Volker Rümelin [Sun, 10 Jan 2021 10:02:36 +0000 (11:02 +0100)]
dsoundaudio: replace GetForegroundWindow()
GetForegroundWindow() doesn't necessarily return the own window
handle. It just returns a handle to the currently active window
and can even return NULL. At the time dsound_open() gets called
the active window is most likely the shell window and not the
QEMU window.
Replace GetForegroundWindow() with GetDesktopWindow() which
always returns a valid window handle, and at the same time
replace the DirectSound buffer flag DSBCAPS_STICKYFOCUS with
DSBCAPS_GLOBALFOCUS where Windows only expects a valid window
handle for DirectSound function SetCooperativeLevel(). The
Microsoft online docs for IDirectSound::SetCooperativeLevel
recommend this in the remarks.
This fixes a bug where you can't hear sound from the guest.
To reproduce start qemu with -machine pcspk-audiodev=audio0
-device intel-hda -device hda-duplex,audiodev=audio0
-audiodev dsound,id=audio0,out.mixing-engine=off
from a shell and start audio playback with the hda device in the
guest. The guest will be silent. To hear guest audio you have to
activate the shell window once.
Volker Rümelin [Sun, 10 Jan 2021 10:02:35 +0000 (11:02 +0100)]
paaudio: send recorded data in smaller chunks
Tell PulseAudio to send recorded audio data in smaller chunks
than timer_period, so there's a good chance that qemu can read
recorded audio data every time it looks for new data.
PulseAudio tries to send buffer updates at a fragsize / 2 rate.
With fragsize = timer_period / 2 * 3 the update rate is 75% of
timer_period. The lower limit for the recording buffer size
maxlength is fragsize * 2.
Volker Rümelin [Sun, 10 Jan 2021 10:02:34 +0000 (11:02 +0100)]
paaudio: limit minreq to 75% of audio timer_rate
Currently with the playback buffer attribute minreq = -1 and flag
PA_STREAM_EARLY_REQUESTS PulseAudio uses minreq = tlength / 4.
To improve audio playback with larger PulseAudio server side
buffers, limit minreq to a maximum of 75% of audio timer_rate.
That way there is a good chance qemu receives a stream buffer
size update before it tries to write data to the playback stream.
Volker Rümelin [Sun, 10 Jan 2021 10:02:33 +0000 (11:02 +0100)]
paaudio: comment bugs in functions qpa_init_*
The audio buffer size in audio/paaudio.c is typically larger
than expected. Just comment the bugs in qpa_init_in() and
qpa_init_out() for now. Fixing these bugs may break glitch free
audio playback with fine tuned user audio settings.
Volker Rümelin [Sun, 10 Jan 2021 10:02:32 +0000 (11:02 +0100)]
paaudio: remove unneeded code
Commit baea032ec7 "audio/paaudio: fix ignored buffer_length setting"
added code to handle buffer_length defaults. This was unnecessary
because the audio_buffer_* functions in audio/audio.c already handle
this. Remove the unneeded code.
Volker Rümelin [Sun, 10 Jan 2021 10:02:31 +0000 (11:02 +0100)]
paaudio: wait until the playback stream is ready
Don't call pa_stream_writable_size() in qpa_get_buffer_out()
before the playback stream is ready. This prevents a lot of the
following pulseaudio error messages.
pulseaudio: pa_stream_writable_size failed
pulseaudio: Reason: Bad state
To reproduce start qemu with
-parallel none -device gus,audiodev=audio0 -audiodev pa,id=audio0
Volker Rümelin [Sun, 10 Jan 2021 10:02:30 +0000 (11:02 +0100)]
paaudio: wait for PA_STREAM_READY in qpa_write()
Don't call pa_stream_writable_size() in qpa_write() before the
playback stream is ready. This prevents a lot of the following
pulseaudio error messages.
pulseaudio: pa_stream_writable_size failed
pulseaudio: Reason: Bad state
To reproduce start qemu with
-parallel none -device gus,audiodev=audio0
-audiodev pa,id=audio0,out.mixing-engine=off
Volker Rümelin [Sun, 10 Jan 2021 10:02:29 +0000 (11:02 +0100)]
paaudio: avoid to clip samples multiple times
The pulseaudio backend currently converts, clips and copies audio
playback samples in the mixing-engine sample buffer multiple
times.
In qpa_get_buffer_out() the function pa_stream_begin_write()
returns a rather large buffer and this allows audio_pcm_hw_run_out()
in audio/audio.c to copy all samples in the mixing-engine buffer
to the pulse audio buffer. Immediately after copying, qpa_write()
notices with a call to pa_stream_writable_size() that pulse audio
only needs a smaller part of the copied samples and ignores the
rest. This copy and ignore process happens several times for each
audio sample.
