From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1Nndib-0007gX-EF for qemu-devel@nongnu.org; Fri, 05 Mar 2010 15:01:53 -0500
Received: from [199.232.76.173] (port=55073 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Nndib-0007gG-4P for qemu-devel@nongnu.org; Fri, 05 Mar 2010 15:01:53 -0500
Received: from Debian-exim by monty-python.gnu.org with spam-scanned (Exim 4.60) (envelope-from ) id 1NndiZ-0004j3-PV for qemu-devel@nongnu.org; Fri, 05 Mar 2010 15:01:52 -0500
Received: from hall.aurel32.net ([88.191.82.174]:37245) by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1NndiY-0004ia-NM for qemu-devel@nongnu.org; Fri, 05 Mar 2010 15:01:50 -0500
From: Aurelien Jarno
Date: Fri, 5 Mar 2010 21:01:23 +0100
Message-Id: <1267819283-731-1-git-send-email-aurelien@aurel32.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [Qemu-devel] [PATCH] tcg/arm: correctly save/restore registers in prologue/epilogue
List-Id: qemu-devel.nongnu.org
To: qemu-devel@nongnu.org
Cc: Andrzej Zaborowski, Aurelien Jarno

Since commit 6113d6d3169393c323ac4c82d756a850145a5e7a QEMU crashes on ARM hosts. This is not a bug of this commit, but a latent bug revealed by this commit.

The TCG code is called through a procedure call using the prologue and epilogue code. This code does not save and restore enough registers. The "Procedure Call Standard for the ARM Architecture" says:

  A subroutine must preserve the contents of the registers r4-r8, r10, r11 and SP (and r9 in PCS variants that designate r9 as v6).

The current code only saves and restores r9 to r11, and misses r4 to r8. The patch fixes that by saving r4 to r12. Theoretically there is no need to save and restore r12, but an even number of registers have to be saved as per EABI.
Signed-off-by: Aurelien Jarno --- tcg/arm/tcg-target.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 0ff8f99..756f971 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1660,12 +1660,15 @@ static inline void tcg_out_movi(TCGContext *s, TCGType type, void tcg_target_qemu_prologue(TCGContext *s) { - /* stmdb sp!, { r9 - r11, lr } */ - tcg_out32(s, (COND_AL << 28) | 0x092d4e00); + /* Theoretically there is no need to save r12, but an + even number of registers to be saved as per EABI */ + + /* stmdb sp!, { r4 - r12, lr } */ + tcg_out32(s, (COND_AL << 28) | 0x092d5ff0); tcg_out_bx(s, COND_AL, TCG_REG_R0); tb_ret_addr = s->code_ptr; - /* ldmia sp!, { r9 - r11, pc } */ - tcg_out32(s, (COND_AL << 28) | 0x08bd8e00); + /* ldmia sp!, { r4 - r12, pc } */ + tcg_out32(s, (COND_AL << 28) | 0x08bd9ff0); } -- 1.7.0
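Review bot: The new comment in tcg_target_qemu_prologue ("but an even number of registers to be saved as per EABI") is missing a verb and does not name the constraint it is appealing to; since this comment is the only place that explains why r12 (ip, a caller-saved scratch register) is in the save set, suggest "/* r12 need not be preserved, but the AAPCS requires sp to stay 8-byte aligned across calls, so an even number of registers is pushed */". The encodings themselves check out: 0x092d5ff0 is stmdb sp!, { r4 - r12, lr } (register-list mask 0x5ff0 = bits 4-12 and 14) and 0x08bd9ff0 is ldmia sp!, { r4 - r12, pc } (mask 0x9ff0 = bits 4-12 and 15), so the pushed and popped sets match with lr replaced by pc, and the list now covers r4-r8, r10, r11 and also r9, so the "r9 as v6" PCS variant from the commit message needs no further action. One style point: the same register mask appears as a bare hex literal in both the stmdb and ldmia lines, so deriving both from one shared constant (or from a helper that builds the list from register bits) would keep the comment and the encoding from drifting apart in future edits.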
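As an added check that is not part of the patch or of QEMU, the following Python decodes the A32 LDM/STM encodings used above and verifies the properties the commit message argues for: that the pushed and popped register lists match (lr on entry, pc on exit), that every AAPCS callee-saved register is in the set, and that the register count is even so sp keeps the 8-byte alignment the AAPCS requires at call boundaries. It assumes COND_AL is 0xE (the ARM "always" condition) and that the constants are OR'd with (COND_AL << 28) exactly as the patch does.

```python
# Decoder for ARM A32 LDM/STM ("block data transfer") encodings, written to
# check the register-list constants in the tcg/arm prologue/epilogue patch.
# Assumption: QEMU's COND_AL is 0xE, the ARM "always" condition code.

COND_AL = 0xE

# Callee-saved registers per the AAPCS text quoted in the commit message:
# r4-r8, r10, r11. r9 is callee-saved only in PCS variants that make it v6.
AAPCS_CALLEE_SAVED = {4, 5, 6, 7, 8, 10, 11}

REG_NAMES = {13: "sp", 14: "lr", 15: "pc"}


def reg_name(r):
    return REG_NAMES.get(r, "r%d" % r)


def decode_ldm_stm(insn):
    """Decode one 32-bit A32 LDM/STM encoding into its fields.

    Layout: cond[31:28] 1 0 0 P U S W L Rn[19:16] register_list[15:0].
    P/U select the addressing mode (DB/IB/DA/IA), W is writeback, L is load.
    """
    if (insn >> 25) & 0x7 != 0b100:
        raise ValueError("0x%08x is not an LDM/STM encoding" % insn)
    p = (insn >> 24) & 1
    u = (insn >> 23) & 1
    s = (insn >> 22) & 1
    w = (insn >> 21) & 1
    load = (insn >> 20) & 1
    mode = {(1, 0): "db", (1, 1): "ib", (0, 0): "da", (0, 1): "ia"}[(p, u)]
    return {
        "cond": insn >> 28,
        "mnemonic": ("ldm" if load else "stm") + mode,
        "rn": (insn >> 16) & 0xF,
        "writeback": bool(w),
        "user_regs": bool(s),
        "regs": [r for r in range(16) if (insn >> r) & 1],
    }


def format_reglist(regs):
    """Render a register list the way the patch comments do: { r4 - r12, lr }."""
    parts = []
    i = 0
    while i < len(regs):
        j = i
        while j + 1 < len(regs) and regs[j + 1] == regs[j] + 1:
            j += 1
        if j - i >= 2:  # collapse runs of three or more registers
            parts.append("%s - %s" % (reg_name(regs[i]), reg_name(regs[j])))
        else:
            parts.extend(reg_name(r) for r in regs[i:j + 1])
        i = j + 1
    return "{ " + ", ".join(parts) + " }"


def disassemble(insn):
    d = decode_ldm_stm(insn)
    base = reg_name(d["rn"]) + ("!" if d["writeback"] else "")
    return "%s %s, %s" % (d["mnemonic"], base, format_reglist(d["regs"]))


def check_prologue_epilogue(push, pop, r9_callee_saved=False):
    """Return the problems with a stmdb/ldmia call-frame pair; empty list if it is sound."""
    a, b = decode_ldm_stm(push), decode_ldm_stm(pop)
    problems = []
    if a["mnemonic"] != "stmdb" or a["rn"] != 13 or not a["writeback"]:
        problems.append("prologue is not 'stmdb sp!'")
    if b["mnemonic"] != "ldmia" or b["rn"] != 13 or not b["writeback"]:
        problems.append("epilogue is not 'ldmia sp!'")
    saved, restored = set(a["regs"]), set(b["regs"])
    if 14 not in saved or 15 not in restored:
        problems.append("prologue must push lr and epilogue must pop pc")
    if saved - {14} != restored - {15}:
        problems.append("prologue and epilogue register lists differ")
    required = AAPCS_CALLEE_SAVED | ({9} if r9_callee_saved else set())
    missing = sorted(required - saved)
    if missing:
        problems.append("callee-saved registers not preserved: "
                        + ", ".join(reg_name(r) for r in missing))
    if len(a["regs"]) % 2:
        problems.append("odd register count leaves sp misaligned "
                        "(AAPCS requires 8-byte sp alignment at call boundaries)")
    return problems


if __name__ == "__main__":
    old = ((COND_AL << 28) | 0x092d4e00, (COND_AL << 28) | 0x08bd8e00)
    new = ((COND_AL << 28) | 0x092d5ff0, (COND_AL << 28) | 0x08bd9ff0)
    for label, pair in (("before", old), ("after", new)):
        print(label, "|", disassemble(pair[0]), "|", disassemble(pair[1]))
        print("  problems:", check_prologue_epilogue(*pair) or "none")
```

Run stand-alone it prints both pairs and reports that the pre-patch pair fails to preserve r4 through r8 while the post-patch pair has no problems; the same checker can be pointed at any other TCG backend's push/pop constants to catch a drifted register mask before it becomes a crash on the host.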