Subtle combination causing printk to go astray

[Mellvik]

A rather interesting issue related to the discussion in #71, the implementation of a precision timer and a fix for divide-by-zero.

The problem occurs only in QEMU, which means that QEMU itself may be the culprit. That said, it takes either a very fast or very recent version (maybe both) of QEMU for the problem to occur. Which makes the analysis even harder. The symptoms simply don't make sense. A classic start of a real rabbit chase.

The problem: A special sequence of actions cause printk to either cause the current function to exit or the system to hang, a classic stack pollution case.

The situation leading to the problem:

• using the value returned from get_ptime
• a long divide involving that returned value
• a call to printk using the result of that division
• and encapsulating it all, a very fast QEMU - or possibly just a very fast processor, which may be a clue to where the rabbit hides, a race condition??

@ghaerr, it would be interesting if you run this code snippet on ELKS on your QEMU which is likely quite a bit faster than my Mac Mini, which does not show the problem.

Anyway, this code snippet (not doing anything other than demonstrating the problem) demonstrates the problem: Either the statements from the second printk to the end of the function are skipped (like an immediate return) - or we have a hang (the experimental code resides in init/main.c):

{               unsigned long temp;
                int dd;
                unsigned d5, d6;

                d5 = 50;
                get_ptime();
                temp = get_ptime();
                printk("Direct %lu $$", temp);       <--- this is printed, value between 3 and 6 (11 on the MacMini)
                //temp = 3UL;
                dd = temp*838UL/1000UL;
                printk("XXXX %lu", temp);                 <---- this prints too, showing that the div is OK and temp us unaffected
                printk("UL dd=%d $$ ", dd);    <--- this and any printk below in the same function never show, the function just exits - or the system hangs right here
                dd = ((long)temp * 100L)/(long)d5;
                printk("Signed dd=%d $$ ", dd);
                ...
}

Some observations from a seemingly infinite number of testvariants:

1. Activating the //temp = 3UL; line eliminates the problem - which is very interesting because it means that...

   int d5;
   get_ptime();
   d5 = get_ptime();

... is not the same as

   d5 = 4351;

... even if that number is exactly what was returned from get_ptime();. So it's not the number returned but the call to get_ptime() that seems to be important. That said,

   get_ptime();
   get_ptime();
   d5 = 4351;

... doesn't cut it either. The error cannot be provoked unless the actual return value from get_ptime() is used. Very strange indeed.

2. Still, the variable itself is unimportant - as is its size. Setting d6 = temp; where d6 is an unsigned int and subsequently use d6 instead of temp in the division still triggers the problem.
3. Adding delays between the two get_ptime() calls to increase the # of pticks to > 64k makes no difference, IOW whether get_ptime returns a long or a short doesn't make any difference.
4. This observation is supported by changing temp to unsigned int and casting the 2nd call to get_ptime(), still no difference.
5. Changing the dd (int) in the first divide statement to d6 (unsigned) changes behaviour slightly, from 'exit function and continue' to 'hang right there' - which means nothing other than that a 'stray' return happens to 'land' on a slightly different address.
6. The only way to make the routine 'work' with the return value from get_ptime() is to AVOID long divide.

                d5 = d6*838/1000;       /* THIS ONE WORKS */
                printk("2: Direct %x $$", d5);

... which obviously is no good if d6 > 78 - but we're closer to a conclusion: Somehow the interaction between get_ptime() and long div (signed and unsigned) cause a stack pollution which in turn cause printk to malfunction on very fast machines - or there is a bug in QEMU 7.2.0.

And the hunt continues.

[ghaerr]

I'll take a look and try to analyze the problem. But first - are you running this code in the function start_kernel? The function has the following comment at the top of it:

/* this procedure called using temp stack then switched, no temp vars allowed */
void start_kernel(void)
{
    ...
    setsp(&task->t_regs.ax);    /* change to idle task stack */
    ...
// are your variables being declared here? If so, that's disallowed as the stack has been switched within this function.
}

It seems from your description that local variables are being declared within a block, which the compiler will then expect them in certain registers or stack locations. The setsp call above switches stacks midway through the function, which is required long story short for the way the dynamically allocated task array works. Thus, if any local variables are declared within kernel_start, the variables may or may not be accessible and/or overwritten, depending on system activity. This is all part of the trickiness of running code within kernel init (the complex startup sequences having been previously described).

If the locals are declared within start_kernel, then this is likely the issue. The entire set of testing needs to be performed in a separate function, much like was done with testloop, etc. If this is not the issue, let me know and I'll investigate further.

[EDIT: I probably need to change "no temp variables allowed" to "no local variables allowed" to be more clear.]

[Mellvik]

Thank you @ghaerr ,
The test routine is called next to testloop after kernel_banner in kernel_init.

Possibly the most weird thing is that everything works fine except in this very fast instance of QEMU.

