Skip to content

qemu-system-x86_64 TCG coredumps when using qemu_plugin_register_vcpu_mem_cb

Host environment

  • Operating system: NixOS 24.05, build environment is nix develop nixpkgs#qemu
  • OS/kernel version: Linux REDACTED 6.9.12 #1-NixOS SMP PREEMPT_DYNAMIC Sat Jul 27 09:36:19 UTC 2024 x86_64 GNU/Linux
  • Architecture: x86
  • QEMU flavor: qemu-system-x86_64
  • QEMU version: QEMU emulator version 9.0.90, commit 6d00c6f9
  • QEMU command line: 
    ./qemu-system-x86_64 -m 1G -M q35 -drive file=disk.qcow2 -nic none -loadvm snapshot -plugin contrib/plugins/libexeclog.so

Emulated/Virtualized environment

  • Operating system: Windows 7 Professional SP1 x64, freshly installed
  • Architecture: x86

Description of problem

QEMU freezes, then exits with Segmentation fault (core dumped).

Steps to reproduce

  1. Install Windows 7 SP1 into disk.qcow2.
  2. Start the machine, and use savevm snapshot at the login screen, then exit.
  3. ./qemu-system-x86_64 -m 1G -M q35 -drive file=disk.qcow2 -nic none -loadvm snapshot -plugin contrib/plugins/libexeclog.so

Additional information

QEMU runs normally without the plugin.

This bug can also be reproduced with a simpler plugin just calling qemu_plugin_register_vcpu_mem_cb once per instruction: minimal_plugin.diff.

Log using -d op,in_asm,out_asm,plugin -D log: log.gz

GDB full backtrace:

(gdb) bt f
#0  stw_he_p (v=0, ptr=0x2) at /REDACTED/qemu/include/qemu/bswap.h:265
No locals.
#1  stw_le_p (v=0, ptr=0x2) at /REDACTED/qemu/include/qemu/bswap.h:319
No locals.
#2  access_stw (ac=ac@entry=0x7f1652dfec70, addr=addr@entry=18446735827410705922, val=val@entry=0) at ../target/i386/tcg/access.c:143
        p = 0x2
#3  0x000055dfca88534e in do_xsave_fpu (ac=ac@entry=0x7f1652dfec70, ptr=ptr@entry=18446735827410705920) at ../target/i386/tcg/fpu_helper.c:2537
        env = 0x55dff34fe630
        fpus = 0
        fptag = <optimized out>
        i = <optimized out>
        addr = <optimized out>
#4  0x000055dfca88caf8 in do_fxsave (ptr=18446735827410705920, ac=0x7f1652dfec70) at ../target/i386/tcg/fpu_helper.c:2632
        env = 0x55dff34fe630
        env = <optimized out>
#5  helper_fxsave (env=<optimized out>, ptr=18446735827410705920) at ../target/i386/tcg/fpu_helper.c:2656
        ra = <optimized out>
        ac = {vaddr = 18446735827410705920, haddr1 = 0x0, haddr2 = 0x0, size = 512, size1 = 512, mmu_idx = 4, env = 0x55dff34fe630, 
          ra = 139732667533971}
#6  0x00007f160c030a93 in code_gen_buffer ()
No locals.
#7  0x000055dfca979986 in cpu_tb_exec (cpu=cpu@entry=0x55dff34fbe70, itb=itb@entry=0x7f160c030940 <code_gen_buffer+198931>, 
    tb_exit=tb_exit@entry=0x7f1652dff228) at ../accel/tcg/cpu-exec.c:458
        ret = <optimized out>
        last_tb = <optimized out>
        tb_ptr = 0x7f160c030a00 <code_gen_buffer+199123>
        __PRETTY_FUNCTION__ = "cpu_tb_exec"
#8  0x000055dfca979edd in cpu_loop_exec_tb (tb_exit=0x7f1652dff228, last_tb=<synthetic pointer>, pc=<optimized out>, 
    tb=0x7f160c030940 <code_gen_buffer+198931>, cpu=0x55dff34fbe70) at ../accel/tcg/cpu-exec.c:908
        insns_left = <optimized out>
        __PRETTY_FUNCTION__ = "cpu_loop_exec_tb"
        insns_left = <optimized out>
        _a15 = <optimized out>
        _b16 = <optimized out>
#9  cpu_exec_loop (cpu=cpu@entry=0x55dff34fbe70, sc=sc@entry=0x7f1652dff2c0) at ../accel/tcg/cpu-exec.c:1022
        tb = 0x7f160c030940 <code_gen_buffer+198931>
        flags = <optimized out>
        cflags = 4278321152
        pc = <optimized out>
        cs_base = <optimized out>
        last_tb = <optimized out>
        tb_exit = 1
        ret = <optimized out>
#10 0x000055dfca97a6fd in cpu_exec_setjmp (cpu=cpu@entry=0x55dff34fbe70, sc=sc@entry=0x7f1652dff2c0) at ../accel/tcg/cpu-exec.c:1039
No locals.
#11 0x000055dfca97ae79 in cpu_exec (cpu=cpu@entry=0x55dff34fbe70) at ../accel/tcg/cpu-exec.c:1065
        ret = <optimized out>
        sc = {diff_clk = 0, last_cpu_icount = 0, realtime_clock = 0}
        _rcu_read_auto = 0x1
#12 0x000055dfca9a35af in tcg_cpu_exec (cpu=cpu@entry=0x55dff34fbe70) at ../accel/tcg/tcg-accel-ops.c:78
--Type <RET> for more, q to quit, c to continue without paging--c
        ret = <optimized out>
        __PRETTY_FUNCTION__ = "tcg_cpu_exec"
#13 0x000055dfca9a3703 in mttcg_cpu_thread_fn (arg=arg@entry=0x55dff34fbe70) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
        r = <optimized out>
        force_rcu = {notifier = {notify = 0x55dfca9a37f0 <mttcg_force_rcu>, node = {le_next = 0x0, le_prev = 0x7f1652e00528}}, cpu = 0x55dff34fbe70}
        cpu = 0x55dff34fbe70
        __PRETTY_FUNCTION__ = "mttcg_cpu_thread_fn"
        __func__ = "mttcg_cpu_thread_fn"
#14 0x000055dfcab7e898 in qemu_thread_start (args=0x55dff355dd80) at ../util/qemu-thread-posix.c:541
        __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {94420348558720, 3438567870158976394, -1656, 0, 140727865026624, 139734089805824, 
                8803266606146106762, 3438582454403577226}, __mask_was_saved = 0}}, __pad = {0x7f1652dff430, 0x0, 0x0, 0x0}}
        __cancel_routine = 0x55dfcab7e8f0 <qemu_thread_atexit_notify>
        __cancel_arg = <optimized out>
        __not_first_call = <optimized out>
        qemu_thread_args = <optimized out>
        start_routine = 0x55dfca9a3600 <mttcg_cpu_thread_fn>
        arg = 0x55dff34fbe70
        r = <optimized out>
#15 0x00007f165e090272 in start_thread () from /nix/store/dbcw19dshdwnxdv5q2g6wldj6syyvq7l-glibc-2.39-52/lib/libc.so.6
No symbol table info available.
#16 0x00007f165e10bdec in clone3 () from /nix/store/dbcw19dshdwnxdv5q2g6wldj6syyvq7l-glibc-2.39-52/lib/libc.so.6
No symbol table info available.
Edited by erdnaxe
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information