From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56820)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rth7680@gmail.com>) id 1YxHR7-0008IC-9b
	for qemu-devel@nongnu.org; Tue, 26 May 2015 12:10:38 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rth7680@gmail.com>) id 1YxHR1-000381-On
	for qemu-devel@nongnu.org; Tue, 26 May 2015 12:10:37 -0400
Received: from mail-qk0-x235.google.com ([2607:f8b0:400d:c09::235]:35347)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rth7680@gmail.com>) id 1YxHR1-00037x-KF
	for qemu-devel@nongnu.org; Tue, 26 May 2015 12:10:31 -0400
Received: by qkdn188 with SMTP id n188so93208970qkd.2
	for <qemu-devel@nongnu.org>; Tue, 26 May 2015 09:10:31 -0700 (PDT)
Sender: Richard Henderson <rth7680@gmail.com>
Message-ID: <55649AF2.4080006@twiddle.net>
Date: Tue, 26 May 2015 09:10:26 -0700
From: Richard Henderson <rth@twiddle.net>
MIME-Version: 1.0
References: <1432644395-45207-1-git-send-email-yongbok.kim@imgtec.com>
	<556495FC.2050405@twiddle.net> <556497D8.7030708@imgtec.com>
In-Reply-To: <556497D8.7030708@imgtec.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] tcg: fix segfault when MO_UNALN is set
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Yongbok Kim <yongbok.kim@imgtec.com>, qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, leon.alrae@imgtec.com

On 05/26/2015 08:57 AM, Yongbok Kim wrote:
> On 26/05/2015 16:49, Richard Henderson wrote:
>> On 05/26/2015 05:46 AM, Yongbok Kim wrote:
>>> MO_UNALN caused segfaults when it is set, it reached out of boundary of
>>> load/ store function pointer arrays in tcg_out_qemu_{ld,st}_slow_path()
>>> or its equivalents.
>>
>> I'd like to know more about this crash please.  Where does it happen?
>>
>>
>> r~
>>
> 
> tcg/i386/tcg-target.c
> 
>> static void * const qemu_st_helpers[16] = {
>>     [MO_UB]   = helper_ret_stb_mmu,
>>     [MO_LEUW] = helper_le_stw_mmu,
>>     [MO_LEUL] = helper_le_stl_mmu,
>>     [MO_LEQ]  = helper_le_stq_mmu,
>>     [MO_BEUW] = helper_be_stw_mmu,
>>     [MO_BEUL] = helper_be_stl_mmu,
>>     [MO_BEQ]  = helper_be_stq_mmu,
>> };
> 
> ...
> 
>> static void tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
>> {
> 
>>     TCGMemOp opc = get_memop(oi);
> 
>>     /* "Tail call" to the helper, with the return address back inline.  */
>>     tcg_out_push(s, retaddr);
>>     tcg_out_jmp(s, qemu_st_helpers[opc]);
> 
> Here is the crashing point...

Ah, I think I'd masked things in there.  But clearly not.

Your patch has the nice property of not having to modify all the backends, but
it has the unfortunate property that make* and get* become asymmetrical.

I'll try to come up with an alternative soon, and we'll see how messy it gets.


r~