From: Alexander Graf
Subject: Re: [Qemu-devel] Crash due to invalid env->current_tb
Date: Wed, 30 Apr 2008 11:08:46 +0200
On Apr 29, 2008, at 8:40 PM, Adam Lackorzynski wrote:
On Tue Apr 29, 2008 at 20:09:00 +0300, Blue Swirl wrote:

On 4/29/08, Adam Lackorzynski <address@hidden> wrote:

Hi,

I've been experiencing crashes of latest svn Qemu, host ia32 and target arm, host gcc is 'gcc version 3.4.6 (Debian 3.4.6-7)'.

The segfault happens because of an invalid env->current_tb which seems to be caused by generated code. The following code in cpu_exec

    tc_ptr = tb->tc_ptr;
    env->current_tb = tb;
    gen_func = (void *)tc_ptr;
    T0 = gen_func();
    env->current_tb = NULL;

is being compiled to the following

    mov 0x14(%ecx),%eax
    mov %ecx,0x56c(%ebp)
    xor %edi,%edi
    call *%eax
    mov %edi,0x56c(%ebp)

After the call edi isn't 0 anymore and gets the bogus value. As edi is callee saved the code itself seems ok.

When I add a barrier before "env->current_tb = NULL" the xor is placed after the call and everything works fine. So might the problem be that generated code isn't preserving edi/registers?

Right. How did you make the barrier? My version (attached) just crashes, I'm not fluent on i386 assembly. Maybe your version could serve as a temporary fix.

I just added an 'asm volatile("")' to stop reordering of instructions which of course isn't enough. The following works for me:

=================================================================== --- cpu-exec.c (revision 4276) +++ cpu-exec.c (working copy) @@ -690,6 +691,11 @@ fp.ip = tc_ptr; fp.gp = code_gen_buffer + 2 * (1 << 20); (*(void (*)(void)) &fp)(); +#elif defined(__i386) + asm volatile ("call *%1\n" + : "=a" (T0) + : "r" (gen_func) + : "esi", "edi"); #else T0 = gen_func(); #endif
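Review bot: the clobber list of the added `asm volatile ("call *%1\n" ...)` is incomplete. Moving the call into inline asm hides it from the compiler, so the i386 caller-saved registers ecx and edx (the compiled sequence quoted above has the tb pointer live in ecx right before the call) and the condition codes must be declared as clobbered, and a "memory" clobber is needed because the generated code reads and writes env (env->current_tb among other fields) through memory that the compiler may otherwise keep cached across the asm; with a plain C call both were implied. The reply also notes that ebx is clobbered by generated code, so it belongs in the list as well, e.g. `: "=a" (T0) : "r" (gen_func) : "ebx", "ecx", "edx", "esi", "edi", "memory", "cc"`. Minor: `#elif defined(__i386)` should test `__i386__`, which GCC predefines in every language mode, whereas the unprefixed `__i386` is only available outside strict ISO modes.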
There was a comment from Fabrice on how to do prologues in TCG to save / restore the clobbered values. Btw, ebx gets clobbered as well.
Alex
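The thread's problem is a compiler that assumes the host ABI around a call into generated code while the generated code does not honour it. As an added example, not code from the QEMU tree or from any of the posters, the following C shows the cpu_exec sequence entered through an inline-asm trampoline whose clobber list covers everything the host ABI lets a callee change (caller-saved registers, flags, memory) plus the callee-saved registers, so the compiler cannot keep NULL in edi across the call the way the quoted disassembly did. `TranslationBlock`, `CPUState`, `call_generated`, `cpu_exec_tb` and `fake_tb_code` are constructed stand-ins with only the fields this discussion needs; the "generated code" is an ordinary C function, and the asm is provided for x86_64 and i386 with a plain call on other hosts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for QEMU's TranslationBlock and CPU state; only the
 * fields the discussion touches are modelled. */
typedef uintptr_t (*tc_fn)(void);

typedef struct TranslationBlock {
    tc_fn tc_ptr;                 /* entry point of the generated host code */
} TranslationBlock;

typedef struct CPUState {
    TranslationBlock *current_tb; /* must be NULL whenever no TB is running */
} CPUState;

/*
 * Enter generated code through inline asm. The compiler cannot see that the
 * asm performs a call, so the clobber list has to name everything the host
 * ABI allows a callee to change: caller-saved registers, the flags and
 * "memory" (generated code reads and writes env). The callee-saved
 * registers are listed too, so the compiler saves and restores them around
 * the asm even when the generated code does not preserve them, which is the
 * edi/ebx failure described in the thread. The function pointer is tied to
 * the return register with a "0" constraint, so the call is `call *%eax`.
 */
static uintptr_t call_generated(tc_fn tc_ptr)
{
    uintptr_t ret;
#if defined(__x86_64__)
    /* The compiler may be using the 128-byte red zone below rsp, because it
     * does not know a call happens here; step past it before calling. */
    __asm__ volatile("sub $128, %%rsp\n\t"
                     "call *%%rax\n\t"
                     "add $128, %%rsp"
                     : "=a"(ret)
                     : "0"(tc_ptr)
                     : "rbx", "rcx", "rdx", "rsi", "rdi",
                       "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
                       "memory", "cc");
#elif defined(__i386__)
    __asm__ volatile("call *%%eax"
                     : "=a"(ret)
                     : "0"(tc_ptr)
                     : "ebx", "ecx", "edx", "esi", "edi", "memory", "cc");
#else
    ret = tc_ptr();               /* other hosts: ordinary ABI call */
#endif
    return ret;
}

/* The sequence from cpu_exec that the thread discusses: current_tb is set
 * for the duration of the TB and must read as NULL again afterwards. With
 * the full clobber list the compiler cannot materialise NULL in a register
 * before the call and trust it to survive. */
static uintptr_t cpu_exec_tb(CPUState *env, TranslationBlock *tb)
{
    uintptr_t next;

    env->current_tb = tb;
    next = call_generated(tb->tc_ptr);
    env->current_tb = NULL;
    return next;
}

/* Constructed "generated code": an ABI-conforming C function standing in for
 * a translated block; a real TB returns its result in eax/rax as well. */
static uintptr_t fake_tb_code(void)
{
    return 0x1234;
}

/* Returns 1 when the TB ran, returned its value and current_tb was reset. */
static int run_demo(void)
{
    TranslationBlock tb;
    CPUState env;
    uintptr_t next;

    tb.tc_ptr = fake_tb_code;
    env.current_tb = NULL;
    next = cpu_exec_tb(&env, &tb);
    return next == 0x1234 && env.current_tb == NULL;
}

int main(void)
{
    int ok = run_demo();

    printf("cpu_exec_tb demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The x86_64 branch goes beyond the i386 case in the patch: it names every general-purpose register except rsp and rbp, and steps over the SysV red zone, which a compiler that does not see the call is otherwise free to use for its own spills. A check like `run_demo` belongs in a test build; it passes with ABI-conforming code and fails as soon as current_tb is stale after the call.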