QEMU

Floating-point exception in ide_set_sector

Bug #1887309 reported by Alexander Bulekov on 2020-07-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	John Snow

Bug Description

Hello,
Here is a reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc,accel=qtest\
-qtest null -nographic -vga qxl -qtest stdio -nodefaults\
-drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw\
-drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw\
-device ide-cd,drive=drive0 -device ide-hd,drive=drive1
outw 0x176 0x3538
outl 0xcf8 0x80000903
outl 0xcfc 0x184275c
outb 0x376 0x2f
outb 0x376 0x0
outw 0x176 0xa1a4
outl 0xcf8 0x80000920
outb 0xcfc 0xff
outb 0xf8 0x9
EOF

The stack-trace:
==16513==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x556783603fdc (pc 0x556783603fdc bp 0x7fff82143b10 sp 0x7fff82143ab0 T16513)
    #0 0x556783603fdc in ide_set_sector /home/alxndr/Development/qemu/hw/ide/core.c:626:26
    #1 0x556783603fdc in ide_dma_cb /home/alxndr/Development/qemu/hw/ide/core.c:883:9
    #2 0x55678349d74d in dma_complete /home/alxndr/Development/qemu/dma-helpers.c:120:9
    #3 0x55678349d74d in dma_blk_cb /home/alxndr/Development/qemu/dma-helpers.c:138:9
    #4 0x556783962f25 in blk_aio_complete /home/alxndr/Development/qemu/block/block-backend.c:1402:9
    #5 0x556783962f25 in blk_aio_complete_bh /home/alxndr/Development/qemu/block/block-backend.c:1412:5
    #6 0x556783ac030f in aio_bh_call /home/alxndr/Development/qemu/util/async.c:136:5
    #7 0x556783ac030f in aio_bh_poll /home/alxndr/Development/qemu/util/async.c:164:13
    #8 0x556783a9a863 in aio_dispatch /home/alxndr/Development/qemu/util/aio-posix.c:380:5
    #9 0x556783ac1b4c in aio_ctx_dispatch /home/alxndr/Development/qemu/util/async.c:306:5
    #10 0x7f4f1c0fe9ed in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e9ed)
    #11 0x556783acdccb in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
    #12 0x556783acdccb in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
    #13 0x556783acdccb in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
    #14 0x5567833613e5 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
    #15 0x556783a07a4d in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
    #16 0x7f4f1ac84e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
    #17 0x5567830a9089 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x7d2089)

With -trace ide*

12163@1594585516.671265:ide_reset IDEstate 0x56162a269058
[R +0.024963] outw 0x176 0x3538
12163@1594585516.673676:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x38; bus 0x56162a268c00 IDEState 0x56162a268c88
12163@1594585516.673683:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x56162a268c00 IDEState 0x56162a269058
12163@1594585516.673686:ide_exec_cmd IDE exec cmd: bus 0x56162a268c00; state 0x56162a269058; cmd 0x35
OK
[S +0.025002] OK
[R +0.025012] outl 0xcf8 0x80000903
OK
[S +0.025018] OK
[R +0.025026] outl 0xcfc 0x184275c
OK
[S +0.025210] OK
[R +0.025219] outb 0x376 0x2f
12163@1594585516.673916:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x2f; bus 0x56162a268c00
OK
[S +0.025229] OK
[R +0.025234] outb 0x376 0x0
12163@1594585516.673928:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x00; bus 0x56162a268c00
OK
[S +0.025240] OK
[R +0.025246] outw 0x176 0xa1a4
12163@1594585516.673940:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0xa4; bus 0x56162a268c00 IDEState 0x56162a269058
12163@1594585516.673943:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0xa1; bus 0x56162a268c00 IDEState 0x56162a268c88
12163@1594585516.673946:ide_exec_cmd IDE exec cmd: bus 0x56162a268c00; state 0x56162a268c88; cmd 0xa1
OK
[S +0.025265] OK
[R +0.025270] outl 0xcf8 0x80000920
OK
[S +0.025274] OK
[R +0.025279] outb 0xcfc 0xff
OK
[S +0.025443] OK
[R +0.025451] outb 0xf8 0x9
12163@1594585516.674221:ide_dma_cb IDEState 0x56162a268c88; sector_num=0 n=1 cmd=DMA READ
OK
[S +0.025724] OK
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==12163==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x5616279cffdc (pc 0x5616279cffdc bp 0x7ffcdaabae90 sp 0x7ffcdaabae30 T12163)

