From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53445)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Yongbok.Kim@imgtec.com>) id 1YxHGH-0005xM-OG
	for qemu-devel@nongnu.org; Tue, 26 May 2015 11:59:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Yongbok.Kim@imgtec.com>) id 1YxHGC-0007MF-5M
	for qemu-devel@nongnu.org; Tue, 26 May 2015 11:59:25 -0400
Received: from mailapp01.imgtec.com ([195.59.15.196]:37332)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Yongbok.Kim@imgtec.com>) id 1YxHGB-0007M3-Tk
	for qemu-devel@nongnu.org; Tue, 26 May 2015 11:59:20 -0400
Message-ID: <556497D8.7030708@imgtec.com>
Date: Tue, 26 May 2015 16:57:12 +0100
From: Yongbok Kim <yongbok.kim@imgtec.com>
MIME-Version: 1.0
References: <1432644395-45207-1-git-send-email-yongbok.kim@imgtec.com>
	<556495FC.2050405@twiddle.net>
In-Reply-To: <556495FC.2050405@twiddle.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] tcg: fix segfault when MO_UNALN is set
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Richard Henderson <rth@twiddle.net>, qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, leon.alrae@imgtec.com

On 26/05/2015 16:49, Richard Henderson wrote:
> On 05/26/2015 05:46 AM, Yongbok Kim wrote:
>> MO_UNALN caused segfaults when it is set, it reached out of boundary of
>> load/ store function pointer arrays in tcg_out_qemu_{ld,st}_slow_path()
>> or its equivalents.
> 
> I'd like to know more about this crash please.  Where does it happen?
> 
> 
> r~
> 

tcg/i386/tcg-target.c

> static void * const qemu_st_helpers[16] = {
>     [MO_UB]   = helper_ret_stb_mmu,
>     [MO_LEUW] = helper_le_stw_mmu,
>     [MO_LEUL] = helper_le_stl_mmu,
>     [MO_LEQ]  = helper_le_stq_mmu,
>     [MO_BEUW] = helper_be_stw_mmu,
>     [MO_BEUL] = helper_be_stl_mmu,
>     [MO_BEQ]  = helper_be_stq_mmu,
> };

...

> static void tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
> {

>     TCGMemOp opc = get_memop(oi);

>     /* "Tail call" to the helper, with the return address back inline.  */
>     tcg_out_push(s, retaddr);
>     tcg_out_jmp(s, qemu_st_helpers[opc]);

Here is the crashing point...

Regards,
Yongbok