qemu-system-ppc assertion "!mr->container" failed

Bug #1922391 reported by Håvard Eidnes
Affects: QEMU
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

I'm trying to run the NetBSD/macppc 8.2 installer (which is 32-bit ppc) in qemu-system-ppc version 5.2.0, and I'm hitting this assertion failure
quite a bit into the "unpacking sets" part of the installation procedure,
unpacking from the install iso image.

Qemu is run on a NetBSD/amd64 9.1 host system.

The assert message from qemu is

assertion "!mr->container" failed: file "../softmmu/memory.c", line 1739, function "memory_region_finalize"

The stack backtrace from the core file (when built with debug symbols) is

Core was generated by `qemu-system-ppc'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007a8f2596791a in _lwp_kill () from /usr/lib/libc.so.12
[Current thread is 1 (process 1)]
(gdb) where
#0 0x00007a8f2596791a in _lwp_kill () from /usr/lib/libc.so.12
#1 0x00007a8f259671ca in abort () from /usr/lib/libc.so.12
#2 0x00007a8f258a8507 in __assert13 () from /usr/lib/libc.so.12
#3 0x000000003e79d8a0 in memory_region_finalize (obj=<optimized out>)
    at ../softmmu/memory.c:1739
#4 0x000000003e87aacc in object_deinit (type=0x7a8f2c280780,
    obj=<optimized out>) at ../qom/object.c:671
#5 object_finalize (data=0x7a8f2b62baa0) at ../qom/object.c:685
#6 object_unref (objptr=0x7a8f2b62baa0) at ../qom/object.c:1183
#7 0x000000003e87aa96 in object_property_del_all (obj=0x7a8f2b629000)
    at ../qom/object.c:623
#8 object_finalize (data=0x7a8f2b629000) at ../qom/object.c:684
#9 object_unref (objptr=0x7a8f2b629000) at ../qom/object.c:1183
#10 0x000000003e79ab6b in memory_region_unref (mr=<optimized out>)
    at ../softmmu/memory.c:1787
#11 0x000000003e7d8eb4 in address_space_unmap (
    as=as@entry=0x3f4731a0 <address_space_memory>, buffer=<optimized out>,
    len=<optimized out>, is_write=<optimized out>, access_len=<optimized out>)
    at ../softmmu/physmem.c:3222
#12 0x000000003e66389a in dma_memory_unmap (access_len=<optimized out>,
    dir=<optimized out>, len=<optimized out>, buffer=<optimized out>,
    as=<optimized out>)
    at /usr/pkgsrc/emulators/qemu/work/qemu-5.2.0/include/sysemu/dma.h:145
#13 pmac_ide_atapi_transfer_cb (opaque=0x7a8f2ab4aef0, ret=<optimized out>)
    at ../hw/ide/macio.c:122
#14 0x000000003e5b22a0 in dma_complete (ret=0, dbs=0x7a8f2bb4d380)
    at ../softmmu/dma-helpers.c:120
#15 dma_blk_cb (opaque=0x7a8f2bb4d380, ret=0) at ../softmmu/dma-helpers.c:138
#16 0x000000003e864ef7 in blk_aio_complete (acb=0x7a8f2af2be90)
    at ../block/block-backend.c:1412
#17 0x000000003e9a9be1 in coroutine_trampoline (i0=<optimized out>,
    i1=<optimized out>) at ../util/coroutine-ucontext.c:173
#18 0x00007a8f25864150 in ?? () from /usr/lib/libc.so.12
Backtrace stopped: Cannot access memory at address 0x7a8e137ec000
(gdb)

I start qemu with this small script:

---
#!/bin/sh

MEM=3g
qemu-system-ppc \
        -M mac99,via=pmu \
        -m $MEM \
        -nographic \
        -drive id=hda,format=raw,file=disk.img \
        -L pc-bios \
        -netdev user,id=net0,hostfwd=tcp::2223-:22,ipv6=off \
        -net nic,model=rtl8139,netdev=net0 \
        -boot d \
        -cdrom NetBSD-8.2-macppc.iso
---

and boot the install kernel with "boot cd:ofwboot.xcf". If someone wants
to replicate this I can provide more detailed instructions to repeat the
procedure I used to start the install.

Any hints about what more to look for?

Regards,

- Håvard

Håvard Eidnes (he-uninett) wrote :

Hmm,

it seems I need to retract this bug. It turns out that the 32-bit macppc port
of NetBSD only supports a maximum of 2GB of memory. As a NetBSD developer said it:

> The physical memory map on G4 Macs doesn't have room for more than 2G of RAM.

So, I've set the status of this bug report to "Invalid", as that seemed to be the
best fit.

Regards,

- Håvard

Changed in qemu:
status: New → Invalid
Philippe Mathieu-Daudé (philmd) wrote :

If the machine cannot support more than 2GB, QEMU should report an error when the user tries to assign too much memory, not crash and let it figure out.
Setting the bug status to confirmed.

Changed in qemu:
status: Invalid → Confirmed
Philippe Mathieu-Daudé (philmd) wrote : Re: [PATCH-for-6.0] hw/ppc/mac_newworld: Restrict RAM to 2 GiB

On 4/7/21 3:11 PM, Mark Cave-Ayland wrote:
> On 06/04/2021 09:48, Philippe Mathieu-Daudé wrote:
>
>> On Mac99 and newer machines, the Uninorth PCI host bridge maps
>> the PCI hole region at 2GiB, so the RAM area beyond 2GiB is not
>> accessible by the CPU. Restrict the memory to 2GiB to avoid
>> problems such as the one reported in the buglink.
>>
>> Buglink: https://bugs.launchpad.net/qemu/+bug/1922391
>> Reported-by: Håvard Eidnes <email address hidden>
>> Signed-off-by: Philippe Mathieu-Daudé <email address hidden>
>> ---
>>   hw/ppc/mac_newworld.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
>> index 21759628466..d88b38e9258 100644
>> --- a/hw/ppc/mac_newworld.c
>> +++ b/hw/ppc/mac_newworld.c
>> @@ -157,6 +157,10 @@ static void ppc_core99_init(MachineState *machine)
>>       }
>>         /* allocate RAM */
>> +    if (machine->ram_size > 2 * GiB) {
>> +        error_report("RAM size more than 2 GiB is not supported");
>> +        exit(1);
>> +    }
>>       memory_region_add_subregion(get_system_memory(), 0, machine->ram);
>>         /* allocate and load firmware ROM */
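Review bot: the new bounds check only guards ppc_core99_init() in hw/ppc/mac_newworld.c, but the reply below points out that the g3beige machine places its PCI hole at 0x80000000 as well, so the same `machine->ram_size > 2 * GiB` check is needed in that machine's init too (or in a helper both machines call), otherwise the same assertion remains reachable there. Consider also including the requested size in the error_report() message (cast to uint64_t for a portable format) so the user can see which -m value to change. Finally, as the follow-up acknowledges, rejecting the configuration avoids the abort but does not address the underlying memory_region_finalize failure in the macio IDE unmap path, which still warrants investigation.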
>
> I think the patch is correct, however I'm fairly sure that the default
> g3beige machine also has the PCI hole located at 0x80000000 so the same
> problem exists there too.
>
> Also are you keen to get this merged for 6.0? It doesn't seem to solve a
> security issue/release blocker and I'm sure the current behaviour has
> been like this for a long time...

No problem. I wanted to revisit this bug anyway. I realized during the
night that, while this patch makes QEMU exit cleanly, it hides the bug, which
is likely in TYPE_MACIO_IDE (I haven't tried Håvard's full reproducer).

Regards,

Phil.

Thomas Huth (th-huth) wrote :
Changed in qemu:
status: Confirmed → Fix Released