_timeout_fn() still being called after emulation finishes

[gaffe23]

I modified samples/sample_arm.c to use a 5-second timeout when calling uc_emu_start(). This caused it to segfault intermittently while calling uc_emu_start() for the second emulation session (the one in test_thumb()).

It looks like this happened because the emu timer tried to call uc_emu_stop() on the previous emulation session (the one in test_arm()), which had already been cleaned up by that point. This led to a null dereference in cpu_exit() looking pretty similar to #65, but with a different cause:

Thread 3 (Thread 0x7fffdfbff700 (LWP 15210)):
#0  0x00007fffe338e391 in cpu_exit (cpu=0x0) at qom/cpu.c:112
#1  0x00007fffe3a04389 in uc_emu_stop (handle=0x603010) at ../uc.c:570
#2  0x00007fffe3a0404c in _timeout_fn (arg=0x603010) at ../uc.c:457
#3  0x00007fffe2435182 in start_thread (arg=0x7fffdfbff700) at pthread_create.c:312
#4  0x00007fffe2f9147d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fde740 (LWP 15208)):
#0  0x00007fffe33d6abf in arm_feature_arm (env=0x7a1840, feature=0xe) at /home/gaffe/repos/unicorn/qemu/target-arm/cpu.h:755
#1  0x00007fffe33dc9ab in register_cp_regs_for_features_arm (cpu=0x799610) at /home/gaffe/repos/unicorn/qemu/target-arm/helper.c:2992
#2  0x00007fffe342ad4d in arm_cpu_realizefn_arm (uc=0x603010, dev=0x799610, errp=0x7fffffffe060) at /home/gaffe/repos/unicorn/qemu/target-arm/cpu.c:393
#3  0x00007fffe3393d18 in device_set_realized (uc=0x603010, obj=0x799610, value=0x1, errp=0x7fffffffe210) at hw/core/qdev.c:184
#4  0x00007fffe3392b0f in property_set_bool (uc=0x603010, obj=0x799610, v=0x7ac9d0, opaque=0x62c800, name=0x7fffe3a12380 "realized", errp=0x7fffffffe210) at qom/object.c:1504
#5  0x00007fffe3390ed4 in object_property_set (uc=0x603010, obj=0x799610, v=0x7ac9d0, name=0x7fffe3a12380 "realized", errp=0x7fffffffe210) at qom/object.c:829
#6  0x00007fffe3393503 in object_property_set_qobject (uc=0x603010, obj=0x799610, value=0x631bc0, name=0x7fffe3a12380 "realized", errp=0x7fffffffe210) at qom/qom-qobject.c:24
#7  0x00007fffe339123a in object_property_set_bool (uc=0x603010, obj=0x799610, value=0x1, name=0x7fffe3a12380 "realized", errp=0x7fffffffe210) at qom/object.c:897
#8  0x00007fffe338e126 in cpu_generic_init (uc=0x603010, typename=0x7fffe3a183d0 "arm-cpu", cpu_model=0x7fffe3a1aff2 "pxa255") at qom/cpu.c:66
#9  0x00007fffe33dcee5 in cpu_arm_init_arm (uc=0x603010, cpu_model=0x7fffe3a1aff2 "pxa255") at /home/gaffe/repos/unicorn/qemu/target-arm/helper.c:3088
#10 0x00007fffe3447ab3 in tosa_init_arm (uc=0x603010, machine=0x617fa0) at /home/gaffe/repos/unicorn/qemu/hw/arm/tosa.c:22
#11 0x00007fffe338da2b in machine_initialize (uc=0x603010) at vl.c:136
#12 0x00007fffe3a038e1 in uc_open (arch=UC_ARCH_ARM, mode=UC_MODE_THUMB, handle=0x7fffffffe378) at ../uc.c:236
#13 0x0000000000400c1f in test_thumb ()
#14 0x0000000000400da5 in main ()
#15 0x00007fffe2eb8ec5 in __libc_start_main (main=0x400d7e <main>, argc=0x1, argv=0x7fffffffe4a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe498) at libc-start.c:287
#16 0x00000000004008d9 in _start ()

It sounds like there should be a check in uc_emu_start() to see if emulation ends before the emu timer fires. If that does happen, uc_emu_start() should disable the timer so that it won't call _timeout_fn() after emulation is already over.

[aquynh]

can you send a PR to put your code under regress/ directory?

thanks.

[lunixbochs]

Wait, won't this block until the timeout is done even if you have an error? I don't think that's good behavior.

[aquynh]

no block, since in that case we signal the timer to quit immediately. this is done by setting emulation_done to True at https://github.com/unicorn-engine/unicorn/blob/master/uc.c#L550