# QEMU contribution ## build env setup ``` ERROR: pkg-config binary 'pkg-config' not found -> brew install pkg-config -> sudo apt install pkg-config ERROR: glib-2.48 gthread-2.0 is required to compile QEMU -> https://packages.ubuntu.com/focal/libglib2.0-dev ../meson.build:131:2: ERROR: Dependency "pixman-1" not found, tried pkgconfig -> https://packages.ubuntu.com/source/focal/pixman -> sudo apt install libpixman-1-dev ``` ## build ``` ./configure --target-list=x86_64-softmmu or ./configure --target-list=x86_64-softmmu --enable-debug then make ``` `git clean -fx` `x86_64-softmmu/qemu-system-x86_64` に出力される ``` git format-patch -v3 -s HEAD~ ``` ## commit ``` git config user.name "hikalium" git config user.email "hikalium@hikalium.com" or git -c 'user.name=hikalium' -c 'user.email=hikalium@hikalium.com' commit --signoff ``` ## links - https://wiki.qemu.org/Contribute/SubmitAPatch - https://github.com/hikalium/note/blob/master/qemu.md ## Ctrl-Cで終了した際にSegmentation faultになる問題 ``` ~/repo/qemu/x86_64-softmmu/qemu-system-x86_64 -drive format=raw,file=fat:rw:mnt ``` のように，-driveでフォルダをfatとしてマウントすると，Ctrl-Cで落としたときにSegfaultで死ぬ Cocoa UIのCloseを押して閉じるとSegfaultしない enable-debugでビルドしなおしてlldbでアタッチしてどこで落ちてるか見てみよう． ``` ~/repo/qemu/x86_64-softmmu/qemu-system-x86_64 -drive format=raw,file=fat:rw:mnt で走らせて TMP_FILE=`mktemp` && \ echo "attach `pgrep qemu-system-x86_64`" >> ${TMP_FILE} && \ echo 'process handle -p true -s false SIGUSR2' >> ${TMP_FILE} && \ echo 'process handle -p true -s false SIGINT' >> ${TMP_FILE} && \ echo 'c' >> ${TMP_FILE} && \ cat ${TMP_FILE} && \ lldb -s ${TMP_FILE} ``` ``` * thread #3, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) frame #0: 0x000000010a71b637 qemu-system-x86_64`bdrv_unset_inherits_from(root=0x00007ff8fc87f000, child=0x00007ff8fac088d0) at block.c:2530:20 2527 { 2528 BdrvChild *c; 2529 -> 2530 if (child->bs->inherits_from == root) { 2531 /* 2532 * Remove inherits_from only when the last reference between root and 2533 * child->bs goes away. Target 0: (qemu-system-x86_64) stopped. ``` ``` * thread #3, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) * frame #0: 0x000000010a71b637 qemu-system-x86_64`bdrv_unset_inherits_from(root=0x00007ff8fc87f000, child=0x00007ff8fac088d0) at block.c:2530:20 frame #1: 0x000000010a71b60d qemu-system-x86_64`bdrv_unref_child(parent=0x00007ff8fc87f000, child=0x00007ff8fac088d0) at block.c:2556:5 frame #2: 0x000000010a727e10 qemu-system-x86_64`bdrv_close(bs=0x00007ff8fc87f000) at block.c:4069:9 frame #3: 0x000000010a723d20 qemu-system-x86_64`bdrv_delete(bs=0x00007ff8fc87f000) at block.c:4303:5 frame #4: 0x000000010a719f79 qemu-system-x86_64`bdrv_unref(bs=0x00007ff8fc87f000) at block.c:5670:9 frame #5: 0x000000010a71b549 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007ff8fad01000) at block.c:2519:5 frame #6: 0x000000010a71b616 qemu-system-x86_64`bdrv_unref_child(parent=0x00007ff8fc87a600, child=0x00007ff8fad01000) at block.c:2557:5 frame #7: 0x000000010a727e10 qemu-system-x86_64`bdrv_close(bs=0x00007ff8fc87a600) at block.c:4069:9 frame #8: 0x000000010a723d20 qemu-system-x86_64`bdrv_delete(bs=0x00007ff8fc87a600) at block.c:4303:5 frame #9: 0x000000010a719f79 qemu-system-x86_64`bdrv_unref(bs=0x00007ff8fc87a600) at block.c:5670:9 frame #10: 0x000000010a71b549 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007ff8fad00890) at