Merge tag 'pull-10.2-maintainer-260925-1' of https://gitlab.com/stsquad/qemu into staging
September maintainer updates (scripts, semihosting, plugins)
- new gitlab-failure-analysis script
- tweak checkpath to ignore license in removed lines
- refactor semihosting to build once
- add explicit assert to execlog for coverity
- new uftrace plugin
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmjWWJYACgkQ+9DbCVqe
# KkS1sgf+LsP0jsc1wKhzBhO4WarXXacWCDxK22riJ3aolm+gJ+b0WI4ds18A0e3R
# z/J8VJVxBZ+6Hid+tOCQwfZ+Hb1p9IofzBdZryGUvwguviNdlpEChhXXnoZkicym
# aGcC/jYRkhTx42dKRdZrSzPd3ccipqop9RvGx57bjCSBAEHYNz679p4z91kNR5a9
# UfcCzIQHbBUPZo0F9gQkNnBrjsJQhvF+gXPmmsmBI1pby6gNRQvFshrTQ1C32VpL
# VgXNc9cZ6vaREWlgb6izNjsMP7cYTMH2Ppxty/FyEMg7GTfWRjI6Ec8fJKjPFtKr
# ZbCNNAeJ9uLK6pJfTk2YxYabxx3JuQ==
# =cR9e
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 26 Sep 2025 02:10:46 AM PDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-10.2-maintainer-260925-1' of https://gitlab.com/stsquad/qemu: (24 commits)
contrib/plugins/uftrace: add documentation
contrib/plugins/uftrace_symbols.py
contrib/plugins/uftrace: implement x64 support
contrib/plugins/uftrace: generate additional files for uftrace
contrib/plugins/uftrace: implement privilege level tracing
contrib/plugins/uftrace: implement tracing
contrib/plugins/uftrace: track callstack
contrib/plugins/uftrace: define cpu operations and implement aarch64
contrib/plugins/uftrace: skeleton file
contrib/plugins/execlog: Explicitly check for qemu_plugin_read_register() failure
semihosting/arm-compat-semi: compile once in system and per target for user mode
semihosting/arm-compat-semi: remove dependency on cpu.h
semihosting/arm-compat-semi: eradicate target_long
semihosting/arm-compat-semi: replace target_ulong
semihosting/arm-compat-semi: eradicate sizeof(target_ulong)
include/semihosting/common-semi: extract common_semi API
target/{arm, riscv}/common-semi-target: eradicate target_ulong
target/riscv/common-semi-target: remove sizeof(target_ulong)
semihosting/arm-compat-semi: change common_semi_sys_exit_extended
semihosting/guestfd: compile once for system/user
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
* tag 'pull-vfio-20250926' of https://github.com/legoater/qemu: (29 commits)
include/hw/vfio/vfio-device.h: fix include header guard name
vfio-user/pci.c: rename vfio_user_pci_dev_info to vfio_user_pci_info
vfio-user/pci.c: rename vfio_user_instance_finalize() to vfio_user_pci_finalize()
vfio-user/pci.c: rename vfio_user_instance_init() to vfio_user_pci_init()
vfio-user/pci.c: rename vfio_user_pci_dev_properties[] to vfio_user_pci_properties[]
vfio-user/pci.c: rename vfio_user_pci_dev_class_init() to vfio_user_pci_class_init()
vfio/pci.c: rename vfio_pci_nohotplug_dev_info to vfio_pci_nohotplug_info
vfio/pci.c: rename vfio_pci_nohotplug_dev_class_init() to vfio_pci_nohotplug_class_init()
vfio/pci.c: rename vfio_pci_dev_nohotplug_properties[] to vfio_pci_nohotplug_properties[]
vfio/pci.c: rename vfio_pci_dev_properties[] to vfio_pci_properties[]
vfio/pci.c: rename vfio_pci_base_dev_info to vfio_pci_device_info
vfio/pci.c: rename vfio_pci_base_dev_class_init() to vfio_pci_device_class_init()
hw/vfio/types.h: rename TYPE_VFIO_PCI_BASE to TYPE_VFIO_PCI_DEVICE
vfio/pci.c: rename vfio_pci_dev_info to vfio_pci_info
vfio/pci.c: rename vfio_pci_dev_class_init() to vfio_pci_class_init()
vfio/pci.c: rename vfio_instance_finalize() to vfio_pci_finalize()
vfio/pci.c: rename vfio_instance_init() to vfio_pci_init()
vfio/spapr.c: rename VFIOContainer bcontainer field to parent_obj
vfio/spapr.c: use QOM casts where appropriate
vfio/vfio-iommufd.h: rename VFIOContainer bcontainer field to parent_obj
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
contrib/plugins/uftrace: generate additional files for uftrace
Beyond traces per cpu, uftrace expect to find some specific files.
