Subject: Re: [Qemu-devel] Crash due to invalid env->current_tb
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Wed, 30 Apr 2008 17:28:04 +0200
Message-Id: <1209569284.4312.35.camel@frecb07144>
In-Reply-To: <20080430151132.GB6712@os.inf.tu-dresden.de>
References: <20080429115614.GA15524@os.inf.tu-dresden.de> <20080429184011.GK17356@os.inf.tu-dresden.de> <20080430151132.GB6712@os.inf.tu-dresden.de>

On Wednesday 30 April 2008 at 17:11 +0200, Adam Lackorzynski wrote:
> On Wed Apr 30, 2008 at 11:08:46 +0200, Alexander Graf wrote:
> >
> > On Apr 29, 2008, at 8:40 PM, Adam Lackorzynski wrote:
> >
> >>
> >> On Tue Apr 29, 2008 at 20:09:00 +0300, Blue Swirl wrote:
> >>> On 4/29/08, Adam Lackorzynski wrote:
> >>>> Hi,
> >>>>
> >>>> I've been experiencing crashes of latest svn Qemu, host ia32 and target
> >>>> arm, host gcc is 'gcc version 3.4.6 (Debian 3.4.6-7)'.
> >>>> The segfault happens because of an invalid env->current_tb which seems
> >>>> to be caused by generated code. The following code in cpu_exec
> >>>>
> >>>>     tc_ptr = tb->tc_ptr;
> >>>>     env->current_tb = tb;
> >>>>     gen_func = (void *)tc_ptr;
> >>>>     T0 = gen_func();
> >>>>     env->current_tb = NULL;
> >>>>
> >>>> is being compiled to the following
> >>>>
> >>>>     mov    0x14(%ecx),%eax
> >>>>     mov    %ecx,0x56c(%ebp)
> >>>>     xor    %edi,%edi
> >>>>     call   *%eax
> >>>>     mov    %edi,0x56c(%ebp)
> >>>>
> >>>> After the call edi isn't 0 anymore and gets the bogus value. As edi is
> >>>> callee saved the code itself seems ok.
> >>>> When I add a barrier before "env->current_tb = NULL" the xor is placed
> >>>> after the call and everything works fine. So might the problem be that
> >>>> generated code isn't preserving edi/registers?
> >>>
> >>> Right. How did you make the barrier? My version (attached) just
> >>> crashes, I'm not fluent on i386 assembly. Maybe your version could
> >>> serve as a temporary fix.
> >>
> >> I just added an 'asm volatile("")' to stop reordering of instructions
> >> which of course isn't enough. The following works for me:
> >>
> >> ===================================================================
> >> --- cpu-exec.c (revision 4276)
> >> +++ cpu-exec.c (working copy)
> >> @@ -690,6 +691,11 @@
> >>      fp.ip = tc_ptr;
> >>      fp.gp = code_gen_buffer + 2 * (1 << 20);
> >>      (*(void (*)(void)) &fp)();
> >> +#elif defined(__i386)
> >> +    asm volatile ("call *%1\n"
> >> +                  : "=a" (T0)
> >> +                  : "r" (gen_func)
> >> +                  : "esi", "edi");
> >>  #else
> >>      T0 = gen_func();
> >>  #endif
> >
> > There was a comment from Fabrice on how to do prologues in TCG to save /
> > restore the clobbered values. Btw, ebx gets clobbered as well.
>
> tcg/README says that some registers are clobbered. So something like
> this should be safe:
>
> Index: cpu-exec.c
> ===================================================================
> --- cpu-exec.c (revision 4276)
> +++ cpu-exec.c (working copy)
> @@ -690,6 +691,15 @@
>      fp.ip = tc_ptr;
>      fp.gp = code_gen_buffer + 2 * (1 << 20);
>      (*(void (*)(void)) &fp)();
> +#elif defined(__i386)
> +    asm volatile ("push %%ebp\n"
> +                  "push %%ebx\n"
> +                  "call *%1\n"
> +                  "pop %%ebx\n"
> +                  "pop %%ebp\n"
> +                  : "=a" (T0)
> +                  : "r" (gen_func)
> +                  : "esi", "edi", "ecx", "edx");

Why don't you add ebp and ebx to the clobbered registers list (like
"esi", "edi", "ecx", "edx")?

>  #else
>      T0 = gen_func();
>  #endif
>
>
>
>
> Adam

-- 
------------- Laurent.Vivier@bull.net ---------------
"The best way to predict the future is to invent it."
- Alan Kay
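Review bot: in the first version of the patch (`@@ -690,6 +691,11 @@`) the clobber list `: "esi", "edi"` is incomplete: ebx is clobbered by the generated code as well, as Alexander points out later in the thread, and ecx/edx are caller-saved on i386 and are not preserved across `call *%1` either, so GCC may keep a live value in any of them across the call and the corruption seen with edi just moves to another register. Both versions also lack a "memory" clobber: the `T0 = gen_func();` they replace is an ordinary call, after which the compiler reloads memory, whereas the asm statement lets it keep env fields cached in registers even though the generated code updates CPU state in env (addressed through %ebp in the disassembly above); add "memory" to the clobber list. Minor: `__i386__` is the form GCC always defines on x86 hosts, while `__i386` is absent under -ansi/-std=c99, so `#elif defined(__i386)` should use the double-underscore spelling.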
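Review bot: in the second version (`@@ -690,6 +691,15 @@`) saving %ebp and %ebx with push/pop around `call *%1` is only justified if they cannot be named as clobbers, and the patch does not say which case applies. GCC refuses %ebp in a clobber list when it is the frame pointer, and the disassembly above shows %ebp is the env base register, so if it is reserved for env the generated code must not touch it and the `push %%ebp`/`pop %%ebp` pair is two stack operations per executed block for nothing; ebx, on the other hand, can simply be added to `: "esi", "edi", "ecx", "edx"`, which lets the compiler keep nothing live in it instead of spilling it on every call. State which registers tcg/README actually allows the generated code to clobber and derive the list from that rather than guessing.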