
Re: [Qemu-devel] sha1sum segfaults on x86_64 target / i386 host


From: Laurent Desnogues
Subject: Re: [Qemu-devel] sha1sum segfaults on x86_64 target / i386 host
Date: Tue, 22 Sep 2009 19:48:52 +0200

On Tue, Sep 22, 2009 at 5:49 PM, Aurelien Jarno <address@hidden> wrote:
[...]
>
> Actually I am not really convinced it has been fixed; I really think the
> bug is still present, but not triggerable anymore this way.
>
> It looks like very long translations are not stopped correctly. This part
> of the code looks suspicious:
>
>        /* if too long translation, stop generation too */
>        if (gen_opc_ptr >= gen_opc_end ||
>            (pc_ptr - pc_start) >= (TARGET_PAGE_SIZE - 32) ||
>            num_insns >= max_insns) {
>            gen_jmp_im(pc_ptr - dc->cs_base);
>            gen_eob(dc);
>            break;
>        }
>
> If I understand correctly, when the end of the buffer is reached, the
> translation is stopped, but some more opc are added by gen_jmp_im()
> and gen_eob().
>
> OTOH, on MIPS the following code leaves some space at the end of the
> buffer for a few more opc:
>
>    /* Leave some spare opc slots for branch handling. */
>    gen_opc_end = gen_opc_buf + OPC_MAX_SIZE - 16;
>
> Applying the same changes to the x86_64 target fixes the bug. However, I
> am not sure it is fully correct. Any comment?

You mean that if you subtract 16 and go back to just before malc's commit
you don't experience the crash anymore?

To me it looks like using gen_opc_buf + OPC_MAX_SIZE is rather
safe given that it gives room for 64 extra ops (cf. exec-all.h).


Laurent
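The slack question discussed in this thread, as an added C model that is not QEMU code: it simulates a translator that appends ops per guest instruction, checks opc_ptr >= opc_end after each one, and then still emits the gen_jmp_im/gen_eob epilogue, and reports whether a worst-case block fits the real buffer with and without a MIPS-style 16-slot margin. MAX_OP_PER_INSTR, OPC_BUF_SIZE and EPILOGUE_OPS are assumed values for illustration, not the constants from exec-all.h.

```c
/* Model of a TCG-style op buffer: the translator appends ops for each
 * guest instruction, then checks opc_ptr >= opc_end and, if so, emits the
 * block epilogue (gen_jmp_im + gen_eob) before stopping.  All sizes here
 * are assumptions chosen for illustration, not QEMU's actual constants. */
#include <stddef.h>
#include <stdio.h>

#define MAX_OP_PER_INSTR 64   /* assumed: most ops one instruction emits */
#define OPC_BUF_SIZE     640  /* assumed: real size of gen_opc_buf */
#define OPC_MAX_SIZE     (OPC_BUF_SIZE - MAX_OP_PER_INSTR)
#define EPILOGUE_OPS     4    /* assumed: ops added by gen_jmp_im + gen_eob */

struct gen_state {
    size_t opc_ptr;    /* index of the next free slot in the op buffer */
    size_t opc_end;    /* threshold at which translation must stop */
};

static void emit(struct gen_state *g, size_t nops) { g->opc_ptr += nops; }

/* Worst-case instruction stream: single-op instructions until the pointer
 * sits just below the threshold, then one maximal instruction.  Returns the
 * number of slots the block used, epilogue included. */
size_t worst_case_slots_used(size_t spare)
{
    struct gen_state g = { 0, OPC_MAX_SIZE - spare };
    for (;;) {
        /* largest instruction the stop check still lets through at this point */
        emit(&g, g.opc_ptr + 1 == g.opc_end ? MAX_OP_PER_INSTR : 1);
        if (g.opc_ptr >= g.opc_end) {   /* the stop check under discussion */
            emit(&g, EPILOGUE_OPS);     /* gen_jmp_im/gen_eob still add ops */
            return g.opc_ptr;
        }
    }
}

/* 1 if that worst case stays inside the real buffer, 0 if it overruns it. */
int stop_check_is_safe(size_t spare)
{
    return worst_case_slots_used(spare) <= OPC_BUF_SIZE;
}

int main(void)
{
    size_t spare;
    for (spare = 0; spare <= 16; spare += 16) {
        printf("spare=%2zu: slots used=%zu of %d -> %s\n", spare,
               worst_case_slots_used(spare), OPC_BUF_SIZE,
               stop_check_is_safe(spare) ? "fits" : "OVERRUN");
    }
    return 0;
}
```

With these assumed sizes the margin of MAX_OP_PER_INSTR covers the last instruction but not the epilogue, so a block can overrun by exactly the epilogue's ops minus one; the 16-slot margin absorbs it.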