- info: contains information about machine/program run
those values are not impacting uftrace behaviour (only reported by
uftrace info), and we simply added empty strings.
- memory mapping: how every binary is mapped in memory. For system mode,
we generate an empty mapping (uftrace_symbols.py, coming in future
commit, will take care of that). For user mode, we copy current
/proc/self/maps. We don't need to do any special filtering, as
reported addresses will necessarily concern guest program, and not
QEMU and its libraries.
- task: list of tasks. We present every vcpu/privilege level as a
separate process, as it's the best view we can have when generating a
(visual) chrome trace. Using threads is less convenient in terms of
UI.
We add new option trace-privilege-level=bool, which will create a
separate trace for each privilege level.
This allows to follow changes of privilege during execution.
We implement aarch64 operations to track current privilege level
accordingly.
We implement tracing, following uftrace format.
Trace is flushed every 32 MB, so file operations don't impact
performance at runtime.
A different trace is generated per cpu, and we ensure they have a unique
name, based on vcpu_index, while keeping room for privilege level coming
in next commit.
Uftrace format is not officially documented, but it can be found here:
https://github.com/namhyung/uftrace/blob/v0.18/libmcount/record.c#L909
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250902075042.223990-5-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-21-alex.bennee@linaro.org>
We now track callstack, based on frame pointer analysis. We can detect
function calls, returns, and discontinuities.
We implement a frame pointer based unwinding that is used for
discontinuities.
We define a scoreboard that will hold our data per cpu. As well, we
define a buffer per cpu that will be used to read registers and memories
in a thread-safe way.
For now, we just instrument all instructions with an empty callback.
Peter Maydell [Mon, 22 Sep 2025 09:37:01 +0000 (10:37 +0100)]
contrib/plugins/execlog: Explicitly check for qemu_plugin_read_register() failure
In insn_check_regs() we don't explicitly check whether
qemu_plugin_read_register() failed, which confuses Coverity into
thinking that sz can be -1 in the memcmp(). In fact the assertion
that sz == reg->last->len means this can't happen, but it's clearer
to both humans and Coverity if we explicitly assert that sz > 0, as
we already do in init_vcpu_register().
Coverity: CID 1611901, 1611902 Fixes: af6e4e0a22c1 ("contrib/plugins: extend execlog to track register changes") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250710144543.1187715-1-peter.maydell@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-17-alex.bennee@linaro.org>
include/semihosting/common-semi: extract common_semi API
We transform target/{arm,riscv}/common-semi-target.h headers to proper
compilation units, and use them in arm-compat-semi.c.
This way, we can include only the declaration header (which is target
agnostic), and selectively link the appropriate implementation based on
current target.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-8-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-11-alex.bennee@linaro.org>
We now check only is sys_exit is extended.
This allows to break dependency to TARGET_SYS_EXIT_EXTENDED which will
not be available anymore from this code.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-5-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-8-alex.bennee@linaro.org>
semihosting/syscalls: compile once in system and per target for user mode
We replace target_ulong mechanically by uint64_t.
We can't compile (easily) this code once for user, as it relies on
various target/function types, so leave it in specific_ss for user mode.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-2-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-5-alex.bennee@linaro.org>
When running the license check, if we are updating a license it is
possible for the checkpatch script to test against old license lines
instead of newer ones, since the removal lines appear before the
addition lines in a .patch file.
Fix this by skipping over lines that start with "-" in the checkpatch
script.
