SIGSEGV in memory_region_access_valid on Sabre Lite board
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
I'm trying to emulate a Sabre Lite board and boot U-Boot, but I'm encountering a SIGSEGV almost immediately after starting QEMU.
QEMU version: 6f1d2d1c5ad20d4
U-Boot version: mx6qsabrelite_
$ gdb --args ./arm-softmmu/
GNU gdb (Ubuntu 7.7.1-0ubuntu5~
...
(gdb) r
Starting program: /home/kota/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_
[New Thread 0x7fffe9074700 (LWP 18025)]
[New Thread 0x7fffe58c0700 (LWP 18027)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe58c0700 (LWP 18027)]
0x00005555557aaaa8 in memory_
1143 if (!mr->ops-
(gdb) print mr->ops
$1 = (const MemoryRegionOps *) 0x0
(gdb) print *mr
$2 = {parent_obj = {class = 0x555556678990, free = 0x0, properties = 0x555557002d20, ref = 1, parent = 0x555556693d10}, romd_mode = true, ram = false, subpage = false, readonly = false, rom_device = true,
flush_
lo = 98304, hi = 0}, addr = 0, destructor = 0x5555557a70b0 <memory_
vga_logging_count = 0 '\000', alias = 0x0, alias_offset = 0, priority = 0, subregions = {tqh_first = 0x0, tqh_last = 0x7fffe594e188}, subregions_link = {tqe_next = 0x7fffe594d988, tqe_prev = 0x7fffe594e290},
coalesced = {tqh_first = 0x0, tqh_last = 0x7fffe594e1a8}, name = 0x555557022710 "imx6.rom", ioeventfd_nb = 0, ioeventfds = 0x0, iommu_notify = {notifiers = {lh_first = 0x0}}}
(gdb) bt
#0 0x00005555557aaaa8 in memory_
#1 0x00005555557aacbd in memory_
#2 0x00007fffe645a4e4 in code_gen_buffer ()
#3 0x0000555555778d4d in cpu_tb_exec (itb=<optimized out>, itb=<optimized out>, cpu=0x7fffe58c92e0) at /home/kota/
#4 cpu_loop_exec_tb (sc=0x7fffe58bfab0, tb_exit=<synthetic pointer>, last_tb=
#5 cpu_arm_exec (cpu=cpu@
#6 0x0000555555798a20 in tcg_cpu_exec (cpu=0x7fffe58c
#7 tcg_exec_all () at /home/kota/
#8 qemu_tcg_
#9 0x00007ffff27f1184 in start_thread (arg=0x7fffe58c
#10 0x00007ffff251e37d in clone () at ../sysdeps/
description: updated
Changed in qemu: status: Fix Committed → Fix Released
I've narrowed the crash to a stmia instruction in U-Boot's relocate_code:
Breakpoint 3, relocate_code () at arch/arm/lib/relocate.S:81
81 subs r4, r0, r1 /* r4 <- relocation offset */
(gdb) disas
Dump of assembler code for function relocate_code:
0x17802620 <+0>: ldr r1, [pc, #76] ; 0x17802674 <relocate_done+4>
=> 0x17802624 <+4>: subs r4, r0, r1
0x17802628 <+8>: beq 0x17802670 <relocate_done>
0x1780262c <+12>: ldr r2, [pc, #68] ; 0x17802678 <relocate_done+8>
0x17802630 <+16>: ldm r1!, {r10, r11}
0x17802634 <+20>: stmia r0!, {r10, r11}
0x17802638 <+24>: cmp r1, r2
0x1780263c <+28>: bcc 0x17802630 <relocate_code+16>
0x17802640 <+32>: ldr r2, [pc, #52] ; 0x1780267c <relocate_done+12>
0x17802644 <+36>: ldr r3, [pc, #52] ; 0x17802680 <relocate_done+16>
0x17802648 <+0>: ldm r2!, {r0, r1}
0x1780264c <+4>: and r1, r1, #255 ; 0xff
0x17802650 <+8>: cmp r1, #23
0x17802654 <+12>: bne 0x17802668 <fixnext>
0x17802658 <+16>: add r0, r0, r4
0x1780265c <+20>: ldr r1, [r0]
0x17802660 <+24>: add r1, r1, r4
0x17802664 <+28>: str r1, [r0]
0x17802668 <+0>: cmp r2, r3
0x1780266c <+4>: bcc 0x17802648 <fixloop>
0x17802670 <+0>: bx lr
End of assembler dump.
(gdb) si
82 beq relocate_done /* skip relocation */
(gdb)
83 ldr r2, =__image_copy_end /* r2 <- SRC &__image_copy_end */
(gdb)
86 ldmia r1!, {r10-r11} /* copy from source address [r1] */
(gdb)
87 stmia r0!, {r10-r11} /* copy to target address [r0] */
(gdb) bt
#0 relocate_code () at arch/arm/
#1 0x178025cc in _main () at arch/arm/
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) si
Remote connection closed
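The relocation loop stepped through above (copy the image, then walk the .rel.dyn table and add the relocation offset r4 to every word an R_ARM_RELATIVE entry names) as an added C model; this is not U-Boot's or QEMU's code, and the function names, the flat `ram` buffer standing in for guest memory and the constructed 16-byte image are assumptions. Unlike the assembly, the model refuses fixup entries whose target lies outside the copied image.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define R_ARM_RELATIVE 23   /* the type compared against #23 in fixloop */

/* One .rel.dyn entry (Elf32_Rel): link-time address of a word holding an
 * absolute address, with the relocation type in the low 8 bits of r_info. */
typedef struct { uint32_t r_offset; uint32_t r_info; } elf32_rel;

/* Model of relocate_code (hypothetical helper): copy the image from src to
 * dst inside a flat buffer standing in for RAM, then add off = dst - src (r4)
 * to every word an R_ARM_RELATIVE entry points at. Returns the number of
 * fixups applied, or -1 if the image or an entry falls outside the buffer. */
long relocate_image(uint8_t *ram, size_t ram_len, uint32_t src, uint32_t dst,
                    uint32_t len, const elf32_rel *rel, size_t nrel)
{
    uint32_t off = dst - src;                     /* subs r4, r0, r1 */
    if (off == 0) return 0;                       /* beq relocate_done */
    if ((uint64_t)src + len > ram_len || (uint64_t)dst + len > ram_len) return -1;
    memmove(ram + dst, ram + src, len);           /* ldm r1!/stm r0! copy loop */
    long fixed = 0;
    for (size_t i = 0; i < nrel; i++) {                          /* fixloop */
        if ((rel[i].r_info & 0xff) != R_ARM_RELATIVE) continue;  /* fixnext */
        uint32_t target = rel[i].r_offset;
        if (target < src || (uint64_t)target + 4 > (uint64_t)src + len) return -1; /* added check */
        uint8_t *p = ram + target + off;                         /* add r0, r0, r4 */
        uint32_t v;
        memcpy(&v, p, 4);                                        /* ldr r1, [r0] */
        v += off;                                                /* add r1, r1, r4 */
        memcpy(p, &v, 4);                                        /* str r1, [r0] */
        fixed++;
    }
    return fixed;
}

/* Constructed demo: a 16-byte image at 0x1000 whose word at 0x1008 holds the
 * absolute address 0x1004; move it to 0x3000 and read back the fixed-up word.
 * The second entry is a non-RELATIVE type (R_ARM_ABS32 = 2) and is skipped. */
uint32_t demo_relocated_pointer(void)
{
    static uint8_t ram[0x4000];
    const uint32_t src = 0x1000, dst = 0x3000, len = 16, ptr = 0x1004;
    memset(ram, 0, sizeof ram);
    memcpy(ram + src + 8, &ptr, 4);
    elf32_rel rel[2] = { { src + 8, R_ARM_RELATIVE }, { src + 12, 2 } };
    if (relocate_image(ram, sizeof ram, src, dst, len, rel, 2) != 1) return 0;
    uint32_t v;
    memcpy(&v, ram + dst + 8, 4);
    return v;   /* 0x3004: the pointer now refers into the relocated copy */
}
```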