[Bug 265749] bhyve NVMe emulation after LLVM 14 import to CURRENT

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 10 Aug 2022 15:29:57 UTC

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
             Status|New                         |Open
                 CC|                            |markj@FreeBSD.org

--- Comment #1 from Mark Johnston <markj@FreeBSD.org> ---
On my system, bhyve segfaults after printing

nvme_opc_write_read command would exceed LBA range(slba=0x2ffff0 nblocks=0x1)

If I disassemble nvme_opc_write_read(), the end of the function (inlined into
pci_nvme_write()) is:

   0x000000000106bfb3 <+7763>:  jmp    0x106bfbc <pci_nvme_write+7772>
   0x000000000106bfb5 <+7765>:  lea    -0x3b292(%rip),%rsi        # 0x1030d2a
   0x000000000106bfbc <+7772>:  lea    -0x4008a(%rip),%rdx        # 0x102bf39
   0x000000000106bfc3 <+7779>:  mov    %r9,%rcx
   0x000000000106bfc6 <+7782>:  xor    %eax,%eax
   0x000000000106bfc8 <+7784>:  call   0x1086010 <fprintf@plt>
End of assembler dump.

and that fprintf() call is the warning.  If I disassemble past that, I get

(gdb) x/16i 0x000000000106bfc8
   0x106bfc8 <pci_nvme_write+7784>:     call   0x1086010 <fprintf@plt>
=> 0x106bfcd:   nopl   (%rax)
   0x106bfd0 <pci_nvme_read>:   push   %rbp
   0x106bfd1 <pci_nvme_read+1>: mov    %rsp,%rbp
   0x106bfd4 <pci_nvme_read+4>: push   %r15
   0x106bfd6 <pci_nvme_read+6>: push   %r14
   0x106bfd8 <pci_nvme_read+8>: push   %r13

so we're just running off the end of the function and going into
pci_nvme_read().  That's pretty weird!  I thought the compiler would insert
breakpoints between functions.

Maybe there is some UB happening here, but compiling bhyve with UBSAN makes the
problem go away.  We compile bhyve with many warnings disabled; enabling them
for pci_nvme.c uncovers some actual bugs, but fixing them doesn't fix the
problem.  And it's really bizarre that the compiler is apparently assuming that
fprintf() won't return.

You are receiving this mail because:
You are the assignee for the bug.