There was a bug recently fixed in the vnc code. Apparently
there's something similar in the cirrus emulation as well.
Here it triggers _always_ (including with old versions of kvm)
when running Windows NT and hitting the "test" button in its
display resolution dialog. Here's what gdb has to say:
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xf76cab70 (LWP 580)]
0x080c5e45 in cirrus_do_copy (s=0x86134dc, dst=960000, src=0, w=2, h=9)
at hw/cirrus_vga.c:687
687 sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
(gdb) p depth
$1 = 2
(gdb) p s->cirrus_blt_srcpitch
$2 = 0
(gdb) p *s
$3 = {vga = {
vram_ptr = 0xd5e42000
"\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"...,
vram_offset = 537133056,
vram_size = 16777216, lfb_addr = 4026531840, lfb_end = 4043309056,
map_addr = 4026531840, map_end = 4043309056, lfb_vram_mapped = 1,
bios_offset = 0, bios_size = 0, latch = 3876589584, sr_index = 19 '\023',
sr = "\003!\017\000\016\000\022\027\000\000\030####\230\000\000\000?\000\004\017$\000\000\000\024\024\024\024-", '\000' <repeats 223 times>,
gr_index = 56 '8',
gr = "\000\000\000\000\000@\005\017\377\000\000$", '\000' <repeats 12 times>, "\017\000\000\000\000\000\000\000\001\000\b\000\001\000\000\000\000\246\016\000\000\000\000\000\000\201\016", '\000' <repeats 204 times>, ar_index = 32 ' ',
ar = "\000\001\002\003\004\005\024\a89:;<=>?\005\000\017\b",
ar_flip_flop = 1, cr_index = 39 '\'',
cr = "}cc\200k\032\230\360\000`\016\017\000\000\000\000}#W\310@W\230\303\377\000\000\"", '\000' <repeats 11 times>"\270, ", '\000' <repeats 215 times>,
msr = 103 'g', fcr = 0 '\000', st00 = 0 '\000', st01 = 0 '\000',
dac_state = 0 '\000', dac_sub_index = 0 '\000',
dac_read_index = 16 '\020', dac_write_index = 16 '\020',
dac_cache = "**?", dac_8bit = 0,
palette = "\000\000\000\000\000*\000*\000\000***\000\000*\000***\000***\000\000\025\000\000?\000*\025\000*?*\000\025*\000?**\025**?\000\025\000\000\025*\000?\000\000?**\025\000*\025**?\000*?*\000\025\025\000\025?\000?\025\000??*\025\025*\025?*?\025*??\025\000\000\025\000*\025*\000\025**?\000\000?\000*?*\000?**\025\000\025\025\000?\025*\025\025*??\000\025?\000??*\025?*?\025\025\000\025\025*\025?\000\025?*?\025\000?\025*??\000??*\025\025\025\025\025?\025?\025\025???\025\025?\025???\025???", '\000' <repeats 575 times>, bank_offset = 0,
vga_io_memory = 56, get_bpp = 0x80c70e0 <cirrus_get_bpp>,
get_offsets = 0x80c6f9e <cirrus_get_offsets>,
get_resolution = 0x80c717e <cirrus_get_resolution>, vbe_index = 0,
vbe_regs = {45248, 0, 0, 0, 0, 0, 0, 0, 0, 0}, vbe_start_addr = 0,
vbe_line_offset = 0, vbe_bank_mask = 255, vbe_mapped = 0, ds = 0x8489fb0,
font_offsets = {2, 2}, graphic_mode = 1, shift_control = 2 '\002',
double_scan = 0 '\000', line_offset = 1600, line_compare = 1023,
start_addr = 0, plane_updated = 0, last_line_offset = 1600,
last_cw = 9 '\t', last_ch = 16 '\020', last_width = 800,
last_height = 600, last_scr_width = 800, last_scr_height = 600,
last_depth = 16, cursor_start = 14 '\016', cursor_end = 15 '\017',
cursor_offset = 0, rgb_to_pixel = 0x809fadb <rgb_to_pixel16_dup>,
update = 0x80a19f4 <vga_update_display>,
invalidate = 0x80a1ac1 <vga_invalidate_display>,
screen_dump = 0x80a2fda <vga_screen_dump>,
text_update = 0x80a1e83 <vga_update_text>, invalidated_y_table = {
0 <repeats 64 times>},
