* [PATCH 0/2] cmpxchg and lock cmpxchg should not touch accumulator [not found] <20220319160658.336882-1-lw945lw945.ref@yahoo.com> @ 2022-03-19 16:06 ` Wei Li 2022-03-19 16:06 ` [PATCH 1/2] fix cmpxchg instruction Wei Li 2022-03-19 16:06 ` [PATCH 2/2] fix lock " Wei Li 0 siblings, 2 replies; 6+ messages in thread From: Wei Li @ 2022-03-19 16:06 UTC (permalink / raw) To: pbonzini, richard.henderson, eduardo; +Cc: qemu-devel, Wei Li Resolves: https://gitlab.com/qemu-project/qemu/-/issues/508 This series fix a bug reported on issues 508. The problem is cmpxchg and lock cmpxchg would touch accumulator when they should not do that. Wei Li (2): fix cmpxchg instruction fix lock cmpxchg instruction target/i386/tcg/translate.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) -- 2.30.2 ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/2] fix cmpxchg instruction 2022-03-19 16:06 ` [PATCH 0/2] cmpxchg and lock cmpxchg should not touch accumulator Wei Li @ 2022-03-19 16:06 ` Wei Li 2022-03-20 19:07 ` Richard Henderson 2022-03-19 16:06 ` [PATCH 2/2] fix lock " Wei Li 1 sibling, 1 reply; 6+ messages in thread From: Wei Li @ 2022-03-19 16:06 UTC (permalink / raw) To: pbonzini, richard.henderson, eduardo; +Cc: qemu-devel, Wei Li We need a branch to determine when the instruction can touch the accumulator. But there is a branch provided by movcond. So it is redundant to use both branch and movcond. Just use one branch to solve the problem according to intel manual. Signed-off-by: Wei Li <lw945lw945@yahoo.com> --- target/i386/tcg/translate.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c index 2a94d33742..05be8d08e6 100644 --- a/target/i386/tcg/translate.c +++ b/target/i386/tcg/translate.c @@ -5339,15 +5339,17 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) case 0x1b0: case 0x1b1: /* cmpxchg Ev, Gv */ { - TCGv oldv, newv, cmpv; + TCGLabel *label1, *label2; + TCGv oldv, newv, cmpv, a0; ot = mo_b_d(b, dflag); modrm = x86_ldub_code(env, s); reg = ((modrm >> 3) & 7) | REX_R(s); mod = (modrm >> 6) & 3; - oldv = tcg_temp_new(); - newv = tcg_temp_new(); - cmpv = tcg_temp_new(); + oldv = tcg_temp_local_new(); + newv = tcg_temp_local_new(); + cmpv = tcg_temp_local_new(); + a0 = tcg_temp_local_new(); gen_op_mov_v_reg(s, ot, newv, reg); tcg_gen_mov_tl(cmpv, cpu_regs[R_EAX]); @@ -5365,24 +5367,32 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) gen_op_mov_v_reg(s, ot, oldv, rm); } else { gen_lea_modrm(env, s, modrm); - gen_op_ld_v(s, ot, oldv, s->A0); + tcg_gen_mov_tl(a0, s->A0); + gen_op_ld_v(s, ot, oldv, a0); rm = 0; /* avoid warning */ } + label1 = gen_new_label(); gen_extu(ot, oldv); gen_extu(ot, cmpv); - /* store value = (old == cmp ? new : old); */ - tcg_gen_movcond_tl(TCG_COND_EQ, newv, oldv, cmpv, newv, oldv); + tcg_gen_brcond_tl(TCG_COND_EQ, oldv, cmpv, label1); + label2 = gen_new_label(); if (mod == 3) { gen_op_mov_reg_v(s, ot, R_EAX, oldv); + tcg_gen_br(label2); + gen_set_label(label1); gen_op_mov_reg_v(s, ot, rm, newv); } else { /* Perform an unconditional store cycle like physical cpu; must be before changing accumulator to ensure idempotency if the store faults and the instruction is restarted */ - gen_op_st_v(s, ot, newv, s->A0); + gen_op_st_v(s, ot, oldv, a0); gen_op_mov_reg_v(s, ot, R_EAX, oldv); + tcg_gen_br(label2); + gen_set_label(label1); + gen_op_st_v(s, ot, newv, a0); } + gen_set_label(label2); } tcg_gen_mov_tl(cpu_cc_src, oldv); tcg_gen_mov_tl(s->cc_srcT, cmpv); @@ -5391,6 +5401,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) tcg_temp_free(oldv); tcg_temp_free(newv); tcg_temp_free(cmpv); + tcg_temp_free(a0); } break; case 0x1c7: /* cmpxchg8b */ -- 2.30.2 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] fix cmpxchg instruction 2022-03-19 16:06 ` [PATCH 1/2] fix cmpxchg instruction Wei Li @ 2022-03-20 19:07 ` Richard Henderson 0 siblings, 0 replies; 6+ messages in thread From: Richard Henderson @ 2022-03-20 19:07 UTC (permalink / raw) To: Wei Li, pbonzini, eduardo; +Cc: qemu-devel On 3/19/22 09:06, Wei Li wrote: > We need a branch to determine when the instruction can touch the > accumulator. But there is a branch provided by movcond. There is no branch in movcond -- this expands to cmov. > - /* store value = (old == cmp ? new : old); */ > - tcg_gen_movcond_tl(TCG_COND_EQ, newv, oldv, cmpv, newv, oldv); > + tcg_gen_brcond_tl(TCG_COND_EQ, oldv, cmpv, label1); ... > /* Perform an unconditional store cycle like physical cpu; > must be before changing accumulator to ensure > idempotency if the store faults and the instruction > is restarted */ Your branch invalidates the comment -- the store becomes conditional, and we no longer get a write fault on read-only pages when the comparison fails. OTOH, we're already getting the incorrect SIGSEGV behaviour, since we get a read fault on an unmapped page instead of a write fault. The faulting behaviour could be addressed with a write_probe prior to the original load. Alternately, we can use the tcg_gen_atomic_cmpxchg_tl path whenever mod != 3. While an unlocked cmpxchg need not be atomic, it is not required to be non-atomic either, and it would reduce code duplication. r~ ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 2/2] fix lock cmpxchg instruction 2022-03-19 16:06 ` [PATCH 0/2] cmpxchg and lock cmpxchg should not touch accumulator Wei Li 2022-03-19 16:06 ` [PATCH 1/2] fix cmpxchg instruction Wei Li @ 2022-03-19 16:06 ` Wei Li 2022-03-20 19:21 ` Richard Henderson 1 sibling, 1 reply; 6+ messages in thread From: Wei Li @ 2022-03-19 16:06 UTC (permalink / raw) To: pbonzini, richard.henderson, eduardo; +Cc: qemu-devel, Wei Li For lock cmpxchg, the situation is more complex. After the instruction is completed by tcg_gen_atomic_cmpxchg_tl, it needs a branch to judge if oldv == cmpv or not. The instruction only touches accumulator when oldv != cmpv. Signed-off-by: Wei Li <lw945lw945@yahoo.com> --- target/i386/tcg/translate.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c index 05be8d08e6..4fd9c03cb7 100644 --- a/target/i386/tcg/translate.c +++ b/target/i386/tcg/translate.c @@ -5360,7 +5360,12 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) gen_lea_modrm(env, s, modrm); tcg_gen_atomic_cmpxchg_tl(oldv, s->A0, cmpv, newv, s->mem_index, ot | MO_LE); + label1 = gen_new_label(); + gen_extu(ot, oldv); + gen_extu(ot, cmpv); + tcg_gen_brcond_tl(TCG_COND_EQ, oldv, cmpv, label1); gen_op_mov_reg_v(s, ot, R_EAX, oldv); + gen_set_label(label1); } else { if (mod == 3) { rm = (modrm & 7) | REX_B(s); -- 2.30.2 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 2/2] fix lock cmpxchg instruction 2022-03-19 16:06 ` [PATCH 2/2] fix lock " Wei Li @ 2022-03-20 19:21 ` Richard Henderson 2022-03-21 8:50 ` Wei Li 0 siblings, 1 reply; 6+ messages in thread From: Richard Henderson @ 2022-03-20 19:21 UTC (permalink / raw) To: Wei Li, pbonzini, eduardo; +Cc: qemu-devel On 3/19/22 09:06, Wei Li wrote: > For lock cmpxchg, the situation is more complex. After the instruction > is completed by tcg_gen_atomic_cmpxchg_tl, it needs a branch to judge > if oldv == cmpv or not. The instruction only touches accumulator when > oldv != cmpv. > > Signed-off-by: Wei Li <lw945lw945@yahoo.com> > --- > target/i386/tcg/translate.