Signed-off-by: Nabih Estefan <nabihestefan@google.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250916165928.10048-1-nabihestefan@google.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-4-alex.bennee@linaro.org>
Alex Bennée [Mon, 22 Sep 2025 09:36:47 +0000 (10:36 +0100)]
scripts/ci: add gitlab-failure-analysis script
This is a script designed to collect data from multiple pipelines and
analyse the failure modes they have. By default it will probe the last
3 failed jobs on the staging branch. However this can all be
controlled by the CLI:
./scripts/ci/gitlab-failure-analysis --count 2 --branch=testing/next --id 39915562 --status=
running pipeline 2028486060, total jobs 125, skipped 5, failed 0, 39742 tests, 0 failed tests
success pipeline 2015018135, total jobs 125, skipped 5, failed 0, 49219 tests, 0 failed tests
You can also skip failing jobs and just dump the tests:
./scripts/ci/gitlab-failure-analysis --branch= --id 39915562 --status= --skip-jobs --pipeline 19462024911919542960
failed pipeline 1946202491, total jobs 127, skipped 5, failed 26, 38742 tests, 278 skipped tests, 2 failed tests
Failed test qemu.qemu:qtest+qtest-s390x / qtest-s390x/boot-serial-test, check-system-opensuse, 1 /s390x/boot-serial/s390-ccw-virtio - FATAL-ERROR: Failed to find expected string. Please check '/tmp/qtest-boot-serial-sW77EA3'
Failed test qemu.qemu:qtest+qtest-aarch64 / qtest-aarch64/arm-cpu-features, check-system-opensuse, 1 /aarch64/arm/query-cpu-model-expansion - ERROR:../tests/qtest/arm-cpu-features.c:459:test_query_cpu_model_expansion: assertion failed (_error == "The CPU type 'host' requires KVM"): ("The CPU type 'host' requires hardware accelerator" == "The CPU type 'host' requires KVM")
failed pipeline 1919542960, total jobs 127, skipped 5, failed 2, 48753 tests, 441 skipped tests, 1 failed tests
Failed test qemu.qemu:unit / test-aio, msys2-64bit, 12 /aio/timer/schedule - ERROR:../tests/unit/test-aio.c:413:test_timer_schedule: assertion failed: (aio_poll(ctx, true))
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-3-alex.bennee@linaro.org>
Mark Cave-Ayland [Thu, 25 Sep 2025 11:31:13 +0000 (12:31 +0100)]
hw/vfio/container.c: rename file to container-legacy.c
This file is mostly concerned with the VFIOLegacyContainer implementation so
rename it to reflect the previous rename of VFIOContainer to
VFIOLegacyContainer.
Mark Cave-Ayland [Thu, 25 Sep 2025 11:31:12 +0000 (12:31 +0100)]
include/hw/vfio/vfio-container-base.h: rename file to vfio-container.h
With the rename of VFIOContainerBase to VFIOContainer, the vfio-container-base.h
header file containing the struct definition is misleading. Rename it from
vfio-container-base.h to vfio-container.h accordingly, fixing up the name
of the include guard at the same time.
Mark Cave-Ayland [Thu, 25 Sep 2025 11:31:11 +0000 (12:31 +0100)]
include/hw/vfio/vfio-container.h: rename file to vfio-container-legacy.h
With the rename of VFIOContainer to VFIOLegacyContainer, the vfio-container.h
header file containing the struct definition is misleading. Rename it from
vfio-container.h to vfio-container-legacy.h accordingly, fixing up the name
of the include guard at the same time.
Mark Cave-Ayland [Thu, 25 Sep 2025 11:31:10 +0000 (12:31 +0100)]
include/hw/vfio/vfio-container-base.h: rename VFIOContainerBase to VFIOContainer
Now that the VFIOContainer struct name is available, rename VFIOContainerBase
to VFIOContainer to better indicate that it is the superclass of other
VFIOFooContainer structs.
Mark Cave-Ayland [Thu, 25 Sep 2025 11:31:09 +0000 (12:31 +0100)]
include/hw/vfio/vfio-container.h: rename VFIOContainer to VFIOLegacyContainer
The VFIOContainer struct represents the legacy VFIO container even though the
name suggests it may be the common superclass of all VFIO containers. Rename it
to VFIOLegacyContainer to make this clearer, which is also a better match for
its VFIO_IOMMU_LEGACY QOM type name.
Mark Cave-Ayland [Thu, 11 Sep 2025 21:09:05 +0000 (23:09 +0200)]
tests/functional: add a vfio-user smoke test
Add a basic test of the vfio-user PCI client implementation.