To fix this behaviour, call pa_stream_writable_size() in
qpa_get_buffer_out() to limit the number of samples
audio_pcm_hw_run_out() will convert. With this change the
pulseaudio pcm_ops functions put_buffer_out and write are no
longer identical and a separate qpa_put_buffer_out is needed.
Volker Rümelin [Sun, 10 Jan 2021 10:02:25 +0000 (11:02 +0100)]
sdlaudio: add recording functions
Add audio recording functions. SDL 2.0.5 or later is required to
use the recording functions. Playback continues to work with
earlier SDL 2.0 versions.
Volker Rümelin [Sun, 10 Jan 2021 10:02:21 +0000 (11:02 +0100)]
sdlaudio: always clear the sample buffer
Always fill the remaining audio callback buffer with silence.
SDL 2.0 doesn't initialize the audio callback buffer. This was
an incompatible change compared to SDL 1.2. For reference read
the SDL 1.2 to 2.0 migration guide.
Volker Rümelin [Sun, 10 Jan 2021 10:02:20 +0000 (11:02 +0100)]
sdlaudio: don't start playback in init routine
Every emulated audio device has a way to enable audio playback. Don't
start playback until the guest enables the audio device. This patch
keeps the SDL2 device pause state in sync with hw->enabled.
Currently there is a crackling noise with SDL2 audio playback.
Commit bcf19777df: "audio/sdlaudio: Allow audio playback with
SDL2" already mentioned the crackling noise.
Add an out.buffer-count option to give users a chance to select
sane settings for glitch free audio playback. The idea was taken
from the coreaudio backend.
The in.buffer-count option will be used with one of the next
patches.
Lukas Straub [Mon, 28 Dec 2020 15:09:02 +0000 (16:09 +0100)]
tests/test-char.c: Wait for the chardev to connect in char_socket_client_dupid_test
A connecting chardev object has an additional reference by the connecting
thread, so if the chardev is still connecting by the end of the test,
then the chardev object won't be freed. This in turn means that the yank
instance won't be unregistered and when running the next test-case
yank_register_instance will abort, because the yank instance is
already/still registered.
Lukas Straub [Mon, 28 Dec 2020 15:08:59 +0000 (16:08 +0100)]
io: Document qmp oob suitability of qio_channel_shutdown and io_shutdown
Migration and yank code assume that qio_channel_shutdown is thread
-safe and can be called from qmp oob handler. Document this after
checking the code.
Lukas Straub [Mon, 28 Dec 2020 15:08:41 +0000 (16:08 +0100)]
Introduce yank feature
The yank feature allows to recover from hanging qemu by "yanking"
at various parts. Other qemu systems can register themselves and
multiple yank functions. Then all yank functions for selected
instances can be called by the 'yank' out-of-band qmp command.
Available instances can be queried by a 'query-yank' oob command.
* remotes/bonzini-gitlab/tags/for-upstream:
target/i386: Use X86Seg enum for segment registers
configure: quote command line arguments in config.status
configure: move Cocoa incompatibility checks to Meson
configure: move GTK+ detection to Meson
configure: move X11 detection to Meson
gtk: remove CONFIG_GTK_GL
cocoa: do not enable coreaudio automatically
virtio-scsi: trace events
meson: Propagate gnutls dependency
Docs/RCU: Correct sample code of qatomic_rcu_set
scripts/gdb: implement 'qemu bt'
scripts/gdb: fix 'qemu coroutine' when users selects a non topmost stack frame
meson: fix Cocoa option in summary
whpx: move whpx_lapic_state from header to c file
maintainers: Add me as Windows Hosted Continuous Integration maintainer
cirrus/msys2: Cache msys2 mingw in a better way.
