Linaro QEMU

qemu-i386-static segfault on armel

Bug #760413 reported by Steve Langasek
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Linaro QEMU
New
Undecided
Unassigned
qemu-linaro (Ubuntu)
New
Undecided
Unassigned

Bug Description

Running nspluginwrapper under qemu on armel yields a segfault. This is after rebuilding locally with -U_FORTIFY_SOURCE, because when the default FORTIFY_SOURCE settings are used, it instead aborts with "*** longjmp causes uninitialized stack frame ***"; I was hoping this was a false positive but it seems it might not be.

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 16563]
0x600942f8 in __pthread_mutex_lock (mutex=0x6225dff4) at pthread_mutex_lock.c:54
54 pthread_mutex_lock.c: No such file or directory.
        in pthread_mutex_lock.c
(gdb) thread apply all bt full

Thread 2 (LWP 16563):
#0 0x600942f8 in __pthread_mutex_lock (mutex=0x6225dff4)
    at pthread_mutex_lock.c:54
        __PRETTY_FUNCTION__ = "__pthread_mutex_lock"
        type = 0
        id = <value optimized out>
#1 0x60029564 in cpu_x86_exec (env1=0x6225dff4)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/cpu-exec.c:545
        saved_env_reg = 0x1
        ret = -1
        interrupt_request = -1216
        next_tb = 0
#2 0x60000324 in cpu_loop (env=0x63a67600)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/linux-user/main.c:311
        trapnr = 0
        info = {si_signo = 0, si_errno = 0, si_code = 0, _sifields = {_pad = {
              0 <repeats 29 times>}, _kill = {_pid = 0, _uid = 0}, _timer = {
              _timer1 = 0, _timer2 = 0}, _rt = {_pid = 0, _uid = 0,
              _sigval = {sival_int = 0, sival_ptr = 0}}, _sigchld = {
              _pid = 0, _uid = 0, _status = 0, _utime = 0, _stime = 0},
            _sigfault = {_addr = 0}, _sigpoll = {_band = 0, _fd = 0}}}
#3 0x600043d4 in clone_func (arg=0x6225dff4)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/linux-user/syscall.c:3746
No locals.
#4 0x600cf718 in clone ()
No symbol table info available.
#5 0x600cf718 in clone ()
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 1 (LWP 16560):
#0 tcg_temp_new_internal (temp_local=0)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/tcg/tcg.c:457
No locals.
#1 tcg_temp_new_internal_i32 (temp_local=0)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/tcg/tcg.c:460
        idx = 1
#2 0x6007320c in tcg_temp_new_i32 (env=0x63a58e28, tb=0x40208d00)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/tcg/tcg.h:371
No locals.
#3 gen_intermediate_code_internal (env=0x63a58e28, tb=0x40208d00)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/target-i386/translate.c:7769
        dc1 = {override = 1646841484, prefix = 41347, aflag = 1646650108,
          dflag = 1611106976, pc = 0, is_jmp = 3, cs_base = 0, pe = 1,
          code32 = 1, ss32 = 1, cc_op = 0, addseg = 0, f_st = 0, vm86 = 0,
          cpl = 3, iopl = 0, tf = 0, singlestep_enabled = 0, jmp_opt = 1,
          mem_index = 0, flags = 4194483, tb = 0x40208d00, popl_esp_hack = 0,
          rip_offset = 1613076184, cpuid_features = 125938681,
          cpuid_ext_features = -2139095039, cpuid_ext2_features = 0,
          cpuid_ext3_features = 0}
        bp = 0x0
        flags = 4194483
        num_insns = 4194483
        max_insns = 0
        cs_base = 0
#4 gen_intermediate_code (env=0x63a58e28, tb=0x40208d00)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/target-i386/translate.c:7885
No locals.
#5 0x600291d8 in cpu_x86_gen_code (env=0x63a58e28, tb=0x40208d00,
    gen_code_size_ptr=0xbe8e490c)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/translate-all.c:73
        gen_code_buf = 0x0
        gen_code_size = 1
#6 0x60028498 in tb_gen_code (env=0x63a58e28, pc=1134487336, cs_base=0,
