From: Igor Kovalenko
Date: Tue, 26 Apr 2011 07:34:09 +0400
Subject: Re: [Qemu-devel] tcg/tcg.c:1892: tcg fatal error
To: Aurelien Jarno
Cc: Laurent Desnogues, Blue Swirl, qemu-devel, Artyom Tarasenko, peter.maydell@linaro.org
In-Reply-To: <20110425202927.GD21831@volta.aurel32.net>

On Tue, Apr 26, 2011 at 12:29 AM, Aurelien Jarno wrote:
> On Fri, Apr 22, 2011 at 06:14:06PM +0400, Igor Kovalenko wrote:
>> On Fri, Apr 22, 2011 at 2:39 AM, Laurent Desnogues wrote:
>> > On Thu, Apr 21, 2011 at 9:45 PM, Igor Kovalenko wrote:
>> >> On Thu, Apr 21, 2011 at 7:44 PM, Laurent Desnogues wrote:
>> >>> On Thu, Apr 21, 2011 at 4:57 PM, Artyom Tarasenko wrote:
>> >>>> On Tue, Apr 12, 2011 at 4:14 AM, Igor Kovalenko wrote:
>> >>>>>>> Do you have public test case?
>> >>>>>>> It is possible to code this delay slot write test but real issue may
>> >>>>>>> be corruption elsewhere.
>> >>>>
>> >>>> The test case is trivial: it's just the two instructions, branch and wrpr.
>> >>>>
>> >>>>> In theory there could be multiple issues including compiler induced ones.
>> >>>>> I'd prefer to see some kind of reproducible testcase.
>> >>>>
>> >>>> Ok, attached a 40 byte long test (the first 32 bytes are not used and
>> >>>> needed only because the bios entry point is 0x20).
>> >>>>
>> >>>> $ git pull && make && sparc64-softmmu/qemu-system-sparc64 -bios
>> >>>> test-wrpr.bin -nographic
>> >>>> Already up-to-date.
>> >>>> make[1]: Nothing to be done for `all'.
>> >>>> /mnt/terra/projects/vanilla/qemu/tcg/tcg.c:1892: tcg fatal error
>> >>>> Aborted
>> >>>
>> >>> The problem seems to be that wrpr is using a non-local
>> >>> TCG tmp (cpu_tmp0).
>> >>
>> >> Just tried the test case with write to %pil - seems like write itself is OK.
>> >> The issue appears to be with save_state() call since adding save_state
>> >> to %pil case provokes the same tcg abort.
>> >
>> > The problem is that cpu_tmp0, not being a local tmp, doesn't
>> > need to be saved across helper calls.  This results in the
>> > TCG "optimizer" getting rid of it even though it's later used.
>> > Look at the log and you'll see what I mean :-)
>>
>> I'm not very comfortable with tcg yet. Would it be possible to teach
>> the optimizer to work with delay slots? Or do I look in the wrong place?
>>
>
> The problem is not on the TCG side, but on the target-sparc/translate.c
> side:
>
> |                     case 0x32: /* wrwim, V9 wrpr */
> |                         {
> |                             if (!supervisor(dc))
> |                                 goto priv_insn;
> |                             tcg_gen_xor_tl(cpu_tmp0, cpu_src1, cpu_src2);
> | #ifdef TARGET_SPARC64
>
> Here cpu_tmp0 is loaded. cpu_tmp0 is a TCG temp, which means it is not
> saved across TCG branches.
>
> [...]
>
> |                                 case 6: // pstate
> |                                     save_state(dc, cpu_cond);
> |                                     gen_helper_wrpstate(cpu_tmp0);
> |                                     dc->npc = DYNAMIC_PC;
> |                                     break;
>
> save_state() calls save_npc(), which in turn might call
> gen_generic_branch():
>
> | static inline void gen_generic_branch(target_ulong npc1, target_ulong npc2,
> |                                       TCGv r_cond)
> | {
> |     int l1, l2;
> |
> |     l1 = gen_new_label();
> |     l2 = gen_new_label();
> |
> |     tcg_gen_brcondi_tl(TCG_COND_EQ, r_cond, 0, l1);
> |
> |     tcg_gen_movi_tl(cpu_npc, npc1);
> |     tcg_gen_br(l2);
> |
> |     gen_set_label(l1);
> |     tcg_gen_movi_tl(cpu_npc, npc2);
> |     gen_set_label(l2);
> | }
>
> And here is the TCG branch, which drops the TCG temp cpu_tmp0.
>
> The solution is either to rewrite gen_generic_branch() without TCG
> branches, or to use a TCG temp local instead of a TCG temp.

Thanks! I think the issue is more clear now, and loading to a local
temporary works in this case.

Does not explain why unmodified qemu works with wrpr pstate not in delay slot.
I looked at my linux kernel builds and do not see any wrpr pstate in delay slot.

-- 
Kind regards,
Igor V. Kovalenko
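The rule the thread turns on is that an ordinary TCG temp is considered dead at the end of a basic block (any branch or label), while a local temp survives. The following toy model, added here as an illustration and not code from QEMU or from anyone in the thread, replays the op sequence of the wrpr %pstate case against that rule: the temp is loaded, save_state() emits the brcond/br/label ops of gen_generic_branch(), and the helper then reads the temp. It also models both remedies Aurelien names: a local temp, or a branchless save_npc (a single conditional move in place of the two labels). The enum names, struct layout, and the check itself are this example's own simplification of TCG liveness, not TCG's implementation, and the op comments only mirror the quoted translate.c lines.

```c
/* Toy model of TCG temp lifetime across basic-block boundaries.
 * Added example, NOT QEMU code: it models one rule only, that a plain temp
 * (tcg_temp_new) is dead after a branch or label, while a local temp
 * (tcg_temp_local_new) and globals such as cpu_npc keep their value. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum op_kind { OP_MOV, OP_BRCOND, OP_BR, OP_LABEL, OP_USE };

struct temp {
    const char *name;
    bool survives_bb;  /* true for local temps and globals, false for plain temps */
    bool live;         /* does the value still exist at this point? */
};

struct op {
    enum op_kind kind;
    struct temp *t;    /* temp written (OP_MOV) or read (OP_USE); NULL otherwise */
};

/* Walk the ops in order.  Returns 0 if every OP_USE reads a live temp,
 * otherwise the 1-based index of the first op that reads a temp already
 * killed at a basic-block boundary (the analogue of the tcg fatal error). */
static int check_temps(struct op *ops, int nops, struct temp **temps, int ntemps)
{
    for (int i = 0; i < nops; i++) {
        switch (ops[i].kind) {
        case OP_MOV:
            ops[i].t->live = true;
            break;
        case OP_USE:
            if (!ops[i].t->live)
                return i + 1;
            break;
        case OP_BRCOND:
        case OP_BR:
        case OP_LABEL:
            /* End of a basic block: plain temps lose their value here. */
            for (int k = 0; k < ntemps; k++)
                if (!temps[k]->survives_bb)
                    temps[k]->live = false;
            break;
        }
    }
    return 0;
}

/* The wrpr %pstate sequence.  use_local_temp: replace cpu_tmp0 by a local
 * temp.  branchless_save_npc: replace gen_generic_branch() by one
 * conditional move, so no basic-block boundary is emitted. */
int wrpr_sequence(bool use_local_temp, bool branchless_save_npc)
{
    struct temp value = { use_local_temp ? "local tmp" : "cpu_tmp0", use_local_temp, false };
    struct temp npc = { "cpu_npc", true, false };   /* a global: never killed */
    struct temp *temps[] = { &value, &npc };

    struct op with_branch[] = {
        { OP_MOV, &value },   /* 1: tcg_gen_xor_tl(cpu_tmp0, cpu_src1, cpu_src2) */
        { OP_BRCOND, NULL },  /* 2: tcg_gen_brcondi_tl(TCG_COND_EQ, r_cond, 0, l1) */
        { OP_MOV, &npc },     /* 3: tcg_gen_movi_tl(cpu_npc, npc1) */
        { OP_BR, NULL },      /* 4: tcg_gen_br(l2) */
        { OP_LABEL, NULL },   /* 5: gen_set_label(l1) */
        { OP_MOV, &npc },     /* 6: tcg_gen_movi_tl(cpu_npc, npc2) */
        { OP_LABEL, NULL },   /* 7: gen_set_label(l2) */
        { OP_USE, &value },   /* 8: gen_helper_wrpstate(cpu_tmp0) */
    };
    struct op without_branch[] = {
        { OP_MOV, &value },   /* 1: load the temp */
        { OP_MOV, &npc },     /* 2: one conditional move sets cpu_npc, no labels */
        { OP_USE, &value },   /* 3: helper reads the temp */
    };

    if (branchless_save_npc)
        return check_temps(without_branch, 3, temps, 2);
    return check_temps(with_branch, 8, temps, 2);
}

int main(void)
{
    printf("cpu_tmp0 across gen_generic_branch: failing op %d\n", wrpr_sequence(false, false));
    printf("local temp across gen_generic_branch: failing op %d\n", wrpr_sequence(true, false));
    printf("cpu_tmp0 with branchless save_npc:  failing op %d\n", wrpr_sequence(false, true));
    return 0;
}
```

With the plain temp the walk stops at op 8, the helper call, because the brcond at op 2 already killed cpu_tmp0; the local temp and the branchless variant both complete. Note that this is why the %pil case in the thread only broke once save_state() was added: without the branch there is no basic-block boundary between the load and the use.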