From: Juergen Lock
Subject: Re: [Qemu-devel] found one tcg `bug' (was: testing r4764 svn from 2008-06-20 18:25:56 +0200 on FreeBSD)
Date: Wed, 2 Jul 2008 23:19:29 +0200 (CEST)

In article <address@hidden> you write:
>Juergen Lock wrote:
>[snip]
>> >  (Memory corruption, right?)  I've put the end of an in_asm,out_asm log up at
>> >    http://people.freebsd.org/~nox/qemu/tcgbug-i386host.log.txt
>> > (its long.)  That function is MD5Transform() in:
>> >    http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/md5c.c?annotate=1.27
>> > in the FreeBSD 7.0 amd64 kernel on
>> >    ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-amd64/7.0/7.0-RELEASE-amd64-livefs.iso
>> > (the bootonly most likely will fail in the same way:
>> >    ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-amd64/7.0/7.0-RELEASE-amd64-bootonly.iso
>> > , you can go to
>> >    http://mirrorlist.freebsd.org/
>> > to find a mirror near you, search for ISOs.)
>> 
>> Well, I finally got around looking at this again, and found the cause
>> wasn't exactly a bug, just a too low constant:
>> 
>> Index: qemu/exec-all.h
>> @@ -30,7 +30,7 @@
>>  struct TranslationBlock;
>>  
>>  /* XXX: make safe guess about sizes */
>> -#define MAX_OP_PER_INSTR 64
>> +#define MAX_OP_PER_INSTR 128
>>  /* A Call op needs up to 6 + 2N parameters (N = number of arguments).  */
>>  #define MAX_OPC_PARAM 10
>>  #define OPC_BUF_SIZE 512
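Review bot: raising MAX_OP_PER_INSTR from 64 to 128 doubles the margin but leaves it exactly what the surviving comment says it is, a guess: nothing in the hunk checks that a translated instruction actually stayed within MAX_OP_PER_INSTR, so the next instruction that expands past 128 ops will overwrite past the op buffers as silently as the 64-bit rotate on a 32-bit host did at 64 (the backtrace below shows the overwrite landing in tcg_gen_op3, which writes unconditionally). Suggest pairing the larger constant with a check after each translated instruction that gen_opc_ptr advanced by at most MAX_OP_PER_INSTR (abort, or at least log, on violation), and replacing the `/* XXX: make safe guess about sizes */` line with a note recording which instruction motivated 128 so the number is traceable; moving such wide expansions into a helper function, as the reply suggests, would also keep the per-instruction bound small.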
>> 
>>  With this I can at least boot into fixit and run find /dist (I didn't
>> test an actual install.)
>
>Were you able to isolate the offending instruction? With more than 64
>ops it should probably use a helper function.

Well, I have the backtrace of the overwrite watchpoint hit:

tcg_gen_shifti_i64 (ret=33, arg1=33, c=31, right=34, arith=0) at tcg-op.h:69
69          *gen_opparam_ptr++ = GET_TCGV(arg1);
(gdb) l
64      }
65
66      static inline void tcg_gen_op3(int opc, TCGv arg1, TCGv arg2, TCGv arg3)
67      {
68          *gen_opc_ptr++ = opc;
69          *gen_opparam_ptr++ = GET_TCGV(arg1);
70          *gen_opparam_ptr++ = GET_TCGV(arg2);
71          *gen_opparam_ptr++ = GET_TCGV(arg3);
72      }
73
(gdb) p gen_opc_ptr
$15 = (uint16_t *) 0x83c32e0
(gdb) bt
#0  tcg_gen_shifti_i64 (ret=33, arg1=33, c=31, right=34, arith=0)
    at tcg-op.h:69
#1  0x080dbc03 in gen_rot_rm_T1 (s=0xbfbfd570, ot=2, op1=12, is_right=1)
    at tcg-op.h:751
#2  0x080f924b in disas_insn (s=0xbfbfd570, pc_start=18446744071566862578)
    at 
/usr/ports/emulators/qemu-devel/work/qemu-snapshot-2008-06-20_19/target-i386/translate.c:4911
#3  0x08149ada in gen_intermediate_code (env=0x12771000, tb=0x11217a00)
    at 
/usr/ports/emulators/qemu-devel/work/qemu-snapshot-2008-06-20_19/target-i386/translate.c:7205
#4  0x080d51cb in cpu_x86_gen_code (env=0x12771000, tb=0x11217a00, 
    gen_code_size_ptr=0xbfbfd6ec)
    at 
/usr/ports/emulators/qemu-devel/work/qemu-snapshot-2008-06-20_19/translate-all.c:96
#5  0x080d5b90 in cpu_x86_exec (env1=0x83be268)
    at 
/usr/ports/emulators/qemu-devel/work/qemu-snapshot-2008-06-20_19/cpu-exec.c:141
#6  0x08056056 in main (argc=0, argv=0x0)
    at 
/usr/ports/emulators/qemu-devel/work/qemu-snapshot-2008-06-20_19/vl.c:7233

 Seeing what's at pc_start=18446744071566862578:
        0xffffffff804928f2 <MD5Transform+898>:  ror    $0x17,%r12d
(which is also the insn that the mentioned in_asm log ends with.)

 But, can't there be more cases like this for amd64 targets on i386 hosts?
Since it has to do most ops in pieces...

 Thanx,
        Juergen
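The thread's finding is that the op buffers are sized from a per-instruction guess (MAX_OP_PER_INSTR) with no check that the guess holds, so an instruction that expands into more TCG ops than expected writes past the buffer and the failure shows up later as memory corruption. The following is an added, self-contained C model written for this page; it is not QEMU code and does not reproduce QEMU's translation loop. It borrows the constant names from the quoted hunk, gives tcg_gen_op3 a bounds-checked counterpart, and adds the two checks a defender would want: a headroom test before each instruction (close the block when fewer than MAX_OP_PER_INSTR slots remain) and an assertion after each instruction that it stayed within the guess. The per-instruction op counts (fifty-six 8-op instructions followed by one 80-op instruction, standing in for the wide 64-bit rotate) are constructed; how many ops the real `ror` expands into on an i386 host is not stated on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names follow the quoted exec-all.h hunk; MAX_OP_PER_INSTR is a runtime
 * field here so the old guess (64) and the new one (128) can be compared. */
#define OPC_BUF_SIZE   512
#define MAX_OPC_PARAM  10

typedef struct {
    uint16_t opc_buf[OPC_BUF_SIZE];
    uint32_t opparam_buf[OPC_BUF_SIZE * MAX_OPC_PARAM];
    uint16_t *opc_ptr;       /* plays the role of gen_opc_ptr */
    uint32_t *opparam_ptr;   /* plays the role of gen_opparam_ptr */
    int max_op_per_instr;    /* the "safe guess" under test */
    int insn_ops;            /* ops the current instruction tried to emit */
    int dropped;             /* writes that would have gone past the buffer */
    int overflow;            /* set once an instruction exceeded the guess */
} OpBuffer;

static void opbuf_init(OpBuffer *b, int max_op_per_instr)
{
    memset(b, 0, sizeof *b);
    b->opc_ptr = b->opc_buf;
    b->opparam_ptr = b->opparam_buf;
    b->max_op_per_instr = max_op_per_instr;
}

/* Bounds-checked counterpart of tcg_gen_op3 from the gdb listing. The
 * original writes unconditionally, which is the overwrite the watchpoint
 * caught; here a write past the end is counted instead of performed. */
static void emit_op3(OpBuffer *b, uint16_t opc, uint32_t a1, uint32_t a2, uint32_t a3)
{
    b->insn_ops++;
    if (b->opc_ptr >= b->opc_buf + OPC_BUF_SIZE) {
        b->dropped++;
        return;
    }
    *b->opc_ptr++ = opc;
    *b->opparam_ptr++ = a1;
    *b->opparam_ptr++ = a2;
    *b->opparam_ptr++ = a3;
}

/* Headroom check: refuse to start an instruction unless max_op_per_instr
 * slots remain, so a conforming instruction can never run off the end. */
static int begin_insn(OpBuffer *b)
{
    if ((b->opc_buf + OPC_BUF_SIZE) - b->opc_ptr < b->max_op_per_instr)
        return 0;
    b->insn_ops = 0;
    return 1;
}

/* After an instruction: verify the guess held. This is the check that turns
 * a silent overwrite into a detected fault. Returns the ops attempted. */
static int end_insn(OpBuffer *b)
{
    if (b->insn_ops > b->max_op_per_instr)
        b->overflow = 1;
    return b->insn_ops;
}

/* Constructed stand-in for a guest instruction that expands into n_ops
 * TCG ops (a 64-bit rotate done in 32-bit pieces, say); count is made up. */
static void gen_synthetic_insn(OpBuffer *b, int n_ops)
{
    for (int i = 0; i < n_ops; i++)
        emit_op3(b, (uint16_t)(0x100 + i), 33, 33, 31);
}

/* Translate a block given each instruction's op count; returns how many
 * instructions were translated before the headroom check ended the block. */
static int translate_block(OpBuffer *b, const int *op_counts, int n_insns)
{
    int done = 0;
    for (int i = 0; i < n_insns; i++) {
        if (!begin_insn(b))
            break;
        gen_synthetic_insn(b, op_counts[i]);
        end_insn(b);
        done++;
    }
    return done;
}

static int ops_written(const OpBuffer *b)
{
    return (int)(b->opc_ptr - b->opc_buf);
}

/* Constructed scenario: 56 ordinary 8-op instructions, then one 80-op
 * instruction that arrives with exactly 64 slots of headroom left. */
static void scenario_counts(int *counts)
{
    for (int i = 0; i < 56; i++)
        counts[i] = 8;
    counts[56] = 80;
}

int main(void)
{
    int counts[57];
    OpBuffer b;
    scenario_counts(counts);
    for (int limit = 64; limit <= 128; limit *= 2) {
        opbuf_init(&b, limit);
        int n = translate_block(&b, counts, 57);
        printf("limit %3d: %d insns, %d ops written, %d dropped, overflow=%d\n",
               limit, n, ops_written(&b), b.dropped, b.overflow);
    }
    return 0;
}
```

With the old guess of 64 the headroom check lets the 80-op instruction start with 64 slots left, 16 of its writes would land past the buffer (the model counts them as dropped), and end_insn flags the violation. With 128 the block is closed after 49 small instructions, the wide one is never started against insufficient headroom, and nothing is dropped. The per-instruction assertion is the part that matters operationally: with it, a future instruction wider than 128 fails loudly at translation time instead of surfacing as corrupted guest state somewhere later.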