cirrus/msys2: Exit powershell with $LastExitCode
whpx: move internal definitions to whpx-internal.h
whpx: rename whp-dispatch to whpx-internal.h
meson: do not use CONFIG_VIRTFS
Peter Maydell [Tue, 12 Jan 2021 21:23:25 +0000 (21:23 +0000)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20210112-1' into staging
target-arm queue:
* arm: Support emulation of ARMv8.4-TTST extension
* arm: Update cpu.h ID register field definitions
* arm: Fix breakage of XScale instruction emulation
* hw/net/lan9118: Fix RX Status FIFO PEEK value
* npcm7xx: Add ADC and PWM emulation
* ui/cocoa: Make "open docs" help menu entry work again when binary
is run from the build tree
* ui/cocoa: Fix openFile: deprecation on Big Sur
* docs: Add qemu-storage-daemon(1) manpage to meson.build
* remotes/pmaydell/tags/pull-target-arm-20210112-1:
ui/cocoa: Fix openFile: deprecation on Big Sur
hw/*: Use type casting for SysBusDevice in NPCM7XX
hw/misc: Add QTest for NPCM7XX PWM Module
hw/misc: Add a PWM module for NPCM7XX
hw/adc: Add an ADC module for NPCM7XX
hw/timer: Refactor NPCM7XX Timer to use CLK clock
hw/misc: Add clock converter in NPCM7XX CLK module
hw/net/lan9118: Add symbolic constants for register offsets
hw/net/lan9118: Fix RX Status FIFO PEEK value
target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
docs: Add qemu-storage-daemon(1) manpage to meson.build
ui/cocoa: Update path to docs in build tree
target/arm: add aarch32 ID register fields to cpu.h
target/arm: add aarch64 ID register fields to cpu.h
target/arm: add descriptions of CLIDR_EL1, CCSIDR_EL1, CTR_EL0 to cpu.h
target/arm: make ARMCPU.ctr 64-bit
target/arm: make ARMCPU.clidr 64-bit
target/arm: fix typo in cpu.h ID_AA64PFR1 field name
target/arm: enable Small Translation tables in max CPU
target/arm: ARMv8.4-TTST extension
Hao Wu [Fri, 8 Jan 2021 19:09:45 +0000 (11:09 -0800)]
hw/*: Use type casting for SysBusDevice in NPCM7XX
A device shouldn't access its parent object which is QOM internal.
Instead it should use type cast for this purporse. This patch fixes this
issue for all NPCM7XX Devices.
Hao Wu [Fri, 8 Jan 2021 19:09:43 +0000 (11:09 -0800)]
hw/misc: Add a PWM module for NPCM7XX
The PWM module is part of NPCM7XX module. Each NPCM7XX module has two
identical PWM modules. Each module contains 4 PWM entries. Each PWM has
two outputs: frequency and duty_cycle. Both are computed using inputs
from software side.
This module does not model detail pulse signals since it is expensive.
It also does not model interrupts and watchdogs that are dependant on
the detail models. The interfaces for these are left in the module so
that anyone in need for these functionalities can implement on their
own.
The user can read the duty cycle and frequency using qom-get command.
Hao Wu [Fri, 8 Jan 2021 19:09:42 +0000 (11:09 -0800)]
hw/adc: Add an ADC module for NPCM7XX
The ADC is part of NPCM7XX Module. Its behavior is controled by the
ADC_CON register. It converts one of the eight analog inputs into a
digital input and stores it in the ADC_DATA register when enabled.
Users can alter input value by using qom-set QMP command.
Hao Wu [Fri, 8 Jan 2021 19:09:40 +0000 (11:09 -0800)]
hw/misc: Add clock converter in NPCM7XX CLK module
This patch allows NPCM7XX CLK module to compute clocks that are used by
other NPCM7XX modules.
Add a new struct NPCM7xxClockConverterState which represents a
single converter. Each clock converter in CLK module represents one
converter in NPCM7XX CLK Module(PLL, SEL or Divider). Each converter
takes one or more input clocks and converts them into one output clock.
They form a clock hierarchy in the CLK module and are responsible for
outputing clocks for various other modules in an NPCM7XX SoC.
Each converter has a function pointer called "convert" which represents
the unique logic for that converter.
The clock contains two initialization information: ConverterInitInfo and
ConverterConnectionInfo. They represent the vertices and edges in the
clock diagram respectively.
Peter Maydell [Fri, 8 Jan 2021 18:04:01 +0000 (18:04 +0000)]
hw/net/lan9118: Add symbolic constants for register offsets
The lan9118 code mostly uses symbolic constants for register offsets;
the exceptions are those which the datasheet doesn't give an official
symbolic name to.
Add some names for the registers which don't already have them, based
on the longer names they are given in the memory map.
Peter Maydell [Fri, 8 Jan 2021 18:04:00 +0000 (18:04 +0000)]
hw/net/lan9118: Fix RX Status FIFO PEEK value
A copy-and-paste error meant that the return value for register offset 0x44
(the RX Status FIFO PEEK register) returned a byte from a bogus offset in
the rx status FIFO. Fix the typo.
Peter Maydell [Fri, 8 Jan 2021 19:51:57 +0000 (19:51 +0000)]
target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
In commit cd8be50e58f63413c0 we converted the A32 coprocessor
insns to decodetree. This accidentally broke XScale/iWMMXt insns,
because it moved the handling of "cp insns which are handled
by looking up the cp register in the hashtable" from after the
call to the legacy disas_xscale_insn() decode to before it,
with the result that all XScale/iWMMXt insns now UNDEF.
