From: "Alex Bennée" <alex.bennee@linaro.org>
To: Richard Henderson <rth@twiddle.net>
Cc: peter.maydell@linaro.org, pbonzini@redhat.com,
qemu-devel@nongnu.org, mttcg@greensocs.com,
fred.konrad@greensocs.com, a.rigo@virtualopensystems.com,
cota@braap.org, bobby.prani@gmail.com, nikunj@linux.vnet.ibm.com,
Peter Crosthwaite <crosthwaite.peter@gmail.com>
Subject: Re: [Qemu-devel] [PATCH v2 05/11] translate-all: exit cpu_restore_state early if translating
Date: Fri, 03 Mar 2017 10:03:07 +0000 [thread overview]
Message-ID: <87r32e1xus.fsf@linaro.org> (raw)
In-Reply-To: <4054a3ea-c278-11c3-9c0a-5ec952ef8598@twiddle.net>
Richard Henderson <rth@twiddle.net> writes:
> On 03/03/2017 06:53 AM, Alex Bennée wrote:
>> The translation code uses cpu_ld*_code which can trigger a tlb_fill
>> which if it fails will attempt a fault resolution. This never works
>> during translation as the TB being generated hasn't been added yet.
>> However with the new locking regime we end up double locking the
>> tb_lock(). As the tcg_ctx.cpu is only set during translation we use
>> this to short circuit the restore code and return with a fail.
>
> We *should* have retaddr == 0 for this case, which indicates that we
> should not attempt to restore state. Are you seeing a non-zero value?
Actually looking at xtensa I see:
Attempt to resolve CPU state @ 0x0 while translating
So maybe I should check just that - but I don't see where we ensure we
always pass zero.
>
> Hmm.. Or rather we should not have called cpu_restore_state in the
> first place. What is the call chain leading to this point?
Thread 3 "qemu-system-xte" hit Breakpoint 2, cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
338 qemu_log_mask(LOG_UNIMP, "Attempt to resolve CPU state @ 0x%" PRIxPTR
#0 0x00005555555e3712 in cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
#1 0x000055555564cb38 in tlb_fill (cs=cs@entry=0x555556032600, vaddr=vaddr@entry=537034752, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=mmu_idx@entry=1, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/op_helper.c:73
#2 0x000055555562d604 in helper_ret_ldb_cmmu (env=env@entry=0x55555603a890, addr=537034752, oi=<optimised out>, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/softmmu_template.h:127
#3 0x00005555556448df in gen_intermediate_code (retaddr=0, ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:102
#4 0x00005555556448df in gen_intermediate_code (ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:114
#5 0x00005555556448df in gen_intermediate_code (dc=0x7fffcca0f4d0, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:1052
#6 0x00005555556448df in gen_intermediate_code (env=0x55555603a890, tb=0x7fffccc7de00) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:3214
#7 0x00005555555e383b in tb_gen_code (cpu=cpu@entry=0x555556032600, pc=pc@entry=537034751, cs_base=cs_base@entry=0, flags=flags@entry=229393, cflags=<optimised out>, cflags@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:1288
#8 0x00005555555e5e41 in cpu_exec (tb_exit=0, last_tb=<optimised out>, cpu=0x38011) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:370
#9 0x00005555555e5e41 in cpu_exec (cpu=cpu@entry=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:685
#10 0x0000555555611898 in tcg_cpu_exec (cpu=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1254
#11 0x0000555555611bd4 in qemu_tcg_rr_cpu_thread_fn (arg=<optimised out>) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1350
#12 0x00007fffdf6606ba in start_thread (arg=0x7fffcca12700) at pthread_create.c:333
#13 0x00007fffdf39682d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Continuing.
Thread 3 "qemu-system-xte" hit Breakpoint 2, cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
338 qemu_log_mask(LOG_UNIMP, "Attempt to resolve CPU state @ 0x%" PRIxPTR
#0 0x00005555555e3712 in cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
#1 0x000055555564cb38 in tlb_fill (cs=cs@entry=0x555556032600, vaddr=vaddr@entry=4308992, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=mmu_idx@entry=1, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/op_helper.c:73
#2 0x000055555562d604 in helper_ret_ldb_cmmu (env=env@entry=0x55555603a890, addr=4308992, oi=<optimised out>, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/softmmu_template.h:127
#3 0x00005555556448df in gen_intermediate_code (retaddr=0, ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:102
#4 0x00005555556448df in gen_intermediate_code (ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:114
#5 0x00005555556448df in gen_intermediate_code (dc=0x7fffcca0f4d0, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:1052
#6 0x00005555556448df in gen_intermediate_code (env=0x55555603a890, tb=0x7fffccd0b1b0) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:3214
#7 0x00005555555e383b in tb_gen_code (cpu=cpu@entry=0x555556032600, pc=pc@entry=4308991, cs_base=cs_base@entry=0, flags=flags@entry=229393, cflags=<optimised out>, cflags@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:1288
#8 0x00005555555e5e41 in cpu_exec (tb_exit=0, last_tb=<optimised out>, cpu=0x38011) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:370
#9 0x00005555555e5e41 in cpu_exec (cpu=cpu@entry=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:685
#10 0x0000555555611898 in tcg_cpu_exec (cpu=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1254
#11 0x0000555555611bd4 in qemu_tcg_rr_cpu_thread_fn (arg=<optimised out>) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1350
#12 0x00007fffdf6606ba in start_thread (arg=0x7fffcca12700) at pthread_create.c:333
#13 0x00007fffdf39682d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
> Is this in fact linux-user, not softmmu, as you imply from tlb_fill?
