[Qemu-devel] x86 tcg problem

[Vince Weaver <vince@csl.cornell.edu>]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2337 bytes --]

Hello

I've spent a day now trying to figure out why bzip2 compress/decompress 
doesn't work when using sparc32plus-linux-user on x86.

I've tracked the problem to the Zero flag being improperly set (attached 
is a small exe/src that reproduces the problem.. it reports "Greater"
on real hardware, "Less Than" on qemu current).

The issue seems to be a misordering of an x86 sub instruction.  I tried to 
track this down in the tcg code but I quickly got lost.

The code does this for a compare (on sparc the compare turns into a 
subtract with result as the [ignores] zero reg):

  mov_i32 cc_src_0,g4_0                          ;
  mov_i32 cc_src_1,g4_1                          ; load g4  (0xaae60)
  mov_i32 cc_src2_0,g3_0                         ;
  mov_i32 cc_src2_1,g3_1                         ; load g3  (0)
  sub2_i32 cc_dst_0,cc_dst_1,cc_src2_0,cc_src2_1,cc_src_0,cc_src_1
                                                 ; result = 0xaafe0-0
  movi_i32 psr,$0x0                              ; clear psr
  mov_i32 tmp42,cc_dst_0                         ; get cc_dst_0
  movi_i32 tmp43,$0x0                            ;
  movi_i32 tmp44,$0x0                            ;
  movi_i32 tmp45,$0x0                            ; zero extends
  brcond2_i32 tmp42,tmp43,tmp44,tmp45,$0x1,$0x0  ; if not zero, skip
  movi_i32 tmp19,$0x400000                       ; else set zero flag



which converts into x86:
  0xb80da04d:  sub    %ecx,%eax          ; %ecx = g4-g3
  0xb80da04f:  sbb    %ebx,%edx
  0xb80da051:  mov    %eax,0x6c(%ebp)    ; saving g3, not the result (ecx)!
  0xb80da054:  mov    %edx,0x70(%ebp)	;
  0xb80da057:  xor    %edx,%edx
  0xb80da059:  xor    %ecx,%ecx		; clearing our result for use as psr
 					; result is lost!
 					; the later test for zero is done
 					; against g3 instead, which
 					; sets the zero flag when it
  ...					; shouldn't
  0xb80da06f:  test   %eax,%eax
  0xb80da071:  jne    0xb80da091		; skip if not zero
  ..
  0xb80da07f:  mov    0x8c(%ebp),%eax	; load psr
  0xb80da085:  or     $0x400000,%eax	; set zero flag


So unless there's some weird AT&T/intel ordering thing that is confusing 
me (please let me know if I am missing something), TCG is getting confused 
about which argument of the subtract is the result.  I'm not sure how to 
fix this though...

Thanks for any help

Vince

[-- Attachment #2: Type: TEXT/PLAIN, Size: 1471 bytes --]

!     + Syscalls have number in %g1, options in %o0,%o1,...
!	Result returned in %o0
!	Linux syscall is called by "ta 0x10"

.equ SYSCALL_EXIT,1	
.equ SYSCALL_WRITE,4

.equ STDOUT,1

	.globl _start
_start:
       set	data_region,%i0
       set	0xae60,%g4
       ld	[ %i0 + 0x4 ], %g3
       inc	%g3
       
       cmp	%g4,%g3
       ble	less_equal
       nop
       ba	greater
       nop
       
less_equal:
       set	lessequal_string,%o1
       ba	write_stdout
       nop

greater:
       set	greater_string,%o1
       
	#================================
	# WRITE_STDOUT
	#================================
	# %o1 has string

write_stdout:

	set	SYSCALL_WRITE,%g1	! Write syscall in %g1
	set	STDOUT,%o0		! 1 in %o0 (stdout)
	set	0,%o2			! 0 (count) in %o2

str_loop1:
	ldub	[%o1+%o2],%l0		! load byte
	cmp	%l0,%g0			! compare against zero
	bnz	str_loop1		! if not nul, repeat
	# BRANCH DELAY SLOT
	inc	%o2			! increment count

	dec	%o2			! correct count	
	ta	0x10			! run the syscall

exit:		
        mov	0,%o0			! exit value
        mov	SYSCALL_EXIT,%g1        ! put the exit syscall number in g1
        ta      0x10			! and exit




!===========================================================================
.data
!===========================================================================

data_region:		.int -1,-1
greater_string:		.ascii  "Greater\n\0"
lessequal_string:	.ascii  "Less Equal\n\0"

[-- Attachment #3: Type: APPLICATION/octet-stream, Size: 985 bytes --]