[Qemu-devel] qemu vga crash
From: |
Vladimir Sementsov-Ogievskiy |
Subject: |
[Qemu-devel] qemu vga crash |
Date: |
Wed, 15 May 2019 12:28:15 +0000 |
Hi Gerd!
I'm writing to you as you were the last one to commit to vga_draw_graphic;
hope you can help.
We hit the following crash in a 2.12-based QEMU, although the code does not seem
to have really changed since:
#0 __GI_raise (address@hidden) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 __GI_abort () at abort.c:90
#2 __assert_fail_base (
fmt=0x7f01126b9520 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
address@hidden "start + length <= snap->end",
address@hidden "/builddir/build/BUILD/qemu-2.10.0/exec.c", address@hidden,
address@hidden <__PRETTY_FUNCTION__.33659>
"cpu_physical_memory_snapshot_get_dirty") at assert.c:92
#3 __GI___assert_fail (
address@hidden "start + length <= snap->end",
address@hidden "/builddir/build/BUILD/qemu-2.10.0/exec.c", address@hidden,
address@hidden <__PRETTY_FUNCTION__.33659>
"cpu_physical_memory_snapshot_get_dirty") at assert.c:101
#4 cpu_physical_memory_snapshot_get_dirty (address@hidden,
start=<optimized out>, length=<optimized out>) at
/usr/src/debug/qemu-2.10.0/exec.c:1198
#5 memory_region_snapshot_get_dirty (address@hidden,
address@hidden, addr=<optimized out>, size=<optimized out>)
at /usr/src/debug/qemu-2.10.0/memory.c:1949
#6 vga_draw_graphic (full_update=0, s=0x5613092e08e0)
at /usr/src/debug/qemu-2.10.0/hw/display/vga.c:1678
#7 vga_update_display (opaque=0x5613092e08e0) at
/usr/src/debug/qemu-2.10.0/hw/display/vga.c:1774
#8 vnc_refresh (dcl=0x561309116060) at ui/vnc.c:3013
#9 dpy_refresh (s=0x5613088f8e10) at ui/console.c:1613
#10 gui_update (opaque=0x5613088f8e10) at ui/console.c:201
#11 timerlist_run_timers (timer_list=0x5612fba05340) at util/qemu-timer.c:536
#12 qemu_clock_run_timers (type=<optimized out>) at util/qemu-timer.c:547
#13 qemu_clock_run_all_timers () at util/qemu-timer.c:662
#14 main_loop_wait (address@hidden) at util/main-loop.c:521
#15 main_loop () at vl.c:1937
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at
vl.c:4829
It's the assertion "assert(start + length <= snap->end);" in
cpu_physical_memory_snapshot_get_dirty,
and it seems that start == snap->end while length is 511.
Digging in, I found that in vga_draw_graphic we most probably have
s->get_bpp() returning zero, which leads
to region_end == region_start, i.e. a region of zero length, which in turn gives
snap->end == snap->start == s->vram.ram_block->offset.
On the other hand
page0 = addr & s->vbe_size_mask = 0
page1 = (addr + bwidth - 1) & s->vbe_size_mask = 511
which finally leads to the assertion failure in cpu_physical_memory_snapshot_get_dirty()
(addr is 0, bwidth is 512, width is 1024 and height is 768).
I don't understand what get_bpp == 0 means; it looks strange to me (it is bits
per pixel, isn't it?).
Hope you can shed some light on this.
