* [PULL 1/5] accel/tcg: Trace tb_flush() calls
2025-11-10 11:10 [PULL 0/5] misc patch queue Richard Henderson
@ 2025-11-10 11:10 ` Richard Henderson
2025-11-10 11:10 ` [PULL 2/5] accel/tcg: Trace tb_gen_code() buffer overflow Richard Henderson
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Richard Henderson @ 2025-11-10 11:10 UTC (permalink / raw)
To: qemu-devel; +Cc: Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250925035610.80605-2-philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
accel/tcg/tb-maint.c | 3 ++-
accel/tcg/trace-events | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index 5a8d0784e7..cd7c32361b 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -40,7 +40,7 @@
#else
#include "system/runstate.h"
#endif
-
+#include "trace.h"
/* List iterators for lists of tagged pointers in TranslationBlock. */
#define TB_FOR_EACH_TAGGED(head, tb, n, field) \
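Review bot: the new `#include "trace.h"` takes the place of the blank line that separated the `#endif` block from the `TB_FOR_EACH_TAGGED` comment, so the include now runs straight into the macro definition; keep a blank line after `+#include "trace.h"` so the include group stays visually separate from the code that follows.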
@@ -771,6 +771,7 @@ void tb_flush__exclusive_or_serial(void)
{
CPUState *cpu;
+ trace_tb_flush();
assert(tcg_enabled());
/* Note that cpu_in_serial_context checks cpu_in_exclusive_context. */
assert(!runstate_is_running() ||
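Review bot: `trace_tb_flush()` carries no argument, so a trace consumer cannot tell a flush forced by a code-buffer overflow from one requested by any other caller; the `tb_gen_code_buffer_overflow(reason)` event added in 2/5 only covers the overflow paths. Consider passing the caller or a reason string here too, or stating in the commit message that the two events are meant to be correlated. Emitting the trace before the two `assert()`s is fine: a record still appears when the call is about to abort, which is the more useful ordering for post-mortem debugging.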
diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
index 14f638810c..121d6b5081 100644
--- a/accel/tcg/trace-events
+++ b/accel/tcg/trace-events
@@ -24,3 +24,6 @@ store_atom2_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIx
store_atom4_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
store_atom8_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
store_atom16_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
+
+# tb-maint.c
+tb_flush(void) ""
--
2.43.0
* [PULL 2/5] accel/tcg: Trace tb_gen_code() buffer overflow
From: Richard Henderson @ 2025-11-10 11:10 UTC (permalink / raw)
To: qemu-devel; +Cc: Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250925035610.80605-3-philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
accel/tcg/translate-all.c | 3 +++
accel/tcg/trace-events | 1 +
2 files changed, 4 insertions(+)
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index da9d7f1675..fba4e9dc21 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -290,6 +290,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, TCGTBCPUState s)
if (unlikely(!tb)) {
/* flush must be done */
if (cpu_in_serial_context(cpu)) {
+ trace_tb_gen_code_buffer_overflow("tcg_tb_alloc");
tb_flush__exclusive_or_serial();
goto buffer_overflow;
}
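Review bot: the `"tcg_tb_alloc"` trace fires only inside the `cpu_in_serial_context(cpu)` branch; if the non-serial case (outside this hunk's context) handles the same `!tb` allocation failure by another route, that path stays untraced and counts derived from this event would undercount allocation overflows. Either trace before the `if`, or say in the commit message that only the synchronous-flush case is covered.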
@@ -325,6 +326,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, TCGTBCPUState s)
if (unlikely(gen_code_size < 0)) {
switch (gen_code_size) {
case -1:
+ trace_tb_gen_code_buffer_overflow("setjmp_gen_code");
/*
* Overflow of code_gen_buffer, or the current slice of it.
*
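Review bot: the trace call is inserted between `case -1:` and the block comment that explains that case, which detaches the explanation from its label; move `trace_tb_gen_code_buffer_overflow("setjmp_gen_code");` below the comment so the comment still reads as describing the `-1` case.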
@@ -389,6 +391,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, TCGTBCPUState s)
search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
if (unlikely(search_size < 0)) {
+ trace_tb_gen_code_buffer_overflow("encode_search");
tb_unlock_pages(tb);
goto buffer_overflow;
}
diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
index 121d6b5081..0816cafd33 100644
--- a/accel/tcg/trace-events
+++ b/accel/tcg/trace-events
@@ -12,6 +12,7 @@ memory_notdirty_set_dirty(uint64_t vaddr) "0x%" PRIx64
# translate-all.c
translate_block(void *tb, uintptr_t pc, const void *tb_code) "tb:%p, pc:0x%"PRIxPTR", tb_code:%p"
+tb_gen_code_buffer_overflow(const char *reason) "reason: %s"
# ldst_atomicity
load_atom2_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
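Review bot: `reason` is a free-form `const char *`, and the three call sites use the literals `"tcg_tb_alloc"`, `"setjmp_gen_code"` and `"encode_search"`; a comment next to `tb_gen_code_buffer_overflow(const char *reason)` listing those values would help anyone filtering or post-processing trace output, since the event definition itself does not constrain them.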
--
2.43.0
* [PULL 3/5] qapi/parser: Mollify mypy
From: Richard Henderson @ 2025-11-10 11:10 UTC (permalink / raw)
To: qemu-devel; +Cc: Markus Armbruster, Vladimir Sementsov-Ogievskiy
From: Markus Armbruster <armbru@redhat.com>
re.match(r'^ *', ...) can't fail, but mypy doesn't know that and
complains:
scripts/qapi/parser.py:444: error: Item "None" of "Match[str] | None" has no attribute "end" [union-attr]
Work around by using must_match() instead.
Fixes: 8107ba47fd78 (qapi: Add documentation format validation)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251105152219.311154-1-armbru@redhat.com>
---
scripts/qapi/parser.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/qapi/parser.py b/scripts/qapi/parser.py
index 1bb1af7051..c3cf33904e 100644
--- a/scripts/qapi/parser.py
+++ b/scripts/qapi/parser.py
@@ -441,7 +441,7 @@ def get_doc_line(self) -> Optional[str]:
self._literal_mode = True
self._literal_mode_indent = 0
elif self._literal_mode and line:
- indent = re.match(r'^ *', line).end()
+ indent = must_match(r'\s*', line).end()
if self._literal_mode_indent == 0:
self._literal_mode_indent = indent
elif indent < self._literal_mode_indent:
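Review bot: besides swapping `re.match` for `must_match`, the pattern changes from `^ *` (spaces only) to `\s*`, so `indent` now also counts tabs and other leading whitespace on a literal-mode line; the commit message presents this as a pure mypy workaround, so either keep `must_match(r' *', line)` or state the behaviour change explicitly. The hunk also shows no import for `must_match`; with only one line changed it must already be in scope in parser.py, which is worth confirming.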
--
2.43.0
* [PULL 4/5] tests/functional: Mark another MIPS replay test as flaky
From: Richard Henderson @ 2025-11-10 11:10 UTC (permalink / raw)
To: qemu-devel; +Cc: Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé <philmd@linaro.org>
When disabling MIPS tests on commit 1c11aa18071
("tests/functional: Mark the MIPS replay tests as flaky")
we missed the 5KEc test.
Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251104145955.84091-1-philmd@linaro.org>
---
tests/functional/mips64el/test_replay.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/functional/mips64el/test_replay.py b/tests/functional/mips64el/test_replay.py
index 05cc585f85..e9318448fa 100755
--- a/tests/functional/mips64el/test_replay.py
+++ b/tests/functional/mips64el/test_replay.py
@@ -40,6 +40,7 @@ def test_replay_mips64el_malta(self):
'75ba10cd35fb44e32948eeb26974f061b703c81c4ba2fab1ebcacf1d1bec3b61')
@skipUntrustedTest()
+ @skipFlakyTest("https://gitlab.com/qemu-project/qemu/-/issues/2013")
def test_replay_mips64el_malta_5KEc_cpio(self):
self.set_machine('malta')
self.cpu = '5KEc'
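Review bot: the decorator carries only the issue URL; a short note of what is flaky about the 5KEc replay (timeout versus record/replay divergence), either in the `@skipFlakyTest(...)` string or in the commit message, would help whoever revisits issue 2013 to re-enable the test.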
--
2.43.0
* [PULL 5/5] target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns
From: Richard Henderson @ 2025-11-10 11:10 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, qemu-stable
From: Peter Maydell <peter.maydell@linaro.org>
In the decode_group9() function, if we don't recognise the insn as
one that we should handle, we leave the 'entry' pointer unaltered.
Because the X86OpEntry struct has a union for the gen and decode
pointers, this means that the top level code will call decode.e.gen()
which tries to use the decode function pointer (still set to
decode_group9) as a gen function pointer.
This is undefined behaviour, but seems to be mostly harmless in
practice (we call decode_group9() again with bogus arguments and it
does nothing). If you have CFI enabled then it will trip the CFI
check:
../target/i386/tcg/decode-new.c.inc:2862:9: runtime error: control flow integrity check for type 'void (struct DisasContext *, struct X86DecodedInsn *)' failed during indirect function call
Set *entry to UNKNOWN_OPCODE to provoke the #UD exception, as we do
in decode_group1A() and decode_group11() for similar situations.
Thanks to the bug reporter for the clear description and analysis of
the bug and the simple reproducer.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3172
Fixes: fcd16539ebfe2 ("target/i386: convert CMPXCHG8B/CMPXCHG16B to new decoder")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251021173152.1695997-1-peter.maydell@linaro.org>
---
target/i386/tcg/decode-new.c.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
index a50f57dbaa..f4192f1006 100644
--- a/target/i386/tcg/decode-new.c.inc
+++ b/target/i386/tcg/decode-new.c.inc
@@ -335,6 +335,8 @@ static void decode_group9(DisasContext *s, CPUX86State *env, X86OpEntry *entry,
*entry = group9_reg;
} else if (op == 1) {
*entry = REX_W(s) ? cmpxchg16b : cmpxchg8b;
+ } else {
+ *entry = UNKNOWN_OPCODE;
}
}
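Review bot: the new `else` branch guarantees `*entry` is written on every path, which is the whole fix. Because the `op` value that selects the branch comes from the guest instruction being decoded, the unwritten path was reachable from arbitrary guest code, which justifies the Cc to qemu-stable. Two follow-ups worth considering: a comment on the union in `X86OpEntry` stating that every `decode` helper must overwrite `*entry`, and a sweep of the remaining `decode_group*()` helpers for the same missing default (the message notes `decode_group1A()` and `decode_group11()` already handle it).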
--
2.43.0
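As an added illustration of the hazard the commit message describes (my own code, not QEMU's): a minimal model of an opcode table whose gen and decode function pointers share one union slot, a group decoder written both the buggy way and with the patch's default, and a dispatcher that refuses the mismatched call instead of making it. All type and function names here are assumptions.

```c
#include <stdbool.h>
/* Simplified model of QEMU's X86OpEntry: gen and decode share one union slot
 * and only the table entry records which one is live. Names are assumptions. */
typedef struct DisasCtx { bool ud_raised; int gen_called; } DisasCtx;
typedef struct OpEntry {
    union {
        void (*gen)(DisasCtx *s, int reg);
        void (*decode)(DisasCtx *s, struct OpEntry *entry, int reg);
    };
    bool is_decode;
} OpEntry;

static void gen_cmpxchg8b(DisasCtx *s, int reg) { (void)reg; s->gen_called = 1; }
static void gen_ud(DisasCtx *s, int reg) { (void)reg; s->ud_raised = true; }
/* Sentinel that raises #UD, standing in for UNKNOWN_OPCODE. */
static const OpEntry UNKNOWN_OPCODE = { .gen = gen_ud, .is_decode = false };

/* Buggy group decoder: an unrecognised reg field leaves *entry untouched. */
static void decode_group9_buggy(DisasCtx *s, OpEntry *entry, int reg)
{
    (void)s;
    if (reg == 1) *entry = (OpEntry){ .gen = gen_cmpxchg8b, .is_decode = false };
}

/* Fixed group decoder: every path writes *entry, as the patch's else branch does. */
static void decode_group9_fixed(DisasCtx *s, OpEntry *entry, int reg)
{
    (void)s;
    if (reg == 1) {
        *entry = (OpEntry){ .gen = gen_cmpxchg8b, .is_decode = false };
    } else {
        *entry = UNKNOWN_OPCODE;
    }
}

/* Top-level dispatch. Returns false rather than calling gen() through a slot that
 * still holds a decode pointer: that mismatched indirect call is what CFI traps. */
static bool dispatch(DisasCtx *s, const OpEntry *table_entry, int reg)
{
    OpEntry e = *table_entry;
    if (e.is_decode) {
        e.decode(s, &e, reg);   /* the group decoder is expected to overwrite e */
    }
    if (e.is_decode) {
        return false;           /* decoder left a decode pointer in the gen slot */
    }
    e.gen(s, reg);
    return true;
}
static const OpEntry group9_buggy = { .decode = decode_group9_buggy, .is_decode = true };
static const OpEntry group9_fixed = { .decode = decode_group9_fixed, .is_decode = true };
```

With the buggy decoder the dispatcher bails out for any reg field other than 1; with the fixed one the same input reaches the #UD handler, which is the behaviour the patch restores.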
* Re: [PULL 0/5] misc patch queue
From: Richard Henderson @ 2025-11-10 14:31 UTC (permalink / raw)
To: qemu-devel
On 11/10/25 12:10, Richard Henderson wrote:
> The following changes since commit 917ac07f9aef579b9538a81d45f45850aba42906:
>
> Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-11-05 16:07:18 +0100)
>
> are available in the Git repository at:
>
> https://gitlab.com/rth7680/qemu.git tags/pull-misc-20251110
>
> for you to fetch changes up to 4f503afc7eb503997fedad84f24e2cdf696a7a0e:
>
> target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns (2025-11-10 12:02:45 +0100)
>
> ----------------------------------------------------------------
> accel/tcg: Trace tb_flush() calls
> accel/tcg: Trace tb_gen_code() buffer overflow
> qapi/parser: Mollify mypy
> tests/functional: Mark another MIPS replay test as flaky
> target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns
>
Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate.
r~