-Alex

Revision history for this message

Alexander Bulekov (a1xndr) wrote on 2020-07-12: Re: [Bug 1887309] [NEW] Floating-point exception in ide_set_sector

Download full text (9.7 KiB)

On 200712 2025, Alexander Bulekov wrote:
> Public bug reported:
> 
> Hello,
> Here is a reproducer:
> cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc,accel=qtest\
>  -qtest null -nographic -vga qxl -qtest stdio -nodefaults\
>  -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw\
>  -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw\
>  -device ide-cd,drive=drive0 -device ide-hd,drive=drive1
> outw 0x176 0x3538
> outl 0xcf8 0x80000903
> outl 0xcfc 0x184275c
> outb 0x376 0x2f
> outb 0x376 0x0
> outw 0x176 0xa1a4
> outl 0xcf8 0x80000920
> outb 0xcfc 0xff
> outb 0xf8 0x9
> EOF
> 
> The stack-trace:
> ==16513==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x556783603fdc (pc 0x556783603fdc bp 0x7fff82143b10 sp 0x7fff82143ab0 T16513)
>     #0 0x556783603fdc in ide_set_sector /home/alxndr/Development/qemu/hw/ide/core.c:626:26
>     #1 0x556783603fdc in ide_dma_cb /home/alxndr/Development/qemu/hw/ide/core.c:883:9
>     #2 0x55678349d74d in dma_complete /home/alxndr/Development/qemu/dma-helpers.c:120:9
>     #3 0x55678349d74d in dma_blk_cb /home/alxndr/Development/qemu/dma-helpers.c:138:9
>     #4 0x556783962f25 in blk_aio_complete /home/alxndr/Development/qemu/block/block-backend.c:1402:9
>     #5 0x556783962f25 in blk_aio_complete_bh /home/alxndr/Development/qemu/block/block-backend.c:1412:5
>     #6 0x556783ac030f in aio_bh_call /home/alxndr/Development/qemu/util/async.c:136:5
>     #7 0x556783ac030f in aio_bh_poll /home/alxndr/Development/qemu/util/async.c:164:13
>     #8 0x556783a9a863 in aio_dispatch /home/alxndr/Development/qemu/util/aio-posix.c:380:5
>     #9 0x556783ac1b4c in aio_ctx_dispatch /home/alxndr/Development/qemu/util/async.c:306:5
>     #10 0x7f4f1c0fe9ed in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e9ed)
>     #11 0x556783acdccb in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
>     #12 0x556783acdccb in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
>     #13 0x556783acdccb in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
>     #14 0x5567833613e5 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
>     #15 0x556783a07a4d in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
>     #16 0x7f4f1ac84e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
>     #17 0x5567830a9089 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x7d2089)
> 
> With -trace ide*
> 
> 12163@1594585516.671265:ide_reset IDEstate 0x56162a269058
> [R +0.024963] outw 0x176 0x3538
> 12163@1594585516.673676:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x38; bus 0x56162a268c00 IDEState 0x56162a268c88
> 12163@1594585516.673683:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x56162a268c00 IDEState 0x56162a269058
> 12163@1594585516.673686:ide_exec_cmd IDE exec cmd: bus 0x56162a268c00; state 0x56162a269058; cmd 0x35
> OK
> [S +0.025002] OK
> [R +0.025012] outl 0xcf8 0x80000903
> OK
> [S +0.025018] OK
> [R +0.025026] outl 0xcfc 0x184275c
> OK
> [S +0.025210] OK
> [R +0.025219] outb 0x376 0x2f
> 12163@1594585516.673916:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x2f; bus 0x56162a268c00
> OK
> [S +0.025229] OK
> [R +0.025234] outb 0x376 0x0
> 12163@1594585516.673928:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x00; bus 0x56162a268c00
> OK
> [S +0.025240] OK
> [R +0.025246] outw 0x176 0xa1a4
> 12163@1594585516.673940:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0xa4; bus 0x56162a268c00 IDEState 0x56162a269058
