Re: [Qemu-devel] another TCG branch weirdness
From: Blue Swirl
Subject: Re: [Qemu-devel] another TCG branch weirdness
Date: Fri, 5 Aug 2011 20:32:22 +0000
On Fri, Aug 5, 2011 at 4:36 PM, Artyom Tarasenko <address@hidden> wrote:
> Host x86_64, guest sparc64. Found a case where a branch instruction
> (brz,pn %o0) unexpectedly jumps to an unexpected address. I.e.
> branch shouldn't be taken at all, but even if it were it should have
> been to 0x13e26e4 and not to 0x5.
>
> I was about to write that the generated OP for brz,pn usually looks
> different, when I realized that in fact it was even generated for this
> very address just before, but with another branch in the delay slot.
> The bug looks familiar, Blue, doesn't it? :)
Sorry, does not ring a bell.
> IN:
> 0x00000000013e26c0: brz,pn %o0, 0x13e26e4
> 0x00000000013e26c4: brlez,pn %o1, 0x13e26e4
>
> OP:
> ---- 0x13e26c0
> ld_i64 tmp6,regwptr,$0x0
> movi_i64 cond,$0x0
> movi_i64 tmp8,$0x0
> brcond_i64 tmp6,tmp8,ne,$0x0
> movi_i64 cond,$0x1
> set_label $0x0
>
> ^^^ Ok, that's what brz,pn usually looks like
>
> ---- 0x13e26c4
> ld_i64 tmp7,regwptr,$0x8
> movi_i64 tmp8,$0x0
> brcond_i64 cond,tmp8,eq,$0x1
> movi_i64 npc,$0x13e26e4
> br $0x2
> set_label $0x1
> movi_i64 npc,$0x13e26c8
> set_label $0x2
> movi_i64 cond,$0x0
> movi_i64 tmp8,$0x0
> brcond_i64 tmp7,tmp8,gt,$0x3
> movi_i64 cond,$0x1
> set_label $0x3
> movi_i64 tmp0,$0x0
> brcond_i64 cond,tmp0,eq,$0x4
> movi_i64 npc,$0x13e26e4
> br $0x5
> set_label $0x4
> movi_i64 npc,$0x5
> set_label $0x5
> exit_tb $0x0
> --------------
> IN:
> 0x00000000013e26c0: brz,pn %o0, 0x13e26e4
>
> OP:
> ---- 0x13e26c0
> ld_i64 tmp6,regwptr,$0x0
> movi_i64 cond,$0x0
> movi_i64 tmp8,$0x0
> brcond_i64 tmp6,tmp8,ne,$0x0
> movi_i64 cond,$0x1
> set_label $0x0
> movi_i64 pc,$0x5
>
> ^^^ What's that?
Probably DYNAMIC_PC + 4. I guess we are hitting this ancient comment
in target-sparc/translate.c:1372:
/* XXX: potentially incorrect if dynamic npc */
> movi_i64 tmp0,$0x0
> brcond_i64 cond,tmp0,eq,$0x1
> movi_i64 npc,$0x13e26e4
> br $0x2
> set_label $0x1
> movi_i64 npc,$0x9
> set_label $0x2
> exit_tb $0x0
>
>
> 33062: Instruction Access MMU Miss (v=0064) pc=0000000000000005
> npc=0000000000000009 SP=000000000c3d2d81
> ...
> Current Register Window:
> %o0-3: 0000000002483d00 0000000000000018 0000000000000028 00000000000232bd
> ^^^^^^ not zero
>
>
> --
> Regards,
> Artyom Tarasenko
>
> solaris/sparc under qemu blog: http://tyom.blogspot.com/
>
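To make the quoted trace reproducible, here is an added example (not code from this thread or from QEMU) that interprets the second, broken OP block with the register window values from the dump; the op subset, register names and the `window` offset layout (%o0 at 0, %o1 at 8) are assumptions taken from the listing above.

```python
import operator

# The second (broken) OP block quoted in the mail, embedded here verbatim
BROKEN_OPS = """\
ld_i64 tmp6,regwptr,$0x0
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp6,tmp8,ne,$0x0
movi_i64 cond,$0x1
set_label $0x0
movi_i64 pc,$0x5
movi_i64 tmp0,$0x0
brcond_i64 cond,tmp0,eq,$0x1
movi_i64 npc,$0x13e26e4
br $0x2
set_label $0x1
movi_i64 npc,$0x9
set_label $0x2
exit_tb $0x0
"""

# TCG condition codes used in the listing (values are small non-negative
# ints in this trace, so signed vs unsigned compare does not matter here)
COND = {'eq': operator.eq, 'ne': operator.ne, 'gt': operator.gt,
        'ge': operator.ge, 'lt': operator.lt, 'le': operator.le}


def run_ops(listing, window):
    """Interpret the small TCG-op subset above.  `window` maps the byte
    offset from regwptr to the register value (assumed: %o0 at 0, %o1 at 8).
    Returns the final TCG globals/temps (pc, npc, cond, tmpN) as a dict."""
    ops = [line.split(None, 1) for line in listing.strip().splitlines()]
    # set_label $N marks a jump target; resolve label -> op index up front
    labels = {int(arg[1:], 16): i for i, (op, arg) in enumerate(ops)
              if op == 'set_label'}
    regs = {}

    def val(tok):  # '$0x..' is an immediate, anything else a temp/global
        return int(tok[1:], 16) if tok.startswith('$') else regs[tok]

    i = 0
    while i < len(ops):
        op, a = ops[i][0], ops[i][1].split(',')
        if op == 'ld_i64':                      # dst, base, offset
            regs[a[0]] = window[val(a[2])]
        elif op == 'movi_i64':                  # dst, immediate
            regs[a[0]] = val(a[1])
        elif op == 'brcond_i64' and COND[a[2]](val(a[0]), val(a[1])):
            i = labels[val(a[3])]; continue     # conditional jump taken
        elif op == 'br':
            i = labels[val(a[0])]; continue     # unconditional jump
        elif op == 'exit_tb':
            break                               # leave the translation block
        i += 1
    return regs
```

With %o0 = 0x2483d00 (non-zero, so the branch is not taken) the block ends with pc=5 and npc=9, exactly the values in the MMU miss line; with %o0 = 0 it sets npc to the branch target but still leaves pc=5.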