QEMU

QEMU crash after a QuickBASIC program integer overflow

Bug #1920602 reported by Aaro Koskinen
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

A trivial program compiled with QuickBASIC 4.5 with integer overflow will crash QEMU when ran under MS-DOS 5.0 or FreeDOS 1.2:

C:\KILLER>type killer.bas
A% = VAL("99999"):PRINT A%

C:\KILLER>killer.exe
**
  ERROR:../qemu-5.2.0/accel/tcg/tcg-cpus.c:541:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
Aborted

QEMU version v5.2, compiler for ARM, and started with command line:

qemu-system-i386 -curses -cpu 486 -m 1 -drive dos.img

The same test under Ubuntu QEMU and KVM/x86_64 (QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.14)) will just silently hang the QEMU. On DOSBOX, the machine does not die and program outputs the value -31073.

The EXE to reproduce the issue is attached.

See original description
Tags: i386 tcg
Revision history for this message
Aaro Koskinen (aaro-koskinen) wrote :
Aaro Koskinen (aaro-koskinen)
description: updated
Revision history for this message
Aaro Koskinen (aaro-koskinen) wrote :

The program works (in TCQ mode) with QEMU v5.0.0.

QEMU starts crashing with the commit:

commit 975af797f1e04e4d1b1a12f1731141d3770fdbce
Author: Joseph Myers <email address hidden>
Date: Fri May 15 21:21:24 2020 +0000

    target/i386: fix IEEE x87 floating-point exception raising

Revision history for this message
Aaro Koskinen (aaro-koskinen) wrote :

For -enable-kvm I haven't been able to find a working commit. All versions since v3.1.0 just silently hang with the program.

Revision history for this message
Aaro Koskinen (aaro-koskinen) wrote :

Attached is a minimal FreeDOS floppy disk to reproduce the TCG crash. Still reproducible with QEMU v6.0.0:

WARNING: Image format was not specified for 'test-floppy.img' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
SeaBIOS (version rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org)
Booting from Floppy...
................................................123
FreeDOS kernel 2042 (build 2042 OEM:0xfd) [compiled May 11 2016]
Kernel compatibility 7.10 - WATCOMC - FAT32 support

(C) Copyright 1995-2012 Pasquale J. Villani and The FreeDOS Project.
All Rights Reserved. This is free software and comes with ABSOLUTELY NO
WARRANTY; you can redistribute it and/or modify it under the terms of the
GNU General Public License as published by the Free Software Foundation;
either version 2, or (at your option) any later version.
 - InitDiskno hard disks detected

FreeCom version 0.84-pre2 XMS_Swap [Aug 28 2006 00:29:00]
A:\>KILLER.EXE
**
ERROR:../accel/tcg/tcg-accel-ops.c:80:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
Bail out! ERROR:../accel/tcg/tcg-accel-ops.c:80:tcg_handle_interrupt: assertion failed: (qemu_mutex_iothread_locked())
Aborted

Philippe Mathieu-Daudé (philmd)
Changed in qemu:
status: New → Confirmed
tags: added: i386 tcg
Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote :

Since commit 975af797f1e helper_fist_ST0() sets float_flag_invalid.

Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote :

FErr# IRQ raise since bf13bfab084 ("i386: implement IGNNE"):

  Change the handling of port F0h writes and FPU exceptions to implement IGNNE.

  The implementation mixes a bit what the chipset and processor do in real
  hardware, but the effect is the same as what happens with actual FERR#
  and IGNNE# pins: writing to port F0h asserts IGNNE# in addition to lowering
  FP_IRQ; while clearing the SE bit in the FPU status word deasserts IGNNE#.

Revision history for this message
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/318

Changed in qemu:
status: Confirmed → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.