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c > index 05be8d08e6..4fd9c03cb7 100644 > --- a/target/i386/tcg/translate.c > +++ b/target/i386/tcg/translate.c > @@ -5360,7 +5360,12 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) > gen_lea_modrm(env, s, modrm); > tcg_gen_atomic_cmpxchg_tl(oldv, s->A0, cmpv, newv, > s->mem_index, ot | MO_LE); > + label1 = gen_new_label(); > + gen_extu(ot, oldv); > + gen_extu(ot, cmpv); > + tcg_gen_brcond_tl(TCG_COND_EQ, oldv, cmpv, label1); > gen_op_mov_reg_v(s, ot, R_EAX, oldv); This is better addressed with a movcond: TCGv temp = tcg_temp_new(); tcg_gen_mov_tl(temp, cpu_regs[R_EAX]); /* Perform the merge into %al or %ax as required by ot. */ gen_op_mov_reg_v(s, ot, R_EAX, oldv); /* Undo the entire modification to %rax if comparison equal. */ tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EAX], oldv, cmpv, cpu_regs[R_EAX], temp); tcg_temp_free(temp); r~ ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 2/2] fix lock cmpxchg instruction 2022-03-20 19:21 ` Richard Henderson @ 2022-03-21 8:50 ` Wei Li 0 siblings, 0 replies; 6+ messages in thread From: Wei Li @ 2022-03-21 8:50 UTC (permalink / raw) To: pbonzini@redhat.com, eduardo@habkost.net, Richard Henderson Cc: qemu-devel@nongnu.org [-- Attachment #1: Type: text/plain, Size: 1935 bytes --] >This is better addressed with a movcond: OK. a movcond is better than a branch. : ) I will update in patch v2. Wei Li On Monday, March 21, 2022, 03:21:27 AM GMT+8, Richard Henderson <richard.henderson@linaro.org> wrote: On 3/19/22 09:06, Wei Li wrote: > For lock cmpxchg, the situation is more complex. After the instruction > is completed by tcg_gen_atomic_cmpxchg_tl, it needs a branch to judge > if oldv == cmpv or not. The instruction only touches accumulator when > oldv != cmpv. > > Signed-off-by: Wei Li <lw945lw945@yahoo.com> > --- > target/i386/tcg/translate.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c > index 05be8d08e6..4fd9c03cb7 100644 > --- a/target/i386/tcg/translate.c > +++ b/target/i386/tcg/translate.c > @@ -5360,7 +5360,12 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) > gen_lea_modrm(env, s, modrm); > tcg_gen_atomic_cmpxchg_tl(oldv, s->A0, cmpv, newv, > s->mem_index, ot | MO_LE); > + label1 = gen_new_label(); > + gen_extu(ot, oldv); > + gen_extu(ot, cmpv); > + tcg_gen_brcond_tl(TCG_COND_EQ, oldv, cmpv, label1); > gen_op_mov_reg_v(s, ot, R_EAX, oldv); This is better addressed with a movcond: TCGv temp = tcg_temp_new(); tcg_gen_mov_tl(temp, cpu_regs[R_EAX]); /* Perform the merge into %al or %ax as required by ot. */ gen_op_mov_reg_v(s, ot, R_EAX, oldv); /* Undo the entire modification to %rax if comparison equal. */ tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EAX], oldv, cmpv, cpu_regs[R_EAX], temp); tcg_temp_free(temp); r~ [-- Attachment #2: Type: text/html, Size: 4090 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-03-21 8:51 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20220319160658.336882-1-lw945lw945.ref@yahoo.com>
2022-03-19 16:06 ` [PATCH 0/2] cmpxchg and lock cmpxchg should not touch accumulator Wei Li
2022-03-19 16:06 ` [PATCH 1/2] fix cmpxchg instruction Wei Li
2022-03-20 19:07 ` Richard Henderson
2022-03-19 16:06 ` [PATCH 2/2] fix lock " Wei Li
2022-03-20 19:21 ` Richard Henderson
2022-03-21 8:50 ` Wei Li
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).