Update valid_cp() so that it knows that on XScale cp 0 and 1
are not standard coprocessor instructions; this will cause
the decodetree trans_ functions to ignore them, so that
execution will correctly get through to the legacy decode again.
Paolo Bonzini [Tue, 8 Sep 2020 11:20:45 +0000 (13:20 +0200)]
configure: quote command line arguments in config.status
Make config.status generation a bit more robust. (The quote_sh
function will also be reused to parse configure's command line
arguments in an external script driven by Meson build option
introspection).
Paolo Bonzini [Thu, 7 Jan 2021 13:04:00 +0000 (14:04 +0100)]
configure: move Cocoa incompatibility checks to Meson
The cocoa UI code currently assumes it is always the active UI
and does not interact well with other UI frontend code. Move
the relevant checks to Meson now that all other frontends
have become Meson options. This way, SDL/GTK+/Cocoa can be
parsed entirely by scripts/configure-parse-buildoptions.pl.
Paolo Bonzini [Thu, 7 Jan 2021 12:46:32 +0000 (13:46 +0100)]
gtk: remove CONFIG_GTK_GL
CONFIG_GTK_GL is defined if OpenGL is present and GTK+
is 3.16 or newer. Since GTK+ 3.22 is the minimum supported
version, just use CONFIG_OPENGL instead.
Paolo Bonzini [Thu, 7 Jan 2021 12:32:12 +0000 (13:32 +0100)]
cocoa: do not enable coreaudio automatically
Remove the automagic connection between --enable-cocoa
and enabling coreaudio in audio_drv_list. It can be
overridden anyway just by placing --enable-cocoa before
--audio-drv-list.
Roman Bolshakov [Sat, 2 Jan 2021 12:52:13 +0000 (15:52 +0300)]
meson: Propagate gnutls dependency
crypto/tlscreds.h includes GnuTLS headers if CONFIG_GNUTLS is set, but
GNUTLS_CFLAGS, that describe include path, are not propagated
transitively to all users of crypto and build fails if GnuTLS headers
reside in non-standard directory (which is a case for homebrew on Apple
Silicon).
Maxim Levitsky [Thu, 17 Dec 2020 15:54:36 +0000 (17:54 +0200)]
scripts/gdb: implement 'qemu bt'
This script first runs the regular gdb's 'bt' command, and then if we are in a
coroutine it prints the coroutines backtraces in the order in which they
were called.
Maxim Levitsky [Thu, 17 Dec 2020 15:54:35 +0000 (17:54 +0200)]
scripts/gdb: fix 'qemu coroutine' when users selects a non topmost stack frame
The code that dumps the stack frame works like that:
* save current registers
* overwrite current registers (including rip/rsp) with coroutine snapshot
in the jmpbuf
* print backtrace
* restore the saved registers.
If the user has currently selected a non topmost stack frame in gdb,
the above code will still restore the selected frame registers,
but the gdb will then lose the selected frame index, which makes it impossible
to switch back to frame 0, to continue debugging the executable.
Therefore switch temporarily to the topmost frame of the stack
for the above code.
Peter Maydell [Fri, 8 Jan 2021 16:14:15 +0000 (16:14 +0000)]
docs: Add qemu-storage-daemon(1) manpage to meson.build
In commit 1982e1602d15 we added a new qemu-storage-daemon(1) manpage.
At the moment new manpages have to be listed both in the conf.py for
Sphinx and also in docs/meson.build for Meson. We forgot the second
of those -- correct the omission.
Leif Lindholm [Fri, 8 Jan 2021 18:51:51 +0000 (18:51 +0000)]
target/arm: make ARMCPU.ctr 64-bit
When FEAT_MTE is implemented, the AArch64 view of CTR_EL0 adds the
TminLine field in bits [37:32].
Extend the ctr field to be able to hold this context.
Leif Lindholm [Fri, 8 Jan 2021 18:51:50 +0000 (18:51 +0000)]
target/arm: make ARMCPU.clidr 64-bit
The AArch64 view of CLIDR_EL1 extends the ICB field to include also bit
32, as well as adding a Ttype<n> field when FEAT_MTE is implemented.
Extend the clidr field to be able to hold this context.
