Date: Tue, 29 Apr 2008 20:40:11 +0200
From: Adam Lackorzynski
Subject: Re: [Qemu-devel] Crash due to invalid env->current_tb
Message-ID: <20080429184011.GK17356@os.inf.tu-dresden.de>
References: <20080429115614.GA15524@os.inf.tu-dresden.de>
To: qemu-devel@nongnu.org

On Tue Apr 29, 2008 at 20:09:00 +0300, Blue Swirl wrote:
> On 4/29/08, Adam Lackorzynski wrote:
> > Hi,
> >
> > I've been experiencing crashes of latest svn Qemu, host ia32 and target
> > arm, host gcc is 'gcc version 3.4.6 (Debian 3.4.6-7)'.
> > The segfault happens because of an invalid env->current_tb which seems
> > to be caused by generated code. The following code in cpu_exec
> >
> >     tc_ptr = tb->tc_ptr;
> >     env->current_tb = tb;
> >     gen_func = (void *)tc_ptr;
> >     T0 = gen_func();
> >     env->current_tb = NULL;
> >
> > is being compiled to the following
> >
> >     mov    0x14(%ecx),%eax
> >     mov    %ecx,0x56c(%ebp)
> >     xor    %edi,%edi
> >     call   *%eax
> >     mov    %edi,0x56c(%ebp)
> >
> > After the call edi isn't 0 anymore and gets the bogus value. As edi is
> > callee saved the code itself seems ok.
> > When I add a barrier before "env->current_tb = NULL" the xor is placed
> > after the call and everything works fine. So might the problem be that
> > generated code isn't preserving edi/registers?
>
> Right. How did you make the barrier? My version (attached) just
> crashes, I'm not fluent on i386 assembly. Maybe your version could
> serve as a temporary fix.

I just added an 'asm volatile("")' to stop reordering of instructions
which of course isn't enough. The following works for me:

===================================================================
--- cpu-exec.c  (revision 4276)
+++ cpu-exec.c  (working copy)
@@ -690,6 +691,11 @@ fp.ip = tc_ptr; fp.gp = code_gen_buffer + 2 * (1 << 20); (*(void (*)(void)) &fp)(); +#elif defined(__i386) + asm volatile ("call *%1\n" + : "=a" (T0) + : "r" (gen_func) + : "esi", "edi"); #else T0 = gen_func(); #endif Adam -- Adam adam@os.inf.tu-dresden.de Lackorzynski http://os.inf.tu-dresden.de/~adam/
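Review bot: the clobber list on the new `asm volatile ("call *%1\n" ...)` in the `#elif defined(__i386)` branch is too short for an instruction that transfers control to arbitrary generated code. Only esi and edi are named (eax is covered by the `"=a" (T0)` output), so the compiler is free to keep live values in the caller-saved ecx and edx across the call, and, with no `"memory"` clobber, to cache loads and stores across it; the disassembly quoted earlier in this thread shows tb held in %ecx and env addressed through %ebp around exactly this call site. Suggest widening the third operand list to at least `: "ecx", "edx", "esi", "edi", "memory"`. A comment stating why ebx is deliberately left out would also help, since the motivating bug is generated code failing to preserve a callee-saved register (edi), and a reader of this branch cannot tell from the visible lines which of the remaining callee-saved registers the generated code is trusted to keep intact.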