[PULL] qemu-sparc updates

Message ID 20180108193124.mjei33w5wopmadmk@kentang.home
State New

Pull-request

https://github.com/mcayland/qemu.git tags/qemu-sparc-signed

Message

Mark Cave-Ayland Jan. 8, 2018, 7:31 p.m. UTC
Hi Peter,

Here is the first set of SPARC updates for 2.12. Please pull.


ATB,

Mark. 


The following changes since commit 4124ea4f5bd367ca6412fb2dfe7ac4d80e1504d9:

  Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20171229' into staging (2018-01-08 16:17:04 +0000)

are available in the git repository at:

  https://github.com/mcayland/qemu.git tags/qemu-sparc-signed

for you to fetch changes up to 6a52624720e5abc6a1f067a7e7b8239b428e0c95:

  sun4u_iommu: add trace event for IOMMU translations (2018-01-08 19:07:55 +0000)

----------------------------------------------------------------
qemu-sparc update

----------------------------------------------------------------
Jean-Christophe Dubois (1):
      target/sparc: remove MemoryRegionSection check code from sparc_cpu_get_phys_page_debug()

Mark Cave-Ayland (24):
      apb: move QOM macros and typedefs from apb.c to apb.h
      sun4u: ebus QOMify tidy-up
      sun4u: move ISABus inside of EBusState
      sun4u: remove pci_ebus_init() function
      sun4u: move initialisation of all ISABus devices into ebus_realize()
      apb: APB QOMify tidy-up
      apb: return APBState from pci_apb_init() rather than PCIBus
      apb: use gpios to wire up the apb device to the SPARC CPU IRQs
      apb: move the two secondary PCI bridges objects into APBState
      apb: remove pci_apb_init() and instantiate APB device using qdev
      apb: split pci_pbm_map_irq() into separate functions for bus A and bus B
      apb: remove busA property from PBMPCIBridge state
      ebus: wire up OBIO interrupts to APB pbm via qdev GPIOs
      apb: replace OBIO interrupt numbers in pci_pbmA_map_irq() with constants
      sparc64: introduce trace-events for hw/sparc64
      sun4u: switch from EBUS_DPRINTF() macro to trace-events
      sun4m: move sun4m_iommu.c from hw/dma to hw/sparc
      sun4m: move IOMMU declarations from sun4m.h to sun4m_iommu.h
      sun4m: remove include/hw/sparc/sun4m.h and all references to it
      apb: QOMify IOMMU
      sun4u: split IOMMU device out from apb.c to sun4u_iommu.c
      sun4u_iommu: update to reflect IOMMU is no longer part of the APB device
      sun4u_iommu: convert from IOMMU_DPRINTF to trace-events
      sun4u_iommu: add trace event for IOMMU translations

 Makefile.objs                   |   1 +
 hw/dma/Makefile.objs            |   1 -
 hw/dma/sparc32_dma.c            |   2 +-
 hw/dma/trace-events             |  10 -
 hw/intc/slavio_intctl.c         |   1 -
 hw/net/lance.c                  |   2 +-
 hw/pci-host/apb.c               | 545 ++++++++--------------------------------
 hw/sparc/Makefile.objs          |   2 +-
 hw/sparc/sun4m.c                |   2 +-
 hw/{dma => sparc}/sun4m_iommu.c |  13 +-
 hw/sparc/trace-events           |  10 +
 hw/sparc64/Makefile.objs        |   1 +
 hw/sparc64/sparc64.c            |   2 +
 hw/sparc64/sun4u.c              | 193 ++++++++------
 hw/sparc64/sun4u_iommu.c        | 342 +++++++++++++++++++++++++
 hw/sparc64/trace-events         |   9 +
 hw/timer/slavio_timer.c         |   1 -
 include/hw/pci-host/apb.h       |  54 +++-
 include/hw/sparc/sparc64.h      |   2 +
 include/hw/sparc/sun4m.h        |  35 ---
 include/hw/sparc/sun4m_iommu.h  |  51 ++++
 include/hw/sparc/sun4u_iommu.h  |  50 ++++
 target/sparc/mmu_helper.c       |   6 -
 23 files changed, 744 insertions(+), 591 deletions(-)
 rename hw/{dma => sparc}/sun4m_iommu.c (98%)
 create mode 100644 hw/sparc64/sun4u_iommu.c
 create mode 100644 hw/sparc64/trace-events
 delete mode 100644 include/hw/sparc/sun4m.h
 create mode 100644 include/hw/sparc/sun4m_iommu.h
 create mode 100644 include/hw/sparc/sun4u_iommu.h

Comments

Peter Maydell Jan. 9, 2018, 6:22 p.m. UTC | #1
On 8 January 2018 at 19:31, Mark Cave-Ayland
<mark.cave-ayland@ilande.co.uk> wrote:
> Hi Peter,
>
> Here is the first set of SPARC updates for 2.12. Please pull.
>
>
> ATB,
>
> Mark.
>
>
> The following changes since commit 4124ea4f5bd367ca6412fb2dfe7ac4d80e1504d9:
>
>   Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20171229' into staging (2018-01-08 16:17:04 +0000)
>
> are available in the git repository at:
>
>   https://github.com/mcayland/qemu.git tags/qemu-sparc-signed
>
> for you to fetch changes up to 6a52624720e5abc6a1f067a7e7b8239b428e0c95:
>
>   sun4u_iommu: add trace event for IOMMU translations (2018-01-08 19:07:55 +0000)
>
> ----------------------------------------------------------------
> qemu-sparc update
>
> ----------------------------------------------------------------

Hi. This seems to crash in 'make check'. One of the crashes has a
memory corruption splat:

TEST: tests/device-introspect-test... (pid=20423)
  /sparc64/device/introspect/list:                                     OK
  /sparc64/device/introspect/list-fields:                              OK
  /sparc64/device/introspect/none:                                     OK
  /sparc64/device/introspect/abstract:                                 OK
  /sparc64/device/introspect/concrete:
*** Error in `sparc64-softmmu/qemu-system-sparc64': corrupted double-linked list (not small): 0x0000010033b823a0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0xb0b94)[0x3fff90ce0b94]
/lib64/libc.so.6(+0xb5b18)[0x3fff90ce5b18]
/lib64/libc.so.6(__libc_calloc-0x14b664)[0x3fff90ce9934]
/lib64/libglib-2.0.so.0(g_malloc0-0x100d54)[0x3fff97a634d4]
sparc64-softmmu/qemu-system-sparc64[0x1030a9bc]
sparc64-softmmu/qemu-system-sparc64[0x103062c8]
sparc64-softmmu/qemu-system-sparc64[0x103062a0]

Running it under valgrind with
QTEST_QEMU_BINARY='valgrind sparc64-softmmu/qemu-system-sparc64'
./tests/device-introspect-test -p /sparc64/device/introspect/concrete

gives this write-after-free:

==1931== Invalid write of size 8
==1931==    at 0x55EA51: pci_host_bus_register (pci.c:331)
==1931==    by 0x55ECBD: pci_bus_init (pci.c:393)
==1931==    by 0x55EE18: pci_bus_new (pci.c:424)
==1931==    by 0x55EEE2: pci_register_bus (pci.c:447)
==1931==    by 0x55D14F: pci_pbm_init (apb.c:464)
==1931==    by 0x69179B: object_init_with_type (object.c:353)
==1931==    by 0x6919D0: object_initialize_with_type (object.c:384)
==1931==    by 0x691E3B: object_new_with_type (object.c:492)
==1931==    by 0x691E78: object_new (object.c:502)
==1931==    by 0x479A3C: qmp_device_list_properties (qmp.c:537)
==1931==    by 0x455479: qdev_device_help (qdev-monitor.c:279)
==1931==    by 0x456C9E: qmp_device_add (qdev-monitor.c:802)
==1931==  Address 0x2ca7af08 is 1,528 bytes inside a block of size 3,312 free'd
==1931==    at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1931==    by 0x691DC6: object_finalize (object.c:480)
==1931==    by 0x692CBD: object_unref (object.c:911)
==1931==    by 0x479B91: qmp_device_list_properties (qmp.c:572)
==1931==    by 0x469EA0: qmp_marshal_device_list_properties (qmp-marshal.c:1393)
==1931==    by 0x7A25D2: do_qmp_dispatch (qmp-dispatch.c:104)
==1931==    by 0x7A2703: qmp_dispatch (qmp-dispatch.c:131)
==1931==    by 0x39E36D: handle_qmp_command (monitor.c:3839)
==1931==    by 0x7AA357: json_message_process_token (json-streamer.c:105)
==1931==    by 0x7D70CB: json_lexer_feed_char (json-lexer.c:323)
==1931==    by 0x7D7213: json_lexer_feed (json-lexer.c:373)
==1931==    by 0x7AA3FE: json_message_parser_feed (json-streamer.c:124)
==1931==  Block was alloc'd at
==1931==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1931==    by 0x1C004718: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==1931==    by 0x691E1C: object_new_with_type (object.c:491)
==1931==    by 0x691E78: object_new (object.c:502)
==1931==    by 0x479A3C: qmp_device_list_properties (qmp.c:537)
==1931==    by 0x469EA0: qmp_marshal_device_list_properties (qmp-marshal.c:1393)
==1931==    by 0x7A25D2: do_qmp_dispatch (qmp-dispatch.c:104)
==1931==    by 0x7A2703: qmp_dispatch (qmp-dispatch.c:131)
==1931==    by 0x39E36D: handle_qmp_command (monitor.c:3839)
==1931==    by 0x7AA357: json_message_process_token (json-streamer.c:105)
==1931==    by 0x7D70CB: json_lexer_feed_char (json-lexer.c:323)
==1931==    by 0x7D7213: json_lexer_feed (json-lexer.c:373)



thanks
-- PMM
Mark Cave-Ayland Jan. 9, 2018, 10:18 p.m. UTC | #2
On 09/01/18 18:22, Peter Maydell wrote:

>> The following changes since commit 4124ea4f5bd367ca6412fb2dfe7ac4d80e1504d9:
>>
>>    Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20171229' into staging (2018-01-08 16:17:04 +0000)
>>
>> are available in the git repository at:
>>
>>    https://github.com/mcayland/qemu.git tags/qemu-sparc-signed
>>
>> for you to fetch changes up to 6a52624720e5abc6a1f067a7e7b8239b428e0c95:
>>
>>    sun4u_iommu: add trace event for IOMMU translations (2018-01-08 19:07:55 +0000)
>>
>> ----------------------------------------------------------------
>> qemu-sparc update
>>
>> ----------------------------------------------------------------
> 
> Hi. This seems to crash in 'make check'. One of the crashes has a
> memory corruption splat:
> 
> TEST: tests/device-introspect-test... (pid=20423)
>    /sparc64/device/introspect/list:                                     OK
>    /sparc64/device/introspect/list-fields:                              OK
>    /sparc64/device/introspect/none:                                     OK
>    /sparc64/device/introspect/abstract:                                 OK
>    /sparc64/device/introspect/concrete:
> *** Error in `sparc64-softmmu/qemu-system-sparc64': corrupted double-linked list (not small): 0x0000010033b823a0 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0xb0b94)[0x3fff90ce0b94]
> /lib64/libc.so.6(+0xb5b18)[0x3fff90ce5b18]
> /lib64/libc.so.6(__libc_calloc-0x14b664)[0x3fff90ce9934]
> /lib64/libglib-2.0.so.0(g_malloc0-0x100d54)[0x3fff97a634d4]
> sparc64-softmmu/qemu-system-sparc64[0x1030a9bc]
> sparc64-softmmu/qemu-system-sparc64[0x103062c8]
> sparc64-softmmu/qemu-system-sparc64[0x103062a0]
> 
> Running it under valgrind with
> QTEST_QEMU_BINARY='valgrind sparc64-softmmu/qemu-system-sparc64'
> ./tests/device-introspect-test -p /sparc64/device/introspect/concrete
> 
> gives this write-after-free:
> 
> ==1931== Invalid write of size 8
> ==1931==    at 0x55EA51: pci_host_bus_register (pci.c:331)
> ==1931==    by 0x55ECBD: pci_bus_init (pci.c:393)
> ==1931==    by 0x55EE18: pci_bus_new (pci.c:424)
> ==1931==    by 0x55EEE2: pci_register_bus (pci.c:447)
> ==1931==    by 0x55D14F: pci_pbm_init (apb.c:464)
> ==1931==    by 0x69179B: object_init_with_type (object.c:353)
> ==1931==    by 0x6919D0: object_initialize_with_type (object.c:384)
> ==1931==    by 0x691E3B: object_new_with_type (object.c:492)
> ==1931==    by 0x691E78: object_new (object.c:502)
> ==1931==    by 0x479A3C: qmp_device_list_properties (qmp.c:537)
> ==1931==    by 0x455479: qdev_device_help (qdev-monitor.c:279)
> ==1931==    by 0x456C9E: qmp_device_add (qdev-monitor.c:802)
> ==1931==  Address 0x2ca7af08 is 1,528 bytes inside a block of size 3,312 free'd
> ==1931==    at 0x4C2EDEB: free (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==1931==    by 0x691DC6: object_finalize (object.c:480)
> ==1931==    by 0x692CBD: object_unref (object.c:911)
> ==1931==    by 0x479B91: qmp_device_list_properties (qmp.c:572)
> ==1931==    by 0x469EA0: qmp_marshal_device_list_properties (qmp-marshal.c:1393)
> ==1931==    by 0x7A25D2: do_qmp_dispatch (qmp-dispatch.c:104)
> ==1931==    by 0x7A2703: qmp_dispatch (qmp-dispatch.c:131)
> ==1931==    by 0x39E36D: handle_qmp_command (monitor.c:3839)
> ==1931==    by 0x7AA357: json_message_process_token (json-streamer.c:105)
> ==1931==    by 0x7D70CB: json_lexer_feed_char (json-lexer.c:323)
> ==1931==    by 0x7D7213: json_lexer_feed (json-lexer.c:373)
> ==1931==    by 0x7AA3FE: json_message_parser_feed (json-streamer.c:124)
> ==1931==  Block was alloc'd at
> ==1931==    at 0x4C2DB8F: malloc (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==1931==    by 0x1C004718: g_malloc (in
> /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
> ==1931==    by 0x691E1C: object_new_with_type (object.c:491)
> ==1931==    by 0x691E78: object_new (object.c:502)
> ==1931==    by 0x479A3C: qmp_device_list_properties (qmp.c:537)
> ==1931==    by 0x469EA0: qmp_marshal_device_list_properties (qmp-marshal.c:1393)
> ==1931==    by 0x7A25D2: do_qmp_dispatch (qmp-dispatch.c:104)
> ==1931==    by 0x7A2703: qmp_dispatch (qmp-dispatch.c:131)
> ==1931==    by 0x39E36D: handle_qmp_command (monitor.c:3839)
> ==1931==    by 0x7AA357: json_message_process_token (json-streamer.c:105)
> ==1931==    by 0x7D70CB: json_lexer_feed_char (json-lexer.c:323)
> ==1931==    by 0x7D7213: json_lexer_feed (json-lexer.c:373)

Thanks for the hint - while it didn't crash locally, I was certainly 
able to reproduce the above trace in valgrind.

Turns out the issue was that I thought I could move pci_register_bus() 
from realize to init in patch 10, but evidently not :)

I've moved it back and repushed the signed tag if you can try and apply 
the PR once again?


Many thanks,

Mark.
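A toy model of why moving pci_register_bus() from realize into init breaks device introspection, added here as an example and not code from this thread or from QEMU. The names Bridge, DeviceClass and registry are assumed stand-ins for the PCI host bridge object and the global host-bridge list that pci_host_bus_register() links into; the lifecycle it models is the one the thread describes (object_new, instance_init, object_unref, no realize).

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy QOM-style lifecycle (constructed for this example, not QEMU code).
 * tests/device-introspect-test does object_new() + object_unref() on every
 * device type, so instance_init and finalize run but realize never does. */
#define MAX_BRIDGES 8
typedef struct Bridge { int id; } Bridge;
typedef struct DeviceClass {
    void (*instance_init)(Bridge *);
    void (*realize)(Bridge *);
} DeviceClass;

/* Stand-in for the global list that pci_host_bus_register() links a new bus
 * into. It stores addresses only, so a stale entry is never dereferenced. */
static uintptr_t registry[MAX_BRIDGES];
static int registry_len;
static void register_bus(Bridge *b) {
    if (registry_len < MAX_BRIDGES) registry[registry_len++] = (uintptr_t)b;
}
static void noop(Bridge *b) { (void)b; }

/* Ordering from patch 10: global side effect in init, nothing undoes it. */
static const DeviceClass buggy = { register_bus, noop };
/* Corrected ordering: registration deferred to realize, which introspection
 * never calls, so an object that is built and freed leaves no trace. */
static const DeviceClass fixed = { noop, register_bus };

/* One introspection iteration: construct, never realize, destroy. Returns how
 * many registry entries now refer to the freed object; the write-after-free
 * valgrind reported needs exactly such an entry to exist first. */
static int introspect_and_count_dangling(const DeviceClass *dc) {
    registry_len = 0;
    Bridge *b = malloc(sizeof *b);          /* object_new() */
    b->id = 1;
    dc->instance_init(b);
    uintptr_t addr = (uintptr_t)b;          /* taken before free, never reused */
    free(b);                                /* object_unref() -> finalize */
    int dangling = 0;
    for (int i = 0; i < registry_len; i++) dangling += (registry[i] == addr);
    return dangling;
}

/* Normal machine bring-up: init then realize. Both orderings register once. */
static int boot_and_count_registered(const DeviceClass *dc) {
    Bridge b = { .id = 2 };
    registry_len = 0;
    dc->instance_init(&b);
    dc->realize(&b);
    return registry_len;
}
```

The real list is intrusive, so in QEMU the stale entry is not just a dangling pointer: the next pci_host_bus_register() writes link fields through it, which is the invalid write valgrind attributes to pci.c:331.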
Peter Maydell Jan. 11, 2018, 11:07 a.m. UTC | #3
On 9 January 2018 at 22:18, Mark Cave-Ayland
<mark.cave-ayland@ilande.co.uk> wrote:
> Thanks for the hint - while it didn't crash locally, I was certainly able to
> reproduce the above trace in valgrind.
>
> Turns out the issue was that thought I could move pci_register_bus() from
> realize to init in patch 10, but evidently not :)
>
> I've moved it back and repushed the signed tag if you can try and apply the
> PR once again?

Applied updated version, thanks.

-- PMM