From: Stefan Weil <weil@mail.berlios.de>
To: QEMU Developers <qemu-devel@nongnu.org>
Subject: [Qemu-devel] [Bug] MIPS code fails at branch instruction
Date: Sat, 17 Mar 2007 00:12:28 +0100
Message-ID: <45FB245C.2010900@mail.berlios.de>
[-- Attachment #1: Type: text/plain, Size: 825 bytes --]
Hi,
QEMU MIPS emulation fails with code using "illegal" commands
in the delay slot of a branch.
I had an endless loop with QEMU running the firmware of a
MIPS-based router.
MIPS says: branches, jumps, ... instructions should not be
placed in the delay slot of a branch or jump.
Nevertheless, some routers use this kind of code.
I wrote a test program to examine the difference between emulation
and a real MIPS CPU (see appendices).
Results are given below for real hardware, normal emulation and
emulation using single stepping.
Stefan
Compile branch test like this:
mipsel-linux-gcc -Os -g btest.c btest2.S
AR7 (MIPS 4KEc) router:
# ./a.out
0
1100
1000
qemu-system-mipsel (unmodified):
# ./a.out
0
# (program hangs)
qemu-system-mipsel (single stepping / MIPS_SINGLE_STEP in translate.c):
# ./a.out
0
1221
1221
[-- Attachment #2: btest.c --]
[-- Type: text/x-csrc, Size: 746 bytes --]
/*
Compile branch test like this:
mipsel-linux-gcc -Os -g btest.c btest2.S

Original code failing with emulation:
218: 8d090000 lw t1,0(t0)
21c: 31290001 andi t1,t1,0x1
220: 1120fffd beqz t1,0x218
224: 03e00008 jr ra
228: 3c088000 lui t0,0x8000
22c: 3c093c1a lui t1,0x3c1a

AR7 router:
# ./a.out
0
1100
1000

qemu-system-mipsel (unmodified):
# ./a.out
0
# (program hangs)

qemu-system-mipsel (single stepping / MIPS_SINGLE_STEP in translate.c):
# ./a.out
0
1221
1221
*/
#include <stdio.h>

/* Both routines live in btest2.S; each places a "jr ra" in the delay
   slot of a conditional branch.  test1 uses a branch that is NOT taken
   for argument 0, test2 one that IS taken. */
extern int test1(int i);
extern int test2(int i);

int main(void)
{
	int i = 0;
	printf("%d\n", i);	/* sanity check: plain printf works */
	i = test1(0);
	printf("%d\n", i);	/* real AR7 hardware prints 1100 */
	i = test2(0);
	printf("%d\n", i);	/* real AR7 hardware prints 1000 */
	return 0;
}
[-- Attachment #3: btest2.S --]
[-- Type: text/plain, Size: 1141 bytes --]
#if 0
Original code failing with emulation (firmware disassembly):
218: 8d090000 lw t1,0(t0)
21c: 31290001 andi t1,t1,0x1
220: 1120fffd beqz t1,0x218
224: 03e00008 jr ra
228: 3c088000 lui t0,0x8000
22c: 3c093c1a lui t1,0x3c1a
230: 35299400 ori t1,t1,0x9400
234: ad090000 sw t1,0(t0)
238: 3c09275a lui t1,0x275a
23c: ad090004 sw t1,4(t0)
#endif

#include <asm/asm.h>
#include <asm/regdef.h>

	.text
	.set	noreorder	/* keep our instruction order; delay slots are filled by hand */
	.set	mips32r2

/* int test1(int a0): for a0 == 0 the bnez is NOT taken and the "jr ra"
 * in its delay slot executes.  The AR7 (MIPS 4KEc) returns 1100. */
LEAF(test1)
	move	v0,a0
	addiu	v0,v0,1000
	bnez	a0,$L1
	jr	ra		/* delay slot of bnez: a jump (not allowed by MIPS) */
	addiu	v0,v0,100	/* delay slot of jr */
$L1:
	beqz	a0,$L2
	jr	ra		/* delay slot of beqz: a jump (not allowed by MIPS) */
	addiu	v0,v0,10	/* delay slot of jr */
$L2:
	addiu	v0,v0,1
	jr	ra
	nop			/* delay slot of jr */
END(test1)

/* int test2(int a0): for a0 == 0 the beqz IS taken while the "jr ra"
 * in its delay slot also executes.  The AR7 (MIPS 4KEc) returns 1000. */
LEAF(test2)
	move	v0,a0
	addiu	v0,v0,1000
	beqz	a0,$L3
	jr	ra		/* delay slot of beqz: a jump (not allowed by MIPS) */
	addiu	v0,v0,100	/* delay slot of jr */
$L3:
	bnez	a0,$L4
	jr	ra		/* delay slot of bnez: a jump (not allowed by MIPS) */
	addiu	v0,v0,10	/* delay slot of jr */
$L4:
	addiu	v0,v0,1
	jr	ra
	nop			/* delay slot of jr */
END(test2)
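Added example (not part of Stefan Weil's post, the attachments, or the QEMU sources): a Python script that does two things a practitioner wants when firmware runs on the board but hangs in an emulator. First, a static check over an assembly listing that flags a branch or jump placed in the delay slot of another branch or jump, the construct the post describes. Second, a tiny interpreter for the mnemonics used in btest2.S whose delay-slot handling reproduces the numbers reported above for the AR7 board (test1(0) == 1100, test2(0) == 1000). The rule the interpreter encodes, that a taken branch or jump takes effect after the instruction fetched next even when that instruction was itself reached through another taken branch, is an assumption chosen to match the reported output, not a statement about the 4KEc pipeline. The listings embedded below are copies of the two LEAF bodies; the function names and the `CONTROL_TRANSFER` set are this example's own.

```python
"""Delay-slot lint and reference interpreter for the btest2.S routines.

Assumption (not documented behaviour): a taken branch/jump replaces the
pending target, so its delay slot is whatever instruction is fetched next.
This reproduces the AR7 results quoted in the post: 1100 and 1000.
"""

# Mnemonics that transfer control and therefore own a delay slot.
CONTROL_TRANSFER = {"bnez", "beqz", "jr", "j", "b", "jal", "jalr"}

# Constructed copies of the LEAF bodies from btest2.S (directives omitted).
TEST1 = """
move v0,a0
addiu v0,v0,1000
bnez a0,$L1
jr ra
addiu v0,v0,100
$L1:
beqz a0,$L2
jr ra
addiu v0,v0,10
$L2:
addiu v0,v0,1
jr ra
nop
"""

TEST2 = """
move v0,a0
addiu v0,v0,1000
beqz a0,$L3
jr ra
addiu v0,v0,100
$L3:
bnez a0,$L4
jr ra
addiu v0,v0,10
$L4:
addiu v0,v0,1
jr ra
nop
"""


def parse(listing):
    """Return (instructions, labels): a list of (mnemonic, operands) plus a
    map from label name to the index of the instruction that follows it."""
    instructions, labels = [], {}
    for raw in listing.splitlines():
        line = raw.split("#")[0].strip()       # drop '#' comments
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(instructions)
            continue
        parts = line.split(None, 1)
        operands = [op.strip() for op in parts[1].split(",")] if len(parts) > 1 else []
        instructions.append((parts[0], operands))
    return instructions, labels


def find_delay_slot_violations(listing):
    """Indices of control transfers that directly follow another control
    transfer in fetch order, i.e. that sit in its delay slot."""
    instructions, _ = parse(listing)
    return [
        i for i in range(1, len(instructions))
        if instructions[i][0] in CONTROL_TRANSFER
        and instructions[i - 1][0] in CONTROL_TRANSFER
    ]


def run(listing, a0, max_steps=1000):
    """Execute a LEAF body with argument a0 and return v0.

    `pending` is the target of the most recent taken branch/jump; it becomes
    the program counter after the instruction in the delay slot executes.
    Returning through ra (modelled as pc None) ends the run."""
    instructions, labels = parse(listing)
    regs = {"a0": a0, "v0": 0, "ra": None}
    pc, pending = 0, "UNSET"
    for _ in range(max_steps):
        if pc is None:
            return regs["v0"]
        mnemonic, ops = instructions[pc]
        nxt = pc + 1 if pending == "UNSET" else pending   # where to go after this one
        pending = "UNSET"
        if mnemonic == "move":
            regs[ops[0]] = regs[ops[1]]
        elif mnemonic == "addiu":
            regs[ops[0]] = (regs[ops[1]] + int(ops[2])) & 0xFFFFFFFF
        elif mnemonic == "bnez":
            if regs[ops[0]] != 0:
                pending = labels[ops[1]]
        elif mnemonic == "beqz":
            if regs[ops[0]] == 0:
                pending = labels[ops[1]]
        elif mnemonic == "jr":
            pending = regs[ops[0]]
        elif mnemonic != "nop":
            raise ValueError("unsupported mnemonic: " + mnemonic)
        pc = nxt
    raise RuntimeError("no return within max_steps: emulation would hang")


if __name__ == "__main__":
    for name, body in (("test1", TEST1), ("test2", TEST2)):
        print(name, "violations at", find_delay_slot_violations(body),
              "result", run(body, 0))
```

Running the script lists the two `jr ra` instructions in each routine as delay-slot violations and prints 1100 and 1000, the values the AR7 produced. The `max_steps` guard turns an emulator-style endless loop into an exception, which is the symptom the post reports for the unmodified qemu-system-mipsel.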