[Bug 1663287] Re: Illegal delay slot code causes abort on mips64
From: martin short
Subject: [Bug 1663287] Re: Illegal delay slot code causes abort on mips64
Date: Mon, 06 Apr 2020 21:07:15 -0000
I found the exact same bug. Tested on several hosts and qemu releases.
The newest one I tested was on FreeBSD 12.1 host and qemu-4.1.1_1 built
from ports.
Instructions:

    4000d0: 0320f809 jalr t9
    4000d4: 45454545 0x45454545 # bc1any4t $fcc1,0x800101f8
I was running qemu-mips as:

    qemu-system-mipsel -s -m 1024 -M malta \
        -kernel vmlinux-3.16.0-6-4kc-malta \
        -initrd initrd.img-3.16.0-6-4kc-malta \
        -device virtio-blk-pci,drive=hd0 \
        -drive if=none,id=hd0,format=qcow2,file=debian_wheezy_mipsel_standard.qcow2 \
        -append "root=/dev/vda1" \
        -device virtio-net-pci,netdev=net0 \
        -netdev user,id=net0,hostfwd=tcp::1666-:22,ipv6=off \
        -curses
abort() was in target/mips/translate.c:12945, in gen_branch().

It doesn't really matter whether the instruction is supported on the given CPU; a user can crash qemu from within the guest.
https://bugs.launchpad.net/bugs/1663287
Title:
Illegal delay slot code causes abort on mips64
Status in QEMU:
New
Bug description:
During some randomised testing of an experimental MIPS implementation
I found an instruction sequence that also causes aborts on mainline
qemu's MIPS support. The problem is triggered by an MSA branch
instruction appearing in a delay slot when emulating a processor
without MSA support.
For example, with the current repository HEAD
(f073cd3a2bf1054135271b837c58a7da650dd84b) configured for
mips64-softmmu, if I run the attached binary using

    mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine mipssim -nographic

it will report

    unknown branch 0x13000
    Aborted (core dumped)
The binary contains the following two instructions:

    00200008 jr at
    47081e61 bz.b w8,0xffffffffbfc0798c
The jr sets up a jump, and hflags is set accordingly in
gen_compute_branch (in target/mips/translate.c). When processing the
bz.b, check_insn generates an exception because the instruction isn't
supported, but gen_msa_branch skips the usual delay slot check for the
same reason, and sets more bits in hflags, leading to an abort in
gen_branch because the hflags are now invalid.
I suspect the best fix is to remove the instruction set condition from
the delay slot check in gen_msa_branch.
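The following is an added model of the check-ordering defect the bug description explains, written for this page and not taken from QEMU's source. The structure names, flag bits and values (HFLAG_B, HFLAG_BC, ASE_MSA, DisasContext, EXCP_RI) are simplified stand-ins, not QEMU's real MIPS_HFLAG_* definitions. It translates the reported "jr at; bz.b" sequence twice: once with the delay-slot check guarded by the same feature test that check_insn already failed (the reported behaviour, where a second branch bit lands on hflags and gen_branch hits its "unknown branch" abort path), and once with the guard removed, which is the fix the reporter suggests.

```c
/* Constructed model of the gen_msa_branch delay-slot check ordering bug.
 * Not QEMU code: names and flag values are hypothetical simplifications. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HFLAG_B       0x01u   /* unconditional branch pending (jr/jalr) */
#define HFLAG_BC      0x02u   /* conditional branch pending (bz.b and friends) */
#define HFLAG_BMASK   (HFLAG_B | HFLAG_BC)
#define ASE_MSA       0x10u   /* emulated CPU implements MSA */

#define EXCP_NONE 0
#define EXCP_RI   1           /* reserved instruction */

typedef struct {
    uint32_t insn_flags;      /* feature set of the emulated CPU */
    uint32_t hflags;          /* branch state carried between instructions */
    int      exception;       /* exception raised while translating, if any */
    bool     aborted;         /* gen_branch saw an hflags combination it cannot handle */
} DisasContext;

static void generate_exception(DisasContext *ctx, int excp) { ctx->exception = excp; }

/* jr/jalr: record that an unconditional branch is pending */
static void gen_jump(DisasContext *ctx) { ctx->hflags |= HFLAG_B; }

/* check_insn: raise RI if the CPU lacks the feature; decoding continues */
static void check_insn(DisasContext *ctx, uint32_t feature) {
    if (!(ctx->insn_flags & feature)) generate_exception(ctx, EXCP_RI);
}

/* bz.b translation. With 'fixed' false the delay-slot check only runs when
 * the CPU has MSA, i.e. under the same condition check_insn just failed, so
 * on a CPU without MSA it is skipped and a second branch bit is stacked
 * onto hflags. With 'fixed' true the check runs unconditionally. */
static void gen_msa_branch(DisasContext *ctx, bool fixed) {
    check_insn(ctx, ASE_MSA);
    bool run_delay_slot_check = fixed || (ctx->insn_flags & ASE_MSA);
    if (run_delay_slot_check && (ctx->hflags & HFLAG_BMASK)) {
        generate_exception(ctx, EXCP_RI);   /* branch in a delay slot: reject */
        return;
    }
    ctx->hflags |= HFLAG_BC;
}

/* gen_branch: emit the pending branch. Anything other than exactly one
 * pending branch kind violates a translator invariant (abort() in QEMU). */
static void gen_branch(DisasContext *ctx) {
    switch (ctx->hflags & HFLAG_BMASK) {
    case HFLAG_B:
    case HFLAG_BC:
        break;
    default:
        ctx->aborted = true;  /* the "unknown branch" path */
    }
}

/* Translate "jr at; bz.b ..." and report whether the translator aborted */
static bool translate_jr_then_bz(bool cpu_has_msa, bool fixed) {
    DisasContext ctx = { cpu_has_msa ? ASE_MSA : 0u, 0u, EXCP_NONE, false };
    gen_jump(&ctx);
    gen_msa_branch(&ctx, fixed);
    gen_branch(&ctx);
    return ctx.aborted;
}

int main(void) {
    printf("buggy check, CPU without MSA: %s\n", translate_jr_then_bz(false, false) ? "abort" : "ok");
    printf("fixed check, CPU without MSA: %s\n", translate_jr_then_bz(false, true) ? "abort" : "ok");
    printf("buggy check, CPU with MSA:    %s\n", translate_jr_then_bz(true, false) ? "abort" : "ok");
    return 0;
}
```

The point the model makes is that a validity check which guards a state transition (here, "no branch may start inside a delay slot") must not share a precondition with an earlier check that can fail without stopping decoding; otherwise the guest-controlled instruction stream reaches a state the later stage treats as impossible. Running the check first, independent of feature support, keeps hflags consistent whichever exception is raised.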