[PULL 38/47] tcg/riscv: Fix branch range checks

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, Alistair Francis <alistair.francis@wdc.com>
Subject: [PULL 38/47] tcg/riscv: Fix branch range checks
Date: Thu,  7 Jan 2021 10:14:39 -1000	[thread overview]
Message-ID: <20210107201448.1152301-39-richard.henderson@linaro.org> (raw)
In-Reply-To: <20210107201448.1152301-1-richard.henderson@linaro.org>

The offset even checks were folded into the range check incorrectly.
By offsetting by 1, and not decrementing the width, we silently
allowed out of range branches.

Assert that the offset is always even instead.  Move tcg_out_goto
down into the CONFIG_SOFTMMU block so that it is not unused.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/riscv/tcg-target.c.inc | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
index 0518595742..5b4c500a4b 100644
--- a/tcg/riscv/tcg-target.c.inc
+++ b/tcg/riscv/tcg-target.c.inc
@@ -429,7 +429,8 @@ static bool reloc_sbimm12(tcg_insn_unit *code_ptr, tcg_insn_unit *target)
 {
     intptr_t offset = (intptr_t)target - (intptr_t)code_ptr;
 
-    if (offset == sextreg(offset, 1, 12) << 1) {
+    tcg_debug_assert((offset & 1) == 0);
+    if (offset == sextreg(offset, 0, 12)) {
         code_ptr[0] |= encode_sbimm12(offset);
         return true;
     }
@@ -441,7 +442,8 @@ static bool reloc_jimm20(tcg_insn_unit *code_ptr, tcg_insn_unit *target)
 {
     intptr_t offset = (intptr_t)target - (intptr_t)code_ptr;
 
-    if (offset == sextreg(offset, 1, 20) << 1) {
+    tcg_debug_assert((offset & 1) == 0);
+    if (offset == sextreg(offset, 0, 20)) {
         code_ptr[0] |= encode_ujimm20(offset);
         return true;
     }
@@ -854,28 +856,21 @@ static void tcg_out_setcond2(TCGContext *s, TCGCond cond, TCGReg ret,
     g_assert_not_reached();
 }
 
-static inline void tcg_out_goto(TCGContext *s, tcg_insn_unit *target)
-{
-    ptrdiff_t offset = tcg_pcrel_diff(s, target);
-    tcg_debug_assert(offset == sextreg(offset, 1, 20) << 1);
-    tcg_out_opc_jump(s, OPC_JAL, TCG_REG_ZERO, offset);
-}
-
 static void tcg_out_call_int(TCGContext *s, const tcg_insn_unit *arg, bool tail)
 {
     TCGReg link = tail ? TCG_REG_ZERO : TCG_REG_RA;
     ptrdiff_t offset = tcg_pcrel_diff(s, arg);
     int ret;
 
-    if (offset == sextreg(offset, 1, 20) << 1) {
+    tcg_debug_assert((offset & 1) == 0);
+    if (offset == sextreg(offset, 0, 20)) {
         /* short jump: -2097150 to 2097152 */
         tcg_out_opc_jump(s, OPC_JAL, link, offset);
-    } else if (TCG_TARGET_REG_BITS == 32 ||
-        offset == sextreg(offset, 1, 31) << 1) {
+    } else if (TCG_TARGET_REG_BITS == 32 || offset == (int32_t)offset) {
         /* long jump: -2147483646 to 2147483648 */
         tcg_out_opc_upper(s, OPC_AUIPC, TCG_REG_TMP0, 0);
         tcg_out_opc_imm(s, OPC_JALR, link, TCG_REG_TMP0, 0);
-        ret = reloc_call(s->code_ptr - 2, arg);\
+        ret = reloc_call(s->code_ptr - 2, arg);
         tcg_debug_assert(ret == true);
     } else if (TCG_TARGET_REG_BITS == 64) {
         /* far jump: 64-bit */
@@ -962,6 +957,13 @@ QEMU_BUILD_BUG_ON(TCG_TARGET_REG_BITS < TARGET_LONG_BITS);
 QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
 QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
 
+static void tcg_out_goto(TCGContext *s, tcg_insn_unit *target)
+{
+    tcg_out_opc_jump(s, OPC_JAL, TCG_REG_ZERO, 0);
+    bool ok = reloc_jimm20(s->code_ptr - 1, target);
+    tcg_debug_assert(ok);
+}
+
 static void tcg_out_tlb_load(TCGContext *s, TCGReg addrl,
                              TCGReg addrh, TCGMemOpIdx oi,
                              tcg_insn_unit **label_ptr, bool is_load)
-- 
2.25.1

