From: "Alex Bennée" <alex.bennee@linaro.org>
To: Richard Henderson <rth@twiddle.net>
Cc: peter.maydell@linaro.org, pbonzini@redhat.com,
qemu-devel@nongnu.org, mttcg@greensocs.com,
fred.konrad@greensocs.com, a.rigo@virtualopensystems.com,
cota@braap.org, bobby.prani@gmail.com, nikunj@linux.vnet.ibm.com,
Peter Crosthwaite <crosthwaite.peter@gmail.com>
Subject: Re: [Qemu-devel] [PATCH v2 05/11] translate-all: exit cpu_restore_state early if translating
Date: Fri, 03 Mar 2017 10:03:07 +0000 [thread overview]
Message-ID: <87r32e1xus.fsf@linaro.org> (raw)
In-Reply-To: <4054a3ea-c278-11c3-9c0a-5ec952ef8598@twiddle.net>
Richard Henderson <rth@twiddle.net> writes:
> On 03/03/2017 06:53 AM, Alex Bennée wrote:
>> The translation code uses cpu_ld*_code which can trigger a tlb_fill
>> which if it fails will attempt a fault resolution. This never works
>> during translation as the TB being generated hasn't been added yet.
>> However with the new locking regime we end up double locking the
>> tb_lock(). As the tcg_ctx.cpu is only set during translation we use
>> this to short circuit the restore code and return with a fail.
>
> We *should* have retaddr == 0 for this case, which indicates that we
> should not attempt to restore state. Are you seeing a non-zero value?
Actually looking at xtensa I see:
Attempt to resolve CPU state @ 0x0 while translating
So maybe I should check just that - but I don't see where we ensure we
always pass zero.
>
> Hmm.. Or rather we should not have called cpu_restore_state in the
> first place. What is the call chain leading to this point?
Thread 3 "qemu-system-xte" hit Breakpoint 2, cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
338 qemu_log_mask(LOG_UNIMP, "Attempt to resolve CPU state @ 0x%" PRIxPTR
#0 0x00005555555e3712 in cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
#1 0x000055555564cb38 in tlb_fill (cs=cs@entry=0x555556032600, vaddr=vaddr@entry=537034752, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=mmu_idx@entry=1, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/op_helper.c:73
#2 0x000055555562d604 in helper_ret_ldb_cmmu (env=env@entry=0x55555603a890, addr=537034752, oi=<optimised out>, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/softmmu_template.h:127
#3 0x00005555556448df in gen_intermediate_code (retaddr=0, ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:102
#4 0x00005555556448df in gen_intermediate_code (ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:114
#5 0x00005555556448df in gen_intermediate_code (dc=0x7fffcca0f4d0, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:1052
#6 0x00005555556448df in gen_intermediate_code (env=0x55555603a890, tb=0x7fffccc7de00) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:3214
#7 0x00005555555e383b in tb_gen_code (cpu=cpu@entry=0x555556032600, pc=pc@entry=537034751, cs_base=cs_base@entry=0, flags=flags@entry=229393, cflags=<optimised out>, cflags@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:1288
#8 0x00005555555e5e41 in cpu_exec (tb_exit=0, last_tb=<optimised out>, cpu=0x38011) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:370
#9 0x00005555555e5e41 in cpu_exec (cpu=cpu@entry=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:685
#10 0x0000555555611898 in tcg_cpu_exec (cpu=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1254
#11 0x0000555555611bd4 in qemu_tcg_rr_cpu_thread_fn (arg=<optimised out>) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1350
#12 0x00007fffdf6606ba in start_thread (arg=0x7fffcca12700) at pthread_create.c:333
#13 0x00007fffdf39682d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Continuing.
Thread 3 "qemu-system-xte" hit Breakpoint 2, cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
338 qemu_log_mask(LOG_UNIMP, "Attempt to resolve CPU state @ 0x%" PRIxPTR
#0 0x00005555555e3712 in cpu_restore_state (cpu=cpu@entry=0x555556032600, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:338
#1 0x000055555564cb38 in tlb_fill (cs=cs@entry=0x555556032600, vaddr=vaddr@entry=4308992, access_type=access_type@entry=MMU_INST_FETCH, mmu_idx=mmu_idx@entry=1, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/op_helper.c:73
#2 0x000055555562d604 in helper_ret_ldb_cmmu (env=env@entry=0x55555603a890, addr=4308992, oi=<optimised out>, retaddr=retaddr@entry=0) at /home/alex/lsrc/qemu/qemu.git/softmmu_template.h:127
#3 0x00005555556448df in gen_intermediate_code (retaddr=0, ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:102
#4 0x00005555556448df in gen_intermediate_code (ptr=<optimised out>, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/include/exec/cpu_ldst_template.h:114
#5 0x00005555556448df in gen_intermediate_code (dc=0x7fffcca0f4d0, env=0x55555603a890) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:1052
#6 0x00005555556448df in gen_intermediate_code (env=0x55555603a890, tb=0x7fffccd0b1b0) at /home/alex/lsrc/qemu/qemu.git/target/xtensa/translate.c:3214
#7 0x00005555555e383b in tb_gen_code (cpu=cpu@entry=0x555556032600, pc=pc@entry=4308991, cs_base=cs_base@entry=0, flags=flags@entry=229393, cflags=<optimised out>, cflags@entry=0) at /home/alex/lsrc/qemu/qemu.git/translate-all.c:1288
#8 0x00005555555e5e41 in cpu_exec (tb_exit=0, last_tb=<optimised out>, cpu=0x38011) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:370
#9 0x00005555555e5e41 in cpu_exec (cpu=cpu@entry=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpu-exec.c:685
#10 0x0000555555611898 in tcg_cpu_exec (cpu=0x555556032600) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1254
#11 0x0000555555611bd4 in qemu_tcg_rr_cpu_thread_fn (arg=<optimised out>) at /home/alex/lsrc/qemu/qemu.git/cpus.c:1350
#12 0x00007fffdf6606ba in start_thread (arg=0x7fffcca12700) at pthread_create.c:333
#13 0x00007fffdf39682d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
> Is this in fact linux-user, not softmmu, as you imply from tlb_fill?