block.c:2519:5 frame #11: 0x000000010a79523e qemu-system-x86_64`blk_remove_bs(blk=0x00007ff8fc18d810) at block-backend.c:803:5 frame #12: 0x000000010a7950e5 qemu-system-x86_64`blk_remove_all_bs at block-backend.c:501:13 frame #13: 0x000000010a72032d qemu-system-x86_64`bdrv_close_all at block.c:4108:5 frame #14: 0x000000010a4208b7 qemu-system-x86_64`qemu_main(argc=3, argv=0x00007ffee59e9638, envp=0x00007ff8fc000370) at vl.c:4464:5 frame #15: 0x000000010a6e4774 qemu-system-x86_64`call_qemu_main(opaque=0x0000000000000000) at cocoa.m:1767:14 frame #16: 0x000000010a8943bc qemu-system-x86_64`qemu_thread_start(args=0x00007ff8fc024990) at qemu-thread-posix.c:519:9 frame #17: 0x00007fff6dc90e65 libsystem_pthread.dylib`_pthread_start + 148 frame #18: 0x00007fff6dc8c83b libsystem_pthread.dylib`thread_start + 15 ``` ``` (lldb) p child->bs (BlockDriverState *) $0 = 0x2000000000000000 ``` たしかにnon-canonicalなアドレスをderefしようとしてるね ~/repo/qemu/block/vvfat.c:332 vvfat_open(bs, ...)に仕込んでみる．うん，ここで指定されてるbsに対して ``` bdrv_close(bs=0x00007f97c5081800) bdrv_unref_child(parent=0x00007f97c5081800, child=0x00007f97c4e00390) bdrv_unset_inherits_from(root=0x00007f97c5081800, child=0x00007f97c4e00390) ``` と呼んでいって落ちてる block/vvfat.c: .bdrv_file_open = vvfat_open, なので，vvfatのデバイスがopenされるときに指定されてるんだねえ うん，vvfat_closeが呼ばれた後に死んでる bdrv_closeから処理を見てみよう bdrv_closeでbs->childrenの要素(BdrvChild)に対してbdrv_unref_child(bs, child);を呼んでる childrenに対しては特にvvfat.c内では参照してない vvfat_child_permでchildが通知されるのかな？表示させてみよう 2番目のアドレスが問題のchildである child->bsがおかしいので，こいつをwatchしたい watchpoint set expression -- my_ptr watchpoint set expression -- &((BdrvChild *)0x7fa4ee500b60)->bs ``` Watchpoint 1 hit: old value: 0x00007fa4ee87ac00 new value: 0x0000000000000000 Process 12666 stopped * thread #3, stop reason = watchpoint 1 frame #0: 0x0000000106ceb8b6 qemu-system-x86_64`bdrv_replace_child_noperm(child=0x00007fa4ee500b60, new_bs=0x0000000000000000) at block.c:2308:9 2305 2306 child->bs = new_bs; 2307 -> 2308 if (new_bs) { 2309 QLIST_INSERT_HEAD(&new_bs->parents, child, next_parent); 2310 2311 /* Target 0: (qemu-system-x86_64) stopped. (lldb) bt * thread #3, stop reason = watchpoint 1 * frame #0: 0x0000000106ceb8b6 qemu-system-x86_64`bdrv_replace_child_noperm(child=0x00007fa4ee500b60, new_bs=0x0000000000000000) at block.c:2308:9 frame #1: 0x0000000106ce60d6 qemu-system-x86_64`bdrv_replace_child(child=0x00007fa4ee500b60, new_bs=0x0000000000000000) at block.c:2354:5 frame #2: 0x0000000106ce64cf qemu-system-x86_64`bdrv_detach_child(child=0x00007fa4ee500b60) at block.c:2507:5 frame #3: 0x0000000106ce6450 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fa4ee500b60) at block.c:2518:5 frame #4: 0x0000000106ce6526 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fa4ee874600, child=0x00007fa4ee500b60) at block.c:2557:5 frame #5: 0x0000000106d13713 qemu-system-x86_64`write_target_close(bs=0x00007fa4de801200) at vvfat.c:3131:5 frame #6: 0x0000000106cf2cbc qemu-system-x86_64`bdrv_close(bs=0x00007fa4de801200) at block.c:4063:13 frame #7: 0x0000000106ceec30 qemu-system-x86_64`bdrv_delete(bs=0x00007fa4de801200) at block.c:4303:5 frame #8: 0x0000000106ce4e89 qemu-system-x86_64`bdrv_unref(bs=0x00007fa4de801200) at block.c:5670:9 frame #9: 0x0000000106ce6459 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fa4ee500c90) at block.c:2519:5 frame #10: 