From: "Alex Bennée" <alex.bennee@linaro.org>
To: peter.maydell@linaro.org
Cc: qemu-devel@nongnu.org, qemu-arm@nongnu.org,
Etienne Carriere <etienne.carriere@linaro.org>,
Joakim Bech <joakim.bech@linaro.org>,
"Emilio G . Cota" <cota@braap.org>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [RFC PATCH] target/arm: ensure eret exits the run-loop
Date: Fri, 07 Jul 2017 18:32:02 +0100 [thread overview]
Message-ID: <87inj49mr1.fsf@linaro.org> (raw)
In-Reply-To: <20170707161822.29659-1-alex.bennee@linaro.org>
Alex Bennée <alex.bennee@linaro.org> writes:
> Previously DISAS_JUMP did ensure this but with the optimisation of
> 8a6b28c7 (optimize indirect branches) we might not leave the loop.
> This means if any pending interrupts are cleared by changing IRQ flags
> we might never get around to servicing them. You usually notice this
> by seeing the lookup_tb_ptr() helper gainfully chaining TBs together
> while cpu->interrupt_request remains high and the exit_request has not
> been set.
>
> This breaks amongst other things the OPTEE test suite which executes
> an eret from the secure world after a non-secure world IRQ has gone
> pending which then never gets serviced.
>
> An alternate approach might be for the exception helpers to ensure the
> exit request flag is set if an IRQ is now unmasked.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> CC: Etienne Carriere <etienne.carriere@linaro.org>
> CC: Joakim Bech <joakim.bech@linaro.org>
> CC: Peter Maydell <peter.maydell@linaro.org>
> CC: Emilio G. Cota <cota@braap.org>
> CC: Richard Henderson <rth@twiddle.net>
> ---
> target/arm/translate-a64.c | 3 ++-
> target/arm/translate.c | 6 ++++--
> 2 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
> index e55547d95d..3ee88b2590 100644
> --- a/target/arm/translate-a64.c
> +++ b/target/arm/translate-a64.c
> @@ -1788,7 +1788,8 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
> return;
> }
> gen_helper_exception_return(cpu_env);
> - s->is_jmp = DISAS_JUMP;
> + /* Must exit loop to check un-masked IRQs */
> + s->is_jmp = DISAS_EXIT;
Given the wording of:
/* is_jmp field values */
#define DISAS_NEXT 0 /* next instruction can be analyzed */
#define DISAS_JUMP 1 /* only pc was modified dynamically */
#define DISAS_UPDATE 2 /* cpu state was modified dynamically */
#define DISAS_TB_JUMP 3 /* only pc was modified statically */
I'm thinking that really these DISAS_JUMP's should be DISAS_UPDATEs and
we need to disable the TB chaining optimisations for this. I'll prepare
a more comprehensive series next week. However testing this patch for
known failure modes will be useful.
> return;
> case 5: /* DRPS */
> if (rn != 0x1f) {
> diff --git a/target/arm/translate.c b/target/arm/translate.c
> index 0862f9e4aa..920fb41395 100644
> --- a/target/arm/translate.c
> +++ b/target/arm/translate.c
> @@ -4475,7 +4475,8 @@ static void gen_rfe(DisasContext *s, TCGv_i32 pc, TCGv_i32 cpsr)
> */
> gen_helper_cpsr_write_eret(cpu_env, cpsr);
> tcg_temp_free_i32(cpsr);
> - s->is_jmp = DISAS_JUMP;
> + /* Must exit loop to check un-masked IRQs */
> + s->is_jmp = DISAS_EXIT;
> }
>
> /* Generate an old-style exception return. Marks pc as dead. */
> @@ -9519,7 +9520,8 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
> tmp = load_cpu_field(spsr);
> gen_helper_cpsr_write_eret(cpu_env, tmp);
> tcg_temp_free_i32(tmp);
> - s->is_jmp = DISAS_JUMP;
> + /* Must exit loop to check un-masked IRQs */
> + s->is_jmp = DISAS_EXIT;
> }
> }
> break;
--
Alex Bennée
WARNING: multiple messages have this Message-ID (diff)
From: "Alex Bennée" <alex.bennee@linaro.org>
To: peter.maydell@linaro.org
Cc: qemu-devel@nongnu.org, qemu-arm@nongnu.org,
Etienne Carriere <etienne.carriere@linaro.org>,
Joakim Bech <joakim.bech@linaro.org>,
"Emilio G . Cota" <cota@braap.org>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-devel] [RFC PATCH] target/arm: ensure eret exits the run-loop
Date: Fri, 07 Jul 2017 18:32:02 +0100 [thread overview]
Message-ID: <87inj49mr1.fsf@linaro.org> (raw)
In-Reply-To: <20170707161822.29659-1-alex.bennee@linaro.org>
Alex Bennée <alex.bennee@linaro.org> writes:
> Previously DISAS_JUMP did ensure this but with the optimisation of
> 8a6b28c7 (optimize indirect branches) we might not leave the loop.
