Bug 1314483

Summary: qemu crash on ppc64
Product: [Fedora] Fedora Reporter: Than Ngo <than>
Component: gperftoolsAssignee: Tom "spot" Callaway <tcallawa>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: amit.shah, arjun.is, berrange, cfergeau, codonell, dan, dj, dwmw2, fweimer, itamar, jakub, law, mfabian, pbonzini, pfrankli, rjones, siddhesh, tcallawa, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: ppc64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-08 14:20:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1312462    
Bug Blocks:    

Description Than Ngo 2016-03-03 17:42:00 UTC 
/usr/bin/qemu-system-x86_64 -help crashes on ppc64

gdb ./qemu-system-x86_64 
GNU gdb (GDB) Fedora 7.11-58.fc24
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "ppc64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./qemu-system-x86_64...done.

(gdb) r -help
Starting program: /home/than/rpmbuild/BUILD/qemu-2.5.0/x86_64-softmmu/qemu-system-x86_64 -help
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00003fffb0c70298 in ?? ()
#2  0x00003fffb0c72d84 in ?? ()
#3  0x00003fffb7fb8c38 in resolve_ifunc (sym_map=0x3fffb11b3088, map=0x3fffb11b3088, value=0) at ../sysdeps/powerpc/powerpc64/dl-machine.h:666
#4  elf_machine_rela (skip_ifunc=<optimized out>, reloc_addr_arg=0x3fffb0ccd218, version=<optimized out>, sym=<optimized out>, reloc=0x3fffb0c688c0, 
    map=0x3fffb11b3088) at ../sysdeps/powerpc/powerpc64/dl-machine.h:708
#5  elf_dynamic_do_Rela (skip_ifunc=<optimized out>, lazy=<optimized out>, nrelative=<optimized out>, relsize=<optimized out>, reladdr=<optimized out>, 
    map=<optimized out>) at do-rel.h:137
#6  _dl_relocate_object (scope=0x3fffb11b3400, reloc_mode=<optimized out>, consider_profiling=<optimized out>) at dl-reloc.c:258
#7  0x00003fffb7fa6f04 in dl_main (phdr=<optimized out>, phnum=<optimized out>, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2066
#8  0x00003fffb7fcb3bc in _dl_sysdep_start (start_argptr=<optimized out>, dl_main=@0x3fffb7ff0110: 0x3fffb7fa4800 <dl_main>) at ../elf/dl-sysdep.c:249
#9  0x00003fffb7fa4018 in _dl_start_final (arg=arg@entry=0x3ffffffff320, info=info@entry=0x3fffffffed70) at rtld.c:305
#10 0x00003fffb7fa84f0 in _dl_start (arg=0x3ffffffff320) at rtld.c:413
#11 0x00003fffb7fa37b0 in ._start () from /lib64/ld64.so.1

---
qemu-2.5.0-4.fc24.ppc64
Comment 1 Carlos O'Donell 2016-03-03 17:49:02 UTC 
Same issue as bug 1312462. The tcmalloc ifunc needs to be rewritten or removed. I'm investigating this right now to provide some guidance to gperftools on the issue.
Comment 2 Carlos O'Donell 2016-03-03 21:23:09 UTC 
See: https://bugzilla.redhat.com/show_bug.cgi?id=1312462#c27

Moving to gperftools.
Comment 3 Dan HorĂ¡k 2016-03-03 22:04:00 UTC 
I think we should disable usage of tcmalloc in qemu for ppc64/ppc64le (same as it is disabled for s390(x)) until gperftools are fixed and updated. Or even keep tcmalloc enabled only for x86/x86_64. Will cycle the component to get the qemu people into CC.
Comment 4 Richard W.M. Jones 2016-03-03 22:09:08 UTC 
While the bug only affects ppc64, ppc64le and armv7, gperftools is
using an undefined feature and so this could affect any architecture
in future.

There are two possible workarounds:

(1) Disable C++ dynamic sized delete support in gperftools.  See:
https://bugzilla.redhat.com/show_bug.cgi?id=1312462#c7

(2) Disabling `-z now', which I did already:
http://pkgs.fedoraproject.org/cgit/rpms/gperftools.git/commit/?id=c1b9c95df2ccff32d30da7e5a3a02da4eff713b2
does appear to work around the problem on armv7.  Does it fix it
on ppc64/ppc64le?
Comment 5 Than Ngo 2016-03-04 10:46:52 UTC 
i'm trying the workarounds and will post the feedbacks today
Comment 6 Than Ngo 2016-03-04 12:16:37 UTC 
i can confirm that the workaround (2) does fix the crash on ppc64
Comment 7 Than Ngo 2016-03-04 12:20:39 UTC 
i also disabled hardened in gperftools, built in f24/rawhide.
http://koji.fedoraproject.org/koji/buildinfo?buildID=741708
Comment 8 Carlos O'Donell 2016-03-04 14:10:48 UTC 
(In reply to Ngo Than from comment #7)
> i also disabled hardened in gperftools, built in f24/rawhide.
> http://koji.fedoraproject.org/koji/buildinfo?buildID=741708

I recommend against disabling hardening. Of all things qemu and its dependent libraries like tcmalloc should absolutely be hardened. We should be moving forward with more secure virtualized systems not less secure.
Comment 9 Richard W.M. Jones 2016-03-04 14:51:37 UTC 
I agree with Carlos here.  It was fine when we didn't understand
the problem and that was the only available workaround, but I
think a better workaround (assuming we don't get a proper fix
from upstream) is to disable the C++ dynamic sized delete feature.
Comment 10 Carlos O'Donell 2016-03-04 15:01:00 UTC 
(In reply to Richard W.M. Jones from comment #9)
> I agree with Carlos here.  It was fine when we didn't understand
> the problem and that was the only available workaround, but I
> think a better workaround (assuming we don't get a proper fix
> from upstream) is to disable the C++ dynamic sized delete feature.

Alternatively, don't use IFUNC, and use a pointer dispatch at runtime, taking the extra cost while keeping the feature.
Comment 11 Carlos O'Donell 2016-03-04 15:03:26 UTC 
I also think packaging guidelines apply here, we want hardening enabled for gperftools, particularly if qemu is going to continue to use tcmalloc:
https://fedoraproject.org/wiki/Packaging:Guidelines#PIE
Comment 12 Carlos O'Donell 2016-03-08 14:20:10 UTC 
I'm going to mark this as a duplicate of the original issue.

*** This bug has been marked as a duplicate of bug 1312462 ***