qemu-devel

[Bug 1878136] Re: Assertion failures in ati_reg_read_offs/ati_reg_write_offs


From: Alexander Bulekov
Subject: [Bug 1878136] Re: Assertion failures in ati_reg_read_offs/ati_reg_write_offs
Date: Tue, 12 May 2020 04:58:31 -0000

** Attachment added: "The qtest commands for triggering the assertion in ati_reg_read_offs"
   https://bugs.launchpad.net/qemu/+bug/1878136/+attachment/5370129/+files/attachment2

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878136

Title:
   Assertion failures in ati_reg_read_offs/ati_reg_write_offs

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found inputs that trigger assertion failures in
  ati_reg_read_offs/ati_reg_write_offs

  uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length > 0 && length <= 32 - start' failed

  #3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
  #4 0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
  #5 0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
  #6 0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
  #7 0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #8 0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396

  I can reproduce it in qemu 5.0 built with using:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80001018
  outl 0xcfc 0xe2000000
  outl 0xcf8 0x8000101c
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fa20
  write 0xe2000004 0x1 0x1a
  readq 0xe2000000
  EOF

  Similarly for ati_reg_write_offs:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80001018
  outl 0xcfc 0xe2000000
  outl 0xcf8 0x8000101c
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fa20
  write 0xe2000000 0x8 0x6a00000000006a00
  EOF

  I also attached the traces to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878136/+subscriptions
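The assertion quoted in the report is extract32()'s precondition on a (start, length) bit field. The C program below is an added example written for this page; it is not code from the bug report, from the attachments, or from QEMU's hw/display/ati.c. It re-implements the extract32/deposit32 semantics with the same precondition text, and beside them shows checked read/write helpers that return false for a byte window that does not fit in a 32-bit register instead of asserting. The names mm_window_fits, reg_read_offs_checked and reg_write_offs_checked are hypothetical, the register value is constructed, and the mapping of the guest-written MM_INDEX value to a byte offset (its low two bits) is an assumption made here to illustrate the addr=0x1a / size=0x4 frames in the backtrace, not something the report states.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * The precondition that fails in the report, copied from the assertion
 * text: start >= 0 && length > 0 && length <= 32 - start.
 */
static bool extract32_args_ok(int start, int length)
{
    return start >= 0 && length > 0 && length <= 32 - start;
}

/* Local re-implementation of extract32()/deposit32() semantics; these
 * assert on an out-of-range field just like the QEMU helpers do. */
static uint32_t extract32(uint32_t value, int start, int length)
{
    assert(extract32_args_ok(start, length));
    return (value >> start) & (~0U >> (32 - length));
}

static uint32_t deposit32(uint32_t value, int start, int length,
                          uint32_t fieldval)
{
    uint32_t mask;
    assert(extract32_args_ok(start, length));
    mask = (~0U >> (32 - length)) << start;
    return (value & ~mask) | ((fieldval << start) & mask);
}

/*
 * ASSUMPTION (not stated by the report): on the MM_DATA path the byte
 * offset into the target register is the low two bits of the guest-written
 * MM_INDEX, and size is the access width in bytes (4 in frame #8).
 * MM_INDEX = 0x1a gives offs = 2, so a 4-byte access would need bits
 * 16..47 of a 32-bit register, which violates the precondition above.
 */
static bool mm_window_fits(uint32_t mm_index, unsigned size)
{
    unsigned offs = mm_index & 3;
    return size >= 1 && size <= 4 && offs + size <= 4;
}

/* Checked variants: refuse (return false) instead of asserting when the
 * guest-controlled byte window does not fit in the 32-bit register. */
static bool reg_read_offs_checked(uint32_t reg, int offs, unsigned size,
                                  uint32_t *out)
{
    if (offs < 0 || offs > 3 || size < 1 || size > 4 ||
        (unsigned)offs + size > 4) {
        return false;
    }
    *out = extract32(reg, offs * 8, (int)(size * 8));
    return true;
}

static bool reg_write_offs_checked(uint32_t reg, int offs, unsigned size,
                                   uint32_t data, uint32_t *out)
{
    if (offs < 0 || offs > 3 || size < 1 || size > 4 ||
        (unsigned)offs + size > 4) {
        return false;
    }
    *out = deposit32(reg, offs * 8, (int)(size * 8), data);
    return true;
}

int main(void)
{
    uint32_t v;
    /* Constructed register value, used only for illustration. */
    const uint32_t reg = 0xaabbccddu;

    printf("MM_INDEX 0x1a, 4-byte access fits: %s\n",
           mm_window_fits(0x1a, 4) ? "yes" : "no");
    printf("MM_INDEX 0x18, 4-byte access fits: %s\n",
           mm_window_fits(0x18, 4) ? "yes" : "no");

    if (reg_read_offs_checked(reg, 2, 2, &v)) {
        printf("read offs=2 size=2 -> 0x%04x\n", v);
    }
    if (!reg_read_offs_checked(reg, 2, 4, &v)) {
        printf("read offs=2 size=4 rejected (would assert in extract32)\n");
    }
    if (reg_write_offs_checked(reg, 1, 2, 0x1234, &v)) {
        printf("write offs=1 size=2 data=0x1234 -> 0x%08x\n", v);
    }
    return 0;
}
```

The point of the checked helpers is that both the byte offset and the access size here come from the guest (MM_INDEX via a plain MMIO write, the size via the access width), so the bounds check has to happen in the device model before the generic bit-field helper is reached; an assert in extract32 is a reachable guest-triggered abort of the whole VM process, not a debugging aid.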


