[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] sha1sum segfaults on x86_64 target / i386 host
From: |
Aurelien Jarno |
Subject: |
Re: [Qemu-devel] sha1sum segfaults on x86_64 target / i386 host |
Date: |
Tue, 22 Sep 2009 21:06:20 +0200 |
User-agent: |
Mutt/1.5.18 (2008-05-17) |
On Tue, Sep 22, 2009 at 07:48:52PM +0200, Laurent Desnogues wrote:
> On Tue, Sep 22, 2009 at 5:49 PM, Aurelien Jarno <address@hidden> wrote:
> [...]
> >
> > Actually I am not really convinced it has been fixed, I really think the
> > bug is still present, but not triggerable anymore this way.
> >
> > It looks like very long translation are not stopped correctly. This part
> > of code looks suspicious:
> >
> > /* if too long translation, stop generation too */
> > if (gen_opc_ptr >= gen_opc_end ||
> > (pc_ptr - pc_start) >= (TARGET_PAGE_SIZE - 32) ||
> > num_insns >= max_insns) {
> > gen_jmp_im(pc_ptr - dc->cs_base);
> > gen_eob(dc);
> > break;
> > }
> >
> > If I understand correctly, when the end of the buffer is reached, the
> > translation is stopped, but some more opc are added by gen_jmp_im()
> > and gen_eob().
> >
> > OTOH, on MIPS the following code leaves some space at the end of the
> > buffer for a few more opc:
> >
> > /* Leave some spare opc slots for branch handling. */
> > gen_opc_end = gen_opc_buf + OPC_MAX_SIZE - 16;
> >
> > Applying the same changes to the x86_64 target fixes the bug. However, I
> > am not sure it is fully correct. Any comment?
>
> You mean that if you sub 16 and go back just previous malc's commit
> you don't experience the crash anymore?
Exactly, or even reverting his commit on the current tree.
> To me it looks like using gen_opc_buf + OPC_MAX_SIZE is rather
> safe given that it gives room for 64 extra ops (cf exec-all.h).
>
I have played a bit with this number, it seems the buffer is too short
by 3 opc.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
address@hidden http://www.aurel32.net