qemu-devel

[Qemu-devel] another TCG branch weirdness


From: Artyom Tarasenko
Subject: [Qemu-devel] another TCG branch weirdness
Date: Fri, 5 Aug 2011 18:36:46 +0200

Host x86_64, guest sparc64. Found a case where a branch instruction
(brz,pn   %o0) unexpectedly jumps to an unexpected address. I.e.
branch shouldn't be taken at all, but even if it were it should have
been to 0x13e26e4 and not to 0x5.

Was about to write that the generated OP for brz,pn usually looks
different, when realized that in fact it was even generated for this
very address just before, but with another branch in the delay slot.
The bug looks familiar, Blue, isn't it? :)

IN:
0x00000000013e26c0:  brz,pn   %o0, 0x13e26e4
0x00000000013e26c4:  brlez,pn   %o1, 0x13e26e4

OP:
 ---- 0x13e26c0
 ld_i64 tmp6,regwptr,$0x0
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp6,tmp8,ne,$0x0
 movi_i64 cond,$0x1
 set_label $0x0

^^^ Ok, that's how brz,pn usually looks

 ---- 0x13e26c4
 ld_i64 tmp7,regwptr,$0x8
 movi_i64 tmp8,$0x0
 brcond_i64 cond,tmp8,eq,$0x1
 movi_i64 npc,$0x13e26e4
 br $0x2
 set_label $0x1
 movi_i64 npc,$0x13e26c8
 set_label $0x2
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp7,tmp8,gt,$0x3
 movi_i64 cond,$0x1
 set_label $0x3
 movi_i64 tmp0,$0x0
 brcond_i64 cond,tmp0,eq,$0x4
 movi_i64 npc,$0x13e26e4
 br $0x5
 set_label $0x4
 movi_i64 npc,$0x5
 set_label $0x5
 exit_tb $0x0
--------------
IN:
0x00000000013e26c0:  brz,pn   %o0, 0x13e26e4

OP:
 ---- 0x13e26c0
 ld_i64 tmp6,regwptr,$0x0
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp6,tmp8,ne,$0x0
 movi_i64 cond,$0x1
 set_label $0x0
 movi_i64 pc,$0x5

^^^ What's that?

 movi_i64 tmp0,$0x0
 brcond_i64 cond,tmp0,eq,$0x1
 movi_i64 npc,$0x13e26e4
 br $0x2
 set_label $0x1
 movi_i64 npc,$0x9
 set_label $0x2
 exit_tb $0x0


 33062: Instruction Access MMU Miss (v=0064) pc=0000000000000005
npc=0000000000000009 SP=000000000c3d2d81
...
Current Register Window:
%o0-3: 0000000002483d00 0000000000000018 0000000000000028 00000000000232bd
            ^^^^^^ not zero


-- 
Regards,
Artyom Tarasenko

solaris/sparc under qemu blog: http://tyom.blogspot.com/
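The second OP dump above can be stepped through with a small interpreter for the handful of TCG ops it uses, to see how the stray `movi_i64 pc,$0x5` produces the pc=5/npc=9 seen in the MMU miss trace. This is an added example, not code from the mail or from QEMU; it assumes regwptr offset 0 holds %o0 and offset 8 holds %o1, as the dumps imply.

```python
# Added example (not from the mail or QEMU): a minimal interpreter for the TCG
# ops in the dumps above, to step the suspect listing for a chosen %o0.
SUSPECT_OPS = """
ld_i64 tmp6,regwptr,$0x0
movi_i64 cond,$0x0
movi_i64 tmp8,$0x0
brcond_i64 tmp6,tmp8,ne,$0x0
movi_i64 cond,$0x1
set_label $0x0
movi_i64 pc,$0x5
movi_i64 tmp0,$0x0
brcond_i64 cond,tmp0,eq,$0x1
movi_i64 npc,$0x13e26e4
br $0x2
set_label $0x1
movi_i64 npc,$0x9
set_label $0x2
exit_tb $0x0
"""  # copied from the second OP dump in the mail

COND = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
        "gt": lambda a, b: a > b, "le": lambda a, b: a <= b}

def imm(tok):  # "$0x13e26e4" -> 0x13e26e4
    return int(tok.lstrip("$"), 16)

def run_ops(listing, window, pc=0x13e26c0, npc=0x13e26c4):
    """Run a TCG op listing; window maps regwptr offsets (0 -> %o0, 8 -> %o1)
    to register values. Returns the (pc, npc) left behind at exit_tb."""
    ops = []
    for ln in listing.strip().splitlines():
        name, _, rest = ln.strip().partition(" ")
        ops.append((name, [a.strip() for a in rest.split(",")]))
    labels = {imm(a[0]): i for i, (n, a) in enumerate(ops) if n == "set_label"}
    regs, i = {"pc": pc, "npc": npc}, 0
    while i < len(ops):
        name, a = ops[i]
        if name == "ld_i64":                        # ld_i64 dst,regwptr,$off
            v = window[imm(a[2])]                   # brcond_i64 is signed
            regs[a[0]] = v - (1 << 64) if v >> 63 else v
        elif name == "movi_i64":                    # movi_i64 dst,$imm
            regs[a[0]] = imm(a[1])
        elif name == "brcond_i64" and COND[a[2]](regs[a[0]], regs[a[1]]):
            i = labels[imm(a[3])]                   # taken conditional branch
        elif name == "br":
            i = labels[imm(a[0])]
        elif name == "exit_tb":
            break                                   # set_label is a no-op
        i += 1
    return regs["pc"], regs["npc"]
```

With %o0 = 0x2483d00 (the value in the register window dump) the block exits with pc=0x5 and npc=0x9, exactly the fault address in the trace; with %o0 = 0 the branch is taken to 0x13e26e4 but pc is still clobbered to 0x5.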