* remotes/huth-gitlab/tags/pull-request-2021-01-11v2:
fuzz: map all BARs and enable PCI devices
tests/acceptance: Fix race conditions in s390x tests & skip fedora on gitlab-CI
bsd-user: Update strace.list for FreeBSD's latest syscalls
bsd-user: move strace OS/arch dependent code to host/arch dirs
bsd-user: regenerate FreeBSD's system call numbers
fuzz: heuristic split write based on past IOs
fuzz: add minimization options
fuzz: set bits in operand of write/out to zero
fuzz: remove IO commands iteratively
fuzz: split write operand using binary approach
fuzz: double the IOs to remove for every loop
fuzz: accelerate non-crash detection
util/oslib-win32: Fix _aligned_malloc() arguments order
qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine()
gitlab-ci.yml: Add openSUSE Leap 15.2 for gitlab CI/CD
Prior to this patch, the fuzzer found inputs to map PCI device BARs and
enable the device. While it is nice that the fuzzer can do this, it
added significant overhead, since the fuzzer needs to map all the
BARs (regenerating the memory topology), at the start of each input.
With this patch, we do this once, before fuzzing, mitigating some of
this overhead.
Thomas Huth [Fri, 8 Jan 2021 18:56:45 +0000 (19:56 +0100)]
tests/acceptance: Fix race conditions in s390x tests & skip fedora on gitlab-CI
There was a race condition in the first test where there was already the
"crw" output in the dmesg, but the "0.0.4711" entry has not been created
in the /sys fs yet. Fix it by waiting until it is there.
The second test has even more problems on gitlab-CI. Even after adding some
more synchronization points (that wait for some messages in the "dmesg"
output to make sure that the modules got loaded correctly), there are still
occasionally some hangs in this test when it is running in the gitlab-CI.
So far I was unable to reproduce these hangs locally on my computer, so
this issue might take a while to debug. Thus disable the 2nd test in the
gitlab-CI until the problems are better understood and fixed.
Stacey Son [Fri, 18 Dec 2020 20:54:50 +0000 (13:54 -0700)]
bsd-user: move strace OS/arch dependent code to host/arch dirs
This change moves host OS and arch dependent code for the sysarch
system call related to the -strace functionality into the
appropriate host OS and target arch directories.
Warner Losh [Fri, 18 Dec 2020 20:54:48 +0000 (13:54 -0700)]
bsd-user: regenerate FreeBSD's system call numbers
Recreate the FreeBSD system call numbers from current sys/syscall.h. Since this
isn't guaranteed to be on all systems, continue the practice of generating it
with some variation on:
sed -e s/SYS_/TARGET_NR_/ < $FREEBSD_SRC/sys/syscall.h > syscall_nr.h
until a more comprehensive system can be put in place.
Qiuhao Li [Mon, 11 Jan 2021 06:11:50 +0000 (14:11 +0800)]
fuzz: set bits in operand of write/out to zero
Simplifying the crash cases by opportunistically setting bits in operands of
out/write to zero may help to debug, since usually bit one means turn on or
trigger a function while zero is the default turn-off setting.
Qiuhao Li [Mon, 11 Jan 2021 06:11:49 +0000 (14:11 +0800)]
fuzz: remove IO commands iteratively
Now we use a one-time scan and remove strategy in the minimizer,
which is not suitable for timing dependent instructions.
For example, instruction A will indicate an address where the config
chunk locates, and instruction B will make the configuration active.
If we have the following instruction sequence:
...
A1
B1
A2
B2
...
A2 and B2 are the actual instructions that trigger the bug.
If we scan from top to bottom, after we remove A1, the behavior of B1
might be unknowable, including not to crash the program. But we will
successfully remove B1 later cause A2 and B2 will crash the process
anyway:
...
A1
A2
B2
...
Now one more trimming will remove A1.
In the perfect case, we would need to be able to remove A and B (or C!) at
the same time. But for now, let's just add a loop around the minimizer.
Since we only remove instructions, this iterative algorithm is converging.
Qiuhao Li [Mon, 11 Jan 2021 06:11:48 +0000 (14:11 +0800)]
fuzz: split write operand using binary approach
Currently, we split the write commands' data from the middle. If it does not
work, try to move the pivot left by one byte and retry until there is no
space.
But, this method has two flaws:
1. It may fail to trim all unnecessary bytes on the right side.
For example, there is an IO write command:
write addr uuxxxxuu
u is the unnecessary byte for the crash. Unlike ram write commands, in most
case, a split IO write won't trigger the same crash, So if we split from the
middle, we will get:
write addr uu (will be removed in next round)
write addr xxxxuu
For xxxxuu, since split it from the middle and retry to the leftmost byte
won't get the same crash, we will be stopped from removing the last two
bytes.
2. The algorithm complexity is O(n) since we move the pivot byte by byte.
To solve the first issue, we can try a symmetrical position on the right if
we fail on the left. As for the second issue, instead moving by one byte, we
can approach the boundary exponentially, achieving O(log(n)).