next prev parent reply	other threads:[~2021-01-07 20:54 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-07 20:14 [PULL 00/47] tcg patch queue Richard Henderson
2021-01-07 20:14 ` [PULL 01/47] linux-user: Conditionalize TUNSETVNETLE Richard Henderson
2021-01-07 20:14 ` [PULL 02/47] tcg/i386: Adjust TCG_TARGET_HAS_MEMORY_BSWAP Richard Henderson
2021-01-07 20:14 ` [PULL 03/47] tcg: Introduce INDEX_op_qemu_st8_i32 Richard Henderson
2021-01-07 20:14 ` [PULL 04/47] util/oslib-win32: Use _aligned_malloc for qemu_try_memalign Richard Henderson
2021-01-10 23:18   ` Volker Rümelin
2021-01-11  3:10     ` 罗勇刚(Yonggang Luo)
2021-01-07 20:14 ` [PULL 05/47] util/oslib: Assert qemu_try_memalign() alignment is a power of 2 Richard Henderson
2021-01-07 20:14 ` [PULL 06/47] tcg: Do not flush icache for interpreter Richard Henderson
2021-01-07 20:14 ` [PULL 07/47] util: Enhance flush_icache_range with separate data pointer Richard Henderson
2021-01-07 20:14 ` [PULL 08/47] util: Specialize flush_idcache_range for aarch64 Richard Henderson
2021-01-07 20:14 ` [PULL 09/47] tcg: Move tcg prologue pointer out of TCGContext Richard Henderson
2021-01-07 20:14 ` [PULL 10/47] tcg: Move tcg epilogue " Richard Henderson
2021-01-07 20:14 ` [PULL 11/47] tcg: Add in_code_gen_buffer Richard Henderson
2021-01-07 20:14 ` [PULL 12/47] tcg: Introduce tcg_splitwx_to_{rx,rw} Richard Henderson
2021-01-07 20:14 ` [PULL 13/47] tcg: Adjust TCGLabel for const Richard Henderson
2021-01-07 20:14 ` [PULL 14/47] tcg: Adjust tcg_out_call " Richard Henderson
2021-01-07 20:14 ` [PULL 15/47] tcg: Adjust tcg_out_label " Richard Henderson
2021-01-07 20:14 ` [PULL 16/47] tcg: Adjust tcg_register_jit " Richard Henderson
2021-01-07 20:14 ` [PULL 17/47] tcg: Adjust tb_target_set_jmp_target for split-wx Richard Henderson
2021-01-07 20:14 ` [PULL 18/47] tcg: Make DisasContextBase.tb const Richard Henderson
2021-01-07 20:14 ` [PULL 19/47] tcg: Make tb arg to synchronize_from_tb const Richard Henderson
2021-01-07 20:14 ` [PULL 20/47] tcg: Use Error with alloc_code_gen_buffer Richard Henderson
2021-01-07 20:14 ` [PULL 21/47] tcg: Add --accel tcg,split-wx property Richard Henderson
2021-01-07 20:14 ` [PULL 22/47] accel/tcg: Support split-wx for linux with memfd Richard Henderson
2021-01-07 20:14 ` [PULL 23/47] accel/tcg: Support split-wx for darwin/iOS with vm_remap Richard Henderson
2021-01-07 20:14 ` [PULL 24/47] tcg: Return the TB pointer from the rx region from exit_tb Richard Henderson
2021-01-07 20:14 ` [PULL 25/47] tcg/i386: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` [PULL 26/47] tcg/aarch64: Use B not BL for tcg_out_goto_long Richard Henderson
2021-01-07 20:14 ` [PULL 27/47] tcg/aarch64: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` [PULL 28/47] disas: Push const down through host disassembly Richard Henderson
2021-01-07 20:14 ` [PULL 29/47] tcg/tci: Push const down through bytecode reading Richard Henderson
2021-01-07 20:14 ` [PULL 30/47] tcg: Introduce tcg_tbrel_diff Richard Henderson
2021-01-07 20:14 ` [PULL 31/47] tcg/ppc: Use tcg_tbrel_diff Richard Henderson
2021-01-07 20:14 ` [PULL 32/47] tcg/ppc: Use tcg_out_mem_long to reset TCG_REG_TB Richard Henderson
2021-01-07 20:14 ` [PULL 33/47] tcg/ppc: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` [PULL 34/47] tcg/sparc: Use tcg_tbrel_diff Richard Henderson
2021-01-07 20:14 ` [PULL 35/47] tcg/sparc: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` [PULL 36/47] tcg/s390: Use tcg_tbrel_diff Richard Henderson
2021-01-07 20:14 ` [PULL 37/47] tcg/s390: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` Richard Henderson [this message]
2021-01-07 20:14 ` [PULL 39/47] tcg/riscv: Remove branch-over-branch fallback Richard Henderson
2021-01-07 20:14 ` [PULL 40/47] tcg/riscv: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` [PULL 41/47] accel/tcg: Add mips support to alloc_code_gen_buffer_splitwx_memfd Richard Henderson
2021-01-07 20:14 ` [PULL 42/47] tcg/mips: Do not assert on relocation overflow Richard Henderson
2021-01-07 20:14 ` [PULL 43/47] tcg/mips: Support split-wx code generation Richard Henderson
2021-01-07 20:14 ` [PULL 44/47] tcg/arm: " Richard Henderson
2021-01-07 20:14 ` [PULL 45/47] tcg: Remove TCG_TARGET_SUPPORT_MIRROR Richard Henderson
2021-01-07 20:14 ` [PULL 46/47] tcg: Constify tcg_code_gen_epilogue Richard Henderson
2021-01-07 20:14 ` [PULL 47/47] tcg: Constify TCGLabelQemuLdst.raddr Richard Henderson
2021-01-07 21:03 ` [PULL 00/47] tcg patch queue no-reply
2021-01-08 10:28 ` Peter Maydell

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:051859574 dfblob:5b4c500a4 )
 OR (
bs:"[PULL 38/47] tcg/riscv: Fix branch range checks" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210107201448.1152301-39-richard.henderson@linaro.org \
    --to=richard.henderson@linaro.org \
    --cc=alistair.francis@wdc.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).