will shortly be raised for execution with a misaligned pc.

Signed-off-by: Richard Henderson 
---
 linux-user/aarch64/cpu_loop.c | 44 +--
 1 file changed, 27 insertions(+), 17 deletions(-)

diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index 11e34cb100..6e03afb2bd 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -78,7 +78,7 @@
 void cpu_loop(CPUARMState *env)
 {
 CPUState *cs = env_cpu(env);
-int trapnr, ec, fsc, si_code;
+int trapnr, ec, fsc, si_sig, si_code;
 abi_long ret;
 
 for (;;) {
@@ -112,28 +112,38 @@ void cpu_loop(CPUARMState *env)
 break;
 case EXCP_PREFETCH_ABORT:
 case EXCP_DATA_ABORT:
-/* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
 ec = syn_get_ec(env->exception.syndrome);
-assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
-
-/* Both EC have the same format for FSC, or close enough. */
-fsc = extract32(env->exception.syndrome, 0, 6);
-switch (fsc) {
-case 0x04 ... 0x07: /* Translation fault, level {0-3} */
-si_code = TARGET_SEGV_MAPERR;
+switch (ec) {
+case EC_DATAABORT:
+case EC_INSNABORT:
+/* Both EC have the same format for FSC, or close enough. */
+fsc = extract32(env->exception.syndrome, 0, 6);
+switch (fsc) {
+case 0x04 ... 0x07: /* Translation fault, level {0-3} */
+si_sig = TARGET_SIGSEGV;
+si_code = TARGET_SEGV_MAPERR;
+break;
+case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
+case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
+si_sig = TARGET_SIGSEGV;
+si_code = TARGET_SEGV_ACCERR;
+break;
+case 0x11: /* Synchronous Tag Check Fault */
+si_sig = TARGET_SIGSEGV;
+si_code = TARGET_SEGV_MTESERR;
+break;
+default:
+g_assert_not_reached();
+}
 break;
-case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
-case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
-si_code = TARGET_SEGV_ACCERR;
-break;
-case 0x11: /* Synchronous Tag Check Fault */
-si_code = TARGET_SEGV_MTESERR;
+case EC_PCALIGNMENT:
+si_sig = TARGET_SIGBUS;
+si_code = TARGET_BUS_ADRALN;
 break;
 default:
 g_assert_not_reached();
 }
-
-force_sig_fault(TARGET_SIGSEGV, si_code, env->exception.vaddress);
+force_sig_fault(si_sig, si_code, env->exception.vaddress);
 break;
 case EXCP_DEBUG:
 case EXCP_BKPT:
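Review bot: Naming: the signal variable introduced here is `si_sig`, while the parallel change to linux-user/arm/cpu_loop.c in the same series uses `si_signo`, matching the siginfo field; `int trapnr, ec, fsc, si_signo, si_code;` would keep the two loops consistent and grep-able. The EC_PCALIGNMENT arm relies on the helper having stored the faulting pc in `env->exception.vaddress`, which patch 5 does, and a comment such as `/* vaddress holds the misaligned pc (see helper_exception_pc_alignment). */` would tie the two together. The enclosing switch continues outside the hunk.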
-- 
2.25.1




[PATCH v2 1/8] target/arm: Take an exception if PSTATE.IL is set

2021-08-21 Thread Richard Henderson
From: Peter Maydell 

In v8A, the PSTATE.IL bit is set for various kinds of illegal
exception return or mode-change attempts.  We already set PSTATE.IL
(or its AArch32 equivalent CPSR.IL) in all those cases, but we
weren't implementing the part of the behaviour where attempting to
execute an instruction with PSTATE.IL takes an immediate exception
with an appropriate syndrome value.

Add a new TB flags bit tracking PSTATE.IL/CPSR.IL, and generate code
to take an exception instead of whatever the instruction would have
been.

PSTATE.IL and CPSR.IL change only on exception entry, attempted
exception exit, and various AArch32 mode changes via cpsr_write().
These places generally already rebuild the hflags, so the only place
we need an extra rebuild_hflags call is in the illegal-return
codepath of the AArch64 exception_return helper.

Signed-off-by: Peter Maydell 
Message-Id: <20210817162118.24319-1-peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson 
[rth: Added missing returns; set IL bit in syndrome]
Signed-off-by: Richard Henderson 
---
 target/arm/cpu.h   |  1 +
 target/arm/syndrome.h  |  5 +
 target/arm/translate.h |  2 ++
 target/arm/helper-a64.c|  1 +
 target/arm/helper.c|  8 
 target/arm/translate-a64.c | 11 +++
 target/arm/translate.c | 21 +
 7 files changed, 49 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 9f0a5f84d5..be557bf5d8 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -3441,6 +3441,7 @@ FIELD(TBFLAG_ANY, FPEXC_EL, 8, 2)
 FIELD(TBFLAG_ANY, DEBUG_TARGET_EL, 10, 2)
 /* Memory operations require alignment: SCTLR_ELx.A or CCR.UNALIGN_TRP */
 FIELD(TBFLAG_ANY, ALIGN_MEM, 12, 1)
+FIELD(TBFLAG_ANY, PSTATE__IL, 13, 1)
 
 /*
  * Bit usage when in AArch32 state, both A- and M-profile.
diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index 39a31260f2..54d135897b 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -270,4 +270,9 @@ static inline uint32_t syn_wfx(int cv, int cond, int ti, 
bool is_16bit)
(cv << 24) | (cond << 20) | ti;
 }
 
+static inline uint32_t syn_illegalstate(void)
+{
+return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
+}
+
 #endif /* TARGET_ARM_SYNDROME_H */
diff --git a/target/arm/translate.h b/target/arm/translate.h
index 241596c5bd..af1b6fa03c 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -98,6 +98,8 @@ typedef struct DisasContext {
 bool hstr_active;
 /* True if memory operations require alignment */
 bool align_mem;
+/* True if PSTATE.IL is set */
+bool pstate_il;
 /*
  * >= 0, a copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI.
  *  < 0, set by the current instruction.
diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index 26f79f9141..19445b3c94 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -1071,6 +1071,7 @@ illegal_return:
 if (!arm_singlestep_active(env)) {
 env->pstate &= ~PSTATE_SS;
 }
+helper_rebuild_hflags_a64(env, cur_el);
 qemu_log_mask(LOG_GUEST_ERROR, "Illegal exception return at EL%d: "
   "resuming execution at 0x%" PRIx64 "\n", cur_el, env->pc);
 }
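Review bot: The added `helper_rebuild_hflags_a64(env, cur_el)` carries no comment saying why it is needed on this path alone; the commit message explains that PSTATE.IL is now cached in the TB flags and this is the one place that sets it without a rebuild, but that reasoning lives only in the log. Suggest `/* PSTATE.IL is presumably set just above and is cached in TB flags, so refresh them. */` on the line before the call, with the wording firmed up by whoever can see the lines above the label. The function containing illegal_return starts outside the hunk.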
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 155d8bf239..201ecf8c67 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -13408,6 +13408,10 @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState 
*env, int fp_el,
 DP_TBFLAG_A32(flags, HSTR_ACTIVE, 1);
 }
 
+if (env->uncached_cpsr & CPSR_IL) {
+DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
+}
+
 return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
 }
 
@@ -13502,6 +13506,10 @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState 
*env, int el, int fp_el,
 }
 }
 
+if (env->pstate & PSTATE_IL) {
+DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
+}
+
 if (cpu_isar_feature(aa64_mte, env_archcpu(env))) {
 /*
  * Set MTE_ACTIVE if any access may be Checked, and leave clear
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 422e2ac0c9..230cc8d83b 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -14662,6 +14662,16 @@ static void disas_a64_insn(CPUARMState *env, 
DisasContext *s)
 s->fp_access_checked = false;
 s->sve_access_checked = false;
 
+if (s->pstate_il) {
+/*
+ * Illegal execution state. This has priority over BTI
+ * exceptions, but comes after instruction abort exceptions.
+ */
+gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+   syn_illegalstate(), default_exception_el(s));
+return;
+}
+
 if (dc_isar_feature(aa64_bti, s)) {
 if (s->base.num_insns == 1) {
 /*
@@ -14780,6 +14790,7 @@ static void 
aarch64_tr_init_disas_context(DisasContextBase *dcbase,
 #endif
 dc->fp_excp_el = EX_TBFLAG_ANY(tb_flags, FPEXC_EL);
 dc->align_mem = 

[PATCH v2 0/8] target/arm: Fix insn exception priorities

2021-08-21 Thread Richard Henderson
Raise pc alignment faults.
Fix single-step and pc-align priority over breakpoints.
Not yet fixing insn abort priority over breakpoints.

Based-on: 20210813131809.28655-1-peter.mayd...@linaro.org
("linux-user: Clean up siginfo_t handling for arm, aarch64")

Changes for v2:
  * Handle the exceptions in cpu_loop.
  * Fix how the instruction is raised for aa32 el1.
  * Add pc alignment test cases.


r~


Peter Maydell (1):
  target/arm: Take an exception if PSTATE.IL is set

Richard Henderson (7):
  target/arm: Merge disas_a64_insn into aarch64_tr_translate_insn
  linux-user/aarch64: Handle EC_PCALIGNMENT
  linux-user/arm: Report SIGBUS and SIGSEGV correctly
  target/arm: Take an exception if PC is misaligned
  target/arm: Assert thumb pc is aligned
  target/arm: Suppress bp for exceptions with more priority
  tests/tcg: Add arm and aarch64 pc alignment tests

 target/arm/cpu.h  |   1 +
 target/arm/helper.h   |   1 +
 target/arm/syndrome.h |  10 ++
 target/arm/translate.h|   2 +
 linux-user/aarch64/cpu_loop.c |  44 +++--
 linux-user/arm/cpu_loop.c |  39 -
 target/arm/debug_helper.c |  23 +++
 target/arm/gdbstub.c  |   9 +-
 target/arm/helper-a64.c   |   1 +
 target/arm/helper.c   |   8 +
 target/arm/machine.c  |   9 +
 target/arm/tlb_helper.c   |  24 +++
 target/arm/translate-a64.c| 276 --
 target/arm/translate.c|  63 ++-
 tests/tcg/aarch64/pcalign-a64.c   |  37 
 tests/tcg/arm/pcalign-a32.c   |  46 +
 tests/tcg/aarch64/Makefile.target |   4 +-
 tests/tcg/arm/Makefile.target |   4 +
 18 files changed, 441 insertions(+), 160 deletions(-)
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c

-- 
2.25.1




Re: [PATCH v4 2/7] python: Add dependencies for AQMP TUI

2021-08-21 Thread John Snow
On Thu, Aug 19, 2021 at 1:39 PM G S Niteesh Babu 
wrote:

> Added dependencies for the upcoming AQMP TUI under the optional
> 'tui' group.
>
> The same dependencies have also been added under the devel group
> since no workaround has been found for optional groups to imply
> other optional groups.
>
> Signed-off-by: G S Niteesh Babu 
>

Reviewed-by: John Snow 


Re: [PATCH] target/arm: Take an exception if PSTATE.IL is set

2021-08-21 Thread Peter Maydell
On Sat, 21 Aug 2021 at 19:59, Richard Henderson
 wrote:
>
> > +static inline uint32_t syn_illegalstate(void)
> > +{
> > +return EC_ILLEGALSTATE << ARM_EL_EC_SHIFT;
> > +}
>
> I just noticed this should have the IL bit set.

Yep. (I remembered about that for the BXJ trap in the other patch,
but I wrote this one first and didn't remember it then...)

-- PMM



[PATCH 1/1] python: Update for pylint 2.10

2021-08-21 Thread John Snow
A few new annoyances. Of note is the new warning for an unspecified
encoding when opening a text file, which actually does indicate a
potentially real problem; see
https://www.python.org/dev/peps/pep-0597/#motivation

I was under the impression that open would try to figure out the
encoding of a file for you -- apparently this is completely false. It
uses the platform's preferred encoding, whatever that may be.

What we ought to use here, I believe, is sys.stderr.encoding.

Signed-off-by: John Snow 
---
 python/qemu/machine/machine.py | 6 --
 python/setup.cfg   | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/qemu/machine/machine.py b/python/qemu/machine/machine.py
index 971ed7e8c6..1f47fc5a2b 100644
--- a/python/qemu/machine/machine.py
+++ b/python/qemu/machine/machine.py
@@ -25,6 +25,7 @@
 import signal
 import socket
 import subprocess
+import sys
 import tempfile
 from types import TracebackType
 from typing import (
@@ -284,7 +285,8 @@ def get_pid(self) -> Optional[int]:
 
 def _load_io_log(self) -> None:
 if self._qemu_log_path is not None:
-with open(self._qemu_log_path, "r") as iolog:
+with open(self._qemu_log_path, "r",
+  encoding=sys.stdout.encoding) as iolog:
 self._iolog = iolog.read()
 
 @property
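Review bot: The code passes `encoding=sys.stdout.encoding` while the commit message argues for `sys.stderr.encoding`; one of the two should change so the rationale and the code agree. Either attribute can also be `None` when the stream has been replaced (pytest capture, an embedding that swaps sys.stdout), in which case `open()` silently falls back to the platform default that PEP 597 warns about; the log is presumably produced by the QEMU child rather than by our console, so a fixed `encoding='utf-8', errors='replace'` would be both deterministic and safe against undecodable bytes. The enclosing class starts outside the hunk.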
@@ -565,7 +567,7 @@ def _qmp(self) -> QEMUMonitorProtocol:
 
 @classmethod
 def _qmp_args(cls, _conv_keys: bool = True, **args: Any) -> Dict[str, Any]:
-qmp_args = dict()
+qmp_args = {}
 for key, value in args.items():
 if _conv_keys:
 qmp_args[key.replace('_', '-')] = value
diff --git a/python/setup.cfg b/python/setup.cfg
index 14bab90288..f220419755 100644
--- a/python/setup.cfg
+++ b/python/setup.cfg
@@ -104,6 +104,7 @@ good-names=i,
 [pylint.similarities]
 # Ignore imports when computing similarities.
 ignore-imports=yes
+ignore-signatures=yes
 
 [isort]
 force_grid_wrap=4
-- 
2.31.1




[PATCH 0/1] Update check-python-tox test for pylint 2.10

2021-08-21 Thread John Snow
The 'check-python-tox' CI test will probably start showing warnings
without this. This can go into the next release, just ignore the CI
warning until the tree opens.

John Snow (1):
  python: Update for pylint 2.10

 python/qemu/machine/machine.py | 6 --
 python/setup.cfg   | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

-- 
2.31.1





Re: [PATCH] target/arm: Take an exception if PSTATE.IL is set

2021-08-21 Thread Richard Henderson
> +static inline uint32_t syn_illegalstate(void)
> +{
> +return EC_ILLEGALSTATE << ARM_EL_EC_SHIFT;
> +}

I just noticed this should have the IL bit set.


r~



Re: [For 6.1 PATCH] hw/arm: xilinx_zynq: Disconnect the UART clocks temporarily

2021-08-21 Thread Peter Maydell
On Sat, 21 Aug 2021 at 16:45, Bin Meng  wrote:
>
> As of today, when booting upstream U-Boot for Xilinx Zynq, the UART
> does not receive anything. Initial debugging shows that the UART clock
> frequency is 0 somehow which prevents the UART from receiving anything.
> Note the U-Boot can still output data to the UART tx fifo, which should
> not happen, as the design seems to prevent the data transmission when
> clock is not enabled but somehow it only applies to the Rx side.
>
> For anyone who is interested to give a try, here is the U-Boot defconfig:
> $ make xilinx_zynq_virt_defconfig
>
> and QEMU commands to test U-Boot:
> $ qemu-system-arm -M xilinx-zynq-a9 -m 1G -display none -serial null -serial 
> stdio \
> -device loader,file=u-boot-dtb.bin,addr=0x400,cpu-num=0
>
> Note U-Boot used to boot properly in QEMU 4.2.0 which is the QEMU
> version used in current U-Boot's CI testing. The UART clock changes
> were introduced by the following 3 commits:
>
> 38867cb7ec90 ("hw/misc/zynq_slcr: add clock generation for uarts")
> b636db306e06 ("hw/char/cadence_uart: add clock support")
> 5b49a34c6800 ("hw/arm/xilinx_zynq: connect uart clocks to slcr")
>
> Looks like we don't have enough time to figure out a proper fix before
> 6.1.0 release date, let's disconnect the UART clocks temporarily.

This is too late for 6.1 regardless, I'm afraid.

thanks
-- PMM



Re: [PATCH v2 0/5] target/mips: Replace TARGET_WORDS_BIGENDIAN by cpu_is_bigendian()

2021-08-21 Thread Philippe Mathieu-Daudé
On 8/18/21 11:55 PM, Philippe Mathieu-Daudé wrote:
> MIPS CPU store its endianess in the CP0 Config0 register.
> Use that runtime information instead of #ifdef'ry checking
> TARGET_WORDS_BIGENDIAN by introducing the cpu_is_bigendian()
> helper.
> 
> Philippe Mathieu-Daudé (5):
>   target/mips: Call cpu_is_bigendian & inline GET_OFFSET in ld/st
> helpers
>   target/mips: Replace GET_LMASK() macro by get_lmask(32) function
>   target/mips: Replace GET_LMASK64() macro by get_lmask(64) function
>   target/mips: Store CP0_Config0 in DisasContext
>   target/mips: Replace TARGET_WORDS_BIGENDIAN by cpu_is_bigendian()

Thanks, applied to mips-next.




Re: [PATCH 0/8] target/mips: Housekeeping in gen_helper() macros

2021-08-21 Thread Philippe Mathieu-Daudé
On 8/17/21 4:52 PM, Richard Henderson wrote:
> On 8/16/21 10:50 AM, Philippe Mathieu-Daudé wrote:
>> Trivial patches:
>> - Remove unused macros
>> - Use tcg_constant_i32()
>> - Inline the macros when few uses
>> - Move macro definitions in translate.h
>>
>> Philippe Mathieu-Daudé (8):
>>    target/mips: Remove gen_helper_0e3i()
>>    target/mips: Remove gen_helper_1e2i()
>>    target/mips: Use tcg_constant_i32() in gen_helper_0e2i()
>>    target/mips: Simplify gen_helper() macros by using tcg_constant_i32()
>>    target/mips: Inline gen_helper_1e1i() call in op_ld_INSN() macros
>>    target/mips: Inline gen_helper_0e0i()
>>    target/mips: Use tcg_constant_i32() in generate_exception_err()
>>    target/mips: Define gen_helper() macros in translate.h
> 
> Reviewed-by: Richard Henderson 

Thanks, series applied to mips-next.



Re: [PATCH v2] net/colo: check vnet_hdr_support flag when using virtio-net

2021-08-21 Thread Lukas Straub
On Thu, 19 Aug 2021 09:27:17 +0800
Tao Xu  wrote:

> When only one vnet_hdr_support parameter is set across the COLO
> network filters (filter-mirror, filter-redirector or filter-rewriter)
> and colo-compare, packets will not be parsed correctly. Look up the
> network driver that COLO is attached to and, if it is virtio-net,
> check the vnet_hdr_support flag of the COLO network filters and
> colo-compare.
> 
> Signed-off-by: Tao Xu 
> Signed-off-by: Zhang Chen 
> ---
> 
> Changelog:
> v2:
>  Detect virtio-net driver and apply vnet_hdr_support
>  automatically. (Jason)
> ---
>  net/colo-compare.c| 57 +++
>  net/colo.c| 20 +++
>  net/colo.h|  4 +++
>  net/filter-mirror.c   | 21 
>  net/filter-rewriter.c | 10 
>  qapi/qom.json |  6 +
>  qemu-options.hx   |  6 +++--
>  7 files changed, 122 insertions(+), 2 deletions(-)
> 
> diff --git a/net/colo-compare.c b/net/colo-compare.c
> index b100e7b51f..870bd05a41 100644
> --- a/net/colo-compare.c
> +++ b/net/colo-compare.c
> @@ -110,6 +110,7 @@ struct CompareState {
>  char *sec_indev;
>  char *outdev;
>  char *notify_dev;
> +char *netdev;
>  CharBackend chr_pri_in;
>  CharBackend chr_sec_in;
>  CharBackend chr_out;
> @@ -838,6 +839,28 @@ static int compare_chr_can_read(void *opaque)
>  return COMPARE_READ_LEN_MAX;
>  }
>  
> +static int colo_set_default_netdev(void *opaque, QemuOpts *opts, Error 
> **errp)
> +{
> +const char *colo_obj_type, *netdev_from_filter;
> +char **netdev = (char **)opaque;
> +
> +colo_obj_type = qemu_opt_get(opts, "qom-type");
> +
> +if (colo_obj_type &&
> +(strcmp(colo_obj_type, "filter-mirror") == 0 ||
> + strcmp(colo_obj_type, "filter-redirector") == 0 ||
> + strcmp(colo_obj_type, "filter-rewriter") == 0)) {
> +netdev_from_filter = qemu_opt_get(opts, "netdev");
> +if (*netdev == NULL) {
> +*netdev = g_strdup(netdev_from_filter);
> +} else if (strcmp(*netdev, netdev_from_filter) != 0) {
> +warn_report("%s is using a different netdev from other COLO "
> +"component", colo_obj_type);
> +}
> +}
> +return 0;
> +}
> +

Hi,
This doesn't properly handle the case where there are multiple network
devices and one is virtio-net and the other isn't. This would be a
regression as this worked fine before.

>  /*
>   * Called from the main thread on the primary for packets
>   * arriving over the socket from the primary.
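Review bot: `qemu_opt_get(opts, "netdev")` can return NULL when a filter object was created without a netdev option, and `strcmp(*netdev, netdev_from_filter)` then dereferences NULL as soon as an earlier filter has already set `*netdev`; guard with `if (!netdev_from_filter) { return 0; }` before the comparison. The scan only walks the command-line `-object` option group, so filters created later through QMP object-add are presumably not seen, which is worth a comment if that limitation is accepted.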
> @@ -1050,6 +1073,21 @@ static void compare_set_vnet_hdr(Object *obj,
>  s->vnet_hdr = value;
>  }
>  
> +static char *compare_get_netdev(Object *obj, Error **errp)
> +{
> +CompareState *s = COLO_COMPARE(obj);
> +
> +return g_strdup(s->netdev);
> +}
> +
> +static void compare_set_netdev(Object *obj, const char *value, Error **errp)
> +{
> +CompareState *s = COLO_COMPARE(obj);
> +
> +g_free(s->netdev);
> +s->netdev = g_strdup(value);
> +}
> +
>  static char *compare_get_notify_dev(Object *obj, Error **errp)
>  {
>  CompareState *s = COLO_COMPARE(obj);
> @@ -1274,6 +1312,12 @@ static void colo_compare_complete(UserCreatable *uc, 
> Error **errp)
>  max_queue_size = MAX_QUEUE_SIZE;
>  }
>  
> +if (!s->netdev) {
> +/* Set default netdev as the first colo netfilter found */
> +qemu_opts_foreach(qemu_find_opts("object"),
> +  colo_set_default_netdev, >netdev, NULL);
> +}
> +
>  if (find_and_check_chardev(, s->pri_indev, errp) ||
>  !qemu_chr_fe_init(>chr_pri_in, chr, errp)) {
>  return;
> @@ -1289,6 +1333,16 @@ static void colo_compare_complete(UserCreatable *uc, 
> Error **errp)
>  return;
>  }
>  
> +if (!s->vnet_hdr &&
> +qemu_opts_foreach(qemu_find_opts("device"),
> +  vnet_driver_check, s->netdev, NULL)) {
> +/*
> + * colo compare needs 'vnet_hdr_support' when it works on virtio-net,
> + * add 'vnet_hdr_support' automatically
> + */
> +s->vnet_hdr = true;
> +}
> +

There is no way to disable vnet_hdr_support with virtio-net now.

>  net_socket_rs_init(>pri_rs, compare_pri_rs_finalize, s->vnet_hdr);
>  net_socket_rs_init(>sec_rs, compare_sec_rs_finalize, s->vnet_hdr);
>  
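Review bot: `s->netdev` is passed as the opaque to vnet_driver_check even when the default search in the earlier hunk found no COLO filter and left it NULL; vnet_driver_check lives in net/colo.c outside this view, so if it compares against each device's netdev option with strcmp() this is a NULL dereference at object completion. Suggest bailing out with a clear error once the search is done, e.g. `if (!s->netdev) { error_setg(errp, "colo-compare: no netdev given and none found on a COLO filter"); return; }` before the check. colo_compare_complete starts outside the hunk.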
> @@ -1400,6 +1454,9 @@ static void colo_compare_init(Object *obj)
>  s->vnet_hdr = false;
>  object_property_add_bool(obj, "vnet_hdr_support", compare_get_vnet_hdr,
>   compare_set_vnet_hdr);
> +/* colo compare can't varify that netdev is correct */
> +object_property_add_str(obj, "netdev", compare_get_netdev,
> +compare_set_netdev);
>  }
>  
>  void colo_compare_cleanup(void)
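Review bot: The comment `/* colo compare can't varify that netdev is correct */` has a typo and does not tell the reader what to conclude: is the property accepted unchecked because validation happens later in colo_compare_complete, or because no validation is possible? Suggest `/* Accepted without validation here; the netdev is only resolved in colo_compare_complete. */` if that is the intent, with "verify" spelled correctly in any case. colo_compare_init starts outside the hunk.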
> diff --git a/net/colo.c b/net/colo.c
> index 3a3e6e89a0..4a03780f45 100644
> --- a/net/colo.c
> +++ b/net/colo.c
> @@ -243,3 +243,23 @@ bool 

[For 6.1 PATCH] hw/arm: xilinx_zynq: Disconnect the UART clocks temporarily

2021-08-21 Thread Bin Meng
As of today, when booting upstream U-Boot for Xilinx Zynq, the UART
does not receive anything. Initial debugging shows that the UART clock
frequency is somehow 0, which prevents the UART from receiving anything.
Note that U-Boot can still write data to the UART TX FIFO, which should
not happen: the design appears to block transmission while the clock is
not enabled, yet somehow only the RX side is affected.

For anyone who is interested to give a try, here is the U-Boot defconfig:
$ make xilinx_zynq_virt_defconfig

and QEMU commands to test U-Boot:
$ qemu-system-arm -M xilinx-zynq-a9 -m 1G -display none -serial null -serial 
stdio \
-device loader,file=u-boot-dtb.bin,addr=0x400,cpu-num=0

Note U-Boot used to boot properly in QEMU 4.2.0 which is the QEMU
version used in current U-Boot's CI testing. The UART clock changes
were introduced by the following 3 commits:

38867cb7ec90 ("hw/misc/zynq_slcr: add clock generation for uarts")
b636db306e06 ("hw/char/cadence_uart: add clock support")
5b49a34c6800 ("hw/arm/xilinx_zynq: connect uart clocks to slcr")

Looks like we don't have enough time to figure out a proper fix before
6.1.0 release date, let's disconnect the UART clocks temporarily.

Signed-off-by: Bin Meng 

---

 hw/arm/xilinx_zynq.c | 4 
 1 file changed, 4 deletions(-)

diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
index 245af81bbb..1bc749f6b8 100644
--- a/hw/arm/xilinx_zynq.c
+++ b/hw/arm/xilinx_zynq.c
@@ -257,16 +257,12 @@ static void zynq_init(MachineState *machine)
 dev = qdev_new(TYPE_CADENCE_UART);
 busdev = SYS_BUS_DEVICE(dev);
 qdev_prop_set_chr(dev, "chardev", serial_hd(0));
-qdev_connect_clock_in(dev, "refclk",
-  qdev_get_clock_out(slcr, "uart0_ref_clk"));
 sysbus_realize_and_unref(busdev, _fatal);
 sysbus_mmio_map(busdev, 0, 0xE000);
 sysbus_connect_irq(busdev, 0, pic[59 - IRQ_OFFSET]);
 dev = qdev_new(TYPE_CADENCE_UART);
 busdev = SYS_BUS_DEVICE(dev);
 qdev_prop_set_chr(dev, "chardev", serial_hd(1));
-qdev_connect_clock_in(dev, "refclk",
-  qdev_get_clock_out(slcr, "uart1_ref_clk"));
 sysbus_realize_and_unref(busdev, _fatal);
 sysbus_mmio_map(busdev, 0, 0xE0001000);
 sysbus_connect_irq(busdev, 0, pic[82 - IRQ_OFFSET]);
-- 
2.25.1




[PATCH] hw/acpi/pcihp: validate bsel property of the bus before unplugging device

2021-08-21 Thread Ani Sinha
Bsel property of the pci bus indicates whether the bus supports acpi hotplug.
We need to validate the presence of this property before performing any hotplug
related callback operations. Currently validation of the existence of this
property was absent from acpi_pcihp_device_unplug_cb() function but is present
in other hotplug/unplug callback functions. Hence, this change adds the missing
check for the above function.

Signed-off-by: Ani Sinha 
---
 hw/acpi/pcihp.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index 0fd0c1d811..9982815a87 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -372,9 +372,15 @@ void acpi_pcihp_device_unplug_cb(HotplugHandler 
*hotplug_dev, AcpiPciHpState *s,
  DeviceState *dev, Error **errp)
 {
 PCIDevice *pdev = PCI_DEVICE(dev);
+int bsel = acpi_pcihp_get_bsel(pci_get_bus(pdev));
+
+trace_acpi_pci_unplug(PCI_SLOT(pdev->devfn), bsel);
 
-trace_acpi_pci_unplug(PCI_SLOT(pdev->devfn),
-  acpi_pcihp_get_bsel(pci_get_bus(pdev)));
+if (bsel < 0) {
+error_setg(errp, "Unsupported bus. Bus doesn't have property '"
+   ACPI_PCIHP_PROP_BSEL "' set");
+return;
+}
 
 /*
  * clean up acpi-index so it could reused by another device
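Review bot: The early `return` on `bsel < 0` leaves the device realized, and the remainder of acpi_pcihp_device_unplug_cb (the acpi-index cleanup whose comment begins at the end of the hunk, and whatever follows it) is outside the hunk, so a reader cannot see from here why refusing is the right outcome. Presumably a bus without the bsel property can never have been hot-plugged through this handler, so the guard is a consistency check rather than a path expected to be taken; a one-line comment would make that explicit: `/* A bus without bsel is not hot-pluggable, so there is nothing to unplug here */`. Tracing the slot before the check is fine, since a negative bsel then also shows up in the trace.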
-- 
2.25.1




[Bug 1905521] Re: assert issue locates in hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed

2021-08-21 Thread Thomas Huth
This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/552


** Changed in: qemu
   Status: Incomplete => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #552
   https://gitlab.com/qemu-project/qemu/-/issues/552

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905521

Title:
  assert issue locates in hw/scsi/lsi53c895a.c:624: lsi_do_dma:
  Assertion `s->current' failed

Status in QEMU:
  Expired

Bug description:
  Hello,

  I found an assertion failure in hw/scsi/lsi53c895a.c:624

  This was found in latest version 5.2.0.

  
  my reproduction environment is as follows:
  Host: ubuntu 18.04
  Guest: ubuntu 18.04


  QEMU boot command line:
  qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive 
format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:-:22 -display 
none -device lsi53c895a -trace lsi\*

  Backtrace is as follows:
  #0  0x7f845c6eff47 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x7f845c6f18b1 in __GI_abort () at abort.c:79
  #2  0x7f845c6e142a in __assert_fail_base (fmt=0x7f845c868a38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55a1034486a0 
"s->current", file=file@entry=0x55a103448360 "../hw/scsi/lsi53c895a.c", 
line=line@entry=624, function=function@entry=0x55a10344ae60 
<__PRETTY_FUNCTION__.31674> "lsi_do_dma") at assert.c:92
  #3  0x7f845c6e14a2 in __GI___assert_fail (assertion=0x55a1034486a0 
"s->current", file=0x55a103448360 "../hw/scsi/lsi53c895a.c", line=624, 
function=0x55a10344ae60 <__PRETTY_FUNCTION__.31674> "lsi_do_dma") at 
assert.c:101
  #4  0x55a102049c65 in lsi_do_dma (s=0x6260c100, out=1) at 
../hw/scsi/lsi53c895a.c:624
  #5  0x55a102051573 in lsi_execute_script (s=0x6260c100) at 
../hw/scsi/lsi53c895a.c:1250
  #6  0x55a10205b05d in lsi_reg_writeb (s=0x6260c100, offset=47, 
val=178 '\262') at ../hw/scsi/lsi53c895a.c:1984
  #7  0x55a10205fef8 in lsi_io_write (opaque=0x6260c100, addr=47, 
val=178, size=1) at ../hw/scsi/lsi53c895a.c:2146
  #8  0x55a102d1b791 in memory_region_write_accessor (mr=0x6260cbe0, 
addr=47, value=0x7f8349dfe2f8, size=1, shift=0, mask=255, attrs=...) at 
../softmmu/memory.c:484
  #9  0x55a102d1bba8 in access_with_adjusted_size (addr=47, 
value=0x7f8349dfe2f8, size=1, access_size_min=1, access_size_max=1, 
access_fn=0x55a102d1b4de , mr=0x6260cbe0, 
attrs=...) at ../softmmu/memory.c:545
  #10 0x55a102d261ef in memory_region_dispatch_write (mr=0x6260cbe0, 
addr=47, data=178, op=MO_8, attrs=...) at ../softmmu/memory.c:1494
  #11 0x55a102b57c3c in flatview_write_continue (fv=0x606ea920, 
addr=49199, attrs=..., ptr=0x7f8449efb000, len=1, addr1=47, l=1, 
mr=0x6260cbe0) at ../softmmu/physmem.c:2767
  #12 0x55a102b57f07 in flatview_write (fv=0x606ea920, addr=49199, 
attrs=..., buf=0x7f8449efb000, len=1) at ../softmmu/physmem.c:2807
  #13 0x55a102b587cb in address_space_write (as=0x55a105ebca80 
, addr=49199, attrs=..., buf=0x7f8449efb000, len=1) at 
../softmmu/physmem.c:2899
  #14 0x55a102b58878 in address_space_rw (as=0x55a105ebca80 
, addr=49199, attrs=..., buf=0x7f8449efb000, len=1, 
is_write=true) at ../softmmu/physmem.c:2909
  #15 0x55a102ad4d50 in kvm_handle_io (port=49199, attrs=..., 
data=0x7f8449efb000, direction=1, size=1, count=1) at 
../accel/kvm/kvm-all.c:2283
  #16 0x55a102ad6a0f in kvm_cpu_exec (cpu=0x62e00400) at 
../accel/kvm/kvm-all.c:2529
  #17 0x55a102c26fbb in kvm_vcpu_thread_fn (arg=0x62e00400) at 
../accel/kvm/kvm-cpus.c:49
  #18 0x55a1032c08f8 in qemu_thread_start (args=0x60382780) at 
../util/qemu-thread-posix.c:521
  #19 0x7f845caa96db in start_thread (arg=0x7f8349dff700) at 
pthread_create.c:463
  #20 0x7f845c7d2a3f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

  
  The poc is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905521/+subscriptions




Re: [PATCH] softmmu/physmem: Improve guest memory allocation failure error message

2021-08-21 Thread Philippe Mathieu-Daudé
On 8/21/21 12:01 PM, Bin Meng wrote:
> On Fri, Aug 20, 2021 at 11:52 PM Philippe Mathieu-Daudé
>  wrote:
>>
>> When Linux refuses to overcommit a seriously wild allocation we get:
>>
>>   $ qemu-system-i386 -m 4000
>>   qemu-system-i386: cannot set up guest memory 'pc.ram': Cannot allocate 
>> memory
>>
>> Slighly improve the error message, displaying the memory size
> 
> typo: Slightly

Oops.

>>  if (!new_block->host) {
>> +g_autofree char *size_s = 
>> size_to_str(new_block->max_length);
> 
> Does g_autofree work with every compiler we support?
> 
> Looks it only applies to GCC and clang?
> https://www.gitmemory.com/issue/linuxwacom/libwacom/142/518787578

Which are the only two supported by the project AFAIK.

g_autofree depends on glib, minimum available since commit 00f2cfbbec6
("glib: bump min required glib library version to 2.48").

Merged here:

commit 3590b27c7a2be7a24b4b265
Merge: d013d220c71 57b9f113fce
Date:   Thu Aug 22 17:57:09 2019 +0100

Merge remote-tracking branch
'remotes/berrange/tags/autofree-pull-request' into staging

require newer glib2 to enable autofree'ing of stack
variables exiting scope

> Tested-by: Bin Meng 

Thanks!




Re: [RFC PATCH 1/1] QEMU plugin interface extension

2021-08-21 Thread Peter Maydell
On Sat, 21 Aug 2021 at 10:48, Florian Hauschild
 wrote:
>
> This extension covers functions:
>   * to read and write guest memory
>   * to read and write guest registers
>   * to flush tb cache
>   * to control single stepping of qemu from plugin
>
> These changes allow the user to
>   * collect more information about the behaviour of the system
>   * change the guest state with a plugin during execution
>   * control cache of tcg
>   * allow for precise instrumentation in execution flow

> +
> +static int plugin_read_register(CPUState *cpu, GByteArray *buf, int reg)
> +{
> +CPUClass *cc = CPU_GET_CLASS(cpu);
> +if (reg < cc->gdb_num_core_regs) {
> +return cc->gdb_read_register(cpu, buf, reg);
> +}
> +return 0;
> +}

At the point where these functions execute is the emulation
definitely stopped (ie no register values currently held
live in TCG locals) ?

-- PMM



Re: [RFC PATCH 0/1] QEMU TCG plugin interface extensions

2021-08-21 Thread Alexandre IOOSS

On 8/21/21 11:45 AM, Florian Hauschild wrote:

Hi all,

I extended the plugin interface with additional functionalities.
I wrote the extensions for fault injection/exploration research using
QEMU. The additional functionalities for a plugin are:
   * Read and write guest memory
   * Read and write guest registers
   * Allow plugin to force QEMU into single step mode
   * Flush TB cache from plugin


If something is added to read a register from a plugin, then the execlog 
plugin could print the operand values of each instruction. This would 
definitely be helpful for side-channel analysis: the Hamming weight (sum 
of bits) of the last operand roughly models the power consumption 
side-channel leakage.


If I recall correctly, there are some concerns about allowing to access 
registers inside plugins. Past threads about reading/writing registers:

https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08741.html
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg04588.html

Thanks,
-- Alexandre



OpenPGP_signature
Description: OpenPGP digital signature


Re: [PATCH] softmmu/physmem: Improve guest memory allocation failure error message

2021-08-21 Thread Peter Maydell
On Sat, 21 Aug 2021 at 11:03, Bin Meng  wrote:
> Does g_autofree work with every compiler we support?

Yes. We use it extensively:
  $ git grep g_autofree |wc -l
  329

> Looks it only applies to GCC and clang?
> https://www.gitmemory.com/issue/linuxwacom/libwacom/142/518787578

Those are the only two compilers we support :-)

-- PMM



Re: [PATCH v3 13/14] tcg/arm: Reserve a register for guest_base

2021-08-21 Thread Peter Maydell
On Fri, 20 Aug 2021 at 19:47, Richard Henderson
 wrote:
>
> On 8/20/21 2:03 AM, Peter Maydell wrote:
> >> -} else if (datalo != addend) {
> >> +} else if (scratch_addend) {
> >>   tcg_out_ld32_rwb(s, COND_AL, datalo, addend, addrlo);
> >>   tcg_out_ld32_12(s, COND_AL, datahi, addend, 4);
> >>   } else {
> >
> > I don't understand this change. Yes, we can trash the addend
> > register, but if it's the same as 'datalo' then the second load
> > is not going to DTRT... Shouldn't this be
> >if (scratch_addend && datalo != addend)
> > ?
>
> Previously, addend was *always* a scratch register, TCG_REG_TMP or such.
> Afterward, addend may be TCG_REG_GUEST_BASE, which should not be modified.
> At no point is there overlap between addend and data{hi,lo}.

So the old "datalo == addend" code path was dead code ?

Perhaps if the function now assumes that scratch_addend implies
that datalo != addend it would be worth assert()ing that, in case
some future callsite doesn't realize the restriction ?

thanks
-- PMM



Re: [PATCH] softmmu/physmem: Improve guest memory allocation failure error message

2021-08-21 Thread Bin Meng
On Fri, Aug 20, 2021 at 11:52 PM Philippe Mathieu-Daudé
 wrote:
>
> When Linux refuses to overcommit a seriously wild allocation we get:
>
>   $ qemu-system-i386 -m 4000
>   qemu-system-i386: cannot set up guest memory 'pc.ram': Cannot allocate 
> memory
>
> Slighly improve the error message, displaying the memory size

typo: Slightly

> requested (in case the user didn't expect unspecified memory size
> unit is in MiB):
>
>   $ qemu-system-i386 -m 4000
>   qemu-system-i386: Cannot set up 38.1 TiB of guest memory 'pc.ram': Cannot 
> allocate memory
>
> Reported-by: Bin Meng 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  softmmu/physmem.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/softmmu/physmem.c b/softmmu/physmem.c
> index 2e18947598e..2f300a9e79b 100644
> --- a/softmmu/physmem.c
> +++ b/softmmu/physmem.c
> @@ -1982,8 +1982,10 @@ static void ram_block_add(RAMBlock *new_block, Error 
> **errp)
>_block->mr->align,
>shared, noreserve);
>  if (!new_block->host) {
> +g_autofree char *size_s = size_to_str(new_block->max_length);

Does g_autofree work with every compiler we support?

Looks it only applies to GCC and clang?
https://www.gitmemory.com/issue/linuxwacom/libwacom/142/518787578

>  error_setg_errno(errp, errno,
> - "cannot set up guest memory '%s'",
> + "Cannot set up %s of guest memory '%s'",
> + size_s,

Nice improvement!

>   memory_region_name(new_block->mr));
>  qemu_mutex_unlock_ramlist();
>  return;
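Review bot: The added `size_to_str(new_block->max_length)` runs between the failed allocation and the `error_setg_errno(errp, errno, ...)` call, so the `errno` that ends up in the message can be overwritten by the allocation and formatting that `size_to_str()` does (it returns a heap string, hence the `g_autofree`). Save it first: `int saved_errno = errno;` directly after the `if (!new_block->host) {` line, and pass `saved_errno` instead of `errno` to `error_setg_errno`. The `g_autofree` itself is correct and releases the string on the early `return` below.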

Tested-by: Bin Meng 



[RFC PATCH 1/1] QEMU plugin interface extension

2021-08-21 Thread Florian Hauschild
This extension covers functions:
  * to read and write guest memory
  * to read and write guest registers
  * to flush tb cache
  * to control single stepping of qemu from plugin

These changes allow the user to
  * collect more information about the behaviour of the system
  * change the guest state with a plugin during execution
  * control cache of tcg
  * allow for precise instrumentation in execution flow

Signed-off-by: Florian Hauschild 
---
 include/qemu/qemu-plugin.h   |  35 
 plugins/meson.build  |   1 +
 plugins/readwriteextension.c | 106 +++
 3 files changed, 142 insertions(+)
 create mode 100644 plugins/readwriteextension.c

diff --git a/include/qemu/qemu-plugin.h b/include/qemu/qemu-plugin.h
index e6e815abc5..c7a0c5f379 100644
--- a/include/qemu/qemu-plugin.h
+++ b/include/qemu/qemu-plugin.h
@@ -577,4 +577,39 @@ int qemu_plugin_n_max_vcpus(void);
  */
 void qemu_plugin_outs(const char *string);
 
+
+/**
+ * read_reg() read a register
+ * @reg: Number of the register
+ *
+ * Returns the value of the register
+ */
+uint64_t read_reg(int reg);
+
+/**
+ * write_reg() - write to a register
+ * @reg: number of the register
+ * @val: value written to register
+ */
+void write_reg(int reg, uint64_t val);
+
+/**
+ * plugin_flush_tb() - Flush the tb cache
+ */
+void plugin_flush_tb(void);
+
+/**
+ * plugin_rw_memory_cpu() - Function to read from and write to a guest address.
+ * @address: baseaddress of the memory section
+ * @buffer: buffer managed by caller the value should be written to
+ * @buf_size: size of the buffer and memory size read/written.
+ * @write: 1 if write, 0 if read
+ */
+int plugin_rw_memory_cpu(uint64_t address, uint8_t buffer[], size_t buf_size, 
char write);
+
+/**
+ * plugin_single_step() - Function to change single step behaviour from the 
plugin.
+ */
+void plugin_single_step(int enable);
+
 #endif /* QEMU_PLUGIN_API_H */
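Review bot: The new declarations `read_reg`, `write_reg`, `plugin_flush_tb`, `plugin_rw_memory_cpu` and `plugin_single_step` break the naming convention of the rest of this header, where every exported function carries the `qemu_plugin_` prefix (`qemu_plugin_n_max_vcpus` and `qemu_plugin_outs` just above); unprefixed names in a public API header collide easily with plugin-local symbols. The doc comments are also incomplete: `plugin_rw_memory_cpu` returns an `int` whose meaning is not documented, `plugin_single_step` has no `@enable` line, and the `read_reg()` entry lacks the ` - ` separator the other entries use. Since these calls let a plugin alter guest registers and memory, the header should state the context in which they may be called (for instance, only from a vCPU callback while that vCPU is stopped) — the implementation in this patch resolves `current_cpu` at call time, and nothing in the declarations tells a plugin author when that is valid.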
diff --git a/plugins/meson.build b/plugins/meson.build
index e77723010e..b95cbab0b1 100644
--- a/plugins/meson.build
+++ b/plugins/meson.build
@@ -10,4 +10,5 @@ specific_ss.add(when: 'CONFIG_PLUGIN', if_true: [files(
   'loader.c',
   'core.c',
   'api.c',
+  'readwriteextension.c',
 ), declare_dependency(link_args: plugin_ldflags)])
diff --git a/plugins/readwriteextension.c b/plugins/readwriteextension.c
new file mode 100644
index 00..47460c396f
--- /dev/null
+++ b/plugins/readwriteextension.c
@@ -0,0 +1,106 @@
+/**
+ * QEMU Plugin read write extension code
+ *
+ * This is the code that allows the plugin to read and write
+ * memory and registers and flush the tb cache. Also allows
+ * to set QEMU into singlestep mode from Plugin.
+ *
+ * Based on plugin interface:
+ * Copyright (C) 2017, Emilio G. Cota 
+ * Copyright (C) 2019, Linaro
+ *
+ * Copyright (C) 2021 Florian Hauschild 
+ *
+ * License: GNU GPL, version 2 or later.
+ *   See the COPYING file in the top-level directory.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+
+
+#include "qemu/osdep.h"
+#include "qemu/plugin.h"
+#include "hw/core/cpu.h"
+#include "cpu.h"
+#include "exec/exec-all.h"
+
+void plugin_async_flush_tb(CPUState *cpu, run_on_cpu_data arg);
+void plugin_async_flush_tb(CPUState *cpu, run_on_cpu_data arg)
+{
+g_assert(cpu_in_exclusive_context(cpu));
+tb_flush(cpu);
+}
+
+
+
+int plugin_rw_memory_cpu(uint64_t address, uint8_t buffer[], size_t buf_size, 
char write)
+{
+return cpu_memory_rw_debug(current_cpu, address, buffer, buf_size, write);
+
+}
+
+
+void plugin_flush_tb(void)
+{
+async_safe_run_on_cpu(current_cpu, plugin_async_flush_tb, RUN_ON_CPU_NULL);
+}
+
+static int plugin_read_register(CPUState *cpu, GByteArray *buf, int reg)
+{
+CPUClass *cc = CPU_GET_CLASS(cpu);
+if (reg < cc->gdb_num_core_regs) {
+return cc->gdb_read_register(cpu, buf, reg);
+}
+return 0;
+}
+
+uint64_t read_reg(int reg)
+{
+GByteArray *val = g_byte_array_new();
+uint64_t reg_ret = 0;
+int ret_bytes = plugin_read_register(current_cpu, val, reg);
+if (ret_bytes == 1) {
+reg_ret = val->data[0];
+}
+if (ret_bytes == 2) {
+reg_ret = *(uint16_t *) &(val->data[0]);
+}
+if (ret_bytes == 4) {
+reg_ret = *(uint32_t *) &(val->data[0]);
+}
+if (ret_bytes == 8) {
+reg_ret = *(uint64_t *) &(val->data[0]);
+}
+return reg_ret;
+}
+
+void write_reg(int reg, uint64_t val)
+{
+CPUState *cpu = current_cpu;
+CPUClass *cc = CPU_GET_CLASS(cpu);
+
+if (reg < cc->gdb_num_core_regs) {
+cc->gdb_write_register(cpu, (uint8_t *) , reg);
+}
+}
+
+void plugin_single_step(int enable)
+{
+/* singlestep is set in softmmu/vl.c*/
+static int orig_value;
+static int executed = 1;
+
+if (unlikely(executed == 1)) {
+orig_value = singlestep;
+executed = 2;
+}
+
+if (enable == 1) {
+singlestep = 1;
+} else {
+singlestep = orig_value;
+}
+
+tb_flush(current_cpu);
+}
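Review bot: `read_reg` never frees the `GByteArray` it creates with `g_byte_array_new()`, so every call leaks, and the `*(uint16_t *) &(val->data[0])` style casts read the array through an incompatibly typed, possibly unaligned pointer, which is undefined behaviour in C. Copying the bytes with `memcpy` into a correctly sized local and freeing the array fixes both; the rewrite below keeps the same result for the 1/2/4/8-byte cases and 0 otherwise. The value is assembled in host byte order from whatever `gdb_read_register` produced, so a host/target endianness mismatch would presumably yield a swapped value — the same applies to `write_reg`, which passes the host bytes of `val` straight through, so a comment or an explicit conversion is needed there too. `plugin_single_step` also writes the global `singlestep` and calls `tb_flush` directly from plugin context, whereas `plugin_flush_tb` above defers through `async_safe_run_on_cpu`; the two paths should agree on how the flush is scheduled.
```c
uint64_t read_reg(int reg)
{
    GByteArray *val = g_byte_array_new();
    uint64_t reg_ret = 0;
    int ret_bytes = plugin_read_register(current_cpu, val, reg);

    /*
     * memcpy into a correctly sized local instead of casting val->data:
     * the cast reads through an unaligned, incompatibly typed pointer.
     * The bytes are interpreted in host order, as before.
     */
    switch (ret_bytes) {
    case 1:
        reg_ret = val->data[0];
        break;
    case 2: {
        uint16_t v;
        memcpy(&v, val->data, sizeof v);
        reg_ret = v;
        break;
    }
    case 4: {
        uint32_t v;
        memcpy(&v, val->data, sizeof v);
        reg_ret = v;
        break;
    }
    case 8:
        memcpy(&reg_ret, val->data, sizeof reg_ret);
        break;
    default:
        /* Unsupported width (or reg out of range): report 0, as before. */
        break;
    }
    g_byte_array_free(val, TRUE);
    return reg_ret;
}
```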
-- 

[RFC PATCH 0/1] QEMU TCG plugin interface extensions

2021-08-21 Thread Florian Hauschild
Hi all,

I extended the plugin interface with additional functionalities.
I wrote the extensions for fault injection/exploration research using
QEMU. The additional functionalities for a plugin are:
  * Read and write guest memory
  * Read and write guest registers
  * Allow plugin to force QEMU into single step mode
  * Flush TB cache from plugin

Currently the changes are stored in their own C file.
Should it be moved into one of the other plugin files?
Should a new config option be added to only enable the additional
extensions if set?

Best regards,
Florian


Florian Hauschild (1):
  QEMU plugin interface extension

 include/qemu/qemu-plugin.h   |  35 
 plugins/meson.build  |   1 +
 plugins/readwriteextension.c | 106 +++
 3 files changed, 142 insertions(+)
 create mode 100644 plugins/readwriteextension.c

-- 
2.25.1




Re: [PATCH V6 00/27] Live Update

2021-08-21 Thread Zheng Chuan
Hi, steve

It seems the VM gets stuck after cpr-load in an AArch64 environment?

My AArch64 environment and test steps:
1. linux kernel: 5.14-rc6
2. QEMU version: v6.1.0-rc2 (patch your patchset), and configure with 
`../configure --target-list=aarch64-softmmu --disable-werror --enable-kvm` 4. 
Steps to live update:
# ./build/aarch64-softmmu/qemu-system-aarch64 -machine 
virt,accel=kvm,gic-version=3,memfd-alloc=on -nodefaults -cpu host -m 2G -smp 1 
-drive 
file=/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw,if=pflash,format=raw,readonly=on
-drive file=,format=qcow2,if=none,id=drive_image1
-device virtio-blk-pci,id=image1,drive=drive_image1 -vnc :10 -device
virtio-gpu,id=video0 -device piix3-usb-uhci,id=usb -device
usb-tablet,id=input0,bus=usb.0,port=1 -device
usb-kbd,id=input1,bus=usb.0,port=2 -monitor stdio
(qemu) cpr-save /tmp/qemu.save restart
(qemu) cpr-exec ./build/aarch64-softmmu/qemu-system-aarch64 -machine 
virt,accel=kvm,gic-version=3,memfd-alloc=on -nodefaults -cpu host -m 2G -smp 1 
-drive 
file=/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw,if=pflash,format=raw,readonly=on
-drive file=,format=qcow2,if=none,id=drive_image1
-device virtio-blk-pci,id=image1,drive=drive_image1 -vnc :10 -device
virtio-gpu,id=video0 -device piix3-usb-uhci,id=usb -device
usb-tablet,id=input0,bus=usb.0,port=1 -device
usb-kbd,id=input1,bus=usb.0,port=2 -monitor stdio -S
(qemu) QEMU 6.0.92 monitor - type 'help' for more information
(qemu) cpr-load /tmp/qemu.save

Did I miss something?

On 2021/8/7 5:43, Steve Sistare wrote:
> Provide the cpr-save, cpr-exec, and cpr-load commands for live update.
> These save and restore VM state, with minimal guest pause time, so that
> qemu may be updated to a new version in between.
> 
> cpr-save stops the VM and saves vmstate to an ordinary file.  It supports
> any type of guest image and block device, but the caller must not modify
> guest block devices between cpr-save and cpr-load.  It supports two modes:
> reboot and restart.
> 
> In reboot mode, the caller invokes cpr-save and then terminates qemu.
> The caller may then update the host kernel and system software and reboot.
> The caller resumes the guest by running qemu with the same arguments as the
> original process and invoking cpr-load.  To use this mode, guest ram must be
> mapped to a persistent shared memory file such as /dev/dax0.0, or /dev/shm
> PKRAM as proposed in 
> https://lore.kernel.org/lkml/1617140178-8773-1-git-send-email-anthony.yzn...@oracle.com.
> 
> The reboot mode supports vfio devices if the caller first suspends the
> guest, such as by issuing guest-suspend-ram to the qemu guest agent.  The
> guest drivers' suspend methods flush outstanding requests and re-initialize
> the devices, and thus there is no device state to save and restore.
> 
> Restart mode preserves the guest VM across a restart of the qemu process.
> After cpr-save, the caller passes qemu command-line arguments to cpr-exec,
> which directly exec's the new qemu binary.  The arguments must include -S
> so new qemu starts in a paused state and waits for the cpr-load command.
> The restart mode supports vfio devices by preserving the vfio container,
> group, device, and event descriptors across the qemu re-exec, and by
> updating DMA mapping virtual addresses using VFIO_DMA_UNMAP_FLAG_VADDR and
> VFIO_DMA_MAP_FLAG_VADDR as defined in 
> https://lore.kernel.org/kvm/1611939252-7240-1-git-send-email-steven.sist...@oracle.com/
> and integrated in Linux kernel 5.12.
> 
> To use the restart mode, qemu must be started with the memfd-alloc option,
> which allocates guest ram using memfd_create.  The memfd's are saved to
> the environment and kept open across exec, after which they are found from
> the environment and re-mmap'd.  Hence guest ram is preserved in place,
> albeit with new virtual addresses in the qemu process.
> 
> The caller resumes the guest by invoking cpr-load, which loads state from
> the file. If the VM was running at cpr-save time, then VM execution resumes.
> If the VM was suspended at cpr-save time (reboot mode), then the caller must
> issue a system_wakeup command to resume.
> 
> The first patches add reboot mode:
>   - memory: qemu_check_ram_volatile
>   - migration: fix populate_vfio_info
>   - migration: qemu file wrappers
>   - migration: simplify savevm
>   - vl: start on wakeup request
>   - cpr: reboot mode
>   - cpr: reboot HMP interfaces
> 
> The next patches add restart mode:
>   - memory: flat section iterator
>   - oslib: qemu_clear_cloexec
>   - machine: memfd-alloc option
>   - qapi: list utility functions
>   - vl: helper to request re-exec
>   - cpr: preserve extra state
>   - cpr: restart mode
>   - cpr: restart HMP interfaces
>   - hostmem-memfd: cpr for memory-backend-memfd
> 
> The next patches add vfio support for restart mode:
>   - pci: export functions for cpr
>   - vfio-pci: refactor for cpr
>   - vfio-pci: cpr part 1 (fd and dma)
>   - vfio-pci: cpr part 2 (msi)
>   - vfio-pci: cpr part 3 (intx)
> 
> The next 

[Bug 1905521] Re: assert issue locates in hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed

2021-08-21 Thread Thomas Huth
** Changed in: qemu
 Assignee: Gaoning Pan (hades0506) => (unassigned)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905521

Title:
  assert issue locates in hw/scsi/lsi53c895a.c:624: lsi_do_dma:
  Assertion `s->current' failed

Status in QEMU:
  Incomplete

Bug description:
  Hello,

  I found an assertion failure in hw/scsi/lsi53c895a.c:624

  This was found in latest version 5.2.0.

  
  my reproduction environment is as follows:
  Host: ubuntu 18.04
  Guest: ubuntu 18.04


  QEMU boot command line:
  qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive 
format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:-:22 -display 
none -device lsi53c895a -trace lsi\*

  Backtrace is as follows:
  #0  0x7f845c6eff47 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x7f845c6f18b1 in __GI_abort () at abort.c:79
  #2  0x7f845c6e142a in __assert_fail_base (fmt=0x7f845c868a38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55a1034486a0 
"s->current", file=file@entry=0x55a103448360 "../hw/scsi/lsi53c895a.c", 
line=line@entry=624, function=function@entry=0x55a10344ae60 
<__PRETTY_FUNCTION__.31674> "lsi_do_dma") at assert.c:92
  #3  0x7f845c6e14a2 in __GI___assert_fail (assertion=0x55a1034486a0 
"s->current", file=0x55a103448360 "../hw/scsi/lsi53c895a.c", line=624, 
function=0x55a10344ae60 <__PRETTY_FUNCTION__.31674> "lsi_do_dma") at 
assert.c:101
  #4  0x55a102049c65 in lsi_do_dma (s=0x6260c100, out=1) at 
../hw/scsi/lsi53c895a.c:624
  #5  0x55a102051573 in lsi_execute_script (s=0x6260c100) at 
../hw/scsi/lsi53c895a.c:1250
  #6  0x55a10205b05d in lsi_reg_writeb (s=0x6260c100, offset=47, 
val=178 '\262') at ../hw/scsi/lsi53c895a.c:1984
  #7  0x55a10205fef8 in lsi_io_write (opaque=0x6260c100, addr=47, 
val=178, size=1) at ../hw/scsi/lsi53c895a.c:2146
  #8  0x55a102d1b791 in memory_region_write_accessor (mr=0x6260cbe0, 
addr=47, value=0x7f8349dfe2f8, size=1, shift=0, mask=255, attrs=...) at 
../softmmu/memory.c:484
  #9  0x55a102d1bba8 in access_with_adjusted_size (addr=47, 
value=0x7f8349dfe2f8, size=1, access_size_min=1, access_size_max=1, 
access_fn=0x55a102d1b4de , mr=0x6260cbe0, 
attrs=...) at ../softmmu/memory.c:545
  #10 0x55a102d261ef in memory_region_dispatch_write (mr=0x6260cbe0, 
addr=47, data=178, op=MO_8, attrs=...) at ../softmmu/memory.c:1494
  #11 0x55a102b57c3c in flatview_write_continue (fv=0x606ea920, 
addr=49199, attrs=..., ptr=0x7f8449efb000, len=1, addr1=47, l=1, 
mr=0x6260cbe0) at ../softmmu/physmem.c:2767
  #12 0x55a102b57f07 in flatview_write (fv=0x606ea920, addr=49199, 
attrs=..., buf=0x7f8449efb000, len=1) at ../softmmu/physmem.c:2807
  #13 0x55a102b587cb in address_space_write (as=0x55a105ebca80 
, addr=49199, attrs=..., buf=0x7f8449efb000, len=1) at 
../softmmu/physmem.c:2899
  #14 0x55a102b58878 in address_space_rw (as=0x55a105ebca80 
, addr=49199, attrs=..., buf=0x7f8449efb000, len=1, 
is_write=true) at ../softmmu/physmem.c:2909
  #15 0x55a102ad4d50 in kvm_handle_io (port=49199, attrs=..., 
data=0x7f8449efb000, direction=1, size=1, count=1) at 
../accel/kvm/kvm-all.c:2283
  #16 0x55a102ad6a0f in kvm_cpu_exec (cpu=0x62e00400) at 
../accel/kvm/kvm-all.c:2529
  #17 0x55a102c26fbb in kvm_vcpu_thread_fn (arg=0x62e00400) at 
../accel/kvm/kvm-cpus.c:49
  #18 0x55a1032c08f8 in qemu_thread_start (args=0x60382780) at 
../util/qemu-thread-posix.c:521
  #19 0x7f845caa96db in start_thread (arg=0x7f8349dff700) at 
pthread_create.c:463
  #20 0x7f845c7d2a3f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

  
  The poc is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905521/+subscriptions




[Bug 1914117] Re: Short files returned via FTP on Qemu with various architectures and OSes

2021-08-21 Thread Thomas Huth
slirp has been updated for QEMU 6.1-rc2, so this should be fixed in the
latest 6.1 release candidate. If you've got some spare minutes, could
you please check whether it's working for you now in 6.1-rc4 ?

** Changed in: qemu
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1914117

Title:
  Short files returned via FTP on Qemu with various architectures and
  OSes

Status in QEMU:
  Fix Committed

Bug description:
  
  Qemu 5.2 on Mac OS X Big Sur.

  I originally thought that it might be caused by the home-brew version of 
Qemu, but this evening I have removed the brew edition and compiled from 
scratch (using Ninja & Xcode compiler). 
  Still getting the same problem.

  On the following architectures: 
  arm64, amd64 and sometimes i386 running NetBSD host OS; 
  i386 running OpenBSD host OS:

  I have seen a consistent problem with FTP returning short files. The
  file will be a couple of bytes too short. I do not believe this is a
  problem with the OS. Downloading the perl source code from CPAN does
  not work properly, nor does downloading bind from isc. I've tried this
  on different architectures as above.

  (Qemu 4.2 on Ubuntu/x86_64 with NetBSD/i386 seems to function fine. My
  gut feel is there is something not right on the Mac OS version of Qemu
  or a bug in 5.2 - obviously in the network layer somewhere. If you
  have anything you want me to try, please let me know - happy to help
  get a resolution.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1914117/+subscriptions




[Bug 1921664] Re: Coroutines are racy for risc64 emu on arm64 - crash on Assertion

2021-08-21 Thread Thomas Huth
@Christian & Tommy : Could you please check whether the problematic
binaries were built with link-time optimization, i.e. with -flto ? If
so, does the problem go away when you rebuild the package without LTO?

** Changed in: qemu
   Status: New => Incomplete

** Changed in: qemu (Ubuntu)
   Status: Confirmed => Incomplete

-- 
https://bugs.launchpad.net/bugs/1921664

Title:
  Coroutines are racy for risc64 emu on arm64 - crash on Assertion

Status in QEMU:
  Incomplete
Status in qemu package in Ubuntu:
  Incomplete

Bug description:
  Note: this could as well be "riscv64 on arm64" for being slow@slow and affect
  other architectures as well.

  The following case triggers on a Raspberry Pi4 running with arm64 on
  Ubuntu 21.04 [1][2]. It might trigger on other environments as well,
  but that is where we have seen it so far.

 $ wget 
https://github.com/carlosedp/riscv-bringup/releases/download/v1.0/UbuntuFocal-riscv64-QemuVM.tar.gz
 $ tar xzf UbuntuFocal-riscv64-QemuVM.tar.gz
 $ ./run_riscvVM.sh
  (wait ~2 minutes)
 [ OK ] Reached target Local File Systems (Pre).
 [ OK ] Reached target Local File Systems.
  Starting udev Kernel Device Manager...
  qemu-system-riscv64: ../../util/qemu-coroutine-lock.c:57: 
qemu_co_queue_wait_impl: Assertion `qemu_in_coroutine()' failed.

  This is often, but not 100% reproducible and the cases differ slightly we
  see either of:
  - qemu-system-riscv64: ../../util/qemu-coroutine-lock.c:57: 
qemu_co_queue_wait_impl: Assertion `qemu_in_coroutine()' failed.
  - qemu-system-riscv64: ../../block/aio_task.c:64: aio_task_pool_wait_one: 
Assertion `qemu_coroutine_self() == pool->main_co' failed.

  Rebuilding working cases has been shown to make them fail, and rebuilding
  (or even reinstalling) bad cases has made them work. Also the same builds on
  different arm64 CPUs behave differently. TL;DR: The full list of conditions
  influencing good/bad case here are not yet known.

  [1]: 
https://ubuntu.com/tutorials/how-to-install-ubuntu-on-your-raspberry-pi#1-overview
  [2]: 
http://cdimage.ubuntu.com/daily-preinstalled/pending/hirsute-preinstalled-desktop-arm64+raspi.img.xz

  
  --- --- original report --- ---

  I regularly run a RISC-V (RV64GC) QEMU VM, but an update a few days
  ago broke it.  Now when I launch it, it hits an assertion:

  OpenSBI v0.6
     _  _
    / __ \  / |  _ \_   _|
   | |  | |_ __   ___ _ __ | (___ | |_) || |
   | |  | | '_ \ / _ \ '_ \ \___ \|  _ < | |
   | |__| | |_) |  __/ | | |) | |_) || |_
    \/| .__/ \___|_| |_|_/|/_|
  | |
  |_|

  ...
  Found /boot/extlinux/extlinux.conf
  Retrieving file: /boot/extlinux/extlinux.conf
  618 bytes read in 2 ms (301.8 KiB/s)
  RISC-V Qemu Boot Options
  1:  Linux kernel-5.5.0-dirty
  2:  Linux kernel-5.5.0-dirty (recovery mode)
  Enter choice: 1:Linux kernel-5.5.0-dirty
  Retrieving file: /boot/initrd.img-5.5.0-dirty
  qemu-system-riscv64: ../../block/aio_task.c:64: aio_task_pool_wait_one: 
Assertion `qemu_coroutine_self() == pool->main_co' failed.
  ./run.sh: line 31:  1604 Aborted (core dumped) 
qemu-system-riscv64 -machine virt -nographic -smp 8 -m 8G -bios fw_payload.bin 
-device virtio-blk-devi
  ce,drive=hd0 -object rng-random,filename=/dev/urandom,id=rng0 -device 
virtio-rng-device,rng=rng0 -drive 
file=riscv64-UbuntuFocal-qemu.qcow2,format=qcow2,id=hd0 -devi
  ce virtio-net-device,netdev=usernet -netdev user,id=usernet,$ports

  Interestingly this doesn't happen on the AMD64 version of Ubuntu 21.04
  (fully updated).

  Think you have everything already, but just in case:

  $ lsb_release -rd
  Description:Ubuntu Hirsute Hippo (development branch)
  Release:21.04

  $ uname -a
  Linux minimacvm 5.11.0-11-generic #12-Ubuntu SMP Mon Mar 1 19:27:36 UTC 2021 
aarch64 aarch64 aarch64 GNU/Linux
  (note this is a VM running on macOS/M1)

  $ apt-cache policy qemu
  qemu:
    Installed: 1:5.2+dfsg-9ubuntu1
    Candidate: 1:5.2+dfsg-9ubuntu1
    Version table:
   *** 1:5.2+dfsg-9ubuntu1 500
  500 http://ports.ubuntu.com/ubuntu-ports hirsute/universe arm64 
Packages
  100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: qemu 1:5.2+dfsg-9ubuntu1
  ProcVersionSignature: Ubuntu 5.11.0-11.12-generic 5.11.0
  Uname: Linux 5.11.0-11-generic aarch64
  ApportVersion: 2.20.11-0ubuntu61
  Architecture: arm64
  CasperMD5CheckResult: unknown
  CurrentDmesg:
   Error: command ['pkexec', 'dmesg'] failed with exit code 127: 
polkit-agent-helper-1: error response to PolicyKit daemon: 
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
   Error executing command as another user: Not authorized

   This incident has been reported.
  Date: Mon Mar 29 02:33:25 2021
  Dependencies:

  

[Bug 1878057] Re: null-ptr dereference in megasas_command_complete

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Incomplete => Invalid

-- 
https://bugs.launchpad.net/bugs/1878057

Title:
  null-ptr dereference in megasas_command_complete

Status in QEMU:
  Invalid

Bug description:
  Hello,
  While fuzzing, I found an input that triggers a null-pointer dereference in
  megasas_command_complete:

  ==14959==ERROR: AddressSanitizer: SEGV on unknown address 0x0003 (pc 
0x55b1d11b4df1 bp 0x7ffeb55ca450 sp 0x7ffeb55ca1e0 T0)
  ==14959==The signal is caused by a WRITE memory access.
  ==14959==Hint: address points to the zero page.
  #0 0x55b1d11b4df1 in megasas_command_complete 
/home/alxndr/Development/qemu/hw/scsi/megasas.c:1877:40
  #1 0x55b1d11759ec in scsi_req_complete 
/home/alxndr/Development/qemu/hw/scsi/scsi-bus.c:1430:5
  #2 0x55b1d115c98f in scsi_aio_complete 
/home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:216:5
  #3 0x55b1d151c638 in blk_aio_complete 
/home/alxndr/Development/qemu/block/block-backend.c:1375:9
  #4 0x55b1d151c638 in blk_aio_complete_bh 
/home/alxndr/Development/qemu/block/block-backend.c:1385:5
  #5 0x55b1d16f3a5b in aio_bh_call 
/home/alxndr/Development/qemu/util/async.c:136:5
  #6 0x55b1d16f3a5b in aio_bh_poll 
/home/alxndr/Development/qemu/util/async.c:164:13
  #7 0x55b1d16fe43e in aio_dispatch 
/home/alxndr/Development/qemu/util/aio-posix.c:380:5
  #8 0x55b1d16f54fa in aio_ctx_dispatch 
/home/alxndr/Development/qemu/util/async.c:306:5
  #9 0x7f47937c89ed in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e9ed)
  #10 0x55b1d16fbef4 in glib_pollfds_poll 
/home/alxndr/Development/qemu/util/main-loop.c:219:9
  #11 0x55b1d16fbef4 in os_host_main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:242:5
  #12 0x55b1d16fbef4 in main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:518:11
  #13 0x55b1d0cd16a6 in qemu_main_loop 
/home/alxndr/Development/qemu/softmmu/vl.c:1664:9
  #14 0x55b1d1608dca in main 
/home/alxndr/Development/qemu/softmmu/main.c:49:5
  #15 0x7f4792378e0a in __libc_start_main 
/build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
  #16 0x55b1d091d7b9 in _start 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x8f47b9)

  I can reproduce it in qemu 5.0 built with using:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M 
pc-q35-5.0 -no-shutdown -M q35 -device megasas -device scsi-cd,drive=null0 
-blockdev driver=null-co,read-zeroes=on,node-name=null0 -nographic -qtest stdio 
-monitor none -serial none
  outl 0xcf8 0x80001814
  outl 0xcfc 0xc021
  outl 0xcf8 0x80001818
  outl 0xcf8 0x80001804
  outw 0xcfc 0x7
  outl 0xcf8 0x80001810
  outl 0xcfc 0xe10c
  outl 0xcf8 0x8000f810
  write 0x44b20 0x1 0x35
  write 0x44b00 0x1 0x03
  write 0xc021e10c0040 0x81 
0x014b0400013100014b0400013800014b0400013f00014b0400014600014b0400014d00014b0400015400014b0400015b00014b0400016200014b0400016900014b040001714b0400017700014b0400017e00014b0400018500014b0400018c00014b04
  EOF

  I also attached the trace to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -qtest stdio -monitor none -serial none -M pc-q35-5.0
  -no-shutdown -M q35 -device megasas -device scsi-cd,drive=null0
  -blockdev driver=null-co,read-zeroes=on,node-name=null0 -nographic <
  attachment

  Please let me know if I can provide any further info.
  -Alex





[Bug 1913667] Re: FPE in npcm7xx_clk_update_pll

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Incomplete

** Changed in: qemu
   Status: Incomplete => Invalid

-- 
https://bugs.launchpad.net/bugs/1913667

Title:
  FPE in npcm7xx_clk_update_pll

Status in QEMU:
  Invalid

Bug description:
  I've been working on integrating the generic-fuzzer with ARM machines
  on OSS-Fuzz so we can fuzz devices on architectures beyond i386. Since
  I saw that there is some active development for the Nuvoton machines,
  I thought it might be useful to fuzz the NPCM750 machine.

  Reproducer:
  cat << EOF | ./qemu-system-aarch64 -M npcm750-evb \
  -accel qtest -qtest stdio
  write 0xf080100c 0x4 0x00
  write 0xf080100c 0x4 0x00
  EOF

  Trace:
  ../hw/misc/npcm7xx_clk.c:131:14: runtime error: division by zero
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
../hw/misc/npcm7xx_clk.c:131:14 in
  AddressSanitizer:DEADLYSIGNAL
  =
  ==717855==ERROR: AddressSanitizer: FPE on unknown address 0x5619201fcd8c (pc 
0x5619201fcd8c bp 0x7ffc94214e50 sp 0x7ffc94214e30 T0)
  #0 0x5619201fcd8c in npcm7xx_clk_update_pll /hw/misc/npcm7xx_clk.c:131:14
  #1 0x5619201ff5dc in npcm7xx_clk_write /hw/misc/npcm7xx_clk.c:799:13
  #2 0x5619214781fe in memory_region_write_accessor /softmmu/memory.c:491:5
  #3 0x561921477bfb in access_with_adjusted_size /softmmu/memory.c:552:18
  #4 0x561921477467 in memory_region_dispatch_write /softmmu/memory.c
  #5 0x561921807ffb in flatview_write_continue /softmmu/physmem.c:2759:23
  #6 0x5619217fd71b in flatview_write /softmmu/physmem.c:2799:14
  #7 0x5619217fd71b in address_space_write /softmmu/physmem.c:2891:18
  #8 0x561921465eee in qtest_process_command /softmmu/qtest.c:539:13
  #9 0x561921462b97 in qtest_process_inbuf /softmmu/qtest.c:797:9
  #10 0x561921cb3286 in fd_chr_read /chardev/char-fd.c:68:9
  #11 0x7f4ad283baae in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
  #12 0x56192230e363 in glib_pollfds_poll /util/main-loop.c:232:9
  #13 0x56192230e363 in os_host_main_loop_wait /util/main-loop.c:255:5
  #14 0x56192230e363 in main_loop_wait /util/main-loop.c:531:11
  #15 0x5619213c9599 in qemu_main_loop /softmmu/runstate.c:721:9
  #16 0x56191f6561fd in main /softmmu/main.c:50:5
  #17 0x7f4ad22e0cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
  #18 0x56191f5a9bc9 in _start 
(/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)





[Bug 1913669] Re: FPE in npcm7xx_adc_convert

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1913669

Title:
  FPE in npcm7xx_adc_convert

Status in QEMU:
  Invalid

Bug description:
  Reproducer:
  cat << EOF | ./qemu-system-aarch64 -M npcm750-evb \
  -accel qtest -qtest stdio
  write 0xf000c000 0x4 0x02400200
  clock_step
  EOF

  Trace:
  ../hw/adc/npcm7xx_adc.c:60:51: runtime error: division by zero
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
../hw/adc/npcm7xx_adc.c:60:51 in
  AddressSanitizer:DEADLYSIGNAL
  =
  ==717962==ERROR: AddressSanitizer: FPE on unknown address 0x55901aa6e67a (pc 
0x55901aa6e67a bp 0x7fff0ac087e0 sp 0x7fff0ac087a0 T0)
  #0 0x55901aa6e67a in npcm7xx_adc_convert /hw/adc/npcm7xx_adc.c:60:51
  #1 0x55901aa6e67a in npcm7xx_adc_convert_done /hw/adc/npcm7xx_adc.c:106:15
  #2 0x55901ceb847e in timerlist_run_timers /util/qemu-timer.c:574:9
  #3 0x55901c05d804 in qtest_clock_warp /softmmu/qtest.c:356:9
  #4 0x55901c059781 in qtest_process_command /softmmu/qtest.c:752:9
  #5 0x55901c051b97 in qtest_process_inbuf /softmmu/qtest.c:797:9
  #6 0x55901c8a2286 in fd_chr_read /chardev/char-fd.c:68:9
  #7 0x7fa5c43f1aae in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
  #8 0x55901cefd363 in glib_pollfds_poll /util/main-loop.c:232:9
  #9 0x55901cefd363 in os_host_main_loop_wait /util/main-loop.c:255:5
  #10 0x55901cefd363 in main_loop_wait /util/main-loop.c:531:11
  #11 0x55901bfb8599 in qemu_main_loop /softmmu/runstate.c:721:9
  #12 0x55901a2451fd in main /softmmu/main.c:50:5
  #13 0x7fa5c3e96cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
  #14 0x55901a198bc9 in _start 
(/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: FPE /hw/adc/npcm7xx_adc.c:60:51 in 
npcm7xx_adc_convert





[Bug 1918321] Re: [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1918321

Title:
  [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
  megasas_finish_dcmd

Status in QEMU:
  Invalid

Bug description:
  Hello,

  == QTest Reproducer ==
  /* 
   * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
   * 512M -machine q35 -nodefaults -device megasas -device \
   * scsi-cd,drive=null0 -blockdev \
   * driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
   * outl 0xcf8 0x8801
   * outl 0xcfc 0x0500
   * outl 0xcf8 0x8816
   * outl 0xcfc 0x1900
   * write 0x1e1ed300 0x1 0x01
   * write 0x1e1ed307 0x1 0x01
   * write 0x1e1ed316 0x1 0x01
   * write 0x1e1ed328 0x1 0x01
   * write 0x1e1ed32f 0x1 0x01
   * outl 0x1940 0x1e1ed300
   * outl 0x19c0 0x00
   * EOF
   */
  /*
   * Replay the qtest command sequence from the reproducer comment above
   * against a q35 machine with a megasas controller and one scsi-cd backed
   * by a null-co block node. The resulting device state is the one in
   * which the stack trace below is produced.
   */
  static void null_deref_megasas_finish_dcmd(void)
  {
      /* Guest addresses that each receive a single 0x01 byte, in issue order. */
      static const uint64_t byte_write_addrs[] = {
          0x1e1ed300, 0x1e1ed307, 0x1e1ed316, 0x1e1ed328, 0x1e1ed32f,
      };
      QTestState *qts = qtest_init(
          "-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
          "scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");

      /* Two pairs of 32-bit port writes, exactly as the reproducer lists them. */
      qtest_outl(qts, 0xcf8, 0x8801);
      qtest_outl(qts, 0xcfc, 0x0500);
      qtest_outl(qts, 0xcf8, 0x8816);
      qtest_outl(qts, 0xcfc, 0x1900);

      for (size_t i = 0; i < sizeof byte_write_addrs / sizeof byte_write_addrs[0]; i++) {
          qtest_bufwrite(qts, byte_write_addrs[i], "\x01", 0x1);
      }

      qtest_outl(qts, 0x1940, 0x1e1ed300);
      qtest_outl(qts, 0x19c0, 0x00);
      qtest_quit(qts);
  }
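  /*
   * Register the reproducer as a qtest case. It is only registered for the
   * i386 target, the one the reproducer command line above is written for.
   *
   * Returns the g_test_run() exit status.
   */
  int main(int argc, char **argv)
  {
      const char *arch = qtest_get_arch();

      /*
       * The archived copy of this listing lost the two arguments here
       * (rendered as "g_test_init(, , NULL)"); glib's g_test_init takes
       * int *argc and char ***argv, so they are restored.
       */
      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
                         null_deref_megasas_finish_dcmd);
      }

      return g_test_run();
  }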

  == Stack Trace ==
  ../hw/scsi/megasas.c:1884:21: runtime error: member access within null 
pointer of type 'union mfi_frame'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
../hw/scsi/megasas.c:1884:21 in
  ../hw/scsi/megasas.c:1884:21: runtime error: member access within null 
pointer of type 'struct mfi_frame_header'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
../hw/scsi/megasas.c:1884:21 in
  AddressSanitizer:DEADLYSIGNAL
  =
  ==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x0003 (pc 
0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
  ==314546==The signal is caused by a WRITE memory access.
  ==314546==Hint: address points to the zero page.
  #0 0x55b1b4f4de73 in megasas_command_complete 
build/../hw/scsi/megasas.c:1884:40
  #1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
  #2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
  #3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
  #4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
  #5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
  #6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
  #7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
  #8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
  #9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
  #10 0x7fd88c098baa in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
  #11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
  #12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
  #13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
  #14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
  #15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
  #16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
  #17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)





Re: [PATCH v3 02/16] tcg/mips: Support unaligned access for softmmu

2021-08-21 Thread Jiaxun Yang



在2021年8月19日八月 上午4:19,Richard Henderson写道:
> We can use the routines just added for user-only to emit
> unaligned accesses in softmmu mode too.
> 
> Signed-off-by: Richard Henderson 
Reviewed-by: Jiaxun Yang 

Thanks!

> ---
>  tcg/mips/tcg-target.c.inc | 91 ++-
>  1 file changed, 51 insertions(+), 40 deletions(-)
> 
> diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
> index 7ed0de9dae..3d6a0ba39e 100644
> --- a/tcg/mips/tcg-target.c.inc
> +++ b/tcg/mips/tcg-target.c.inc
> @@ -1154,8 +1154,10 @@ static void tcg_out_tlb_load(TCGContext *s, 
> TCGReg base, TCGReg addrl,
>   tcg_insn_unit *label_ptr[2], bool is_load)
>  {
>  MemOp opc = get_memop(oi);
> -unsigned s_bits = opc & MO_SIZE;
>  unsigned a_bits = get_alignment_bits(opc);
> +unsigned s_bits = opc & MO_SIZE;
> +unsigned a_mask = (1 << a_bits) - 1;
> +unsigned s_mask = (1 << s_bits) - 1;
>  int mem_index = get_mmuidx(oi);
>  int fast_off = TLB_MASK_TABLE_OFS(mem_index);
>  int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
> @@ -1163,7 +1165,7 @@ static void tcg_out_tlb_load(TCGContext *s, 
> TCGReg base, TCGReg addrl,
>  int add_off = offsetof(CPUTLBEntry, addend);
>  int cmp_off = (is_load ? offsetof(CPUTLBEntry, addr_read)
> : offsetof(CPUTLBEntry, addr_write));
> -target_ulong mask;
> +target_ulong tlb_mask;
>  
>  /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
>  tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP0, TCG_AREG0, mask_off);
> @@ -1177,27 +1179,13 @@ static void tcg_out_tlb_load(TCGContext *s, 
> TCGReg base, TCGReg addrl,
>  /* Add the tlb_table pointer, creating the CPUTLBEntry address in 
> TMP3.  */
>  tcg_out_opc_reg(s, ALIAS_PADD, TCG_TMP3, TCG_TMP3, TCG_TMP1);
>  
> -/* We don't currently support unaligned accesses.
> -   We could do so with mips32r6.  */
> -if (a_bits < s_bits) {
> -a_bits = s_bits;
> -}
> -
> -/* Mask the page bits, keeping the alignment bits to compare against.  */
> -mask = (target_ulong)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
> -
>  /* Load the (low-half) tlb comparator.  */
>  if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
> -tcg_out_ld(s, TCG_TYPE_I32, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
> -tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, mask);
> +tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
>  } else {
>  tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
>   : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
>   TCG_TMP0, TCG_TMP3, cmp_off);
> -tcg_out_movi(s, TCG_TYPE_TL, TCG_TMP1, mask);
> -/* No second compare is required here;
> -   load the tlb addend for the fast path.  */
> -tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
>  }
>  
>  /* Zero extend a 32-bit guest address for a 64-bit host. */
> @@ -1205,7 +1193,25 @@ static void tcg_out_tlb_load(TCGContext *s, 
> TCGReg base, TCGReg addrl,
>  tcg_out_ext32u(s, base, addrl);
>  addrl = base;
>  }
> -tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrl);
> +
> +/*
> + * Mask the page bits, keeping the alignment bits to compare 
> against.
> + * For unaligned accesses, compare against the end of the access to
> + * verify that it does not cross a page boundary.
> + */
> +tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
> +tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
> +if (a_mask >= s_mask) {
> +tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrl);
> +} else {
> +tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrl, s_mask - 
> a_mask);
> +tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
> +}
> +
> +if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
> +/* Load the tlb addend for the fast path.  */
> +tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
> +}
>  
>  label_ptr[0] = s->code_ptr;
>  tcg_out_opc_br(s, OPC_BNE, TCG_TMP1, TCG_TMP0);
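Review bot: The new `tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);` unifies what the previous hunk removed as a TCG_TYPE_I32 move on 32-bit hosts and a TCG_TYPE_TL move otherwise, so on a 64-bit host with a 64-bit guest the comparator mask is now emitted as a 32-bit immediate. Assuming the MIPS tcg_out_movi sign-extends an I32 immediate to register width, this is correct only because the upper half of `(target_ulong)TARGET_PAGE_MASK | a_mask` is a sign extension of bit 31; that invariant is not stated anywhere and is easy to break if a high bit ever enters the mask. A one-line comment above the movi would make the dependency explicit, e.g. `/* tlb_mask is sign-extended from bit 31, so a 32-bit move is enough for every host/guest width. */`. The enclosing tcg_out_tlb_load starts in the first hunk and continues beyond this one.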
> @@ -1213,7 +1219,7 @@ static void tcg_out_tlb_load(TCGContext *s, 
> TCGReg base, TCGReg addrl,
>  /* Load and test the high half tlb comparator.  */
>  if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
>  /* delay slot */
> -tcg_out_ld(s, TCG_TYPE_I32, TCG_TMP0, TCG_TMP3, cmp_off + 
> HI_OFF);
> +tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
>  
>  /* Load the tlb addend for the fast path.  */
>  tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
> @@ -1535,8 +1541,7 @@ static void tcg_out_qemu_ld_direct(TCGContext *s, 
> TCGReg lo, TCGReg hi,
>  }
>  }
>  
> -static void __attribute__((unused))
> -tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
> +static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg 
> hi,
>   

[Bug 1917082] Re: [OSS-Fuzz] Issue 27574 e1000: Loopback-related stack-overflow

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1917082

Title:
  [OSS-Fuzz] Issue 27574 e1000: Loopback-related stack-overflow

Status in QEMU:
  Invalid

Bug description:
  === Reproducer ===
  cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
  512M -M q35 -nodefaults -device e1000,netdev=net0 -netdev user,id=net0 \
  -qtest /dev/null -qtest stdio
  outl 0xcf8 0x8813
  outl 0xcfc 0xfe
  outl 0xcf8 0x8803
  outw 0xcfc 0x0600
  write 0xfe000102 0x1 0x0a
  writel 0xfe20 0x420ff00
  write 0xfe00280a 0x2 0x0828
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  clock_step
  write 0xfe00281b 0x1 0x08
  write 0xf9b 0x1 0x01
  write 0x2170 0x1 0x14
  write 0x2171 0x1 0x38
  write 0x2173 0x1 0xfe
  write 0xfe000402 0x1 0x02
  write 0xfe00380a 0x2 0x0210
  write 0xfe003818 0x1 0xfa
  EOF

  === Stack-trace ===
  ==288216==ERROR: AddressSanitizer: stack-overflow on address 0x7fff51c96f48 
(pc 0x56247061af36 bp 0x7fff51c97790 sp 0x7fff51c96f50 T0)
  #0 0x56247061af36 in __asan_memcpy 
(/home/alxndr/Development/qemu/build/qemu-system-i386+0x2baff36)
  #1 0x5624718eb70d in flatview_read_continue 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:2846:13
  #2 0x5624718ecd1b in flatview_read 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:2879:12
  #3 0x5624718ecd1b in address_space_read_full 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:2892:18
  #4 0x562470bcb75b in dma_memory_rw_relaxed 
/home/alxndr/Development/qemu/include/sysemu/dma.h:88:12
  #5 0x562470bcb75b in dma_memory_rw 
/home/alxndr/Development/qemu/include/sysemu/dma.h:127:12
  #6 0x562470bcb75b in pci_dma_rw 
/home/alxndr/Development/qemu/include/hw/pci/pci.h:803:12
  #7 0x562470bcb75b in pci_dma_read 
/home/alxndr/Development/qemu/include/hw/pci/pci.h:821:12
  #8 0x562470bcb75b in e1000_receive_iov 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:954:9
  #9 0x562470bca465 in e1000_receive 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:1025:12
  #10 0x562470bc9671 in e1000_send_packet 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:549:9
  #11 0x562470bc7dd8 in xmit_seg 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c
  #12 0x562470bc4dfe in process_tx_desc 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:701:9
  #13 0x562470bc4dfe in start_xmit 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:756:9
  #14 0x562470bc4dfe in set_tctl 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:1127:5
  #15 0x5624719ef2f6 in memory_region_write_accessor 
/home/alxndr/Development/qemu/build/../softmmu/memory.c:491:5
  #16 0x5624719eed63 in access_with_adjusted_size 
/home/alxndr/Development/qemu/build/../softmmu/memory.c:552:18
  #17 0x5624719ee5c0 in memory_region_dispatch_write 
/home/alxndr/Development/qemu/build/../softmmu/memory.c
  #18 0x5624718f7776 in flatview_write_continue 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:2776:23
  #19 0x5624718ed13b in flatview_write 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:2816:14
  #20 0x5624718ed13b in address_space_write 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:2908:18
  #21 0x562470bcba6b in dma_memory_rw_relaxed 
/home/alxndr/Development/qemu/include/sysemu/dma.h:88:12
  #22 0x562470bcba6b in dma_memory_rw 
/home/alxndr/Development/qemu/include/sysemu/dma.h:127:12
  #23 0x562470bcba6b in pci_dma_rw 
/home/alxndr/Development/qemu/include/hw/pci/pci.h:803:12
  #24 0x562470bcba6b in pci_dma_write 
/home/alxndr/Development/qemu/include/hw/pci/pci.h:839:12
  #25 0x562470bcba6b in e1000_receive_iov 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:967:21
  #26 0x562470bca465 in e1000_receive 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:1025:12
  #27 0x562470bc9671 in e1000_send_packet 
/home/alxndr/Development/qemu/build/../hw/net/e1000.c:549:9
  ...


[Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1911216

Title:
  abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary

Status in QEMU:
  Invalid

Bug description:
  Hello,

  I found an assertion failure in hw/usb/hcd-ohci.c:1297

  This was found in the latest version, 5.2.0.

  My reproduction environment is as follows:
  Host: ubuntu 18.04
  Guest: ubuntu 18.04

  QEMU boot command line:
  qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive 
format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:-:22 -display 
none -device pci-ohci,id=ohci -device usb-tablet,bus=ohci.0,port=1,id=usbdev1

  
  The backtrace is as follows:
  pwndbg> bt
  #0  0x7fdf392aa438 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:54
  #1  0x7fdf392ac03a in __GI_abort () at abort.c:89
  #2  0x55c613721118 in ohci_frame_boundary (opaque=0x627191f0) at 
hw/usb/hcd-ohci.c:1297
  #3  0x55c6140bdf0e in timerlist_run_timers (timer_list=0x60b5bcc0) at 
util/qemu-timer.c:572
  #4  0x55c6140be15a in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at 
util/qemu-timer.c:586
  #5  0x55c6140beac7 in qemu_clock_run_all_timers () at 
util/qemu-timer.c:672
  #6  0x55c6140a1938 in main_loop_wait (nonblocking=0) at 
util/main-loop.c:523
  #7  0x55c6125d87e9 in qemu_main_loop () at 
/home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/vl.c:1676
  #8  0x55c613f216ea in main (argc=7, argv=0x7fff174cdd28, 
envp=0x7fff174cdd68) at 
/home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/main.c:49
  #9  0x7fdf39295840 in __libc_start_main (main=0x55c613f21699 , 
argc=7, argv=0x7fff174cdd28, init=, fini=, 
rtld_fini=, stack_end=0x7fff174cdd18) at ../csu/libc-start.c:291
  #10 0x55c6120a4349 in _start ()

  The PoC is attached.





[Bug 1914638] Re: [OSS-Fuzz] Issue 30219: Global-buffer-overflow in mode_sense_page

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1914638

Title:
  [OSS-Fuzz] Issue 30219: Global-buffer-overflow in mode_sense_page

Status in QEMU:
  Invalid

Bug description:
  == Reproducer (build with --enable-sanitizers) ==

  cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \
  -device megasas -device scsi-cd,drive=null0 \
  -blockdev driver=null-co,read-zeroes=on,node-name=null0 \
  -nographic -qtest stdio
  outl 0xcf8 0x8818
  outl 0xcfc 0xc000
  outl 0xcf8 0x8804
  outw 0xcfc 0x7
  write 0x0 0x1 0x03
  write 0x7 0x1 0x3f
  write 0x10 0x1 0x03
  write 0x20 0x1 0x55
  write 0x21 0x1 0x10
  write 0x28 0x1 0x10
  write 0x30 0x1 0xff
  write 0x31 0x1 0xff
  write 0x32 0x1 0xff
  write 0x33 0x1 0xff
  write 0x34 0x1 0xff
  write 0x35 0x1 0xff
  write 0x36 0x1 0xff
  write 0x37 0x1 0xff
  write 0x3b 0x1 0x10
  write 0x43 0x1 0x10
  write 0x44 0x1 0x10
  write 0x4f 0x1 0x10
  write 0x53 0x1 0x10
  write 0x5b 0x1 0x10
  write 0x5f 0x1 0x10
  write 0x67 0x1 0x10
  write 0x6b 0x1 0x10
  write 0x73 0x1 0x10
  write 0x75 0x1 0x10
  write 0x7d 0x1 0x10
  write 0x83 0x1 0x10
  write 0x8b 0x1 0x10
  write 0x8f 0x1 0x10
  write 0x97 0x1 0x10
  write 0x9b 0x1 0x10
  write 0xa3 0x1 0x03
  write 0xa6 0x1 0x10
  write 0xae 0x1 0x10
  write 0xb3 0x1 0x10
  write 0xbb 0x1 0x10
  write 0xbf 0x1 0x10
  write 0xc7 0x1 0x10
  write 0xca 0x1 0x10
  write 0xd3 0x1 0x06
  write 0xd7 0x1 0x10
  write 0xdf 0x1 0x10
  write 0xe3 0x1 0x06
  write 0xeb 0x1 0x01
  write 0xef 0x1 0x10
  write 0xf7 0x1 0x10
  write 0xfb 0x1 0x10
  write 0x103 0x1 0x20
  write 0x107 0x1 0x10
  write 0x10f 0x1 0x10
  write 0x113 0x1 0x10
  write 0x11b 0x1 0x10
  write 0x11f 0x1 0x10
  write 0x127 0x1 0x10
  write 0x12b 0x1 0x10
  write 0x130 0x1 0x10
  write 0x137 0x1 0x10
  write 0x13f 0x1 0x40
  write 0x141 0x1 0x10
  write 0x14b 0x1 0x10
  write 0x14f 0x1 0x10
  write 0x157 0x1 0x10
  write 0x15b 0x1 0x10
  write 0x161 0x1 0x10
  write 0x167 0x1 0x03
  write 0x16f 0x1 0x06
  write 0x172 0x1 0x10
  write 0x17b 0x1 0x10
  write 0x17f 0x1 0x10
  write 0x187 0x1 0x10
  write 0x18b 0x1 0x10
  write 0x192 0x1 0x10
  write 0x197 0x1 0x06
  write 0x19f 0x1 0x20
  write 0x1a3 0x1 0x10
  write 0x1ab 0x1 0x40
  write 0x1af 0x1 0x01
  write 0x1b7 0x1 0x10
  write 0x1bb 0x1 0x20
  write 0x1c3 0x1 0x10
  write 0x1c7 0x1 0x20
  write 0x1cc 0x1 0x10
  write 0x1d3 0x1 0x10
  write 0x1db 0x1 0x10
  write 0x1df 0x1 0x10
  write 0x1e7 0x1 0x10
  write 0x1eb 0x1 0x10
  write 0x1f3 0x1 0x10
  write 0x1f4 0x1 0x10
  write 0x1fd 0x1 0x10
  write 0x203 0x1 0x40
  write 0x20b 0x1 0x10
  write 0x20f 0x1 0x10
  write 0x217 0x1 0x10
  write 0x21b 0x1 0x10
  write 0x223 0x1 0x10
  write 0x225 0x1 0x10
  write 0x22e 0x1 0x10
  write 0x233 0x1 0x06
  write 0x23b 0x1 0x10
  write 0x23f 0x1 0x10
  write 0x247 0x1 0x10
  write 0x24b 0x1 0x10
  write 0x252 0x1 0x10
  write 0x256 0x1 0x10
  write 0x25f 0x1 0x10
  write 0x263 0x1 0x20
  write 0x26b 0x1 0x06
  write 0x26f 0x1 0x40
  write 0x277 0x1 0x10
  write 0x27b 0x1 0x10
  write 0x283 0x1 0x10
  write 0x287 0x1 0x10
  write 0x28f 0x1 0x10
  write 0x290 0x1 0x10
  write 0x29b 0x1 0x10
  write 0x29f 0x1 0x10
  write 0x2a7 0x1 0x10
  write 0x2ab 0x1 0x10
  write 0x2b3 0x1 0x10
  write 0x2b7 0x1 0x10
  write 0x2bf 0x1 0x10
  write 0x2c1 0x1 0x10
  write 0x2c9 0x1 0x10
  write 0x2cf 0x1 0x10
  write 0x2d7 0x1 0x10
  write 0x2db 0x1 0x10
  write 0x2e3 0x1 0x10
  write 0x2e7 0x1 0x10
  write 0x2ef 0x1 0x03
  write 0x2f2 0x1 0x10
  write 0x2fa 0x1 0x10
  write 0x2ff 0x1 0x10
  write 0x307 0x1 0x10
  write 0x30b 0x1 0x10
  write 0x313 0x1 0x10
  write 0x316 0x1 0x10
  write 0x31f 0x1 0x06
  write 0x323 0x1 0x10
  outb 0xc040 0x0
  EOF

  === Stack Trace ===
  ==1025760==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x558f557253fc at pc 0x558f549ab376 bp
  0x7ffd436e9770 sp 0x7ffd436e9768
  READ of size 4 at 0x558f557253fc thread T0
  SCARINESS: 17 (4-byte-read-global-buffer-overflow)
  #0 0x558f549ab375 in mode_sense_page /src/qemu/hw/scsi/scsi-disk.c:1104:10
  #1 0x558f549afd86 in scsi_disk_check_mode_select 
/src/qemu/hw/scsi/scsi-disk.c:1447:11
  #2 0x558f549af9a6 in mode_select_pages /src/qemu/hw/scsi/scsi-disk.c:1515:17
  #3 0x558f549ae593 in scsi_disk_emulate_mode_select 
/src/qemu/hw/scsi/scsi-disk.c:1570:13
  #4 0x558f549a56e9 in scsi_disk_emulate_write_data 
/src/qemu/hw/scsi/scsi-disk.c:1861:9
  #5 0x558f548b9b49 in scsi_req_continue /src/qemu/hw/scsi/scsi-bus.c:0
  #6 0x558f548b9fc4 in scsi_req_data /src/qemu/hw/scsi/scsi-bus.c:1427:5
  #7 0x558f549a5554 in scsi_disk_emulate_write_data 
/src/qemu/hw/scsi/scsi-disk.c:1853:9
  #8 0x558f548b9b49 in scsi_req_continue /src/qemu/hw/scsi/scsi-bus.c:0
  #9 0x558f54ac7cf6 in megasas_enqueue_req /src/qemu/hw/scsi/megasas.c:1660:9
  #10 

[Bug 1891354] Re: Heap-use-after-free in usb_packet_unmap

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1891354

Title:
  Heap-use-after-free in usb_packet_unmap

Status in QEMU:
  Invalid

Bug description:
  Hello,
  Reproducer:

  cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
  -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
  -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
  -nodefaults -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xc0202
  outl 0xcf8 0x80001004
  outl 0xcfc 0x1c77695e
  writel 0xc0040 0xd855
  writeq 0xc2000 0xff051401
  write 0x1d 0x1 0x27
  write 0x2d 0x1 0x2e
  write 0x17232 0x1 0x03
  write 0x17254 0x1 0x05
  write 0x17276 0x1 0x72
  write 0x17278 0x1 0x02
  write 0x3d 0x1 0x27
  write 0x40 0x1 0x2e
  write 0x41 0x1 0x72
  write 0x42 0x1 0x01
  write 0x4d 0x1 0x2e
  write 0x4f 0x1 0x01
  write 0x2007c 0x1 0xc7
  writeq 0xc2000 0x5c051401
  write 0x20070 0x1 0x80
  write 0x20078 0x1 0x08
  write 0x2007c 0x1 0xfe
  write 0x2007d 0x1 0x08
  write 0x20081 0x1 0xff
  write 0x20082 0x1 0x0b
  write 0x20089 0x1 0x8c
  write 0x2008d 0x1 0x04
  write 0x2009d 0x1 0x10
  writeq 0xc2000 0x2505ef019e092f00
  EOF

  ==20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x61145030
at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
  READ of size 4 at 0x61145030 thread T0
  #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
  #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
  #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
  #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
  #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
  #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
  #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
  #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
  #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
  #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
  #10 0x55db78cfee6b in flatview_write exec.c:3216:14
  #11 0x55db78cfee6b in address_space_write exec.c:3308:18
  #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
  #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
  #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
  #15 0x7fc5d7f1a897 in g_main_context_dispatch
  #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
  #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
  #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
  #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
  #20 0x55db7a8860fd in main softmmu/main.c:49:5

  0x61145030 is located 48 bytes inside of 256-byte region 
[0x61145000,0x61145100)
  freed by thread T0 here:
  #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
  #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
  #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
  #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
  #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
  #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
  #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
  #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
  #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
  #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
  #10 0x55db78cfee6b in flatview_write exec.c:3216:14
  #11 0x55db78cfee6b in address_space_write exec.c:3308:18
  #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
  #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
  #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
  #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
  #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
  #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
  #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
  #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
  #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
  #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
  #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
  #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
  #24 0x55db78cfee6b in flatview_write exec.c:3216:14
  #25 0x55db78cfee6b in address_space_write exec.c:3308:18
  #26 0x55db793072a9 in qtest_process_command 

[Bug 1890155] Re: Abort in vmxnet3_validate_interrupt_idx

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1890155

Title:
  Abort in vmxnet3_validate_interrupt_idx

Status in QEMU:
  Invalid

Bug description:
  Hello,
  Reproducer:

  cat << EOF | ./i386-softmmu/qemu-system-i386 \
  -device vmxnet3 -m 64 -nodefaults -qtest stdio -nographic
  outl 0xcf8 0x80001014
  outl 0xcfc 0xe0001000
  outl 0xcf8 0x80001018
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0x52 0x1 0x61
  writeq 0xe0001020 0xef0bff5ecafe
  EOF

  ==
   #7 0x55b271a89b67 in hw_error 
/home/alxndr/Development/qemu/general-fuzz/softmmu/cpus.c:927:5
   #8 0x55b272fc6433 in vmxnet3_validate_interrupt_idx 
/home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1355:9
   #9 0x55b272fc4e6d in vmxnet3_validate_interrupts 
/home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1364:5
   #10 0x55b272fbe723 in vmxnet3_activate_device 
/home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1546:5
   #11 0x55b272fb6fba in vmxnet3_handle_command 
/home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1576:9
   #12 0x55b272fb410f in vmxnet3_io_bar1_write 
/home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1772:9
   #13 0x55b271ac4193 in memory_region_write_accessor 
/home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:483:5
   #14 0x55b271ac3637 in access_with_adjusted_size 
/home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
   #15 0x55b271ac1256 in memory_region_dispatch_write 
/home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1466:16
   #16 0x55b270e724a6 in flatview_write_continue 
/home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
   #17 0x55b270e5acc6 in flatview_write 
/home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14

  
  qemu: hardware error: Bad interrupt index: 97
  Aborted

  -Alex





[Bug 1892963] Re: Heap-use-after-free in put_dwords through ehci_flush_qh

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1892963

Title:
  Heap-use-after-free in put_dwords through ehci_flush_qh

Status in QEMU:
  Invalid

Bug description:
  Hello,
  Reproducer:

  cat << EOF | ./qemu-system-i386 -machine q35 \
  -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
  multifunction=on,id=ich9-ehci-1 \
  -drive if=none,id=usbcdrom,media=cdrom \
  -device usb-storage,bus=ich9-ehci-1.0,\
  port=2,drive=usbcdrom \
  -display none -nodefaults -qtest stdio -accel qtest
  outl 0xcf8 0x8000ef02
  outl 0xcfc 0xfbff0061
  outl 0xcf8 0x8000ef11
  outl 0xcfc 0x60606060
  writeq 0x60606065 0xb70560ff847f
  writeq 0x60606065 0xff0004fe05ff
  writeq 0x60606020 0xff015e5c057b0039
  writeq 0x60606033 0x846c8a020611
  write 0x204 0x4 0x4a606060
  write 0x8 0x4 0x97a98095
  write 0x0 0x4 0x4a606060
  write 0x4 0x4 0x97a98095
  write 0xc 0x4 0x4a606060
  write 0x10 0x4 0x97a98095
  write 0x14 0x4 0x4a606060
  write 0x18 0x4 0x97a98095
  write 0x1c 0x4 0x4a606060
  clock_step
  EOF

  The trace:
  797726@1598407357.169284:usb_port_claim bus 0, port 2
  797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed 
full+high+super, portspeed high
  797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, 
device QEMU USB MSD
  797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x, sts 0x4, mask 
0x0
  797726@1598407357.186943:usb_ehci_reset === RESET ===
  797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
  797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x, sts 0x4, mask 
0x0
  797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x, sts 0x1000, 
mask 0x0
  797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, 
device QEMU USB MSD
  797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x, sts 0x1004, 
mask 0x0
  [R +0.073737] outl 0xcf8 0x8000ef02
  OK
  [S +0.073774] OK
  [R +0.073801] outl 0xcfc 0xfbff0061
  OK
  [S +0.075074] OK
  [R +0.075108] outl 0xcf8 0x8000ef11
  OK
  [S +0.075126] OK
  [R +0.075135] outl 0xcfc 0x60606060
  OK
  [S +0.076290] OK
  [R +0.076317] writeq 0x60606065 0xb70560ff847f
  797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 
0x560ff84
  797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
  797726@1598407357.194971:usb_ehci_port_suspend port #1
  797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 
0x601183 (old: 0x1003)
  OK
  [S +0.076363] OK
  [R +0.076377] writeq 0x60606065 0xff0004fe05ff
  797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 
0x4fe05
  797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
  797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
  797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x, sts 0x1004, 
mask 0x0
  797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, 
device QEMU USB MSD
  797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x, sts 0x1004, 
mask 0x0
  797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 
0x1005 (old: 0x601183)
  OK
  [S +0.076439] OK
  [R +0.076457] writeq 0x60606020 0xff015e5c057b0039
  797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 
0x57b0039
  attempt to set frame list size -- value 8
  797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
  797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 
0x57b0031 (old: 0x8)
  797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 
0xff015e5c
  797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
  797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
  797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
  797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x, sts 0x0, mask 
0x0
  797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 
(old: 0x4)
  OK
  [S +0.076519] OK
  [R +0.076534] writeq 0x60606033 0x846c8a020611
  797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 
0x206
  ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
  797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 
0x206 (old: 0x0)
  OK
  [S +0.076562] OK
  [R +0.076574] write 0x204 0x4 0x4a606060
  OK
  [S +0.076855] OK
  [R +0.076869] write 0x8 0x4 0x97a98095
  OK
  [S +0.077214] OK
  [R +0.077225] write 0x0 0x4 0x4a606060
  OK
  [S +0.077233] OK
  [R +0.077242] write 0x4 0x4 0x97a98095
  OK
  [S +0.077250] OK
  [R +0.077258] write 0xc 0x4 0x4a606060
  OK
  [S +0.077266] OK
  [R +0.077274] write 0x10 0x4 0x97a98095
  OK
  [S +0.077281] OK
  [R +0.077289] write 0x14 0x4 0x4a606060
  OK
  [S 

[Bug 1907938] Re: [OSS-Fuzz] Issue 28524 virtio-blk: ASSERT: !s->dataplane_started

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1907938

Title:
  [OSS-Fuzz] Issue 28524 virtio-blk: ASSERT: !s->dataplane_started

Status in QEMU:
  Invalid

Bug description:
   affects qemu

  === Reproducer ===

  cat << EOF |./qemu-system-i386 -display none -m 512M -machine q35 \
  -device virtio-blk,drive=disk0 \
  -drive file=null-co://,id=disk0,if=none,format=raw -qtest stdio
  outl 0xcf8 0x8000181f
  outl 0xcfc 0xa044d79
  outl 0xcf8 0x80001802
  outl 0xcf8 0x80001804
  outl 0xcfc 0xb9045dff
  outl 0xcf8 0x8000180e
  outl 0xcfc 0xfb9465a
  outl 0xf85 0x9e1ea5c2
  write 0x9f002 0x1 0x04
  write 0x9f004 0x1 0x04
  write 0x9e040 0x1 0x04
  write 0x9e043 0x1 0x01
  write 0x9e048 0x1 0x10
  write 0x9e04c 0x1 0x01
  write 0x9e04e 0x1 0x6e
  write 0x104 0x1 0x01
  write 0x9e6e3 0x1 0x01
  write 0x9e6eb 0x1 0x04
  write 0x9e6ec 0x1 0x6e
  write 0x9f006 0x1 0x04
  write 0x9f008 0x1 0x04
  write 0x9f00a 0x1 0x04
  outl 0xf8f 0xc
  EOF

  === Stack Trace ===

  qemu-fuzz-i386: ../hw/block/virtio-blk.c:917: void 
virtio_blk_reset(VirtIODevice *): Assertion `!s->dataplane_started' failed.
  ==702068== ERROR: libFuzzer: deadly signal
  #0 0x55bd6fc9f311 in __sanitizer_print_stack_trace (fuzz-i386+0x2b16311)
  #1 0x55bd6fbe83d8 in fuzzer::PrintStackTrace() (fuzz-i386+0x2a5f3d8)
  #2 0x55bd6fbce413 in fuzzer::Fuzzer::CrashCallback() (fuzz-i386+0x2a45413)
  #3 0x7ff5241b813f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1413f)
  #4 0x7ff523feddb0 in __libc_signal_restore_set 
signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
  #5 0x7ff523feddb0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7ff523fd7536 in abort stdlib/abort.c:79:7
  #7 0x7ff523fd740e in __assert_fail_base assert/assert.c:92:3
  #8 0x7ff523fe65b1 in __assert_fail assert/assert.c:101:3
  #9 0x55bd7116c435 in virtio_blk_reset hw/block/virtio-blk.c:917:5
  #10 0x55bd710c94a2 in virtio_reset hw/virtio/virtio.c:2001:9
  #11 0x55bd6ff0e0a5 in virtio_pci_reset hw/virtio/virtio-pci.c:1886:5
  #12 0x55bd6ff10686 in virtio_ioport_write hw/virtio/virtio-pci.c:339:13
  #13 0x55bd6ff10686 in virtio_pci_config_write hw/virtio/virtio-pci.c:456:9
  #14 0x55bd713fd025 in memory_region_write_accessor softmmu/memory.c:491:5
  #15 0x55bd713fca93 in access_with_adjusted_size softmmu/memory.c:552:18
  #16 0x55bd713fc2f0 in memory_region_dispatch_write softmmu/memory.c
  #17 0x55bd70e4bf36 in flatview_write_continue softmmu/physmem.c:2759:23
  #18 0x55bd70e41bbb in flatview_write softmmu/physmem.c:2799:14
  #19 0x55bd70e41bbb in address_space_write softmmu/physmem.c:2891:18
  #20 0x55bd71153462 in cpu_outl softmmu/ioport.c:80:5
  #21 0x55bd712d586e in qtest_process_command softmmu/qtest.c:483:13
  #22 0x55bd712d35bf in qtest_process_inbuf softmmu/qtest.c:797:9
  #23 0x55bd712d3315 in qtest_server_inproc_recv softmmu/qtest.c:904:9
  #24 0x55bd71910df8 in qtest_sendf tests/qtest/libqtest.c:438:5
  #25 0x55bd71911fae in qtest_out tests/qtest/libqtest.c:952:5
  #26 0x55bd71911fae in qtest_outl tests/qtest/libqtest.c:968:5
  #27 0x55bd6fcd1aa2 in op_out tests/qtest/fuzz/generic_fuzz.c:395:13
  #28 0x55bd6fcd04e9 in generic_fuzz tests/qtest/fuzz/generic_fuzz.c:680:17
  #29 0x55bd6fcc9723 in LLVMFuzzerTestOneInput tests/qtest/fuzz/fuzz.c:151:5

  OSS-Fuzz Report:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28524





[Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1907497

Title:
  [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-
  hda: Stack-overflow in ldl_le_dma

Status in QEMU:
  Invalid

Bug description:
   affects qemu

  === Reproducer (build with --enable-sanitizers) ===

  cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \
  -device intel-hda,id=hda0 -device hda-output,bus=hda0.0 \
  -device hda-micro,bus=hda0.0 -device hda-duplex,bus=hda0.0 \
  -qtest stdio
  outl 0xcf8 0x8804
  outw 0xcfc 0x
  write 0x0 0x1 0x12
  write 0x2 0x1 0x2f
  outl 0xcf8 0x8811
  outl 0xcfc 0x5a6a4406
  write 0x6a44005a 0x1 0x11
  write 0x6a44005c 0x1 0x3f
  write 0x6a442050 0x4 0x446a
  write 0x6a44204a 0x1 0xf3
  write 0x6a44204c 0x1 0xff
  writeq 0x6a44005a 0x17b3f0011
  write 0x6a442050 0x4 0x446a
  write 0x6a44204a 0x1 0xf3
  write 0x6a44204c 0x1 0xff
  EOF

  === Stack Trace ===
  ==411958==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcaeb8bc88 
(pc 0x55c7c9dc1159 bp 0x7ffcaeb8c4d0 sp 0x7ffcaeb8bc90 T0)
  #0 0x55c7c9dc1159 in __asan_memcpy (u-system-i386+0x2a13159)
  #1 0x55c7cb2a457e in flatview_do_translate softmmu/physmem.c:513:12
  #2 0x55c7cb2bdab0 in flatview_translate softmmu/physmem.c:563:15
  #3 0x55c7cb2bdab0 in flatview_read softmmu/physmem.c:2861:10
  #4 0x55c7cb2bdab0 in address_space_read_full softmmu/physmem.c:2875:18
  #5 0x55c7caaec937 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
  #6 0x55c7caaec937 in dma_memory_rw include/sysemu/dma.h:110:12
  #7 0x55c7caaec937 in dma_memory_read include/sysemu/dma.h:116:12
  #8 0x55c7caaec937 in ldl_le_dma include/sysemu/dma.h:179:1
  #9 0x55c7caaec937 in ldl_le_pci_dma include/hw/pci/pci.h:816:1
  #10 0x55c7caaec937 in intel_hda_corb_run hw/audio/intel-hda.c:338:16
  #11 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
  #12 0x55c7cb2e6bd3 in access_with_adjusted_size softmmu/memory.c:552:18
  #13 0x55c7cb2e646c in memory_region_dispatch_write softmmu/memory.c
  #14 0x55c7cb2c8445 in flatview_write_continue softmmu/physmem.c:2759:23
  #15 0x55c7cb2bdfb8 in flatview_write softmmu/physmem.c:2799:14
  #16 0x55c7cb2bdfb8 in address_space_write softmmu/physmem.c:2891:18
  #17 0x55c7caae2c54 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
  #18 0x55c7caae2c54 in dma_memory_rw include/sysemu/dma.h:110:12
  #19 0x55c7caae2c54 in dma_memory_write include/sysemu/dma.h:122:12
  #20 0x55c7caae2c54 in stl_le_dma include/sysemu/dma.h:179:1
  #21 0x55c7caae2c54 in stl_le_pci_dma include/hw/pci/pci.h:816:1
  #22 0x55c7caae2c54 in intel_hda_response hw/audio/intel-hda.c:370:5
  #23 0x55c7caaeca00 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
  #24 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
  ...

  OSS-Fuzz Report: https://bugs.chromium.org/p/oss-
  fuzz/issues/detail?id=28435





[Bug 1909261] Re: [OSS-Fuzz] Issue 28929 xhci: ASSERT: xfer->packet.status != USB_RET_NAK

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1909261

Title:
  [OSS-Fuzz]  Issue 28929 xhci: ASSERT: xfer->packet.status !=
  USB_RET_NAK

Status in QEMU:
  Invalid

Bug description:
  === Reproducer ===

  ./qemu-system-i386 -m 512M -machine q35,accel=qtest \
   -drive file=null-co://,if=none,format=raw,id=disk0 \
  -device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
  -device usb-bot -device usb-storage,drive=disk0 \
  -chardev null,id=cd0 -chardev null,id=cd1 \
  -device usb-braille,chardev=cd0 -device usb-ccid \
  -device usb-ccid -device usb-kbd -device usb-mouse \
  -device usb-serial,chardev=cd1 -device usb-tablet \
  -device usb-wacom-tablet -device usb-audio \
  -qtest stdio -nographic -nodefaults < attachment

  === Stack Trace ===
  #0 raise
  #1 abort
  #2 libc.so.6
  #3 __assert_fail
  #4 xhci_kick_epctx /src/qemu/hw/usb/hcd-xhci.c:1865:13
  #5 xhci_ep_kick_timer /src/qemu/hw/usb/hcd-xhci.c:1034:5
  #6 timerlist_run_timers /src/qemu/util/qemu-timer.c:574:9
  #7 qemu_clock_run_timers /src/qemu/util/qemu-timer.c:588:12
  #8 qtest_clock_warp /src/qemu/softmmu/qtest.c:356:9
  #9 qtest_process_command /src/qemu/softmmu/qtest.c:752:9
  #10 qtest_process_inbuf /src/qemu/softmmu/qtest.c:797:9
  #11 qtest_server_inproc_recv /src/qemu/softmmu/qtest.c:904:9
  #12 send_wrapper /src/qemu/tests/qtest/libqtest.c:1390:5
  #13 qtest_sendf /src/qemu/tests/qtest/libqtest.c:438:5
  #14 qtest_clock_step_next /src/qemu/tests/qtest/libqtest.c:912:5
  #15 op_clock_step /src/qemu/tests/qtest/fuzz/generic_fuzz.c:574:5

  OSS-Fuzz Report:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28929





[Bug 1878250] Re: Assertion failure in iov_from_buf_full through the e1000e

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1878250

Title:
  Assertion failure in iov_from_buf_full through the e1000e

Status in QEMU:
  Invalid

Bug description:
  Hello,
  While fuzzing, I found an input that triggers an assertion failure in
  iov_from_buf_full through the e1000e:

  size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t,
  const void *, size_t): Assertion `offset == 0' failed.

  
  #3  0x76866092 in __GI___assert_fail (assertion=0x570c74c0  
"offset == 0", file=0x570c7500  
"/home/alxndr/Development/qemu/util/iov.c", line=0x28, function=0x570c7560 
<__PRETTY_FUNCTION__.iov_from_buf_full> "size_t iov_from_buf_full(const struct 
iovec *, unsigned int, size_t, const void *, size_t)") at assert.c:101
  #4  0x56c5fa5e in iov_from_buf_full (iov=, 
iov_cnt=, offset=, buf=buf@entry=0x7fffbb60, 
bytes=, bytes@entry=0x2) at 
/home/alxndr/Development/qemu/util/iov.c:40
  #5  0x565f585e in iov_from_buf (iov=0x7fffb830, 
iov_cnt=0xb830, offset=0x0, buf=0x7fffbb60, bytes=0x2) at 
/home/alxndr/Development/qemu/include/qemu/iov.h:49
  #6  0x565f585e in net_tx_pkt_update_ip_checksums (pkt=) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:139
  #7  0x56621f9c in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:638
  #8  0x56621f9c in e1000e_tx_pkt_send (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748, queue_index=) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
  #9  0x56621f9c in e1000e_process_tx_desc (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748, dp=, queue_index=) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #10 0x56621f9c in e1000e_start_xmit (core=, 
txr=) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #11 0x5661edb1 in e1000e_set_tdt (core=0x7fffb830, index=0xe06, 
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #12 0x5660f2cd in e1000e_core_write (core=, 
addr=, val=, size=) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #13 0x560028d7 in memory_region_write_accessor (mr=, 
addr=, value=, size=, 
shift=, mask=, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:483

  I can reproduce it in qemu 5.0 using:

  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M 
pc-q35-5.0 -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe102
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe10207e8 0x14 0x2d05225f3f5f5e02250013ff
  write 0x26a 0xc 0x08004500feff02007b06
  write 0xe1020098 0x3a2 
0x06ffdf054e411b0002e106ffe1054e411b0002e106ffe3054e411b0002e106ffe5054e411b0002e106ffe7054e411b0002e106ffe9054e411b0002e106ffeb054e411b0002e106ffed054e411b0002e106ffef054e411b0002e106fff1054e411b0002e106fff3054e411b0002e106fff5054e411b0002e106fff7054e411b0002e106fff9054e411b0002e106fffb054e411b0002e106fffd054e411b0002e106054e411b0002e106ff01054e411b0002e106ff03054e411b0002e106ff05054e411b0002e106ff07054e411b0002e106ff09054e411b0002e106ff0b054e411b0002e106ff0d054e411b0002e106ff0f054e411b0002e106ff11054e411b0002e106ff13054e411b0002e106ff15054e411b0002e106ff17054e411b0002e106ff19054e411b0002e106ff1b054e411b0002e106ff1d054e411b0002e106ff1f054e411b0002e106ff21054e411b0002e106ff23054e411b0002e106ff25054e411b0002e106ff27054e411b0002e106ff29054e411b0002e106ff2b054e411b0002e106ff2d054e411b0002e106ff2f054e411b0002e106ff31054e411b0002e106ff33054e411b0002e106ff35054e411b0002e106ff37054e411b0002e106ff39054e411b0002e106ff3b054e411b0002e106ff3d054e411b0002e106ff3f054e411b0002e106ff41054e411b0002e106ff43054e411b0002e106ff45054e411b0002e106ff47054e411b0002e106ff49054e411b0002e106ff4b054e411b0002e106ff4d054e411b0002e106ff4f054e411b0002e106ff51054e411b0002e106ff53054e411b0002e106ff55054e411b0002e106ff57054e411b0002e106ff59054e411b0002e106ff5b054e411b0002e106ff5d054e411b0002e106ff5f054e411b0002e106ff61054e411b0002e106ff6305
  EOF

  I also attached the traces to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -M pc-q35-5.0 -nographic -qtest 

[Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1878645

Title:
  null-ptr dereference in ich9_apm_ctrl_changed

Status in QEMU:
  Invalid

Bug description:
  Hello,
  While fuzzing, I found an input which triggers a NULL pointer dereference in
  tcg_handle_interrupt (reached from ich9_apm_ctrl_changed via cpu_interrupt). It seems
  the culprit is a NULL "cpu" pointer: the faulting address 0xb4 is a small offset from
  NULL, consistent with a field read through a NULL CPUState. Maybe this bug is specific
  to QTest, which may leave that CPU pointer unset?

  ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x00b4 (pc 
0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)
  ==23862==The signal is caused by a READ memory access.
  ==23862==Hint: address points to the zero page.
  #0 0x55b9dc7c9dce in tcg_handle_interrupt 
/home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21
  #1 0x55b9dc904799 in cpu_interrupt 
/home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5
  #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed 
/home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13
  #3 0x55b9dd19cdc8 in apm_ioport_writeb 
/home/alxndr/Development/qemu/hw/isa/apm.c:50:13
  #4 0x55b9dc73f8b4 in memory_region_write_accessor 
/home/alxndr/Development/qemu/memory.c:483:5
  #5 0x55b9dc73f289 in access_with_adjusted_size 
/home/alxndr/Development/qemu/memory.c:544:18
  #6 0x55b9dc73ddf5 in memory_region_dispatch_write 
/home/alxndr/Development/qemu/memory.c:1476:16
  #7 0x55b9dc577bf3 in flatview_write_continue 
/home/alxndr/Development/qemu/exec.c:3137:23
  #8 0x55b9dc567ad8 in flatview_write 
/home/alxndr/Development/qemu/exec.c:3177:14
  #9 0x55b9dc567608 in address_space_write 
/home/alxndr/Development/qemu/exec.c:3268:18
  #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5
  #11 0x55b9dc72d3c0 in qtest_process_command 
/home/alxndr/Development/qemu/qtest.c:392:13
  #12 0x55b9dc72b186 in qtest_process_inbuf 
/home/alxndr/Development/qemu/qtest.c:710:9
  #13 0x55b9dc72a8b3 in qtest_read 
/home/alxndr/Development/qemu/qtest.c:722:5
  #14 0x55b9ddc6e60b in qemu_chr_be_write_impl 
/home/alxndr/Development/qemu/chardev/char.c:183:9
  #15 0x55b9ddc6e75a in qemu_chr_be_write 
/home/alxndr/Development/qemu/chardev/char.c:195:9
  #16 0x55b9ddc77979 in fd_chr_read 
/home/alxndr/Development/qemu/chardev/char-fd.c:68:9
  #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch 
/home/alxndr/Development/qemu/io/channel-watch.c:84:12
  #18 0x7f7161eac897 in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
  #19 0x55b9ddebcb84 in glib_pollfds_poll 
/home/alxndr/Development/qemu/util/main-loop.c:219:9
  #20 0x55b9ddebb57d in os_host_main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:242:5
  #21 0x55b9ddebb176 in main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:518:11
  #22 0x55b9dcb4bd1d in qemu_main_loop 
/home/alxndr/Development/qemu/softmmu/vl.c:1664:9
  #23 0x55b9ddd1629c in main 
/home/alxndr/Development/qemu/softmmu/main.c:49:5
  #24 0x7f7160a5ce0a in __libc_start_main 
/build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
  #25 0x55b9dc49c819 in _start 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)

  
  I can reproduce this in qemu 5.0 built with AddressSanitizer using these 
qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xaa215d6d
  outl 0x6d30 0x2ef8ffbe
  outb 0xb2 0x20
  EOF

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878645/+subscriptions




[Bug 1878034] Re: memcpy param-overlap through e1000e_write_to_rx_buffers

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.

** Changed in: qemu
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878034

Title:
  memcpy param-overlap through e1000e_write_to_rx_buffers

Status in QEMU:
  Invalid

Bug description:
  Hello,
  While fuzzing, I found an input that triggers an overlapping memcpy (caught 
by AddressSanitizer).
  Overlapping memcpy calls are undefined behavior under both the POSIX and C 
standards, and can lead to bugs.

  ==22287==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges
  #0 0x563c9f4823d4 in __asan_memcpy 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x97a3d4)
  #1 0x563c9f4cb2b1 in flatview_write_continue 
/home/alxndr/Development/qemu/exec.c:3142:13
  #2 0x563c9f4c3b97 in flatview_write 
/home/alxndr/Development/qemu/exec.c:3177:14
  #3 0x563c9f4c3b97 in address_space_write 
/home/alxndr/Development/qemu/exec.c:3268:18
  #4 0x563c9fbc457b in dma_memory_rw_relaxed 
/home/alxndr/Development/qemu/include/sysemu/dma.h:87:18
  #5 0x563c9fbc457b in dma_memory_rw 
/home/alxndr/Development/qemu/include/sysemu/dma.h:110:12
  #6 0x563c9fbc457b in pci_dma_rw 
/home/alxndr/Development/qemu/include/hw/pci/pci.h:787:5
  #7 0x563c9fbc457b in pci_dma_write 
/home/alxndr/Development/qemu/include/hw/pci/pci.h:800:12
  #8 0x563c9fbc457b in e1000e_write_to_rx_buffers 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1412:9
  #9 0x563c9fbb9c98 in e1000e_write_packet_to_guest 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1582:21
  #10 0x563c9fbb9c98 in e1000e_receive_iov 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709:9
  #11 0x563c9fba8080 in net_tx_pkt_sendv 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544:9
  #12 0x563c9fba8080 in net_tx_pkt_send 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620:9
  #13 0x563c9fba8827 in net_tx_pkt_send_loopback 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633:11
  #14 0x563c9fbd2052 in e1000e_tx_pkt_send 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:664:16
  #15 0x563c9fbd2052 in e1000e_process_tx_desc 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743:17
  #16 0x563c9fbd2052 in e1000e_start_xmit 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
  #17 0x563c9fbcecf0 in e1000e_set_tdt 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
  #18 0x563c9fbbf20c in e1000e_core_write 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
  #19 0x563c9f5b68d6 in memory_region_write_accessor 
/home/alxndr/Development/qemu/memory.c:483:5
  #20 0x563c9f5b627f in access_with_adjusted_size 
/home/alxndr/Development/qemu/memory.c:544:18
  #21 0x563c9f5b627f in memory_region_dispatch_write 
/home/alxndr/Development/qemu/memory.c:1476:16

  I can reproduce it in qemu 5.0 built with --enable-sanitizers using:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M 
pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe102
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe102003a 0x3ff 

[Bug 1888714] Re: Memory Leak in hpet_timer results in unusable machine

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1888714

Title:
  Memory Leak in hpet_timer results in unusable machine

Status in QEMU:
  Invalid

Bug description:
  Fair warning: this might be specific to QTest (specifically its
  clock_step command). This reproducer only works with -accel qtest.
  Build with --enable-sanitizers to exit once we hit 1G RSS.

  export ASAN_OPTIONS=hard_rss_limit_mb=1000 
  cat << EOF | ./i386-softmmu/qemu-system-i386 -nographic \
  -nodefaults -qtest stdio -accel qtest
  writeq 0xfede 0x15151515151515f1
  clock_step
  clock_step
  clock_step
  clock_step
  writeq 0xfed00100 0x5e90c5be00ff5e9e
  writeq 0xfed00109 0xe0ff5cfec0ff
  clock_step
  EOF

  On my machine it takes around 10 seconds to reach the RSS limit.

  Unfortunately, I can't find a way to tell ASAN to log each malloc to
  figure out what's going on, but running the original fuzzing test case
  with the libfuzzer -trace_malloc=2 flag, I found that the allocations
  happen here:

  MALLOC[130968] 0x60300069ac90 32
  #0 0x55fa3f615851 in __sanitizer_print_stack_trace 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x2683851)
  #1 0x55fa3f55fe88 in fuzzer::PrintStackTrace() 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x25cde88)
  #2 0x55fa3f5447d6 in fuzzer::MallocHook(void const volatile*, unsigned 
long) 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x25b27d6)
  #3 0x55fa3f61bbb7 in __sanitizer::RunMallocHooks(void const*, unsigned 
long) 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x2689bb7)
  #4 0x55fa3f596d75 in __asan::Allocator::Allocate(unsigned long, unsigned 
long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x2604d75)
  #5 0x55fa3f596f7a in __asan::asan_calloc(unsigned long, unsigned long, 
__sanitizer::BufferedStackTrace*) 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x2604f7a)
  #6 0x55fa3f60d173 in calloc 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-fuzz-i386+0x267b173)
  #7 0x7fb300737548 in g_malloc0 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
  #8 0x55fa40157689 in async_run_on_cpu 
/home/alxndr/Development/qemu/cpus-common.c:163:10
  #9 0x55fa409fab83 in hpet_timer 
/home/alxndr/Development/qemu/hw/timer/hpet.c:376:9
  #10 0x55fa416a5751 in timerlist_run_timers 
/home/alxndr/Development/qemu/util/qemu-timer.c:572:9
  #11 0x55fa3fcfdac4 in qtest_clock_warp 
/home/alxndr/Development/qemu/softmmu/cpus.c:507:9
  #12 0x55fa3fd65c35 in qtest_process_command 
/home/alxndr/Development/qemu/softmmu/qtest.c:665:9
  #13 0x55fa3fd5e128 in qtest_process_inbuf 
/home/alxndr/Development/qemu/softmmu/qtest.c:710:9
  #14 0x55fa3fd5de67 in qtest_server_inproc_recv 
/home/alxndr/Development/qemu/softmmu/qtest.c:817:9
  #15 0x55fa4142b64b in qtest_sendf 
/home/alxndr/Development/qemu/tests/qtest/libqtest.c:424:5
  #16 0x55fa4142c482 in qtest_clock_step_next 
/home/alxndr/Development/qemu/tests/qtest/libqtest.c:864:5
  #17 0x55fa414b12d1 in general_fuzz 
/home/alxndr/Development/qemu/tests/qtest/fuzz/general_fuzz.c:581:17

  It doesn't look like we ever exit out of the loop in
  timerlist_run_timers, i.e. timer_list->active_timers is always True.

  
  Info From GDB:
  #0  0x58070d31 in address_space_stl_internal (as=0x5f0e8f20 
, addr=0x0, val=0x0, attrs=..., result=0x0, 
endian=DEVICE_LITTLE_ENDIAN) at 
/home/alxndr/Development/qemu/memory_ldst.inc.c:323
  #1  0x58071339 in address_space_stl_le (as=0x5f0e8f20 
, addr=0x0, val=0x0, attrs=..., result=0x0) at 
/home/alxndr/Development/qemu/memory_ldst.inc.c:357
  #2  0x5a6a6f95 in update_irq (timer=0x61f005b8, set=0x1) at 
/home/alxndr/Development/qemu/hw/timer/hpet.c:210
  #3  0x5a6ae55f in hpet_timer (opaque=0x61f005b8) at 
/home/alxndr/Development/qemu/hw/timer/hpet.c:386
  #4  0x5c03d178 in timerlist_run_timers (timer_list=0x60b528f0) at 
/home/alxndr/Development/qemu/util/qemu-timer.c:572
  #5  0x5c03d6b5 in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at 
/home/alxndr/Development/qemu/util/qemu-timer.c:586
  #6  0x58c3d0c4 in qtest_clock_warp (dest=0x3461864) at 
/home/alxndr/Development/qemu/softmmu/cpus.c:507

  
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1888714/+subscriptions




[Bug 1878651] Re: Assertion failure in e1000e_write_to_rx_buffers

2021-08-21 Thread Thomas Huth
Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878651

Title:
  Assertion failure in e1000e_write_to_rx_buffers

Status in QEMU:
  Invalid

Bug description:
  Hello,
  While fuzzing, I found an input which triggers an assertion failure in 
e1000e_write_to_rx_buffers:
  /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424: void 
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, 
const char *, dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed.
  #0  0x7686d761 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:50
  #1  0x7685755b in __GI_abort () at abort.c:79
  #2  0x7685742f in __assert_fail_base (fmt=0x769bdb48 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=0x57f691e0  
"bastate->cur_idx < MAX_PS_BUFFERS", file=0x57f5a080  
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, 
function=) at assert.c:92
  #3  0x76866092 in __GI___assert_fail (assertion=0x57f691e0  
"bastate->cur_idx < MAX_PS_BUFFERS", file=0x57f5a080  
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, 
function=0x57f69240 <__PRETTY_FUNCTION__.e1000e_write_to_rx_buffers> "void 
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, 
const char *, dma_addr_t)") at assert.c:101
  #4  0x56f8fbcd in e1000e_write_to_rx_buffers (core=0x7fffee07c4e0, 
ba=0x7fff8860, bastate=0x7fff88a0, data=0x7fffe61b8021 "", 
data_len=0x2000) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424
  #5  0x56f82f14 in e1000e_write_packet_to_guest (core=0x7fffee07c4e0, 
pkt=0x6114b900, rxr=0x7fff8d10, rss_info=0x7fff8d30) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1582
  #6  0x56f80960 in e1000e_receive_iov (core=0x7fffee07c4e0, 
iov=0x6194e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709
  #7  0x56f7d457 in e1000e_nc_receive_iov (nc=0x61407460, 
iov=0x6194e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:213
  #8  0x56f64738 in net_tx_pkt_sendv (pkt=0x63128800, 
nc=0x61407460, iov=0x6194e780, iov_cnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544
  #9  0x56f63f0e in net_tx_pkt_send (pkt=0x63128800, 
nc=0x61407460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620
  #10 0x56f650e5 in net_tx_pkt_send_loopback (pkt=0x63128800, 
nc=0x61407460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633
  #11 0x56fb026a in e1000e_tx_pkt_send (core=0x7fffee07c4e0, 
tx=0x7fffee09c748, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:664
  #12 0x56faebf6 in e1000e_process_tx_desc (core=0x7fffee07c4e0, 
tx=0x7fffee09c748, dp=0x7fff9520, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #13 0x56fadfa8 in e1000e_start_xmit (core=0x7fffee07c4e0, 
txr=0x7fff9720) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #14 0x56fa308b in e1000e_set_tdt (core=0x7fffee07c4e0, index=0xe06, 
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #15 0x56f84d7e in e1000e_core_write (core=0x7fffee07c4e0, addr=0x438, 
val=0x563, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #16 0x56f79497 in e1000e_mmio_write (opaque=0x7fffee079800, 
addr=0x438, val=0x563, size=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:109
  #17 0x564938b5 in memory_region_write_accessor (mr=0x7fffee07c110, 
addr=0x438, value=0x7fff9d90, size=0x4, shift=0x0, mask=0x, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #18 0x5649328a in access_with_adjusted_size (addr=0x438, 
value=0x7fff9d90, size=0x2, access_size_min=0x4, access_size_max=0x4, 
access_fn=0x56493360 , mr=0x7fffee07c110, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #19 0x56491df6 in memory_region_dispatch_write (mr=0x7fffee07c110, 
addr=0x438, data=0x563, op=MO_16, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:1476
  #20 0x562cbbf4 in flatview_write_continue (fv=0x60637820, 
addr=0xe1020438, attrs=..., ptr=0x6199ba80, len=0x2, addr1=0x438, l=0x2, 
mr=0x7fffee07c110) at /home/alxndr/Development/qemu/exec.c:3137
  #21 0x562bbad9 in flatview_write (fv=0x60637820, addr=0xe1020023, 
attrs=..., buf=0x6199ba80, len=0x417) at 
/home/alxndr/Development/qemu/exec.c:3177
  #22 0x562bb609 in address_space_write (as=0x608027a0, 
addr=0xe1020023, attrs=..., buf=0x6199ba80, len=0x417) at 
/home/alxndr/Development/qemu/exec.c:3268
  #23 0x56488c07 in qtest_process_command