Qiuhao Li [Mon, 11 Jan 2021 06:11:47 +0000 (14:11 +0800)]
fuzz: double the IOs to remove for every loop
Instead of removing IO instructions one by one, we can try deleting multiple
instructions at once. According to the locality of reference, we double the
number of instructions to remove for the next round and recover it to one
once we fail.
This patch is usually significant for large input.
Test with quadrupled trace input at:
https://bugs.launchpad.net/qemu/+bug/1890333/comments/1
Patched 1/6 version:
real 0m45.904s
user 0m16.874s
sys 0m10.042s
Refined version:
real 0m11.412s
user 0m6.888s
sys 0m3.325s
Signed-off-by: Qiuhao Li <[email protected]> Reviewed-by: Alexander Bulekov <[email protected]> Tested-by: Alexander Bulekov <[email protected]>
Message-Id: <SYCPR01MB350280A67BB55C3FADF173E3FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <[email protected]>
Qiuhao Li [Mon, 11 Jan 2021 06:11:46 +0000 (14:11 +0800)]
fuzz: accelerate non-crash detection
We spend much time waiting for the timeout program during the minimization
process until it passes a time limit. This patch hacks the CLOSED (indicates
the redirection file closed) notification in QTest's output if it doesn't
crash.
Test with quadrupled trace input at:
https://bugs.launchpad.net/qemu/+bug/1890333/comments/1
Original version:
real 1m37.246s
user 0m13.069s
sys 0m8.399s
Refined version:
real 0m45.904s
user 0m16.874s
sys 0m10.042s
Note:
Sometimes the mutated or the same trace may trigger a different crash
summary (second-to-last line) but indicates the same bug. For example, Bug 1910826 [1], which will trigger a stack overflow, may output summaries
like:
SUMMARY: AddressSanitizer: stack-overflow
/home/qiuhao/hack/qemu/build/../softmmu/physmem.c:488 in
flatview_do_translate
or
SUMMARY: AddressSanitizer: stack-overflow
(/home/qiuhao/hack/qemu/build/qemu-system-i386+0x27ca049) in __asan_memcpy
Etc.
If we use the whole summary line as the token, we may be prevented from
further minimization. So in this patch, we only use the first three words
which indicate the type of crash:
Gan Qixin [Wed, 6 Jan 2021 05:06:25 +0000 (13:06 +0800)]
qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine()
When the length of mname is less than 5, memcpy("xenfv", mname, 5) will cause
heap buffer overflow. Therefore, use strncmp to avoid this problem.
The asan showed stack:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
0x60200000f2f4 thread T0
#0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
#1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
#2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
#3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
#4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
Peter Maydell [Fri, 8 Jan 2021 15:37:04 +0000 (15:37 +0000)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20210108' into staging
target-arm queue:
* intc/arm_gic: Fix gic_irq_signaling_enabled() for vCPUs
* target/arm: Fix MTE0_ACTIVE
* target/arm: Implement v8.1M and Cortex-M55 model
* hw/arm/highbank: Drop dead KVM support code
* util/qemu-timer: Make timer_free() imply timer_del()
* various devices: Use ptimer_free() in finalize function
* docs/system: arm: Add sabrelite board description
* sabrelite: Minor fixes to allow booting U-Boot
* remotes/pmaydell/tags/pull-target-arm-20210108: (23 commits)
docs/system: arm: Add sabrelite board description
hw/arm: sabrelite: Connect the Ethernet PHY at address 6
hw/msic: imx6_ccm: Correct register value for silicon type
hw/misc: imx6_ccm: Update PMU_MISC0 reset value
exynos4210_mct: Use ptimer_free() in the finalize function to avoid memleaks
musicpal: Use ptimer_free() in the finalize function to avoid memleaks
mss-timer: Use ptimer_free() in the finalize function to avoid memleaks
exynos4210_pwm: Use ptimer_free() in the finalize function to avoid memleaks
exynos4210_rtc: Use ptimer_free() in the finalize function to avoid memleaks
allwinner-a10-pit: Use ptimer_free() in the finalize function to avoid memleaks
digic-timer: Use ptimer_free() in the finalize function to avoid memleaks
target/arm: Remove timer_del()/timer_deinit() before timer_free()
Remove superfluous timer_del() calls
scripts/coccinelle: New script to remove unnecessary timer_del() calls
util/qemu-timer: Make timer_free() imply timer_del()
hw/arm/highbank: Drop dead KVM support code
target/arm: Implement Cortex-M55 model
target/arm: Implement FPCXT_NS fp system register
target/arm: Correct store of FPSCR value via FPCXT_S
hw/intc/armv7m_nvic: Correct handling of CCR.BFHFNMIGN
...