> Because handle_cpu_signal will in fact pass a genuine non-zero retaddr
> for the SIGSEGV resulting from a cpu_ld*_code from a non-mapped
> address.
I think that is another call chain that might trip us up. Peter
mentioned he'd hit it. This one is definitely softmmu.
> So... for linux-user I think the qemu_log is unnecessary -- that's
> just the way things are. For softmmu, I don't know what to think
> except that we shouldn't have gotten here.
I kinda agree but all SoftMMU targets have this potential path. Having
saif that I haven't seen it hit ARM, maybe because we take care not to
cross a page boundary?
I agree it would be better to handle fetching code bytes without this
potential for breakage but that would be a much bigger change and need
more testing this close to rc0.
>
>
> r~
--
Alex Bennée
next prev parent reply other threads:[~2017-03-03 10:03 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-02 19:53 [Qemu-devel] [PATCH v2 00/11] MTTCG fixups for 2.9 Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 01/11] vl/cpus: be smarter with icount and MTTCG Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 02/11] target/i386/cpu.h: declare TCG_GUEST_DEFAULT_MO Alex Bennée
2017-03-03 19:28 ` Eduardo Habkost
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 03/11] cpus.c: add additional error_report when !TARGET_SUPPORT_MTTCG Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 04/11] translate: downgrade IRQ BQL asserts to tcg_debug_assert Alex Bennée
2017-03-03 10:08 ` Peter Maydell
2017-03-03 11:05 ` Alex Bennée
2017-03-03 11:19 ` Peter Maydell
2017-03-03 19:35 ` Richard Henderson
2017-03-03 19:47 ` Eric Blake
2017-03-03 19:48 ` Eric Blake
2017-03-03 11:49 ` Paolo Bonzini
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 05/11] translate-all: exit cpu_restore_state early if translating Alex Bennée
2017-03-02 21:46 ` Richard Henderson
2017-03-03 10:03 ` Alex Bennée [this message]
2017-03-03 19:50 ` Richard Henderson
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 06/11] sparc/sparc64: grab BQL before calling cpu_check_irqs Alex Bennée
2017-03-03 11:47 ` Paolo Bonzini
2017-03-06 10:28 ` Alex Bennée
2017-03-06 13:22 ` Paolo Bonzini
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 07/11] s390x/misc_helper.c: wrap IO instructions in BQL Alex Bennée
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 08/11] target/xtensa: hold BQL for interrupt processing Alex Bennée
2017-03-07 0:15 ` Max Filippov
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 09/11] target/mips/op_helper: hold BQL before calling cpu_mips_get_count Alex Bennée
2017-03-03 11:18 ` Yongbok Kim
2017-03-03 12:54 ` Alex Bennée
2017-03-03 13:00 ` Yongbok Kim
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 10/11] target/arm/helper: make it clear the EC field is also in hex Alex Bennée
2017-03-03 17:07 ` Frederic Konrad
2017-03-03 18:10 ` Peter Maydell
2017-03-02 19:53 ` [Qemu-devel] [PATCH v2 11/11] hw/intc/arm_gic: modernise the DPRINTF Alex Bennée
2017-03-03 17:05 ` Frederic Konrad
2017-03-03 17:09 ` Peter Maydell
2017-03-03 18:09 ` Peter Maydell
2017-03-03 17:38 ` [Qemu-devel] [PATCH v2 00/11] MTTCG fixups for 2.9 Frederic Konrad
2017-03-06 9:43 ` Alex Bennée
2017-03-06 10:45 ` Frederic Konrad
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r32e1xus.fsf@linaro.org \
--to=alex.bennee@linaro.org \
--cc=a.rigo@virtualopensystems.com \
--cc=bobby.prani@gmail.com \
--cc=cota@braap.org \
--cc=crosthwaite.peter@gmail.com \
--cc=fred.konrad@greensocs.com \
--cc=mttcg@greensocs.com \
--cc=nikunj@linux.vnet.ibm.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).