From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: James Hogan <james.hogan@imgtec.com>,
	qemu-stable@nongnu.org, Aurelien Jarno <aurelien@aurel32.net>,
	Michael Roth <mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 27/40] tcg/mips: Fix clobbering of qemu_ld inputs
Date: Wed, 21 Oct 2015 12:51:57 -0500	[thread overview]
Message-ID: <1445449930-23525-28-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1445449930-23525-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: James Hogan <james.hogan@imgtec.com>

The MIPS TCG backend implements qemu_ld with 64-bit targets using the v0
register (base) as a temporary to load the upper half of the QEMU TLB
comparator (see line 5 below), however this happens before the input
address is used (line 8 to mask off the low bits for the TLB
comparison, and line 12 to add the host-guest offset). If the input
address (addrl) also happens to have been placed in v0 (as in the second
column below), it gets clobbered before it is used.

     addrl in t2              addrl in v0

 1 srl     a0,t2,0x7        srl     a0,v0,0x7
 2 andi    a0,a0,0x1fe0     andi    a0,a0,0x1fe0
 3 addu    a0,a0,s0         addu    a0,a0,s0
 4 lw      at,9136(a0)      lw      at,9136(a0)      set TCG_TMP0 (at)
 5 lw      v0,9140(a0)      lw      v0,9140(a0)      set base (v0)
 6 li      t9,-4093         li      t9,-4093
 7 lw      a0,9160(a0)      lw      a0,9160(a0)      set addend (a0)
 8 and     t9,t9,t2         and     t9,t9,v0         use addrl
 9 bne     at,t9,0x836d8c8  bne     at,t9,0x836d838  use TCG_TMP0
10  nop                      nop
11 bne     v0,t8,0x836d8c8  bne     v0,a1,0x836d838  use base
12  addu   v0,a0,t2          addu   v0,a0,v0         use addrl, addend
13 lw      t0,0(v0)         lw      t0,0(v0)

Fix by using TCG_TMP0 (at) as the temporary instead of v0 (base),
pushing the load on line 5 forward into the delay slot of the low
comparison (line 10). The early load of the addend on line 7 also needs
pushing even further for 64-bit targets, or it will clobber a0 before
we're done with it. The output for 32-bit targets is unaffected.

 srl     a0,v0,0x7
 andi    a0,a0,0x1fe0
 addu    a0,a0,s0
 lw      at,9136(a0)
-lw      v0,9140(a0)      load high comparator
 li      t9,-4093
-lw      a0,9160(a0)      load addend
 and     t9,t9,v0
 bne     at,t9,0x836d838
- nop
+ lw     at,9140(a0)      load high comparator
+lw      a0,9160(a0)      load addend
-bne     v0,a1,0x836d838
+bne     at,a1,0x836d838
  addu   v0,a0,v0
 lw      t0,0(v0)

Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 5eb4f645eba8a79ea643b228c74a79183d436c97)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tcg/mips/tcg-target.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/tcg/mips/tcg-target.c b/tcg/mips/tcg-target.c
index e97980d..2ccd0e8 100644
--- a/tcg/mips/tcg-target.c
+++ b/tcg/mips/tcg-target.c
@@ -962,30 +962,34 @@ static void tcg_out_tlb_load(TCGContext *s, TCGReg base, TCGReg addrl,
         add_off -= 0x7ff0;
     }
 
-    /* Load the tlb comparator.  */
-    if (TARGET_LONG_BITS == 64) {
-        tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, TCG_REG_A0, cmp_off + LO_OFF);
-        tcg_out_opc_imm(s, OPC_LW, base, TCG_REG_A0, cmp_off + HI_OFF);
-    } else {
-        tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, TCG_REG_A0, cmp_off);
-    }
+    /* Load the (low half) tlb comparator.  */
+    tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, TCG_REG_A0,
+                    cmp_off + (TARGET_LONG_BITS == 64 ? LO_OFF : 0));
 
     /* Mask the page bits, keeping the alignment bits to compare against.
-       In between, load the tlb addend for the fast path.  */
+       In between on 32-bit targets, load the tlb addend for the fast path.  */
     tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1,
                  TARGET_PAGE_MASK | ((1 << s_bits) - 1));
-    tcg_out_opc_imm(s, OPC_LW, TCG_REG_A0, TCG_REG_A0, add_off);
+    if (TARGET_LONG_BITS == 32) {
+        tcg_out_opc_imm(s, OPC_LW, TCG_REG_A0, TCG_REG_A0, add_off);
+    }
     tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrl);
 
     label_ptr[0] = s->code_ptr;
     tcg_out_opc_br(s, OPC_BNE, TCG_TMP1, TCG_TMP0);
 
+    /* Load and test the high half tlb comparator.  */
     if (TARGET_LONG_BITS == 64) {
         /* delay slot */
-        tcg_out_nop(s);
+        tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, TCG_REG_A0, cmp_off + HI_OFF);
+
+        /* Load the tlb addend for the fast path. We can't do it earlier with
+           64-bit targets or we'll clobber a0 before reading the high half tlb
+           comparator.  */
+        tcg_out_opc_imm(s, OPC_LW, TCG_REG_A0, TCG_REG_A0, add_off);
 
         label_ptr[1] = s->code_ptr;
-        tcg_out_opc_br(s, OPC_BNE, addrh, base);
+        tcg_out_opc_br(s, OPC_BNE, addrh, TCG_TMP0);
     }
 
     /* delay slot */
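Review bot: The load `tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, TCG_REG_A0, cmp_off + HI_OFF)` now sits in the delay slot of the low-half BNE, so it executes even when that branch is taken to the slow path at label_ptr[0], and on 64-bit targets the addend load into A0 has moved after the branch, so that slow path now sees A0 still holding the TLB-entry pointer rather than the addend — both are changes from the pre-patch register state at that label. The slow path is outside this hunk, so I cannot confirm from here whether it reads TCG_TMP0 or A0; if it reloads everything it needs (as a helper-call stub normally does) this is fine, but the constraint is worth pinning at the delay-slot comment, e.g. `/* delay slot: runs on both paths; the slow path must not depend on TCG_TMP0 or, on 64-bit targets, on A0 holding the addend. */`. The bug this patch fixes already shows how a stale register on this path turns into a wrong host address at the final `addu base, a0, addrl`, so documenting what is live at each exit keeps a later slow-path change from reintroducing that class of error. tcg_out_tlb_load starts before this hunk and its final addu in the last delay slot is outside it.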
-- 
1.9.1