Bin Meng [Wed, 6 Jan 2021 06:35:03 +0000 (14:35 +0800)]
hw/arm: sabrelite: Connect the Ethernet PHY at address 6
At present, when booting U-Boot on QEMU sabrelite, we see:
Net: Board Net Initialization Failed
No ethernet found.
U-Boot scans PHY at address 4/5/6/7 (see board_eth_init() in the
U-Boot source: board/boundary/nitrogen6x/nitrogen6x.c). On the real
board, the Ethernet PHY is at address 6. Adjust this by updating the
"fec-phy-num" property of the fsl_imx6 SoC object.
With this change, U-Boot sees the PHY but complains MAC address:
Net: using phy at 6
FEC [PRIME]
Error: FEC address not set.
This is due to U-Boot tries to read the MAC address from the fuse,
which QEMU does not have any valid content filled in. However this
does not prevent the Ethernet from working in QEMU. We just need to
set up the MAC address later in the U-Boot command shell, by:
Bin Meng [Wed, 6 Jan 2021 06:35:02 +0000 (14:35 +0800)]
hw/msic: imx6_ccm: Correct register value for silicon type
Currently when U-Boot boots, it prints "??" for i.MX processor:
CPU: Freescale i.MX?? rev1.0 at 792 MHz
The register that was used to determine the silicon type is
undocumented in the latest IMX6DQRM (Rev. 6, 05/2020), but we
can refer to get_cpu_rev() in arch/arm/mach-imx/mx6/soc.c in
the U-Boot source codes that USB_ANALOG_DIGPROG is used.
Bin Meng [Wed, 6 Jan 2021 06:35:01 +0000 (14:35 +0800)]
hw/misc: imx6_ccm: Update PMU_MISC0 reset value
U-Boot expects PMU_MISC0 register bit 7 is set (see init_bandgap()
in arch/arm/mach-imx/mx6/soc.c) during boot. This bit indicates the
bandgap has stabilized.
With this change, the latest upstream U-Boot (v2021.01-rc3) for imx6
sabrelite board (mx6qsabrelite_defconfig), with a slight change made
by switching CONFIG_OF_SEPARATE to CONFIG_OF_EMBED, boots to U-Boot
shell on QEMU with the following command:
CPU: Freescale i.MX?? rev1.0 at 792 MHz
Reset cause: POR
Model: Freescale i.MX6 Quad SABRE Lite Board
Board: SABRE Lite
I2C: ready
DRAM: 1 GiB
force_idle_bus: sda=0 scl=0 sda.gp=0x5c scl.gp=0x55
force_idle_bus: failed to clear bus, sda=0 scl=0
force_idle_bus: sda=0 scl=0 sda.gp=0x6d scl.gp=0x6c
force_idle_bus: failed to clear bus, sda=0 scl=0
force_idle_bus: sda=0 scl=0 sda.gp=0xcb scl.gp=0x5
force_idle_bus: failed to clear bus, sda=0 scl=0
MMC: FSL_SDHC: 0, FSL_SDHC: 1
Loading Environment from MMC... *** Warning - No block device, using default environment
In: serial
Out: serial
Err: serial
Net: Board Net Initialization Failed
No ethernet found.
starting USB...
Bus usb@2184000: usb dr_mode not found
USB EHCI 1.00
Bus usb@2184200: USB EHCI 1.00
scanning bus usb@2184000 for devices... 1 USB Device(s) found
scanning bus usb@2184200 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
scanning usb for ethernet devices... 0 Ethernet Device(s) found
Hit any key to stop autoboot: 0
=>
Gan Qixin [Thu, 17 Dec 2020 11:31:50 +0000 (19:31 +0800)]
exynos4210_mct: Use ptimer_free() in the finalize function to avoid memleaks
When running device-introspect-test, a memory leak occurred in the
exynos4210_mct_init function, so use ptimer_free() in the finalize function to
avoid it.