0x0000000106ce6526 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fa4ee874600, child=0x00007fa4ee500c90) at block.c:2557:5 frame #11: 0x0000000106cf2d20 qemu-system-x86_64`bdrv_close(bs=0x00007fa4ee874600) at block.c:4069:9 frame #12: 0x0000000106ceec30 qemu-system-x86_64`bdrv_delete(bs=0x00007fa4ee874600) at block.c:4303:5 frame #13: 0x0000000106ce4e89 qemu-system-x86_64`bdrv_unref(bs=0x00007fa4ee874600) at block.c:5670:9 frame #14: 0x0000000106ce6459 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fa4ee501840) at block.c:2519:5 frame #15: 0x0000000106ce6526 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fa4ee86fc00, child=0x00007fa4ee501840) at block.c:2557:5 frame #16: 0x0000000106cf2d20 qemu-system-x86_64`bdrv_close(bs=0x00007fa4ee86fc00) at block.c:4069:9 frame #17: 0x0000000106ceec30 qemu-system-x86_64`bdrv_delete(bs=0x00007fa4ee86fc00) at block.c:4303:5 frame #18: 0x0000000106ce4e89 qemu-system-x86_64`bdrv_unref(bs=0x00007fa4ee86fc00) at block.c:5670:9 frame #19: 0x0000000106ce6459 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fa4ee501000) at block.c:2519:5 frame #20: 0x0000000106d601be qemu-system-x86_64`blk_remove_bs(blk=0x00007fa4ee772b70) at block-backend.c:803:5 frame #21: 0x0000000106d60065 qemu-system-x86_64`blk_remove_all_bs at block-backend.c:501:13 frame #22: 0x0000000106ceb23d qemu-system-x86_64`bdrv_close_all at block.c:4108:5 frame #23: 0x00000001069eb7c7 qemu-system-x86_64`qemu_main(argc=3, argv=0x00007ffee941e638, envp=0x00007fa4ee600740) at vl.c:4464:5 frame #24: 0x0000000106caf684 qemu-system-x86_64`call_qemu_main(opaque=0x0000000000000000) at cocoa.m:1767:14 frame #25: 0x0000000106e5f33c qemu-system-x86_64`qemu_thread_start(args="4294969300") at qemu-thread-posix.c:519:9 frame #26: 0x00007fff6dc90e65 libsystem_pthread.dylib`_pthread_start + 148 frame #27: 0x00007fff6dc8c83b libsystem_pthread.dylib`thread_start + 15 ``` bdrv_unref_child なるほど，根本的な要因は，bdrv_detach_childが同じchildに対して2回呼ばれていることにありそう． bdrv_root_attach_child bdrv_unref_childにbをはる 1回目 ``` * frame #0: 0x000000010aa7d387 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fc547874600, child=0x00007fc537500590) at block.c:2555:11 frame #1: 0x000000010aaaa603 qemu-system-x86_64`write_target_close(bs=0x00007fc527801200) at vvfat.c:3131:5 frame #2: 0x000000010aa89b7e qemu-system-x86_64`bdrv_close(bs=0x00007fc527801200) at block.c:4069:13 frame #3: 0x000000010aa85ad0 qemu-system-x86_64`bdrv_delete(bs=0x00007fc527801200) at block.c:4311:5 frame #4: 0x000000010aa7bcb9 qemu-system-x86_64`bdrv_unref(bs=0x00007fc527801200) at block.c:5678:9 frame #5: 0x000000010aa7d2b9 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fc537500760) at block.c:2522:5 frame #6: 0x000000010aa7d3c9 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fc547874600, child=0x00007fc537500760) at block.c:2561:5 frame #7: 0x000000010aa89be2 qemu-system-x86_64`bdrv_close(bs=0x00007fc547874600) at block.c:4075:9 frame #8: 0x000000010aa85ad0 qemu-system-x86_64`bdrv_delete(bs=0x00007fc547874600) at block.c:4311:5 frame #9: 0x000000010aa7bcb9 qemu-system-x86_64`bdrv_unref(bs=0x00007fc547874600) at block.c:5678:9 frame #10: 0x000000010aa7d2b9 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fc537501310) at block.c:2522:5 frame #11: 0x000000010aa7d3c9 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fc54786fc00, child=0x00007fc537501310) at