> 12163@1594585516.673943:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0xa1; bus 0x56162a268c00 IDEState 0x56162a268c88
> 12163@1594585516.673946:ide_exec_cmd IDE exec cmd: bus 0x56162a268c00; state 0x56162a268c88; cmd 0xa1
> OK
> [S +0.025265] OK
> [R +0.025270] outl 0xcf8 0x80000920
> OK
> [S +0.025274] OK
> [R +0.025279] outb 0xcfc 0xff
> OK
> [S +0.025443] OK
> [R +0.025451] outb 0xf8 0x9
> 12163@1594585516.674221:ide_dma_cb IDEState 0x56162a268c88; sector_num=0 n=1 cmd=DMA READ
> OK
> [S +0.025724] OK
> UndefinedBehaviorSanitizer:DEADLYSIGNAL
> ==12163==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x5616279cffdc (pc 0x5616279cffdc bp 0x7ffcdaabae90 sp 0x7ffcdaabae30 T12163)
> 
> -Alex
> 
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
> 
> -- 
> You received this bug notification because you are a member of qemu-
> devel-ml, which is subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1887309
> 
> Title:
>   Floating-point exception in ide_set_sector
> 
> Status in QEMU:
>   New
> 
> Bug description:
>   Hello,
>   Here is a reproducer:
>   cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc,accel=qtest\
>    -qtest null -nographic -vga qxl -qtest stdio -nodefaults\
>    -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw\
>    -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw\
>    -device ide-cd,drive=drive0 -device ide-hd,drive=drive1
>   outw 0x176 0x3538
>   outl 0xcf8 0x80000903
>   outl 0xcfc 0x184275c
>   outb 0x376 0x2f
>   outb 0x376 0x0
>   outw 0x176 0xa1a4
>   outl 0xcf8 0x80000920
>   outb 0xcfc 0xff
>   outb 0xf8 0x9
>   EOF
> 
>   The stack-trace:
>   ==16513==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x556783603fdc (pc 0x556783603fdc bp 0x7fff82143b10 sp 0x7fff82143ab0 T16513)
>       #0 0x556783603fdc in ide_set_sector /home/alxndr/Development/qemu/hw/ide/core.c:626:26
>       #1 0x556783603fdc in ide_dma_cb /home/alxndr/Development/qemu/hw/ide/core.c:883:9
>       #2 0x55678349d74d in dma_complete /home/alxndr/Development/qemu/dma-helpers.c:120:9
>       #3 0x55678349d74d in dma_blk_cb /home/alxndr/Development/qemu/dma-helpers.c:138:9
>       #4 0x556783962f25 in blk_aio_complete /home/alxndr/Development/qemu/block/block-backend.c:1402:9
>       #5 0x556783962f25 in blk_aio_complete_bh /home/alxndr/Development/qemu/block/block-backend.c:1412:5
>       #6 0x556783ac030f in aio_bh_call /home/alxndr/Development/qemu/util/async.c:136:5
>       #7 0x556783ac030f in aio_bh_poll /home/alxndr/Development/qemu/util/async.c:164:13
>       #8 0x556783a9a863 in aio_dispatch /home/alxndr/Development/qemu/util/aio-posix.c:380:5
>       #9 0x556783ac1b4c in aio_ctx_dispatch /home/alxndr/Development/qemu/util/async.c:306:5
>       #10 0x7f4f1c0fe9ed in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e9ed)
>       #11 0x556783acdccb in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
>       #12 0x556783acdccb in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
>       #13 0x556783acdccb in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
>       #14 0x5567833613e5 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
>       #15 0x556783a07a4d in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
>       #16 0x7f4f1ac84e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
>       #17 0x5567830a9089 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x7d2089)
>

This adds a check to avoid the FPE, but I don't know how to properly
report the error, and whether this is the correct place to add this
check.

