From: Andrzej Zaborowski Message-Id: Date: Fri, 23 May 2008 18:50:45 +0000 Subject: [Qemu-devel] [4547] A branch insn must not overwrite the branch target before relocation . Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Revision: 4547 http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=4547 Author: balrog Date: 2008-05-23 18:50:44 +0000 (Fri, 23 May 2008) Log Message: ----------- A branch insn must not overwrite the branch target before relocation. When a branch to label is translated it generates a reloc that is filled in when the label is translated. However, when handling an exception and searching for the pc we abort the translation early and we sometimes translate the branch but not the corresponding label and so no relocation is done. When the block is executed again the branch points to no-where. It seems tcg/sparc/ is going to suffer from the same issue. Modified Paths: -------------- trunk/tcg/arm/tcg-target.c Modified: trunk/tcg/arm/tcg-target.c =================================================================== --- trunk/tcg/arm/tcg-target.c 2008-05-23 18:10:51 UTC (rev 4546) +++ trunk/tcg/arm/tcg-target.c 2008-05-23 18:50:44 UTC (rev 4547) @@ -78,8 +78,8 @@ tcg_abort(); case R_ARM_PC24: - *(uint32_t *) code_ptr |= - ((value - ((tcg_target_long) code_ptr + 8)) >> 2) & 0xffffff; + *(uint32_t *) code_ptr |= (*(uint32_t *) code_ptr & 0xff000000) | + (((value - ((tcg_target_long) code_ptr + 8)) >> 2) & 0xffffff); break; } } @@ -272,6 +272,17 @@ (((offset - 8) >> 2) & 0x00ffffff)); } +static inline void tcg_out_b_noaddr(TCGContext *s, int cond) +{ +#ifdef WORDS_BIGENDIAN + tcg_out8(s, (cond << 4) | 0x0a); + s->code_ptr += 3; +#else + s->code_ptr += 3; + tcg_out8(s, (cond << 4) | 0x0a); +#endif +} + static inline void tcg_out_bl(TCGContext *s, int cond, int32_t offset) { tcg_out32(s, (cond << 28) | 0x0b000000 | 
@@ -734,7 +745,7 @@ } else { /* Probably this should be preferred even for COND_AL... */ tcg_out_reloc(s, s->code_ptr, R_ARM_PC24, label_index, 31337); - tcg_out_b(s, cond, 8); + tcg_out_b_noaddr(s, cond); } }
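Review bot: in the R_ARM_PC24 case of patch_reloc (first hunk) the new `(*(uint32_t *) code_ptr & 0xff000000)` term is a no-op under `|=`, because those bits are already set in the destination; the statement therefore still only ORs the displacement in and never clears the low 24 bits. Since tcg_out_b_noaddr now leaves those three bytes exactly as they were in the buffer, a word that already holds an old displacement gets ORed with the new one. The case should assign rather than OR: `*(uint32_t *) code_ptr = (*(uint32_t *) code_ptr & 0xff000000) | (((value - ((tcg_target_long) code_ptr + 8)) >> 2) & 0xffffff);`.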
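Review bot: tcg_out_b_noaddr (second hunk) needs a comment saying that the three displacement bytes are deliberately not written so that a relocation applied by an earlier translation of the same block survives an aborted re-translation; as written, a reader will take the bare `s->code_ptr += 3` for a forgotten store. The same comment should note the consequence: on the first emission the field holds whatever the code buffer contained, so correctness depends on patch_reloc replacing the 24-bit field rather than ORing into it.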
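Review bot: at the call site (third hunk) the addend 31337 passed to tcg_out_reloc is unexplained and is not consulted by the R_ARM_PC24 case of patch_reloc shown in the first hunk, which derives the displacement from `value` and `code_ptr` alone; either pass 0 or add a comment that the addend is an unused sentinel, otherwise the next reader will assume it contributes to the target.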
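To make the failure the commit message describes concrete, here is an added, self-contained C model (not QEMU code; all helper names such as emit_b_noaddr, reloc_pc24_set and branch_target are mine) of the ARM B<cond> word and the R_ARM_PC24 fix-up. It plays through the aborted re-translation scenario with the old full-word emitter and with the new "leave the displacement alone" emitter, and then shows why, once the displacement bytes are preserved at emission, the relocation must mask-and-assign instead of OR. The code buffer and label positions are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ARM "B<cond>" word and the R_ARM_PC24 fix-up.
 * Helper names are hypothetical (not QEMU's); the encoding is the ARM one
 * the patch relies on: bits 31..28 cond, bits 27..24 = 0xa,
 * bits 23..0 = (target - (insn + 8)) >> 2, sign-extended. */

#define COND_AL      0xeu
#define ARM_B_OPCODE 0x0a000000u
#define PC24_MASK    0x00ffffffu

/* Old emitter (tcg_out_b(s, cond, 8)): writes a full word, so the zero
 * displacement clobbers whatever an earlier relocation stored there. */
static void emit_b(uint32_t *code, uint32_t cond, int32_t offset)
{
    *code = (cond << 28) | ARM_B_OPCODE | (((uint32_t)(offset - 8) >> 2) & PC24_MASK);
}

/* New emitter, modelled on tcg_out_b_noaddr: only the top byte is written
 * and the 24 displacement bits keep their previous buffer contents.  (The
 * patch uses a single tcg_out8 plus code_ptr += 3; a masked word store is
 * the endian-independent equivalent for this model.) */
static void emit_b_noaddr(uint32_t *code, uint32_t cond)
{
    *code = (*code & PC24_MASK) | (cond << 28) | ARM_B_OPCODE;
}

/* 24-bit word displacement from the branch to `value`. */
static uint32_t pc24_disp(const uint32_t *code_ptr, uintptr_t value)
{
    return (uint32_t)(((intptr_t)value - ((intptr_t)code_ptr + 8)) >> 2) & PC24_MASK;
}

/* Pre-patch R_ARM_PC24 fix-up: OR the displacement into the word. */
static void reloc_pc24_or(uint32_t *code_ptr, uintptr_t value)
{
    *code_ptr |= pc24_disp(code_ptr, value);
}

/* The expression as committed in r4547: the (word & 0xff000000) term is
 * already present in the destination, so under |= this is still an OR. */
static void reloc_pc24_r4547(uint32_t *code_ptr, uintptr_t value)
{
    *code_ptr |= (*code_ptr & 0xff000000u) | pc24_disp(code_ptr, value);
}

/* Mask-and-assign: clears the old displacement before storing the new one. */
static void reloc_pc24_set(uint32_t *code_ptr, uintptr_t value)
{
    *code_ptr = (*code_ptr & ~PC24_MASK) | pc24_disp(code_ptr, value);
}

/* Decode the address the CPU would branch to: sext(imm24) * 4 + insn + 8. */
static uintptr_t branch_target(const uint32_t *code_ptr)
{
    int32_t imm = (int32_t)(*code_ptr << 8) >> 8;   /* sign-extend 24 bits */
    return (uintptr_t)((intptr_t)code_ptr + 8 + (intptr_t)imm * 4);
}

static uint32_t buf[32];   /* constructed stand-in for the TCG code buffer */

/* Scenario from the commit message: the block is translated once and the
 * label's relocation fills in the branch; a later translation (exception pc
 * search) re-emits the branch over the same memory but aborts before the
 * label, so no relocation runs.  Returns 1 if the branch still hits the label. */
int retranslation_keeps_target(int use_noaddr)
{
    uint32_t *branch = &buf[2], *label = &buf[10];
    memset(buf, 0, sizeof buf);
    emit_b(branch, COND_AL, 8);                 /* first translation */
    reloc_pc24_or(branch, (uintptr_t)label);    /* label reached: patched */
    if (use_noaddr)
        emit_b_noaddr(branch, COND_AL);         /* aborted re-translation */
    else
        emit_b(branch, COND_AL, 8);
    return branch_target(branch) == (uintptr_t)label;
}

/* Once emission preserves the displacement bytes, the fix-up must assign,
 * not OR: relocate a word still holding an old displacement (to label1) to
 * label2.  which: 0 = old OR, 1 = r4547 expression, 2 = mask-and-assign.
 * Returns 1 if the branch ends up at label2. */
int reloc_over_stale_bits(int which)
{
    uint32_t *branch = &buf[2], *label1 = &buf[10], *label2 = &buf[5];
    memset(buf, 0, sizeof buf);
    emit_b_noaddr(branch, COND_AL);
    reloc_pc24_set(branch, (uintptr_t)label1);  /* stale displacement = 6 */
    emit_b_noaddr(branch, COND_AL);             /* re-emit, bits preserved */
    if (which == 0)      reloc_pc24_or(branch, (uintptr_t)label2);
    else if (which == 1) reloc_pc24_r4547(branch, (uintptr_t)label2);
    else                 reloc_pc24_set(branch, (uintptr_t)label2);
    return branch_target(branch) == (uintptr_t)label2;
}

int main(void)
{
    printf("old emitter keeps target after aborted retranslation: %d\n", retranslation_keeps_target(0));
    printf("noaddr emitter keeps target: %d\n", retranslation_keeps_target(1));
    printf("reloc over stale bits  OR:%d  r4547:%d  assign:%d\n",
           reloc_over_stale_bits(0), reloc_over_stale_bits(1), reloc_over_stale_bits(2));
    return 0;
}
```

The first function reproduces the bug and the fix exactly as the log message states them; the second shows that the committed `|=` form behaves identically to the original OR and only the mask-and-assign form replaces a displacement that is already in the buffer.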