cursor_invalidate = 0x80c8b9c <cirrus_cursor_invalidate>,
cursor_draw_line = 0x80c8e33 <cirrus_cursor_draw_line>, last_palette = {0,
168, 43008, 43176, 11010048, 11010216, 11032320, 11053224, 5723991,
5724159, 5766999, 5767167, 16734039, 16734207, 16777047, 16777215,
0 <repeats 240 times>}, last_ch_attr = {0 <repeats 10160 times>,
4294967295, 0 <repeats 5839 times>},
retrace = 0x809b64c <vga_dumb_retrace>,
update_retrace_info = 0x809b298 <vga_dumb_update_retrace_info>,
retrace_info = {precise = {ticks_per_char = 0, total_chars = 0,
htotal = 0, hstart = 0, hend = 0, vstart = 0, vend = 0, freq = 0}},
is_vbe_vmstate = 1 '\001'}, cirrus_linear_io_addr = 64,
cirrus_linear_bitblt_io_addr = 72, cirrus_mmio_io_addr = 80,
cirrus_addr_mask = 4194303, linear_mmio_mask = 4194048,
cirrus_shadow_gr0 = 0 '\000', cirrus_shadow_gr1 = 0 '\000',
cirrus_hidden_dac_lockindex = 0 '\000', cirrus_hidden_dac_data = 225 '\341',
cirrus_bank_base = {0, 32768}, cirrus_bank_limit = {4194304, 4161536},
cirrus_hidden_palette = '\000' <repeats 45 times>"\377, \377\377",
hw_cursor_x = 0, hw_cursor_y = 0, cirrus_blt_pixelwidth = 1,
cirrus_blt_width = 2, cirrus_blt_height = 9, cirrus_blt_dstpitch = 1,
cirrus_blt_srcpitch = 0, cirrus_blt_fgcol = 0, cirrus_blt_bgcol = 0,
cirrus_blt_dstaddr = 960000, cirrus_blt_srcaddr = 0,
cirrus_blt_mode = 0 '\000', cirrus_blt_modeext = 0 '\000',
cirrus_rop = 0x80b60f5 <cirrus_bitblt_rop_fwd_1>,
cirrus_bltbuf = '\000' <repeats 8191 times>, cirrus_srcptr = 0x8623b94 "",
cirrus_srcptr_end = 0x8623b94 "", cirrus_srccounter = 0,
last_hw_cursor_size = 0, last_hw_cursor_x = 0, last_hw_cursor_y = 0,
last_hw_cursor_y_start = 0, last_hw_cursor_y_end = 0,
real_vram_size = 4194304, device_id = 184, bustype = 32}
(gdb) bt
#0 0x080c5e45 in cirrus_do_copy (s=0x86134dc, dst=960000, src=0, w=2, h=9)
at hw/cirrus_vga.c:687
#1 0x080c6226 in cirrus_bitblt_videotovideo_copy (s=0x86134dc)
at hw/cirrus_vga.c:748
#2 0x080c6692 in cirrus_bitblt_videotovideo (s=0x86134dc)
at hw/cirrus_vga.c:870
#3 0x080c6ccc in cirrus_bitblt_start (s=0x86134dc)
at hw/cirrus_vga.c:1011
#4 0x080c7b3c in cirrus_vga_write_gr (s=0x86134dc, reg_index=42, reg_value=14)
at hw/cirrus_vga.c:1526
#5 0x080c82d1 in cirrus_mmio_blt_write (s=0x86134dc, address=18,
value=14 '\016') at hw/cirrus_vga.c:1848
#6 0x080c8a79 in cirrus_vga_mem_writeb (opaque=0x86134dc, addr=98322,
mem_value=14) at hw/cirrus_vga.c:2089
#7 0x080c8b6f in cirrus_vga_mem_writel (opaque=0x86134dc, addr=98320,
val=960000) at hw/cirrus_vga.c:2120
#8 0x0816b41e in cpu_physical_memory_rw (addr=753680, buf=0xf7fdc270 "",
len=4, is_write=1) at exec.c:3207
#9 0x08073198 in kvm_run (env=0x847cff0)
at qemu-kvm.c:937
#10 0x0807454f in kvm_cpu_exec (env=0x847cff0)
at qemu-kvm.c:1651
#11 0x08074ceb in kvm_main_loop_cpu (env=0x847cff0)
at qemu-kvm.c:1893
#12 0x08074e36 in ap_main_loop (_env=0x847cff0)
at qemu-kvm.c:1943
#13 0xf7fad3d0 in start_thread () from /lib/libpthread.so.0
#14 0xf7bb010e in clone () from /lib/libc.so.6
This is qemu-kvm-0.12.3 - actually a Debian package of it,
but no video-related patches are applied. Note that the
guest-programmed s->cirrus_blt_srcpitch is 0 here, so the
`src % ABS(s->cirrus_blt_srcpitch)` at line 687 divides by zero
and takes down the whole qemu process.
Can anything be done about it?
Thanks!
/mjt