ASAN shows memory leak stack:
Indirect leak of 96 byte(s) in 1 object(s) allocated from:
#0 0xffffab97e1f0 in __interceptor_calloc (/lib64/libasan.so.5+0xee1f0)
#1 0xffffab256800 in g_malloc0 (/lib64/libglib-2.0.so.0+0x56800)
#2 0xaaabf555db78 in ptimer_init /qemu/hw/core/ptimer.c:432
#3 0xaaabf56b01a0 in exynos4210_mct_init /qemu/hw/timer/exynos4210_mct.c:1505
#4 0xaaabf6339f6c in object_initialize_with_type /qemu/qom/object.c:515
#5 0xaaabf633a1e0 in object_new_with_type /qemu/qom/object.c:729
#6 0xaaabf6375e40 in qmp_device_list_properties /qemu/qom/qom-qmp-cmds.c:153
#7 0xaaabf653d8ec in qmp_marshal_device_list_properties /qemu/qapi/qapi-commands-qdev.c:59
#8 0xaaabf6587d08 in do_qmp_dispatch_bh /qemu/qapi/qmp-dispatch.c:110
#9 0xaaabf6552708 in aio_bh_call /qemu/util/async.c:136
#10 0xaaabf6552708 in aio_bh_poll /qemu/util/async.c:164
#11 0xaaabf655f19c in aio_dispatch /qemu/util/aio-posix.c:381
#12 0xaaabf65523f4 in aio_ctx_dispatch /qemu/util/async.c:306
Gan Qixin [Thu, 17 Dec 2020 11:31:54 +0000 (19:31 +0800)]
musicpal: Use ptimer_free() in the finalize function to avoid memleaks
When running device-introspect-test, a memory leak occurred in the
mv88w8618_pit_init function, so use ptimer_free() in the finalize function to
avoid it.
ASAN shows memory leak stack:
Indirect leak of 192 byte(s) in 4 object(s) allocated from:
#0 0xffffab97e1f0 in __interceptor_calloc (/lib64/libasan.so.5+0xee1f0)
#1 0xffffab256800 in g_malloc0 (/lib64/libglib-2.0.so.0+0x56800)
#2 0xaaabf555db84 in timer_new_full /qemu/include/qemu/timer.h:523
#3 0xaaabf555db84 in timer_new /qemu/include/qemu/timer.h:544
#4 0xaaabf555db84 in timer_new_ns /qemu/include/qemu/timer.h:562
#5 0xaaabf555db84 in ptimer_init /qemu/hw/core/ptimer.c:433
#6 0xaaabf5bb2290 in mv88w8618_timer_init /qemu/hw/arm/musicpal.c:862
#7 0xaaabf5bb2290 in mv88w8618_pit_init /qemu/hw/arm/musicpal.c:954
#8 0xaaabf6339f6c in object_initialize_with_type /qemu/qom/object.c:515
#9 0xaaabf633a1e0 in object_new_with_type /qemu/qom/object.c:729
#10 0xaaabf6375e40 in qmp_device_list_properties /qemu/qom/qom-qmp-cmds.c:153
#11 0xaaabf5a95540 in qdev_device_help /qemu/softmmu/qdev-monitor.c:283
#12 0xaaabf5a96940 in qmp_device_add /qemu/softmmu/qdev-monitor.c:801
Gan Qixin [Thu, 17 Dec 2020 11:31:53 +0000 (19:31 +0800)]
mss-timer: Use ptimer_free() in the finalize function to avoid memleaks
When running device-introspect-test, a memory leak occurred in the
mss_timer_init function, so use ptimer_free() in the finalize function to avoid
it.
ASAN shows memory leak stack:
Indirect leak of 192 byte(s) in 2 object(s) allocated from:
#0 0xffffab97e1f0 in __interceptor_calloc (/lib64/libasan.so.5+0xee1f0)
#1 0xffffab256800 in g_malloc0 (/lib64/libglib-2.0.so.0+0x56800)
#2 0xaaabf555db78 in ptimer_init /qemu/hw/core/ptimer.c:432
#3 0xaaabf58a0010 in mss_timer_init /qemu/hw/timer/mss-timer.c:235
#4 0xaaabf6339f6c in object_initialize_with_type /qemu/qom/object.c:515
#5 0xaaabf633ca04 in object_initialize_child_with_propsv /qemu/qom/object.c:564
#6 0xaaabf633cc08 in object_initialize_child_with_props /qemu/qom/object.c:547
#7 0xaaabf5b8316c in m2sxxx_soc_initfn /qemu/hw/arm/msf2-soc.c:70
#8 0xaaabf6339f6c in object_initialize_with_type /qemu/qom/object.c:515
#9 0xaaabf633a1e0 in object_new_with_type /qemu/qom/object.c:729
#10 0xaaabf6375e40 in qmp_device_list_properties /qemu/qom/qom-qmp-cmds.c:153
#11 0xaaabf653d8ec in qmp_marshal_device_list_properties /qemu/qapi/qapi-commands-qdev.c:59
#12 0xaaabf6587d08 in do_qmp_dispatch_bh /qemu/qapi/qmp-dispatch.c:110
projects / qemu.git / log