From: Igor Kovalenko
Date: Tue, 26 Apr 2011 22:07:43 +0400
Subject: Re: [Qemu-devel] tcg/tcg.c:1892: tcg fatal error
To: Artyom Tarasenko
Cc: Laurent Desnogues, Blue Swirl, qemu-devel, Aurelien Jarno, peter.maydell@linaro.org
References: <20110425202927.GD21831@volta.aurel32.net>

On Tue, Apr 26, 2011 at 8:26 PM, Artyom Tarasenko wrote:
> On Tue, Apr 26, 2011 at 5:34 AM, Igor Kovalenko wrote:
>> On Tue, Apr 26, 2011 at 12:29 AM, Aurelien Jarno wrote:
>>> On Fri, Apr 22, 2011 at 06:14:06PM +0400, Igor Kovalenko wrote:
>>>> On Fri, Apr 22, 2011 at 2:39 AM, Laurent Desnogues wrote:
>>>> > On Thu, Apr 21, 2011 at 9:45 PM, Igor Kovalenko wrote:
>>>> >> On Thu, Apr 21, 2011 at 7:44 PM, Laurent Desnogues wrote:
>>>> >>> On Thu, Apr 21, 2011 at 4:57 PM, Artyom Tarasenko wrote:
>>>> >>>> On Tue, Apr 12, 2011 at 4:14 AM, Igor Kovalenko wrote:
>>>> >>>>>>> Do you have public test case?
>>>> >>>>>>> It is possible to code this delay slot write test but real issue may
>>>> >>>>>>> be corruption elsewhere.
>>>> >>>>
>>>> >>>> The test case is trivial: it's just the two instructions, branch and wrpr.
>>>> >>>>
>>>> >>>>> In theory there could be multiple issues including compiler induced ones.
>>>> >>>>> I'd prefer to see some kind of reproducible testcase.
>>>> >>>>
>>>> >>>> Ok, attached a 40 byte long test (the first 32 bytes are not used and
>>>> >>>> needed only because the bios entry point is 0x20).
>>>> >>>>
>>>> >>>> $ git pull && make && sparc64-softmmu/qemu-system-sparc64 -bios
>>>> >>>> test-wrpr.bin -nographic
>>>> >>>> Already up-to-date.
>>>> >>>> make[1]: Nothing to be done for `all'.
>>>> >>>> /mnt/terra/projects/vanilla/qemu/tcg/tcg.c:1892: tcg fatal error
>>>> >>>> Aborted
>>>> >>>
>>>> >>> The problem seems to be that wrpr is using a non-local
>>>> >>> TCG tmp (cpu_tmp0).
>>>> >>
>>>> >> Just tried the test case with write to %pil - seems like write itself is OK.
>>>> >> The issue appears to be with save_state() call since adding save_state
>>>> >> to %pil case provokes the same tcg abort.
>>>> >
>>>> > The problem is that cpu_tmp0, not being a local tmp, doesn't
>>>> > need to be saved across helper calls.  This results in the
>>>> > TCG "optimizer" getting rid of it even though it's later used.
>>>> > Look at the log and you'll see what I mean :-)
>>>>
>>>> I'm not very comfortable with tcg yet. Would it be possible to teach
>>>> optimizer working with delay slots? Or do I look in the wrong place.
>>>>
>>>
>>> The problem is not on the TCG side, but on the target-sparc/translate.c
>>> side:
>>>
>>> |                 case 0x32: /* wrwim, V9 wrpr */
>>> |                     {
>>> |                         if (!supervisor(dc))
>>> |                             goto priv_insn;
>>> |                         tcg_gen_xor_tl(cpu_tmp0, cpu_src1, cpu_src2);
>>> | #ifdef TARGET_SPARC64
>>>
>>> Here cpu_tmp0 is loaded. cpu_tmp0 is a TCG temp, which means it is not
>>> saved across TCG branches.
>>>
>>> [...]
>>>
>>> |                         case 6: // pstate
>>> |                             save_state(dc, cpu_cond);
>>> |                             gen_helper_wrpstate(cpu_tmp0);
>>> |                             dc->npc = DYNAMIC_PC;
>>> |                             break;
>>>
>>> save_state() calls save_npc(), which in turns might call
>>> gen_generic_branch():
>>>
>>> | static inline void gen_generic_branch(target_ulong npc1, target_ulong npc2,
>>> |                                       TCGv r_cond)
>>> | {
>>> |     int l1, l2;
>>> |
>>> |     l1 = gen_new_label();
>>> |     l2 = gen_new_label();
>>> |
>>> |     tcg_gen_brcondi_tl(TCG_COND_EQ, r_cond, 0, l1);
>>> |
>>> |     tcg_gen_movi_tl(cpu_npc, npc1);
>>> |     tcg_gen_br(l2);
>>> |
>>> |     gen_set_label(l1);
>>> |     tcg_gen_movi_tl(cpu_npc, npc2);
>>> |     gen_set_label(l2);
>>> | }
>>>
>>> And here is the TCG branch, which drop the TCG temp cpu_temp0.
>>>
>>> The solution is either to rewrite gen_generic_branch() without TCG
>>> branches, or to use a TCG temp local instead of a TCG temp.
>>
>> Thanks!
>>
>> I think the issue is more clear now, and loading to local temporary
>> works in this case.
>> Does not explain why unmodified qemu works with wrpr pstate not in delay slot.
>
> Because the TCG branch is not generated in save_npc()?
>
>> I looked at my linux kernel builds and do not see any wrpr pstate in delay slot.
>
> Meaning you are not going to fix the bug? ;-)

More like I need to know where the bug is because there is no issue
running without wrpr in delay slot.

-- 
Kind regards,
Igor V. Kovalenko
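The attachment Artyom refers to is not part of this thread as archived. As an added example (not the original test file), the Python script below assembles a 40-byte sparc64 BIOS image of the shape he describes: 32 unused bytes, then a `ba` whose delay slot holds `wrpr %g0, imm, %pstate` at the 0x20 entry point. The encodings follow the SPARC V9 Format 2 (Bicc) and Format 3 (WRPR) layouts; the nop filler, the branch displacement and the %pstate immediate are assumptions.

```python
"""Assemble a 40-byte sparc64 BIOS image: 32 filler bytes, then a branch whose
delay slot holds a WRPR to %pstate (the shape of the test case in the thread).
Added example; the thread's own attachment is not reproduced here."""
import struct

# Privileged register number selecting %pstate in the rd field of WRPR (SPARC V9).
PSTATE = 6
# Value written to %pstate is an assumption (PEF | PRIV | IE); the reported abort
# happens while translating the block, before the write would execute.
PSTATE_VALUE = 0x16
NOP = 0x01000000  # sethi 0, %g0


def encode_ba(disp_words):
    """Format 2 Bicc: op=00, a=0, cond=1000 (always), op2=010, 22-bit word displacement."""
    if not -(1 << 21) <= disp_words < (1 << 21):
        raise ValueError("displacement does not fit in disp22")
    return (8 << 25) | (2 << 22) | (disp_words & 0x3FFFFF)


def encode_wrpr_imm(rd, rs1, simm13):
    """Format 3 WRPR: op=10, rd=privileged register, op3=0x32, i=1, 13-bit immediate."""
    if not -(1 << 12) <= simm13 < (1 << 12):
        raise ValueError("immediate does not fit in simm13")
    return ((2 << 30) | (rd << 25) | (0x32 << 19) | (rs1 << 14)
            | (1 << 13) | (simm13 & 0x1FFF))


def build_test_image():
    """Return the big-endian image; the BIOS entry point is offset 0x20."""
    words = [NOP] * 8                                       # 0x00..0x1f: unused
    words.append(encode_ba(2))                              # 0x20: ba +8
    words.append(encode_wrpr_imm(PSTATE, 0, PSTATE_VALUE))  # 0x24: delay slot
    return b"".join(struct.pack(">I", w) for w in words)


if __name__ == "__main__":
    image = build_test_image()
    with open("test-wrpr.bin", "wb") as f:
        f.write(image)
    print("wrote %d bytes, entry: %s" % (len(image), image[0x20:].hex()))
```

The resulting file is used exactly as in the quoted command line (`-bios test-wrpr.bin -nographic`); a fixed translator should boot past the two instructions instead of aborting in tcg.c.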