Assertion failure in *bmdma_active_if `bmdma->bus->retry_unit != (uint8_t)-1' failed.

Bug #1887303 reported by Alexander Bulekov on 2020-07-12
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Undecided
John Snow

Bug Description

Hello,
Here is a QTest Reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc,accel=qtest\
 -qtest null -nographic -vga qxl -qtest stdio -nodefaults\
 -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw\
 -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw\
 -device ide-cd,drive=drive0 -device ide-hd,drive=drive1
outw 0x176 0x3538
outw 0x376 0x6007
outw 0x376 0x6b6b
outw 0x176 0x985c
outl 0xcf8 0x80000903
outl 0xcfc 0x2f2931
outl 0xcf8 0x80000920
outb 0xcfc 0x6b
outb 0x68 0x7
outw 0x176 0x2530
EOF

Here is the call-stack:

    #8 0x7f00e0443091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
    #9 0x55e163f5a1af in bmdma_active_if /home/alxndr/Development/qemu/include/hw/ide/pci.h:59:5
    #10 0x55e163f5a1af in bmdma_prepare_buf /home/alxndr/Development/qemu/hw/ide/pci.c:132:19
    #11 0x55e163f4f00d in ide_dma_cb /home/alxndr/Development/qemu/hw/ide/core.c:898:17
    #12 0x55e163de86ad in dma_complete /home/alxndr/Development/qemu/dma-helpers.c:120:9
    #13 0x55e163de86ad in dma_blk_cb /home/alxndr/Development/qemu/dma-helpers.c:138:9
    #14 0x55e1642ade85 in blk_aio_complete /home/alxndr/Development/qemu/block/block-backend.c:1402:9
    #15 0x55e1642ade85 in blk_aio_complete_bh /home/alxndr/Development/qemu/block/block-backend.c:1412:5
    #16 0x55e16443556f in aio_bh_call /home/alxndr/Development/qemu/util/async.c:136:5
    #17 0x55e16443556f in aio_bh_poll /home/alxndr/Development/qemu/util/async.c:164:13
    #18 0x55e16440fac3 in aio_dispatch /home/alxndr/Development/qemu/util/aio-posix.c:380:5
    #19 0x55e164436dac in aio_ctx_dispatch /home/alxndr/Development/qemu/util/async.c:306:5
    #20 0x7f00e16e29ed in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e9ed)
    #21 0x55e164442f2b in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
    #22 0x55e164442f2b in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
    #23 0x55e164442f2b in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
    #24 0x55e164376953 in flush_events /home/alxndr/Development/qemu/tests/qtest/fuzz/fuzz.c:47:9
    #25 0x55e16437b8fa in general_fuzz /home/alxndr/Development/qemu/tests/qtest/fuzz/general_fuzz.c:544:17

=================================

Here is the same assertion failure but triggered through a different call-stack:

cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc,accel=qtest\
 -qtest null -nographic -vga qxl -qtest stdio -nodefaults\
 -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw\
 -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw\
 -device ide-cd,drive=drive0 -device ide-hd,drive=drive1
outw 0x171 0x2fe9
outb 0x177 0xa0
outl 0x170 0x928
outl 0x170 0x2b923b31
outl 0x170 0x800a24d7
outl 0xcf8 0x80000903
outl 0xcfc 0x842700
outl 0xcf8 0x80000920
outb 0xcfc 0x5e
outb 0x58 0x7
outb 0x376 0x5
outw 0x376 0x11
outw 0x176 0x3538
EOF

Call-stack:
    #8 0x7f00e0443091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
    #9 0x55e163f5a622 in bmdma_active_if /home/alxndr/Development/qemu/include/hw/ide/pci.h:59:5
    #10 0x55e163f5a622 in bmdma_rw_buf /home/alxndr/Development/qemu/hw/ide/pci.c:187:19
    #11 0x55e163f57577 in ide_atapi_cmd_read_dma_cb /home/alxndr/Development/qemu/hw/ide/atapi.c:375:13
    #12 0x55e163f44c55 in ide_buffered_readv_cb /home/alxndr/Development/qemu/hw/ide/core.c:650:9
    #13 0x55e1642ade85 in blk_aio_complete /home/alxndr/Development/qemu/block/block-backend.c:1402:9
    #14 0x55e1642ade85 in blk_aio_complete_bh /home/alxndr/Development/qemu/block/block-backend.c:1412:5
    #15 0x55e16443556f in aio_bh_call /home/alxndr/Development/qemu/util/async.c:136:5
    #16 0x55e16443556f in aio_bh_poll /home/alxndr/Development/qemu/util/async.c:164:13
    #17 0x55e16440fac3 in aio_dispatch /home/alxndr/Development/qemu/util/aio-posix.c:380:5
    #18 0x55e164436dac in aio_ctx_dispatch /home/alxndr/Development/qemu/util/async.c:306:5
    #19 0x7f00e16e29ed in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e9ed)
    #20 0x55e164442f2b in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
    #21 0x55e164442f2b in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
    #22 0x55e164442f2b in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
    #23 0x55e164376953 in flush_events /home/alxndr/Development/qemu/tests/qtest/fuzz/fuzz.c:47:9
    #24 0x55e16437b8fa in general_fuzz /home/alxndr/Development/qemu/tests/qtest/fuzz/general_fuzz.c:544:17