[ghaerr]

This is strange, but I still have my theories about stack over/underflow. Can you post your init/main.c as main.zip so I can see it exactly for duplication on my side?

[Mellvik]

main.c.zip

[Mellvik]

Probably obvious, everything is in the calibrate_delay routine at the end.

[ghaerr]

I'm just starting to look at this... I am also wondering whether this behavior might have something to do with the DIV trap handler you just copied over a few days ago... and your statement that things only go bad when the long div routine(s) are called. The DIV instructions can also throw an overflow fault - if by chance the DIV handler isn't working and an overflow is occurring, is that possible something funny might be happening there? This could be tested by executing a DIV by 0 (make sure the compiler doesn't optimize that out) to test the fault handler, which should immediately panic. I never tested DIV overflow, and am not entirely sure when it happens.

I'll take your calibrate_delay routine and look at the code generated, and add it to my main.c and see what happens.

[ghaerr]

Just ran calibrate_delay on my system/qemu (v5.2, MacBook Pro x64 3.1Ghz) and it is not failing. Still looking into code generated, not finding anything obvious. Will set console to serial see if that makes any difference...

[ghaerr]

Looking at this hard, but not getting it to fail on my QEMU, I have the following thoughts and suggestions:

First, add a clr_irq() at the start of calibrate_delay(), just in case there's something strange with interrupts trashing the stack early on during kernel init. It doesn't seem this should help, but try it.

Second, it appears that GCC is very much rearranging the statements in calibrate_delay, and what you think is happening is likely not. In order to be precise, I saw that GC doesn't even compile statements whose result is not passed to another function or used in another calculation. So for instance, the dd = (temp*838UL/1000UL); can be entirely deleted and it doesn't change the code output. (I am performing a ia16-elf-objdump -D -r -Mi8086 main.o > file to save the results, then diffing that with a previous disassembly).

In order to be more precise with what I'm looking at, I then also removed all "unused variables" and statements that did nothing as described above. This ended up with the following, which produced the exact same code as your version:

void calibrate_delay(void)
{
    unsigned long temp = 0;

    sys_dly_base = 0;
    sys_dly_index = 1;
#if 1
    { /* div test */
        unsigned d5;
        unsigned d6 = 33;

        d5 = 50;
        get_ptime();
        d6 = (unsigned)get_ptime();
        printk("Direct %u $$", d6);
        d5 = (unsigned)((long)d6*838L/1000L);   /* this fails */
        printk("YYY;");
        printk("2: Direct %u $$", d5); /* HANGS HERE */
        d6 = (temp*838UL/1000UL);
        printk("XXXX %lu\n", temp);
        printk("New (UL) dd=%x $$", d6);
    }
#endif
    printk("\n");
}

Now, disassemble the output. Notice that the printk of YYY is compiled BEFORE the "d6 this fails" statement! So for sure what is compiled is out of order with the statements. This means you can't trust what order things are occurring in, if GCC deems it better to reorder function calls! (All variables can be declared volatile to stop this, but first perhaps try turning off optimization as suggested below).

In order to get around this, I suggest turning off optimization for this function. This produces lots more code, and probably will affect what seems to be a timing-depending problem. This can be done by changing the function declaration to:

void __attribute__((optimize(0))) calibrate_delay(void) { ...

You will see the compiled code now orders the statements you're writing.

In summary, I would try:

• testing divide by zero as described above to see panic
• disable interrupts at beginning of function to remove possible interrupt handler issues
• run test on console, not on serial console, as QEMU might be getting ahead/behind of the action with serial emulation lead/lag
• turn off optimization for function to see whether you can get problem to repeat
• declare variables volatile and keep optimization on just to see what happens

If this fixes things, then we need to take a hard look at the GCC optimizations that are taking place in this function. I traced it a bit, but its complicated. There is a small chance there could be an issue with the compiler, but I still can't see a place where the stack gets clobbered unless its through a kernel hardware interrupt or task switch, neither of which would take place with the above suggestions.

[Mellvik]

Just ran calibrate_delay on my system/qemu (v5.2, MacBook Pro x64 3.1Ghz) and it is not failing. Still looking into code generated, not finding anything obvious. Will set console to serial see if that makes any difference...

Thank you @ghaerr, I really needed some fresh eyes in on this, after having banged my head against the wall for a few days.

FWIW - my wife's iMac is a 2020 3.1GHz 6 core Core i5, quite similar in terms of performance to your Macbook Pro, but with the most recent OS. I just installed homebrew, then qemu on it, got version 9.0.2 (!!)(why don't I get this on my M1??) and ran the same floppy image I sent to you, which fails on the M1. Lo and behold, it fails in exactly the same way. (BTW - on this version -accel hvf is not available.)