block.c:2561:5 frame #12: 0x000000010aa89be2 qemu-system-x86_64`bdrv_close(bs=0x00007fc54786fc00) at block.c:4075:9 frame #13: 0x000000010aa85ad0 qemu-system-x86_64`bdrv_delete(bs=0x00007fc54786fc00) at block.c:4311:5 frame #14: 0x000000010aa7bcb9 qemu-system-x86_64`bdrv_unref(bs=0x00007fc54786fc00) at block.c:5678:9 frame #15: 0x000000010aa7d2b9 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fc537500ad0) at block.c:2522:5 ``` 2回目 ``` * thread #3, stop reason = breakpoint 1.1 * frame #0: 0x000000010aa7d387 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fc547874600, child=0x00007fc537500590) at block.c:2555:11 frame #1: 0x000000010aa89be2 qemu-system-x86_64`bdrv_close(bs=0x00007fc547874600) at block.c:4075:9 frame #2: 0x000000010aa85ad0 qemu-system-x86_64`bdrv_delete(bs=0x00007fc547874600) at block.c:4311:5 frame #3: 0x000000010aa7bcb9 qemu-system-x86_64`bdrv_unref(bs=0x00007fc547874600) at block.c:5678:9 frame #4: 0x000000010aa7d2b9 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fc537501310) at block.c:2522:5 frame #5: 0x000000010aa7d3c9 qemu-system-x86_64`bdrv_unref_child(parent=0x00007fc54786fc00, child=0x00007fc537501310) at block.c:2561:5 frame #6: 0x000000010aa89be2 qemu-system-x86_64`bdrv_close(bs=0x00007fc54786fc00) at block.c:4075:9 frame #7: 0x000000010aa85ad0 qemu-system-x86_64`bdrv_delete(bs=0x00007fc54786fc00) at block.c:4311:5 frame #8: 0x000000010aa7bcb9 qemu-system-x86_64`bdrv_unref(bs=0x00007fc54786fc00) at block.c:5678:9 frame #9: 0x000000010aa7d2b9 qemu-system-x86_64`bdrv_root_unref_child(child=0x00007fc537500ad0) at block.c:2522:5 ``` はー，2つの親から参照されてる？？？？ struct BdrvChild @ ~/repo/qemu/include/block/block_int.h:739 はい，write_target_closeで bdrv_unref_child(s->bs, s->qcow);としており… ``` diff --git a/block/vvfat.c b/block/vvfat.c index 019b8f1341..e4f045022e 100644 --- a/block/vvfat.c +++ b/block/vvfat.c @@ -3124,17 +3126,11 @@ write_target_commit(BlockDriverState *bs, uint64_t offset, uint64_t bytes, return ret; } -static void write_target_close(BlockDriverState *bs) { - BDRVVVFATState* s = *((BDRVVVFATState**) bs->opaque); - bdrv_unref_child(s->bs, s->qcow); - g_free(s->qcow_filename); -} - static BlockDriver vvfat_write_target = { .format_name = "vvfat_write_target", .instance_size = sizeof(void*), .bdrv_co_pwritev = write_target_commit, - .bdrv_close = write_target_close, + .bdrv_close = NULL, }; BDRVVVFATState.qcow enable_write_target via bdrv_open_child ``` enable_write_targetはvvfatでrwが指定されているときに呼ばれる．これが，s->qcowを確保する．qcowはbdrv_open_childでbsの子としてopenされている．そのためbsのchildrenにいる．一方，s->qcowにいることから，writeを担当するbackingのBlockDriverStateがbdrv_closeされるときもunrefされようとしており，これが問題になっている． QLIST_FOREACH_SAFEは，elemがlistから外れても追跡できるようになってる．今回はこれが仇となって，次が本当は消えているのにアクセスしてしまっていた． bdrv_close(BlockDriverState *bs) QLIST_FOREACH_SAFE(child, &bs->children, next, next) bdrv_unref_child(bs, child); bdrv_new_open_driver https://github.com/qemu/qemu/commit/eecc77473b153fbd3700d68802b48fd0fe8ce4bc このコミットでbdrv_unref_childが呼ばれるようになった． do_not_unref_bdev_child_on_closing_vvfat_write_target ``` block/vvfat: Do not unref qcow on closing backing bdrv Before this commit, BDRVVVFATState.qcow is unrefed in write_target_close on closing backing bdrv of vvfat. However, qcow bdrv is opend as a child of vvfat in enable_write_target() so it will be also unrefed on