[Qemu-devel] TCG problem with cpu_{st,ld}x_data ?

[Benjamin Herrenschmidt]

Hi !

I need help from TCG experts here. I was chasing down a bug causing
some stuff to crash when using vector ops with a ppc32 guest on x86,
but pulling that string led to a whole mess that *may* be affecting a
pile of architetures unless I'm misunderstanding something...

So basically what happens is that some instruction emulation helpers,
like in my case stvebx (target-ppc/mem_helper.c) are doing calls to
cpu_{st,ld}x_data. Let's say cpu_stb_data() for the sake of the
argument.

That is equivalent to calling cpu_stb_data_ra() with a "0" retaddr.

However, if that faults, when tlb_fill() gets eventually called, what I
observe is not 0 in "retaddr" but ... -2.

The reason, as far as I understand, is that cpu_stb_data_ra() calls
helper_ret_stb_mmu() which does:

     retaddr -= GETPC_ADJ;

(which is -2)

Now a whole pile of tlb_fill() implementations (in fact all of them one
way or another) do:

        if (likely(retaddr)) {
            /* now we have a real cpu fault */
            cpu_restore_state(cs, retaddr);
        }

So that test is missed. The result that I obseve is that the fault gets
reported for the wrong instruction (the wrong PC).

Now I did try changing the above test out of curiosity to also check
against -2, but the end result still mis-reported the fault. So
something's going deeper than that I figured out so far...

What *did* work was to copy what x86 does, which is to change my
helper_stvebx() to not use cpu_stb_data at all, but instead use
cpu_stb_data_ra(...., GETPC()), which mimmics what x86 does for some of
it's helpers.

That fixed the specific problem I was chasing.

However, there are a ton of other helpers, in powerpc, s390 and other
archs, doing that cpu_stb_data() the same way we do, so I really wonder
what's going on here.

Some advice would be very much appreciated ;-)

Cheers,
Ben.