Co-authored-by: John Levon <john.levon@nutanix.com> Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Signed-off-by: John Levon <john.levon@nutanix.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Link: https://lore.kernel.org/qemu-devel/20250911210905.2070474-1-john.levon@nutanix.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* qom: Do not unparent in instance_finalize
* linux-user: avoid -Werror=int-in-bool-context
* docs: use the pyvenv version of Meson
* rust: parse attributes using the attrs crate
* rust: complete conversion of qdev properties to proc macro
* docs: clarify AI-generated content policy
# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCgAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmjTnTgUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroNYUwf9EpJbiCN8Qif9JU3XQEaOMDGTDO07
# nMvn6RnRTFyn4iYzCc+pn6GFKWfJGZ6/cD9Qby7lyi3lHlhW8fLYbAcTXn1HoLNk
# lr/Ibmyaa8U2WP5u/QG+3dwn9zTgNFza3BFLguKrOhWjbv3ZL85xez29yChGgtYq
# sTUTigtl261JF4SvtOhzCMqUPo4wzqD0m0Vc/pjxrlgpHAb3rKf32Y6xPkNMVN84
# 81egbF0ZRtUbubjvGzPFstMdRcVBdrac5wnFPWum9GazuWwB4K8p2iBFdmuXMOhy
# NW6M8HP516zhoNk7bA5zQghxmhPWLXah4iA7MflAzLTI30s23TNIMCeJRw==
# =ug+J
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 24 Sep 2025 12:26:48 AM PDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [unknown]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (29 commits)
docs/code-provenance: AI exceptions are in addition to DCO
docs/code-provenance: make the exception process more prominent
docs/code-provenance: clarify scope very early
hw/xen: Do not unparent in instance_finalize()
vfio: Do not unparent in instance_finalize()
hw/sd/sdhci: Do not unparent in instance_finalize()
hv-balloon: hw/core/register: Do not unparent in instance_finalize()
hw/core/register: Do not unparent in instance_finalize()
vfio/pci: Do not unparent in instance_finalize()
docs/devel: Do not unparent in instance_finalize()
linux-user: avoid -Werror=int-in-bool-context
rust/qdev: Drop declare_properties & define_property macros
rust/hpet: Convert qdev properties to #property macro
rust/hpet: Clean up type mismatch for num_timers property
rust/qdev: Test bit property for #property
rust/qdev: Support bit property in #property macro
rust/qdev: Support property info for more common types
rust/qdev: Refine the documentation for QDevProp trait
rust/qdev: use addr_of! in QDevProp
rust/common/uninit: Fix Clippy's complaints about lifetime
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'pull-request-2025-09-24' of https://gitlab.com/thuth/qemu into staging
* New functional tests to check via the vmstate-static-checker.py script
* New functional tests for CD-ROM boot on hppa
* Skip functional tests on more exotic network errors, too
* Fix another issue with htags in the gitlab CI
* Some additional minor fixes to various functional tests
# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCgAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmjTkIkRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbUZCA/9Fb3bVlK108aD5ipuMLlgsXlRI+leEQC6
# h8BJgrb1GvYLlxEguHZJcSIxQN0F6TZsj31xWjpsSMNQro7tbmBcDZtj9FkCrAuG
# E99tG67A6RCTeFbqCfi19QlU9C0UOhJPPEkzZ56D+jik9NJKSG0fM0OFVEt0vBEt
# NLFrfOS6Tgc4XP6qXDXQ7v61SldZtJdDEvkMo2CkXqxu8pDz4vw8G6CSMWPfCH5v
# vkZydxLw38mkp8OtGX/tYiGn5s7/N59B29nlDkfuyOaJXjjKb+kid1XE58Y5R3Lm
# FYEuyGYgOcycH/hLiFtAFQpYYxy2yrbaHnySCP/GkMftmynz2w49hCvXca6gtcxO
# MFwzxdzDkGpPGhgANP9P3xNuZceObq6nKOdlo/tI5vG3rQp5V/n6A8T3JWIWgRHd
# 71HNPYlLf53lYLbiOPAZ9SRaPjElcnJoIF0jrplOWfz8vo1NzanPV4MMOw480uFW
# HDD77dZWrFTox1Unmv1E/TS/85h5b93dbnG9XRiUUn+k8TGtBA71kDme2KEdTZzw
# 3eNkOHUyc6RIwaSjBHWKOfXsaxa9EmS33dfg/jiJ9EpyGie30/faGhK1SiMr9HEp
# 35s4qcpFE71eZKRqXojv8XQJmc5uRCIa30MWGwl0QoU1XaLrF2NUEPECdZRNOBCO
# Jrb+UWMEIsE=
# =RTPq
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 23 Sep 2025 11:32:41 PM PDT
# gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [unknown]
# gpg: aka "Thomas Huth <thuth@redhat.com>" [unknown]
# gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# gpg: aka "Thomas Huth <huth@tuxfamily.org>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5
* tag 'pull-request-2025-09-24' of https://gitlab.com/thuth/qemu:
tests/functional: treat unknown exceptions as transient faults
