From: Max Filippov <jcmvbkbc@gmail.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Actual TB code doesn't look like what was intended (TCG issue)?
Date: Fri, 24 Jun 2011 06:44:01 +0400 [thread overview]
Message-ID: <201106240644.02325.jcmvbkbc@gmail.com> (raw)
Hello guys.
I'm running qemu on x86_64 host.
It's clean build from git sources dated 2011.05.19, commit 1fddfba129f5435c80eda14e8bc23fdb888c7187
I have the following output from "log trace,op,out_asm":
Trace 0x4000a310 [d0026c92]
OP:
---- 0xd00000c0
movi_i32 tmp1,$0xfffffff4
add_i32 tmp0,ar9,tmp1
qemu_ld32 ar1,tmp0,$0x0
---- 0xd00000c3
movi_i32 tmp1,$0xfffffff0
add_i32 tmp0,ar9,tmp1
qemu_ld32 ar0,tmp0,$0x0
[...snip...]
OUT: [size=664]
0x4000a330: mov 0x2c(%r14),%ebp
0x4000a334: lea -0xc(%rbp),%ebx
0x4000a337: mov %ebx,%esi
0x4000a339: mov %ebx,%edi
0x4000a33b: shr $0x7,%esi
0x4000a33e: and $0xfffff003,%edi
0x4000a344: and $0x1fe0,%esi
0x4000a34a: lea 0x1000(%r14,%rsi,1),%rsi
0x4000a352: cmp (%rsi),%edi
0x4000a354: mov %ebx,%edi
0x4000a356: jne 0x4000a360
0x4000a358: add 0x10(%rsi),%rdi
0x4000a35c: mov (%rdi),%ebp
0x4000a35e: jmp 0x4000a369
0x4000a360: xor %esi,%esi
0x4000a362: callq 0x52edc2
0x4000a367: mov %eax,%ebp
0x4000a369: mov 0x2c(%r14),%ebx
0x4000a36d: lea -0x10(%rbx),%r12d
0x4000a371: mov %ebp,0xc(%r14)
0x4000a375: mov %r12d,%esi
0x4000a378: mov %r12d,%edi
[...snip...]
Execution of this fragment eventually causes SIGSEGV.
In gdb actually generated code for this TB looks like this:
(gdb) x/25i 0x4000a330
0x4000a330: mov 0x2c(%r14),%ebp
0x4000a334: lea -0xc(%rbp),%ebx
0x4000a337: mov %ebx,%esi
0x4000a339: mov %ebx,%edi
0x4000a33b: shr $0x7,%esi
0x4000a33e: and $0xfffff003,%edi
0x4000a344: and $0x1fe0,%esi
0x4000a34a: lea 0x3000(%r14,%rsi,1),%rsi
0x4000a352: cmp (%rsi),%edi
0x4000a354: mov %ebx,%edi
0x4000a356: jne 0x4000a360
0x4000a358: add 0x10(%rsi),%rdi
0x4000a35c: mov (%rdi),%ebp
0x4000a35e: jmp 0x4000a36c
0x4000a360: mov $0x1,%esi
0x4000a365: callq 0x52edc2 <__ldl_mmu>
0x4000a36a: mov %eax,%ebp
0x4000a36c: sub $0x44,%al
=> 0x4000a36e: lea -0x10(%rbx),%esp
0x4000a371: mov %ebp,0xc(%r14)
0x4000a375: mov %r12d,%esi
0x4000a378: mov %r12d,%edi
Please note how the current instruction in gdb differ from what was said in OUT. This lea corrupts stack pointer and the next callq generates segfault.
Could please anyone familiar with TCG take a look at this, or suggest where I should look myself?
Thanks.
-- Max
next reply other threads:[~2011-06-24 2:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-24 2:44 Max Filippov [this message]
2011-06-24 7:46 ` [Qemu-devel] Actual TB code doesn't look like what was intended (TCG issue)? Peter Maydell
2011-06-24 8:34 ` Max Filippov
2011-06-24 9:42 ` Peter Maydell
2011-06-24 10:08 ` Max Filippov
2011-06-24 10:32 ` Peter Maydell
2011-06-24 17:06 ` Max Filippov
2011-06-24 8:14 ` Laurent Desnogues
2011-06-24 8:35 ` Max Filippov
2011-06-24 9:38 ` Laurent Desnogues
2011-06-24 9:48 ` Max Filippov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201106240644.02325.jcmvbkbc@gmail.com \
--to=jcmvbkbc@gmail.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).