From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33203)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rth7680@gmail.com>) id 1ZFJHA-0002sJ-Ix
	for qemu-devel@nongnu.org; Wed, 15 Jul 2015 05:46:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rth7680@gmail.com>) id 1ZFJH1-0007Su-27
	for qemu-devel@nongnu.org; Wed, 15 Jul 2015 05:46:48 -0400
Received: from mail-wg0-x22e.google.com ([2a00:1450:400c:c00::22e]:35808)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rth7680@gmail.com>) id 1ZFJH0-0007S5-KM
	for qemu-devel@nongnu.org; Wed, 15 Jul 2015 05:46:42 -0400
Received: by wgjx7 with SMTP id x7so28853565wgj.2
	for <qemu-devel@nongnu.org>; Wed, 15 Jul 2015 02:46:40 -0700 (PDT)
Sender: Richard Henderson <rth7680@gmail.com>
References: <1436891912-14742-1-git-send-email-leon.alrae@imgtec.com>
From: Richard Henderson <rth@twiddle.net>
Message-ID: <55A62BFD.6010108@twiddle.net>
Date: Wed, 15 Jul 2015 10:46:37 +0100
MIME-Version: 1.0
In-Reply-To: <1436891912-14742-1-git-send-email-leon.alrae@imgtec.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] target-mips: apply workaround for TCG
 optimizations for MFC1
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Leon Alrae <leon.alrae@imgtec.com>, qemu-devel@nongnu.org
Cc: aurelien@aurel32.net

On 07/14/2015 05:38 PM, Leon Alrae wrote:
> There seems to be an issue when trying to keep a pointer in bottom 32-bits
> of a 64-bit floating point register. Load and store instructions accessing
> this address for some reason use the whole 64-bit content of floating point
> register rather than truncated 32-bit value. The following load uses
> incorrect address which leads to a crash if upper 32 bits of $f0 isn't 0:
>
> 0x00400c60:  mfc1       t8,$f0
> 0x00400c64:  lw t9,0(t8)
>
> It can be reproduced with the following linux userland program when running
> on a MIPS32 with CP0.Status.FR=1 (by default mips32r5-generic and
> mips32r6-generic CPUs have this bit set in linux-user).
>
> int main(int argc, char *argv[])
> {
>      int tmp = 0x11111111;
>      /* Set f0 */
>      __asm__ ("mtc1  %0, $f0\n"
>               "mthc1 %1, $f0\n"
>               : : "r" (&tmp), "r" (tmp));
>      /* At this point $f0: w:76fff040 d:1111111176fff040 */
>      __asm__ ("mfc1 $t8, $f0\n"
>               "lw   $t9, 0($t8)\n"); /* <--- crash! */
>      return 0;
> }

What compilation options, exactly?  I'm having trouble reproducing.
Alternately, perhaps you can send me a binary.


r~