From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55286)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jcmvbkbc@gmail.com>) id 1Ux6ji-0002O9-E4
	for qemu-devel@nongnu.org; Wed, 10 Jul 2013 22:36:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jcmvbkbc@gmail.com>) id 1Ux6jh-00041Z-15
	for qemu-devel@nongnu.org; Wed, 10 Jul 2013 22:36:02 -0400
Received: from mail-lb0-x22a.google.com ([2a00:1450:4010:c04::22a]:63367)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jcmvbkbc@gmail.com>) id 1Ux6jg-00041H-Jf
	for qemu-devel@nongnu.org; Wed, 10 Jul 2013 22:36:00 -0400
Received: by mail-lb0-f170.google.com with SMTP id t13so6206669lbd.29
	for <qemu-devel@nongnu.org>; Wed, 10 Jul 2013 19:35:59 -0700 (PDT)
Message-ID: <51DE1A04.1080602@gmail.com>
Date: Thu, 11 Jul 2013 06:35:48 +0400
From: Max Filippov <jcmvbkbc@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [Qemu-devel] qemu aborts with temp_save: Assertion
 `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>, Richard Henderson <rth@twiddle.net>, qemu-devel <qemu-devel@nongnu.org>

Hi Peter,

I suddenly found qemu built with debug enabled aborting with an assertion on one of xtensa tests:

qemu-system-xtensa -M sim -cpu dc232b -nographic -semihosting  -kernel ./test_sr.tst
QEMU 1.4.50 monitor - type 'help' for more information
(qemu) QEMU 1.4.50 monitor - type 'help' for more information
(qemu) qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.

This happens in the mainline as well, bisection points to the following commit:

commit 378df4b23753a11be650af7664ca76bc75cb9f01
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Fri Feb 22 18:10:03 2013 +0000

    Handle CPU interrupts by inline checking of a flag


I have the following traces when it happens, any idea of what could go wrong?

OP:
 ld_i32 loc0,env,$0xffffffffffffffc8
 movi_i32 tmp1,$0x0
 brcond_i32 loc0,tmp1,ne,$0x0
 ---- 0xd0000fde

 ---- 0xd0000fe0
 movi_i32 tmp1,$0xd0000fe0
 movi_i32 tmp2,$0x1
 movi_i32 tmp3,$0x2
 movi_i64 tmp4,$advance_ccount
 call tmp4,$0x0,$0,env,tmp3
 movi_i64 tmp4,$window_check
 call tmp4,$0x0,$0,env,tmp1,tmp2
 movi_i32 ar4,$0x0

 ---- 0xd0000fe2
 movi_i32 tmp1,$0xd00003f0
 qemu_ld32 ar2,tmp1,$0x0

 ---- 0xd0000fe5
 movi_i32 tmp1,$0xd0000470
 qemu_ld32 ar3,tmp1,$0x0

 ---- 0xd0000fe8
 mov_i32 tmp1,ar2
 qemu_st32 ar3,tmp1,$0x0

 ---- 0xd0000fea
 movi_i32 tmp1,$0xd0000fea
 movi_i32 tmp2,$0x0
 movi_i32 tmp3,$0x4
 movi_i64 tmp4,$advance_ccount
 call tmp4,$0x0,$0,env,tmp3
 movi_i64 tmp4,$exception_cause
 call tmp4,$0x0,$0,env,tmp1,tmp2
 mov_i32 env,ar4
 set_label $0x0
 exit_tb $0x7fffed6373b3

qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffed633700 (LWP 29011)]
0x00007ffff545bc55 in raise () from /lib64/libc.so.6
...
(gdb) bt
#0  temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at tcg/tcg.c:1673
#1  0x0000555555730fd6 in save_globals (s=0x55555624a2a0 <tcg_ctx>, allocated_regs=16400) at tcg/tcg.c:1688
#2  0x00005555557311b9 in tcg_reg_alloc_bb_end (s=0x55555624a2a0 <tcg_ctx>, allocated_regs=16400) at tcg/tcg.c:1731
#3  0x0000555555732e5d in tcg_gen_code_common (s=0x55555624a2a0 <tcg_ctx>, gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200",
search_pc=-1) at tcg/tcg.c:2300
#4  0x0000555555733029 in tcg_gen_code (s=0x55555624a2a0 <tcg_ctx>, gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200") at
tcg/tcg.c:2356
#5  0x0000555555733d3d in cpu_xtensa_gen_code (env=0x5555562b43c0, tb=0x7fffed6373b0, gen_code_size_ptr=0x7fffed632a70) at translate-all.c:175
#6  0x00005555557351cf in tb_gen_code (env=0x5555562b43c0, pc=3489664990, cs_base=0, flags=0, cflags=0) at translate-all.c:958
#7  0x00005555556c8216 in tb_find_slow (env=0x5555562b43c0, pc=3489664990, cs_base=0, flags=0) at cpu-exec.c:141
#8  0x00005555556c839d in tb_find_fast (env=0x5555562b43c0) at cpu-exec.c:168
#9  0x00005555556c8722 in cpu_xtensa_exec (env=0x5555562b43c0) at cpu-exec.c:583
#10 0x00005555556cb719 in tcg_cpu_exec (env=0x5555562b43c0) at cpus.c:1117
#11 0x00005555556cb850 in tcg_exec_all () at cpus.c:1150
#12 0x00005555556cab40 in qemu_tcg_cpu_thread_fn (arg=0x5555562b42b0) at cpus.c:843
#13 0x00007ffff64d0d15 in start_thread () from /lib64/libpthread.so.0
#14 0x00007ffff551853d in clone () from /lib64/libc.so.6
(gdb) f 4
#4  0x0000555555730f85 in temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at tcg/tcg.c:1673
1673        assert(s->temps[temp].val_type == TEMP_VAL_MEM || s->temps[temp].fixed_reg);
(gdb) p s->temps[temp]
$2 = {
  base_type = TCG_TYPE_I32,
  type = TCG_TYPE_I32,
  val_type = 1,
  reg = 5,
  val = 0,
  mem_reg = 14,
  mem_offset = 24,
  fixed_reg = 0,
  mem_coherent = 1,
  mem_allocated = 1,
  temp_local = 0,
  temp_allocated = 0,
  next_free_temp = 0,
  name = 0x5555557826e0 "ar4"
}

-- 
Thanks.
-- Max