[Qemu-devel] [PATCH v7 00/11] Fix exceptions handling for MIPS, PowerPC, and i386

From: Pavel Dovgalyuk
Subject: [Qemu-devel] [PATCH v7 00/11] Fix exceptions handling for MIPS, PowerPC, and i386
Date: Fri, 10 Jul 2015 12:56:44 +0300
User-agent: StGit/0.16

QEMU target ISAs contain instructions that can break the execution
flow with exceptions. When an exception breaks the execution of a translation
block, it may corrupt the PC and icount values.

This set of patches fixes exception handling for the MIPS, PowerPC, and i386
targets.

Incorrect execution for i386 is caused by exceptions raised by MMU functions.
MMU helper functions are called from generated code and from other helper
functions. In both cases they try to get the function's return address for
restoring the virtual CPU state.
When an MMU helper is called from some other helper function
(like helper_maskmov_xmm) through a cpu_st* function, the return address
will point to that helper. That is why the CPU state cannot be restored in
the case of an MMU fault.
This bug can occur when a maskmov instruction is located in the middle of a
translation block.
Execution sequence for this example:
TB start:
PC1: instr1
instr2
PC2: maskmov <page fault>
<page fault processing>
PC1: instr1
instr2
maskmov
At the start of TB execution the guest PC points to instr1. When a page fault occurs,
QEMU tries to restore the guest PC (which should be equal to PC2). It reads the host PC
from the call stack and checks whether it points into the TB or not. A bug in the ldst
helpers implementation provides an incorrect host PC, which is not located within
the TB. That's why QEMU cannot recover the guest PC and it remains the same (PC1).
After page fault processing QEMU restarts the TB and executes instr1 and instr2
for the second time, because the guest PC was not recovered.

Bugs in helper functions for other targets do not break the execution in
regular TCG mode, because the PC value is updated before calling the functions
that can raise an exception. But the icount value cannot be updated this way.
Therefore exceptions make execution in icount mode non-deterministic.

In icount mode every translation block looks as follows:
if icount < n then exit
icount -= n
instr1
instr2
...
instrn
exit
When one of these instructions initiates an exception, icount should be
restored and the adjusted number of instructions should be subtracted from icount
instead of the initial n.
The tlb_fill function passes retaddr to raise_exception, which allows restoring
the current instruction in the TB and correct icount calculation.
When an exception is triggered by another function (e.g. by embedding a call to
an exception-raising helper into the TB), then the PC is not passed as retaddr and
the correct icount is not recovered. In such cases icount will be decreased
by a value equal to the size of the TB.
This behavior leads to incorrect values of the virtual clock and
non-deterministic execution of the code.

These patches pass a pointer to the translation block code to the exception
handler. It allows correct restoring of the PC and icount values.

v7 changes:
* Removed cur_eip parameter of gen_movl_seg_T0 function for i386 (as suggested
by Richard Henderson)
* Made direct next_eip passing to lcall_protected and ljmp_protected for i386
(as suggested by Richard Henderson)
* Removed changes for unimplemented instructions (as suggested by Richard
Henderson)
* Added patch for removing unused softmmu functions (as suggested by Aurelien
Jarno)
v6 changes:
* Removed several calls to gen_update_cc_op(s) (as suggested by Aurelien Jarno)
* Introduced do_* versions for fxsave and fxrstor (as suggested by Richard
Henderson)
* Removed useless seg functions changes (as suggested by Richard Henderson)
* Fixed ppc linux user build (as suggested by Aurelien Jarno)
v5 changes:
* Added helper functions for usermode ldst (as suggested by Aurelien Jarno)
* Fixed memory helpers for MIPS (as suggested by Aurelien Jarno)
* Added _ra version of raise_exception functions (as suggested by Richard
Henderson)
* Split i386 patch into several parts (as suggested by Richard Henderson)
v4 changes:
* Fixed exceptions handling for PowerPC
* Fixed passing of mmu_idx into helpers (as suggested by Aurelien Jarno)
* Added cpu_loop_exit_restore function (as suggested by Aurelien Jarno)
* Fixed exceptions handling in compare helper functions for MIPS (as suggested
by Aurelien Jarno)
* Removed several CPU state saving calls for MIPS (as suggested by Aurelien
Jarno)
v3 changes:
* Modified exception handling for syscall (as suggested by Aurelien Jarno)
* Removed redundant calls to save_cpu_state (as suggested by Aurelien Jarno)
* Removed helper_call* functions from softmmu (as suggested by Paolo Bonzini)
v2 changes:
* Added softmmu functions to pass TB return value into memory operations
handlers
* Fixed memory operations handling for MIPS
* Disabled updates of the PC that are overridden with cpu_restore_state
* Fixed memory operations and exceptions invoked by i386 helpers
---
Pavel Dovgalyuk (11):
softmmu: add helper function to pass through retaddr
softmmu: remove now unused functions
cpu-exec: introduce loop exit with restore function
target-mips: improve exception handling
target-i386: introduce new raise_exception functions
target-i386: exception handling for FPU instructions
target-i386: exception handling for div instructions
target-i386: exception handling for memory helpers
target-i386: exception handling for seg_helper functions
target-i386: exception handling for other helper functions
target-ppc: exceptions handling in icount mode
cpu-exec.c | 9
include/exec/cpu_ldst.h | 19 -
include/exec/cpu_ldst_template.h | 59 ++-
include/exec/cpu_ldst_useronly_template.h | 25 +
include/exec/exec-all.h | 1
softmmu_template.h | 22 -
target-i386/cc_helper.c | 2
target-i386/cpu.h | 4
target-i386/excp_helper.c | 30 +
target-i386/fpu_helper.c | 164 ++++----
target-i386/helper.h | 4
target-i386/int_helper.c | 32 +-
target-i386/mem_helper.c | 39 +-
target-i386/misc_helper.c | 8
target-i386/ops_sse.h | 2
target-i386/seg_helper.c | 616 +++++++++++++++--------------
target-i386/translate.c | 77 ----
target-mips/cpu.h | 23 +
target-mips/helper.h | 1
target-mips/msa_helper.c | 158 ++++---
target-mips/op_helper.c | 169 ++++----
target-mips/translate.c | 363 ++++++++---------
target-ppc/cpu.h | 3
target-ppc/excp_helper.c | 38 +-
target-ppc/fpu_helper.c | 191 +++++----
target-ppc/helper.h | 1
target-ppc/mem_helper.c | 6
target-ppc/misc_helper.c | 8
target-ppc/mmu-hash64.c | 12 -
target-ppc/mmu_helper.c | 18 -
target-ppc/timebase_helper.c | 20 -
target-ppc/translate.c | 84 ----
tcg/tcg.h | 23 +
33 files changed, 1126 insertions(+), 1105 deletions(-)
--
Pavel Dovgalyuk
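The two failure modes described in the cover letter (the i386 maskmov case, where the host return address points at an intermediate helper rather than into the TB, and the icount case, where the whole block's n is charged although the fault happened part way through) can be reproduced with a small model. The following C program is an added example written for this page; it is not QEMU code, and the block layout, guest/host addresses, helper address and icount budget are all constructed. It models the "if icount < n then exit / icount -= n" prologue, a cpu_restore_state-style lookup from host return address to guest instruction, and the three ways the fault can be raised: directly from generated code, via a helper that reports its own address (the bug), and via a helper that passes the TB return address through (the fix).

```c
/* Added model (not QEMU code) of how icount mode charges a translation
 * block and how a cpu_restore_state()-style lookup recovers PC and icount
 * after a fault. Every address, block and helper location is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TB_MAX_INSNS 8

/* One translated block: guest PC of each instruction and the host address
 * of the code generated for it (host addresses increase with the index). */
typedef struct {
    int n;
    uint64_t guest_pc[TB_MAX_INSNS];
    uintptr_t host_pc[TB_MAX_INSNS];
    uintptr_t host_start, host_end;
} TB;

typedef struct {
    uint64_t pc;    /* guest PC: generated code only fixes it up via restore */
    int64_t icount; /* instruction budget, charged n per block up front */
} CPUState;

/* Host address of a C helper such as helper_maskmov_xmm; constructed so
 * that it lies outside every TB's code range. */
#define HELPER_HOST_ADDR ((uintptr_t)0x9000)

typedef enum {
    RAISE_FROM_TB,           /* MMU helper called straight from generated code */
    RAISE_FROM_HELPER_BUGGY, /* called via cpu_st*() from another helper: retaddr is the helper */
    RAISE_FROM_HELPER_FIXED  /* the helper passes the TB return address through */
} RaiseMode;

typedef enum { TB_DONE, TB_ICOUNT_EXIT, TB_FAULT_RESTORED, TB_FAULT_NOT_RESTORED } RunStatus;

/* Map the host return address back to the guest instruction that was
 * executing and refund the instructions of the block that did not run.
 * Fails when retaddr is not inside this TB, exactly the maskmov situation. */
static bool restore_state(CPUState *cpu, const TB *tb, uintptr_t retaddr)
{
    if (retaddr < tb->host_start || retaddr >= tb->host_end) {
        return false;
    }
    int k = 0;
    for (int i = 0; i < tb->n; i++) {
        if (tb->host_pc[i] <= retaddr) {
            k = i;
        }
    }
    cpu->pc = tb->guest_pc[k];
    cpu->icount += tb->n - k; /* instructions 0..k-1 completed, k is restarted */
    return true;
}

/* Execute one block in icount mode; instruction fault_idx raises a page
 * fault (negative: no fault). */
static RunStatus run_tb(CPUState *cpu, const TB *tb, int fault_idx, RaiseMode mode)
{
    if (cpu->icount < tb->n) { /* "if icount < n then exit" */
        return TB_ICOUNT_EXIT;
    }
    cpu->icount -= tb->n; /* "icount -= n" */
    cpu->pc = tb->guest_pc[0];
    for (int i = 0; i < tb->n; i++) {
        if (i == fault_idx) {
            uintptr_t ra = (mode == RAISE_FROM_HELPER_BUGGY) ? HELPER_HOST_ADDR
                                                           : tb->host_pc[i];
            return restore_state(cpu, tb, ra) ? TB_FAULT_RESTORED
                                              : TB_FAULT_NOT_RESTORED;
        }
    }
    cpu->pc = tb->guest_pc[tb->n - 1] + 4; /* fixed 4-byte instructions in this model */
    return TB_DONE;
}

typedef struct { CPUState cpu; RunStatus status; } DemoResult;

/* The cover letter's scenario: instr1, instr2, then a faulting maskmov in
 * the middle of a block, starting from a constructed icount budget of 100. */
static DemoResult demo(RaiseMode mode)
{
    const TB tb = {
        .n = 3,
        .guest_pc = { 0x1000, 0x1004, 0x1008 }, /* PC1, PC1+4, PC2 */
        .host_pc = { 0x5000, 0x5010, 0x5020 },
        .host_start = 0x5000, .host_end = 0x5040,
    };
    DemoResult r = { .cpu = { .pc = 0, .icount = 100 } };
    r.status = run_tb(&r.cpu, &tb, 2, mode);
    return r;
}

int main(void)
{
    const char *names[] = { "from TB", "from helper (buggy)", "from helper (fixed)" };
    for (int m = 0; m < 3; m++) {
        DemoResult r = demo((RaiseMode)m);
        printf("%-20s restored=%d pc=0x%llx icount=%lld\n", names[m],
               r.status == TB_FAULT_RESTORED, (unsigned long long)r.cpu.pc,
               (long long)r.cpu.icount);
    }
    return 0;
}
```

In the buggy mode the guest PC stays at PC1 and icount is short by the full block size (three instructions charged although only two completed), which is the replay of instr1 and instr2 and the virtual-clock drift the cover letter describes; passing the TB return address through restores PC2 and refunds the one instruction that was never executed.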