Single stepping Windows 10 bootloader results in Assertion `ret < cpu->num_ases && ret >= 0' failed.
Host environment
- Operating system: Debian 11
- OS/kernel version: 5.10.0-14-amd64
- Architecture: x86_64
- QEMU flavor: qemu-system-i386
- QEMU version: QEMU emulator version 7.0.0
- QEMU command line:
./qemu-system-i386 --drive media=disk,file=w.img,format=raw,index=1 -s -S -enable-kvm
Emulated/Virtualized environment
- Operating system: Windows 10
- OS/kernel version: 21H2
- Architecture: x64
- The guest can be simplified as w.img. It can be downloaded / constructed using:
  - Download as an attachment with this bug: w.img.xz
  - Download from Google Drive
  - Install Windows 7 or Windows 10 in QEMU. Use MBR and BIOS (i.e. do not use GPT and UEFI). For example, I installed Windows on a 32G disk, and it results in around 3 partitions: 50M, 31.5G (this is C:), 450M. Only the MBR header (around 1 M) and the 50M disk are needed.
Description of problem
When I am trying to debug the Windows bootloader, I see an assertion error in QEMU when single stepping some instructions in SeaBIOS.
qemu-system-i386: ../hw/core/cpu-sysemu.c:77: cpu_asidx_from_attrs: Assertion `ret < cpu->num_ases && ret >= 0' failed.
Steps to reproduce
- Download / construct w.img, see above
- Start QEMU using
./qemu-system-i386 --drive media=disk,file=w.img,format=raw,index=1 -s -S -enable-kvm
- Start GDB using
gdb --ex 'target remote :::1234' --ex 'hb *0x7c00' --ex c --ex 'si 1000' --ex q
- See error message
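An added helper (not part of this report) that automates the stepping above with GDB's Python API: it single-steps from 0x7c00 until the QEMU gdbstub drops the connection, then reports how many instructions ran and the last few PCs/instructions, so the failing step can be pinned down without counting by hand. It assumes QEMU is running with the `-s -S` command line above; the file name `step_until_gone.py` in the usage comment is made up.

```python
# Usage (assumed file name): gdb -q -ex 'source step_until_gone.py'
from collections import deque

try:
    import gdb            # only present when running inside gdb
except ImportError:       # allows the pure helper below to run outside gdb
    gdb = None


class RemoteGone(Exception):
    """Raised by a step callable when the gdbstub connection is lost."""


def step_until_disconnect(step, max_steps=1000, keep=8):
    """Call step() up to max_steps times. step() executes one instruction
    and returns (pc, insn_text) for the instruction now at PC, or raises
    RemoteGone when the target went away. Returns (instructions_executed,
    trail) where trail holds the last `keep` (pc, insn) records; trail[-1]
    is the instruction whose execution killed the connection."""
    trail = deque(maxlen=keep)
    for n in range(max_steps):
        try:
            pc, insn = step()
        except RemoteGone:
            return n, list(trail)
        trail.append((pc, insn))
    return max_steps, list(trail)


def _gdb_step():
    """One 'si' against the live QEMU gdbstub, mapped onto the contract above."""
    try:
        gdb.execute("si", to_string=True)
        pc = int(gdb.parse_and_eval("$pc"))
        insn = gdb.execute("x/i $pc", to_string=True).strip()
        return pc, insn
    except gdb.error as e:
        if "Remote connection closed" in str(e):
            raise RemoteGone(str(e))
        raise


if gdb is not None:
    gdb.execute("target remote :1234")   # QEMU started with -s -S
    gdb.execute("hb *0x7c00")            # hardware breakpoint on the MBR entry
    gdb.execute("continue")
    gdb.execute("delete")
    count, last = step_until_disconnect(_gdb_step, max_steps=1000)
    print("gdbstub connection lost after %d single steps" % count)
    for pc, insn in last:
        print("  %#07x  %s" % (pc, insn))
```

If QEMU survives all 1000 steps the script reports 1000 and the last eight instructions instead, which is the expected result once the assertion is fixed.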
Expected behavior
I am not sure whether the BIOS (default SeaBIOS used) or KVM is bad, but I think at least QEMU should not run into an assertion error.
Additional information
The GDB script first breaks at 0x7c00, then tries to execute 1000 instructions using single step (si). On my machine, after executing around 772 instructions, the assertion error in QEMU happens.
Here is an interactive GDB session on my machine.
(gdb) hb *0x7c00
Hardware assisted breakpoint 1 at 0x7c00
(gdb) c
Continuing.
Breakpoint 1, 0x00007c00 in ?? ()
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) si 770
0x000f7d7b in ?? ()
(gdb) x/10i $eip
=> 0xf7d7b: mov $0x7d85,%ebx
0xf7d80: out %al,$0xb2
0xf7d82: pause
0xf7d84: hlt
0xf7d85: mov %bp,%sp
0xf7d88: jmp 0xf7dd1
0xf7d8a: mov %cx,%si
0xf7d8d: mov $0x1,%ax
0xf7d91: add %al,(%eax)
0xf7d93: callw 0x6b66
(gdb) si
0x000f7d80 in ?? ()
(gdb) info reg
eax 0xb5 181
ecx 0x5678 22136
edx 0x0 0
ebx 0x7d85 32133
esp 0xe96d4 0xe96d4
ebp 0xfed4 0xfed4
esi 0xe0346 918342
edi 0xefd91 982417
eip 0xf7d80 0xf7d80
eflags 0x6 [ IOPL=0 PF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x10 16
gs 0x10 16
fs_base 0x0 0
gs_base 0x0 0
k_gs_base 0x0 0
cr0 0x11 [ ET PE ]
cr2 0x0 0
cr3 0x0 [ PDBR=0 PCID=0 ]
cr4 0x0 [ ]
cr8 0x0 0
efer 0x0 [ ]
...
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
(gdb) si
0x000f7d82 in ?? ()
(gdb) info reg
eax 0xb5 181
ecx 0x5678 22136
edx 0x0 0
ebx 0x7d85 32133
esp 0xe96d4 0xe96d4
ebp 0xfed4 0xfed4
esi 0xe0346 918342
edi 0xefd91 982417
eip 0xf7d82 0xf7d82
eflags 0x6 [ IOPL=0 PF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x10 16
gs 0x10 16
fs_base 0x0 0
gs_base 0x0 0
k_gs_base 0x0 0
cr0 0x11 [ ET PE ]
cr2 0x0 0
cr3 0x0 [ PDBR=0 PCID=0 ]
cr4 0x0 [ ]
cr8 0x0 0
efer 0x0 [ ]
...
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
(gdb) si
Remote connection closed
(gdb)
This bug was first incorrectly filed in KVM's bug tracker at https://bugzilla.kernel.org/show_bug.cgi?id=216003.