* [Qemu-devel] Bug in PPC TCG for rlwimi ?
@ 2014-05-13 20:56 Tom Musta
2014-05-13 21:09 ` Peter Maydell
0 siblings, 1 reply; 6+ messages in thread
From: Tom Musta @ 2014-05-13 20:56 UTC (permalink / raw)
To: QEMU Developers, Richard Henderson
I am chasing a bug in ppc64-linux-user when hosted on PPC 64.
I believe I have narrowed the problem to QEMU's emulation of an rlwimi instruction
in ld64.so. The in/out asm and register dump are below. And so is the ppc translation source.
The inbound contents of r4 are 0x24. The expected value of r4 after "rlwimi r4,r4,8,16,23"
is 0x2424 but is zero. What looks strange to me in the out_asm is the "lwz r14,32(r27)"
instruction, which appears to be generated from the "tcg_gen_trunc_i64_i32(t2,cpu_gpr[rS(ctx->opcode)])"
statement. If it is going to load only 4 bytes, shouldn't it be at offset 32+4 ?
I have not yet been able to connect the dots between the QEMU source and the emitted (TCG)
code.
Here is the main piece of the rlwimi translation code (target-ppc/translate.c):
    target_ulong mask;
    TCGv t1;
    TCGv t0 = tcg_temp_new();
#if defined(TARGET_PPC64)
    /* rotate only the low 32 bits of rS: truncate, rotate, zero-extend */
    TCGv_i32 t2 = tcg_temp_new_i32();
    tcg_gen_trunc_i64_i32(t2, cpu_gpr[rS(ctx->opcode)]);
    tcg_gen_rotli_i32(t2, t2, sh);
    tcg_gen_extu_i32_i64(t0, t2);
    tcg_temp_free_i32(t2);
#else
    tcg_gen_rotli_i32(t0, cpu_gpr[rS(ctx->opcode)], sh);
#endif
#if defined(TARGET_PPC64)
    /* the rlwimi mask addresses the low word of the 64-bit register */
    mb += 32;
    me += 32;
#endif
    mask = MASK(mb, me);
    t1 = tcg_temp_new();
    /* rA = (rotated rS & mask) | (rA & ~mask) */
    tcg_gen_andi_tl(t0, t0, mask);
    tcg_gen_andi_tl(t1, cpu_gpr[rA(ctx->opcode)], ~mask);
    tcg_gen_or_tl(cpu_gpr[rA(ctx->opcode)], t0, t1);
    tcg_temp_free(t0);
    tcg_temp_free(t1);
And here is the input/output asm from
IN:
0x00000fffa7fc2ae4: rlwimi r4,r4,8,16,23
OUT: [size=136]
0x603638c0: lwz r14,-4(r27)
0x603638c4: cmpwi cr7,r14,0
0x603638c8: bne- cr7,0x60363934
0x603638cc: lwz r14,32(r27) # this looks strange
0x603638d0: mr r15,r14
0x603638d4: rotlwi r15,r15,8
0x603638d8: andi. r15,r15,65280
0x603638dc: lis r0,-1
0x603638e0: ori r0,r0,255
0x603638e4: and r14,r14,r0
0x603638e8: or r14,r15,r14
0x603638ec: std r14,32(r27)
0x603638f0: .long 0x0
0x603638f4: .long 0x0
0x603638f8: .long 0x0
0x603638fc: .long 0x0
0x60363900: .long 0x0
0x60363904: .long 0x0
0x60363908: .long 0x0
0x6036390c: li r14,4095
0x60363910: rldicr r14,r14,32,31
0x60363914: oris r14,r14,43004
0x60363918: ori r14,r14,10984
0x6036391c: std r14,696(r27)
0x60363920: li r3,4095
0x60363924: rldicr r3,r3,32,31
0x60363928: oris r3,r3,43021
0x6036392c: ori r3,r3,56368
0x60363930: b 0x6231d668
0x60363934: li r3,4095
0x60363938: rldicr r3,r3,32,31
0x6036393c: oris r3,r3,43021
0x60363940: ori r3,r3,56371
0x60363944: b 0x6231d668
NIP 00000fffa7fc2ae4 LR 00000fffa7fb5af0 CTR 0000000000000007 XER 0000000000000000
MSR 8000000002806000 HID0 0000000000000000 HF 0000000002806000 idx 0
TB 00000000 00000000
GPR00 00000000100002d9 0000004000a0e070 00000fffa7fe8ae8 00000000100002d9
GPR04 0000000000000024 0000000000000000 0000000000000000 0000000000000000
GPR08 0000000000000000 0000000010010978 000000007fffffff 0000000000000001
GPR12 0000000034000042 0000000000000000 fffffffffffffffd 0000004000a0e0e0
GPR16 0000004000a0e0e0 00000fffa7fe2a58 0000000000000001 0000004000a0e0e0
GPR20 0000004000a0e0e0 0000000000000001 0000000000000000 0000004000a0e130
GPR24 0000004000a0e128 0000004000a0e138 0000004000a0e120 00000000100002d8
GPR28 00000fffa7fe2a58 0000000000000000 0000000010010938 0000004000a0e0b0
CR 34002042 [ EO G - - E - G E ] RES ffffffffffffffff
FPR00 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR04 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR08 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR12 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR16 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR20 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR24 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPR28 0000000000000000 0000000000000000 0000000000000000 0000000000000000
FPSCR 0000000000000000
IN:
0x00000fffa7fc2ae8: li r11,-1
OUT: [size=108]
0x60363950: lwz r14,-4(r27)
0x60363954: cmpwi cr7,r14,0
0x60363958: bne- cr7,0x603639a8
0x6036395c: li r14,-1
0x60363960: std r14,88(r27)
0x60363964: .long 0x0
0x60363968: .long 0x0
0x6036396c: .long 0x0
0x60363970: .long 0x0
0x60363974: .long 0x0
0x60363978: .long 0x0
0x6036397c: .long 0x0
0x60363980: li r14,4095
0x60363984: rldicr r14,r14,32,31
0x60363988: oris r14,r14,43004
0x6036398c: ori r14,r14,10988
0x60363990: std r14,696(r27)
0x60363994: li r3,4095
0x60363998: rldicr r3,r3,32,31
0x6036399c: oris r3,r3,43021
0x603639a0: ori r3,r3,56488
0x603639a4: b 0x6231d668
0x603639a8: li r3,4095
0x603639ac: rldicr r3,r3,32,31
0x603639b0: oris r3,r3,43021
0x603639b4: ori r3,r3,56491
0x603639b8: b 0x6231d668
NIP 00000fffa7fc2ae8 LR 00000fffa7fb5af0 CTR 0000000000000007 XER 0000000000000000
MSR 8000000002806000 HID0 0000000000000000 HF 0000000002806000 idx 0
TB 00000000 00000000
GPR00 00000000100002d9 0000004000a0e070 00000fffa7fe8ae8 00000000100002d9
GPR04 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR08 0000000000000000 0000000010010978 000000007fffffff 0000000000000001
GPR12 0000000034000042 0000000000000000 fffffffffffffffd 0000004000a0e0e0
GPR16 0000004000a0e0e0 00000fffa7fe2a58 0000000000000001 0000004000a0e0e0
GPR20 0000004000a0e0e0 0000000000000001 0000000000000000 0000004000a0e130
GPR24 0000004000a0e128 0000004000a0e138 0000004000a0e120 00000000100002d8
GPR28 00000fffa7fe2a58 0000000000000000 0000000010010938 0000004000a0e0b0
* Re: [Qemu-devel] Bug in PPC TCG for rlwimi ?
From: Peter Maydell @ 2014-05-13 21:09 UTC (permalink / raw)
To: Tom Musta; +Cc: QEMU Developers, Richard Henderson
On 13 May 2014 21:56, Tom Musta <tommusta@gmail.com> wrote:
> I am chasing a bug in ppc64-linux-user when hosted on PPC 64.
>
> I believe I have narrowed the problem to QEMU's emulation of an rlwimi instruction
> in ld64.so. The in/out asm and register dump are below. And so is the ppc translation source.
>
> The inbound contents of r4 are 0x24. The expected value of r4 after "rlwimi r4,r4,8,16,23"
> is 0x2424 but is zero. What looks strange to me in the out_asm is the "lwz r14,32(r27)"
> instruction, which appears to be generated from the "tcg_gen_trunc_i64_i32(t2,cpu_gpr[rS(ctx->opcode)])"
> statement. If it is going to load only 4 bytes, shouldn't it be at offset 32+4 ?
Is the host big or little endian PPC? Offset 32 is right for little-endian...
> I have not yet been able to connect the dots between the QEMU source and the emitted (TCG)
> code.
Dumping the TCG opcodes would probably help here (-d op)...
thanks
-- PMM
* Re: [Qemu-devel] Bug in PPC TCG for rlwimi ?
From: Richard Henderson @ 2014-05-13 21:11 UTC (permalink / raw)
To: Peter Maydell, Tom Musta; +Cc: QEMU Developers
On 05/13/2014 02:09 PM, Peter Maydell wrote:
> Dumping the TCG opcodes would probably help here (-d op)...
Use -d op if you suspect a bug in the translator.
Use -d op_opt if you suspect a bug in the out_asm.
r~
* Re: [Qemu-devel] Bug in PPC TCG for rlwimi ?
From: Tom Musta @ 2014-05-13 21:32 UTC (permalink / raw)
To: Richard Henderson, Peter Maydell; +Cc: QEMU Developers
On 5/13/2014 4:11 PM, Richard Henderson wrote:
> On 05/13/2014 02:09 PM, Peter Maydell wrote:
>> Dumping the TCG opcodes would probably help here (-d op)...
>
> Use -d op if you suspect a bug in the translator.
> Use -d op_opt if you suspect a bug in the out_asm.
>
>
> r~
>
It is big endian.
Here is the -d op output. What does the "mov_i32 tmp0,r4" op mean
when r4 is an i64?
IN:
0x00000fffa87a2ae4: rlwimi r4,r4,8,16,23
OP:
ld_i32 tmp0,env,$0xfffffffffffffffc
movi_i32 tmp1,$0x0
brcond_i32 tmp0,tmp1,ne,$0x0
---- 0xfffa87a2ae4
mov_i32 tmp0,r4
movi_i32 tmp1,$0x8
rotl_i32 tmp0,tmp0,tmp1
movi_i64 tmp3,$0xffffffff
and_i64 tmp2,tmp0,tmp3
movi_i64 tmp4,$0xff00
and_i64 tmp2,tmp2,tmp4
movi_i64 tmp4,$0xffffffffffff00ff
and_i64 tmp3,r4,tmp4
or_i64 r4,tmp2,tmp3
goto_tb $0x0
movi_i64 nip,$0xfffa87a2ae8
exit_tb $0xfffa88bdc30
set_label $0x0
exit_tb $0xfffa88bdc33
The op_opt output is this:
OP after optimization and liveness analysis:
ld_i32 tmp0,env,$0xfffffffffffffffc
movi_i32 tmp1,$0x0
brcond_i32 tmp0,tmp1,ne,$0x0
---- 0xfff7efa2ae4
mov_i32 tmp0,r4
movi_i32 tmp1,$0x8
rotl_i32 tmp0,tmp0,tmp1
nopn $0x2,$0x2
mov_i64 tmp2,tmp0
movi_i64 tmp4,$0xff00
and_i64 tmp2,tmp2,tmp4
movi_i64 tmp4,$0xffffffffffff00ff
and_i64 tmp3,r4,tmp4
or_i64 r4,tmp2,tmp3
goto_tb $0x0
movi_i64 nip,$0xfff7efa2ae8
exit_tb $0xfff7f0bdc30
set_label $0x0
exit_tb $0xfff7f0bdc33
end
OUT: [size=136]
0x603638c0: lwz r14,-4(r27)
0x603638c4: cmpwi cr7,r14,0
0x603638c8: bne- cr7,0x60363934
0x603638cc: lwz r14,32(r27)
0x603638d0: mr r15,r14
0x603638d4: rotlwi r15,r15,8
0x603638d8: andi. r15,r15,65280
0x603638dc: lis r0,-1
0x603638e0: ori r0,r0,255
0x603638e4: and r14,r14,r0
0x603638e8: or r14,r15,r14
0x603638ec: std r14,32(r27)
0x603638f0: .long 0x0
0x603638f4: .long 0x0
0x603638f8: .long 0x0
0x603638fc: .long 0x0
0x60363900: .long 0x0
0x60363904: .long 0x0
0x60363908: .long 0x0
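As an added example (not code from the thread or from QEMU), here is a small C model of what the exchange above points to: the architectural rlwimi result for the page's case next to a model of the emitted host code, where the single lwz at the start of the 8-byte register slot feeds both the rotate and the 64-bit and. Function names are my own; the big-endian/little-endian split follows Peter's remark about offset 32 and Tom's "It is big endian".

```c
#include <stdint.h>
#include <stdio.h>

/* MASK(mb, me) in PowerPC bit numbering over 64 bits (bit 0 = MSB),
 * wrap-around (mb > me) included; same formula as translate.c's MASK(). */
static uint64_t ppc_mask(unsigned mb, unsigned me)
{
    uint64_t ret = (UINT64_MAX >> mb) ^ ((UINT64_MAX >> me) >> 1);
    return mb > me ? ~ret : ret;
}
static uint32_t rotl32(uint32_t v, unsigned sh)
{
    sh &= 31;
    return sh ? (v << sh) | (v >> (32 - sh)) : v;
}
/* Rotate a 32-bit word and insert it into rA under MASK(MB + 32, ME + 32).
 * The ISA's ROTL32 replicates the word into both halves; for MB <= ME the
 * mask stays in the low word, so this equals the excerpt's zero-extension. */
static uint64_t rlwimi_insert(uint64_t ra, uint32_t word,
                              unsigned sh, unsigned mb, unsigned me)
{
    uint64_t mask = ppc_mask(mb + 32, me + 32);
    uint64_t rot = rotl32(word, sh);
    rot |= rot << 32;
    return (rot & mask) | (ra & ~mask);
}
/* Architectural rlwimi rA,rS,SH,MB,ME: the rotated word is the LOW 32 bits of rS. */
uint64_t rlwimi_ref(uint64_t ra, uint64_t rs, unsigned sh, unsigned mb, unsigned me)
{
    return rlwimi_insert(ra, (uint32_t)rs, sh, mb, me);
}
/* Model of the out_asm on the page for rlwimi rX,rX,...: one "lwz" at the
 * start of the 8-byte register slot (the HIGH word on a big-endian host,
 * the low word on little-endian) feeds both the rotate and the 64-bit
 * "and" with ~mask, so the old upper half of rX is dropped as well. */
uint64_t rlwimi_same_reg_hostbug(uint64_t rx, int host_big_endian,
                                 unsigned sh, unsigned mb, unsigned me)
{
    uint64_t loaded = host_big_endian ? (uint32_t)(rx >> 32) : (uint32_t)rx;
    return rlwimi_insert(loaded, (uint32_t)loaded, sh, mb, me);
}

int main(void)
{
    uint64_t r4 = 0x24;   /* inbound r4 from the register dump on the page */
    printf("architectural: 0x%llx\n", (unsigned long long)rlwimi_ref(r4, r4, 8, 16, 23));
    printf("BE host model: 0x%llx\n", (unsigned long long)rlwimi_same_reg_hostbug(r4, 1, 8, 16, 23));
    return 0;
}
```

The same-register model reproduces the zero seen in the second register dump on a big-endian host and the correct 0x2424 on a little-endian one, which is why the symptom only shows up on one kind of host.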
* Re: [Qemu-devel] Bug in PPC TCG for rlwimi ?
From: Richard Henderson @ 2014-05-13 21:40 UTC (permalink / raw)
To: Tom Musta, Peter Maydell; +Cc: QEMU Developers, Thomas Huth
On 05/13/2014 02:32 PM, Tom Musta wrote:
> Here is the -d op output. What does the "mov_i32 tmp0,r4" op mean
> when r4 is an i64?
It's supposed to be the truncate.
I believe I know what's going on. I've introduced this bug yesterday, of
course. Thomas Huth bisected a problem with an s390 host, and I strongly
suspect that it's the same bug. (I haven't been able to reserve an s390 build
system today to verify.)
Try the tree prior to af3cbfbe8018ccc16fb3a0048e928f66f0d05e87 and see
if things work.
Ho hum. Patch coming soon.
r~
* Re: [Qemu-devel] Bug in PPC TCG for rlwimi ?
From: Tom Musta @ 2014-05-13 21:59 UTC (permalink / raw)
To: Richard Henderson, Peter Maydell; +Cc: QEMU Developers, Thomas Huth
On 5/13/2014 4:40 PM, Richard Henderson wrote:
> On 05/13/2014 02:32 PM, Tom Musta wrote:
>> Here is the -d op output. What does the "mov_i32 tmp0,r4" op mean
>> when r4 is an i64?
>
> It's supposed to be the truncate.
>
> I believe I know what's going on. I've introduced this bug yesterday, of
> course. Thomas Huth bisected a problem with an s390 host, and I strongly
> suspect that it's the same bug. (I haven't been able to reserve an s390 build
> system today to verify.)
>
> Try the tree prior to af3cbfbe8018ccc16fb3a0048e928f66f0d05e87 and see
> if things work.
>
> Ho hum. Patch coming soon.
>
>
> r~
>
Yes ... that worked ... sort of.
I had to back up prior to this:
fdd8ec71847b5167a4be524c2d22d186fc3b6e3a is the first bad commit
to get to a point that built.
Thanks, Peter and Richard for the help.