From: Paolo Bonzini <pbonzini@redhat.com>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: Stefan Weil <weil@mail.berlios.de>, qemu-devel <qemu-devel@nongnu.org>
Subject: [Qemu-devel] 64-on-32 TCG broken [was Re: x86_64-softmmu broken on Windows (TCG?)]
Date: Tue, 30 Oct 2012 09:15:55 +0100 [thread overview]
Message-ID: <508F8CBB.8090101@redhat.com> (raw)
In-Reply-To: <20121029182958.GB29866@ohm.aurel32.net>
Il 29/10/2012 19:29, Aurelien Jarno ha scritto:
> On Mon, Oct 29, 2012 at 06:53:14PM +0100, Paolo Bonzini wrote:
>> > Known-good commit: 8473f377393219390ea6f2d8d450a2b054bb823e
>> > Known-bad commit: d262cb02861dd33375c08fc798930653b14769e9
>> >
>> > i386-softmmu seems to work. I may try to bisect it tomorrow, but I'd be
>> > glad if somebody else beats me. It can be reproduced with Wine and
>> > "x86_64-softmmu/qemu-system-x86_64.exe -L ../pc-bios"; it hangs at iPXE.
> Oops, sorry about that. Is it win32 or win64? I'll try to fix it asap,
> but right now I don't have a good network connection enough to either
> setup a mingw build environment or to connect to a remote machine with
> such an environment.
It's win32, and the first bad commit is 9c43b68 (tcg: rework liveness
analysis, 2012-10-09). But it looks like 64-on-32 emulation is more
generally broken. I now tried x86_64-linux-user compiled for 32-bit,
and it segfaults on startup. Even the previous commit cannot run
qemu-x86_64 /bin/ls correctly:
$ git whatis HEAD
ec7a869 (tcg: sync output arguments on liveness request, 2012-10-09)
$ x86_64-linux-user/qemu-x86_64 /bin/ls
inux-user
$ git whatis HEAD
9c43b68 (tcg: rework liveness analysis, 2012-10-09)
$ x86_64-linux-user/qemu-x86_64 /bin/ls
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Errore di segmentazione
Regarding the win32 failure, it's early enough that the TCG logs give
an idea of what is happening. This *might* be a reduced testcase,
but the general breakage makes it impossible to check:
/*
 * Reduced test case for the 64-on-32 TCG liveness regression described
 * above. Layout of the inline assembly:
 *   h: a single data byte (2) placed inline in the code section;
 *   f: saves rax/rdx, loads that byte, compares it with 0x12 (so ZF=0),
 *      restores rax/rdx and returns WITHOUT consuming the flags;
 *   g: zeroes eax, calls f, then materialises ZF with setne and returns.
 * On a correct translator g() yields 1 (2 != 0x12). If the liveness pass
 * wrongly treats f's flag write (cc_dst) as dead because nothing in f's
 * own block reads it, g's `setne` sees stale flags instead.
 *
 * NOTE(review): keep the instruction sequence exactly as is when
 * reproducing; the push/pop and the call/ret are what separate the flag
 * producer from its consumer, and any rewrite may hide the bug.
 * Build caveats: `asm` at file scope is a GNU extension (`__asm__` is the
 * spelling accepted under -std=c11), the code is x86-64 only, and
 * `movb h, %al` uses an absolute address, which presumably needs a
 * non-PIE link (or `h(%rip)`) on current toolchains -- not verified here.
 */
asm("\n\
h:\n\
.byte 2\n\
f:\n\
push %rax\n\
push %rdx\n\
movb h, %al\n\
cmp $0x12, %al\n\
pop %rdx\n\
pop %rax\n\
ret\n\
g:\n\
xor %eax, %eax\n\
call f\n\
setne %al\n\
ret\n\
");
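#include <stdio.h>

/*
 * g is defined in the inline assembly block above. It zeroes eax, calls
 * f (which does `cmp $0x12` on the byte 2 stored at h) and returns the
 * result of `setne`, so it can only yield 0 or 1. A prototype with
 * (void) replaces the old-style `g()` so the compiler rejects any
 * accidental arguments.
 */
extern int g(void);

/*
 * Entry point of the reduced test case: prints g()'s result.
 * Expected output on a correct translator is "1" (2 != 0x12 clears ZF,
 * setne then produces 1); any other value means the flag write from
 * f's compare was lost before g's setne consumed it.
 */
int main(void)
{
    printf("%d\n", g());
    return 0;
}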
Anyhow, here are the logs (good on the left, differences on the right). A write to cc_dst is incorrectly deleted as dead: at 0xc83f4 the `sub2_i32 cc_dst_0,cc_dst_1,...` that implements `cmp $0x12,%al` has been turned into a `nopn`, even though nothing later in the block writes cc_dst before the `exit_tb` (only cc_op is set at the end), so the flags of this `cmp` never reach the next translation block:
IN: (
0x00000000000c83e9: push %ax (
0x00000000000c83ea: push %dx (
0x00000000000c83eb: mov $0x9206,%ax (
0x00000000000c83ee: mov $0x3c4,%dx (
0x00000000000c83f1: out %ax,(%dx) (
0x00000000000c83f2: inc %dx (
0x00000000000c83f3: in (%dx),%al (
0x00000000000c83f4: cmp $0x12,%al (
0x00000000000c83f6: pop %dx (
0x00000000000c83f7: pop %ax (
0x00000000000c83f8: ret (
(
OP: (
---- 0xc83e9 (
mov_i32 tmp0,rax_0 (
mov_i32 tmp1,rax_1 (
mov_i32 tmp4,rsp_0 (
mov_i32 tmp5,rsp_1 (
movi_i32 tmp20,$0xfffffffe (
movi_i32 tmp21,$0xffffffff (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp20,tmp21 (
nop (
movi_i32 tmp5,$0x0 (
ext16u_i32 tmp4,tmp4 (
movi_i32 tmp5,$0x0 (
mov_i32 tmp2,tmp4 (
mov_i32 tmp3,tmp5 (
ld_i32 tmp8,env,$0xe8 (
ld_i32 tmp9,env,$0xec (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9 (
nop (
movi_i32 tmp5,$0x0 (
qemu_st16 tmp0,tmp4,tmp5,$0x0 (
deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10 (
(
---- 0xc83ea (
mov_i32 tmp0,rdx_0 (
mov_i32 tmp1,rdx_1 (
mov_i32 tmp4,rsp_0 (
mov_i32 tmp5,rsp_1 (
movi_i32 tmp20,$0xfffffffe (
movi_i32 tmp21,$0xffffffff (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp20,tmp21 (
nop (
movi_i32 tmp5,$0x0 (
ext16u_i32 tmp4,tmp4 (
movi_i32 tmp5,$0x0 (
mov_i32 tmp2,tmp4 (
mov_i32 tmp3,tmp5 (
ld_i32 tmp8,env,$0xe8 (
ld_i32 tmp9,env,$0xec (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9 (
nop (
movi_i32 tmp5,$0x0 (
qemu_st16 tmp0,tmp4,tmp5,$0x0 (
deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10 (
(
---- 0xc83eb (
movi_i32 tmp0,$0x9206 (
movi_i32 tmp1,$0x0 (
deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10 (
(
---- 0xc83ee (
movi_i32 tmp0,$0x3c4 (
movi_i32 tmp1,$0x0 (
deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10 (
(
---- 0xc83f1 (
mov_i32 tmp0,rdx_0 (
mov_i32 tmp1,rdx_1 (
ext16u_i32 tmp0,tmp0 (
movi_i32 tmp1,$0x0 (
mov_i32 tmp2,rax_0 (
mov_i32 tmp3,rax_1 (
mov_i32 tmp12,tmp0 (
mov_i32 tmp13,tmp2 (
movi_i32 tmp22,$outw (
call tmp22,$0x0,$0,tmp12,tmp13 (
(
---- 0xc83f2 (
mov_i32 tmp0,rdx_0 (
mov_i32 tmp1,rdx_1 (
movi_i32 tmp20,$0x1 (
movi_i32 tmp21,$0x0 (
add2_i32 tmp0,tmp1,tmp0,tmp1,tmp20,tmp21 (
nop (
deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10 (
movi_i32 tmp22,$cc_compute_c (
call tmp22,$0x10,$1,tmp12,env,cc_op (
mov_i32 cc_src_0,tmp12 (
movi_i32 cc_src_1,$0x0 (
mov_i32 cc_dst_0,tmp0 (
mov_i32 cc_dst_1,tmp1 (
(
---- 0xc83f3 (
mov_i32 tmp0,rdx_0 (
mov_i32 tmp1,rdx_1 (
ext16u_i32 tmp0,tmp0 (
movi_i32 tmp1,$0x0 (
mov_i32 tmp12,tmp0 (
movi_i32 tmp22,$inb (
call tmp22,$0x0,$2,tmp2,tmp3,tmp12 (
deposit_i32 rax_0,rax_0,tmp2,$0x0,$0x8 (
(
---- 0xc83f4 (
movi_i32 tmp2,$0x12 (
movi_i32 tmp3,$0x0 (
mov_i32 tmp0,rax_0 (
mov_i32 tmp1,rax_1 (
mov_i32 cc_src_0,tmp2 (
mov_i32 cc_src_1,tmp3 (
sub2_i32 cc_dst_0,cc_dst_1,tmp0,tmp1,tmp2 (
nop (
(
---- 0xc83f6 (
mov_i32 tmp4,rsp_0 (
mov_i32 tmp5,rsp_1 (
ext16u_i32 tmp4,tmp4 (
movi_i32 tmp5,$0x0 (
ld_i32 tmp8,env,$0xe8 (
ld_i32 tmp9,env,$0xec (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9 (
nop (
movi_i32 tmp5,$0x0 (
qemu_ld16u tmp0,tmp4,tmp5,$0x0 (
movi_i32 tmp1,$0x0 (
movi_i32 tmp20,$0x2 (
movi_i32 tmp21,$0x0 (
add2_i32 tmp8,tmp9,rsp_0,rsp_1,tmp20,tmp2 (
nop (
deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10 (
deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10 (
(
---- 0xc83f7 (
mov_i32 tmp4,rsp_0 (
mov_i32 tmp5,rsp_1 (
ext16u_i32 tmp4,tmp4 (
movi_i32 tmp5,$0x0 (
ld_i32 tmp8,env,$0xe8 (
ld_i32 tmp9,env,$0xec (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9 (
nop (
movi_i32 tmp5,$0x0 (
qemu_ld16u tmp0,tmp4,tmp5,$0x0 (
movi_i32 tmp1,$0x0 (
movi_i32 tmp20,$0x2 (
movi_i32 tmp21,$0x0 (
add2_i32 tmp8,tmp9,rsp_0,rsp_1,tmp20,tmp2 (
nop (
deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10 (
deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10 (
(
---- 0xc83f8 (
mov_i32 tmp4,rsp_0 (
mov_i32 tmp5,rsp_1 (
ext16u_i32 tmp4,tmp4 (
movi_i32 tmp5,$0x0 (
ld_i32 tmp8,env,$0xe8 (
ld_i32 tmp9,env,$0xec (
add2_i32 tmp4,tmp5,tmp4,tmp5,tmp8,tmp9 (
nop (
movi_i32 tmp5,$0x0 (
qemu_ld16u tmp0,tmp4,tmp5,$0x0 (
movi_i32 tmp1,$0x0 (
movi_i32 tmp20,$0x2 (
movi_i32 tmp21,$0x0 (
add2_i32 tmp8,tmp9,rsp_0,rsp_1,tmp20,tmp2 (
nop (
deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10 (
ext16u_i32 tmp0,tmp0 (
movi_i32 tmp1,$0x0 (
st_i32 tmp0,env,$0x80 (
st_i32 tmp1,env,$0x84 (
movi_i32 cc_op,$0xe (
exit_tb $0x0 (
(
OP after optimization and liveness analysi (
---- 0xc83e9 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
movi_i32 tmp20,$0xfffffffe (
nopn $0x2,$0x2 (
add_i32 tmp4,rsp_0,tmp20 (
nopn $0x3,$0x3c,$0x3 (
nopn $0x2,$0x2 (
ext16u_i32 tmp4,tmp4 (
nopn $0x2,$0x2 (
mov_i32 tmp2,tmp4 (
nopn $0x2,$0x2 (
ld_i32 tmp8,env,$0xe8 (
nopn $0x3,$0x0,$0x3 (
add_i32 tmp4,tmp4,tmp8 (
nopn $0x3,$0x30,$0x3 (
movi_i32 tmp5,$0x0 (
qemu_st16 rax_0,tmp4,tmp5,$0x0 (
deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10 (
(
---- 0xc83ea (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
movi_i32 tmp20,$0xfffffffe (
nopn $0x2,$0x2 (
add_i32 tmp4,rsp_0,tmp20 (
nopn $0x3,$0x3c,$0x3 (
nopn $0x2,$0x2 (
ext16u_i32 tmp4,tmp4 (
nopn $0x2,$0x2 (
mov_i32 tmp2,tmp4 (
nopn $0x2,$0x2 (
ld_i32 tmp8,env,$0xe8 (
nopn $0x3,$0x0,$0x3 (
add_i32 tmp4,tmp4,tmp8 (
nopn $0x3,$0x30,$0x3 (
movi_i32 tmp5,$0x0 (
qemu_st16 rdx_0,tmp4,tmp5,$0x0 (
deposit_i32 rsp_0,rsp_0,tmp2,$0x0,$0x10 (
(
---- 0xc83eb (
movi_i32 tmp0,$0x9206 (
nopn $0x2,$0x2 (
deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10 (
(
---- 0xc83ee (
movi_i32 tmp0,$0x3c4 (
nopn $0x2,$0x2 (
deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10 (
(
---- 0xc83f1 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
ext16u_i32 tmp0,rdx_0 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
mov_i32 tmp12,tmp0 (
nopn $0x2,$0x2 (
movi_i32 tmp22,$outw (
call tmp22,$0x0,$0,tmp12,rax_0 (
(
---- 0xc83f2 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
movi_i32 tmp20,$0x1 (
movi_i32 tmp21,$0x0 (
add2_i32 tmp0,tmp1,rdx_0,rdx_1,tmp20,tmp2 (
nop (
deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10 (
movi_i32 tmp22,$cc_compute_c (
call tmp22,$0x10,$1,tmp12,env,cc_op (
mov_i32 cc_src_0,tmp12 (
movi_i32 cc_src_1,$0x0 (
mov_i32 cc_dst_0,tmp0 (
mov_i32 cc_dst_1,tmp1 (
(
---- 0xc83f3 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
ext16u_i32 tmp0,rdx_0 (
nopn $0x2,$0x2 (
mov_i32 tmp12,tmp0 (
movi_i32 tmp22,$inb (
call tmp22,$0x0,$2,tmp2,tmp3,tmp12 (
deposit_i32 rax_0,rax_0,tmp2,$0x0,$0x8 (
(
---- 0xc83f4 (
movi_i32 tmp2,$0x12 | nopn $0x2,$0x2
movi_i32 tmp3,$0x0 | nopn $0x2,$0x2
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
movi_i32 cc_src_0,$0x12 (
movi_i32 cc_src_1,$0x0 (
sub2_i32 cc_dst_0,cc_dst_1,rax_0,rax_1,tm | nopn $0x6,$0x5,$0x8,$0x9,$0x2a,$0x6
nop (
(
---- 0xc83f6 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
ext16u_i32 tmp4,rsp_0 (
nopn $0x2,$0x2 (
ld_i32 tmp8,env,$0xe8 (
nopn $0x3,$0x0,$0x3 (
add_i32 tmp4,tmp4,tmp8 (
nopn $0x3,$0x30,$0x3 (
movi_i32 tmp5,$0x0 (
qemu_ld16u tmp0,tmp4,tmp5,$0x0 (
nopn $0x2,$0x2 (
movi_i32 tmp20,$0x2 (
nopn $0x2,$0x2 (
add_i32 tmp8,rsp_0,tmp20 (
nopn $0x3,$0x3c,$0x3 (
deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10 (
deposit_i32 rdx_0,rdx_0,tmp0,$0x0,$0x10 (
(
---- 0xc83f7 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
ext16u_i32 tmp4,rsp_0 (
nopn $0x2,$0x2 (
ld_i32 tmp8,env,$0xe8 (
nopn $0x3,$0x0,$0x3 (
add_i32 tmp4,tmp4,tmp8 (
nopn $0x3,$0x30,$0x3 (
movi_i32 tmp5,$0x0 (
qemu_ld16u tmp0,tmp4,tmp5,$0x0 (
nopn $0x2,$0x2 (
movi_i32 tmp20,$0x2 (
nopn $0x2,$0x2 (
add_i32 tmp8,rsp_0,tmp20 (
nopn $0x3,$0x3c,$0x3 (
deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10 (
deposit_i32 rax_0,rax_0,tmp0,$0x0,$0x10 (
(
---- 0xc83f8 (
nopn $0x2,$0x2 (
nopn $0x2,$0x2 (
ext16u_i32 tmp4,rsp_0 (
nopn $0x2,$0x2 (
ld_i32 tmp8,env,$0xe8 (
nopn $0x3,$0x0,$0x3 (
add_i32 tmp4,tmp4,tmp8 (
nopn $0x3,$0x30,$0x3 (
movi_i32 tmp5,$0x0 (
qemu_ld16u tmp0,tmp4,tmp5,$0x0 (
nopn $0x2,$0x2 (
movi_i32 tmp20,$0x2 (
nopn $0x2,$0x2 (
add_i32 tmp8,rsp_0,tmp20 (
nopn $0x3,$0x3c,$0x3 (
deposit_i32 rsp_0,rsp_0,tmp8,$0x0,$0x10 (
ext16u_i32 tmp0,tmp0 (
movi_i32 tmp1,$0x0 (
st_i32 tmp0,env,$0x80 (
st_i32 tmp1,env,$0x84 (
movi_i32 cc_op,$0xe (
exit_tb $0x0 (
end (
(
and then, because the `jne` at 0xc83a0 evaluates those stale flags, the next basic block jumps in the weeds: the good run falls through to 0xc83a2, while the broken run takes the branch to 0xc83d3 (a `ret`):
IN: (
0x00000000000c83a0: jne 0xc83d3 (
IN: (
0x00000000000c83a2: push %ds | 0x00000000000c83d3: ret
0x00000000000c83a3: xor %ax,%ax <
0x00000000000c83a5: mov %ax,%ds <
0x00000000000c83a7: mov $0x83f9,%ax <
0x00000000000c83aa: mov %ax,0x40 <
0x00000000000c83ad: mov $0xc000,%ax <
0x00000000000c83b0: mov %ax,0x42 <
0x00000000000c83b3: pop %ds <
etc.