=================================

The first reproducer with -trace ide*:
[I 1594579788.601818] OPENED
26995@1594579788.617583:ide_reset IDEstate 0x565534a7b898
26995@1594579788.617684:ide_reset IDEstate 0x565534a7bc68
26995@1594579788.618019:ide_reset IDEstate 0x565534a7c188
26995@1594579788.618087:ide_reset IDEstate 0x565534a7c558
26995@1594579788.619271:ide_reset IDEstate 0x565534a7c188
26995@1594579788.619377:ide_reset IDEstate 0x565534a7c558
26995@1594579788.623224:ide_reset IDEstate 0x565534a7b898
26995@1594579788.623267:ide_reset IDEstate 0x565534a7bc68
26995@1594579788.623273:ide_reset IDEstate 0x565534a7c188
26995@1594579788.623275:ide_reset IDEstate 0x565534a7c558
[R +0.023386] outw 0x176 0x3538
26995@1594579788.625224:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x38; bus 0x565534a7c100 IDEState 0x565534a7c188
26995@1594579788.625228:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x565534a7c100 IDEState 0x565534a7c558
26995@1594579788.625230:ide_exec_cmd IDE exec cmd: bus 0x565534a7c100; state 0x565534a7c558; cmd 0x35
[S +0.023416] OK
[R +0.023442] outw 0x376 0x6007
26995@1594579788.625263:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x07; bus 0x565534a7c100
[S +0.023447] OK
[R +0.023455] outw 0x376 0x6b6b
26995@1594579788.625276:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x6b; bus 0x565534a7c100
[S +0.023460] OK
[R +0.023464] outw 0x176 0x985c
26995@1594579788.625285:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x5c; bus 0x565534a7c100 IDEState 0x565534a7c558
26995@1594579788.625287:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x98; bus 0x565534a7c100 IDEState 0x565534a7c558
26995@1594579788.625289:ide_exec_cmd IDE exec cmd: bus 0x565534a7c100; state 0x565534a7c558; cmd 0x98
[S +0.023473] OK
[R +0.023477] outl 0xcf8 0x80000903
[S +0.023481] OK
[R +0.023485] outl 0xcfc 0x2f2931
[S +0.023492] OK
[R +0.023496] outl 0xcf8 0x80000920
[S +0.023498] OK
[R +0.023503] outb 0xcfc 0x6b
[S +0.023644] OK
[R +0.023651] outb 0x68 0x7
26995@1594579788.625548:ide_dma_cb IDEState 0x565534a7c558; sector_num=1 n=255 cmd=DMA WRITE
[S +0.023809] OK
[R +0.023817] outw 0x176 0x2530
26995@1594579788.625638:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x30; bus 0x565534a7c100 IDEState 0x565534a7c558
26995@1594579788.625640:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x25; bus 0x565534a7c100 IDEState 0x565534a7c558
26995@1594579788.625642:ide_exec_cmd IDE exec cmd: bus 0x565534a7c100; state 0x565534a7c558; cmd 0x25
[S +0.023827] OK
qemu-system-i386: /home/alxndr/Development/qemu/include/hw/ide/pci.h:59: IDEState *bmdma_active_if(BMDMAState *): Assertion `bmdma->bus->retry_unit != (uint8_t)-1' failed.

