From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1Ljp5s-00024w-CR for qemu-devel@nongnu.org; Wed, 18 Mar 2009 02:17:36 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1Ljp5n-00023X-7l for qemu-devel@nongnu.org; Wed, 18 Mar 2009 02:17:35 -0400 Received: from [199.232.76.173] (port=49789 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Ljp5n-00023R-1x for qemu-devel@nongnu.org; Wed, 18 Mar 2009 02:17:31 -0400 Received: from kuber.nabble.com ([216.139.236.158]:40052) by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1Ljp5m-0007Ti-Gw for qemu-devel@nongnu.org; Wed, 18 Mar 2009 02:17:30 -0400 Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1Ljp5i-0004j8-0O for qemu-devel@nongnu.org; Tue, 17 Mar 2009 23:17:26 -0700 Message-ID: <22573338.post@talk.nabble.com> Date: Tue, 17 Mar 2009 23:17:26 -0700 (PDT) From: TeLeMan Subject: [Qemu-devel] MAX_OP_PER_INSTR should be larger MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org MAX_OP_PER_INSTR is 64 now, but the x64 instruction "ROR" will be translated into more than 64 ops. This will cause gen_opc_buf to overflow and tcg_ctx to be overwritten. 
qemu.log: IN: 0x00000000004463d3: and %ecx,%ebx 0x00000000004463d5: add %edi,%esi 0x00000000004463d7: mov %esi,-0x14(%ebp) 0x00000000004463da: mov %ecx,%esi 0x00000000004463dc: ror $0x19,%esi 0x00000000004463df: mov %ecx,%edi 0x00000000004463e1: ror $0xb,%edi 0x00000000004463e4: xor %edi,%esi 0x00000000004463e6: mov %ecx,%edi 0x00000000004463e8: ror $0x6,%edi 0x00000000004463eb: xor %edi,%esi 0x00000000004463ed: mov %ecx,%edi 0x00000000004463ef: not %edi 0x00000000004463f1: and -0x28(%ebp),%edi 0x00000000004463f4: xor %ebx,%edi 0x00000000004463f6: add %edi,%esi 0x00000000004463f8: add 0x501280(,%eax,4),%esi 0x00000000004463ff: mov -0x14(%ebp),%edi 0x0000000000446402: add -0x70(%ebp,%eax,4),%esi OP: ---- 0x4463d3 ld_i32 tmp2,env,$0x8 ld_i32 tmp3,env,$0xc ld_i32 tmp0,env,$0x18 ld_i32 tmp1,env,$0x1c and_i32 tmp0,tmp0,tmp2 and_i32 tmp1,tmp1,tmp3 st_i32 tmp0,env,$0x18 movi_i32 tmp8,$0x0 movi_i32 tmp9,$0x0 st_i32 tmp8,env,$0x1c discard cc_src_0 discard cc_src_1 mov_i32 cc_dst_0,tmp0 mov_i32 cc_dst_1,tmp1 ---- 0x4463d5 ld_i32 tmp2,env,$0x38 ld_i32 tmp3,env,$0x3c ld_i32 tmp0,env,$0x30 