From patchwork Thu Mar 15 19:19:55 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 886413
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Thu, 15 Mar 2018 20:19:55 +0100
Message-Id: <20180315191958.28937-1-laurent@vivier.eu>
Subject: [Qemu-devel] [RFC 0/3] target/m68k: fix TCGv array overflow
Cc: Laurent Vivier, Richard Henderson

Since commit 15fa08f845 ("tcg: Dynamically allocate TCGOps") we have no limit to fill the TCGOps cache and we can fill the entire TCG variables array and overflow it.
It seems to happen only with m68k, because the m68k translator doesn't free some TCGv at the end of instruction translation, since the variable can be either a temporary one or an allocated one. I try to fix this by introducing a new TCG function that tries to free a TCGv if it is a temporary one and does nothing otherwise (patches 1 and 2).

The last patch is here to avoid the error and stop the translation before the buffer overflows (but I guess we should not need this with correctly written translation functions...)

Laurent Vivier (3):
  tcg: introduce tcg_temp_try_free()
  target/m68k: use tcg_temp_try_free()
  m68k: Test if we overflow the temp variable array

 target/m68k/translate.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++-
 tcg/tcg-op.h            |  2 ++
 tcg/tcg.c               | 28 +++++++++++++++------
 tcg/tcg.h               |  9 +++++++
 4 files changed, 98 insertions(+), 8 deletions(-)
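A small C model of the failure mode and the fix described in the cover letter, added here as an illustration; it is not code from the patch series or from QEMU. MAX_TEMPS, Temp, Ctx, temp_alloc, temp_try_free and translate_block are constructed stand-ins for TCG's temp array: the translator that never frees its per-instruction temporary fills the array, while the one that calls a try-free (which releases only temporaries and leaves globals alone) keeps it bounded, and the allocator refuses instead of writing past the array, as the third patch does.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed capacity, kept tiny so the overflow shows up after a few insns. */
#define MAX_TEMPS 8
/* Hypothetical slot: a global (guest register, lives for the whole block)
 * or a temporary (meant to live for one instruction only). */
typedef struct { bool in_use; bool is_global; } Temp;
/* nb_temps: high-water mark of slots handed out; overflow replaces writing past temps[] */
typedef struct { Temp temps[MAX_TEMPS]; size_t nb_temps; bool overflow; } Ctx;
/* Reuse a freed slot, else grow; refuse (and flag) rather than overflow. */
static int temp_alloc(Ctx *c, bool is_global)
{
    for (size_t i = 0; i < c->nb_temps; i++) {
        if (!c->temps[i].in_use) {
            c->temps[i] = (Temp){ .in_use = true, .is_global = is_global };
            return (int)i;
        }
    }
    if (c->nb_temps >= MAX_TEMPS) {   /* the bound check the third patch adds */
        c->overflow = true;
        return -1;
    }
    c->temps[c->nb_temps] = (Temp){ .in_use = true, .is_global = is_global };
    return (int)c->nb_temps++;
}

/* Free the slot only if it is a temporary; a global is left untouched. */
static bool temp_try_free(Ctx *c, int idx)
{
    if (idx < 0 || (size_t)idx >= c->nb_temps || c->temps[idx].is_global) {
        return false;
    }
    c->temps[idx].in_use = false;
    return true;
}

/* Translate n_insns: even ones read a guest register, odd ones need a temp.
 * Returns how many instructions were translated before allocation failed. */
int translate_block(int n_insns, bool free_at_end)
{
    Ctx c = {0};
    int reg = temp_alloc(&c, true);   /* one global, allocated once per block */
    for (int i = 0; i < n_insns; i++) {
        int v = (i % 2 == 0) ? reg : temp_alloc(&c, false);
        if (v < 0) return i;          /* stop translating: temps[] is full */
        if (free_at_end) temp_try_free(&c, v);   /* safe for either kind */
    }
    return n_insns;
}
```

With the global plus seven never-freed temporaries the eight slots are exhausted at the 16th instruction, whereas the freeing translator reuses one slot indefinitely.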