closing vvfat itself. This causes use-after-free of qcow on freeing vvfat which has backing bdrv and qcow bdrv as children in this order because bdrv_close(vvfat) tries to free qcow bdrv after freeing backing bdrv as QLIST_FOREACH_SAFE() loop keeps next pointer, but BdrvChild of qcow is already freed in bdrv_close(backing bdrv). ``` ## Cocoa UI https://bugs.launchpad.net/qemu/+bug/1847906 ``` * thread #1: tid = 0xd0133, 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP thread #2: tid = 0xd0150, 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10 thread #3: tid = 0xd0151, 0x00007fff656a18f6 libsystem_kernel.dylib`__psynch_cvwait + 10 thread #4: tid = 0xd0155, 0x00007fff656a6026 libsystem_kernel.dylib`__sigwait + 10 thread #5: tid = 0xd0158, 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10 thread #6: tid = 0xd0162, 0x00007fff6569fb7a libsystem_kernel.dylib`__workq_kernreturn + 10 ``` ``` * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP * frame #0: 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10 frame #1: 0x00007fff6575fa3a libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 96 frame #2: 0x00007fff6575d75d libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 222 frame #3: 0x000000010f4e1b3b qemu-system-x86_64`qemu_mutex_lock_impl(mutex=0x000000010fae2b40, file="ui/cocoa.m", line=160) at qemu-thread-posix.c:78:11 frame #4: 0x000000010eeea476 qemu-system-x86_64`qemu_mutex_lock_iothread_impl(file="ui/cocoa.m", line=160) at cpus.c:1878:5 frame #5: 0x000000010f33b131 qemu-system-x86_64`bool_with_iothread_lock(block=0x000000010f33b160) at cocoa.m:160:9 frame #6: 0x000000010f33b0cd qemu-system-x86_64`-[QemuCocoaView handleEvent:](self=0x00007fdc0a4624f0, _cmd="handleEvent:", event=0x00007fdc0c894320) at cocoa.m:732:12 frame #7: 0x000000010f33ec7d qemu-system-x86_64`-[QemuApplication sendEvent:](self=0x00007fdc0a51f340, _cmd="sendEvent:", event=0x00007fdc0c894320) at cocoa.m:1539:10 frame #8: 0x00007fff2b472005 AppKit`-[NSApplication run] + 707 frame #9: 0x000000010f33ee84 qemu-system-x86_64`main(argc=1, argv=0x00007ffee0d82428) at cocoa.m:1806:5 frame #10: 0x00007fff65555405 libdyld.dylib`start + 1 frame #11: 0x00007fff65555405 libdyld.dylib`start + 1 ``` `- (bool) handleEvent:(NSEvent *)event` bool_with_iothread_lockが終わるのを待ってる qemu_mutex_lock_iothread ``` * thread #2 frame #0: 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10 libsystem_kernel.dylib`__psynch_mutexwait: -> 0x7fff656a0f7a <+10>: jae 0x7fff656a0f84 ; <+20> 0x7fff656a0f7c <+12>: movq %rax, %rdi 0x7fff656a0f7f <+15>: jmp 0x7fff6569e397 ; cerror_nocancel 0x7fff656a0f84 <+20>: retq (lldb) bt * thread #2 * frame #0: 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10 frame #1: 0x00007fff6575fa3a libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 96 frame #2: 0x00007fff6575d75d libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 222 frame #3: 0x000000010f4e1b3b qemu-system-x86_64`qemu_mutex_lock_impl(mutex=0x000000010fae2b40, file="util/rcu.c", line=268) at qemu-thread-posix.c:78:11 frame #4: 0x000000010eeea476 qemu-system-x86_64`qemu_mutex_lock_iothread_impl(file="util/rcu.c", line=268) at cpus.c:1878:5 frame #5: 0x000000010f50267b qemu-system-x86_64`call_rcu_thread(opaque=0x0000000000000000) at rcu.c:268:9 frame #6: 0x000000010f4e2eec qemu-system-x86_64`qemu_thread_start(args=0x00007fdc0a420190) at