Skip to content

HVF accelerator crash in vmx_write_mem (mmu_gva_to_gpa)

Host environment

  • Operating system: macOS
  • OS/kernel version: 13.6.1 (22G313)
  • Architecture: x86_64
  • QEMU flavor: qemu-system-x86_64
  • QEMU version: 8.2.0
  • QEMU command line: 
    qemu-system-x86_64 -cpu host -machine type=pc,accel=hvf -m 4G -hda main-pro.disk -rtc base=localtime -vga std -usb -device usb-kbd -device usb-tablet -cdrom EN_WIN2000_PRO_SP4.ISO

Emulated/Virtualized environment

  • Operating system: Windows 2000 (SP4)
  • OS/kernel version: 5.00.2195.6717
  • Architecture: x86

Description of problem

During the installation of Windows 2000 from CD-ROM (image), following disk initialization/formatting, a base operating system is copied to the (virtual) hard disk and the system is rebooted. During the start from hard disk to resume installation, QEMU crashes.

This crash occurs whether using installation media for Windows 2000 Professional or Windows 2000 Advanced Server. It can be reproduced before any product key or Terminal Services licensing information is entered.

Undertaking the same process with TCG accelerator on the same host, the issue is not observed.

Unlike in #1603 (closed), -pdpe1gb does not work around this crash.

Steps to reproduce

  1. In HVF QEMU accelerator on x86_64 macOS, start up a pc-i440fx virtual machine w/ Windows 2000 (SP4) installation media.
  2. Initialize/format a (qcow2-powered) hard drive as NTFS when prompted.
  3. Allow the system to reboot.

Additional information

Crash stderr:

vmx_write_mem: mmu_gva_to_gpa bfd391f0 failed
<pid> Abort trap: 6

(it's always "bfd391f0")

Stacktrace:

0   libsystem_kernel.dylib              0x7ff8164771e2 __pthread_kill + 10
1   libsystem_pthread.dylib             0x7ff8164aeee6 pthread_kill + 263
2   libsystem_c.dylib                   0x7ff8163d5b45 abort + 123
3   qemu-system-x86_64                     0x106a3d98d vmx_write_mem + 190
4   qemu-system-x86_64                     0x106a39f1c write_val_ext + 88
5   qemu-system-x86_64                     0x106a3cb1c exec_movs_single + 92
6   qemu-system-x86_64                     0x106a3c412 exec_movs + 61
7   qemu-system-x86_64                     0x106a3b35e exec_instruction + 48
8   qemu-system-x86_64                     0x106a36707 hvf_vcpu_exec + 2411
9   qemu-system-x86_64                     0x106b16532 hvf_cpu_thread_fn + 283
10  qemu-system-x86_64                     0x106c752fc qemu_thread_start + 130
11  libsystem_pthread.dylib             0x7ff8164af1d3 _pthread_start + 125
12  libsystem_pthread.dylib             0x7ff8164aabd3 thread_start + 15

Registers at crash:

rax: 0x0000000000000000  rbx: 0x000070000322d000  rcx: 0x000070000322cc58  rdx: 0x0000000000000000
rdi: 0x0000000000001103  rsi: 0x0000000000000006  rbp: 0x000070000322cc80  rsp: 0x000070000322cc58
 r8: 0x00007ff859b93d08   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
r12: 0x0000000000001103  r13: 0x0000000000000000  r14: 0x0000000000000006  r15: 0x0000000000000016
rip: 0x00007ff8164771e2  rfl: 0x0000000000000246  cr2: 0x0000000000000000

OS response:
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
Logical CPU: 0
Error Code: 0x02000148
Trap Number: 133

Edited by Justin Arthur
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information