From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=43539 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Q8vL5-0006Si-LS
	for qemu-devel@nongnu.org; Sun, 10 Apr 2011 10:10:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <atar4qemu@gmail.com>) id 1Q8vL3-0004js-Rc
	for qemu-devel@nongnu.org; Sun, 10 Apr 2011 10:10:07 -0400
Received: from mail-qw0-f45.google.com ([209.85.216.45]:37713)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <atar4qemu@gmail.com>) id 1Q8vL3-0004jg-OH
	for qemu-devel@nongnu.org; Sun, 10 Apr 2011 10:10:05 -0400
Received: by qwj8 with SMTP id 8so3380283qwj.4
	for <qemu-devel@nongnu.org>; Sun, 10 Apr 2011 07:10:05 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <20110410132415.GA6719@volta.aurel32.net>
References: <BANLkTi=NRjw8Md+PU+JcvkZ-cTeJO+zP-A@mail.gmail.com>
	<20110410132415.GA6719@volta.aurel32.net>
From: Artyom Tarasenko <atar4qemu@gmail.com>
Date: Sun, 10 Apr 2011 16:09:45 +0200
Message-ID: <BANLkTin4X94gZVBQXoBLmedQbGoGWNjmyA@mail.gmail.com>
Subject: Re: [Qemu-devel] tcg/tcg.c:1892: tcg fatal error
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: Blue Swirl <blauwirbel@gmail.com>, qemu-devel <qemu-devel@nongnu.org>

On Sun, Apr 10, 2011 at 3:24 PM, Aurelien Jarno <aurelien@aurel32.net> wrot=
e:
> On Sun, Apr 10, 2011 at 02:29:59PM +0200, Artyom Tarasenko wrote:
>> Trying to boot some proprietary OS I get qemu-system-sparc64 crash with =
a
>>
>> tcg/tcg.c:1892: tcg fatal error
>>
>> error message.
>>
>> It looks like it can be a platform independent bug though, because
>> when a '-singlestep' option IS present, qemu doesn't crash and seems
>> to translate the code properly.
>>
>> (gdb) bt
>> #0 =A00x00000032c2e327f5 in raise () from /lib64/libc.so.6
>> #1 =A00x00000032c2e33fd5 in abort () from /lib64/libc.so.6
>> #2 =A00x000000000051933d in tcg_reg_alloc_call (s=3D<value optimized out=
>,
>> def=3D0x89d340, opc=3DINDEX_op_call, args=3D0x10acc98, dead_iargs=3D3) a=
t
>> qemu/tcg/tcg.c:1892
>> #3 =A00x000000000051a557 in tcg_gen_code_common (s=3D0x10b8940,
>> gen_code_buf=3D0x40338b60 "I\213n@H\213] 3\355I\211\256\220") at
>> qemu/tcg/tcg.c:2099
>> #4 =A0tcg_gen_code (s=3D0x10b8940, gen_code_buf=3D0x40338b60 "I\213n@H\2=
13]
>> 3\355I\211\256\220") at qemu/tcg/tcg.c:2142
>> #5 =A00x00000000004d38f1 in cpu_sparc_gen_code (env=3D0x10cce10,
>> tb=3D0x7fffe91bc218, gen_code_size_ptr=3D0x7fffffffd9b4) at
>> qemu/translate-all.c:93
>> #6 =A00x00000000004d1fd7 in tb_gen_code (env=3D0x10cce10, pc=3D18868776,
>> cs_base=3D18868780, flags=3D15, cflags=3D0) at qemu/exec.c:989
>> #7 =A00x00000000004d4029 in tb_find_slow (env1=3D<value optimized out>) =
at
>> qemu/cpu-exec.c:167
>> #8 =A0tb_find_fast (env1=3D<value optimized out>) at cpu-exec.c:194
>> #9 =A0cpu_sparc_exec (env1=3D<value optimized out>) at qemu/cpu-exec.c:5=
56
>> #10 0x0000000000408868 in tcg_cpu_exec () at qemu/cpus.c:1066
>> #11 cpu_exec_all () at qemu/cpus.c:1102
>> #12 0x000000000053c756 in main_loop (argc=3D<value optimized out>,
>> argv=3D<value optimized out>, envp=3D<value optimized out>) at
>> qemu/vl.c:1430
>>
>> I inspected ts->val_type causing the abort() case and it turned out to b=
e 0.
>>
>> The last lines of qemu.log (without -singlestep)
>> IN:
>> 0x00000000011fe9f0: =A0rdpr =A0%pstate, %g1
>> 0x00000000011fe9f4: =A0wrpr =A0%g1, 2, %pstate
>> --------------
>> IN:
>> 0x00000000011fe9f8: =A0ldub =A0[ %o0 ], %o1
>> 0x00000000011fe9fc: =A0mov =A0%o1, %o2
>> 0x00000000011fea00: =A0rdpr =A0%tick, %o3
>> 0x00000000011fea04: =A0cmp =A0%o1, %o2
>> 0x00000000011fea08: =A0be =A0%icc, 0x11fea00
>> 0x00000000011fea0c: =A0ldub =A0[ %o0 ], %o2
>>
>> Search PC...
>> Search PC...
>> Search PC...
>> Search PC...
>> Search PC...
>> Search PC...
>> --------------
>> IN:
>> 0x00000000011fe9f8: =A0ldub =A0[ %o0 ], %o1
>> 0x00000000011fe9fc: =A0mov =A0%o1, %o2
>> 0x00000000011fea00: =A0rdpr =A0%tick, %o3
>> 0x00000000011fea04: =A0cmp =A0%o1, %o2
>> 0x00000000011fea08: =A0be =A0%icc, 0x11fea00
>> 0x00000000011fea0c: =A0ldub =A0[ %o0 ], %o2
>>
>> 110521: Data Access MMU Miss (v=3D0068) pc=3D00000000011fe9f8
>> npc=3D00000000011fe9fc SP=3D000000000180ae41
>> pc: 00000000011fe9f8 =A0npc: 00000000011fe9fc
>>
>> IN:
>> 0x00000000011fea00: =A0rdpr =A0%tick, %o3
>> 0x00000000011fea04: =A0cmp =A0%o1, %o2
>> 0x00000000011fea08: =A0be =A0%icc, 0x11fea00
>> 0x00000000011fea0c: =A0ldub =A0[ %o0 ], %o2
>> --------------
>> IN:
>> 0x00000000011fea10: =A0brz,pn =A0 %o2, 0x11fe9f8
>> 0x00000000011fea14: =A0mov =A0%o2, %o4
>> --------------
>> IN:
>> 0x00000000011fea18: =A0rdpr =A0%tick, %o5
>> 0x00000000011fea1c: =A0cmp =A0%o2, %o4
>> 0x00000000011fea20: =A0be =A0%icc, 0x11fea18
>> 0x00000000011fea24: =A0ldub =A0[ %o0 ], %o4
>> --------------
>> IN:
>> 0x00000000011fea28: =A0brz,pn =A0 %o4, 0x11fe9f4
>> 0x00000000011fea2c: =A0wrpr =A0%g0, %g1, %pstate
>> <EOF>
>>
>> The crash is 100% reproducible and happens always on the same place,
>> so it's probably a pure TCG issue, not related on getting the
>> external/timer interrupts.
>>
>> Do you need any additional info?
>>
>
> What would be interesting would be to get the corresponding TCG code
> from qemu.log (-d op,op_opt).


