Skip to content
This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Regression: can no longer load iOS 15.3.1 #48

Closed
asdfugil opened this issue Apr 17, 2022 · 2 comments
Closed

Regression: can no longer load iOS 15.3.1 #48

asdfugil opened this issue Apr 17, 2022 · 2 comments

Comments

@asdfugil
Copy link

asdfugil commented Apr 17, 2022
edited
Loading

I cannot load my iOS 15.3.1 VM anymore (it is working previously)

qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.

QEMU output:

Loading iOS 15.3...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a120738
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007d51ae0
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff009d0b8f0
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
qemu-system-aarch64: ../hw/arm/t8030.c:854: void t8030_create_i2c(MachineState *, const char *): Assertion `child' failed.
Aborted

it looks like there is a problem during machine init
boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
# kernelcache.research.iphone12b.out
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-92126-069.dmg.trustcache.out,ticket-filename=${HOME}/vm_images/t8030/root_ticket.der \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "rd=disk0s1s1 kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1" \
-initrd 018-92126-069.dmg.out \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Using ecb8ff6 with FastSim workaround.
Host: Debian 11 bullseye, Linux 5.16.0-0.bpo.3-amd64
I have a core dump, not sure how useful it is.
@TrungNguyen1909
Copy link
Owner

Yeah, this is a regression.
You can temporary workaround that by replacing the assert with if (!child) return;

I will push a fix when appropriate.

@TrungNguyen1909
Copy link
Owner

Fixed in ba738a1

shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
@philmd @huth
tests/qtest/intel-hda-test: Add reproducer for issue #542
19a5452 
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      TrungNguyen1909#1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      TrungNguyen1909#2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      TrungNguyen1909#3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      TrungNguyen1909#4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      TrungNguyen1909#5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      TrungNguyen1909#6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      TrungNguyen1909#7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      TrungNguyen1909#8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      TrungNguyen1909#9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      TrungNguyen1909#10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      TrungNguyen1909#11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      TrungNguyen1909#12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      TrungNguyen1909#13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      TrungNguyen1909#14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      TrungNguyen1909#15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      TrungNguyen1909#16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      TrungNguyen1909#17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      TrungNguyen1909#18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      TrungNguyen1909#19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      TrungNguyen1909#20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      TrungNguyen1909#21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      TrungNguyen1909#22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      TrungNguyen1909#23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      TrungNguyen1909#24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      TrungNguyen1909#25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      TrungNguyen1909#26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      TrungNguyen1909#28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      TrungNguyen1909#29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      TrungNguyen1909#30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      TrungNguyen1909#31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      TrungNguyen1909#32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      TrungNguyen1909#33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      TrungNguyen1909#34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      TrungNguyen1909#35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      TrungNguyen1909#36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      TrungNguyen1909#37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      TrungNguyen1909#38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      TrungNguyen1909#39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      TrungNguyen1909#40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      TrungNguyen1909#41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      TrungNguyen1909#42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      TrungNguyen1909#43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      TrungNguyen1909#44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      TrungNguyen1909#45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      TrungNguyen1909#46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      TrungNguyen1909#47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      TrungNguyen1909#48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TrungNguyen1909 @asdfugil