From patchwork Fri Jun 8 01:05:48 2012
X-Patchwork-Submitter: "Maciej W. Rozycki"
X-Patchwork-Id: 163703
Date: Fri, 8 Jun 2012 02:05:48 +0100
From: "Maciej W. Rozycki"
Cc: "Maciej W. Rozycki", Aurelien Jarno
Subject: [Qemu-devel] [PATCH] MIPS: Correct branch-likely single-stepping
User-Agent: Alpine 1.10 (DEB 962 2008-03-14)
X-BeenThere: qemu-devel@nongnu.org
From: Nathan Froyd

We have a problem with single-stepping branch-likely instructions.  Here's Nathan's original note:

"[This] is a problem with single-stepping in QEMU: it manifests as the program corrupting the register set--specifically the return address--and going into an infinite loop.  The problem is that we were not correctly saving state when single-stepping over branch likely instructions.

In the program, we had this sequence:

0x8000b328: bnezl v0,0x8000b318
0x8000b32c: lw v0,0(s1)       # branch delay slot
0x8000b330: lw ra,28(sp)

The cause of the problem was that QEMU sets a flag in its internal translation state indicating that we had previously translated a branch likely instruction.  When we generated the "skip over instruction" for a not-taken branch, this flag was not correctly cleared for the beginning of the next translation block.  The result was that we skipped the instruction at 0x8000b32c (good) *and* the instruction at 0x8000b330 (bad).  $ra therefore never got restored."

I have verified the problem is still there; here's a relevant raw GDB session (addresses are different, but the code is essentially the same):

(gdb) continue
Continuing.

Breakpoint 2, 0x8000b460 in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b460 <__libc_init_array+124>: sltu v0,s0,s2
(gdb) stepi
0x8000b464 in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b464 <__libc_init_array+128>: bnezl v0,0x8000b454 <__libc_init_array+112>
   0x8000b468 <__libc_init_array+132>: lw v0,0(s1)
(gdb)
0x8000b46c in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b46c <__libc_init_array+136>: lw ra,28(sp)
(gdb)
0x8000b470 in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b470 <__libc_init_array+140>: lw s2,24(sp)
(gdb)

-- oops! -- $ra still the same!

Fixed with Nathan's change:

(gdb) continue
Continuing.
Breakpoint 2, 0x8000b460 in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b460 <__libc_init_array+124>: sltu v0,s0,s2
(gdb) stepi
0x8000b464 in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b464 <__libc_init_array+128>: bnezl v0,0x8000b454 <__libc_init_array+112>
   0x8000b468 <__libc_init_array+132>: lw v0,0(s1)
(gdb)
0x8000b46c in __libc_init_array ()
4: /x $ra = 0x8000b460
2: x/i $pc
=> 0x8000b46c <__libc_init_array+136>: lw ra,28(sp)
(gdb)
0x8000b470 in __libc_init_array ()
4: /x $ra = 0x8000891c
2: x/i $pc
=> 0x8000b470 <__libc_init_array+140>: lw s2,24(sp)
(gdb)

Signed-off-by: Maciej W. Rozycki
---
Sent on behalf of Nathan, who's since left the company.  Please apply.

  Maciej

qemu-mips-blikely.diff Index: qemu-git-trunk/target-mips/translate.c =================================================================== --- qemu-git-trunk.orig/target-mips/translate.c 2012-06-04 05:02:44.015407154 +0100 +++ qemu-git-trunk/target-mips/translate.c 2012-06-04 05:02:45.355612652 +0100 @@ -11699,11 +11699,17 @@ static void decode_opc (CPUMIPSState *en /* Handle blikely not taken case */ if ((ctx->hflags & MIPS_HFLAG_BMASK_BASE) == MIPS_HFLAG_BL) { int l1 = gen_new_label(); + uint32_t saved_hflags; MIPS_DEBUG("blikely condition (" TARGET_FMT_lx ")", ctx->pc + 4); tcg_gen_brcondi_tl(TCG_COND_NE, bcond, 0, l1); tcg_gen_movi_i32(hflags, ctx->hflags & ~MIPS_HFLAG_BMASK); + /* Fake saving hflags so that gen_goto_tb doesn't overwrite the + * hflags we saved above. */ + saved_hflags = ctx->saved_hflags; + ctx->saved_hflags = ctx->hflags; gen_goto_tb(ctx, 1, ctx->pc + 4); + ctx->saved_hflags = saved_hflags; gen_set_label(l1); }
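Review bot: the fix only works because gen_goto_tb() (through its state save) skips the hflags store when ctx->saved_hflags already equals ctx->hflags, and nothing in this hunk states that contract; the comment "Fake saving hflags so that gen_goto_tb doesn't overwrite the hflags we saved above" should name it, e.g. "gen_goto_tb() re-stores hflags only when ctx->hflags != ctx->saved_hflags; pretend the BL-set value is already saved so the cleared value written above survives into the next TB", so that a later change to gen_goto_tb() or the state-save helper does not silently bring back the double skip and the lost $ra described in the commit message. Also, "hflags we saved above" reads as if it meant ctx->saved_hflags, whereas the line above stores the cleared value into the TCG global hflags; "stored above" avoids that confusion. Restoring ctx->saved_hflags after gen_goto_tb() is right, since the fall-through to l1 (taken branch) must still see the real saved state. A single-step regression test covering a not-taken branch-likely followed by a load would make this hard to regress.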
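As an added illustration (not QEMU's code and not part of this patch), here is a small C model of the bookkeeping the hunk above changes. It assumes, following the patch comment, that gen_goto_tb() on the single-step exit path calls a state save that stores ctx->hflags into the CPU only when it differs from ctx->saved_hflags, and that direct TB chaining stores nothing extra; the flag bit values, the DisasContext fields kept, MODE_BITS, and the env_hflags variable standing in for the emitted TCG store are all constructed for the model. It shows the flags a not-taken bnezl leaves for the next translation block, with and without the patch, under normal and single-step execution.

```c
/* Added model of the hflags bookkeeping behind the patch; not QEMU code.
 * Field and function names follow the diff (ctx->hflags, ctx->saved_hflags,
 * gen_goto_tb); bit values and the env_hflags stand-in are constructed. */
#include <stdint.h>
#include <stdio.h>

#define MIPS_HFLAG_BMASK 0x0f00u  /* constructed: branch-state bits */
#define MIPS_HFLAG_BL    0x0400u  /* constructed: branch-likely pending */
#define MODE_BITS        0x0001u  /* constructed: unrelated mode bit, must survive */

typedef struct {
    uint32_t hflags;        /* translator's current view of the flags */
    uint32_t saved_hflags;  /* flags the translator believes the CPU already holds */
    int singlestep_enabled;
} DisasContext;

/* Stand-in for the CPU-side hflags that generated code stores into. */
static uint32_t env_hflags;

/* Assumed contract (from the patch comment): the state save only emits a
 * store when the translator's flags differ from what it thinks is saved. */
static void save_cpu_state(DisasContext *ctx)
{
    if (ctx->hflags != ctx->saved_hflags) {
        env_hflags = ctx->hflags;
        ctx->saved_hflags = ctx->hflags;
    }
}

/* Assumed: direct TB chaining stores nothing extra, but the single-step
 * exit hands a complete CPU state to the debugger, so it saves first. */
static void gen_goto_tb(DisasContext *ctx)
{
    if (ctx->singlestep_enabled) {
        save_cpu_state(ctx);
    }
}

/* Not-taken path of a branch-likely, as in decode_opc(): the delay slot is
 * skipped once, so the branch bits are cleared in the stored flags before
 * jumping past it.  Returns the flags the next TB will start from. */
uint32_t blikely_not_taken(int singlestep, int patched)
{
    /* The TB began before the branch, so the CPU copy carries no branch
     * bits; decoding the bnezl set BL in ctx->hflags only. */
    DisasContext ctx = {
        .hflags = MODE_BITS | MIPS_HFLAG_BL,
        .saved_hflags = MODE_BITS,
        .singlestep_enabled = singlestep,
    };
    env_hflags = MODE_BITS;

    /* Models: tcg_gen_movi_i32(hflags, ctx->hflags & ~MIPS_HFLAG_BMASK); */
    env_hflags = ctx.hflags & ~MIPS_HFLAG_BMASK;

    if (patched) {
        /* Pretend the BL-set value is already saved so gen_goto_tb()
         * leaves the cleared value alone, then undo the pretence so the
         * taken-branch path still sees the real saved state. */
        uint32_t saved_hflags = ctx.saved_hflags;
        ctx.saved_hflags = ctx.hflags;
        gen_goto_tb(&ctx);
        ctx.saved_hflags = saved_hflags;
    } else {
        gen_goto_tb(&ctx);  /* original code: may re-store BL */
    }
    return env_hflags;
}

/* 1 if the next TB would wrongly start with branch-likely still pending
 * and skip its first instruction too (the lost "lw ra,28(sp)"). */
int bl_still_pending(int singlestep, int patched)
{
    return (blikely_not_taken(singlestep, patched) & MIPS_HFLAG_BL) != 0;
}

int main(void)
{
    printf("normal run,  original: BL pending = %d\n", bl_still_pending(0, 0));
    printf("single-step, original: BL pending = %d\n", bl_still_pending(1, 0));
    printf("single-step, patched:  BL pending = %d\n", bl_still_pending(1, 1));
    return 0;
}
```

Only the single-step, unpatched combination leaves the branch-likely bit set for the next TB, which is exactly why the bug surfaced under GDB's stepi and not in a normal run; the patched path keeps the cleared value while leaving ctx->saved_hflags as it was for the taken-branch fall-through.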