tests/functional: retry when seeing ConnectionError exception
tests: Fix "make check-functional" for targets without thorough tests
tests/functional/hppa: Add a CD-ROM boot test for qemu-system-hppa
.gitlab-ci.d/buildtest.yml: Unset CI_COMMIT_DESCRIPTION for htags
tests/functional: use self.log for all logging
tests/functional: Use vmstate-static-checker.py to test data from v7.2
tests/data/vmstate-static-checker: Add dump files from QEMU 7.2.17
tests/functional: Test whether the vmstate-static-checker script works fine
tests: Move the old vmstate-static-checker files to tests/data/
tests/functional/s390x/test_pxelinux: Fix warnings from pylint
tests/functional/m68k: Use proper polling in the next-cube test
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'pull-misc-20250924' of https://gitlab.com/rth7680/qemu into staging
hw/pci-host/{dino,astro}: Don't call pci_register_root_bus() in init
target/sparc: Loosen various decode for v7
linux-user: Add syscall dispatch support
tcg/optimize: Fix folding of vector bitsel
include/hw/core/cpu: Introduce MMUIdxMap
include/hw/core/cpu: Introduce cpu_tlb_fast
include/hw/core/cpu: Invert the indexing into CPUTLBDescFast
accel/tcg: Remove dead mmap_unlock() call in invalidate_phys_page_range
accel/tcg: Remove cpu_loop_exit_restore() stub
accel/tcg: Properly unlink a TB linked to itself
accel/tcg: Introduce and use tb_flush__exclusive_or_serial
* tag 'pull-misc-20250924' of https://gitlab.com/rth7680/qemu: (32 commits)
accel/tcg: Remove cpu_loop_exit_restore() stub
accel/tcg: Remove dead mmap_unlock() call in invalidate_phys_page_range
accel/tcg: Improve buffer overflow in tb_gen_code
accel/tcg: Create queue_tb_flush from tb_flush
linux-user: Split out begin_parallel_context
plugins: Use tb_flush__exclusive_or_serial
accel/tcg: Move post-load tb_flush to vm_change_state hook
accel/tcg: Split out tb_flush__exclusive_or_serial
hw/ppc/spapr: Use tb_invalidate_phys_range in h_page_init
target/riscv: Record misa_ext in TCGTBCPUState.cs_base
target/alpha: Simplify call_pal implementation
gdbstub: Remove tb_flush uses
tests/tcg/multiarch: Add tb-link test
accel/tcg: Properly unlink a TB linked to itself
target/hppa: Adjust mmu indexes to begin with 0
include/hw/core/cpu: Invert the indexing into CPUTLBDescFast
include/hw/core/cpu: Introduce cpu_tlb_fast
include/hw/core/cpu: Introduce MMUIdxMap
tcg/optimize: Fix folding of vector bitsel
hw/pci-host/astro: Don't call pci_regsiter_root_bus() in init
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Not needed since commit 63e7af20352 ("hw/mips: Restrict ITU to TCG").
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250924165039.52250-1-philmd@linaro.org>
accel/tcg: Remove dead mmap_unlock() call in invalidate_phys_page_range
Since commit a97d5d2c8be ("accel/tcg: Use interval tree for TBs in
user-only mode") this code is guarded with #ifdef'ry and only build
for system emulation where mmap_unlock() is meaningless. Remove the
call.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250924164824.51971-1-philmd@linaro.org>
accel/tcg: Move post-load tb_flush to vm_change_state hook
We need not call tb_flush once per cpu, only once per vmload.
By moving the call from cpu_common_post_load to a tcg-specific
vm_change_state_handler, we do even better than that: we only
flush when called from HMP triggered loadvm, when we had old
state to flush.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
accel/tcg: Split out tb_flush__exclusive_or_serial
Expose a routine to be called when no cpus are running.
Simplify the do_tb_flush run_on_cpu callback, because
that is explicitly called with start_exclusive; there
is no need for the mmap_lock as well.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
hw/ppc/spapr: Use tb_invalidate_phys_range in h_page_init
We only need invalidate tbs from a single page, not flush
all translations.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
target/riscv: Record misa_ext in TCGTBCPUState.cs_base
The tb_flush within write_misa was incorrect. It assumed
that we could adjust the ISA of the current processor and
discard all TB and all would be well. But MISA is per vcpu,
so globally flushing TB does not mean that the TB matches
the MISA of any given vcpu.