> Because handle_cpu_signal will in fact pass a genuine non-zero retaddr
> for the SIGSEGV resulting from a cpu_ld*_code from a non-mapped
> address.
I think that is another call chain that might trip us up. Peter
mentioned he'd hit it. This one is definitely softmmu.
> So... for linux-user I think the qemu_log is unnecessary -- that's
> just the way things are. For softmmu, I don't know what to think
> except that we shouldn't have gotten here.
I kinda agree but all SoftMMU targets have this potential path. Having
saif that I haven't seen it hit ARM, maybe because we take care not to
cross a page boundary?
I agree it would be better to handle fetching code bytes without this
potential for breakage but that would be a much bigger change and need
more testing this close to rc0.
>
>
> r~
--
Alex Bennée
next prev parent reply other threads:[~2017-03-03 10:03 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-02 19:53 [Qemu-devel] [PATCH v2 00/11] MTTCG fixups for 2.9 Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 01/11] vl/cpus: be smarter with icount and MTTCG Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 02/11] target/i386/cpu.h: declare TCG_GUEST_DEFAULT_MO Alex Bennée
2017-03-03 19:28 ` Eduardo Habkost
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 03/11] cpus.c: add additional error_report when !TARGET_SUPPORT_MTTCG Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 04/11] translate: downgrade IRQ BQL asserts to tcg_debug_assert Alex Bennée
2017-03-03 10:08 ` Peter Maydell
2017-03-03 11:05 ` Alex Bennée
2017-03-03 11:19 ` Peter Maydell
2017-03-03 19:35 ` Richard Henderson
2017-03-03 19:47 ` Eric Blake
2017-03-03 19:48 ` Eric Blake
2017-03-03 11:49 ` Paolo Bonzini
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 05/11] translate-all: exit cpu_restore_state early if translating Alex Bennée
2017-03-02 21:46 ` Richard Henderson
2017-03-03 10:03 ` Alex Bennée [this message]
2017-03-03 19:50 ` Richard Henderson
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 06/11] sparc/sparc64: grab BQL before calling cpu_check_irqs Alex Bennée
2017-03-03 11:47 ` Paolo Bonzini
2017-03-06 10:28 ` Alex Bennée
2017-03-06 13:22 ` Paolo Bonzini
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 07/11] s390x/misc_helper.c: wrap IO instructions in BQL Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 08/11] target/xtensa: hold BQL for interrupt processing Alex Bennée
2017-03-07 0:15 ` Max Filippov
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 09/11] target/mips/op_helper: hold BQL before calling cpu_mips_get_count Alex Bennée
2017-03-03 11:18 ` Yongbok Kim
2017-03-03 12:54 ` Alex Bennée
2017-03-03 13:00 ` Yongbok Kim
2017-03-02 19:53 ` [PATCH v2 10/11] target/arm/helper: make it clear the EC field is also in hex Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] " Alex Bennée
2017-03-03 17:07 ` Frederic Konrad
2017-03-03 18:10 ` Peter Maydell
2017-03-03 18:10 ` [Qemu-devel] " Peter Maydell
2017-03-02 19:53 ` [PATCH v2 11/11] hw/intc/arm_gic: modernise the DPRINTF Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] " Alex Bennée
2017-03-03 17:05 ` Frederic Konrad
2017-03-03 17:09 ` Peter Maydell
2017-03-03 18:09 ` Peter Maydell
2017-03-03 18:09 ` [Qemu-devel] " Peter Maydell
2017-03-03 17:38 ` [Qemu-devel] [PATCH v2 00/11] MTTCG fixups for 2.9 Frederic Konrad
2017-03-06 9:43 ` Alex Bennée
2017-03-06 10:45 ` Frederic Konrad
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r32e1xus.fsf@linaro.org \
--to=alex.bennee@linaro.org \
--cc=a.rigo@virtualopensystems.com \
--cc=bobby.prani@gmail.com \
--cc=cota@braap.org \
--cc=crosthwaite.peter@gmail.com \
--cc=fred.konrad@greensocs.com \
--cc=mttcg@greensocs.com \
--cc=nikunj@linux.vnet.ibm.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.