Re: [Qemu-devel] [PATCH v4 0/5] Fix exceptions handling for MIPS and i38

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v4 0/5] Fix exceptions handling for MIPS and i38

From:	Pavel Dovgaluk
Subject:	Re: [Qemu-devel] [PATCH v4 0/5] Fix exceptions handling for MIPS and i386
Date:	Mon, 29 Jun 2015 10:24:44 +0300

Forgot to fix the subject.
These patches also fix exceptions handling for PowerPC.

Pavel Dovgalyuk


> -----Original Message-----
> From: Pavel Dovgalyuk [mailto:address@hidden
> Sent: Monday, June 29, 2015 10:23 AM
> To: address@hidden
> Cc: address@hidden; address@hidden; address@hidden; address@hidden;
> address@hidden; address@hidden
> Subject: [PATCH v4 0/5] Fix exceptions handling for MIPS and i386
> 
> QEMU targets ISAs contain instruction that can break the execution
> flow with exceptions. When exception breaks the execution of the translation
> block it may corrupt PC and icount values.
> 
> This set of patches fixes exception handling for MIPS and i386 targets.
> 
> Incorrect execution for i386 is causes by exceptions raised by MMU functions.
> MMU helper functions are called from generated code and other helper
> functions. In both cases they try to get function's return address for
> restoring virtual CPU state.
> 
> When MMU helper is called from some other helper function
> (like helper_maskmov_xmm) through cpu_st* function, the return address
> will point to that helper. That is why CPU state cannot be restored in
> the case of MMU fault.
> 
> This bug can occur when maskmov instruction is located in the middle of the
> translation block.
> 
> Execution sequence for this example:
> 
> TB start:
> PC1: instr1
>      instr2
> PC2: maskmov <page fault>
>      <page fault processing>
> PC1: instr1
>      instr2
>      maskmov
> 
> At the start of TB execution guest PC points to instr1. When page fault occurs
> QEMU tries to restore guest PC (which should be equal to PC2). It reads host 
> PC
> from the call stack and checks whether it points to TB or not. Bug in ldst
> helpers implementation provides incorrect host PC, which is not located within
> the TB. That's why QEMU cannot recover guest PC and it remains the same (PC1).
> After page fault processing QEMU restarts TB and executes instr1 and instr2
> for the second time, because guest PC was not recovered.
> 
> Bugs in MIPS helper functions do not break the execution in regular TCG mode,
> because PC value is updated before calling the functions that can raise
> an exception. But icount value cannot be updated this way. Therefore
> exceptions make execution in icount mode non-determinisic.
> In icount mode every translation block looks as follows:
> 
> if icount < n then exit
> icount -= n
> instr1
> instr2
> ...
> instrn
> exit
> 
> When one of these instructions initiates an exception, icount should be
> restored and adjusted number of instructions should be subtracted from icount
> instead of initial n.
> 
> tlb_fill function passes retaddr to raise_exception, which allows restoring
> current instructions in TB and correct icount calculation.
> 
> When exception triggered with other function (e.g. by embedding call to
> exception raising helper into TB), then PC is not passed as retaddr and
> correct icount is not recovered. In such cases icount will be decreased
> by the value equal to the size of TB.
> 
> This behavior leads to incorrect values of virtual clock and
> non-deterministic execution of the code.
> 
> These patches passes pointer to the translation block code to the exception
> handler. It allows correct restoring of PC and icount values.
> 
> v4 changes:
>  * Fixed exceptions handling for PowerPC
>  * Fixed passing of mmu_idx into helpers (as suggested by Aurelien Jarno)
>  * Added cpu_loop_exit_restore function (as suggested by Aurelien Jarno)
>  * Fixed exceptions handling in compare helper functions for MIPS (as 
> suggested by Aurelien
> Jarno)
>  * Removed several CPU state saving calls for MIPS (as suggested by Aurelien 
> Jarno)
> 
> v3 changes:
>  * Modified exception handling for syscall (as suggested by Aurelien Jarno)
>  * Removed redundant calls to save_cpu_state (as suggested by Aurelien Jarno)
>  * Removed helper_call* functions from softmmu (as suggested by Paolo Bonzini)
> 
> v2 changes:
>  * Added softmmu functions to pass TB return value into memory operations 
> handlers
>  * Fixed memory operations handling for MIPS
>  * Disabled updates of the PC that are overridden with cpu_restore_state
>  * Fixed memory operations and exceptions invoked by i386 helpers
> 
> ---
> 
> Pavel Dovgalyuk (5):
>       softmmu: add helper function to pass through retaddr
>       cpu-exec: introduce loop exit with restore function
>       target-mips: improve exceptions handling
>       target-i386: fix memory operations in helpers
>       target-ppc: exceptions handling in icount mode
> 
> 
>  cpu-exec.c                       |    9
>  include/exec/cpu_ldst_template.h |   59 +++
>  include/exec/exec-all.h          |    1
>  softmmu_template.h               |    6
>  target-i386/cc_helper.c          |    2
>  target-i386/cpu.h                |    5
>  target-i386/excp_helper.c        |   21 +
>  target-i386/fpu_helper.c         |  146 ++++----
>  target-i386/helper.c             |    4
>  target-i386/int_helper.c         |   32 +-
>  target-i386/mem_helper.c         |   39 +-
>  target-i386/misc_helper.c        |   12 -
>  target-i386/ops_sse.h            |    2
>  target-i386/seg_helper.c         |  712 
> +++++++++++++++++++-------------------
>  target-i386/svm_helper.c         |    4
>  target-i386/translate.c          |   25 -
>  target-mips/cpu.h                |   23 +
>  target-mips/helper.h             |    1
>  target-mips/msa_helper.c         |  158 +++++---
>  target-mips/op_helper.c          |  179 ++++------
>  target-mips/translate.c          |  372 +++++++++-----------
>  target-ppc/cpu.h                 |    3
>  target-ppc/excp_helper.c         |   38 ++
>  target-ppc/fpu_helper.c          |  191 +++++-----
>  target-ppc/helper.h              |    1
>  target-ppc/mem_helper.c          |    6
>  target-ppc/misc_helper.c         |    8
>  target-ppc/mmu-hash64.c          |   12 -
>  target-ppc/mmu_helper.c          |   18 -
>  target-ppc/timebase_helper.c     |   20 +
>  target-ppc/translate.c           |   84 ----
>  tcg/tcg.h                        |   23 +
>  32 files changed, 1122 insertions(+), 1094 deletions(-)
> 
> --
> Pavel Dovgalyuk