ld_i32 tmp1,env,$0x34 add2_i32 tmp0,tmp1,tmp0,tmp1,tmp2,tmp3 st_i32 tmp0,env,$0x30 movi_i32 tmp8,$0x0 movi_i32 tmp9,$0x0 st_i32 tmp8,env,$0x34 mov_i32 cc_src_0,tmp2 mov_i32 cc_src_1,tmp3 mov_i32 cc_dst_0,tmp0 mov_i32 cc_dst_1,tmp1 ---- 0x4463d7 ld_i32 tmp4,env,$0x28 movi_i32 tmp5,$0x0 movi_i32 tmp22,$0xffffffec movi_i32 tmp23,$0xffffffff add2_i32 tmp4,tmp5,tmp4,tmp5,tmp22,tmp23 movi_i32 tmp5,$0x0 ld_i32 tmp0,env,$0x30 ld_i32 tmp1,env,$0x34 qemu_st32 tmp0,tmp4,tmp5,$0x0 ---- 0x4463da ld_i32 tmp0,env,$0x8 ld_i32 tmp1,env,$0xc st_i32 tmp0,env,$0x30 movi_i32 tmp8,$0x0 movi_i32 tmp9,$0x0 st_i32 tmp8,env,$0x34 ---- 0x4463dc movi_i32 tmp2,$0x19 movi_i32 tmp3,$0x0 ld_i32 loc24,env,$0x30 ld_i32 loc25,env,$0x34 mov_i32 loc26,tmp2 mov_i32 loc27,tmp3 movi_i32 tmp32,$0x1f and_i32 loc26,loc26,tmp32 movi_i32 loc27,$0x0 movi_i32 tmp22,$0x0 movi_i32 tmp23,$0x0 brcond2_i32 loc26,loc27,tmp22,tmp23,eq,$0x0 
mov_i32 tmp8,loc26 mov_i32 tmp9,loc27 movi_i32 loc25,$0x0 mov_i32 loc28,loc24 mov_i32 loc29,loc25 movi_i32 tmp32,$0x54d17c call tmp32,$0x0,$2,tmp14,tmp15,loc24,loc25,tmp8,tmp9 movi_i32 tmp22,$0x20 movi_i32 tmp23,$0x0 sub2_i32 tmp8,tmp9,tmp22,tmp23,tmp8,tmp9 movi_i32 tmp32,$0x54d160 call tmp32,$0x0,$2,loc24,loc25,loc24,loc25,tmp8,tmp9 or_i32 loc24,loc24,tmp14 or_i32 loc25,loc25,tmp15 set_label $0x0 st_i32 loc24,env,$0x30 movi_i32 tmp8,$0x0 movi_i32 tmp9,$0x0 st_i32 tmp8,env,$0x34 movi_i32 cc_op,$0x8 movi_i32 tmp33,$0x0 movi_i32 tmp34,$0x0 brcond2_i32 loc26,loc27,tmp33,tmp34,eq,$0x1 movi_i32 tmp32,$cc_compute_all call tmp32,$0x10,$1,tmp12,cc_op mov_i32 cc_src_0,tmp12 movi_i32 cc_src_1,$0x0 movi_i32 tmp32,$0xfffff7fe and_i32 cc_src_0,cc_src_0,tmp32 xor_i32 tmp8,loc28,loc24 xor_i32 tmp9,loc29,loc25 movi_i32 tmp36,$0xc shl_i32 tmp32,tmp9,tmp36 movi_i32 tmp36,$0x14 shr_i32 tmp35,tmp9,tmp36 movi_i32 tmp36,$0x14 shr_i32 tmp8,tmp8,tmp36 or_i32 tmp8,tmp8,tmp32 mov_i32 tmp9,tmp35 movi_i32 tmp35,$0x800 and_i32 tmp8,tmp8,tmp35 movi_i32 tmp9,$0x0 or_i32 cc_src_0,cc_src_0,tmp8 or_i32 cc_src_1,cc_src_1,tmp9 movi_i32 tmp36,$0x1 shl_i32 tmp35,loc25,tmp36 movi_i32 tmp36,$0x1f shr_i32 tmp32,loc25,tmp36 movi_i32 tmp36,$0x1f shr_i32 loc24,loc24,tmp36 or_i32 loc24,loc24,tmp35 mov_i32 loc25,tmp32 movi_i32 tmp32,$0x1 and_i32 loc24,loc24,tmp32 