I''ve been tracking a strange bug which leaves qemu spinning at 100% and the hvm domain stalled. The final vmexit before this happens is a pio read from an unused port (0x23), leading me to fairly quickly start believing the final vmexit is actually unrelated to the bug itself. I''ve seen very similar symptoms before, but I haven''t previously looked into what qemu-dm was actually doing when it was "spinning". Now I know: The problem is caused by something corrupting buffered_iopage by writing a value into buffered_iopage->read_pointer which is bigger than buffered_iopage->write_pointer. Since the loop in __handle_buffered_iopage is looping on != rather than <, it never exits (well... it would eventually, but it''s a 64bit value, so it''d take a while...). I checked around in the qemu code as well as steppting through the execution with a debugger, but I could find nothing there that appears to write anything "bad" into the read_pointer. In fact, when inserting logging to trace where, exactly, the corrupted value gets inserted, it seemed to happen at a "random" point, rather than tied to the execution of any specific function that I could see. read_pointer is the first member of buffered_ioreq_t, so on the hunch that the corruption was occuring by something other than a wrong value actually being written into the structure member, either overflowing a previous structure in memory or a pointer var mistake. I thus added a 64bit dummy member to "pad" the buffered_ioreq_t structure at the start, and as I had suspected, the bad value does get written into this dummy member rather than the read_pointer. I haven''t (yet) been able to track down what it is that actually writes the bad value, and any help finding it would be welcome. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
> read_pointer is the first member of buffered_ioreq_t, so on the hunchthat> the corruption was occuring by something other than a wrong valueactually> being written into the structure member, either overflowing a previous > structure in memory or a pointer var mistake. I thus added a 64bitdummy> member to "pad" the buffered_ioreq_t structure at the start, and as Ihad> suspected, the bad value does get written into this dummy memberrather> than the read_pointer. I haven''t (yet) been able to track down what itis> that actually writes the bad value, and any help finding it would be > welcome.What compiler are you using? What guest OS? Are you using PV or emulated drivers? Any idea if there are particular workloads that provoke the problem? Best, Ian _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Petersson, Mats
2006-Dec-07 09:35 UTC
RE: [Xen-devel] [HVM] Corruption of buffered_io_page
> -----Original Message----- > From: xen-devel-bounces@lists.xensource.com > [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Ian Pratt > Sent: 06 December 2006 22:05 > To: Trolle Selander; xen-devel@lists.xensource.com > Subject: RE: [Xen-devel] [HVM] Corruption of buffered_io_page > > > read_pointer is the first member of buffered_ioreq_t, so on > the hunch > that > > the corruption was occuring by something other than a wrong value > actually > > being written into the structure member, either overflowing > a previous > > structure in memory or a pointer var mistake. I thus added a 64bit > dummy > > member to "pad" the buffered_ioreq_t structure at the > start, and as I > had > > suspected, the bad value does get written into this dummy member > rather > > than the read_pointer. I haven''t (yet) been able to track > down what it > is > > that actually writes the bad value, and any help finding it would be > > welcome. > > What compiler are you using? What guest OS? Are you using PV > or emulated > drivers? Any idea if there are particular workloads that provoke the > problem?I''ll answer for Trolle as best as I can: Compiler: gcc 4.1 I believe. Guest OS: OS/2 Drivers would be emulated ones. I think it''s failing during initial boot, as Trolle hasn''t told me "It works" yet... ;-) By the way, I''m still a bit worried that this is caused by segment base != 0 in x86_emulate.c - this can cause all sorts of "interesting" interaction between the page-table updates and actual memory being affected. -- Mats> > Best, > Ian > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xensource.com > http://lists.xensource.com/xen-devel > > >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Trolle Selander
2006-Dec-07 09:50 UTC
Re: [Xen-devel] [HVM] Corruption of buffered_io_page