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v4 0/5] Fix exceptions handling for MIPS and i386, Pavel Dovgalyuk, 2015/06/29
- [Qemu-devel] [PATCH v4 2/5] cpu-exec: introduce loop exit with restore function, Pavel Dovgalyuk, 2015/06/29
- [Qemu-devel] [PATCH v4 1/5] softmmu: add helper function to pass through retaddr, Pavel Dovgalyuk, 2015/06/29
- [Qemu-devel] [PATCH v4 3/5] target-mips: improve exceptions handling, Pavel Dovgalyuk, 2015/06/29
- [Qemu-devel] [PATCH v4 5/5] target-ppc: exceptions handling in icount mode, Pavel Dovgalyuk, 2015/06/29
- [Qemu-devel] [PATCH v4 4/5] target-i386: fix memory operations in helpers, Pavel Dovgalyuk, 2015/06/29
- Re: [Qemu-devel] [PATCH v4 0/5] Fix exceptions handling for MIPS and i386, Pavel Dovgaluk <=

Prev by Date: [Qemu-devel] [PATCH v4 4/5] target-i386: fix memory operations in helpers
Next by Date: Re: [Qemu-devel] reset strategy?
Previous by thread: [Qemu-devel] [PATCH v4 4/5] target-i386: fix memory operations in helpers
Next by thread: [Qemu-devel] [PATCH v4 0/6] Refactoring pc_dimm_plug and NUMA node lookup API
Index(es):
- Date
- Thread