From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <rth@twiddle.net>,
Christian Borntraeger <borntraeger@de.ibm.com>
Subject: [Qemu-devel] TCG problem with cpu_{st,ld}x_data ?
Date: Sun, 24 Jul 2016 22:42:21 +1000 [thread overview]
Message-ID: <1469364141.8568.251.camel@kernel.crashing.org> (raw)
Hi !
I need help from TCG experts here. I was chasing down a bug causing
some stuff to crash when using vector ops with a ppc32 guest on x86,
but pulling that string led to a whole mess that *may* be affecting a
pile of architetures unless I'm misunderstanding something...
So basically what happens is that some instruction emulation helpers,
like in my case stvebx (target-ppc/mem_helper.c) are doing calls to
cpu_{st,ld}x_data. Let's say cpu_stb_data() for the sake of the
argument.
That is equivalent to calling cpu_stb_data_ra() with a "0" retaddr.
However, if that faults, when tlb_fill() gets eventually called, what I
observe is not 0 in "retaddr" but ... -2.
The reason, as far as I understand, is that cpu_stb_data_ra() calls
helper_ret_stb_mmu() which does:
retaddr -= GETPC_ADJ;
(which is -2)
Now a whole pile of tlb_fill() implementations (in fact all of them one
way or another) do:
if (likely(retaddr)) {
/* now we have a real cpu fault */
cpu_restore_state(cs, retaddr);
}
So that test is missed. The result that I obseve is that the fault gets
reported for the wrong instruction (the wrong PC).
Now I did try changing the above test out of curiosity to also check
against -2, but the end result still mis-reported the fault. So
something's going deeper than that I figured out so far...
What *did* work was to copy what x86 does, which is to change my
helper_stvebx() to not use cpu_stb_data at all, but instead use
cpu_stb_data_ra(...., GETPC()), which mimmics what x86 does for some of
it's helpers.
That fixed the specific problem I was chasing.
However, there are a ton of other helpers, in powerpc, s390 and other
archs, doing that cpu_stb_data() the same way we do, so I really wonder
what's going on here.
Some advice would be very much appreciated ;-)
Cheers,
Ben.
next reply other threads:[~2016-07-24 12:42 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-24 12:42 Benjamin Herrenschmidt [this message]
2016-07-24 12:51 ` [Qemu-devel] TCG problem with cpu_{st,ld}x_data ? Benjamin Herrenschmidt
2016-07-24 12:52 ` Benjamin Herrenschmidt
2016-07-25 0:36 ` Richard Henderson
2016-07-25 0:46 ` Benjamin Herrenschmidt
2016-07-25 0:51 ` Benjamin Herrenschmidt
2016-07-25 14:00 ` Richard Henderson
2016-07-25 21:42 ` Benjamin Herrenschmidt
2016-07-25 22:19 ` Peter Maydell
2016-07-25 22:42 ` Benjamin Herrenschmidt
2016-07-25 23:22 ` Benjamin Herrenschmidt
2016-07-25 0:34 ` Richard Henderson
2016-07-25 5:15 ` Benjamin Herrenschmidt
2016-07-25 14:12 ` Richard Henderson
2016-07-25 21:46 ` Benjamin Herrenschmidt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1469364141.8568.251.camel@kernel.crashing.org \
--to=benh@kernel.crashing.org \
--cc=borntraeger@de.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).