From: Artyom Tarasenko
Date: Tue, 26 Apr 2011 19:02:08 +0200
Subject: Re: [Qemu-devel] tcg/tcg.c:1892: tcg fatal error
To: Aurelien Jarno
Cc: Laurent Desnogues, Blue Swirl, qemu-devel, peter.maydell@linaro.org
In-Reply-To: <20110425202927.GD21831@volta.aurel32.net>

On Mon, Apr 25, 2011 at 10:29 PM, Aurelien Jarno wrote:
> On Fri, Apr 22, 2011 at 06:14:06PM +0400, Igor Kovalenko wrote:
>> On Fri, Apr 22, 2011 at 2:39 AM, Laurent Desnogues wrote:
>> > On Thu, Apr 21, 2011 at 9:45 PM, Igor Kovalenko wrote:
>> >> On Thu, Apr 21, 2011 at 7:44 PM, Laurent Desnogues wrote:
>> >>> On Thu, Apr 21, 2011 at 4:57 PM, Artyom Tarasenko wrote:
>> >>>> On Tue, Apr 12, 2011 at 4:14 AM, Igor Kovalenko wrote:
>> >>>>>>> Do you have a public test case?
>> >>>>>>> It is possible to code this delay slot write test but the real issue may
>> >>>>>>> be corruption elsewhere.
>> >>>>
>> >>>> The test case is trivial: it's just the two instructions, branch and wrpr.
>> >>>>
>> >>>>> In theory there could be multiple issues including compiler induced ones.
>> >>>>> I'd prefer to see some kind of reproducible testcase.
>> >>>>
>> >>>> Ok, attached a 40 byte long test (the first 32 bytes are not used and
>> >>>> needed only because the bios entry point is 0x20).
>> >>>>
>> >>>> $ git pull && make && sparc64-softmmu/qemu-system-sparc64 -bios
>> >>>> test-wrpr.bin -nographic
>> >>>> Already up-to-date.
>> >>>> make[1]: Nothing to be done for `all'.
>> >>>> /mnt/terra/projects/vanilla/qemu/tcg/tcg.c:1892: tcg fatal error
>> >>>> Aborted
>> >>>
>> >>> The problem seems to be that wrpr is using a non-local
>> >>> TCG tmp (cpu_tmp0).
>> >>
>> >> Just tried the test case with a write to %pil - seems like the write itself is OK.
>> >> The issue appears to be with the save_state() call, since adding save_state
>> >> to the %pil case provokes the same tcg abort.
>> >
>> > The problem is that cpu_tmp0, not being a local tmp, doesn't
>> > need to be saved across helper calls.  This results in the
>> > TCG "optimizer" getting rid of it even though it's later used.
>> > Look at the log and you'll see what I mean :-)
>>
>> I'm not very comfortable with tcg yet. Would it be possible to teach
>> the optimizer to work with delay slots? Or do I look in the wrong place?
>>
>
> The problem is not on the TCG side, but on the target-sparc/translate.c
> side:
>
> |                     case 0x32: /* wrwim, V9 wrpr */
> |                         {
> |                             if (!supervisor(dc))
> |                                 goto priv_insn;
> |                             tcg_gen_xor_tl(cpu_tmp0, cpu_src1, cpu_src2);
> | #ifdef TARGET_SPARC64
>
> Here cpu_tmp0 is loaded. cpu_tmp0 is a TCG temp, which means it is not
> saved across TCG branches.
>
> [...]
>
> |                                 case 6: // pstate
> |                                     save_state(dc, cpu_cond);
> |                                     gen_helper_wrpstate(cpu_tmp0);
> |                                     dc->npc = DYNAMIC_PC;
> |                                     break;
>
> save_state() calls save_npc(), which in turn might call
> gen_generic_branch():

Hmm. This is not the only instruction using save_state() and cpu_tmp0.
At least ldd is another example.

> | static inline void gen_generic_branch(target_ulong npc1, target_ulong npc2,
> |                                       TCGv r_cond)
> | {
> |     int l1, l2;
> |
> |     l1 = gen_new_label();
> |     l2 = gen_new_label();
> |
> |     tcg_gen_brcondi_tl(TCG_COND_EQ, r_cond, 0, l1);
> |
> |     tcg_gen_movi_tl(cpu_npc, npc1);
> |     tcg_gen_br(l2);
> |
> |     gen_set_label(l1);
> |     tcg_gen_movi_tl(cpu_npc, npc2);
> |     gen_set_label(l2);
> | }
>
> And here is the TCG branch, which drops the TCG temp cpu_tmp0.
>
> The solution is either to rewrite gen_generic_branch() without TCG
> branches, or to use a TCG temp local instead of a TCG temp.

You mean something like

    case 6: // pstate
        {
            TCGv r_temp;

            r_temp = tcg_temp_new();
            tcg_gen_mov_tl(r_temp, cpu_tmp0);
            save_state(dc, cpu_cond);
            gen_helper_wrpstate(r_temp);
            tcg_temp_free(r_temp);
            dc->npc = DYNAMIC_PC;
        }
        break;

?

This fails with the same error message.

Artyom
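To see why copying cpu_tmp0 into another plain temp (as in the reply above) still aborts, while a TCG temp local would survive the labels that gen_generic_branch() emits, here is a toy model of the liveness rule Aurelien describes. This is an added example, not QEMU code and not code from this thread: the three-op IR, check_liveness() and model_wrpstate() are assumptions of the model, and it replaces TCG's real backward liveness pass with a forward walk that only tracks "dead at label".

```c
#include <stdbool.h>

/* Toy IR: a temp is written (DEF), a label is placed (LABEL, where a TCG
 * basic block ends), or a temp is read by a helper call (USE). */
enum op_kind { OP_DEF, OP_LABEL, OP_USE };
struct op   { enum op_kind kind; int temp; };   /* temp unused for OP_LABEL */
struct temp { bool is_local; bool live; };      /* is_local: tcg_temp_local_new */

/* Walk the ops in order. Return the index of the first USE whose temp is
 * dead at that point (the case tcg.c reports as "tcg fatal error"), or -1
 * if every read sees a live value. */
int check_liveness(struct temp *temps, int ntemps, const struct op *ops, int nops)
{
    for (int t = 0; t < ntemps; t++) temps[t].live = false;
    for (int i = 0; i < nops; i++) {
        switch (ops[i].kind) {
        case OP_DEF:
            temps[ops[i].temp].live = true;
            break;
        case OP_LABEL:
            /* Plain temps do not survive a basic-block boundary; locals do. */
            for (int t = 0; t < ntemps; t++)
                if (!temps[t].is_local) temps[t].live = false;
            break;
        case OP_USE:
            if (!temps[ops[i].temp].live) return i;
            break;
        }
    }
    return -1;
}

/* Model of the "case 6: // pstate" path from the thread.
 * variant 0: helper reads cpu_tmp0 directly (the original translate.c code)
 * variant 1: copy into a plain temp first (the attempt in the reply)
 * variant 2: copy into a local temp first (what "TCG temp local" means) */
int model_wrpstate(int variant)
{
    struct temp temps[2] = { { false, false }, { variant == 2, false } };
    struct op ops[] = {
        { OP_DEF, 0 },               /* tcg_gen_xor_tl(cpu_tmp0, ...)           */
        { OP_DEF, 1 },               /* tcg_gen_mov_tl(r_temp, cpu_tmp0)        */
        { OP_LABEL, 0 },             /* save_state() -> gen_set_label(l1)       */
        { OP_LABEL, 0 },             /*               -> gen_set_label(l2)      */
        { OP_USE, variant ? 1 : 0 }  /* gen_helper_wrpstate(cpu_tmp0 / r_temp)  */
    };
    return check_liveness(temps, 2, ops, 5);
}
```

Variants 0 and 1 both fault at the helper call (op index 4); only variant 2, the local temp, reaches it with a live value.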