> This means if any pending interrupts are cleared by changing IRQ flags
> we might never get around to servicing them. You usually notice this
> by seeing the lookup_tb_ptr() helper gainfully chaining TBs together
> while cpu->interrupt_request remains high and the exit_request has not
> been set.
>
> This breaks amongst other things the OPTEE test suite which executes
> an eret from the secure world after a non-secure world IRQ has gone
> pending which then never gets serviced.
>
> An alternate approach might be for the exception helpers to ensure the
> exit request flag is set if an IRQ is now unmasked.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> CC: Etienne Carriere <etienne.carriere@linaro.org>
> CC: Joakim Bech <joakim.bech@linaro.org>
> CC: Peter Maydell <peter.maydell@linaro.org>
> CC: Emilio G. Cota <cota@braap.org>
> CC: Richard Henderson <rth@twiddle.net>
> ---
> target/arm/translate-a64.c | 3 ++-
> target/arm/translate.c | 6 ++++--
> 2 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
> index e55547d95d..3ee88b2590 100644
> --- a/target/arm/translate-a64.c
> +++ b/target/arm/translate-a64.c
> @@ -1788,7 +1788,8 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
> return;
> }
> gen_helper_exception_return(cpu_env);
> - s->is_jmp = DISAS_JUMP;
> + /* Must exit loop to check un-masked IRQs */
> + s->is_jmp = DISAS_EXIT;
Given the wording of:
/* is_jmp field values */
#define DISAS_NEXT 0 /* next instruction can be analyzed */
#define DISAS_JUMP 1 /* only pc was modified dynamically */
#define DISAS_UPDATE 2 /* cpu state was modified dynamically */
#define DISAS_TB_JUMP 3 /* only pc was modified statically */
I'm thinking that really these DISAS_JUMP's should be DISAS_UPDATEs and
we need to disable the TB chaining optimisations for this. I'll prepare
a more comprehensive series next week. However testing this patch for
known failure modes will be useful.
> return;
> case 5: /* DRPS */
> if (rn != 0x1f) {
> diff --git a/target/arm/translate.c b/target/arm/translate.c
> index 0862f9e4aa..920fb41395 100644
> --- a/target/arm/translate.c
> +++ b/target/arm/translate.c
> @@ -4475,7 +4475,8 @@ static void gen_rfe(DisasContext *s, TCGv_i32 pc, TCGv_i32 cpsr)
> */
> gen_helper_cpsr_write_eret(cpu_env, cpsr);
> tcg_temp_free_i32(cpsr);
> - s->is_jmp = DISAS_JUMP;
> + /* Must exit loop to check un-masked IRQs */
> + s->is_jmp = DISAS_EXIT;
> }
>
> /* Generate an old-style exception return. Marks pc as dead. */
> @@ -9519,7 +9520,8 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
> tmp = load_cpu_field(spsr);
> gen_helper_cpsr_write_eret(cpu_env, tmp);
> tcg_temp_free_i32(tmp);
> - s->is_jmp = DISAS_JUMP;
> + /* Must exit loop to check un-masked IRQs */
> + s->is_jmp = DISAS_EXIT;
> }
> }
> break;
--
Alex Bennée
next prev parent reply other threads:[~2017-07-07 17:32 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-07 16:18 [RFC PATCH] target/arm: ensure eret exits the run-loop Alex Bennée
2017-07-07 16:18 ` [Qemu-devel] " Alex Bennée
2017-07-07 17:32 ` Alex Bennée [this message]
2017-07-07 17:32 ` Alex Bennée
2017-07-07 17:36 ` Peter Maydell
2017-07-07 17:36 ` [Qemu-devel] " Peter Maydell
2017-07-07 17:54 ` Richard Henderson
2017-07-07 17:54 ` [Qemu-devel] " Richard Henderson
2017-07-07 18:29 ` Alex Bennée
2017-07-07 18:29 ` [Qemu-devel] " Alex Bennée
2017-07-07 18:52 ` Richard Henderson
2017-07-07 18:52 ` [Qemu-devel] " Richard Henderson
2017-07-08 16:21 ` [Qemu-arm] " Philippe Mathieu-Daudé
2017-07-08 16:21 ` [Qemu-devel] " Philippe Mathieu-Daudé
2017-07-10 12:15 ` Alex Bennée
2017-07-10 12:15 ` [Qemu-devel] " Alex Bennée
2017-07-10 12:19 ` Peter Maydell
2017-07-10 12:19 ` [Qemu-devel] " Peter Maydell
2017-07-10 12:54 ` Alex Bennée
2017-07-10 12:54 ` [Qemu-devel] " Alex Bennée
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87inj49mr1.fsf@linaro.org \
--to=alex.bennee@linaro.org \
--cc=cota@braap.org \
--cc=etienne.carriere@linaro.org \
--cc=joakim.bech@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.