=================================

The second reproducer with -trace ide*:

[I 1594579681.691528] OPENED
8293@1594579681.707423:ide_reset IDEstate 0x55fc044c3898
8293@1594579681.707540:ide_reset IDEstate 0x55fc044c3c68
8293@1594579681.707902:ide_reset IDEstate 0x55fc044c4188
8293@1594579681.707969:ide_reset IDEstate 0x55fc044c4558
8293@1594579681.709859:ide_reset IDEstate 0x55fc044c4188
8293@1594579681.709976:ide_reset IDEstate 0x55fc044c4558
8293@1594579681.714051:ide_reset IDEstate 0x55fc044c3898
8293@1594579681.714073:ide_reset IDEstate 0x55fc044c3c68
8293@1594579681.714076:ide_reset IDEstate 0x55fc044c4188
8293@1594579681.714079:ide_reset IDEstate 0x55fc044c4558
[R +0.024386] outw 0x171 0x2fe9
8293@1594579681.715950:ide_ioport_write IDE PIO wr @ 0x171 (Features); val 0xe9; bus 0x55fc044c4100 IDEState 0x55fc044c4188
8293@1594579681.715955:ide_ioport_write IDE PIO wr @ 0x172 (Sector Count); val 0x2f; bus 0x55fc044c4100 IDEState 0x55fc044c4188
OK
[S +0.024430] OK
[R +0.024436] outb 0x177 0xa0
8293@1594579681.715967:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0xa0; bus 0x55fc044c4100 IDEState 0x55fc044c4188
8293@1594579681.715970:ide_exec_cmd IDE exec cmd: bus 0x55fc044c4100; state 0x55fc044c4188; cmd 0xa0
OK
[S +0.024444] OK
[R +0.024448] outl 0x170 0x928
8293@1594579681.715978:ide_data_writel IDE PIO wr @ 0x170 (Data: Long); val 0x00000928; bus 0x55fc044c4100; IDEState 0x55fc044c4188
OK
[S +0.024453] OK
[R +0.024456] outl 0x170 0x2b923b31
8293@1594579681.715986:ide_data_writel IDE PIO wr @ 0x170 (Data: Long); val 0x2b923b31; bus 0x55fc044c4100; IDEState 0x55fc044c4188
OK
[S +0.024460] OK
[R +0.024464] outl 0x170 0x800a24d7
8293@1594579681.715994:ide_data_writel IDE PIO wr @ 0x170 (Data: Long); val 0x800a24d7; bus 0x55fc044c4100; IDEState 0x55fc044c4188
8293@1594579681.715996:ide_atapi_cmd IDEState: 0x55fc044c4188; cmd: 0x28
8293@1594579681.716000:ide_atapi_cmd_packet IDEState: 0x55fc044c4188; limit=0xeb14 packet: 28 09 00 00 31 3b 92 2b d7 24 0a 80
8293@1594579681.716004:ide_atapi_cmd_read IDEState: 0x55fc044c4188; read dma: LBA=12603 nb_sectors=11223
OK
[S +0.024479] OK
[R +0.024483] outl 0xcf8 0x80000903
OK
[S +0.024485] OK
[R +0.024489] outl 0xcfc 0x842700
OK
[S +0.024604] OK
[R +0.024610] outl 0xcf8 0x80000920
OK
[S +0.024613] OK
[R +0.024616] outb 0xcfc 0x5e
OK
[S +0.024720] OK
[R +0.024726] outb 0x58 0x7
8293@1594579681.716258:ide_atapi_cmd_read_dma_cb_aio IDEState: 0x55fc044c4188; aio read: lba=12603 n=64
OK
[S +0.024786] OK
[R +0.024791] outb 0x376 0x5
8293@1594579681.716322:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x05; bus 0x55fc044c4100
OK
[S +0.024797] OK
[R +0.024800] outw 0x376 0x11
8293@1594579681.716330:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x11; bus 0x55fc044c4100
OK
[S +0.024804] OK
[R +0.024807] outw 0x176 0x3538
8293@1594579681.716337:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x38; bus 0x55fc044c4100 IDEState 0x55fc044c4188
8293@1594579681.716340:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x55fc044c4100 IDEState 0x55fc044c4558
8293@1594579681.716342:ide_exec_cmd IDE exec cmd: bus 0x55fc044c4100; state 0x55fc044c4558; cmd 0x35
8293@1594579681.716388:ide_dma_cb IDEState 0x55fc044c4558; sector_num=504 n=257 cmd=DMA WRITE
OK
[S +0.024882] OK
qemu-system-i386: /home/alxndr/Development/qemu/include/hw/ide/pci.h:59: IDEState *bmdma_active_if(BMDMAState *): Assertion `bmdma->bus->retry_unit != (uint8_t)-1' failed.

John Snow (jnsnow) wrote :

This is another manifestation of the SRST bug.

New proposal: https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg06974.html

More analysis of the problem in response to Philippe's proposed fix: https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg06237.html

Changed in qemu:
status: New → In Progress
assignee: nobody → John Snow (jnsnow)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers