From: Arie
Subject: [Qemu-devel] [Bug 912216] [NEW] ARM: QEMU crashes with segmentation fault on supervisor call
Date: Thu, 05 Jan 2012 11:46:23 -0000

Public bug reported:

I am working on some mixed C/ASM code for the ARM Cortex-M3 but when I try to 
simulate it, QEMU crashes with a segmentation fault. The exact instruction it 
crashes on is a supervisor call from the assembly file.
I am using the default Sourcery CodeBench Lite 2011.09-69 for ARM\EABI (Not 
GNU\Linux). The build environment is mingw32 on a win7 x64 machine.

The following code is what I used to trigger the segmentation fault.

main.c:
extern void testFunc( void );   /* defined in test.s */

int main()
{
    testFunc();                 /* executes the svc instruction */
    
    while(1);                   /* never returns; park the core */
}

test.s:
    .syntax     unified
    .global     testFunc
    .global     __cs3_isr_svcall    @ SVCall handler slot named by the CS3 vector table


    .text
    .balign     4
__cs3_isr_svcall:
    bx      lr                  @ minimal SVCall handler: just return

    .balign     4
testFunc:
    svc     #1                  @ supervisor call; QEMU faults on this instruction

    BX      LR

    .end

    
This is built in an MSYS shell with the command:
arm-none-eabi-gcc -o test1.elf main.c test.s -g -mcpu=cortex-m3 -march=armv7-m -mthumb -lc -lgcc -T generic-m-hosted.ld

The output elf file is also attached to this bug report.


To get information on the segmentation fault I start Qemu from GDB in a 
debian-6 Virtual Machine (VMWare Player). This Qemu is configured with 
--enable-debug and the output of this configure is:
Install prefix    /usr/local
BIOS directory    /usr/local/share/qemu
binary directory  /usr/local/bin
library directory /usr/local/lib
include directory /usr/local/include
config directory  /usr/local/etc
Manual directory  /usr/local/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path       /home/testbox/Downloads/qemu-1.0
C compiler        gcc
Host C compiler   gcc
CFLAGS            -g 
QEMU_CFLAGS       -fPIE -DPIE -m64 -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE 
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes 
-Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes 
-fno-strict-aliasing  -fstack-protector-all -Wendif-labels 
-Wmissing-include-dirs -Wempty-body -Wnested-externs -Wformat-security 
-Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-declaration 
-Wold-style-definition -Wtype-limits -I/usr/include/libpng12  
LDFLAGS           -Wl,--warn-common -Wl,-z,relro -Wl,-z,now -pie -m64 -g 
make              make
install           install
python            python
smbd              /usr/sbin/smbd
host CPU          x86_64
host big endian   no
target list       i386-softmmu x86_64-softmmu alpha-softmmu arm-softmmu 
cris-softmmu lm32-softmmu m68k-softmmu microblaze-softmmu microblazeel-softmmu 
mips-softmmu mipsel-softmmu mips64-softmmu mips64el-softmmu ppc-softmmu 
ppcemb-softmmu ppc64-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu 
sparc64-softmmu s390x-softmmu xtensa-softmmu xtensaeb-softmmu i386-linux-user 
x86_64-linux-user alpha-linux-user arm-linux-user armeb-linux-user 
cris-linux-user m68k-linux-user microblaze-linux-user microblazeel-linux-user 
mips-linux-user mipsel-linux-user ppc-linux-user ppc64-linux-user 
ppc64abi32-linux-user sh4-linux-user sh4eb-linux-user sparc-linux-user 
sparc64-linux-user sparc32plus-linux-user unicore32-linux-user s390x-linux-user 
tcg debug enabled yes
Mon debug enabled yes
gprof enabled     no
sparse enabled    no
strip binaries    no
profiler          no
static build      no
-Werror enabled   no
SDL support       no
curses support    yes
curl support      no
check support     no
mingw32 support   no
Audio drivers     oss
Extra audio cards ac97 es1370 sb16 hda
Block whitelist   
Mixer emulation   no
VNC support       yes
VNC TLS support   yes
VNC SASL support  no
VNC JPEG support  yes
VNC PNG support   yes
VNC thread        no
xen support       no
brlapi support    no
bluez  support    no
Documentation     yes
NPTL support      yes
GUEST_BASE        yes
PIE               yes
vde support       no
Linux AIO support no
ATTR/XATTR support yes
Install blobs     yes
KVM support       yes
TCG interpreter   no
fdt support       no
preadv support    yes
fdatasync         yes
madvise           yes
posix_madvise     yes
uuid support      no
vhost-net support yes
Trace backend     nop
Trace output file trace-<pid>
spice support     no
rbd support       no
xfsctl support    no
nss used          no
usb net redir     no
OpenGL support    yes
libiscsi support  no
build guest agent yes


The result of the debug session of GDB (note the parameters to Qemu on the 
command line):

address@hidden:/mnt/build_test1$ gdb -args 
/home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm -cpu cortex-m3 
-nographic -monitor null -serial null -semihosting -kernel test1.elf -gdb 
tcp::2200
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from 
/home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm...done.
(gdb) run
Starting program: /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm 
-cpu cortex-m3 -nographic -monitor null -serial null -semihosting -kernel 
test1.elf -gdb tcp::2200
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff36a2700 (LWP 4139)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff36a2700 (LWP 4139)]
0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
154         if (GIC_TEST_PENDING(irq, cm))
(gdb) thread apply all bt full

Thread 2 (Thread 0x7ffff36a2700 (LWP 4139)):
#0  0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
        cm = 1
#1  0x00007ffff7dc228f in armv7m_nvic_set_pending (opaque=0x0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/armv7m_nvic.c:95
        s = 0x0
#2  0x00007ffff7df39c7 in do_interrupt_v7m (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:788
        xpsr = 1627389952
        lr = 4294967289
        addr = 1243751108
#3  0x00007ffff7df3c3d in do_interrupt (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:850
        addr = 32767
        mask = 4128067360
        new_mode = 0
        offset = 0
#4  0x00007ffff7dc8cbc in cpu_arm_exec (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpu-exec.c:257
        ret = 0
        interrupt_request = 0
---Type <return> to continue, or q <return> to quit---
        tb = 0x7ffff36a4120
        tc_ptr = 0x400020f0 "\277\002"
        next_tb = 140737277214896
#5  0x00007ffff7dcb824 in tcg_cpu_exec (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpus.c:1007
        ret = 16809983
#6  0x00007ffff7dcb93d in tcg_exec_all ()
    at /home/testbox/Downloads/qemu-1.0/cpus.c:1039
        env = 0x7ffff8abb810
        r = 0
#7  0x00007ffff7dcaf2d in qemu_tcg_cpu_thread_fn (arg=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpus.c:774
        env = 0x0
#8  0x00007ffff60ca8ba in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#9  0x00007ffff5e3202d in clone () from /lib/libc.so.6
No symbol table info available.
#10 0x0000000000000000 in ?? ()
No symbol table info available.

Thread 1 (Thread 0x7ffff7b8e700 (LWP 4136)):
#0  0x00007ffff5e2b8d3 in select () from /lib/libc.so.6
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#1  0x00007ffff7d1cb93 in main_loop_wait (nonblocking=0) at main-loop.c:456
        rfds = {fds_bits = {3456, 0 <repeats 15 times>}}
        wfds = {fds_bits = {0 <repeats 16 times>}}
        xfds = {fds_bits = {0 <repeats 16 times>}}
        ret = 32767
        nfds = 11
        tv = {tv_sec = 0, tv_usec = 996976}
        timeout = 1000
#2  0x00007ffff7d14628 in main_loop ()
    at /home/testbox/Downloads/qemu-1.0/vl.c:1481
        nonblocking = false
        last_io = 0
#3  0x00007ffff7d19484 in main (argc=13, argv=0x7fffffffe268, 
    envp=0x7fffffffe2d8) at /home/testbox/Downloads/qemu-1.0/vl.c:3485
        gdbstub_dev = 0x7fffffffe5ee "tcp::2200"
        i = 64
        snapshot = 0
        linux_boot = 1
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x7fffffffe5df "test1.elf"
        kernel_cmdline = 0x7ffff7f594af ""
        boot_devices = "cad", '\000' <repeats 29 times>
---Type <return> to continue, or q <return> to quit---
        ds = 0x7ffff8ccbdb0
        dcl = 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x0
        opts = 0x7fffffffe020
        olist = 0x7ffff7b92358
        optind = 13
        optarg = 0x7fffffffe5ee "tcp::2200"
        loadvm = 0x0
        machine = 0x7ffff82796c0
        cpu_model = 0x7fffffffe59a "cortex-m3"
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = 1
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0x7ffff7d15ed0 <malloc_and_trace>, 
          realloc = 0x7ffff7d15f28 <realloc_and_trace>, 
          free = 0x7ffff7d15f8f <free_and_trace>, calloc = 0, try_malloc = 0, 
---Type <return> to continue, or q <return> to quit---
          try_realloc = 0}
        trace_events = 0x0
        trace_file = 0x0
(gdb) 


Also tested with GIT commit c47f322 (Wed, 4 Jan 2012 16:06:25).
This produces the same crash, but the line in the source file arm_gic.c it 
crashes on has moved to 161.

I hope I have supplied all the necessary information.

** Affects: qemu
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/912216

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/912216/+subscriptions
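Added example (not code from the report, QEMU or gdb): a Python script that parses a "thread apply all bt full" transcript like the one above, lists every frame that received a NULL pointer argument, and names the caller that handed it down. The sample transcript is an excerpt of the report's own backtrace (thread 2, frames #0 to #4, and the first two frames of thread 1, with one pager prompt kept to show it is skipped); the names parse_backtrace, triage and Frame are this example's own. On this trace it reports that the crash in gic_set_pending_private (s=0x0) propagates from armv7m_nvic_set_pending(opaque=0x0), called from do_interrupt_v7m at helper.c:788, which is the first place a maintainer would read.

```python
"""Triage a gdb 'thread apply all bt full' transcript: list the frames that were
handed a NULL pointer argument and name the caller that introduced it.
Added example for this bug report, not QEMU or gdb code; SAMPLE_BT is an
excerpt of the report's own backtrace with one pager prompt kept in."""
import re
from dataclasses import dataclass, field

PAGER_RE = re.compile(r"^---Type <return> to continue")
THREAD_RE = re.compile(r"^Thread (\d+) \(")
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[\w?.]+) "
    r"\((?P<args>.*)\)(?:\s+(?:at|from) (?P<loc>\S+))?"
)
LOCAL_RE = re.compile(r"^\s+(\w+) = (.*)$")
NULL = "0x0"  # how gdb prints a null pointer
SAMPLE_BT = r"""Thread 2 (Thread 0x7ffff36a2700 (LWP 4139)):
#0  0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
        cm = 1
#1  0x00007ffff7dc228f in armv7m_nvic_set_pending (opaque=0x0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/armv7m_nvic.c:95
        s = 0x0
#2  0x00007ffff7df39c7 in do_interrupt_v7m (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:788
#3  0x00007ffff7df3c3d in do_interrupt (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:850
#4  0x00007ffff7dc8cbc in cpu_arm_exec (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpu-exec.c:257
        ret = 0
---Type <return> to continue, or q <return> to quit---
        tb = 0x7ffff36a4120

Thread 1 (Thread 0x7ffff7b8e700 (LWP 4136)):
#0  0x00007ffff5e2b8d3 in select () from /lib/libc.so.6
No symbol table info available.
#1  0x00007ffff7d1cb93 in main_loop_wait (nonblocking=0) at main-loop.c:456
"""

@dataclass
class Frame:
    thread: int
    number: int
    func: str
    location: str
    args: dict = field(default_factory=dict)
    locals: dict = field(default_factory=dict)

    def null_args(self):
        return [name for name, value in self.args.items() if value == NULL]

def parse_backtrace(text):
    """Turn the transcript into Frame objects, joining gdb's wrapped lines."""
    lines = [l for l in text.splitlines() if not PAGER_RE.match(l)]
    frames, thread, current, i = [], 0, None, 0
    while i < len(lines):
        line = lines[i]
        m = THREAD_RE.match(line)
        if m:
            thread, current = int(m.group(1)), None
        elif line.startswith("#"):
            header = line.rstrip()
            # long argument lists wrap: keep joining until the parens balance
            while header.count("(") > header.count(")") and i + 1 < len(lines):
                i += 1
                header += " " + lines[i].strip()
            # 'at file:line' / 'from lib' often sits on the next line
            if (" at " not in header and " from " not in header and i + 1 < len(lines)
                    and lines[i + 1].strip().startswith(("at ", "from "))):
                i += 1
                header += " " + lines[i].strip()
            m, current = FRAME_RE.match(header), None
            if m:
                args = {k: v.strip() for k, v in re.findall(r"(\w+)=([^,()]+)", m["args"])}
                current = Frame(thread, int(m["num"]), m["func"], m["loc"] or "?", args)
                frames.append(current)
        else:
            m = LOCAL_RE.match(line)
            if m and current is not None:  # 'bt full' locals; struct members flattened
                current.locals[m.group(1)] = m.group(2).strip()
        i += 1
    return frames

def triage(frames, thread):
    """Innermost frame = crash site; the outermost frame holding a NULL argument
    is where the bad pointer entered the chain, and its caller is where to look."""
    stack = sorted((f for f in frames if f.thread == thread), key=lambda f: f.number)
    tainted = [f for f in stack if f.null_args()]
    if not tainted:
        return None
    receiver = tainted[-1]
    caller = next((f for f in stack if f.number == receiver.number + 1), None)
    return {
        "crash_site": f"{stack[0].func} at {stack[0].location}",
        "null_args": [(f.number, f.func, n) for f in tainted for n in f.null_args()],
        "entered_at": f"{receiver.func}({', '.join(n + '=0x0' for n in receiver.null_args())})",
        "introduced_by": f"{caller.func} at {caller.location}" if caller else "unknown",
    }

if __name__ == "__main__":
    for key, value in triage(parse_backtrace(SAMPLE_BT), thread=2).items():
        print(f"{key:14} {value}")
```

Running the script prints the four triage fields for thread 2; thread 1 (the select loop) yields nothing because none of its pointer arguments is NULL. The same parser can be pointed at a saved gdb log from any QEMU build, since it keys only on gdb's frame and locals format, not on QEMU symbol names.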