I thought i had replied to the list, but apparently gmail''s default reply action goes to the last poster, not the mailing list. Ian got these answers already, but I''ll cut & paste to make sure it gets to the general list as well: Distro is FC6, compiler is gcc-4.1.1, guest os is OS/2, worload is the boot> process. :) > No drivers are loaded yet at this stage - it happens fairly early in the > boot. However, after I added the corruption-catching "padding" struct > member, the boot does in fact progress to the driver loading stage, although > with severely corrupted boot-logo graphics. > Since it currently happens reproducibly after a specific "no op" vmexit > (read from an unused port), Mats''s suggestion of marking the iopage > read-only sounds doable if I insert code to set the page readonly when this > specific vmexit occurs. From what I saw when running qemu in the debugger, > there''s no "proper" use of the page about to occur, so the only thing that > will write to it should be whatever is doing it erroneously. I''ll try that > tomorrow. > > One correction: I managed to confuse myself a bit here. The very last > vmexit_ioio at which the guest stalls is a read from 0x1f7, but when that io > happens, the iopage is already corrupted, and that''s why it stalls - qemu-dm > is "stuck" and never performs the io. The port 0x23 is the io preceeding > that one - the last one that "gets through", which is why that was the one > I''ve used to trace things. > > I don''t know if it''s any clue to anyone, but the bad value that gets > written into read_pointer is 0x1df1000. >Now to what you said - I thought Keir''s patch to fixed up all the segment base = 0 assumptions in x86_emulate? At least we''re past the problem that was causing that I posted about before. I must confess I never actually looked at the code, because Keir said the patch would fix all the segment base = 0 assumptions, and once the patch showed up in mercurial and I built from that changeset, I didn''t hit the seg.base != 0 problem anymore. On 12/7/06, Petersson, Mats <Mats.Petersson@amd.com> wrote:> > > > > -----Original Message----- > > From: xen-devel-bounces@lists.xensource.com > > [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Ian Pratt > > Sent: 06 December 2006 22:05 > > To: Trolle Selander; xen-devel@lists.xensource.com > > Subject: RE: [Xen-devel] [HVM] Corruption of buffered_io_page > > > > > read_pointer is the first member of buffered_ioreq_t, so on > > the hunch > > that > > > the corruption was occuring by something other than a wrong value > > actually > > > being written into the structure member, either overflowing > > a previous > > > structure in memory or a pointer var mistake. I thus added a 64bit > > dummy > > > member to "pad" the buffered_ioreq_t structure at the > > start, and as I > > had > > > suspected, the bad value does get written into this dummy member > > rather > > > than the read_pointer. I haven''t (yet) been able to track > > down what it > > is > > > that actually writes the bad value, and any help finding it would be > > > welcome. > > > > What compiler are you using? What guest OS? Are you using PV > > or emulated > > drivers? Any idea if there are particular workloads that provoke the > > problem? > > I''ll answer for Trolle as best as I can: > Compiler: gcc 4.1 I believe. > Guest OS: OS/2 > Drivers would be emulated ones. > I think it''s failing during initial boot, as Trolle hasn''t told me "It > works" yet... ;-) > > By the way, I''m still a bit worried that this is caused by segment base > != 0 in x86_emulate.c - this can cause all sorts of "interesting" > interaction between the page-table updates and actual memory being > affected. > > -- > Mats > > > > Best, > > Ian > > > > > > _______________________________________________ > > Xen-devel mailing list > > Xen-devel@lists.xensource.com > > http://lists.xensource.com/xen-devel > > > > > > > > >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Petersson, Mats
2006-Dec-07 10:11 UTC
RE: [Xen-devel] [HVM] Corruption of buffered_io_page
> -----Original Message----- > From: xen-devel-bounces@lists.xensource.com > [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of > Trolle Selander > Sent: 07 December 2006 09:51 > To: xen-devel@lists.xensource.com > Subject: Re: [Xen-devel] [HVM] Corruption of buffered_io_page > > I thought i had replied to the list, but apparently gmail''s > default reply action goes to the last poster, not the mailing > list. Ian got these answers already, but I''ll cut & paste to > make sure it gets to the general list as well: > > > > Distro is FC6, compiler is gcc-4.1.1, guest os is OS/2, > worload is the boot process. :) > No drivers are loaded yet at this stage - it happens > fairly early in the boot. However, after I added the > corruption-catching "padding" struct member, the boot does in > fact progress to the driver loading stage, although with > severely corrupted boot-logo graphics. > Since it currently happens reproducibly after a > specific "no op" vmexit (read from an unused port), Mats''s > suggestion of marking the iopage read-only sounds doable if I > insert code to set the page readonly when this specific > vmexit occurs. From what I saw when running qemu in the > debugger, there''s no "proper" use of the page about to occur, > so the only thing that will write to it should be whatever is > doing it erroneously. I''ll try that tomorrow. > > One correction: I managed to confuse myself a bit here. > The very last vmexit_ioio at which the guest stalls is a read > from 0x1f7, but when that io happens, the iopage is already > corrupted, and that''s why it stalls - qemu-dm is "stuck" and > never performs the io. The port 0x23 is the io preceeding > that one - the last one that "gets through", which is why > that was the one I''ve used to trace things. > > I don''t know if it''s any clue to anyone, but the bad > value that gets written into read_pointer is 0x1df1000.One thing is for sure, it''s not a page-table entry. But it could be the value of a physical page-address. Is this value in any of the registers around the time of the crash?