qemu-3.1.0-rc0: tcg.c crash in temp_load

Bug #1803160 reported by Alberto Ortega
Affects: QEMU | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

QEMU version:
-------------

qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)

Summary:
--------

TCG crashes in i386 and x86_64 when it tries to execute some specific illegal instructions. When running full OS emulation, both the guest system and QEMU crash.

The issue has been reproduced in two scenarios:

Ubuntu x64 host running Debian x86 guest with the following command line: qemu-system-x86_64 -m 4G debian.qcow

When the attached ELF file is executed inside the guest, QEMU crashes.

It can also be reproduced from the command line:

$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped) ../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf

GDB backtrace:

(gdb) bt
#0 0x0000000060206488 in raise ()
#1 0x0000000060206b8a in abort ()
#2 0x0000000060007016 in temp_load (s=s@entry=0x607a2780 <tcg_init_ctx>, ts=ts@entry=0x607a3178 <tcg_init_ctx+2552>, desired_regs=<optimized out>, allocated_regs=allocated_regs@entry=16400)
    at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3 0x000000006000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4 tcg_gen_code (s=<optimized out>, tb=tb@entry=0x607ac040 <static_code_gen_buffer+4144>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5 0x000000006003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, cflags=cflags@entry=0)
    at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6 0x000000006003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7 cpu_exec (cpu=cpu@entry=0x627e0010) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8 0x000000006006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9 0x00000000600037c5 in main (argc=2, argv=0x7fffffffdd28, envp=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)

Testcase:
---------

Find ELF file attached.

Tags: tcg
Alberto Ortega (aortega) wrote :
description: updated
Alex Bennée (ajbennee)
tags: added: tcg
Alex Bennée (ajbennee) wrote :

Can you please re-test on the current master, I think this was fixed by:

commit e84fcd7f662a0d8198703f6f89416d7ac2c32767
Author: Richard Henderson <email address hidden>
Date: Tue Nov 13 20:35:10 2018 +0100

    target/i386: Generate #UD when applying LOCK to a register destination

Testing on my box:

12:14:20 [alex@idun:~/l/qemu.git] master + ./i386-linux-user/qemu-i386 ~/tcg_crash.elf
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
fish: “./i386-linux-user/qemu-i386 ~/t…” terminated by signal SIGILL (Illegal instruction)

Changed in qemu:
status: New → Fix Committed
Alberto Ortega (aortega) wrote :

I've tested this again and I haven't been able to reproduce it anymore on the current master, it looks fixed.

Thanks! :)

Alberto Ortega (aortega) wrote :

Hello again,

After more testing I've been able to trigger this bug again using qemu from git master. Find attached a new ELF that will reproduce the problem:

$ qemu-i386 tcg_crash1.elf
/home/alberto/Documents/qemu/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped) ./qemu/build/i386-linux-user/qemu-i386 tcg_crash1.elf

Invalid instructions:

f0 invalid
40 inc eax
a7 cmpsd dword [esi], dword ptr es:[edi]
48 dec eax

GDB backtrace is the same as before.
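Both testcases in this thread are the same shape: a LOCK prefix in front of an instruction form that may not be locked (the fix commit names "LOCK to a register destination"; the second report lists the bytes f0 40 a7 48). On real hardware that raises #UD, which Linux delivers as SIGILL, and a correct TCG must do the same instead of aborting in the code generator. The probe below is an added example, not code from the report or from QEMU: it copies a constructed byte sequence into a private page, appends RET, makes the page executable, runs it under a SIGILL/SIGSEGV handler and returns the signal that arrived (0 if the sequence ran through). Run it natively or under qemu-i386 / qemu-x86_64 after a TCG change to check that an illegal LOCK form produces SIGILL rather than a tcg fatal error. The exact bytes of the first attached ELF are not on the page, so `f0 ff c0` (LOCK INC EAX) is assumed as a representative register-destination case; on non-x86 hosts the function returns -1 without executing anything.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__i386__) || defined(__x86_64__)
#define PROBE_HAVE_X86 1
#else
#define PROBE_HAVE_X86 0
#endif

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;

static void probe_handler(int signo)
{
    probe_signal = signo;
    siglongjmp(probe_env, 1);
}

/* Execute `code` (len bytes) followed by RET and report what happened:
 *   >0  signal number raised (SIGILL = the #UD a correct CPU/emulator gives)
 *    0  the sequence executed and returned normally
 *   -1  not an x86 host, nothing was executed
 *   -2  could not set up an executable page */
int probe_sequence(const unsigned char *code, size_t len)
{
    if (!PROBE_HAVE_X86)
        return -1;

    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len + 1 > (size_t)page)
        return -2;

    /* Write into an RW page, then flip it to RX so we never hold W+X. */
    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -2;
    memcpy(buf, code, len);
    buf[len] = 0xc3; /* RET, reached only if nothing before it faults */
    if (mprotect(buf, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, (size_t)page);
        return -2;
    }

    struct sigaction sa, old_ill, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGSEGV, &sa, &old_segv);

    probe_signal = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &buf, sizeof fn); /* data pointer -> code pointer without a cast warning */
        fn();
    }

    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap(buf, (size_t)page);
    return probe_signal;
}

/* Constructed inputs for this example. */
static const unsigned char lock_inc_eax[] = { 0xf0, 0xff, 0xc0 };       /* LOCK INC EAX: assumed shape of the first testcase */
static const unsigned char report_seq[]   = { 0xf0, 0x40, 0xa7, 0x48 }; /* bytes listed in the second report */
static const unsigned char plain_inc[]    = { 0xff, 0xc0 };             /* INC EAX, a valid control case */

int main(void)
{
    printf("lock inc eax   -> %d (SIGILL is %d)\n", probe_sequence(lock_inc_eax, sizeof lock_inc_eax), SIGILL);
    printf("f0 40 a7 48    -> %d\n", probe_sequence(report_seq, sizeof report_seq));
    printf("inc eax        -> %d (0 = ran to completion)\n", probe_sequence(plain_inc, sizeof plain_inc));
    return 0;
}
```

Build it as a static 32-bit or 64-bit binary (for example `gcc -m32 -static probe.c -o probe32`) and run it under `qemu-i386 ./probe32`; the two LOCK sequences must report SIGILL, and a QEMU that instead prints `tcg fatal error` and dies still has the translator-side bug. Because the page is made executable only after it is filled, the probe also works on systems that refuse W+X mappings.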

Richard Henderson (rth) wrote :

This second crash is of course a different bug.

Philippe Mathieu-Daudé (philmd) wrote : Re: [Qemu-devel] [Bug 1803160] Re: qemu-3.1.0-rc0: tcg.c crash in temp_load

Hi Alberto,

Can you open another ticket for your new bug?

Thanks.

On Fri, Dec 7, 2018 at 6:22 PM Richard Henderson <email address hidden> wrote:
>
> This second crash is of course a different bug.
>

Alberto Ortega (aortega) wrote :

I've just opened #1807675 for the new bug.

Thanks!

Thomas Huth (th-huth)
Changed in qemu:
status: Fix Committed → Fix Released