By recording misa in the tb state, we ensure that the code
generated matches the vcpu.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Since 288a5fe980f, we don't link translation blocks
directly to palcode entry points. If we load palbr
from env instead of encoding the constant, we avoid
all need for tb_flush().
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
When we remove dest from orig's links, we lose the link
that we rely on later to reset links. This can lead to
failure to release from spinlock with self-modifying code.
Cc: qemu-stable@nongnu.org Reported-by: 李威威 <liweiwei@kubuds.cn> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng> Tested-by: Anton Johansson <anjo@rev.ng>
Paolo Bonzini [Mon, 22 Sep 2025 11:14:01 +0000 (13:14 +0200)]
docs/code-provenance: AI exceptions are in addition to DCO
Using phrasing from https://openinfra.org/legal/ai-policy (with just
"commit" replaced by "submission", because we do not submit changes
as commits but rather emails), clarify that the contributor remains
responsible for its copyright or license status.
[This is not my preferred phrasing. I would prefer something lighter
like "the "Signed-off-by" label in the contribution gives the author
responsibility". But for the sake of not reinventing the wheel I am
keeping the exact words from the OpenInfra policy.]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Mon, 22 Sep 2025 10:51:37 +0000 (12:51 +0200)]
docs/code-provenance: make the exception process more prominent
QEMU's AI generated content policy does not flesh out the exception
process yet. Do it, while at the same time keeping things informal: ask
contributors to explain what they would like to use AI for, and let them
reach a consensus with the project on why it is credible to claim DCO
compliance in that specific scenario.
In other words, exceptions do not "solve the AI copyright problem". They
take a position that a reasonable contributor could have, and assert that
we're comfortable with the argument.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Mon, 22 Sep 2025 10:45:21 +0000 (12:45 +0200)]
docs/code-provenance: clarify scope very early
The AI policy in QEMU is not about content generators, it is about generated
content. Other uses are explicitly not covered. Rename the policy and clarify
its scope in the TL;DR section, as a matter of convenience to the reader.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
hw/sd/sdhci: Do not unparent in instance_finalize()
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
hv-balloon: hw/core/register: Do not unparent in instance_finalize()
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
hw/core/register: Do not unparent in instance_finalize()
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the insntance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
docs/devel: Do not unparent in instance_finalize()
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
Remove the instruction to call object_unparent(), and the exception
of the "do not call object_unparent()" rule for instance_finalize().
tests/functional: treat unknown exceptions as transient faults
To maximise the robustness of the functional tests we want to treat most
asset download failures as non-fatal to the test suite. Instead it
should just skip the tests which need that particular asset. The only
time aim to make it fatal is for 404 errors which are highly likely to
reflect genuine problems to be fixed.
We catch certain exception classes and handle them as transient errors,
but unfortunately it is proving difficult to predict what exception
classes urlopen() is capable of raising, with new possibilities being
discovered.
To provide a fail-safe, treat the generic Exception class as being a
transient error too. This may well mask certain genuine bugs, but it is
preferrable to prioritize running the test suite to the greatest extent
practical.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250918125746.1165658-3-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: retry when seeing ConnectionError exception
This base class is used for many different socket connection
errors, corresponding to ECONNRESET, ECONNREFUSED, ECONNABORTED
and more. Most of these are things you might expect to see every
now and then as transient flaws. We should thus retry the asset
download when seeing them.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250918125746.1165658-2-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Thomas Huth [Thu, 18 Sep 2025 12:51:54 +0000 (14:51 +0200)]
tests: Fix "make check-functional" for targets without thorough tests
If QEMU gets configured for a single target that does not have
any thorough functional tests, "make check-functional" currently
fails with the error message "No rule to make target 'check-func'".
This happens because "check-func" only gets defined for thorough
tests (quick ones get added to "check-func-quick" instead).
The same problem can happen with the quick tests for targets that
do not have any functional test at all. To fix it, simply make sure
that the targets are always available in the Makefile.