> > > > Now to what you said - I thought Keir''s patch to fixed up all > the segment base = 0 assumptions in x86_emulate? At least > we''re past the problem that was causing that I posted about > before. I must confess I never actually looked at the code, > because Keir said the patch would fix all the segment base = > 0 assumptions, and once the patch showed up in mercurial and > I built from that changeset, I didn''t hit the seg.base != 0 > problem anymore.There was patch(es) from Jan Beulich to fix the HVM side of seg.base !0, but as far as I''ve seen, Keir hasn''t posted his "big patch" yet - it''s possible that Keir could send you a "private patch". This patch fixed x86_emulate.c, which isn''t in the HVM section, it''s the part that fixes up page-table writes (which you may not see many of at the early part of boot, so it may not be an issue, of course). Whilst marking the page read-only and trapping on the page-fault is indeed doable, I''d also add a check on every vmexit and just at the time of doing vmrun (in the C code just before calling svm_asm_do_resume() or some such). -- Mats> > > On 12/7/06, Petersson, Mats <Mats.Petersson@amd.com> wrote: > > > > > -----Original Message----- > > From: xen-devel-bounces@lists.xensource.com > > [mailto: xen-devel-bounces@lists.xensource.com > <mailto:xen-devel-bounces@lists.xensource.com> ] On Behalf Of > Ian Pratt > > Sent: 06 December 2006 22:05 > > To: Trolle Selander; xen-devel@lists.xensource.com > > Subject: RE: [Xen-devel] [HVM] Corruption of buffered_io_page > > > > > read_pointer is the first member of buffered_ioreq_t, so on > > the hunch > > that > > > the corruption was occuring by something other than > a wrong value > > actually > > > being written into the structure member, either overflowing > > a previous > > > structure in memory or a pointer var mistake. I > thus added a 64bit > > dummy > > > member to "pad" the buffered_ioreq_t structure at the > > start, and as I > > had > > > suspected, the bad value does get written into this > dummy member > > rather > > > than the read_pointer. I haven''t (yet) been able to track > > down what it > > is > > > that actually writes the bad value, and any help > finding it would be > > > welcome. > > > > What compiler are you using? What guest OS? Are you using PV > > or emulated > > drivers? Any idea if there are particular workloads > that provoke the > > problem? > > I''ll answer for Trolle as best as I can: > Compiler: gcc 4.1 I believe. > Guest OS: OS/2 > Drivers would be emulated ones. > I think it''s failing during initial boot, as Trolle > hasn''t told me "It > works" yet... ;-) > > By the way, I''m still a bit worried that this is caused > by segment base > != 0 in x86_emulate.c - this can cause all sorts of > "interesting" > interaction between the page-table updates and actual > memory being > affected. > > -- > Mats > > > > Best, > > Ian > > > > > > _______________________________________________ > > Xen-devel mailing list > > Xen-devel@lists.xensource.com > <mailto:Xen-devel@lists.xensource.com> > > http://lists.xensource.com/xen-devel > > > > > > > > > > > >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Trolle Selander
2006-Dec-07 10:56 UTC
Re: [Xen-devel] [HVM] Corruption of buffered_io_page
Changeset 12622 was the one i thought was the "big patch" since it showed up one or two days after Keir said he was going to post it. In any case, it fixed both the first segment base issue i ran into that I originally mailed you about as well as a second one with a non-zero stack segment base that I hit immediately after when I did a "quick and dirty" fix for the cs seg_base. I haven''t seen any "obviously" segment-base related things since then. As for seeing the bad value in any of the registers around the time the corruption occurs, I''ve looked, but I haven''t spotted it yet. On 12/7/06, Petersson, Mats <Mats.Petersson@amd.com> wrote:> > > > > -----Original Message----- > > From: xen-devel-bounces@lists.xensource.com > > [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of > > Trolle Selander > > Sent: 07 December 2006 09:51 > > To: xen-devel@lists.xensource.com > > Subject: Re: [Xen-devel] [HVM] Corruption of buffered_io_page > > > > I thought i had replied to the list, but apparently gmail''s > > default reply action goes to the last poster, not the mailing > > list. Ian got these answers already, but I''ll cut & paste to > > make sure it gets to the general