* [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
From: Max Filippov @ 2013-07-11 2:35 UTC
To: Peter Maydell, Richard Henderson, qemu-devel
Hi Peter,
I suddenly found qemu built with debug enabled aborting with an assertion on one of xtensa tests:
qemu-system-xtensa -M sim -cpu dc232b -nographic -semihosting -kernel ./test_sr.tst
QEMU 1.4.50 monitor - type 'help' for more information
(qemu) QEMU 1.4.50 monitor - type 'help' for more information
(qemu) qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
This happens in the mainline as well, bisection points to the following commit:
commit 378df4b23753a11be650af7664ca76bc75cb9f01
Author: Peter Maydell <peter.maydell@linaro.org>
Date: Fri Feb 22 18:10:03 2013 +0000
Handle CPU interrupts by inline checking of a flag
I have the following traces when it happens, any idea of what could go wrong?
OP:
ld_i32 loc0,env,$0xffffffffffffffc8
movi_i32 tmp1,$0x0
brcond_i32 loc0,tmp1,ne,$0x0
---- 0xd0000fde
---- 0xd0000fe0
movi_i32 tmp1,$0xd0000fe0
movi_i32 tmp2,$0x1
movi_i32 tmp3,$0x2
movi_i64 tmp4,$advance_ccount
call tmp4,$0x0,$0,env,tmp3
movi_i64 tmp4,$window_check
call tmp4,$0x0,$0,env,tmp1,tmp2
movi_i32 ar4,$0x0
---- 0xd0000fe2
movi_i32 tmp1,$0xd00003f0
qemu_ld32 ar2,tmp1,$0x0
---- 0xd0000fe5
movi_i32 tmp1,$0xd0000470
qemu_ld32 ar3,tmp1,$0x0
---- 0xd0000fe8
mov_i32 tmp1,ar2
qemu_st32 ar3,tmp1,$0x0
---- 0xd0000fea
movi_i32 tmp1,$0xd0000fea
movi_i32 tmp2,$0x0
movi_i32 tmp3,$0x4
movi_i64 tmp4,$advance_ccount
call tmp4,$0x0,$0,env,tmp3
movi_i64 tmp4,$exception_cause
call tmp4,$0x0,$0,env,tmp1,tmp2
mov_i32 env,ar4
set_label $0x0
exit_tb $0x7fffed6373b3
qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffed633700 (LWP 29011)]
0x00007ffff545bc55 in raise () from /lib64/libc.so.6
...
(gdb) bt
#0 temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at tcg/tcg.c:1673
#1 0x0000555555730fd6 in save_globals (s=0x55555624a2a0 <tcg_ctx>, allocated_regs=16400) at tcg/tcg.c:1688
#2 0x00005555557311b9 in tcg_reg_alloc_bb_end (s=0x55555624a2a0 <tcg_ctx>, allocated_regs=16400) at tcg/tcg.c:1731
#3 0x0000555555732e5d in tcg_gen_code_common (s=0x55555624a2a0 <tcg_ctx>, gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200", search_pc=-1) at tcg/tcg.c:2300
#4 0x0000555555733029 in tcg_gen_code (s=0x55555624a2a0 <tcg_ctx>, gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200") at tcg/tcg.c:2356
#5 0x0000555555733d3d in cpu_xtensa_gen_code (env=0x5555562b43c0, tb=0x7fffed6373b0, gen_code_size_ptr=0x7fffed632a70) at translate-all.c:175
#6 0x00005555557351cf in tb_gen_code (env=0x5555562b43c0, pc=3489664990, cs_base=0, flags=0, cflags=0) at translate-all.c:958
#7 0x00005555556c8216 in tb_find_slow (env=0x5555562b43c0, pc=3489664990, cs_base=0, flags=0) at cpu-exec.c:141
#8 0x00005555556c839d in tb_find_fast (env=0x5555562b43c0) at cpu-exec.c:168
#9 0x00005555556c8722 in cpu_xtensa_exec (env=0x5555562b43c0) at cpu-exec.c:583
#10 0x00005555556cb719 in tcg_cpu_exec (env=0x5555562b43c0) at cpus.c:1117
#11 0x00005555556cb850 in tcg_exec_all () at cpus.c:1150
#12 0x00005555556cab40 in qemu_tcg_cpu_thread_fn (arg=0x5555562b42b0) at cpus.c:843
#13 0x00007ffff64d0d15 in start_thread () from /lib64/libpthread.so.0
#14 0x00007ffff551853d in clone () from /lib64/libc.so.6
(gdb) f 4
#4 0x0000555555730f85 in temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at tcg/tcg.c:1673
1673 assert(s->temps[temp].val_type == TEMP_VAL_MEM || s->temps[temp].fixed_reg);
(gdb) p s->temps[temp]
$2 = {
base_type = TCG_TYPE_I32,
type = TCG_TYPE_I32,
val_type = 1,
reg = 5,
val = 0,
mem_reg = 14,
mem_offset = 24,
fixed_reg = 0,
mem_coherent = 1,
mem_allocated = 1,
temp_local = 0,
temp_allocated = 0,
next_free_temp = 0,
name = 0x5555557826e0 "ar4"
}
--
Thanks.
-- Max
* Re: [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
From: Max Filippov @ 2013-07-11 4:01 UTC
To: Peter Maydell, Richard Henderson, qemu-devel, Aurelien Jarno
On Thu, Jul 11, 2013 at 6:35 AM, Max Filippov <jcmvbkbc@gmail.com> wrote:
> Hi Peter,
>
> I suddenly found qemu built with debug enabled aborting with an assertion on one of xtensa tests:
>
> qemu-system-xtensa -M sim -cpu dc232b -nographic -semihosting -kernel ./test_sr.tst
> QEMU 1.4.50 monitor - type 'help' for more information
> (qemu) QEMU 1.4.50 monitor - type 'help' for more information
> (qemu) qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
Déjà vu:
commit e5138db510efb61523be92c225d8c65eb985fff0
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Sat Nov 24 11:53:55 2012 +0100
tcg: mark local temps as MEM in dead_temp()
In dead_temp, local temps should always be marked as back to memory,
even if they have not been allocated (i.e. they are discarded before
crossing a basic block).
It fixes the following assertion in target-xtensa:
qemu-system-xtensa: tcg/tcg.c:1665: temp_save: Assertion
`s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
Aborted
--
Thanks.
-- Max
* Re: [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
From: Aurelien Jarno @ 2013-07-28 23:01 UTC
To: Max Filippov; +Cc: Peter Maydell, qemu-devel, Richard Henderson
On Thu, Jul 11, 2013 at 08:01:19AM +0400, Max Filippov wrote:
> On Thu, Jul 11, 2013 at 6:35 AM, Max Filippov <jcmvbkbc@gmail.com> wrote:
> > Hi Peter,
> >
> > I suddenly found qemu built with debug enabled aborting with an assertion on one of xtensa tests:
> >
> > qemu-system-xtensa -M sim -cpu dc232b -nographic -semihosting -kernel ./test_sr.tst
> > QEMU 1.4.50 monitor - type 'help' for more information
> > (qemu) QEMU 1.4.50 monitor - type 'help' for more information
> > (qemu) qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
>
> Déjà vu:
>
> commit e5138db510efb61523be92c225d8c65eb985fff0
> Author: Aurelien Jarno <aurelien@aurel32.net>
> Date: Sat Nov 24 11:53:55 2012 +0100
>
> tcg: mark local temps as MEM in dead_temp()
>
> In dead_temp, local temps should always be marked as back to memory,
> even if they have not been allocated (i.e. they are discarded before
> crossing a basic block).
>
> It fixes the following assertion in target-xtensa:
>
> qemu-system-xtensa: tcg/tcg.c:1665: temp_save: Assertion
> `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
> Aborted
>
> > This happens in the mainline as well, bisection points to the following commit:
> >
> > commit 378df4b23753a11be650af7664ca76bc75cb9f01
> > Author: Peter Maydell <peter.maydell@linaro.org>
> > Date: Fri Feb 22 18:10:03 2013 +0000
> >
> > Handle CPU interrupts by inline checking of a flag
> >
> >
> > I have the following traces when it happens, any idea of what could go wrong?
> >
> > OP:
> > ld_i32 loc0,env,$0xffffffffffffffc8
> > movi_i32 tmp1,$0x0
> > brcond_i32 loc0,tmp1,ne,$0x0
> > ---- 0xd0000fde
> >
> > ---- 0xd0000fe0
> > movi_i32 tmp1,$0xd0000fe0
> > movi_i32 tmp2,$0x1
> > movi_i32 tmp3,$0x2
> > movi_i64 tmp4,$advance_ccount
> > call tmp4,$0x0,$0,env,tmp3
> > movi_i64 tmp4,$window_check
> > call tmp4,$0x0,$0,env,tmp1,tmp2
> > movi_i32 ar4,$0x0
> >
> > ---- 0xd0000fe2
> > movi_i32 tmp1,$0xd00003f0
> > qemu_ld32 ar2,tmp1,$0x0
> >
> > ---- 0xd0000fe5
> > movi_i32 tmp1,$0xd0000470
> > qemu_ld32 ar3,tmp1,$0x0
> >
> > ---- 0xd0000fe8
> > mov_i32 tmp1,ar2
> > qemu_st32 ar3,tmp1,$0x0
> >
> > ---- 0xd0000fea
> > movi_i32 tmp1,$0xd0000fea
> > movi_i32 tmp2,$0x0
> > movi_i32 tmp3,$0x4
> > movi_i64 tmp4,$advance_ccount
> > call tmp4,$0x0,$0,env,tmp3
> > movi_i64 tmp4,$exception_cause
> > call tmp4,$0x0,$0,env,tmp1,tmp2
> > mov_i32 env,ar4
I think it might be a bug in the current TCG code not handling the case
of writing to a fixed register TCG temp as it is a quite uncommon case.
I will try to look at the code, but it would be easier if you can
provide a way to reproduce the issue.
On the other hand, is it correct to override the value of the env
pointer, with a value from a CPU register? This doesn't smell good and
looks like it can be a security issue.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
* Re: [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
From: Max Filippov @ 2013-07-28 23:14 UTC
To: Aurelien Jarno; +Cc: Peter Maydell, qemu-devel, Richard Henderson
On Mon, Jul 29, 2013 at 3:01 AM, Aurelien Jarno <aurelien@aurel32.net> wrote:
>
> I think it might be a bug in the current TCG code not handling the case
> of writing to a fixed register TCG temp as it is a quite uncommon case.
> I will try to look at the code, but it would be easier if you can
> provide a way to reproduce the issue.
>
> On the other hand, is it correct to override the value of the env
> pointer, with a value from a CPU register? This doesn't smell good and
> looks like it can be a security issue.
Aurelien,
thanks for your reply. I've also noticed that strange 'mov_i32 env,ar4' and
dug into it a bit: this was caused by an opcode referencing an unimplemented SR.
I've posted a fix (http://marc.info/?l=qemu-devel&m=137440837125020&w=2).
This fix also fixed that abort. The 'mov_i32 env,ar4' instruction is unreachable
because an invalid opcode exception is raised just above it.
--
Thanks.
-- Max
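Added editorial example, not code from QEMU and not the fix Max links above. It models the failure mode the thread ends on: a translator keeps its special-register (SR) TCG globals in a sparse, zero-initialized table, the env pointer is the first global allocated (temp index 0), so a guest instruction naming an unimplemented SR number resolves to temp 0 and the translator emits a write to env, which is the shape of the 'mov_i32 env,ar4' op in the trace. That the real target-xtensa table and allocation order behave exactly this way is my assumption; every name in the block (temp_alloc, gen_wsr_unchecked, gen_wsr_checked, the two sample SR numbers) is hypothetical. The hardened variant checks that the SR is implemented before emitting any op and raises an illegal-instruction exception otherwise, which is also why the unreachable env write disappears once the opcode is rejected.

```c
/* Added example, not QEMU code.  Models how a zero-initialized table of
 * TCG global handles lets a guest-chosen SR number alias temp 0 (env),
 * and how a translator should reject unimplemented SRs instead.
 * All names and SR numbers here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NUM_SR    256   /* the SR field of the instruction is 8 bits wide */
#define MAX_TEMPS 64

/* A TCG-like global temp is just an index into a temp table. */
typedef int TCGv;

static const char *temp_name[MAX_TEMPS];
static int ntemps;

static TCGv cpu_env;                  /* allocated first -> index 0 */
static TCGv cpu_SR[NUM_SR];           /* zero-initialized: unimplemented SRs stay 0 */
static int  sr_implemented[NUM_SR];   /* explicit validity bitmap used by the checked path */

static TCGv temp_alloc(const char *name) {
    temp_name[ntemps] = name;
    return ntemps++;
}

/* An emitted "op": a move into a global, or an illegal-instruction trap. */
typedef struct {
    enum { OP_MOV, OP_EXCEPTION } kind;
    TCGv dst;                         /* target temp for OP_MOV, -1 otherwise */
} Op;

/* Hypothetical core with only two SRs implemented (numbers chosen for the example). */
static void translate_init(void) {
    static const struct { int sr; const char *name; } regs[] = {
        {3, "SAR"}, {232, "CCOUNT"}
    };
    ntemps = 0;
    memset(cpu_SR, 0, sizeof cpu_SR);
    memset(sr_implemented, 0, sizeof sr_implemented);
    cpu_env = temp_alloc("env");      /* first global: index 0 */
    for (size_t i = 0; i < sizeof regs / sizeof regs[0]; ++i) {
        cpu_SR[regs[i].sr] = temp_alloc(regs[i].name);
        sr_implemented[regs[i].sr] = 1;
    }
}

/* Buggy translator: trusts the guest-supplied SR number.  For an
 * unimplemented SR, cpu_SR[sr] is 0, i.e. the env temp itself. */
static Op gen_wsr_unchecked(int sr) {
    Op op = { OP_MOV, cpu_SR[sr & (NUM_SR - 1)] };
    return op;
}

/* Hardened translator: verify the SR exists before emitting any write;
 * otherwise emit the exception and nothing else (the write is unreachable). */
static Op gen_wsr_checked(int sr) {
    Op op;
    if (sr < 0 || sr >= NUM_SR || !sr_implemented[sr]) {
        op.kind = OP_EXCEPTION;
        op.dst = -1;
        return op;
    }
    op.kind = OP_MOV;
    op.dst = cpu_SR[sr];
    return op;
}

static const char *op_target_name(Op op) {
    return op.kind == OP_MOV ? temp_name[op.dst] : "(illegal instruction)";
}

int main(void) {
    translate_init();
    printf("wsr SR#3    unchecked -> %s\n", op_target_name(gen_wsr_unchecked(3)));
    printf("wsr SR#200  unchecked -> %s\n", op_target_name(gen_wsr_unchecked(200)));
    printf("wsr SR#200  checked   -> %s\n", op_target_name(gen_wsr_checked(200)));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it: the unchecked path for SR 200 reports a write to "env", the checked path reports an illegal instruction. The point for review of any translator or JIT is the same as in the trace above: a sparse handle table whose empty entries are indistinguishable from a valid privileged handle must never be indexed by a guest-controlled value without an explicit validity check.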