Reported-by: Peter Maydell <peter.maydell@linaro.org> Closes: https://gitlab.com/qemu-project/qemu/-/issues/3119 Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250918125154.126072-1-thuth@redhat.com>
Thomas Huth [Thu, 18 Sep 2025 12:24:47 +0000 (14:24 +0200)]
tests/functional/hppa: Add a CD-ROM boot test for qemu-system-hppa
Add a test which boots a HP-UX firmware upgrade CD-ROM. It exercise
the PCI LSI53C895A SCSI controller. The ISO image comes from:
https://web.archive.org/web/20101204061612/http://ftp.parisc-linux.org/kernels/712/PF_C7120023
The test is very quick, less than 3s.
Based on an old patch from Philippe that has been posted here:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg651012.html
Suggested-by: Sven Schnelle <svens@stackframe.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
[thuth: Adjusted the patch to the functional framework,
and adjusted the commit message]
Message-ID: <20250918122447.105861-1-thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
Peter Maydell [Tue, 16 Sep 2025 16:30:30 +0000 (17:30 +0100)]
.gitlab-ci.d/buildtest.yml: Unset CI_COMMIT_DESCRIPTION for htags
In commit 52a21689cd829 we added a workaround for a bug in older
versions of htags where they fail with a weird error message if the
environment is too large. However, we missed one variable which
gitlab CI can set to the body of the commit message:
CI_COMMIT_DESCRIPTION.
Add this to the variables we unset when running htags, so that
the 'pages' job doesn't fail if the most recent commit happens
to have a very large commit message.
Cc: qemu-stable@nongnu.org Fixes: 52a21689cd8 (".gitlab-ci.d/buildtest.yml: Work around htags bug when environment is large") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20250916163030.1467893-1-peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
Some tests are creating their on logger category which means any
output they log is not captured in base.log.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
[thuth: drop changes to reverse_debugging.py (it's WIP in other patches)]
Message-ID: <20250912182200.643909-7-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Thomas Huth [Fri, 12 Sep 2025 10:07:55 +0000 (12:07 +0200)]
tests/functional: Use vmstate-static-checker.py to test data from v7.2
We've got this nice vmstate-static-checker.py script that can help to
detect screw-ups in the migration states. Unfortunately, it's currently
only run manually, which can be cumbersome. Let's run it from a functional
test automatically with the reference data from QEMU 7.2, so that we get
at least a basic coverage here. Since the test can fail when the checker
script detects a false positive, mark the test with a skipFlakyTest
decorator for now, so that it is only run when the user also set the
QEMU_TEST_FLAKY_TESTS environment variable.
Acked-by: Fabiano Rosas <farosas@suse.de> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250912100755.316518-5-thuth@redhat.com>
Thomas Huth [Fri, 12 Sep 2025 10:07:54 +0000 (12:07 +0200)]
tests/data/vmstate-static-checker: Add dump files from QEMU 7.2.17
For automatic tests, we need reference files from older QEMU versions.
QEMU 7.2 is a long term stable release, so it's a good candidate for
checking whether the migration could still work correctly. Let's add the
files from that version that have been taken with the "-dump-vmstate"
parameter of QEMU (compiled with single machines and the configure switch
"--without-default-devices" to keep the json files reasonable small).
Some devices also have been removed manually from the json files, e.g.
the "pci-bridge" (which can be disabled in later QEMU versions via Kconfig),
and some Linux-related devices like "scsi-block" and "scsi-generic" and
KVM-related devices. Without removing them, we might get errors otherwise
if these devices have not been compiled into the destination QEMU build.
Acked-by: Peter Xu <peterx@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250912100755.316518-4-thuth@redhat.com>
Thomas Huth [Fri, 12 Sep 2025 10:07:53 +0000 (12:07 +0200)]
tests/functional: Test whether the vmstate-static-checker script works fine
We've got two vmstate dump files in the repository which are meant
for verifying whether the vmstate-static-checker.py works as expected.
Since running this manually is a cumbersome job, let's add an automated
test for this instead that runs the script with the two dump files
and checks for the expected output.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250912100755.316518-3-thuth@redhat.com>
Thomas Huth [Fri, 12 Sep 2025 08:52:51 +0000 (10:52 +0200)]
tests/functional/s390x/test_pxelinux: Fix warnings from pylint
pylint complains about wrong indentation in one of the lines and
that the pxelinux_cfg_contents is a constant that should be written
with capital letters. While we're at it, also add the missing doc
strings.
