From: Paolo Bonzini <pbonzini@redhat.com>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: Stefan Weil <weil@mail.berlios.de>, qemu-devel <qemu-devel@nongnu.org>
Subject: [Qemu-devel] 64-on-32 TCG broken [was Re: x86_64-softmmu broken on Windows (TCG?)]
Date: Tue, 30 Oct 2012 09:15:55 +0100	[thread overview]
Message-ID: <508F8CBB.8090101@redhat.com> (raw)
In-Reply-To: <20121029182958.GB29866@ohm.aurel32.net>

On 29/10/2012 19:29, Aurelien Jarno wrote:
> On Mon, Oct 29, 2012 at 06:53:14PM +0100, Paolo Bonzini wrote:
>> > Known-good commit: 8473f377393219390ea6f2d8d450a2b054bb823e
>> > Known-bad commit: d262cb02861dd33375c08fc798930653b14769e9
>> > 
>> > i386-softmmu seems to work.  I may try to bisect it tomorrow, but I'd be
>> > glad if somebody else beats me.  It can be reproduced with Wine and
>> > "x86_64-softmmu/qemu-system-x86_64.exe -L ../pc-bios"; it hangs at iPXE.
> Oops, sorry about that. Is it win32 or win64? I'll try to fix it asap,
> but right now I don't have a good network connection enough to either
> setup a mingw build environment or to connect to a remote machine with
> such an environment.

It's win32, and the first bad commit is 9c43b68 (tcg: rework liveness
analysis, 2012-10-09).  But it looks like 64-on-32 emulation is more
generally broken.  I now tried x86_64-linux-user compiled for 32-bit,
and it segfaults on startup.  Even the previous commit cannot run
qemu-x86_64 /bin/ls correctly:

$ git whatis HEAD
ec7a869 (tcg: sync output arguments on liveness request, 2012-10-09)
$ x86_64-linux-user/qemu-x86_64 /bin/ls
inux-user

$ git whatis HEAD
9c43b68 (tcg: rework liveness analysis, 2012-10-09)
$ x86_64-linux-user/qemu-x86_64 /bin/ls
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Errore di segmentazione


Regarding the win32 failure, it's early enough that the TCG logs give
an idea of what is happening.  This *might* be a reduced testcase,
but the general breakage makes it impossible to check:

#include <stdio.h>

/* h is a one-byte data label placed in .text.  f compares it against 0x12
   and leaves the result in EFLAGS across the two pops and the ret; g then
   reads that result with setne.  On native hardware this prints 1 (2 != 0x12);
   a wrong liveness decision on the flags state would change the value. */
asm("\n\
h:\n\
	.byte 2\n\
f:\n\
	push %rax\n\
	push %rdx\n\
	movb h, %al\n\
	cmp $0x12, %al\n\
	pop %rdx\n\
	pop %rax\n\
	ret\n\
g:\n\
	xor %eax, %eax\n\
	call f\n\
	setne %al\n\
	ret\n\
	");

extern int g(void);

int main(void)
{
	printf("%d\n", g());
	return 0;
}


Anyhow, here are the logs (good on the left, differences on the
right).  A write to cc_dst is incorrectly deleted as dead:

IN:                                         (
0x00000000000c83e9:  push   %ax             (
0x00000000000c83ea:  push   %dx             (
0x00000000000c83eb:  mov    $0x9206,%ax     (
0x00000000000c83ee:  mov    $0x3c4,%dx      (
0x00000000000c83f1:  out    %ax,(%dx)       (
0x00000000000c83f2:  inc    %dx             (
0x00000000000c83f3:  in     (%dx),%al       (
0x00000000000c83f4:  cmp    $0x12,%al       (
0x00000000000c83f6:  pop    %dx             (
0x00000000000c83f7:  pop    %ax             (
0x00000000000c83f8:  ret                    (
                                            (
OP:                                         (
 ---- 0xc83e9                               (
 mov_i32 tmp0,rax_0                         (
 mov_i32 tmp1,rax_1                         (
 mov_i32 tmp4,rsp_0                         (
 mov_i32 tmp5,rsp_1                         (
 movi_i32 tmp20,$0xfffffffe                 (
 movi_i32 tmp21,$0xffffffff                 (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp20,tmp21   (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 ext16u_i32 tmp4,tmp4                       (
 movi_i32 tmp5,$0x0                         (
 mov_i32 tmp2,tmp4                          (
 mov_i32 tmp3,tmp5                          (
 ld_i32 tmp8,env,$0xe8                      (
 ld_i32 tmp9,env,$0xec                      (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9     (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 qemu_st16 tmp0,tmp4,tmp5,$0x0              (
 deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10    (
                                            (
 ---- 0xc83ea                               (
 mov_i32 tmp0,rdx_0                         (
 mov_i32 tmp1,rdx_1                         (
 mov_i32 tmp4,rsp_0                         (
 mov_i32 tmp5,rsp_1                         (
 movi_i32 tmp20,$0xfffffffe                 (
 movi_i32 tmp21,$0xffffffff                 (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp20,tmp21   (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 ext16u_i32 tmp4,tmp4                       (
 movi_i32 tmp5,$0x0                         (
 mov_i32 tmp2,tmp4                          (
 mov_i32 tmp3,tmp5                          (
 ld_i32 tmp8,env,$0xe8                      (
 ld_i32 tmp9,env,$0xec                      (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9     (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 qemu_st16 tmp0,tmp4,tmp5,$0x0              (
 deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10    (
                                            (
 ---- 0xc83eb                               (
 movi_i32 tmp0,$0x9206                      (
 movi_i32 tmp1,$0x0                         (
 deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83ee                               (
 movi_i32 tmp0,$0x3c4                       (
 movi_i32 tmp1,$0x0                         (
 deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83f1                               (
 mov_i32 tmp0,rdx_0                         (
 mov_i32 tmp1,rdx_1                         (
 ext16u_i32 tmp0,tmp0                       (
 movi_i32 tmp1,$0x0                         (
 mov_i32 tmp2,rax_0                         (
 mov_i32 tmp3,rax_1                         (
 mov_i32 tmp12,tmp0                         (
 mov_i32 tmp13,tmp2                         (
 movi_i32 tmp22,$outw                       (
 call tmp22,$0x0,$0,tmp12,tmp13             (
                                            (
 ---- 0xc83f2                               (
 mov_i32 tmp0,rdx_0                         (
 mov_i32 tmp1,rdx_1                         (
 movi_i32 tmp20,$0x1                        (
 movi_i32 tmp21,$0x0                        (
 add2_i32 tmp0,tmp1,tmp0,tmp1,tmp20,tmp21   (
 nop                                        (
 deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10    (
 movi_i32 tmp22,$cc_compute_c               (
 call tmp22,$0x10,$1,tmp12,env,cc_op        (
 mov_i32 cc_src_0,tmp12                     (
 movi_i32 cc_src_1,$0x0                     (
 mov_i32 cc_dst_0,tmp0                      (
 mov_i32 cc_dst_1,tmp1                      (
                                            (
 ---- 0xc83f3                               (
 mov_i32 tmp0,rdx_0                         (
 mov_i32 tmp1,rdx_1                         (
 ext16u_i32 tmp0,tmp0                       (
 movi_i32 tmp1,$0x0                         (
 mov_i32 tmp12,tmp0                         (
 movi_i32 tmp22,$inb                        (
 call tmp22,$0x0,$2,tmp2,tmp3,tmp12         (
 deposit_i32 rax_0,rax_0,tmp2,$0x0,$0x8     (
                                            (
 ---- 0xc83f4                               (
 movi_i32 tmp2,$0x12                        (
 movi_i32 tmp3,$0x0                         (
 mov_i32 tmp0,rax_0                         (
 mov_i32 tmp1,rax_1                         (
 mov_i32 cc_src_0,tmp2                      (
 mov_i32 cc_src_1,tmp3                      (
 sub2_i32 cc_dst_0,cc_dst_1,tmp0,tmp1,tmp2  (
 nop                                        (
                                            (
 ---- 0xc83f6                               (
 mov_i32 tmp4,rsp_0                         (
 mov_i32 tmp5,rsp_1                         (
 ext16u_i32 tmp4,tmp4                       (
 movi_i32 tmp5,$0x0                         (
 ld_i32 tmp8,env,$0xe8                      (
 ld_i32 tmp9,env,$0xec                      (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9     (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 qemu_ld16u tmp0,tmp4,tmp5,$0x0             (
 movi_i32 tmp1,$0x0                         (
 movi_i32 tmp20,$0x2                        (
 movi_i32 tmp21,$0x0                        (
 add2_i32 tmp8,tmp9,rsp_0,rsp_1,tmp20,tmp2  (
 nop                                        (
 deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10    (
 deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83f7                               (
 mov_i32 tmp4,rsp_0                         (
 mov_i32 tmp5,rsp_1                         (
 ext16u_i32 tmp4,tmp4                       (
 movi_i32 tmp5,$0x0                         (
 ld_i32 tmp8,env,$0xe8                      (
 ld_i32 tmp9,env,$0xec                      (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9     (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 qemu_ld16u tmp0,tmp4,tmp5,$0x0             (
 movi_i32 tmp1,$0x0                         (
 movi_i32 tmp20,$0x2                        (
 movi_i32 tmp21,$0x0                        (
 add2_i32 tmp8,tmp9,rsp_0,rsp_1,tmp20,tmp2  (
 nop                                        (
 deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10    (
 deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83f8                               (
 mov_i32 tmp4,rsp_0                         (
 mov_i32 tmp5,rsp_1                         (
 ext16u_i32 tmp4,tmp4                       (
 movi_i32 tmp5,$0x0                         (
 ld_i32 tmp8,env,$0xe8                      (
 ld_i32 tmp9,env,$0xec                      (
 add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9     (
 nop                                        (
 movi_i32 tmp5,$0x0                         (
 qemu_ld16u tmp0,tmp4,tmp5,$0x0             (
 movi_i32 tmp1,$0x0                         (
 movi_i32 tmp20,$0x2                        (
 movi_i32 tmp21,$0x0                        (
 add2_i32 tmp8,tmp9,rsp_0,rsp_1,tmp20,tmp2  (
 nop                                        (
 deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10    (
 ext16u_i32 tmp0,tmp0                       (
 movi_i32 tmp1,$0x0                         (
 st_i32 tmp0,env,$0x80                      (
 st_i32 tmp1,env,$0x84                      (
 movi_i32 cc_op,$0xe                        (
 exit_tb $0x0                               (
                                            (
OP after optimization and liveness analysi  (
 ---- 0xc83e9                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 movi_i32 tmp20,$0xfffffffe                 (
 nopn $0x2,$0x2                             (
 add_i32 tmp4,rsp_0,tmp20                   (
 nopn $0x3,$0x3c,$0x3                       (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp4,tmp4                       (
 nopn $0x2,$0x2                             (
 mov_i32 tmp2,tmp4                          (
 nopn $0x2,$0x2                             (
 ld_i32 tmp8,env,$0xe8                      (
 nopn $0x3,$0x0,$0x3                        (
 add_i32 tmp4,tmp4,tmp8                     (
 nopn $0x3,$0x30,$0x3                       (
 movi_i32 tmp5,$0x0                         (
 qemu_st16 rax_0,tmp4,tmp5,$0x0             (
 deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10    (
                                            (
 ---- 0xc83ea                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 movi_i32 tmp20,$0xfffffffe                 (
 nopn $0x2,$0x2                             (
 add_i32 tmp4,rsp_0,tmp20                   (
 nopn $0x3,$0x3c,$0x3                       (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp4,tmp4                       (
 nopn $0x2,$0x2                             (
 mov_i32 tmp2,tmp4                          (
 nopn $0x2,$0x2                             (
 ld_i32 tmp8,env,$0xe8                      (
 nopn $0x3,$0x0,$0x3                        (
 add_i32 tmp4,tmp4,tmp8                     (
 nopn $0x3,$0x30,$0x3                       (
 movi_i32 tmp5,$0x0                         (
 qemu_st16 rdx_0,tmp4,tmp5,$0x0             (
 deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10    (
                                            (
 ---- 0xc83eb                               (
 movi_i32 tmp0,$0x9206                      (
 nopn $0x2,$0x2                             (
 deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83ee                               (
 movi_i32 tmp0,$0x3c4                       (
 nopn $0x2,$0x2                             (
 deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83f1                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp0,rdx_0                      (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 mov_i32 tmp12,tmp0                         (
 nopn $0x2,$0x2                             (
 movi_i32 tmp22,$outw                       (
 call tmp22,$0x0,$0,tmp12,rax_0             (
                                            (
 ---- 0xc83f2                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 movi_i32 tmp20,$0x1                        (
 movi_i32 tmp21,$0x0                        (
 add2_i32 tmp0,tmp1,rdx_0,rdx_1,tmp20,tmp2  (
 nop                                        (
 deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10    (
 movi_i32 tmp22,$cc_compute_c               (
 call tmp22,$0x10,$1,tmp12,env,cc_op        (
 mov_i32 cc_src_0,tmp12                     (
 movi_i32 cc_src_1,$0x0                     (
 mov_i32 cc_dst_0,tmp0                      (
 mov_i32 cc_dst_1,tmp1                      (
                                            (
 ---- 0xc83f3                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp0,rdx_0                      (
 nopn $0x2,$0x2                             (
 mov_i32 tmp12,tmp0                         (
 movi_i32 tmp22,$inb                        (
 call tmp22,$0x0,$2,tmp2,tmp3,tmp12         (
 deposit_i32 rax_0,rax_0,tmp2,$0x0,$0x8     (
                                            (
 ---- 0xc83f4                               (
 movi_i32 tmp2,$0x12                        |    nopn $0x2,$0x2
 movi_i32 tmp3,$0x0                         |    nopn $0x2,$0x2
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 movi_i32 cc_src_0,$0x12                    (
 movi_i32 cc_src_1,$0x0                     (
 sub2_i32 cc_dst_0,cc_dst_1,rax_0,rax_1,tm  |    nopn $0x6,$0x5,$0x8,$0x9,$0x2a,$0x6
 nop                                        (
                                            (
 ---- 0xc83f6                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp4,rsp_0                      (
 nopn $0x2,$0x2                             (
 ld_i32 tmp8,env,$0xe8                      (
 nopn $0x3,$0x0,$0x3                        (
 add_i32 tmp4,tmp4,tmp8                     (
 nopn $0x3,$0x30,$0x3                       (
 movi_i32 tmp5,$0x0                         (
 qemu_ld16u tmp0,tmp4,tmp5,$0x0             (
 nopn $0x2,$0x2                             (
 movi_i32 tmp20,$0x2                        (
 nopn $0x2,$0x2                             (
 add_i32 tmp8,rsp_0,tmp20                   (
 nopn $0x3,$0x3c,$0x3                       (
 deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10    (
 deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83f7                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp4,rsp_0                      (
 nopn $0x2,$0x2                             (
 ld_i32 tmp8,env,$0xe8                      (
 nopn $0x3,$0x0,$0x3                        (
 add_i32 tmp4,tmp4,tmp8                     (
 nopn $0x3,$0x30,$0x3                       (
 movi_i32 tmp5,$0x0                         (
 qemu_ld16u tmp0,tmp4,tmp5,$0x0             (
 nopn $0x2,$0x2                             (
 movi_i32 tmp20,$0x2                        (
 nopn $0x2,$0x2                             (
 add_i32 tmp8,rsp_0,tmp20                   (
 nopn $0x3,$0x3c,$0x3                       (
 deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10    (
 deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10    (
                                            (
 ---- 0xc83f8                               (
 nopn $0x2,$0x2                             (
 nopn $0x2,$0x2                             (
 ext16u_i32 tmp4,rsp_0                      (
 nopn $0x2,$0x2                             (
 ld_i32 tmp8,env,$0xe8                      (
 nopn $0x3,$0x0,$0x3                        (
 add_i32 tmp4,tmp4,tmp8                     (
 nopn $0x3,$0x30,$0x3                       (
 movi_i32 tmp5,$0x0                         (
 qemu_ld16u tmp0,tmp4,tmp5,$0x0             (
 nopn $0x2,$0x2                             (
 movi_i32 tmp20,$0x2                        (
 nopn $0x2,$0x2                             (
 add_i32 tmp8,rsp_0,tmp20                   (
 nopn $0x3,$0x3c,$0x3                       (
 deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10    (
 ext16u_i32 tmp0,tmp0                       (
 movi_i32 tmp1,$0x0                         (
 st_i32 tmp0,env,$0x80                      (
 st_i32 tmp1,env,$0x84                      (
 movi_i32 cc_op,$0xe                        (
 exit_tb $0x0                               (
 end                                        (
                                            (

and then the next basic block jumps in the weeds:

IN:                                         (
0x00000000000c83a0:  jne    0xc83d3         (

IN:                                         (
0x00000000000c83a2:  push   %ds             | 0x00000000000c83d3:  ret
0x00000000000c83a3:  xor    %ax,%ax         <
0x00000000000c83a5:  mov    %ax,%ds         <
0x00000000000c83a7:  mov    $0x83f9,%ax     <
0x00000000000c83aa:  mov    %ax,0x40        <
0x00000000000c83ad:  mov    $0xc000,%ax     <
0x00000000000c83b0:  mov    %ax,0x42        <
0x00000000000c83b3:  pop    %ds             <

etc.
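To make the "deleted as dead" claim concrete, here is an added Python model of TCG's backward liveness pass, written for this page and not QEMU's own code; it runs over ops condensed from the log above and shows which write a correct pass may drop (the tmp5 write that is overwritten before any read) and which it must keep (the sub2_i32 that defines the cc_dst globals, live until exit_tb). The GLOBALS set, the OUTPUTS arity table and the exit_tb rule are my assumptions modelled on TCG; helper calls, branches and constant folding are not modelled.

```python
# TCG globals of the x86 front end (live at the end of a TB); tmpN are temporaries.
GLOBALS = {"rax_0", "rax_1", "rsp_0", "rsp_1", "env", "cc_op",
           "cc_src_0", "cc_src_1", "cc_dst_0", "cc_dst_1"}

# Number of output operands per op; outputs come first in TCG operand order.
OUTPUTS = {"mov_i32": 1, "movi_i32": 1, "ext16u_i32": 1, "add_i32": 1,
           "ld_i32": 1, "qemu_ld16u": 1, "deposit_i32": 1,
           "add2_i32": 2, "sub2_i32": 2,  # 64-on-32: two 32-bit result words
           "st_i32": 0, "qemu_st16": 0, "exit_tb": 0}

# Condensed from the log in the mail: the first tmp5 write is overwritten
# before any read (really dead); sub2_i32 writes the cc_dst globals.
SAMPLE = """
mov_i32 tmp5,rsp_1
movi_i32 tmp5,$0x0
qemu_st16 tmp0,tmp4,tmp5,$0x0
movi_i32 tmp2,$0x12
movi_i32 tmp3,$0x0
mov_i32 tmp0,rax_0
mov_i32 tmp1,rax_1
mov_i32 cc_src_0,tmp2
mov_i32 cc_src_1,tmp3
sub2_i32 cc_dst_0,cc_dst_1,tmp0,tmp1,tmp2,tmp3
movi_i32 cc_op,$0xe
exit_tb $0x0
"""

def parse(line):
    """Split 'name out,...,in,...,$imm' into (name, outputs, inputs)."""
    name, _, rest = line.strip().partition(" ")
    args = rest.split(",") if rest else []
    nout = OUTPUTS[name]
    inputs = [a for a in args[nout:] if not a.startswith("$")]  # drop immediates
    return name, args[:nout], inputs

def dead_ops(text):
    """Indices of ops whose outputs are all dead, found by a backward walk."""
    ops = [parse(l) for l in text.strip().splitlines()]
    live = set(GLOBALS)  # every global is live at the end of the TB
    dead = []
    for idx in range(len(ops) - 1, -1, -1):
        name, outs, ins = ops[idx]
        if name == "exit_tb":
            live = set(GLOBALS)
            continue
        # A two-word op is dead only if *both* outputs are dead.  sub2_i32
        # writing cc_dst_0/cc_dst_1 therefore has to survive until exit_tb.
        if outs and not any(o in live for o in outs):
            dead.append(idx)
            continue
        live.difference_update(outs)  # defined here, so not live above...
        live.update(ins)              # ...but the inputs are
    return sorted(dead)

def surviving(text):
    """Names of the ops the pass keeps, in program order."""
    dead = set(dead_ops(text))
    lines = text.strip().splitlines()
    return [l.split()[0] for i, l in enumerate(lines) if i not in dead]

if __name__ == "__main__":
    dead = set(dead_ops(SAMPLE))
    for i, line in enumerate(SAMPLE.strip().splitlines()):
        print("dead" if i in dead else "live", line)
```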
