From: "Blue Swirl"
Date: Tue, 29 Apr 2008 20:09:00 +0300
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Crash due to invalid env->current_tb
In-Reply-To: <20080429115614.GA15524@os.inf.tu-dresden.de>
References: <20080429115614.GA15524@os.inf.tu-dresden.de>

On 4/29/08, Adam Lackorzynski wrote:
> Hi,
>
> I've been experiencing crashes of latest svn Qemu, host ia32 and target
> arm, host gcc is 'gcc version 3.4.6 (Debian 3.4.6-7)'.
> The segfault happens because of an invalid env->current_tb which seems
> to be caused by generated code.
> The following code in cpu_exec
>
> tc_ptr = tb->tc_ptr;
> env->current_tb = tb;
> gen_func = (void *)tc_ptr;
> T0 = gen_func();
> env->current_tb = NULL;
>
> is being compiled to the following
>
> mov 0x14(%ecx),%eax
> mov %ecx,0x56c(%ebp)
> xor %edi,%edi
> call *%eax
> mov %edi,0x56c(%ebp)
>
> After the call edi isn't 0 anymore and gets the bogus value. As edi is
> callee saved the code itself seems ok.
> When I add a barrier before "env->current_tb = NULL" the xor is placed
> after the call and everything works fine. So might the problem be that
> generated code isn't preserving edi/registers?

Right. How did you make the barrier? My version (attached) just crashes;
I'm not fluent on i386 assembly. Maybe your version could serve as a
temporary fix.

[Attachment fix_i386.diff (sent as text/plain, base64), decoded here:]

Index: qemu/cpu-exec.c
===================================================================
--- qemu.orig/cpu-exec.c	2008-04-29 16:27:03.000000000 +0000
+++ qemu/cpu-exec.c	2008-04-29 16:32:57.000000000 +0000
@@ -690,6 +690,11 @@
 		fp.ip = tc_ptr;
 		fp.gp = code_gen_buffer + 2 * (1 << 20);
 		(*(void (*)(void)) &fp)();
+#elif defined(__i386)
+                asm volatile ("call *%0\n\t"
+                              : "=r" (T0)
+                              : "r" (gen_func)
+                              : "ebx", "esi", "edi");
 #else
                 T0 = gen_func();
 #endif
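Review bot: in the `+#elif defined(__i386)` hunk, `call *%0` goes through operand %0, which is the output `"=r" (T0)`, not `gen_func`; outputs are numbered before inputs, so the call jumps through whatever register the compiler picked for the not-yet-written T0, which is consistent with "just crashes". The target must be the input, `call *%1`, and the result must be pinned to the register the generated code returns in, `: "=a" (T0)` rather than `"=r"`. The clobber list is also incomplete: the call overwrites the caller-saved ecx and edx and writes memory, so it needs `"ecx", "edx", "memory"` in addition to `"ebx", "esi", "edi"` (eax is covered by `"=a"`); declaring the callee-saved registers clobbered is the right part of this patch, since that is what stops gcc from keeping the zero for env->current_tb live in edi across the call, as in the disassembly quoted above.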
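The two things this thread is about, the compiler keeping a live value in a callee-saved register across a call into generated code that does not preserve it, and an inline-asm call that declares the right operands and clobbers, as an added example that is not part of this thread or of QEMU. It assumes x86-64 with the System V ABI on an ELF target and GCC or Clang inline assembly. `gen_good` and `gen_bad` are hypothetical stand-ins for translated blocks (one preserves the callee-saved rbx, the other trashes it, the x86-64 counterpart of edi in the i386 disassembly); `rbx_after_call`, `call_generated` and `DEMO_SUPPORTED` are names chosen for this example. On any other target the block falls back to plain C that builds but shows no hazard.

```c
#include <stdint.h>
#include <stdio.h>

/* A translated block as cpu_exec calls it: a function returning the next T0. */
typedef uintptr_t (*gen_func_t)(void);

#if defined(__x86_64__) && defined(__ELF__)
#define DEMO_SUPPORTED 1

/* Hypothetical stand-ins for generated code, constructed for this example.
 * Both return 0x42 in rax; gen_bad additionally overwrites rbx, which the
 * System V ABI requires a callee to preserve, just as the generated code in
 * the thread left edi holding a bogus value. */
__asm__(
    ".text\n"
    ".globl gen_good\n"
    ".type gen_good, @function\n"
    "gen_good:\n"
    "    movq $0x42, %rax\n"
    "    ret\n"
    ".globl gen_bad\n"
    ".type gen_bad, @function\n"
    "gen_bad:\n"
    "    movq $0x42, %rax\n"
    "    movl $0xdeadbeef, %ebx\n"   /* writing ebx zero-extends into rbx */
    "    ret\n"
);
uintptr_t gen_good(void);
uintptr_t gen_bad(void);

/* Reproduce the hazard: park a known value in rbx across the call, the way gcc
 * parked the zero in edi, and report what is left in rbx afterwards.
 * 0x1234 means the callee preserved it. */
uintptr_t rbx_after_call(gen_func_t fn)
{
    uintptr_t rbx_after, ret;
    __asm__ volatile(
        "movq $0x1234, %%rbx\n\t"
        "subq $128, %%rsp\n\t"       /* step below the red zone; call pushes */
        "call *%[fn]\n\t"
        "addq $128, %%rsp\n\t"
        "movq %%rbx, %[out]\n\t"
        : [out] "=r"(rbx_after), "=a"(ret)
        : [fn] "r"(fn)
        : "rbx", "rcx", "rdx", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "memory", "cc");
    (void)ret;
    return rbx_after;
}

/* The call the attached patch was aiming for, written so the compiler cannot
 * be surprised: the target and the return value are both pinned to rax, and
 * every general register the generated code might touch, plus memory and
 * flags, is declared clobbered, so nothing stays live in a callee-saved
 * register across the call and the compiler saves rbx itself. */
uintptr_t call_generated(gen_func_t fn)
{
    uintptr_t ret;
    __asm__ volatile(
        "subq $128, %%rsp\n\t"
        "call *%[fn]\n\t"
        "addq $128, %%rsp\n\t"
        : "=a"(ret)
        : [fn] "a"(fn)
        : "rbx", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
          "r12", "r13", "r14", "r15", "memory", "cc");
    return ret;
}

#else
#define DEMO_SUPPORTED 0
/* Other targets: plain C stand-ins so the file still builds; nothing is shown. */
uintptr_t gen_good(void) { return 0x42; }
uintptr_t gen_bad(void) { return 0x42; }
uintptr_t rbx_after_call(gen_func_t fn) { (void)fn; return 0; }
uintptr_t call_generated(gen_func_t fn) { return fn(); }
#endif

int main(void)
{
    printf("rbx after gen_good: %#lx\n", (unsigned long)rbx_after_call(gen_good));
    printf("rbx after gen_bad:  %#lx\n", (unsigned long)rbx_after_call(gen_bad));
    printf("call_generated(gen_bad) = %#lx (rbx saved by the caller)\n",
           (unsigned long)call_generated(gen_bad));
    return 0;
}
```

The `subq/addq $128` around the call matters on x86-64 because `call` writes the return address below rsp, and a function the compiler believes is a leaf may keep data in that red zone; i386 has no red zone, so the i386 patch does not need it.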