qemu-thread-posix.c:519:9 frame #7: 0x00007fff65761d76 libsystem_pthread.dylib`_pthread_start + 125 frame #8: 0x00007fff6575e5d7 libsystem_pthread.dylib`thread_start + 15 ``` 上と同じlockを待ってる ``` * thread #3 * frame #0: 0x00007fff656a18f6 libsystem_kernel.dylib`__psynch_cvwait + 10 frame #1: 0x00007fff65762082 libsystem_pthread.dylib`_pthread_cond_wait + 701 frame #2: 0x000000010f4e26a9 qemu-system-x86_64`qemu_sem_wait(sem=0x000000010fb00538) at qemu-thread-posix.c:327:14 frame #3: 0x000000010f340623 qemu-system-x86_64`cocoa_display_init(ds=0x00007fdc0a433940, opts=0x000000010faf6200) at cocoa.m:1901:5 frame #4: 0x000000010f32d6fa qemu-system-x86_64`qemu_display_init(ds=0x00007fdc0a433940, opts=0x000000010faf6200) at console.c:2330:5 frame #5: 0x000000010f082c6e qemu-system-x86_64`qemu_main(argc=1, argv=0x00007ffee0d82428, envp=0x00007fdc0a4006c0) at vl.c:4421:5 frame #6: 0x000000010f33ef3d qemu-system-x86_64`call_qemu_main(opaque=0x0000000000000000) at cocoa.m:1757:14 frame #7: 0x000000010f4e2eec qemu-system-x86_64`qemu_thread_start(args=0x00007fdc0a420190) at qemu-thread-posix.c:519:9 frame #8: 0x00007fff65761d76 libsystem_pthread.dylib`_pthread_start + 125 frame #9: 0x00007fff6575e5d7 libsystem_pthread.dylib`thread_start + 15 ``` cocoa_display_init applicationDidFinishLaunchingが呼ばれてapp_started_semが開放されるのを待っている ``` * thread #4 * frame #0: 0x00007fff656a6026 libsystem_kernel.dylib`__sigwait + 10 frame #1: 0x00007fff65762244 libsystem_pthread.dylib`sigwait + 52 frame #2: 0x000000010f4df3e1 qemu-system-x86_64`sigwait_compat(opaque=0x00007fdc0a6a7450) at compatfd.c:35:15 frame #3: 0x000000010f4e2eec qemu-system-x86_64`qemu_thread_start(args=0x00007fdc0a6a7460) at qemu-thread-posix.c:519:9 frame #4: 0x00007fff65761d76 libsystem_pthread.dylib`_pthread_start + 125 frame #5: 0x00007fff6575e5d7 libsystem_pthread.dylib`thread_start + 15 ``` ``` * thread #5 * frame #0: 0x00007fff656a0f7a libsystem_kernel.dylib`__psynch_mutexwait + 10 frame #1: 0x00007fff6575fa3a libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 96 frame #2: 0x00007fff6575d75d libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 222 frame #3: 0x00007fff65762116 libsystem_pthread.dylib`_pthread_cond_wait + 849 frame #4: 0x000000010f4e2073 qemu-system-x86_64`qemu_cond_wait_impl(cond=0x00007fdc0a6bd110, mutex=0x000000010fae2b40, file="/Users/hikalium/repos/qemu/cpus.c", line=1259) at qemu-thread-posix.c:173:11 frame #5: 0x000000010eeec48c qemu-system-x86_64`qemu_wait_io_event(cpu=0x0000000112b81000) at cpus.c:1259:9 frame #6: 0x000000010eeec8e9 qemu-system-x86_64`qemu_tcg_cpu_thread_fn(arg=0x0000000112b81000) at cpus.c:1789:9 frame #7: 0x000000010f4e2eec qemu-system-x86_64`qemu_thread_start(args=0x00007fdc0a6bcb50) at qemu-thread-posix.c:519:9 frame #8: 0x00007fff65761d76 libsystem_pthread.dylib`_pthread_start + 125 frame #9: 0x00007fff6575e5d7 libsystem_pthread.dylib`thread_start + 15 ``` ``` * thread #6 * frame #0: 0x00007fff6569fb7a libsystem_kernel.dylib`__workq_kernreturn + 10 frame #1: 0x7250495500000000 frame #2: 0x00007fff6575e5c3 libsystem_pthread.dylib`start_wqthread + 15 ``` QemuCocoaAppController initはちゃんとおわってる NSApp runは実行されてる ## XHCI No-Op commandに反応しない - エラーイベント(5)が返ってくる - CR_NOOPが実装されていない - コマンドの実装箇所は - xhci_process_commands() http://patchwork.ozlabs.org/patch/1134348/ ##