
Re: [Qemu-devel] [Bug 1180970] [NEW] qemu: fatal: Trying to execute code


From: Paolo Bonzini
Subject: Re: [Qemu-devel] [Bug 1180970] [NEW] qemu: fatal: Trying to execute code outside RAM or ROM; worked in 1.4.0, fails in 1.4.92
Date: Fri, 17 May 2013 12:20:54 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130311 Thunderbird/17.0.4

Il 16/05/2013 23:46, Laszlo Ersek ha scritto:
> On 05/16/13 21:58, Duane Voth wrote:
>> Public bug reported:
>>
>> I'm using qemu to run and debug the EDK2 uEFI environment. OVMF is
>> being built out of the EDK2 tree I've checked out (r14367).
>> (Reproducing all this could be tedious so I am available for
>> debugging/testing.)
>>
>> qemu 1.4.0 was able to execute this guest environment with no trouble,
>> qemu 1.4.92 however issues an error message and aborts.  The command
>> line I use to start qemu is:
>>
>> $ /usr/local/bin/qemu-system-x86_64 -m 1024 -bios OVMF.fd -monitor stdio
>>
>> 1.4.92 gives the following register dump:
>>
>> QEMU 1.4.92 monitor - type 'help' for more information
>> (qemu) qemu: fatal: Trying to execute code outside RAM or ROM at 0x0000000100000000
>>
>> RAX=000000003e084da8 RBX=000000003e084868 RCX=0000000000000000 RDX=000000003e084f00
>> RSI=0000000000000001 RDI=000000003e085000 RBP=000000003e084708 RSP=000000003fac8510
>> R8 =0000000000000000 R9 =000000003e14c3e3 R10=0000000000000033 R11=00000000000000d3
>> R12=000000003e0848a0 R13=0000000000000000 R14=0000000000000000 R15=0000000000000000
>> RIP=00000000ffffffe4 RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
>> ES =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
>> CS =0028 0000000000000000 ffffffff 00af9b00 DPL=0 CS64 [-RA]
>> SS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
>> DS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
>> FS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
>> GS =0008 0000000000000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
>> LDT=0000 0000000000000000 0000ffff 00008200 DPL=0 LDT
>> TR =0000 0000000000000000 0000ffff 00008b00 DPL=0 TSS64-busy
>> GDT=     000000003fa50e98 0000003f
>> IDT=     000000003f9d6e20 00000fff
>> CR0=80000033 CR2=0000000000000000 CR3=000000003fa67000 CR4=00000668
>> ...
>>
>>
>> Questions:
>> 1) Is this problem relevant?  (is full backward compatibility to be
>> supported?)
>> 2) Are there new guest execution controls in 1.4.9x that might cause
>> this?
>> 3) If #2, can they be disabled by a qemu command line switch?
>> 4) If not #2, in what qemu source file specifically can I find the
>> logic causing the abort? (help me help you :)
>> 5) If guest memory is corrupted or improperly mapped, how can I keep
>> qemu alive to examine/dump guest memory?
> 
> I reckon you don't see this with KVM enabled. (Because I don't see it
> with KVM enabled, with my own OVMF builds anyway :), plus the "Trying to
> execute code outside RAM or ROM" message comes from code that strikes me
> as part of TCG.)
> 
> It surprises me that RIP=00000000ffffffe4 whereas get_page_addr_code()
> [cputlb.c] logs "at 0x0000000100000000".
> 
> The RIP seems to be in OVMF init code.
> 
> 0x0000000100000000 is 4G exactly and looks suspicious.
> 
> Can you try bisecting TCG between 1.4.0 and current master?
> 
> git log --oneline --reverse v1.4.0.. -- tcg \
> | egrep -v 'tcg[-/](arm|ppc|sparc|s390|mips)'
> 
>   0b0d332 TCG: Final globals clean-up
>   5e5f07e TCG: Move translation block variables to new context inside tcg_ctx: tb_ctx
>   24537a0 qemu-log: Rename the public-facing cpu_set_log function to qemu_set_log
>   e6a7273 tcg: Make 32-bit multiword operations optional for 64-bit hosts
>   bbc863b tcg-i386: Always implement 32-bit multiword ops
>   d7156f7 tcg: Add 64-bit multiword arithmetic operations
>   4d3203f tcg: Add signed multiword multiplication operations
>   3c51a98 tcg: Implement a 64-bit to 32-bit extraction helper
>   696a8be tcg: Implement multiword multiply helpers
>   f6953a7 tcg: Implement multiword addition helpers
>   624988a tcg-i386: Implement multiword arithmetic ops
>   f402f38 tcg: Implement muls2 with mulu2
>   f1fae40 tcg: Apply life analysis to 64-bit multiword arithmetic ops
>   989b697 qemu-log: default to stderr for logging output
>   0980011 tcg: Document tcg_qemu_tb_exec() and provide constants for low bit uses
>   378df4b Handle CPU interrupts by inline checking of a flag
>   294e466 Use proper term in TCG README
>   2d49754 tcg-optimize: Fold sub r,0,x to neg r,x
>   03fc054 tci: Use 32-bit signed offsets to loads/stores
>   4699ca6 tci: Delete unused tb_ret_addr
>   ee79c35 tci: Make tcg temporaries local to tcg_qemu_tb_exec
>   0a9c234 Merge branch 'tci' of git://qemu.weilnetz.de/qemu
>   ed60512 tcg: fix deposit_i64 op on 32-bit targets
>   d6b64b2 tcg: Log the contents of the prologue with -d out_asm
>   66e61b5 tcg/optimize: fix setcond2 optimization
> 
> Anyway I'm just throwing around words and waving my hand, hoping that
> someone with actual insight will chime in.

You also need to add target-i386/ to this list, but yes, bisection
sounds like a plan.

I suggest that you bisect using a new build directory on every
compilation step, something like "rm -rf build; mkdir build; (cd build
&& ../configure --target-list=x86_64-softmmu && make -jNN)".

Paolo
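The bisection the two replies above describe (walk the commits touching tcg/ and target-i386/ between v1.4.0 and master, rebuilding in a fresh build directory at every step, and boot OVMF under TCG to see whether the "Trying to execute code outside RAM or ROM" abort appears) can be handed to `git bisect run`. The script below is an added example, not code from the thread or from the QEMU project. It assumes it is saved as `bisect-ovmf.sh` in the top of a QEMU checkout of that era (so the binary lands in `build/x86_64-softmmu/`), that `OVMF.fd` is reachable via the hypothetical `OVMF` variable, and that coreutils `timeout` is available; the run-time bound, job count and paths are all assumptions to adjust.

```shell
#!/bin/sh
# Added example: git-bisect step script for the OVMF/TCG abort discussed above.
# Not part of the thread or of QEMU itself.
set -u

# Paths to bisect over: Laszlo's tcg/ plus Paolo's target-i386/.
BISECT_PATHS="tcg target-i386"
# The abort message quoted in the bug report.
FATAL_MSG="Trying to execute code outside RAM or ROM"
OVMF="${OVMF:-OVMF.fd}"           # assumed location of the firmware image
JOBS="${JOBS:-4}"                 # assumed -j value for make
RUN_SECONDS="${RUN_SECONDS:-60}"  # assumed: a guest surviving this long is "good"

# Map a captured QEMU run log to the exit codes git-bisect understands:
#   0   good  (monitor banner seen, no fatal message)
#   1   bad   (the "outside RAM or ROM" abort is present)
#   125 skip  (no monitor banner: QEMU never started, e.g. the build failed)
classify_log() {
    log="$1"
    if ! grep -q 'QEMU .* monitor' "$log"; then
        return 125
    fi
    if grep -q "$FATAL_MSG" "$log"; then
        return 1
    fi
    return 0
}

# Fresh build directory on every step, exactly as suggested in the reply above.
# A build failure is reported as 125 so git-bisect skips the commit.
build_fresh() {
    rm -rf build && mkdir build || return 125
    ( cd build && ../configure --target-list=x86_64-softmmu && make -j"$JOBS" ) \
        >build.log 2>&1 || return 125
}

# One bisect step: rebuild, boot OVMF under TCG (no -enable-kvm, since the
# abort is only seen with TCG), and classify the combined stdout/stderr.
bisect_step() {
    build_fresh || return $?
    log=$(mktemp)
    # The monitor banner goes to stdout, "qemu: fatal: ..." to stderr; capture both.
    # -no-reboot keeps a crashed guest from looping; timeout bounds a good run.
    timeout "$RUN_SECONDS" ./build/x86_64-softmmu/qemu-system-x86_64 \
        -m 1024 -bios "$OVMF" -monitor stdio -display none -no-reboot \
        </dev/null >"$log" 2>&1
    classify_log "$log"
    rc=$?
    rm -f "$log"
    return $rc
}

# Usage, from the top of the QEMU tree:
#   git bisect start master v1.4.0 -- $BISECT_PATHS
#   git bisect run sh ./bisect-ovmf.sh
# The step only runs when invoked under that file name, so the functions
# can also be sourced and tested on their own.
case "${0##*/}" in bisect-ovmf.sh) bisect_step ;; esac
```

The exit-code convention is the whole point of `git bisect run`: anything other than 0 or 1 in the 1..127 range marks the commit bad, and 125 is reserved for "cannot test this commit", which is what a configure or make failure on an intermediate commit should produce rather than a false "bad". Limiting the start command to `-- tcg target-i386` restricts the search to commits touching those paths, so the list Laszlo produced with `git log` is what gets bisected.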