diff --git a/hw/ide/core.c b/hw/ide/core.c
index d997a78e47..c191d74ca6 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -622,7 +622,7 @@ void ide_set_sector(IDEState *s, int64_t sector_num)
             s->hob_lcyl = sector_num >> 32;
             s->hob_hcyl = sector_num >> 40;
         }
-    } else {
+    } else if (s->heads && s->sectors){
         cyl = sector_num / (s->heads * s->sectors);
         r = sector_num % (s->heads * s->sectors);
         s->hcyl = cyl >> 8;

>   With -trace ide*
> 
>   12163@1594585516.671265:ide_reset IDEstate 0x56162a269058
>   [R +0.024963] outw 0x176 0x3538
>   12163@1594585516.673676:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x38; bus 0x56162a268c00 IDEState 0x56162a268c88
>   12163@1594585516.673683:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x56162a268c00 IDEState 0x56162a269058
>   12163@1594585516.673686:ide_exec_cmd IDE exec cmd: bus 0x56162a268c00; state 0x56162a269058; cmd 0x35
>   OK
>   [S +0.025002] OK
>   [R +0.025012] outl 0xcf8 0x80000903
>   OK
>   [S +0.025018] OK
>   [R +0.025026] outl 0xcfc 0x184275c
>   OK
>   [S +0.025210] OK
>   [R +0.025219] outb 0x376 0x2f
>   12163@1594585516.673916:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x2f; bus 0x56162a268c00
>   OK
>   [S +0.025229] OK
>   [R +0.025234] outb 0x376 0x0
>   12163@1594585516.673928:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x00; bus 0x56162a268c00
>   OK
>   [S +0.025240] OK
>   [R +0.025246] outw 0x176 0xa1a4
>   12163@1594585516.673940:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0xa4; bus 0x56162a268c00 IDEState 0x56162a269058
>   12163@1594585516.673943:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0xa1; bus 0x56162a268c00 IDEState 0x56162a268c88
>   12163@1594585516.673946:ide_exec_cmd IDE exec cmd: bus 0x56162a268c00; state 0x56162a268c88; cmd 0xa1
>   OK
>   [S +0.025265] OK
>   [R +0.025270] outl 0xcf8 0x80000920
>   OK
>   [S +0.025274] OK
>   [R +0.025279] outb 0xcfc 0xff
>   OK
>   [S +0.025443] OK
>   [R +0.025451] outb 0xf8 0x9
>   12163@1594585516.674221:ide_dma_cb IDEState 0x56162a268c88; sector_num=0 n=1 cmd=DMA READ
>   OK
>   [S +0.025724] OK
>   UndefinedBehaviorSanitizer:DEADLYSIGNAL
>   ==12163==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x5616279cffdc (pc 0x5616279cffdc bp 0x7ffcdaabae90 sp 0x7ffcdaabae30 T12163)
> 
>   -Alex
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1887309/+subscriptions
>

Revision history for this message

Philippe Mathieu-Daudé (philmd) wrote on 2020-07-17:

Proposed fix:
https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05528.html

Changed in qemu:
status:	New → Confirmed

Revision history for this message

John Snow (jnsnow) wrote on 2020-07-27:

New proposal: https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg06974.html

(The root cause is that SRST is not handled correctly.)

More analysis in the replies to Philippe's patch: https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05949.html

Changed in qemu:
assignee:	nobody → John Snow (jnsnow)
status:	Confirmed → In Progress

Revision history for this message

John Snow (jnsnow) wrote on 2020-11-04:

Merged upstream:

55adb3c45620c31f29978f209e2a44a08d34e2da
4ac4e7281a2dd1ca5158812198c4d2cbacf2ae25
b45bcd81e05dea2781f2164ca1c9dd86069502ea
1a9925e3390b6adf1125e3abaa17c80ca012bede

Changed in qemu:
status:	In Progress → Fix Committed

Revision history for this message

Thomas Huth (th-huth) wrote on 2020-12-10:

Released with QEMU v5.2.0.

Changed in qemu:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.