    flags=4194483, cflags=0)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/exec.c:989
        tb = 0x40208d00
        virt_page2 = 1
        code_gen_size = 1615849440
#7 0x600297dc in tb_find_slow (env1=0x0)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/cpu-exec.c:167
        ptb1 = 0x62271810
        h = 14794
        phys_page1 = 1134485504
#8 tb_find_fast (env1=0x0)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/cpu-exec.c:194
No locals.
#9 cpu_x86_exec (env1=0x0)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/cpu-exec.c:546
        saved_env_reg = 0x1
        ret = 628
        interrupt_request = 1
        next_tb = 0
#10 0x60000324 in cpu_loop (env=0x63a58e28)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/linux-user/main.c:311
        trapnr = 1615849440
        info = {si_signo = -1, si_errno = -1, si_code = 1646664384,
          _sifields = {_pad = {-1 <repeats 20 times>, 255, 255, 0, 71,
              13629952, 1671794216, 5, 1646664384, 1671788904}, _kill = {
              _pid = -1, _uid = 4294967295}, _timer = {_timer1 = 4294967295,
              _timer2 = 4294967295}, _rt = {_pid = -1, _uid = 4294967295,
              _sigval = {sival_int = -1, sival_ptr = 4294967295}},
            _sigchld = {_pid = -1, _uid = 4294967295, _status = -1,
              _utime = -1, _stime = -1}, _sigfault = {_addr = 4294967295},
            _sigpoll = {_band = -1, _fd = -1}}}
#11 0x60000ee4 in main (argc=5, argv=0x47, envp=0x1)
    at /builddir/qemu-linaro-0.14.50-2011.03-1/linux-user/main.c:3381
        cpu_model = 0x63a58e28 "\263@"
        regs1 = {ebx = 0, ecx = 0, edx = 0, esi = 0, edi = 0, ebp = 0,
          eax = 0, xds = 0, xes = 0, orig_eax = 0, eip = 1122375760, xcs = 0,
          eflags = 0, esp = 1121272152, xss = 0}
        info1 = {load_bias = 0, load_addr = 1122373632,
          start_code = 134512640, end_code = 134657628,
          start_data = 134665584, end_data = 134669128, start_brk = 0,
          brk = 134692840, start_mmap = 2147483648, mmap = 0, rss = 1,
          start_stack = 1121272152, stack_limit = 1112887296,
          entry = 1122375760, code_offset = 0, data_offset = 0,
          saved_auxv = 1121272300, arg_start = 1121272449,
          arg_end = 1121272618, personality = 0}
        bprm = {
          buf = "\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\003\000\003\000\001\000\000\000P\b\000\000\064\000\000\000\060\311\001\000\000\000\000\000\064\000 \000\a\000(\000\027\000\026\000\001", '\000' <repeats 15 times>"\344, \270\001\000\344\270\001\000\005\000\000\000\000\020\000\000\001\000\000\000\200\274\001\000\200\314\001\000\200\314\001\000\324\v\000\000\224\f\000\000\006\000\000\000\000\020\000\000\002\000\000\000\024\277\001\000\024\317\001\000\024\317\001\000\270\000\000\000\270\000\000\000\006\000\000\000\004\000\000\000\004\000\000\000\024\001\000\000\024\001\000\000\024\001\000\000$\000\000\000$\000\000\000\004\000\000\000\004\000\000\000P\345td@\261\001\000@\261\001\000@\261\001\000\\\001\000\000\\\001\000\000\004\000\000\000\004\000\000\000Q\345td", '\000' <repeats 20 times>, "\006\000\000\000"..., page = {
            0x0 <repeats 32 times>, 0x63a5f5f0}, p = 1121272152, fd = 6,
          e_uid = 1000, e_gid = 1000, argc = 5, envc = 29, argv = 0x63a57968,
          envp = 0x63a5e880,
          filename = 0xbe8e5298 "/usr/lib/nspluginwrapper/i386/linux/npviewer.bin", core_dump = 0x600169f4 <elf_core_dump>}
        ts = 0x604fe7e0
        env = 0x63a58e28
        r = 0xbe8e5298 "/usr/lib/nspluginwrapper/i386/linux/npviewer.bin"
        gdbstub_port = 0
        target_environ = 0x63a5e880
        wrk = 0x0
        target_argc = 5
        envlist = 0x63a57968
        argv0 = 0x0
        ret = 0
(gdb)

