null pointer dereference in tcg_emit_op

Bug #1799200 reported by wwb1234
Affects: QEMU
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I inserted a custom TCG helper function in i386_tr_insn_start to trace the instructions.

Most of the time QEMU ran OK, but executing some special software leads to a crash.

Below is the inserted code:
=======================================================================================

static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
{
    DisasContext *dc = container_of(dcbase, DisasContext, base);
    TCGv_ptr ptr = tcg_const_ptr((void *)cpu); // inserted helper code
    gen_helper_mad_exec(ptr);                   // inserted helper code
    /* note: ptr is never freed after the helper call */
    tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
}
======================================================================================

Below is the call stack:

#0 0x000055555581df5e in tcg_emit_op (opc=opc@entry=INDEX_op_movi_i64) at /root/qemu/tcg/tcg.c:2205
#1 0x0000555555825911 in tcg_gen_op2 (opc=opc@entry=INDEX_op_movi_i64, a1=140734736923704, a2=a2@entry=792) at /root/qemu/tcg/tcg-op.c:53
#2 0x000055555581d713 in tcg_const_i64 (opc=INDEX_op_movi_i64, a2=792, a1=0x7378) at /root/qemu/tcg/tcg-op.h:109
#3 0x000055555581d713 in tcg_const_i64 (arg=792, ret=<optimized out>) at /root/qemu/tcg/tcg-op.h:579
#4 0x000055555581d713 in tcg_const_i64 (val=val@entry=792) at /root/qemu/tcg/tcg.c:1314
#5 0x000055555582732d in tcg_gen_addi_i64 (ret=0xd18, arg1=0x378, arg2=arg2@entry=792) at /root/qemu/tcg/tcg-op.c:1200
#6 0x000055555590ffaf in gen_sse (b=792, a=<optimized out>, r=<optimized out>) at /root/qemu/tcg/tcg-op.h:1258
#7 0x000055555590ffaf in gen_sse (env=env@entry=0x5555567424d0, s=s@entry=0x7fffea99a610, b=b@entry=366, pc_start=pc_start@entry=4513509698, rex_r=rex_r@entry=0) at /root/qemu/target/i386/translate.c:3150
#8 0x0000555555911d7f in disas_insn (s=s@entry=0x7fffea99a610, cpu=<optimized out>) at /root/qemu/target/i386/translate.c:8336
#9 0x00005555559207a0 in i386_tr_translate_insn (dcbase=0x7fffea99a610, cpu=<optimized out>) at /root/qemu/target/i386/translate.c:8543
#10 0x0000555555892649 in translator_loop (ops=0x55555622dee0 <i386_tr_ops>, db=0x7fffea99a610, cpu=0x55555673a220, tb=<optimized out>) at /root/qemu/accel/tcg/translator.c:110
#11 0x00005555559209ef in gen_intermediate_code (cpu=cpu@entry=0x55555673a220, tb=tb@entry=0x7fff70682040 <code_gen_buffer+208150547>) at /root/qemu/target/i386/translate.c:8605
#12 0x0000555555891437 in tb_gen_code (cpu=cpu@entry=0x55555673a220, pc=pc@entry=4513506448, cs_base=cs_base@entry=0, flags=flags@entry=4244147, cflags=cflags@entry=0) at /root/qemu/accel/tcg/translate-all.c:1728
#13 0x000055555588f97b in cpu_exec (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /root/qemu/accel/tcg/cpu-exec.c:410
#14 0x000055555588f97b in cpu_exec (cpu=cpu@entry=0x55555673a220) at /root/qemu/accel/tcg/cpu-exec.c:734
#15 0x000055555584b152 in tcg_cpu_exec (cpu=0x55555673a220) at /root/qemu/cpus.c:1405
#16 0x000055555584d1b8 in qemu_tcg_rr_cpu_thread_fn (arg=<optimized out>) at /root/qemu/cpus.c:1505
#17 0x00007ffff2585e25 in start_thread () at /lib64/libpthread.so.0
#18 0x00007ffff22afbad in clone () at /lib64/libc.so.6

wwb1234 (wwb111) changed in qemu:
status: New → In Progress

wwb1234 (wwb111) changed summary:
- pointer dereference in tcg_emit_op
+ null pointer dereference in tcg_emit_op

Alex Bennée (ajbennee) wrote :

Does this bug occur with a normal build of QEMU or only with your changes to it?

Changed in qemu:
status: In Progress → Invalid
Emilio G. Cota (cota) wrote :

1. You're leaking the "ptr" TCG temp. Fix it, and also test your code with the --enable-debug-tcg configure flag.
2. Don't insert your helper in .insn_start; you'll have better luck in .translate_insn.
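
To make point 1 concrete, here is a small constructed C model (added here, not QEMU's code) of a fixed-size per-block temp pool, translating a block with the reporter's hook either freeing its pointer temp after the helper call or leaking it as in the posted snippet; MODEL_MAX_TEMPS, TempPool and the pool functions are assumptions of the model, not TCG's own API.

```c
#include <stdbool.h>

/* Constructed model of a per-translation-block temp pool (not QEMU's code).
 * TCG keeps temps in a fixed array that is reset at the start of each block;
 * a temp a hook allocates and never frees stays live until the block ends,
 * so a long block can exhaust the pool. */
#define MODEL_MAX_TEMPS 512   /* assumption: stands in for TCG_MAX_TEMPS */

typedef struct {
    int nb_temps;     /* temps currently live in this block */
    int peak_temps;   /* high-water mark over the block */
    bool exhausted;   /* an allocation ran past the pool */
} TempPool;

static int pool_alloc(TempPool *p)
{
    if (p->nb_temps >= MODEL_MAX_TEMPS) {  /* a debug-tcg build asserts here */
        p->exhausted = true;
        return -1;
    }
    if (++p->nb_temps > p->peak_temps) p->peak_temps = p->nb_temps;
    return p->nb_temps - 1;
}

static void pool_free(TempPool *p)
{
    p->nb_temps--;
}

/* Translate n_insns guest instructions, running the reporter's hook once per
 * instruction. With free_ptr the hook releases its pointer temp after the
 * helper call (tcg_temp_free_ptr in real TCG); without it the temp leaks.
 * Returns how many instructions were translated before the pool ran out. */
static int translate_block(TempPool *p, int n_insns, bool free_ptr)
{
    p->nb_temps = 0;
    p->peak_temps = 0;
    p->exhausted = false;
    for (int i = 0; i < n_insns; i++) {
        int ptr = pool_alloc(p);         /* tcg_const_ptr(cpu) */
        if (ptr < 0) return i;           /* block translation fails here */
        /* gen_helper_mad_exec(ptr) would be emitted here */
        if (free_ptr) pool_free(p);      /* tcg_temp_free_ptr(ptr) */
    }
    return n_insns;
}
```

The leaking variant stops after MODEL_MAX_TEMPS instructions while the freeing variant keeps peak usage at one temp; in a non-debug TCG build nothing asserts on exhaustion, which is why a leak like this can surface as a crash far from the hook and why testing with --enable-debug-tcg is worthwhile.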

wwb1234 (wwb111) wrote :

Hi Emilio G. Cota (cota),
 For point 1, I don't know what you mean about leaking the ptr TCG temp.
 For point 2, what I want to do is call a callback function when every guest instruction is executed,
 so I think the code should not be inserted in .translate_insn. What do you think about it?

wwb1234 (wwb111) wrote :

Hi Emilio G. Cota (cota),
  Thank you.
  After I free the "ptr", no crash occurs :)
