From: Artyom Tarasenko <atar4qemu@gmail.com>
To: qemu-devel <qemu-devel@nongnu.org>, Blue Swirl <blauwirbel@gmail.com>
Subject: [Qemu-devel] another TCG branch weirdness
Date: Fri, 5 Aug 2011 18:36:46 +0200
Message-ID: <CACXAS8C5Hvr+aM4xxtOzWG_pc=Y5NdvbrnFPuCakLax2OVa6=w@mail.gmail.com>
Host x86_64, guest sparc64. Found a case where a branch instruction
(brz,pn %o0) unexpectedly jumps to an unexpected address. I.e. the
branch shouldn't be taken at all, but even if it were, it should have
gone to 0x13e26e4 and not to 0x5.
I was about to write that the generated OP for brz,pn usually looks
different, when I realized that it was in fact even generated for this
very address just before, but with another branch in the delay slot.
The bug looks familiar, Blue, doesn't it? :)
IN:
0x00000000013e26c0: brz,pn %o0, 0x13e26e4
0x00000000013e26c4: brlez,pn %o1, 0x13e26e4
OP:
---- 0x13e26c0
ld_i64 tmp6,regwptr,$0x0
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp6,tmp8,ne,$0x0
movi_i64 cond,$0x1
set_label $0x0
^^^ Ok, that's how brz,pn usually looks
---- 0x13e26c4
ld_i64 tmp7,regwptr,$0x8
movi_i64 tmp8,$0x0
brcond_i64 cond,tmp8,eq,$0x1
movi_i64 npc,$0x13e26e4
br $0x2
set_label $0x1
movi_i64 npc,$0x13e26c8
set_label $0x2
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp7,tmp8,gt,$0x3
movi_i64 cond,$0x1
set_label $0x3
movi_i64 tmp0,$0x0
brcond_i64 cond,tmp0,eq,$0x4
movi_i64 npc,$0x13e26e4
br $0x5
set_label $0x4
movi_i64 npc,$0x5
set_label $0x5
exit_tb $0x0
--------------
IN:
0x00000000013e26c0: brz,pn %o0, 0x13e26e4
OP:
---- 0x13e26c0
ld_i64 tmp6,regwptr,$0x0
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp6,tmp8,ne,$0x0
movi_i64 cond,$0x1
set_label $0x0
movi_i64 pc,$0x5
^^^ What's that?
movi_i64 tmp0,$0x0
brcond_i64 cond,tmp0,eq,$0x1
movi_i64 npc,$0x13e26e4
br $0x2
set_label $0x1
movi_i64 npc,$0x9
set_label $0x2
exit_tb $0x0
33062: Instruction Access MMU Miss (v=0064) pc=0000000000000005
npc=0000000000000009 SP=000000000c3d2d81
...
Current Register Window:
%o0-3: 0000000002483d00 0000000000000018 0000000000000028 00000000000232bd
^^^^^^ not zero
--
Regards,
Artyom Tarasenko
solaris/sparc under qemu blog: http://tyom.blogspot.com/
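The two op dumps above can be replayed by hand, and doing so shows why the guest ended up at pc=5, npc=9. The script below is an added example, not code from the original message or from QEMU: it is a tiny interpreter for just the TCG ops that appear in the dumps (ld_i64 from regwptr, movi_i64, brcond_i64, br, set_label, exit_tb). The register values come from the fault dump in the report (%o0 = 0x2483d00, %o1 = 0x18); the regwptr+0 / regwptr+8 mapping to %o0 / %o1 is inferred from the two ld_i64 offsets. Running it on both listings shows that with a non-zero %o0 the single-instruction block sets pc=0x5 and npc=0x9 exactly as in the MMU-miss line, and that the two-branch block writes npc=0x5 whether or not the brz is taken, so 0x13e26e4 is only ever reached through the brlez path.

```python
"""Replay the two TCG op dumps above with a tiny interpreter (added example,
not QEMU code). It models only the ops that appear in the dumps: ld_i64 from
regwptr, movi_i64, brcond_i64, br, set_label and exit_tb, on 64-bit values."""
MASK = (1 << 64) - 1

def s64(v):  # TCG gt/lt compare as signed 64-bit
    v &= MASK
    return v - (1 << 64) if v >> 63 else v

# Only the conditions used in the dumps are modelled.
COND = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
        "gt": lambda a, b: s64(a) > s64(b)}

# Register window from the fault dump; assumed layout: %o0 at regwptr+0, %o1 at regwptr+8.
REGWIN_FROM_REPORT = {0x0: 0x0000000002483d00, 0x8: 0x0000000000000018}

# First dump: brz,pn at 0x13e26c0 with brlez,pn in its delay slot.
TRACE_BOTH_BRANCHES = """
ld_i64 tmp6,regwptr,$0x0
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp6,tmp8,ne,$0x0
movi_i64 cond,$0x1
set_label $0x0
ld_i64 tmp7,regwptr,$0x8
movi_i64 tmp8,$0x0
brcond_i64 cond,tmp8,eq,$0x1
movi_i64 npc,$0x13e26e4
br $0x2
set_label $0x1
movi_i64 npc,$0x13e26c8
set_label $0x2
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp7,tmp8,gt,$0x3
movi_i64 cond,$0x1
set_label $0x3
movi_i64 tmp0,$0x0
brcond_i64 cond,tmp0,eq,$0x4
movi_i64 npc,$0x13e26e4
br $0x5
set_label $0x4
movi_i64 npc,$0x5
set_label $0x5
exit_tb $0x0
"""
# Second dump: the same brz,pn translated on its own.
TRACE_BRZ_ONLY = """
ld_i64 tmp6,regwptr,$0x0
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp6,tmp8,ne,$0x0
movi_i64 cond,$0x1
set_label $0x0
movi_i64 pc,$0x5
movi_i64 tmp0,$0x0
brcond_i64 cond,tmp0,eq,$0x1
movi_i64 npc,$0x13e26e4
br $0x2
set_label $0x1
movi_i64 npc,$0x9
set_label $0x2
exit_tb $0x0
"""

def imm(tok):  # "$0x13e26e4" -> 0x13e26e4
    return int(tok.lstrip("$"), 16)

def parse(text):
    ops = []
    for line in text.splitlines():
        if line.strip():
            name, _, rest = line.strip().partition(" ")
            ops.append((name, [a.strip() for a in rest.split(",")]))
    return ops

def run(text, regwin):
    """Execute the ops; return the globals (cond/pc/npc) live at exit_tb."""
    ops = parse(text)
    labels = {imm(a[0]): i for i, (n, a) in enumerate(ops) if n == "set_label"}
    env, i = {}, 0
    while i < len(ops):
        name, args = ops[i]
        if name == "ld_i64":                    # ld_i64 dst,regwptr,$off
            env[args[0]] = regwin[imm(args[2])]
        elif name == "movi_i64":                # movi_i64 dst,$imm
            env[args[0]] = imm(args[1]) & MASK
        elif name == "brcond_i64":              # brcond_i64 a,b,cc,$label
            a, b, cc, label = args
            if COND[cc](env[a], env[b]):
                i = labels[imm(label)]
                continue
        elif name == "br":                      # br $label
            i = labels[imm(args[0])]
            continue
        elif name == "exit_tb":
            break
        elif name != "set_label":
            raise ValueError("unhandled op " + name)
        i += 1
    return {k: v for k, v in env.items() if k in ("cond", "pc", "npc")}
```

Call run(TRACE_BRZ_ONLY, REGWIN_FROM_REPORT) to get {'cond': 0, 'pc': 5, 'npc': 9}, matching the fault line; run(TRACE_BOTH_BRANCHES, ...) gives npc = 5 for the reported registers and also for %o0 = 0, i.e. the taken-brz path is overwritten by the trailing brlez sequence, so the only way out of that block to 0x13e26e4 is a taken brlez (%o1 <= 0).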