QEMU

aarch64/tcg crash with malloc(): unsorted double linked list corrupted

Bug #1863486 reported by Philippe Mathieu-Daudé
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

Based on commit b29c3e23f64938784c42ef9fca896829e3c19120,
QEMU configured with --enable-debug --extra-cflags=-ggdb.

Download Raspberry Pi 3 UEFI Firmware v1.15 from:
https://github.com/pbatard/RPi3/releases/tag/v1.15
(unzip RPi3_UEFI_Firmware_v1.15.zip)

Run QEMU with:

$ qemu-system-aarch64 -M raspi3 \
  -serial null -serial stdio \
  -device loader,file=RPI_EFI.fd,force-raw=true

Normal behavior:

NOTICE: Booting Trusted Firmware
NOTICE: BL1: v2.1(release):v2.1
NOTICE: BL1: Built : 15:26:06, May 13 2019
NOTICE: rpi3: Detected: Raspberry Pi 3 Model B (1GB, Sony, UK) [0x00a02082]
NOTICE: BL1: Booting BL2
ERROR: rpi3_sdhost: timeout status 0x40
NOTICE: BL2: v2.1(release):v2.1
NOTICE: BL2: Built : 15:26:01, May 13 2019
NOTICE: BL1: Booting BL31
NOTICE: BL31: v2.1(release):v2.1
NOTICE: BL31: Built : 15:26:04, May 13 2019
=UEFI firmware (version UEFI Firmware v1.15 built at 11:58:44 on Feb 14 2020)
========

Synchronous Exception at 0x0000000037A1A4E8

But I sometimes get:

NOTICE: Booting Trusted Firmware
NOTICE: BL1: v2.1(release):v2.1
NOTICE: BL1: Built : 15:26:06, May 13 2019
NOTICE: rpi3: Detected: Raspberry Pi 3 Model B (1GB, Sony, UK) [0x00a02082]
NOTICE: BL1: Booting BL2
ERROR: rpi3_sdhost: timeout status 0x40
NOTICE: BL2: v2.1(release):v2.1
NOTICE: BL2: Built : 15:26:01, May 13 2019
NOTICE: BL1: Booting BL31
NOTICE: BL31: v2.1(release):v2.1
NOTICE: BL31: Built : 15:26:04, May 13 2019
=UEFI firmware (version UEFI Firmware v1.15 built at 11:58:44 on Feb 14 2020)
========malloc(): unsorted double linked list corrupted

Thread 3 "qemu-system-aar" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffe9c22700 (LWP 22746)]
0x00007ffff515ce35 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff515ce35 in raise () at /lib64/libc.so.6
#1 0x00007ffff5147895 in abort () at /lib64/libc.so.6
#2 0x00007ffff51a008f in __libc_message () at /lib64/libc.so.6
#3 0x00007ffff51a740c in () at /lib64/libc.so.6
#4 0x00007ffff51aa48c in _int_malloc () at /lib64/libc.so.6
#5 0x00007ffff51aad4e in _int_memalign () at /lib64/libc.so.6
#6 0x00007ffff51abdda in _mid_memalign () at /lib64/libc.so.6
#7 0x00007ffff51ad3c6 in posix_memalign () at /lib64/libc.so.6
#8 0x00007ffff7be2407 in slab_allocator_alloc_chunk () at /lib64/libglib-2.0.so.0
#9 0x00007ffff7be3573 in g_slice_alloc () at /lib64/libglib-2.0.so.0
#10 0x00007ffff7bf410a in g_tree_insert_internal () at /lib64/libglib-2.0.so.0
#11 0x0000555555853f10 in tcg_tb_insert (tb=0x7fffd44b4d80 <code_gen_buffer+4934995>) at tcg/tcg.c:425
#12 0x00005555558dbe3d in tb_gen_code (cpu=0x555556afa640, pc=933332960, cs_base=0, flags=2216689664, cflags=-16252928) at accel/tcg/translate-all.c:1875
#13 0x00005555558d7c73 in tb_find (cpu=0x555556afa640, last_tb=0x7fffd44b4c40 <code_gen_buffer+4934675>, tb_exit=0, cf_mask=524288) at accel/tcg/cpu-exec.c:406
#14 0x00005555558d8543 in cpu_exec (cpu=0x555556afa640) at accel/tcg/cpu-exec.c:730
#15 0x00005555558981e1 in tcg_cpu_exec (cpu=0x555556afa640) at cpus.c:1405
#16 0x0000555555898a37 in qemu_tcg_cpu_thread_fn (arg=0x555556afa640) at cpus.c:1713
#17 0x0000555556057af8 in qemu_thread_start (args=0x555557511570) at util/qemu-thread-posix.c:519
#18 0x00007ffff52f34c0 in start_thread () at /lib64/libpthread.so.0
#19 0x00007ffff5221163 in clone () at /lib64/libc.so.6

Tags: arm tcg
Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote :

Maybe the same problem we had with U-boot, the SoC starts with only 1 core enabled.

I'm now trying with `-global bcm2836.enabled-cpus=1`.

Revision history for this message
Peter Maydell (pmaydell) wrote :

Philippe, can you still repro this? I automated it with this expect script:

#!/usr/bin/expect
set timeout 60
spawn /home/petmay01/linaro/qemu-from-laptop/qemu/build/x86/qemu-system-aarch64 -M raspi3 -serial null -serial stdio -display none -device loader,file=/tmp/RPI_EFI.fd,force-raw=true
expect {
   "Synchronous Exception at 0x0000000037A1A4E8" { send_user "\nexiting\n" ; exit 0 }
   timeout { exit 1 }
   eof { exit 1 }
}

and then a shell loop "while rpi.expect; do true; done" and didn't see an assertion either with current master or with the git commit you quote.

Peter Maydell (pmaydell)
Changed in qemu:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.