Reviewed-by: Jared Rossi <jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250912085251.274294-1-thuth@redhat.com>
This is a logical reversion of 2ad04500543, though
there have been additions to the set of mmu indexes
since then. The impetus to that original patch,
"9-15 will use shorter assembler instructions when
run on a x86-64 host" is now handled generically.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
include/hw/core/cpu: Invert the indexing into CPUTLBDescFast
This array is within CPUNegativeOffsetState, which means the
last element of the array has an offset from env with the
smallest magnitude. This can be encoded into fewer bits
when generating TCG fast path memory references.
When we changed the NB_MMU_MODES to be a global constant,
rather than a per-target value, we pessimized the code
generated for targets which use only a few mmu indexes.
By inverting the array index, we counteract that.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Peter Maydell [Thu, 18 Sep 2025 11:42:59 +0000 (12:42 +0100)]
hw/pci-host/astro: Don't call pci_regsiter_root_bus() in init
In the astro PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons
* the PCI bridge is then available to the rest of the simulation
(e.g. via pci_qdev_find_device()), even though it hasn't
yet been realized
* we do not attempt to unregister in an instance_deinit,
which means that if you go through an instance_init -> deinit
lifecycle the freed memory for the host-bridge device is
left on the pci_host_bridges list
ASAN reports the resulting use-after-free:
==1776584==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
WRITE of size 8 at 0x51f00000cb00 thread T0
#0 0x5b2d460a89b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
#1 0x5b2d46093566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
#2 0x5b2d460935e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
#3 0x5b2d46093fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
#4 0x5b2d46fe2335 in elroy_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16
0x51f00000cb00 is located 1664 bytes inside of 3456-byte region [0x51f00000c480,0x51f00000d200)
freed by thread T0 here:
#0 0x5b2d4582385a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
#1 0x5b2d47160723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
#2 0x5b2d471589db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
#3 0x5b2d477d373c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
previously allocated by thread T0 here:
#0 0x5b2d45823af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
#1 0x79728fa08b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5b2d471595fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
#3 0x5b2d47159409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
#4 0x5b2d477d29a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
Cc: qemu-stable@nongnu.org Fixes: e029bb00a79be ("hw/pci-host: Add Astro system bus adapter found on PA-RISC machines")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250918114259.1802337-3-peter.maydell@linaro.org>
Peter Maydell [Thu, 18 Sep 2025 11:42:58 +0000 (12:42 +0100)]
hw/pci-host/dino: Don't call pci_register_root_bus() in init
In the dino PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons
* the PCI bridge is then available to the rest of the simulation
(e.g. via pci_qdev_find_device()), even though it hasn't
yet been realized
* we do not attempt to unregister in an instance_deinit,
which means that if you go through an instance_init -> deinit
lifecycle the freed memory for the host-bridge device is
left on the pci_host_bridges list
ASAN reports the resulting use-after-free:
==1771223==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000018f80 at pc 0x5b4b9d3369b5 bp 0x7ffd01929980 sp 0x7ffd01929978
WRITE of size 8 at 0x527000018f80 thread T0
#0 0x5b4b9d3369b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
#1 0x5b4b9d321566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
#2 0x5b4b9d3215e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
#3 0x5b4b9d321fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
#4 0x5b4b9d390521 in dino_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/dino.c:473:16
0x527000018f80 is located 1664 bytes inside of 12384-byte region [0x527000018900,0x52700001b960)
freed by thread T0 here:
#0 0x5b4b9cab185a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
#1 0x5b4b9e3ee723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
#2 0x5b4b9e3e69db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
#3 0x5b4b9ea6173c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
#4 0x5b4b9ec4e0f3 in qmp_marshal_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qapi/qapi-commands-qdev.c:65:14
previously allocated by thread T0 here:
#0 0x5b4b9cab1af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
#1 0x799d8270eb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5b4b9e3e75fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
#3 0x5b4b9e3e7409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
#4 0x5b4b9ea609a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
where we allocated one instance of the dino device, put it on the
list, freed it, and then trying to allocate a second instance touches
the freed memory on the pci_host_bridges list.
Fix this by deferring all the setup of memory regions and registering
the PCI bridge to the device's realize method. This brings it into
line with almost all other PCI host bridges, which call
pci_register_root_bus() in realize.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118 Fixes: 63901b6cc4d8b4 ("dino: move PCI bus initialisation to dino_pcihost_init()") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250918114259.1802337-2-peter.maydell@linaro.org>
projects / thirdparty / qemu.git / log