OP:
 ---- 0x11fea28
 ld_i64 tmp6,regwptr,$0x20
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp6,tmp8,ne,$0x0
 movi_i64 cond,$0x1
 set_label $0x0

 ---- 0x11fea2c
 movi_i64 tmp7,$0x0
 xor_i64 tmp0,tmp7,g1
 movi_i64 pc,$0x11fea2c
 movi_i64 tmp8,$compute_psr
 call tmp8,$0x0,$0
 movi_i64 tmp8,$0x0
 brcond_i64 cond,tmp8,eq,$0x1
 movi_i64 npc,$0x11fe9f4
 br $0x2
 set_label $0x1
 movi_i64 npc,$0x11fea30
 set_label $0x2
 movi_i64 tmp8,$wrpstate
 call tmp8,$0x0,$0,tmp0
 mov_i64 pc,npc
 movi_i64 tmp8,$0x4
 add_i64 npc,npc,tmp8
 exit_tb $0x0

OP after liveness analysis:
 ---- 0x11fea28
 ld_i64 tmp6,regwptr,$0x20
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp6,tmp8,ne,$0x0
 movi_i64 cond,$0x1
 set_label $0x0

 ---- 0x11fea2c
 nopn $0x2,$0x2
 nopn $0x3,$0x68,$0x3
 movi_i64 pc,$0x11fea2c
 movi_i64 tmp8,$compute_psr
 call tmp8,$0x0,$0
 movi_i64 tmp8,$0x0
 brcond_i64 cond,tmp8,eq,$0x1
 movi_i64 npc,$0x11fe9f4
 br $0x2
 set_label $0x1
 movi_i64 npc,$0x11fea30
 set_label $0x2
 movi_i64 tmp8,$wrpstate
 call tmp8,$0x0,$0,tmp0
 mov_i64 pc,npc
 movi_i64 tmp8,$0x4
 add_i64 npc,npc,tmp8
 exit_tb $0x0
 end

Does it mean the last block is processed correctly and the crash
happens on the next instruction which doesn't make it to the log?
The next instruction would be a

0x00000000011fea30:  retl

Since it's a branch instruction I guess this would also be a tcg block boun=
dary.


--=20
Regards,
Artyom Tarasenko

solaris/sparc under qemu blog: http://tyom.blogspot.com/