QEMU

FPE in npcm7xx_adc_convert

Bug #1913669 reported by Alexander Bulekov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Invalid
Undecided
Unassigned

Bug Description

Reproducer:
cat << EOF | ./qemu-system-aarch64 -M npcm750-evb \
-accel qtest -qtest stdio
write 0xf000c000 0x4 0x02400200
clock_step
EOF

Trace:
../hw/adc/npcm7xx_adc.c:60:51: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/adc/npcm7xx_adc.c:60:51 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==717962==ERROR: AddressSanitizer: FPE on unknown address 0x55901aa6e67a (pc 0x55901aa6e67a bp 0x7fff0ac087e0 sp 0x7fff0ac087a0 T0)
#0 0x55901aa6e67a in npcm7xx_adc_convert /hw/adc/npcm7xx_adc.c:60:51
#1 0x55901aa6e67a in npcm7xx_adc_convert_done /hw/adc/npcm7xx_adc.c:106:15
#2 0x55901ceb847e in timerlist_run_timers /util/qemu-timer.c:574:9
#3 0x55901c05d804 in qtest_clock_warp /softmmu/qtest.c:356:9
#4 0x55901c059781 in qtest_process_command /softmmu/qtest.c:752:9
#5 0x55901c051b97 in qtest_process_inbuf /softmmu/qtest.c:797:9
#6 0x55901c8a2286 in fd_chr_read /chardev/char-fd.c:68:9
#7 0x7fa5c43f1aae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
#8 0x55901cefd363 in glib_pollfds_poll /util/main-loop.c:232:9
#9 0x55901cefd363 in os_host_main_loop_wait /util/main-loop.c:255:5
#10 0x55901cefd363 in main_loop_wait /util/main-loop.c:531:11
#11 0x55901bfb8599 in qemu_main_loop /softmmu/runstate.c:721:9
#12 0x55901a2451fd in main /softmmu/main.c:50:5
#13 0x7fa5c3e96cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#14 0x55901a198bc9 in _start (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /hw/adc/npcm7xx_adc.c:60:51 in npcm7xx_adc_convert

Tags: arm fuzzer
Alexander Bulekov (a1xndr)
tags: added: fuzzer
Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote : Re: [Bug 1913669] [NEW] FPE in npcm7xx_adc_convert

Cc'ing supporters:

$ ./scripts/get_maintainer.pl -f hw/arm/npcm7xx.c
Havard Skinnemoen <email address hidden> (supporter:Nuvoton NPCM7xx)
Tyrone Ting <email address hidden> (supporter:Nuvoton NPCM7xx)

On 1/29/21 3:36 AM, Alexander Bulekov wrote:
> Public bug reported:
>
> Reproducer:
> cat << EOF | ./qemu-system-aarch64 -M npcm750-evb \
> -accel qtest -qtest stdio
> write 0xf000c000 0x4 0x02400200
> clock_step
> EOF
>
> Trace:
> ../hw/adc/npcm7xx_adc.c:60:51: runtime error: division by zero
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/adc/npcm7xx_adc.c:60:51 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==717962==ERROR: AddressSanitizer: FPE on unknown address 0x55901aa6e67a (pc 0x55901aa6e67a bp 0x7fff0ac087e0 sp 0x7fff0ac087a0 T0)
> #0 0x55901aa6e67a in npcm7xx_adc_convert /hw/adc/npcm7xx_adc.c:60:51
> #1 0x55901aa6e67a in npcm7xx_adc_convert_done /hw/adc/npcm7xx_adc.c:106:15
> #2 0x55901ceb847e in timerlist_run_timers /util/qemu-timer.c:574:9
> #3 0x55901c05d804 in qtest_clock_warp /softmmu/qtest.c:356:9
> #4 0x55901c059781 in qtest_process_command /softmmu/qtest.c:752:9
> #5 0x55901c051b97 in qtest_process_inbuf /softmmu/qtest.c:797:9
> #6 0x55901c8a2286 in fd_chr_read /chardev/char-fd.c:68:9
> #7 0x7fa5c43f1aae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
> #8 0x55901cefd363 in glib_pollfds_poll /util/main-loop.c:232:9
> #9 0x55901cefd363 in os_host_main_loop_wait /util/main-loop.c:255:5
> #10 0x55901cefd363 in main_loop_wait /util/main-loop.c:531:11
> #11 0x55901bfb8599 in qemu_main_loop /softmmu/runstate.c:721:9
> #12 0x55901a2451fd in main /softmmu/main.c:50:5
> #13 0x7fa5c3e96cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
> #14 0x55901a198bc9 in _start (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: FPE /hw/adc/npcm7xx_adc.c:60:51 in npcm7xx_adc_convert

The ADC realization in npcm7xx_realize is incomplete, vref/iref
properties are not set, thus 0.

Looking at the qtests (npcm7xx_adc-test.c) these are set via
'qom-set' QMP calls.

Assuming vref/iref are constant on a board, shouldn't we have
a npcm7xx_adc_realize() method checking these properties are
set, returning a proper error message if not?

Thanks,

Phil.

tags: added: arm
Changed in qemu:
status: New → Confirmed
Revision history for this message
Alexander Bulekov (a1xndr) wrote :

I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:

https://gitlab.com/qemu-project/qemu/-/issues/550

Revision history for this message
Thomas Huth (th-huth) wrote :

Thanks for moving it over! ... let's close this one here on Launchpad now.

Changed in qemu:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.