Re: [Qemu-devel] pci_change_irq_level is broken...

From: Alan Amaral
Subject: Re: [Qemu-devel] pci_change_irq_level is broken...
Date: Wed, 21 Sep 2011 12:34:24 -0400

Ok.  Cases to the contrary notwithstanding, what I'm seeing is the size of the irq_count array
is 4 and the code is clearly accessing entry 4 and beyond.  We are using Xen (sorry if I didn't
mention that earlier).
#0  pci_change_irq_level (pci_dev=0x1c3a730, irq_num=4, change=0)
    at /home/aamaral/orc-next/orc-tree/orc-xen/xen-4.0/tools/ioemu-dir/hw/pci.c:125
125     bus->irq_count[irq_num] += change;
(gdb) p irq_num
$23 = 4                <- It was zero on entry to this function but was changed by xen_pci_slot_get_pirq
(gdb) p bus->nirq
$24 = 4
Please see my earlier reply to Jan Kiszka for full details.

From: Richard Henderson
Sent: Tue 9/20/2011 3:56 PM
To: Alan Amaral
Cc: address@hidden
Subject: Re: [Qemu-devel] pci_change_irq_level is broken...

On 09/20/2011 12:19 PM, Alan Amaral wrote:
> QEMU emulator version 0.14.50, Copyright (c) 2003-2008 Fabrice Bellard
> You are correct, it's not hardcoded to 4.  However, when it's allocated the number of elements IS 4.  Also,
> there's a comment just above pci_set_irq which says:
> /* 0 <= irq_num <= 3. level must be 0 or 1 */
> static void pci_set_irq(void *opaque, int irq_num, int level)
> so, that implies to me that it's probably always 4...

The first use I examined was apb_pci.c:

    d->bus = pci_register_bus(&d->busdev.qdev, "pci",
                              pci_apb_set_irq, pci_pbm_map_irq, d,
                              0, 32);

where the last argument indicates that we allocate 32 irqs, 
and the pci_pbm_map_irq function returns a value in the set
{ 0, 1, 2, 3, 16, 17, 18, 19 }.
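The index problem discussed in this thread, as an added C example that is not QEMU's code: a small model of the per-bus IRQ counters with a bounds check in the level-change path, so that a map_irq result at or beyond nirq is rejected instead of being used as an array index. Everything here is a constructed stand-in (the PCIBus struct, bus_new, set_irq, and both map_irq functions; none of them is xen_pci_slot_get_pirq or pci_pbm_map_irq). The first mapping is shaped so that a device in slot 4 yields line 4 on a 4-line bus, the index seen in the backtrace above; the second returns values from {0, 1, 2, 3, 16, 17, 18, 19} on a 32-line bus, matching the apb description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of a PCI bus's IRQ bookkeeping. Constructed for
 * illustration only; not QEMU's own structures or functions. */
typedef int (*pci_map_irq_fn)(int devfn, int irq_num);

typedef struct {
    int nirq;                /* number of bus interrupt lines */
    int *irq_count;          /* one counter per line, nirq entries */
    pci_map_irq_fn map_irq;  /* device pin -> bus line */
} PCIBus;

/* Hypothetical stand-in for pci_register_bus(): allocates nirq counters. */
static PCIBus *bus_new(int nirq, pci_map_irq_fn map_irq)
{
    PCIBus *b = calloc(1, sizeof *b);
    b->nirq = nirq;
    b->irq_count = calloc((size_t)nirq, sizeof *b->irq_count);
    b->map_irq = map_irq;
    return b;
}

static void bus_free(PCIBus *b)
{
    free(b->irq_count);
    free(b);
}

/* Checked equivalent of "bus->irq_count[irq_num] += change;".
 * Refuses any irq_num outside [0, nirq); the unchecked form would
 * write past the end of irq_count when map_irq returns nirq or more.
 * Returns 0 on success, -1 when the index is out of range. */
static int change_irq_level_checked(PCIBus *bus, int irq_num, int change)
{
    if (irq_num < 0 || irq_num >= bus->nirq)
        return -1;
    bus->irq_count[irq_num] += change;
    return 0;
}

/* Constructed mapping for the 4-line case: slot number is added to the
 * pin, so a device in slot 4 (devfn 0x20) maps pin 0 to line 4, which
 * is one past the last valid index of a 4-entry irq_count. */
static int map_irq_slot_rotate(int devfn, int irq_num)
{
    int slot = devfn >> 3;
    return irq_num + slot;
}

/* Constructed mapping modelled on the apb description: odd slots use
 * lines 16..19, even slots lines 0..3, on a bus registered with 32. */
static int map_irq_apb_like(int devfn, int irq_num)
{
    int slot = devfn >> 3;
    return ((slot & 1) ? 16 : 0) + (irq_num & 3);
}

/* Full set_irq path: map the pin, then change the line's level.
 * Returns the mapped line on success, or -1 if it was rejected. */
static int set_irq(PCIBus *bus, int devfn, int pin, int level)
{
    int line = bus->map_irq(devfn, pin);
    if (change_irq_level_checked(bus, line, level ? 1 : -1) < 0)
        return -1;
    return line;
}

/* Scenario 1: 4-line bus, slot-4 device asserts pin 0 -> line 4, rejected. */
static int scenario_four_line_bus(void)
{
    PCIBus *b = bus_new(4, map_irq_slot_rotate);
    int r = set_irq(b, 0x20, 0, 1);
    bus_free(b);
    return r;
}

/* Scenario 2: 32-line apb-like bus, slot 1 pin 2 -> line 18, counted once. */
static int scenario_apb_like(void)
{
    PCIBus *b = bus_new(32, map_irq_apb_like);
    int r = set_irq(b, 0x08, 2, 1);
    int cnt = (r >= 0) ? b->irq_count[r] : -1;
    bus_free(b);
    return (r == 18 && cnt == 1) ? 18 : -1;
}

int main(void)
{
    printf("4-line bus, slot 4 pin 0: %d (expect -1, rejected)\n",
           scenario_four_line_bus());
    printf("32-line apb-like bus, slot 1 pin 2: %d (expect 18)\n",
           scenario_apb_like());
    return 0;
}
```

The check sits in the level-change function rather than in each map_irq callback because that is the one place every path funnels through; a wrong mapping is then reported instead of corrupting whatever follows irq_count in memory.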
