QEMU

x86 Floating point exceptions - incorrect support?

Bug #1668041 reported by Nadav Har'El
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

It seems that qemu does not correctly emulate the x86 support for optionally causing a floating-point exception (#FP) when, for example, dividing by zero. Reports such as:

https://github.com/cloudius-systems/osv/issues/855
http://stackoverflow.com/questions/15134189/qemu-div-by-zero-mxcsr-register

suggest that setting the exception mask in the fpu cw or mxcsr (e.g., using a function like feenableexcept() in the guest OS) does not generate floating point exceptions on divide by zero. The problem only happens on pure QEMU - when a QEMU/KVM combination is used, the actual hardware does the floating point work, and does throw the exception on divide by zero if so requested.

Looking at the qemu (2.8.0) source code, it seems to me it really lacks support for generating fpu exceptions: For example, helper_fdiv() in target-i386/fpu_helper.c, when it notices the divisor is zero, seems to set the divide-by-zero exception bit, but doesn't seem to check whether it needs to trigger an exception (when the right bits on the x87 or SSE control words are enabled).

Revision history for this message
Rin Okuyama (rokuyama) wrote :

Hi,

This problem still exists on QEMU 5.0.0 both for i386 and x86_64;
floating-point zero division is not trapped at all, while integer
one is trapped correctly.

This seriously affects NetBSD project, which carries out periodic
regression tests on QEMU:

https://releng.netbsd.org/test-results.html

Tests including floating-point zero division are falling on QEMU,
while they are successfully passing on real hardwares.

HOW TO REPEAT:

Compile and run this program on Unix like operating systems:

---
#include <fenv.h>
#include <stdlib.h>
#include <unistd.h>

int
main(void)
{
        volatile double a = getpid();
        volatile double b = atoi("0");

        feenableexcept(FE_ALL_EXCEPT);

        usleep((int)(a / b));

        return 0;
}
---

It crashes by SIGFPE on real hardware, but normally exits on QEMU.

I ran this program on NetBSD 9.0 for x86_64 and i386 on QEMU 5.0.0:

(1) Obtain NetBSD 9.0 release from here:

For x86_64:
http://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0/images/NetBSD-9.0-amd64.iso

For i386:
http://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0/images/NetBSD-9.0-i386.iso

(2) Install it for disk image.

(3) qemu-system-x86_64 NetBSD.qcow2 or qemu-system-i386 NetBSD.qcow2

(4) Compile and run the test program above:

# cc fpe.c -lm -o fpe
# ./fpe

(5) Then, it exits normally, while it should abort due to SIGFPE.

Revision history for this message
Thomas Huth (th-huth) wrote :

The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting all older bugs to
"Incomplete" now.
If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Thank you and sorry for the inconvenience.

Changed in qemu:
status: New → Incomplete
Revision history for this message
Peter Maydell (pmaydell) wrote :

Bug still present as of commit 7fbd7e710323c8f4c (just before 5.2 release); tested with a Linux guest in system emulation and with Linux usermode.

The underlying problem is that we don't properly implement trapping FP exceptions; see the final paragraph in the commit message for commit 418b0f93d12a1589d50.

Changed in qemu:
status: Incomplete → Confirmed
Revision history for this message
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/215

Changed in qemu:
status: Confirmed → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.