Now, how useful is that? At least we know the problem is not unique to my machine/config and unrelated to whenever the physical platform is Intel or not. But it may still be related to QEMU versions newer than 7.0 and it may still be related to speed (assuming the iMac is slightly faster than the laptop at the same clock rate) and it may be related to the host OS, which is the latest Sonoma on this iMac.

[Mellvik]

I suggest turning off optimization for this function. This produces lots more code, and probably will affect what seems to be a timing-depending problem. This can be done by changing the function declaration to:

void __attribute__((optimize(0))) calibrate_delay(void) { ...

@ghaerr, thanks for this one!! Having pondered too much for too long over object listings these past days, this was the natural first one to check out. And - possibly surprising, then maybe not - the problem goes away.

How interesting! Like you say, a lot more code but here we are, and I'm back at chewing object code, this time with a purpose other than hoping for the needle to magically fall out of the haystack.

[Mellvik]

More findings and observations, @ghaerr:

• clr_irq() doesn't change anything
• div-by-zero works as expected - on real HW too
• Forcing QEMU to use 'real' console doesn't change anything
• Optimization off means it works, as reported above
• your observation about the sequence of things, that the print of 'YYY' actually comes before the bad div, is important. It means that printk is likely not part of the problem, and that it is actually the divsi3 that sends us to oblivion, not a printk.
• volatile d6 didn't change anything. Adding volatile d5 (not removing the first) is an entirely different story: Boot fails after the L1/L2 buffer message. Optimization is active.

... 
24 ext buffers (24576B ram), 10 L1 buffers, 10240B ram
HEAP: no memory (10240 bytes)

panic: No buf mem
SYSTEM HALTED - Press CTRL-ALT-DEL to reboot:

... which is surprising: WTF? This sounds like a compiler problem, doesn't it? Unsurprisingly, removing the volatile on d6 changes the back to normal, the bad division hangs in the same way as before, which way is affected only by the amount of code inserted or deleted ahead of it. So one volatile is ok in the sense it neither breaks anything not changes anything, two bombs the system. Hmmm

BTW, and possibly interesting, the volatiles have no effect when running on real hardware. Now, that's interesting...

The hunt continues.

[ghaerr]

Very interesting. So what is the current prognosis from the test results? It never fails on real hardware, right?

Only certain code sequences cause failures on QEMU, but those sequences cause a fault every time with the same version of QEMU (or higher), right? Are we really dealing with a speed issue here, or just a possible QEMU bug (like DIV trashing some wrong registers or the stack in certain QEMU versions)?

I'm trying to determine if the problem is definitively in QEMU at or above a certain version number, or whether there is a speed/stack trashing issue as well.

If you can determine that the problem only occurs in QEMU and during or as a result of the __divsi3 routine, we may have to pull that from the GCC library (its at cross/build/gcc-src/libgcc/config/ia16/) and possibly comment out some of that code (like the DIV instructions) as a kernel .S file just to see what happens. I am not sure the kernel uses much of long division, but I would bet some of the time routines do. We will need to be sure the problem is within that code first before though. I would bet the kernel would likely function with a broken __divsi3 routine for debugging.

If the problem only occurs on QEMU and never on real hardware, I would say it is not a compiler issue but possibly QEMU interpretation issue with library code...

the volatiles have no effect when running on real hardware.

All a volatile will do is stop optimization and cause a reload from memory instead of using a cached register value in most cases. So if the problem never occurs on real hardware, you won't see a difference with volatile.

[Mellvik]

What we know:

• happens on QEMU only
• is related to either (host) speed or QEMU version (it would be useful to get QEMU 9 running on some really slow hardware, but I don't know if that is possible)
• requires divisor to have been returned from get_ptime() (really makes no sense)
• the error manifests itself in divsi3 (and unsigned version) but the root cause may be somewhere else
• does not happen when optimization is turned off

The effect of using volatile is worth pondering. Adding the 2 volatile declarations I mentioned, changed system behaviour completely: The kernel bombs long before it get to the point where the calibrate_delay is called. This makes even less sense than the rest of the picture, so I need to head back into this one to verify.

My hunch is that we have a processor/compiler problem. That the ia64 architecture that QEMU emulates regardless of the switches we set telling it otherwise, implements some stack related instruction(s) different from its older brethren (like the difference between the 8088/86 and the 286 and later in the way the SP works (vague memory on this, may be slightly different). Speed getting fast enough, possibly caching, pipeline and other effects, I don't know how far down emulation really goes, and we get this effect.

Seems it may be worthwhile to continue my analysis of the optimised vs. unoptimized code. What do you think, @ghaerr ?

[Mellvik]

Update: There is a chance I can get qemu 9.0.2 running on a VERY slow machine. My 10 year old MacBook 12" has a 1,3GHz 2core CoreM processor runs MacOS BigSur and brew says it will install 9.0.2 if the latest version of Xcode command line tools is installed. That may take a while though.
If successful we can eliminate of confirm the speed issue.