From: Aurelien Jarno <aurelien@aurel32.net>
To: Max Filippov <jcmvbkbc@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
qemu-devel <qemu-devel@nongnu.org>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
Date: Mon, 29 Jul 2013 01:01:30 +0200 [thread overview]
Message-ID: <20130728230130.GC15063@ohm.aurel32.net> (raw)
In-Reply-To: <CAMo8BfL2KkMZ9+tsrAqgnyzX8M22UbqMHuzjst6J1ZTg_3WZNw@mail.gmail.com>
On Thu, Jul 11, 2013 at 08:01:19AM +0400, Max Filippov wrote:
> On Thu, Jul 11, 2013 at 6:35 AM, Max Filippov <jcmvbkbc@gmail.com> wrote:
> > Hi Peter,
> >
> > I suddenly found qemu built with debug enabled aborting with an assertion on one of the xtensa tests:
> >
> > qemu-system-xtensa -M sim -cpu dc232b -nographic -semihosting -kernel ./test_sr.tst
> > QEMU 1.4.50 monitor - type 'help' for more information
> > (qemu) QEMU 1.4.50 monitor - type 'help' for more information
> > (qemu) qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
>
> Déjà vu:
>
> commit e5138db510efb61523be92c225d8c65eb985fff0
> Author: Aurelien Jarno <aurelien@aurel32.net>
> Date: Sat Nov 24 11:53:55 2012 +0100
>
> tcg: mark local temps as MEM in dead_temp()
>
> In dead_temp, local temps should always be marked as back to memory,
> even if they have not been allocated (i.e. they are discarded before
> crossing a basic block).
>
> It fixes the following assertion in target-xtensa:
>
> qemu-system-xtensa: tcg/tcg.c:1665: temp_save: Assertion
> `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
> Aborted
>
> > This happens in the mainline as well, bisection points to the following commit:
> >
> > commit 378df4b23753a11be650af7664ca76bc75cb9f01
> > Author: Peter Maydell <peter.maydell@linaro.org>
> > Date: Fri Feb 22 18:10:03 2013 +0000
> >
> > Handle CPU interrupts by inline checking of a flag
> >
> >
> > I have the following traces when it happens, any idea of what could go wrong?
> >
> > OP:
> > ld_i32 loc0,env,$0xffffffffffffffc8
> > movi_i32 tmp1,$0x0
> > brcond_i32 loc0,tmp1,ne,$0x0
> > ---- 0xd0000fde
> >
> > ---- 0xd0000fe0
> > movi_i32 tmp1,$0xd0000fe0
> > movi_i32 tmp2,$0x1
> > movi_i32 tmp3,$0x2
> > movi_i64 tmp4,$advance_ccount
> > call tmp4,$0x0,$0,env,tmp3
> > movi_i64 tmp4,$window_check
> > call tmp4,$0x0,$0,env,tmp1,tmp2
> > movi_i32 ar4,$0x0
> >
> > ---- 0xd0000fe2
> > movi_i32 tmp1,$0xd00003f0
> > qemu_ld32 ar2,tmp1,$0x0
> >
> > ---- 0xd0000fe5
> > movi_i32 tmp1,$0xd0000470
> > qemu_ld32 ar3,tmp1,$0x0
> >
> > ---- 0xd0000fe8
> > mov_i32 tmp1,ar2
> > qemu_st32 ar3,tmp1,$0x0
> >
> > ---- 0xd0000fea
> > movi_i32 tmp1,$0xd0000fea
> > movi_i32 tmp2,$0x0
> > movi_i32 tmp3,$0x4
> > movi_i64 tmp4,$advance_ccount
> > call tmp4,$0x0,$0,env,tmp3
> > movi_i64 tmp4,$exception_cause
> > call tmp4,$0x0,$0,env,tmp1,tmp2
> > mov_i32 env,ar4
I think it might be a bug in the current TCG code not handling the case
of writing to a fixed-register TCG temp, as it is quite an uncommon case.
I will try to look at the code, but it would be easier if you could
provide a way to reproduce the issue.

On the other hand, is it correct to override the value of the env
pointer with a value from a CPU register? This doesn't smell good and
looks like it can be a security issue.
> > set_label $0x0
> > exit_tb $0x7fffed6373b3
> >
> > qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
> >
> > Program received signal SIGABRT, Aborted.
> > [Switching to Thread 0x7fffed633700 (LWP 29011)]
> > 0x00007ffff545bc55 in raise () from /lib64/libc.so.6
> > ...
> > (gdb) bt
> > #0 temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at tcg/tcg.c:1673
> > #1 0x0000555555730fd6 in save_globals (s=0x55555624a2a0 <tcg_ctx>, allocated_regs=16400) at tcg/tcg.c:1688
> > #2 0x00005555557311b9 in tcg_reg_alloc_bb_end (s=0x55555624a2a0 <tcg_ctx>, allocated_regs=16400) at tcg/tcg.c:1731
> > #3 0x0000555555732e5d in tcg_gen_code_common (s=0x55555624a2a0 <tcg_ctx>, gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200", search_pc=-1) at tcg/tcg.c:2300
> > #4 0x0000555555733029 in tcg_gen_code (s=0x55555624a2a0 <tcg_ctx>, gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200") at tcg/tcg.c:2356
> > #5 0x0000555555733d3d in cpu_xtensa_gen_code (env=0x5555562b43c0, tb=0x7fffed6373b0, gen_code_size_ptr=0x7fffed632a70) at translate-all.c:175
> > #6 0x00005555557351cf in tb_gen_code (env=0x5555562b43c0, pc=3489664990, cs_base=0, flags=0, cflags=0) at translate-all.c:958
> > #7 0x00005555556c8216 in tb_find_slow (env=0x5555562b43c0, pc=3489664990, cs_base=0, flags=0) at cpu-exec.c:141
> > #8 0x00005555556c839d in tb_find_fast (env=0x5555562b43c0) at cpu-exec.c:168
> > #9 0x00005555556c8722 in cpu_xtensa_exec (env=0x5555562b43c0) at cpu-exec.c:583
> > #10 0x00005555556cb719 in tcg_cpu_exec (env=0x5555562b43c0) at cpus.c:1117
> > #11 0x00005555556cb850 in tcg_exec_all () at cpus.c:1150
> > #12 0x00005555556cab40 in qemu_tcg_cpu_thread_fn (arg=0x5555562b42b0) at cpus.c:843
> > #13 0x00007ffff64d0d15 in start_thread () from /lib64/libpthread.so.0
> > #14 0x00007ffff551853d in clone () from /lib64/libc.so.6
> > (gdb) f 4
> > #4 0x0000555555730f85 in temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at tcg/tcg.c:1673
> > 1673 assert(s->temps[temp].val_type == TEMP_VAL_MEM || s->temps[temp].fixed_reg);
> > (gdb) p s->temps[temp]
> > $2 = {
> > base_type = TCG_TYPE_I32,
> > type = TCG_TYPE_I32,
> > val_type = 1,
> > reg = 5,
> > val = 0,
> > mem_reg = 14,
> > mem_offset = 24,
> > fixed_reg = 0,
> > mem_coherent = 1,
> > mem_allocated = 1,
> > temp_local = 0,
> > temp_allocated = 0,
> > next_free_temp = 0,
> > name = 0x5555557826e0 "ar4"
> > }
> >
> > --
> > Thanks.
> > -- Max
>
>
>
> --
> Thanks.
> -- Max
>
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
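As an added illustration (not QEMU code, and not written by anyone in this thread), the following C model restates the two technical points of the reply above: the precondition that temp_save asserts at a basic-block end, reconstructed from the temp dumped at tcg/tcg.c:1673 (ar4 still in a host register, not fixed), together with the sync the allocator owes before that assertion, and a frontend-side guard that refuses to emit a move whose destination is a fixed-register global such as env. The TEMP_VAL_* numbering (only TEMP_VAL_MEM == 2 is implied by the assertion text), the field set, and the register numbers are assumptions modeled on the gdb output; the guard is a hypothetical check, not something TCG itself provides.

```c
/* Added model (not QEMU's code) of the TCG temp state and checks discussed
 * in the thread. Field names follow the gdb dump; everything else is assumed. */
#include <stdbool.h>
#include <stddef.h>

/* Assumed numbering; TEMP_VAL_MEM == 2 is implied by the assertion text. */
enum { TEMP_VAL_DEAD = 0, TEMP_VAL_REG = 1, TEMP_VAL_MEM = 2, TEMP_VAL_CONST = 3 };

typedef struct {
    const char *name;
    int val_type;      /* TEMP_VAL_* */
    int reg;           /* host register holding the value when val_type == TEMP_VAL_REG */
    bool fixed_reg;    /* lives permanently in `reg` (the env pointer); never spilled */
    bool mem_coherent; /* the memory slot holds the current value */
} Temp;

/* The condition temp_save() asserts in the backtrace. */
bool temp_save_precondition(const Temp *t)
{
    return t->val_type == TEMP_VAL_MEM || t->fixed_reg;
}

/* Model of the sync the allocator owes before a basic block ends: every
 * non-fixed global still in a host register is written back (a real backend
 * emits the store here) and demoted to its memory slot. Returns the number
 * of temps demoted. */
int sync_globals_for_bb_end(Temp *temps, size_t n)
{
    int demoted = 0;
    for (size_t i = 0; i < n; i++) {
        Temp *t = &temps[i];
        if (t->fixed_reg || t->val_type != TEMP_VAL_REG)
            continue;
        t->mem_coherent = true;
        t->val_type = TEMP_VAL_MEM;
        t->reg = -1;
        demoted++;
    }
    return demoted;
}

/* Hypothetical frontend-side guard for the second point in the reply: a move
 * whose destination is a fixed-register global (env) is refused, because the
 * source is guest-controlled data and env is a host pointer. Returns 0 when
 * the move is emitted, -1 when it is rejected. */
int gen_mov_i32_checked(Temp *temps, size_t n, size_t dst, size_t src)
{
    if (dst >= n || src >= n)
        return -1;
    if (temps[dst].fixed_reg)
        return -1;                 /* rejects `mov_i32 env,ar4` */
    temps[dst].val_type = TEMP_VAL_REG;
    temps[dst].mem_coherent = false;
    return 0;
}

/* Rebuild the two temps from the dump (assumed: env fixed in host register 14,
 * the mem_reg of the dump; ar4 left in host register 5 with a coherent copy). */
static void build_dump_state(Temp out[2])
{
    Temp env = { "env", TEMP_VAL_REG, 14, true,  true };
    Temp ar4 = { "ar4", TEMP_VAL_REG, 5,  false, true };
    out[0] = env;
    out[1] = ar4;
}

/* 1 if ar4 as dumped violates the precondition, env (fixed) satisfies it,
 * and the sync repairs ar4 while leaving env alone; 0 otherwise. */
int demo_bb_end_sync(void)
{
    Temp t[2];
    build_dump_state(t);
    if (temp_save_precondition(&t[1]))      return 0; /* val_type == REG, not fixed */
    if (!temp_save_precondition(&t[0]))     return 0; /* env is fixed */
    if (sync_globals_for_bb_end(t, 2) != 1) return 0; /* only ar4 is demoted */
    return temp_save_precondition(&t[1]) && temp_save_precondition(&t[0]);
}

/* 1 if `mov env, ar4` is refused while `mov ar4, env` is accepted. */
int demo_env_write_guard(void)
{
    Temp t[2];
    build_dump_state(t);
    int env_write = gen_mov_i32_checked(t, 2, 0, 1);
    int ar4_write = gen_mov_i32_checked(t, 2, 1, 0);
    return env_write == -1 && ar4_write == 0;
}
```

The two demo functions correspond to the two halves of the reply: the first reproduces the assertion failure from the dumped state and shows what a correct block-end sync has to leave behind, the second shows the check a frontend would need so that a guest register value can never become the host-side env pointer.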
Thread overview (4+ messages):
2013-07-11 2:35 [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed Max Filippov
2013-07-11 4:01 ` Max Filippov
2013-07-28 23:01 ` Aurelien Jarno [this message]
2013-07-28 23:14 ` Max Filippov