movi_i32 loc25,$0x0 or_i32 cc_src_0,cc_src_0,loc24 or_i32 cc_src_1,cc_src_1,loc25 discard cc_dst_0 discard cc_dst_1 movi_i32 cc_op,$0x1 set_label $0x1 ---- 0x4463df ld_i32 tmp0,env,$0x8 ld_i32 tmp1,env,$0xc st_i32 tmp0,env,$0x38 movi_i32 tmp8,$0x0 movi_i32 tmp9,$0x0 st_i32 tmp8,env,$0x3c ---- 0x4463e1 movi_i32 tmp2,$0xb movi_i32 tmp3,$0x0 ld_i32 loc30,env,$0x38 ld_i32 loc31,env,$0x3c mov_i32 loc28,tmp2 mov_i32 loc29,tmp3 movi_i32 tmp32,$0x1f and_i32 loc28,loc28,tmp32 movi_i32 loc29,$0x0 movi_i32 tmp33,$0x0 movi_i32 tmp34,$0x0 brcond2_i32 loc28,loc29,tmp33,tmp34,eq,$0x2 mov_i32 tmp8,loc28 mov_i32 tmp9,loc29 movi_i32 loc31,$0x0 mov_i32 loc26,loc30 
mov_i32 loc27,loc31 movi_i32 tmp32,$0x54d17c call tmp32,$0x0,$2,tmp14,tmp15,loc30,loc31,tmp8,tmp9 movi_i32 tmp33,$0x20 movi_i32 tmp34,$0x0 sub2_i32 tmp8,tmp9,tmp33,tmp34,tmp8,tmp9 movi_i32 tmp32,$0x54d160 call tmp32,$0x0,$2,loc30,loc31,loc30,loc31,tmp8,tmp9 or_i32 loc30,loc30,tmp14 or_i32 loc31,loc31,tmp15 set_label $0x2 st_i32 loc30,env,$0x38 movi_i32 tmp8,$0x0 movi_i32 tmp9,$0x0 st_i32 tmp8,env,$0x3c movi_i32 tmp37,$0x0 movi_i32 tmp38,$0x0 brcond2_i32 loc28,loc29,tmp37,tmp38,eq,$0x3 movi_i32 tmp32,$cc_compute_all call tmp32,$0x10,$1,tmp12,cc_op mov_i32 cc_src_0,tmp12 movi_i32 cc_src_1,$0x0 movi_i32 tmp32,$0xfffff7fe and_i32 cc_src_0,cc_src_0,tmp32 xor_i32 tmp8,loc26,loc30 xor_i32 tmp9,loc27,loc31 movi_i32 tmp36,$0xc shl_i32 tmp32,tmp9,tmp36 movi_i32 tmp36,$0x14 shr_i32 tmp35,tmp9,tmp36 movi_i32 tmp36,$0x14 shr_i32 tmp8,tmp8,tmp36 or_i32 tmp8,tmp8,tmp32 mov_i32 tmp9,tmp35 movi_i32 tmp35,$0x800 and_i32 tmp8,tmp8,tmp35 movi_i32 tmp9,$0x0 or_i32 cc_src_0,cc_src_0,tmp8 or_i32 cc_src_1,cc_src_1,tmp9 movi_i32 tmp36,$0x1 shl_i32 tmp35,loc31,tmp36 movi_i32 tmp36,$0x1f shr_i32 tmp32,loc31,tmp36 movi_i32 tmp36,$0x1f shr_i32 loc30,loc30,tmp36 or_i32 loc30,loc30,tmp35 mov_i32 loc31,tmp32 movi_i32 tmp32,$0x1 and_i32 loc30,loc30,tmp32 movi_i32 loc31,$0x0 or_i32 cc_src_0,cc_src_0,loc30 or_i32 cc_src_1,cc_src_1,loc31 discard cc_dst_0 discard cc_dst_1 movi_i32 cc_op,$0x1 set_label $0x3 -- View this message in context: http://www.nabble.com/MAX_OP_PER_INSTR-should-be-larger-tp22573338p22573338.html Sent from the QEMU - Dev mailing list archive at Nabble.com.