From: "Alex Bennée" <alex.bennee@linaro.org>
To: Aaron Lindsay <aaron@os.amperecomputing.com>
Cc: Richard Henderson <richard.henderson@linaro.org>,
qemu-devel@nongnu.org, "Emilio G. Cota" <cota@braap.org>
Subject: Re: Plugin Memory Callback Debugging
Date: Thu, 01 Dec 2022 19:32:14 +0000 [thread overview]
Message-ID: <87edtic3rq.fsf@linaro.org> (raw)
In-Reply-To: <Y4Ztn91bFssBdbmR@strawberry.localdomain>
Aaron Lindsay <aaron@os.amperecomputing.com> writes:
> On Nov 22 10:57, Aaron Lindsay wrote:
>> On Nov 21 18:22, Richard Henderson wrote:
>> > On 11/21/22 13:51, Alex Bennée wrote:
>> > >
>> > > Aaron Lindsay <aaron@os.amperecomputing.com> writes:
>> > >
>> > > > On Nov 15 22:36, Alex Bennée wrote:
>> > > > > Aaron Lindsay <aaron@os.amperecomputing.com> writes:
>> > > > > > I believe the code *should* always reset `cpu->plugin_mem_cbs` to NULL at the
>> > > > > > end of an instruction/TB's execution, so it's not exactly clear to me how this
>> > > > > > is occurring. However, I suspect it may be relevant that we are calling
>> > > > > > `free_dyn_cb_arr()` because my plugin called `qemu_plugin_reset()`.
>> > > > >
>> > > > > Hmm I'm going to have to remind myself about how this bit works.
>> > > >
>> > > > When is it expected that cpu->plugin_mem_cbs is reset to NULL if it is
>> > > > set for an instruction? Is it guaranteed it is reset by the end of the
>> > > > tb?
>> > >
>> > > It should be by the end of the instruction. See
>> > > inject_mem_disable_helper() which inserts TCG code to disable the
>> > > helpers. We also have plugin_gen_disable_mem_helpers() which should
>> > > catch every exit out of a block (exit_tb, goto_tb, goto_ptr). That is
>> > > why qemu_plugin_disable_mem_helpers() is only really concerned about
>> > > when we longjmp out of the loop.
>> > >
>> > > > If I were to put an assertion in cpu_tb_exec() just after the call
>> > > > to tcg_qemu_tb_exec(), should cpu->plugin_mem_cbs always be NULL
>> > > > there?
>> > >
>> > > Yes I think so.
>> >
>> > Indeed.
>>
>> Well, the good news is that if this is an assumption we're relying on, it is
>> now trivial to reproduce the problem!
>>
>> Compile some simple program (doesn't really matter, the issue gets triggered
>> early):
>>
>> $ echo "int main() { return 0; }" > simple.c && gcc simple.c -o simple
>>
>> Make this change to cpu_tb_exec():
>>
>> > diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
>> > index 356fe348de..50a010327d 100644
>> > --- a/accel/tcg/cpu-exec.c
>> > +++ b/accel/tcg/cpu-exec.c
>> > @@ -436,6 +436,9 @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
>> >
>> > qemu_thread_jit_execute();
>> > ret = tcg_qemu_tb_exec(env, tb_ptr);
>> > + if (cpu->plugin_mem_cbs != NULL) {
>> > + g_assert_not_reached();
>> > + }
>> > cpu->can_do_io = 1;
>> > /*
>> > * TODO: Delay swapping back to the read-write region of the TB
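Review bot: wrapping `g_assert_not_reached()` in `if (cpu->plugin_mem_cbs != NULL)` throws away the condition you actually want in the failure message; `g_assert(cpu->plugin_mem_cbs == NULL);` is the conventional QEMU spelling, prints the expression when it fires, and reads as the invariant being asserted. Also worth stating in the description that this only checks the normal-return path out of tcg_qemu_tb_exec(): a block that leaves via a longjmp (the case qemu_plugin_disable_mem_helpers() is said upthread to cover) never reaches this line, so a clean run here does not prove that path is clean. Fine as a debugging patch, but as written it should not be merged.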
>>
>> And run:
>>
>> $ ./build/qemu-aarch64 -plugin contrib/plugins/libexeclog.so -d plugin ./simple
>>
>> You should fairly quickly see something like:
>>
>> > [snip]
>> > 0, 0x5502814d04, 0xb4000082, ""
>> > 0, 0x5502814d08, 0xf9400440, "", load, 0x5502844ed0
>> > 0, 0x5502814d0c, 0xf1001c1f, ""
Hmm why are you not getting any opcodes there? Missing capstone?
>> > **
>> > ERROR:../accel/tcg/cpu-exec.c:440:cpu_tb_exec: code should not be reached
>> > Bail out! ERROR:../accel/tcg/cpu-exec.c:440:cpu_tb_exec: code
>> > should not be reached
Hmm I can replicate so I need to check my understanding. It fails in the
first block:
./qemu-aarch64 -plugin contrib/plugins/libexeclog.so -d \
plugin,in_asm,op,op_opt,out_asm ./tests/tcg/aarch64-linux-user/sha512
gives:
PROLOGUE: [size=45]
0x7f4b64000000: 55 pushq %rbp
0x7f4b64000001: 53 pushq %rbx
0x7f4b64000002: 41 54 pushq %r12
0x7f4b64000004: 41 55 pushq %r13
0x7f4b64000006: 41 56 pushq %r14
0x7f4b64000008: 41 57 pushq %r15
0x7f4b6400000a: 48 8b ef movq %rdi, %rbp
0x7f4b6400000d: 48 81 c4 78 fb ff ff addq $-0x488, %rsp
0x7f4b64000014: ff e6 jmpq *%rsi
0x7f4b64000016: 33 c0 xorl %eax, %eax
0x7f4b64000018: 48 81 c4 88 04 00 00 addq $0x488, %rsp
0x7f4b6400001f: c5 f8 77 vzeroupper
0x7f4b64000022: 41 5f popq %r15
0x7f4b64000024: 41 5e popq %r14
0x7f4b64000026: 41 5d popq %r13
0x7f4b64000028: 41 5c popq %r12
0x7f4b6400002a: 5b popq %rbx
0x7f4b6400002b: 5d popq %rbp
0x7f4b6400002c: c3 retq
----------------
IN:
0x004005d0: d280001d movz x29, #0
0x004005d4: d280001e movz x30, #0
0x004005d8: aa0003e5 mov x5, x0
0x004005dc: f94003e1 ldr x1, [sp]
0x004005e0: 910023e2 add x2, sp, #8
0x004005e4: 910003e6 mov x6, sp
0x004005e8: 90000000 adrp x0, #0x400000
0x004005ec: 91182000 add x0, x0, #0x608
0x004005f0: b0000023 adrp x3, #0x405000
0x004005f4: 91014063 add x3, x3, #0x50
0x004005f8: b0000024 adrp x4, #0x405000
0x004005fc: 91044084 add x4, x4, #0x110
0x00400600: 940010e8 bl #0x4049a0
OP:
ld_i32 tmp0,env,$0xfffffffffffffff0
brcond_i32 tmp0,$0x0,lt,$L0
---- 00000000004005d0 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff203430
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x29,$0x0
---- 00000000004005d4 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff202800
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 lr,$0x0
---- 00000000004005d8 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff203400
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x5,x0
This is a memory-annotated instruction:
---- 00000000004005dc 0000000000000000 0000000000000f06
mov_i64 tmp2,$0x55c0ff1a6150
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 tmp2,sp
shl_i64 tmp4,tmp2,$0x8
sar_i64 tmp4,tmp4,$0x8
and_i64 tmp4,tmp4,tmp2
mov_i64 tmp7,tmp4
qemu_ld_i64 x1,tmp7,leq,0
mov_i32 tmp8,$0x10030
mov_i64 tmp11,$0x0
ld_i32 tmp0,env,$0xffffffffffffffa8
mov_i64 tmp10,tmp7
call plugin(0x7f4b71c14388),$0x1,$0,tmp0,tmp8,tmp10,tmp11
---- 00000000004005e0 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff1fa4e0
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,sp,$0x8
mov_i64 x2,tmp2
---- 00000000004005e4 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff193500
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 tmp2,sp
mov_i64 x6,tmp2
---- 00000000004005e8 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff219700
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x0,$0x400000
---- 00000000004005ec 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff21d160
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,x0,$0x608
mov_i64 x0,tmp2
---- 00000000004005f0 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff217f80
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x3,$0x405000
---- 00000000004005f4 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff2180c0
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,x3,$0x50
mov_i64 x3,tmp2
---- 00000000004005f8 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff21c4b0
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x4,$0x405000
---- 00000000004005fc 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff21c590
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,x4,$0x110
mov_i64 x4,tmp2
---- 0000000000400600 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff217cd0
st_i64 tmp2,env,$0xffffffffffffff90
mov_i64 tmp2,$0x55c0ff21c670
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 lr,$0x400604
mov_i64 pc,$0x4049a0
call lookup_tb_ptr,$0x6,$1,tmp2,env
goto_ptr tmp2
set_label $L0
exit_tb $0x7f4b64000043
OP after optimization and liveness analysis:
ld_i32 tmp0,env,$0xfffffffffffffff0 pref=0xffff
brcond_i32 tmp0,$0x0,lt,$L0 dead: 0 1
---- 00000000004005d0 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff203430 dead: 0 1
mov_i64 x29,$0x0 sync: 0 dead: 0 pref=0xffff
---- 00000000004005d4 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff202800 dead: 0 1
mov_i64 lr,$0x0 sync: 0 dead: 0 pref=0xffff
---- 00000000004005d8 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff203400 dead: 0 1
mov_i64 x5,x0 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005dc 0000000000000000 0000000000000f06
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff1a6150 dead: 0 1
shl_i64 tmp4,sp,$0x8 pref=0xffff
sar_i64 tmp4,tmp4,$0x8 dead: 1 pref=0xffff
and_i64 tmp4,tmp4,sp dead: 1 pref=0xffff
mov_i64 tmp7,tmp4 dead: 1 pref=0xf038
qemu_ld_i64 x1,tmp7,leq,0 sync: 0 dead: 0 pref=0xffff
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
mov_i64 tmp10,tmp7 dead: 1 pref=0x4
call plugin(0x7f4b71c14388),$0x1,$0,tmp0,$0x10030,tmp10,$0x0 dead: 0 1 2 3
---- 00000000004005e0 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff1fa4e0 dead: 0 1
add_i64 tmp2,sp,$0x8 dead: 2 pref=0xffff
mov_i64 x2,tmp2 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005e4 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff193500 dead: 0 1
mov_i64 x6,sp sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005e8 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff219700 dead: 0 1
---- 00000000004005ec 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21d160 dead: 0 1
mov_i64 x0,$0x400608 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005f0 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff217f80 dead: 0 1
---- 00000000004005f4 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff2180c0 dead: 0 1
mov_i64 x3,$0x405050 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005f8 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c4b0 dead: 0 1
---- 00000000004005fc 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c590 dead: 0 1
mov_i64 x4,$0x405110 sync: 0 dead: 0 1 pref=0xffff
---- 0000000000400600 0000000000000000 0000000000000000
st_i64 $0x55c0ff217cd0,env,$0xffffffffffffff90 dead: 0
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c670 dead: 0 1
mov_i64 lr,$0x400604 sync: 0 dead: 0 1 pref=0xffff
mov_i64 pc,$0x4049a0 sync: 0 dead: 0 1 pref=0xffff
call lookup_tb_ptr,$0x6,$1,tmp2,env dead: 1 pref=none
goto_ptr tmp2 dead: 0
set_label $L0
exit_tb $0x7f4b64000043
OUT: [size=432]
-- guest addr 0x00000000004005d0 + tb prologue
0x7f4b64000100: 8b 5d f0 movl -0x10(%rbp), %ebx
0x7f4b64000103: 85 db testl %ebx, %ebx
0x7f4b64000105: 0f 8c 8a 01 00 00 jl 0x7f4b64000295
0x7f4b6400010b: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400010e: 48 be 30 34 20 ff c0 55 movabsq $0x55c0ff203430, %rsi
0x7f4b64000116: 00 00
0x7f4b64000118: e8 82 43 c1 0d callq 0x7f4b71c1449f
0x7f4b6400011d: 48 c7 85 28 01 00 00 00 movq $0, 0x128(%rbp)
0x7f4b64000125: 00 00 00
-- guest addr 0x00000000004005d4
0x7f4b64000128: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400012b: 48 be 00 28 20 ff c0 55 movabsq $0x55c0ff202800, %rsi
0x7f4b64000133: 00 00
0x7f4b64000135: e8 65 43 c1 0d callq 0x7f4b71c1449f
0x7f4b6400013a: 48 c7 85 30 01 00 00 00 movq $0, 0x130(%rbp)
0x7f4b64000142: 00 00 00
-- guest addr 0x00000000004005d8
0x7f4b64000145: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000148: 48 be 00 34 20 ff c0 55 movabsq $0x55c0ff203400, %rsi
0x7f4b64000150: 00 00
0x7f4b64000152: e8 48 43 c1 0d callq 0x7f4b71c1449f
0x7f4b64000157: 48 8b 5d 40 movq 0x40(%rbp), %rbx
0x7f4b6400015b: 48 89 5d 68 movq %rbx, 0x68(%rbp)
-- guest addr 0x00000000004005dc
0x7f4b6400015f: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000162: 48 be 50 61 1a ff c0 55 movabsq $0x55c0ff1a6150, %rsi
0x7f4b6400016a: 00 00
0x7f4b6400016c: e8 2e 43 c1 0d callq 0x7f4b71c1449f
0x7f4b64000171: 48 8b 9d 38 01 00 00 movq 0x138(%rbp), %rbx
0x7f4b64000178: 4c 8b e3 movq %rbx, %r12
0x7f4b6400017b: 49 c1 e4 08 shlq $8, %r12
0x7f4b6400017f: 49 c1 fc 08 sarq $8, %r12
0x7f4b64000183: 4c 23 e3 andq %rbx, %r12
0x7f4b64000186: 4d 8b 2c 24 movq (%r12), %r13
0x7f4b6400018a: 4c 89 6d 48 movq %r13, 0x48(%rbp)
0x7f4b6400018e: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000191: be 30 00 01 00 movl $0x10030, %esi
0x7f4b64000196: 49 8b d4 movq %r12, %rdx
0x7f4b64000199: 33 c9 xorl %ecx, %ecx
0x7f4b6400019b: e8 e8 41 c1 0d callq 0x7f4b71c14388
-- guest addr 0x00000000004005e0
0x7f4b640001a0: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001a3: 48 be e0 a4 1f ff c0 55 movabsq $0x55c0ff1fa4e0, %rsi
0x7f4b640001ab: 00 00
0x7f4b640001ad: e8 ed 42 c1 0d callq 0x7f4b71c1449f
0x7f4b640001b2: 4c 8d 63 08 leaq 8(%rbx), %r12
0x7f4b640001b6: 4c 89 65 50 movq %r12, 0x50(%rbp)
-- guest addr 0x00000000004005e4
0x7f4b640001ba: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001bd: 48 be 00 35 19 ff c0 55 movabsq $0x55c0ff193500, %rsi
0x7f4b640001c5: 00 00
0x7f4b640001c7: e8 d3 42 c1 0d callq 0x7f4b71c1449f
0x7f4b640001cc: 48 89 5d 70 movq %rbx, 0x70(%rbp)
-- guest addr 0x00000000004005e8
0x7f4b640001d0: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001d3: 48 be 00 97 21 ff c0 55 movabsq $0x55c0ff219700, %rsi
0x7f4b640001db: 00 00
0x7f4b640001dd: e8 bd 42 c1 0d callq 0x7f4b71c1449f
-- guest addr 0x00000000004005ec
0x7f4b640001e2: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001e5: 48 be 60 d1 21 ff c0 55 movabsq $0x55c0ff21d160, %rsi
0x7f4b640001ed: 00 00
0x7f4b640001ef: e8 ab 42 c1 0d callq 0x7f4b71c1449f
0x7f4b640001f4: 48 c7 45 40 08 06 40 00 movq $0x400608, 0x40(%rbp)
-- guest addr 0x00000000004005f0
0x7f4b640001fc: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001ff: 48 be 80 7f 21 ff c0 55 movabsq $0x55c0ff217f80, %rsi
0x7f4b64000207: 00 00
0x7f4b64000209: e8 91 42 c1 0d callq 0x7f4b71c1449f
-- guest addr 0x00000000004005f4
0x7f4b6400020e: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000211: 48 be c0 80 21 ff c0 55 movabsq $0x55c0ff2180c0, %rsi
0x7f4b64000219: 00 00
0x7f4b6400021b: e8 7f 42 c1 0d callq 0x7f4b71c1449f
0x7f4b64000220: 48 c7 45 58 50 50 40 00 movq $0x405050, 0x58(%rbp)
-- guest addr 0x00000000004005f8
0x7f4b64000228: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400022b: 48 be b0 c4 21 ff c0 55 movabsq $0x55c0ff21c4b0, %rsi
0x7f4b64000233: 00 00
0x7f4b64000235: e8 65 42 c1 0d callq 0x7f4b71c1449f
-- guest addr 0x00000000004005fc
0x7f4b6400023a: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400023d: 48 be 90 c5 21 ff c0 55 movabsq $0x55c0ff21c590, %rsi
0x7f4b64000245: 00 00
0x7f4b64000247: e8 53 42 c1 0d callq 0x7f4b71c1449f
0x7f4b6400024c: 48 c7 45 60 10 51 40 00 movq $0x405110, 0x60(%rbp)
-- guest addr 0x0000000000400600
0x7f4b64000254: 48 bb d0 7c 21 ff c0 55 movabsq $0x55c0ff217cd0, %rbx
0x7f4b6400025c: 00 00
0x7f4b6400025e: 48 89 5d 90 movq %rbx, -0x70(%rbp)
0x7f4b64000262: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000265: 48 be 70 c6 21 ff c0 55 movabsq $0x55c0ff21c670, %rsi
0x7f4b6400026d: 00 00
0x7f4b6400026f: e8 2b 42 c1 0d callq 0x7f4b71c1449f
0x7f4b64000274: 48 c7 85 30 01 00 00 04 movq $0x400604, 0x130(%rbp)
0x7f4b6400027c: 06 40 00
0x7f4b6400027f: 48 c7 85 40 01 00 00 a0 movq $0x4049a0, 0x140(%rbp)
0x7f4b64000287: 49 40 00
0x7f4b6400028a: 48 8b fd movq %rbp, %rdi
0x7f4b6400028d: ff 15 15 00 00 00 callq *0x15(%rip)
0x7f4b64000293: ff e0 jmpq *%rax
0x7f4b64000295: 48 8d 05 a7 fd ff ff leaq -0x259(%rip), %rax
0x7f4b6400029c: e9 77 fd ff ff jmp 0x7f4b64000018
-- tb slow paths + alignment
0x7f4b640002a1: 90 nop
0x7f4b640002a2: 90 nop
0x7f4b640002a3: 90 nop
0x7f4b640002a4: 90 nop
0x7f4b640002a5: 90 nop
0x7f4b640002a6: 90 nop
0x7f4b640002a7: 90 nop
data: [size=8]
0x7f4b640002a8: .quad 0x000055c0feba1d00
0, 0x4005d0, 0xd280001d, "movz x29, #0"
0, 0x4005d4, 0xd280001e, "movz x30, #0"
0, 0x4005d8, 0xaa0003e5, "mov x5, x0"
0, 0x4005dc, 0xf94003e1, "ldr x1, [sp]", load, 0x55008000f0
0, 0x4005e0, 0x910023e2, "add x2, sp, #8"
0, 0x4005e4, 0x910003e6, "mov x6, sp"
0, 0x4005e8, 0x90000000, "adrp x0, #0x400000"
0, 0x4005ec, 0x91182000, "add x0, x0, #0x608"
0, 0x4005f0, 0xb0000023, "adrp x3, #0x405000"
0, 0x4005f4, 0x91014063, "add x3, x3, #0x50"
0, 0x4005f8, 0xb0000024, "adrp x4, #0x405000"
0, 0x4005fc, 0x91044084, "add x4, x4, #0x110"
cpu_tb_exec: 0
**
ERROR:../../accel/tcg/cpu-exec.c:443:cpu_tb_exec: code should not be reached
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
>>
>> When digging through my other failure in `rr` I saw the cpu->plugin_mem_cbs
>> pointer changing from one non-null value to another (which also seems to
>> indicate it is not being cleared between instructions).
>>
>> Does this hint that there are cases where the reset of cpu->plugin_mem_cbs to NULL is
>> getting optimized away, but not the code to set it in the first place?
>
> Is there anyone who could help take a look at this from the code gen
> perspective?
>
> -Aaron
--
Alex Bennée
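Reading a `-d op` dump by eye to find where a block arms and disarms the plugin memory helpers is tedious, so here is a small analyser for that job. It is an added example for this thread, not QEMU code and not something either poster ran: it walks the ops of a dump, tracks stores to one CPUState slot reached through `env`, and reports any block exit (`exit_tb`, `goto_tb`, `goto_ptr`) that is reached while the last store to that slot on the straight-line path was a non-NULL pointer. The env offset of `cpu->plugin_mem_cbs` (-0x70, the slot written in the dump quoted above) is an assumption; confirm it from `offsetof(CPUState, plugin_mem_cbs) - offsetof(ArchCPU, env)` in your own build before trusting a report. The first sample is trimmed from the quoted dump; the second is constructed to show the cleared case in `op_opt` format.

```python
"""Scan a QEMU `-d op` / `-d op_opt` dump for translation-block exits reached
while the last store to a chosen CPUState slot left a non-NULL pointer in it.
Added example for the thread above, not QEMU code.  The env offset of
cpu->plugin_mem_cbs is an assumption taken from the quoted dump (-0x70)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLUGIN_MEM_CBS_OFF = -0x70                       # assumption, see docstring
BLOCK_EXITS = ("exit_tb", "goto_tb", "goto_ptr")  # ops that leave the TB


@dataclass
class Finding:
    exit_op: str            # the TCG op that leaves the block
    set_by_insn: int        # guest pc of the insn whose store is still live
    value: Optional[int]    # stored pointer, or None if not a constant


def tcg_imm(tok: str) -> int:
    """Parse a TCG immediate such as $0xffffffffffffff90 as a signed int64."""
    v = int(tok[1:], 16)
    return v - (1 << 64) if v >= (1 << 63) else v


def analyze(dump: str, slot_off: int = PLUGIN_MEM_CBS_OFF
            ) -> Tuple[List[int], List[Finding]]:
    """Return (insns that have a memory callback, exits with the slot armed)."""
    mem_cb_insns: List[int] = []
    findings: List[Finding] = []
    consts = {}      # temp -> immediate, tracked within one guest insn
    live = None      # (pc, value) of the last non-NULL store to the slot
    cur_pc = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):       # blank or "OP:" style header
            continue
        if line.startswith("----"):              # "---- <pc> <cs_base> <flags>"
            cur_pc = int(line.split()[1], 16)
            consts = {}
            continue
        parts = line.split(None, 1)
        op = parts[0]
        # operands are the first token; liveness annotations such as
        # "dead: 0 1 pref=0xffff" follow in op_opt dumps and are ignored
        args = parts[1].split()[0].split(",") if len(parts) > 1 else []
        if op.startswith("mov_i") and len(args) == 2 and args[1].startswith("$"):
            consts[args[0]] = tcg_imm(args[1])
        elif op.startswith("st_i") and len(args) == 3 and args[1] == "env":
            if tcg_imm(args[2]) != slot_off:
                continue
            src = args[0]
            value = tcg_imm(src) if src.startswith("$") else consts.get(src)
            live = None if value == 0 else (cur_pc, value)
        elif op == "call" and args and args[0].startswith("plugin("):
            # call <fn>,$flags,$nb_outputs,<inputs...>: an instruction callback
            # gets (cpu_index, udata), a memory callback (cpu_index, meminfo,
            # vaddr, udata)
            if len(args) - 3 == 4:
                mem_cb_insns.append(cur_pc)
        elif op == "set_label":
            live = None   # control-flow merge point: forget straight-line state
        elif op in BLOCK_EXITS and live is not None:
            findings.append(Finding(op, live[0], live[1]))
    return mem_cb_insns, findings


# Trimmed from the `-d op` dump quoted above: the ldr at 0x4005dc carries a
# memory callback; the bl at 0x400600 stores a pointer into the -0x70 slot and
# the block then leaves through goto_ptr without a NULL store.
SAMPLE_DANGLING = """\
---- 00000000004005dc 0000000000000000 0000000000000f06
mov_i64 tmp2,$0x55c0ff1a6150
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
qemu_ld_i64 x1,tmp7,leq,0
call plugin(0x7f4b71c14388),$0x1,$0,tmp0,tmp8,tmp10,tmp11
---- 0000000000400600 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff217cd0
st_i64 tmp2,env,$0xffffffffffffff90
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
goto_ptr tmp2
set_label $L0
exit_tb $0x7f4b64000043
"""

# Constructed counterpart in op_opt format: the slot is cleared before the
# exit, so nothing is reported.
SAMPLE_CLEARED = """\
---- 0000000000400600 0000000000000000 0000000000000000
st_i64 $0x55c0ff217cd0,env,$0xffffffffffffff90 dead: 0
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c670 dead: 0 1
st_i64 $0x0,env,$0xffffffffffffff90 dead: 0
goto_ptr tmp2 dead: 0
"""

if __name__ == "__main__":
    for name, dump in (("dangling", SAMPLE_DANGLING), ("cleared", SAMPLE_CLEARED)):
        mem_insns, found = analyze(dump)
        print(f"{name}: memory callbacks at {[hex(pc) for pc in mem_insns]}")
        for f in found:
            val = hex(f.value) if f.value is not None else "unknown"
            print(f"  {f.exit_op} reached with slot set by {f.set_by_insn:#x} ({val})")
```

Feed it the full `-d plugin,op` (or `op_opt`) output of a run with the assertion patch applied; the last reported exit before the abort is the block to look at. The analysis is deliberately straight-line: at a `set_label` it forgets what it knows, so exits on a branch target (such as the `exit_tb` behind the icount check at the start of the block) are never reported rather than reported wrongly, and a store from a non-constant temp is reported with value `None`.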
Thread overview: 17+ messages
2022-11-15 22:05 Plugin Memory Callback Debugging Aaron Lindsay
2022-11-15 22:36 ` Alex Bennée
2022-11-18 21:58 ` Aaron Lindsay via
2022-11-18 22:02 ` Aaron Lindsay
2022-11-21 22:02 ` Alex Bennée
2022-11-22 17:05 ` Aaron Lindsay via
2022-11-21 20:18 ` Aaron Lindsay via
2022-11-21 21:51 ` Alex Bennée
2022-11-22 2:22 ` Richard Henderson
2022-11-22 15:57 ` Aaron Lindsay via
2022-11-29 20:37 ` Aaron Lindsay via
2022-12-01 19:32 ` Alex Bennée [this message]
2022-12-18 5:24 ` Emilio Cota
2022-12-19 20:11 ` Aaron Lindsay
2023-01-06 10:30 ` Alex Bennée
2023-01-07 3:07 ` Emilio Cota
2022-11-16 6:19 ` Emilio Cota