Revision history for this message
Steve Langasek (vorlon) wrote :

I've rebuilt again without -U_FORTIFY_SOURCE and it fails the same way. I'm not sure what triggered the earlier aborts then.

Revision history for this message
Steve Langasek (vorlon) wrote :

possibly related to bug #758424, which seems to be caused by the lack of support for TLS when targeting x86.

Revision history for this message
Ira Rosen (irar) wrote : AUTO: Ira Rosen is out of the office. (returning 17/04/2011)

I am out of the office until 17/04/2011.

Note: This is an automated response to your message "[Bug 760413] Re:
qemu-i386-static segfault on armel" sent on 14/4/2011 8:37:30.

This is the only notification you will receive while this person is away.

Revision history for this message
Steve Langasek (vorlon) wrote :

My reproducer for this is the nspluginwrapper 'npviewer.bin' executable for i386. To setup for reproducing on a Linaro 11.05 system:

echo foreign-architecture i386 | sudo tee -a /etc/dpkg/dpkg.cfg > /dev/null
echo 'deb [arch=i386] http://archive.ubuntu.com/ubuntu natty main universe multiverse' | sudo tee -a /etc/apt/sources.list > /dev/null
sudo apt-get install python-software-properties
sudo apt-add-repository ppa:vorlon/multiarch
sudo apt-get update
sudo apt-get install nspluginwrapper
sudo apt-get install flashplugin-installer:i386 libasound2-plugins:i386-
DISPLAY=:0.0 nspluginplayer type=application/x-shockwave-flash src=arbitrary_url_that_we_never_make_it_to

The actual i386 executable is /usr/lib/nspluginwrapper/i386/linux/npviewer.bin; it can't be invoked directly, the segfault is only reproducible if it has a wrapper client to talk to over its socket. The actual invocation of qemu happens in /usr/lib/nspluginwrapper/noarch/npviewer (at the very bottom) so you can attach there. Note that npviewer.bin gets called *twice*, the first time with a --info option that just queries the supported mime types and then returns successfully and the second time for the actual launching of the plugin.

If you're going to be doing anything that significantly slows down the npviewer.bin startup, you probably want to pass a NPW_INIT_TIMEOUT value (in seconds) in nspluginplayer's environment; otherwise it gives up waiting for a connection after 20 seconds.

Revision history for this message
Steve Langasek (vorlon) wrote :

if your environment isn't entirely up-to-date, you probably want to do a 'sudo apt-get dist-upgrade' before the 'sudo apt-get install nspluginwrapper', otherwise apt will sometimes suggest some rather strange solutions for the upgrade... like replacing libc-bin:armel with libc-bin:i386... :)

Revision history for this message
Peter Maydell (pmaydell) wrote :

So at the moment qemu doesn't support emulating threaded x86 programs in linux-user mode. (-> target_nptl isn't set in configure for x86 targets). I think this is because the target-i386 code doesn't have the necessary support for bouncing atomic memory access ops up to the linux-user top level loop to be implemented with mutexes, the way the arm/mips/ppc/alpha targets do. This isn't a trivial feature to add, unfortunately.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.