=============== some additional debugging information, in case it helps ========
(gdb) fr 4
#4 0x00005612f95d7a11 in cpu_physical_memory_snapshot_get_dirty
(address@hidden,
start=<optimized out>, length=<optimized out>) at
/usr/src/debug/qemu-2.10.0/exec.c:1198
1198 assert(start + length <= snap->end);
(gdb) list
1193 ram_addr_t length)
1194 {
1195 unsigned long page, end;
1196
1197 assert(start >= snap->start);
1198 assert(start + length <= snap->end);
1199
1200 end = TARGET_PAGE_ALIGN(start + length - snap->start) >>
TARGET_PAGE_BITS;
1201 page = (start - snap->start) >> TARGET_PAGE_BITS;
1202
(gdb) info locals
page = <optimized out>
end = <optimized out>
__PRETTY_FUNCTION__ = "cpu_physical_memory_snapshot_get_dirty"
(gdb) p snap
$61 = (DirtyBitmapSnapshot *) 0x5613087bdcb0
(gdb) p *snap
$62 = {start = 77310459904, end = 77310459904, dirty = 0x5613087bdcc0}
(gdb) fr 5
#5 0x00005612f9621d2e in memory_region_snapshot_get_dirty (address@hidden,
address@hidden, addr=<optimized out>, size=<optimized out>)
at /usr/src/debug/qemu-2.10.0/memory.c:1949
1949 return cpu_physical_memory_snapshot_get_dirty(snap,
(gdb) list
1944
1945 bool memory_region_snapshot_get_dirty(MemoryRegion *mr,
DirtyBitmapSnapshot *snap,
1946 hwaddr addr, hwaddr size)
1947 {
1948 assert(mr->ram_block);
1949 return cpu_physical_memory_snapshot_get_dirty(snap,
1950 memory_region_get_ram_addr(mr) + addr, size);
1951 }
1952
1953 void memory_region_sync_dirty_bitmap(MemoryRegion *mr)
(gdb) info locals
__PRETTY_FUNCTION__ = "memory_region_snapshot_get_dirty"
(gdb) p *mr->ram_block
$63 = {rcu = {next = 0x0, func = 0x0}, mr = 0x5613092e08f0,
host = 0x7eeef9000000 <Address 0x7eeef9000000 out of bounds>, offset =
77310459904,
used_length = 33554432, max_length = 33554432, resized = 0x0, flags = 0,
idstr = "vga.vram", '\000' <repeats 247 times>, next = {le_next =
0x5613075fca80,
le_prev = 0x5612fba2c748}, ramblock_notifiers = {lh_first = 0x0}, fd = -1,
page_size = 4096,
bmap = 0x0, unsentmap = 0x0}
(gdb) fr 6
#6 0x00005612f9644af5 in vga_draw_graphic (full_update=0, s=0x5613092e08e0)
at /usr/src/debug/qemu-2.10.0/hw/display/vga.c:1678
1678 update = memory_region_snapshot_get_dirty(&s->vram, snap,
(gdb) list
1673 update = memory_region_snapshot_get_dirty(&s->vram, snap,
1674 page0, 0);
1675 update |= memory_region_snapshot_get_dirty(&s->vram, snap,
1676 page1, 0);
1677 } else {
1678 update = memory_region_snapshot_get_dirty(&s->vram, snap,
1679 page0, page1 -
page0);
1680 }
1681 /* explicit invalidation for the hardware cursor (cirrus only)
*/
1682 update |= vga_scanline_invalidated(s, y);
(gdb) info locals
double_scan = <optimized out>
width = 1024
multi_scan = 0
y = 0
bits = <optimized out>
snap = 0x5613087bdcb0
byteswap = <optimized out>
region_end = <optimized out>
addr1 = 0
addr = 0
share_surface = <optimized out>
format = <optimized out>
y1 = 0
y_start = -1
multi_run = 0
surface = 0x561308ac5c80
update = 0
depth = <optimized out>
height = 768
bwidth = 512
region_start = <optimized out>
vga_draw_line = 0x5612f96418d0 <vga_draw_line8d2>
mask = <optimized out>
page0 = <optimized out>
d = 0x56130a68c000 ""
v = <optimized out>
force_shadow = false
shift_control = <optimized out>
page1 = <optimized out>
disp_width = 1024
(gdb) p full_update
$64 = 0
(gdb) p s->line_offset
$65 = 0
(gdb) p s->get_bpp
$66 = (int (*)(struct VGACommonState *)) 0x5612f9641f60 <vga_get_bpp>
(gdb) p s->vbe_regs
$67 = {45248, 1024, 768, 32, 0, 0, 1024, 8192, 0, 0} // which means that
vbe_enabled should return 0 and then vga_get_bpp should return 0
(gdb) p (s->gr[5] >> 5) & 3
$68 = 2 // it should be shift_control
--
Best regards,
Vladimir