
Re: [Qemu-devel] [PATCH v2 13/22] target/openrisc: Fix cpu_mmu_index


From: Stafford Horne
Subject: Re: [Qemu-devel] [PATCH v2 13/22] target/openrisc: Fix cpu_mmu_index
Date: Wed, 27 Jun 2018 21:59:53 +0900
User-agent: Mutt/1.9.5 (2018-04-13)

On Tue, Jun 26, 2018 at 03:26:01PM -0700, Richard Henderson wrote:
> On 06/26/2018 03:07 PM, Stafford Horne wrote:
> > Hello,
> > 
> > I think I found out something.
> > 
> > in: target/openrisc/sys_helper.c:92
> > 
> > When we write to `env->tlb.dtlb[idx].tr`  in helper_mtspr():
> >   93          case TO_SPR(1, 640) ... TO_SPR(1, 640 + TLB_SIZE - 1): /* DTLBW0TR 0-127 */
> >   94              idx = spr - TO_SPR(1, 640);
> >   95              env->tlb.dtlb[idx].tr = rb;
> > 
> > 
> > Somehow we are overlapping with `cpu->tb_jmp_cache`; these are both
> > pointing to the same spot in memory.
> > 
> > (gdb) p &cs->tb_jmp_cache[3014]
> > $9 = (struct TranslationBlock **) 0x55555608b300
> > (gdb) p &env->tlb.dtlb[idx].tr
> > $10 = (uint32_t *) 0x55555608b304
> 
> That is definitely weird.  How about
> 
> (gdb) p openrisc_env_get_cpu(env)
> $1 = xxxx
> (gdb) p &$1->parent_obj
> (gdb) p &$1->env
> (gdb) p cs->env_ptr
> 
> There should be 4096 entries in tb_jmp_cache, so there should
> be no way that overlaps.  I can only imagine either CS or ENV
> is incorrect somehow.  How that would be, I don't know...

Nothing looks strange there... but this does... :)

(gdb) p &cs->tb_jmp_cache[3014]
$56 = (struct TranslationBlock **) 0x55555606c570
(gdb) p &env->tlb.dtlb[idx].tr
$57 = (uint32_t *) 0x55555606c574
(gdb) p &env->tlb.dtlb[idx].mr
$58 = (uint32_t *) 0x55555606c570
(gdb) p idx
$59 = -1502

The index is negative... this patch should fix that.

@@ -78,6 +78,7 @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr,
target_ulong rb)
     case TO_SPR(0, 1024) ... TO_SPR(0, 1024 + (16 * 32)): /* Shadow GPRs */
         idx = (spr - 1024);
         env->shadow_gpr[idx / 32][idx % 32] = rb;
+        break;
 
     case TO_SPR(1, 512) ... TO_SPR(1, 512 + TLB_SIZE - 1): /* DTLBW0MR 0-127 */
         idx = spr - TO_SPR(1, 512);
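Review bot: the added `break;` is the right fix, and the gdb output above shows why it was needed: without it the shadow-GPR arm fell straight into the `TO_SPR(1, 512)` arm, where `idx = spr - TO_SPR(1, 512)` is negative for any shadow-GPR spr (the `-1502` printed above) and the `env->tlb.dtlb[idx]` store that follows lands before the start of the array, which is how `&env->tlb.dtlb[idx].mr` ended up equal to `&cs->tb_jmp_cache[3014]`. One more point on the same arm: GCC case ranges are inclusive, so `TO_SPR(0, 1024) ... TO_SPR(0, 1024 + (16 * 32))` also admits `idx == 512`, i.e. `shadow_gpr[16][0]`; unless shadow_gpr has 17 rows, the upper bound should be `1024 + (16 * 32) - 1`, matching the `TLB_SIZE - 1` form the TLB arms just below already use.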

-Stafford
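The following is an added, self-contained C model of the two switch arms discussed in this thread; it is not QEMU's code. The struct layout, `TLB_SIZE`, the `TO_SPR` encoding and the `NOT_REACHED` sentinel are assumptions made for the demonstration. It reproduces the pre-patch control flow (shadow-GPR arm falling through into the DTLBW0MR arm) beside the patched flow, reports the index the TLB arm would have used, and, unlike the original, bounds-checks the TLB store so the negative index can be observed without corrupting memory. The shadow-GPR case range is written with an explicit `- 1` upper bound, since case ranges are inclusive.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the parts of CPUOpenRISCState that matter here.
 * Sizes and the TO_SPR encoding are assumptions, not QEMU's headers. */
#define TLB_SIZE 128
#define TO_SPR(group, number) (((group) << 11) + (number))
#define NOT_REACHED INT_MIN   /* sentinel: the DTLBW0MR arm was never entered */

typedef struct {
    uint32_t mr;
    uint32_t tr;
} OpenRISCTLBEntry;

typedef struct {
    uint32_t shadow_gpr[16][32];
    struct {
        OpenRISCTLBEntry dtlb[TLB_SIZE];
    } tlb;
} CpuState;

/*
 * Model of the two arms from helper_mtspr(). with_break == 0 is the pre-patch
 * flow (shadow-GPR arm falls through into the DTLBW0MR arm); with_break == 1
 * is the patched flow. Returns the index the DTLBW0MR arm computed, or
 * NOT_REACHED if that arm was not entered. The TLB store is bounds-checked so
 * the model never writes outside env->tlb.dtlb.
 */
static int mtspr_model(CpuState *env, uint32_t spr, uint32_t rb, int with_break)
{
    int idx;
    int dtlb_idx = NOT_REACHED;

    switch (spr) {
    case TO_SPR(0, 1024) ... TO_SPR(0, 1024 + (16 * 32) - 1): /* Shadow GPRs */
        idx = (int)spr - TO_SPR(0, 1024);
        env->shadow_gpr[idx / 32][idx % 32] = rb;
        if (with_break) {
            break;
        }
        /* fall through: the missing break that the patch adds */
    case TO_SPR(1, 512) ... TO_SPR(1, 512 + TLB_SIZE - 1): /* DTLBW0MR 0-127 */
        idx = (int)spr - TO_SPR(1, 512);
        dtlb_idx = idx;
        if (idx < 0 || idx >= TLB_SIZE) {
            /* A shadow-GPR spr arriving here gives a negative idx; the
             * original code would store before the start of env->tlb.dtlb. */
            break;
        }
        env->tlb.dtlb[idx].mr = rb;
        break;
    default:
        break;
    }
    return dtlb_idx;
}

/* Index the DTLBW0MR arm uses for spr under the pre-patch (fall-through) flow. */
int fallthrough_dtlb_index(uint32_t spr)
{
    CpuState env;
    memset(&env, 0, sizeof env);
    return mtspr_model(&env, spr, 0, 0);
}

/* Same query under the patched flow. */
int fixed_dtlb_index(uint32_t spr)
{
    CpuState env;
    memset(&env, 0, sizeof env);
    return mtspr_model(&env, spr, 0, 1);
}

/* Shadow-GPR value left behind by a write of rb to a shadow-GPR spr. */
uint32_t shadow_value_after_write(uint32_t spr, uint32_t rb, int with_break)
{
    CpuState env;
    int idx = (int)spr - TO_SPR(0, 1024);
    memset(&env, 0, sizeof env);
    mtspr_model(&env, spr, rb, with_break);
    return env.shadow_gpr[idx / 32][idx % 32];
}

/* DTLB match register left behind by a write of rb to a DTLBW0MR spr. */
uint32_t dtlb_mr_after_write(uint32_t spr, uint32_t rb)
{
    CpuState env;
    int idx;
    memset(&env, 0, sizeof env);
    idx = mtspr_model(&env, spr, rb, 1);
    return env.tlb.dtlb[idx].mr;
}

int main(void)
{
    /* spr 1058 is shadow GPR [1][2]; before the patch it also reaches the TLB arm. */
    printf("pre-patch dtlb idx for spr 1058: %d\n", fallthrough_dtlb_index(1058));
    printf("patched   dtlb idx for spr 1058: %s\n",
           fixed_dtlb_index(1058) == NOT_REACHED ? "arm not entered" : "entered");
    return 0;
}
```

With the modelled encoding, a shadow-GPR write to spr 1058 reproduces the `-1502` seen in the gdb session under the pre-patch flow, while the patched flow never reaches the TLB arm; a genuine DTLBW0MR write still lands on the expected entry. The bounds guard in the TLB arm is the defensive check a reviewer would want in the real helper as well, since it turns an out-of-bounds store into an ignored write.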


