
Re: [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].v


From: Aurelien Jarno
Subject: Re: [Qemu-devel] qemu aborts with temp_save: Assertion `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed
Date: Mon, 29 Jul 2013 01:01:30 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Thu, Jul 11, 2013 at 08:01:19AM +0400, Max Filippov wrote:
> On Thu, Jul 11, 2013 at 6:35 AM, Max Filippov <address@hidden> wrote:
> > Hi Peter,
> >
> > I suddenly found qemu built with debug enabled aborting with an assertion 
> > on one of xtensa tests:
> >
> > qemu-system-xtensa -M sim -cpu dc232b -nographic -semihosting  -kernel 
> > ./test_sr.tst
> > QEMU 1.4.50 monitor - type 'help' for more information
> > (qemu) QEMU 1.4.50 monitor - type 'help' for more information
> > (qemu) qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion 
> > `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
> 
> Déjà vu:
> 
> commit e5138db510efb61523be92c225d8c65eb985fff0
> Author: Aurelien Jarno <address@hidden>
> Date:   Sat Nov 24 11:53:55 2012 +0100
> 
>     tcg: mark local temps as MEM in dead_temp()
> 
>     In dead_temp, local temps should always be marked as back to memory,
>     even if they have not been allocated (i.e. they are discarded before
>     crossing a basic block).
> 
>     It fixes the following assertion in target-xtensa:
> 
>         qemu-system-xtensa: tcg/tcg.c:1665: temp_save: Assertion
> `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
>         Aborted
> 
> > This happens in the mainline as well, bisection points to the following 
> > commit:
> >
> > commit 378df4b23753a11be650af7664ca76bc75cb9f01
> > Author: Peter Maydell <address@hidden>
> > Date:   Fri Feb 22 18:10:03 2013 +0000
> >
> >     Handle CPU interrupts by inline checking of a flag
> >
> >
> > I have the following traces when it happens, any idea of what could go 
> > wrong?
> >
> > OP:
> >  ld_i32 loc0,env,$0xffffffffffffffc8
> >  movi_i32 tmp1,$0x0
> >  brcond_i32 loc0,tmp1,ne,$0x0
> >  ---- 0xd0000fde
> >
> >  ---- 0xd0000fe0
> >  movi_i32 tmp1,$0xd0000fe0
> >  movi_i32 tmp2,$0x1
> >  movi_i32 tmp3,$0x2
> >  movi_i64 tmp4,$advance_ccount
> >  call tmp4,$0x0,$0,env,tmp3
> >  movi_i64 tmp4,$window_check
> >  call tmp4,$0x0,$0,env,tmp1,tmp2
> >  movi_i32 ar4,$0x0
> >
> >  ---- 0xd0000fe2
> >  movi_i32 tmp1,$0xd00003f0
> >  qemu_ld32 ar2,tmp1,$0x0
> >
> >  ---- 0xd0000fe5
> >  movi_i32 tmp1,$0xd0000470
> >  qemu_ld32 ar3,tmp1,$0x0
> >
> >  ---- 0xd0000fe8
> >  mov_i32 tmp1,ar2
> >  qemu_st32 ar3,tmp1,$0x0
> >
> >  ---- 0xd0000fea
> >  movi_i32 tmp1,$0xd0000fea
> >  movi_i32 tmp2,$0x0
> >  movi_i32 tmp3,$0x4
> >  movi_i64 tmp4,$advance_ccount
> >  call tmp4,$0x0,$0,env,tmp3
> >  movi_i64 tmp4,$exception_cause
> >  call tmp4,$0x0,$0,env,tmp1,tmp2
> >  mov_i32 env,ar4

I think it might be a bug in the current TCG code not handling the case
of writing to a fixed register TCG temp as it is a quite uncommon case.
I will try to look at the code, but it would be easier if you can
provide a way to reproduce the issue.

On the other hand, is it correct to override the value of the env
pointer with a value from a CPU register? This doesn't smell good and
looks like it can be a security issue.

> >  set_label $0x0
> >  exit_tb $0x7fffed6373b3
> >
> > qemu-system-xtensa: tcg/tcg.c:1673: temp_save: Assertion 
> > `s->temps[temp].val_type == 2 || s->temps[temp].fixed_reg' failed.
> >
> > Program received signal SIGABRT, Aborted.
> > [Switching to Thread 0x7fffed633700 (LWP 29011)]
> > 0x00007ffff545bc55 in raise () from /lib64/libc.so.6
> > ...
> > (gdb) bt
> > #0  temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, allocated_regs=16400) at 
> > tcg/tcg.c:1673
> > #1  0x0000555555730fd6 in save_globals (s=0x55555624a2a0 <tcg_ctx>, 
> > allocated_regs=16400) at tcg/tcg.c:1688
> > #2  0x00005555557311b9 in tcg_reg_alloc_bb_end (s=0x55555624a2a0 <tcg_ctx>, 
> > allocated_regs=16400) at tcg/tcg.c:1731
> > #3  0x0000555555732e5d in tcg_gen_code_common (s=0x55555624a2a0 <tcg_ctx>, 
> > gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200",
> > search_pc=-1) at tcg/tcg.c:2300
> > #4  0x0000555555733029 in tcg_gen_code (s=0x55555624a2a0 <tcg_ctx>, 
> > gen_code_buf=0x7fffef240150 <code_gen_buffer+49488> "A\213nȉ\254$\200") at
> > tcg/tcg.c:2356
> > #5  0x0000555555733d3d in cpu_xtensa_gen_code (env=0x5555562b43c0, 
> > tb=0x7fffed6373b0, gen_code_size_ptr=0x7fffed632a70) at translate-all.c:175
> > #6  0x00005555557351cf in tb_gen_code (env=0x5555562b43c0, pc=3489664990, 
> > cs_base=0, flags=0, cflags=0) at translate-all.c:958
> > #7  0x00005555556c8216 in tb_find_slow (env=0x5555562b43c0, pc=3489664990, 
> > cs_base=0, flags=0) at cpu-exec.c:141
> > #8  0x00005555556c839d in tb_find_fast (env=0x5555562b43c0) at 
> > cpu-exec.c:168
> > #9  0x00005555556c8722 in cpu_xtensa_exec (env=0x5555562b43c0) at 
> > cpu-exec.c:583
> > #10 0x00005555556cb719 in tcg_cpu_exec (env=0x5555562b43c0) at cpus.c:1117
> > #11 0x00005555556cb850 in tcg_exec_all () at cpus.c:1150
> > #12 0x00005555556cab40 in qemu_tcg_cpu_thread_fn (arg=0x5555562b42b0) at 
> > cpus.c:843
> > #13 0x00007ffff64d0d15 in start_thread () from /lib64/libpthread.so.0
> > #14 0x00007ffff551853d in clone () from /lib64/libc.so.6
> > (gdb) f 4
> > #4  0x0000555555730f85 in temp_save (s=0x55555624a2a0 <tcg_ctx>, temp=6, 
> > allocated_regs=16400) at tcg/tcg.c:1673
> > 1673        assert(s->temps[temp].val_type == TEMP_VAL_MEM || 
> > s->temps[temp].fixed_reg);
> > (gdb) p s->temps[temp]
> > $2 = {
> >   base_type = TCG_TYPE_I32,
> >   type = TCG_TYPE_I32,
> >   val_type = 1,
> >   reg = 5,
> >   val = 0,
> >   mem_reg = 14,
> >   mem_offset = 24,
> >   fixed_reg = 0,
> >   mem_coherent = 1,
> >   mem_allocated = 1,
> >   temp_local = 0,
> >   temp_allocated = 0,
> >   next_free_temp = 0,
> >   name = 0x5555557826e0 "ar4"
> > }
> >
> > --
> > Thanks.
> > -- Max
> 
> 
> 
> -- 
> Thanks.
> -- Max
> 

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
address@hidden                 http://www.aurel32.net
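The suspicious op in the dump above is `mov_i32 env,ar4`: a guest register's value becomes the new `env` pointer that the generated code dereferences, which is exactly the kind of thing a translator should never emit. The following is an added example (not code from this thread or from QEMU) showing how one could lint a `-d op` style dump for writes to a fixed-register global. The sample dump is a constructed, trimmed copy of the one quoted in the mail; the dump format handling is an assumption: each line is `<op> <arg>,<arg>,...`, an op writes its first operand unless it is a branch, store, label or exit, and a `call` line is `call func,$flags,$nb_oargs,<outputs...>,<inputs...>`.

```python
"""Flag TCG ops that write to a fixed-register global such as `env`.

Added example, not QEMU code. Assumptions about the dump format are
stated in the comments; adjust NON_WRITING_OPS for other TCG versions.
"""
import re

# Constructed sample: a trimmed copy of the op dump quoted in the thread.
SAMPLE_DUMP = """\
 ld_i32 loc0,env,$0xffffffffffffffc8
 movi_i32 tmp1,$0x0
 brcond_i32 loc0,tmp1,ne,$0x0
 ---- 0xd0000fe0
 movi_i32 tmp1,$0xd0000fe0
 movi_i32 tmp2,$0x1
 movi_i64 tmp4,$advance_ccount
 call tmp4,$0x0,$0,env,tmp3
 movi_i32 ar4,$0x0
 ---- 0xd0000fe2
 movi_i32 tmp1,$0xd00003f0
 qemu_ld32 ar2,tmp1,$0x0
 qemu_st32 ar3,tmp1,$0x0
 mov_i32 env,ar4
 set_label $0x0
 exit_tb $0x7fffed6373b3
"""

# Assumption: these ops only read their first operand (branches, stores,
# labels, TB exits); every other op writes its first operand.
NON_WRITING_OPS = {
    "brcond", "brcond2", "br", "set_label", "exit_tb", "goto_tb",
    "qemu_st8", "qemu_st16", "qemu_st32", "qemu_st64",
    "st8", "st16", "st32", "st",
}

# Globals that live in a fixed host register and must never be a destination.
FIXED_GLOBALS = {"env"}


def base_name(op):
    """Strip the _i32/_i64 type suffix so `mov_i32` and `mov_i64` match."""
    return re.sub(r"_i(32|64)$", "", op)


def written_operands(op, args):
    """Return the operands that `op` writes, per the format assumptions."""
    base = base_name(op)
    if base in NON_WRITING_OPS:
        return []
    if base == "call":
        # call func,$flags,$nb_oargs,<outputs...>,<inputs...>
        nb_oargs = int(args[2].lstrip("$"), 0)
        return args[3:3 + nb_oargs]
    return args[:1] if args else []


def find_fixed_global_writes(dump):
    """Return (line number, op text) for every op that writes a fixed global."""
    findings = []
    for lineno, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("----"):   # guest-PC marker lines
            continue
        op, _, rest = line.partition(" ")
        args = rest.split(",") if rest else []
        for dst in written_operands(op, args):
            if dst in FIXED_GLOBALS:
                findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, text in find_fixed_global_writes(SAMPLE_DUMP):
        print(f"line {lineno}: fixed global written by: {text}")
```

Run against the constructed sample, the only hit is `mov_i32 env,ar4`; the `ld_i32 loc0,env,...` and `call ...,env,tmp3` lines read `env` and are correctly left alone. The same check can be run over a real `-d op` log once the op list in `NON_WRITING_OPS` has been checked against the TCG version in use.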


