[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1663287] [NEW] Illegal delay slot code causes abort on
|
From: |
Brian Campbell |
|
Subject: |
[Qemu-devel] [Bug 1663287] [NEW] Illegal delay slot code causes abort on mips64 |
|
Date: |
Thu, 09 Feb 2017 15:49:37 -0000 |
Public bug reported:
During some randomised testing of an experimental MIPS implementation I
found an instruction sequence that also causes aborts on mainline qemu's
MIPS support. The problem is triggered by an MSA branch instruction
appearing in a delay slot when emulating a processor without MSA
support.
For example, with the current repository HEAD
(f073cd3a2bf1054135271b837c58a7da650dd84b) configured for
mips64-softmmu, if I run the attached binary using
mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine
mipssim -nographic
it will report
unknown branch 0x13000
Aborted (core dumped)
The binary contains the following two instructions:
00200008 jr at
47081e61 bz.b w8,0xffffffffbfc0798c
The jr sets up a jump, and hflags is set accordingly in
gen_compute_branch (in target/mips/translate.c). When processing the
bz.b, check_insn generates an exception because the instruction isn't
support, but gen_msa_branch skips the usual delay slot check for the
same reason, and sets more bits in hflags, leading to an abort in
gen_branch because the hflags are now invalid.
I suspect the best fix is to remove the instruction set condition from
the delay slot check in gen_msa_branch.
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "Binary instruction sequence that causes the abort"
https://bugs.launchpad.net/bugs/1663287/+attachment/4815912/+files/abort2.bin
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1663287
Title:
Illegal delay slot code causes abort on mips64
Status in QEMU:
New
Bug description:
During some randomised testing of an experimental MIPS implementation
I found an instruction sequence that also causes aborts on mainline
qemu's MIPS support. The problem is triggered by an MSA branch
instruction appearing in a delay slot when emulating a processor
without MSA support.
For example, with the current repository HEAD
(f073cd3a2bf1054135271b837c58a7da650dd84b) configured for
mips64-softmmu, if I run the attached binary using
mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine
mipssim -nographic
it will report
unknown branch 0x13000
Aborted (core dumped)
The binary contains the following two instructions:
00200008 jr at
47081e61 bz.b w8,0xffffffffbfc0798c
The jr sets up a jump, and hflags is set accordingly in
gen_compute_branch (in target/mips/translate.c). When processing the
bz.b, check_insn generates an exception because the instruction isn't
support, but gen_msa_branch skips the usual delay slot check for the
same reason, and sets more bits in hflags, leading to an abort in
gen_branch because the hflags are now invalid.
I suspect the best fix is to remove the instruction set condition from
the delay slot check in gen_msa_branch.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1663287/+subscriptions
- [Qemu-devel] [Bug 1663287] [NEW] Illegal delay slot code causes abort on mips64,
Brian Campbell <=