Date:      Sun, 11 Nov 2018 03:24:16 -0800
From:      Mark Millard <marklmi@yahoo.com>
To:        Kyle Evans <kevans@freebsd.org>
Cc:        Sean Bruno <sbruno@freebsd.org>, ports-list freebsd <freebsd-ports@freebsd.org>
Subject:   Re: ports -r484565 : qemu-arm-static fails with: (start < end): backtrace included; start+len arithmetic overflow (abi_ulong wrap) for TARGET_FREEBSD_NR_mmap use
Message-ID:  <09E0609A-B10E-4D00-89D2-4E102C4F3537@yahoo.com>
In-Reply-To: <7F3A94B8-C6E9-42D5-A5DF-94BF910B1D0C@yahoo.com>
References:  <783DE9B1-F1F5-45B5-8C3E-0B0D8BF4CC03@yahoo.com> <eeaa53e1-0d2c-f8d1-7d99-d82c7cffb9cb@freebsd.org> <C18EF212-7C23-4FFB-B0A0-49DAEF87705C@yahoo.com> <04F7FF99-96DE-4A51-B17F-7F2FEE667417@yahoo.com> <B680E29F-7E04-447B-8A17-D0C82B521998@yahoo.com> <CACNAnaGNUOEcSsTuZk-sb4976Y25kgQ87H8PGn9UAUGNUo97kw@mail.gmail.com> <AF2D0AA0-A1BD-4C5D-843A-3280D1BE1309@yahoo.com> <CACNAnaG%2Bqpi5BAwL1EHPB=17Vu2Uikb_4mAC67jtoLaS%2Bv4DXA@mail.gmail.com> <7F3A94B8-C6E9-42D5-A5DF-94BF910B1D0C@yahoo.com>

I attached with gdb in order to stop at the assert and look around.



The following is a backtrace with notes and prints mixed in:

(gdb) bt
#0  thr_kill () at thr_kill.S:3
#1  0x000000006028a21f in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
#2  0x0000000060204949 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
#3  0x000000006027855a in __assert (func=<optimized out>, file=<optimized out>, line=<optimized out>, failedexpr=<optimized out>) at /usr/src/lib/libc/gen/assert.c:51

Note end==37146624 below vs. start (37146624 will show up again in later notes)

#4  0x0000000060036243 in page_set_flags (start=4143968256, end=37146624, flags=9) at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/accel/tcg/translate-all.c:2077

Note start and len below:

#5  0x000000006003df2b in target_mmap (start=4143968256, len=188145664, prot=<optimized out>, flags=<optimized out>, fd=<optimized out>, offset=<optimized out>)
    at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/bsd-user/mmap.c:626

(gdb) print/x start
$5 = 0xf6fff000
(gdb) print/x len
$6 = 0xb36e000

Note start+len for the above (without wrapping):

(gdb) print/x (long long)start + (long long)len
$10 = 0x10236d000
(gdb) print (long long)start + (long long)len
$11 = 4332113920

With wrapping:

(gdb) print/x start+len
$8 = 0x236d000
(gdb) print start+len
$9 = 37146624

And that is end's value again: start + len wrapped around in the 32-bit abi_ulong, so page_set_flags was handed an end smaller than start and its (start < end) assertion failed.

The code doing the wrapping is (with more context):

621	            if (p == MAP_FAILED)
622	                goto fail;
623	        }
624	    }
625	 the_end1:
626	    page_set_flags(start, start + len, prot | PAGE_VALID);
627	 the_end:
628	#ifdef DEBUG_MMAP
629	    printf("ret=0x" TARGET_ABI_FMT_lx "\n", start);
630	    page_dump(stdout);


#6  0x000000006004219c in do_bsd_mmap (arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>, arg4=2, arg5=<optimized out>, arg6=<optimized out>, arg7=<optimized out>, arg8=0, 
    cpu_env=<optimized out>) at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/bsd-user/bsd-mem.h:75

The code for the above is:

    if (regpairs_aligned(cpu_env) != 0) {
       arg6 = arg7;
       arg7 = arg8;
    }
    return get_errno(target_mmap(arg1, arg2, arg3,
                target_to_host_bitmask(arg4, mmap_flags_tbl), arg5,
                target_arg64(arg6, arg7)));


#7  do_freebsd_syscall (cpu_env=0x860c08318, num=477, arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>, arg4=2, arg5=9, arg6=0, arg7=0, arg8=0)
    at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/bsd-user/syscall.c:946
The code above is (with some context):

        break;


        /*
         * Memory management system calls.
         */
   case TARGET_FREEBSD_NR_mmap: /* mmap(2) */
        ret = do_bsd_mmap(cpu_env, arg1, arg2, arg3, arg4, arg5, arg6, arg7,
           arg8);
        break;


#8  0x0000000060038be3 in target_cpu_loop (env=0x860c08318) at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/bsd-user/arm/target_arch_cpu.h:207

The code and its context for the above is:

            break;
        case EXCP_SWI:
        case EXCP_BKPT:
. . .
                /*
                 * system call
                 * See arm/arm/trap.c cpu_fetch_syscall_args()
                 */
. . .
                DEBUG_PRINTF("AVANT CALL %d\n", n);
                if (bsd_type == target_freebsd) {
                    int ret;
                    abi_ulong params = get_sp_from_cpustate(env);
                    int32_t syscall_nr = n;
                    int32_t arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8;

                    if (syscall_nr == TARGET_FREEBSD_NR_syscall) {
. . .
                    } else if (syscall_nr == TARGET_FREEBSD_NR___syscall) {
. . .
                    } else {
                        arg1 = env->regs[0];
                        arg2 = env->regs[1];
                        arg3 = env->regs[2];
                        arg4 = env->regs[3];
                        get_user_s32(arg5, params);
                        params += sizeof(int32_t);
                        get_user_s32(arg6, params);
                        params += sizeof(int32_t);
                        get_user_s32(arg7, params);
                        params += sizeof(int32_t);
                        get_user_s32(arg8, params);
                    }

                    ret = do_freebsd_syscall(env, syscall_nr, arg1, arg2, arg3,
                            arg4, arg5, arg6, arg7, arg8);


#9  0x0000000060038589 in cpu_loop (env=0x18b2f) at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/bsd-user/main.c:121

#10 0x0000000060039802 in main (argc=-10089, argv=0x7fffffffd4e0) at /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-2cb0cdd/bsd-user/main.c:513


===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)