list as well: > > > > > > > > Distro is FC6, compiler is gcc-4.1.1, guest os is OS/2, > > worload is the boot process. :) > > No drivers are loaded yet at this stage - it happens > > fairly early in the boot. However, after I added the > > corruption-catching "padding" struct member, the boot does in > > fact progress to the driver loading stage, although with > > severely corrupted boot-logo graphics. > > Since it currently happens reproducibly after a > > specific "no op" vmexit (read from an unused port), Mats''s > > suggestion of marking the iopage read-only sounds doable if I > > insert code to set the page readonly when this specific > > vmexit occurs. From what I saw when running qemu in the > > debugger, there''s no "proper" use of the page about to occur, > > so the only thing that will write to it should be whatever is > > doing it erroneously. I''ll try that tomorrow. > > > > One correction: I managed to confuse myself a bit here. > > The very last vmexit_ioio at which the guest stalls is a read > > from 0x1f7, but when that io happens, the iopage is already > > corrupted, and that''s why it stalls - qemu-dm is "stuck" and > > never performs the io. The port 0x23 is the io preceeding > > that one - the last one that "gets through", which is why > > that was the one I''ve used to trace things. > > > > I don''t know if it''s any clue to anyone, but the bad > > value that gets written into read_pointer is 0x1df1000. > > One thing is for sure, it''s not a page-table entry. But it could be the > value of a physical page-address. Is this value in any of the registers > around the time of the crash? > > > > > > > > > Now to what you said - I thought Keir''s patch to fixed up all > > the segment base = 0 assumptions in x86_emulate? At least > > we''re past the problem that was causing that I posted about > > before. I must confess I never actually looked at the code, > > because Keir said the patch would fix all the segment base > > 0 assumptions, and once the patch showed up in mercurial and > > I built from that changeset, I didn''t hit the seg.base != 0 > > problem anymore. > > There was patch(es) from Jan Beulich to fix the HVM side of seg.base !> 0, but as far as I''ve seen, Keir hasn''t posted his "big patch" yet - > it''s possible that Keir could send you a "private patch". This patch > fixed x86_emulate.c, which isn''t in the HVM section, it''s the part that > fixes up page-table writes (which you may not see many of at the early > part of boot, so it may not be an issue, of course). > > Whilst marking the page read-only and trapping on the page-fault is > indeed doable, I''d also add a check on every vmexit and just at the time > of doing vmrun (in the C code just before calling svm_asm_do_resume() or > some such). > > -- > Mats > > > > > > On 12/7/06, Petersson, Mats <Mats.Petersson@amd.com> wrote: > > > > > > > > > -----Original Message----- > > > From: xen-devel-bounces@lists.xensource.com > > > [mailto: xen-devel-bounces@lists.xensource.com > > <mailto:xen-devel-bounces@lists.xensource.com> ] On Behalf Of > > Ian Pratt > > > Sent: 06 December 2006 22:05 > > > To: Trolle Selander; xen-devel@lists.xensource.com > > > Subject: RE: [Xen-devel] [HVM] Corruption of buffered_io_page > > > > > > > read_pointer is the first member of buffered_ioreq_t, so on > > > the hunch > > > that > > > > the corruption was occuring by something other than > > a wrong value > > > actually > > > > being written into the structure member, either overflowing > > > a previous > > > > structure in memory or a pointer var mistake. I > > thus added a 64bit > > > dummy > > > > member to "pad" the buffered_ioreq_t structure at the > > > start, and as I > > > had > > > > suspected, the bad value does get written into this > > dummy member > > > rather > > > > than the read_pointer. I haven''t (yet) been able to track > > > down what it > > > is > > > > that actually writes the bad value, and any help > > finding it would be > > > > welcome. > > > > > > What compiler are you using? What guest OS? Are you using PV > > > or emulated > > > drivers? Any idea if there are particular workloads > > that provoke the > > > problem? > > > > I''ll answer for Trolle as best as I can: > > Compiler: gcc 4.1 I believe. > > Guest OS: OS/2 > > Drivers would be emulated ones. > > I think it''s failing during initial boot, as Trolle > > hasn''t told me "It > > works" yet... ;-) > > > > By the way, I''m still a bit worried that this is caused > > by segment base > > != 0 in x86_emulate.c - this can cause all sorts of > > "interesting" > > interaction between the page-table updates and actual > > memory being > > affected. > > > > -- > > Mats > > > > > > Best, > > > Ian > > > > > > > > > _______________________________________________ > > > Xen-devel mailing list > > > Xen-devel@lists.xensource.com > > <mailto:Xen-devel@lists.xensource.com> > > > http://lists.xensource.com/xen-devel > > > > > > > > > > > > > > > > > > > > > > > >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel