Re: Plugin Memory Callback Debugging
From: Alex Bennée
Subject: Re: Plugin Memory Callback Debugging
Date: Thu, 01 Dec 2022 19:32:14 +0000
User-agent: mu4e 1.9.3; emacs 29.0.60
Aaron Lindsay <aaron@os.amperecomputing.com> writes:
> On Nov 22 10:57, Aaron Lindsay wrote:
>> On Nov 21 18:22, Richard Henderson wrote:
>> > On 11/21/22 13:51, Alex Bennée wrote:
>> > >
>> > > Aaron Lindsay <aaron@os.amperecomputing.com> writes:
>> > >
>> > > > On Nov 15 22:36, Alex Bennée wrote:
>> > > > > Aaron Lindsay <aaron@os.amperecomputing.com> writes:
>> > > > > > I believe the code *should* always reset `cpu->plugin_mem_cbs` to
>> > > > > > NULL at the end of an instruction/TB's execution, so it's not
>> > > > > > exactly clear to me how this is occurring. However, I suspect it
>> > > > > > may be relevant that we are calling `free_dyn_cb_arr()` because my
>> > > > > > plugin called `qemu_plugin_reset()`.
>> > > > >
>> > > > > Hmm I'm going to have to remind myself about how this bit works.
>> > > >
>> > > > When is it expected that cpu->plugin_mem_cbs is reset to NULL if it is
>> > > > set for an instruction? Is it guaranteed it is reset by the end of the
>> > > > tb?
>> > >
>> > > It should be by the end of the instruction. See
>> > > inject_mem_disable_helper() which inserts TCG code to disable the
>> > > helpers. We also have plugin_gen_disable_mem_helpers() which should
>> > > catch every exit out of a block (exit_tb, goto_tb, goto_ptr). That is
>> > > why qemu_plugin_disable_mem_helpers() is only really concerned about
>> > > when we longjmp out of the loop.
>> > >
>> > > > If I were to put an assertion in cpu_tb_exec() just after the call
>> > > > to tcg_qemu_tb_exec(), should cpu->plugin_mem_cbs always be NULL
>> > > > there?
>> > >
>> > > Yes I think so.
>> >
>> > Indeed.
>>
>> Well, the good news is that if this is an assumption we're relying on, it is
>> now trivial to reproduce the problem!
>>
>> Compile some simple program (doesn't really matter, the issue gets triggered
>> early):
>>
>> $ echo "int main() { return 0; }" > simple.c && gcc simple.c -o simple
>>
>> Make this change to cpu_tb_exec():
>>
>> > diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
>> > index 356fe348de..50a010327d 100644
>> > --- a/accel/tcg/cpu-exec.c
>> > +++ b/accel/tcg/cpu-exec.c
>> > @@ -436,6 +436,9 @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int
>> > *tb_exit)
>> >
>> > qemu_thread_jit_execute();
>> > ret = tcg_qemu_tb_exec(env, tb_ptr);
>> > + if (cpu->plugin_mem_cbs != NULL) {
>> > + g_assert_not_reached();
>> > + }
>> > cpu->can_do_io = 1;
>> > /*
>> > * TODO: Delay swapping back to the read-write region of the TB
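Review bot: the `g_assert_not_reached()` inside the `if` after `ret = tcg_qemu_tb_exec(env, tb_ptr);` throws away the one piece of evidence the check has, namely the stale pointer value. Writing it as `g_assert(cpu->plugin_mem_cbs == NULL);` aborts in the same way but puts the failed condition in the message, and printing `cpu->plugin_mem_cbs` together with `itb->pc` before aborting would identify which block left the callbacks armed, which is the question the rest of the thread is trying to answer.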
>>
>> And run:
>>
>> $ ./build/qemu-aarch64 -plugin contrib/plugins/libexeclog.so -d plugin ./simple
>>
>> You should fairly quickly see something like:
>>
>> > [snip]
>> > 0, 0x5502814d04, 0xb4000082, ""
>> > 0, 0x5502814d08, 0xf9400440, "", load, 0x5502844ed0
>> > 0, 0x5502814d0c, 0xf1001c1f, ""
Hmm, why are you not getting any opcodes there? Missing capstone?
>> > **
>> > ERROR:../accel/tcg/cpu-exec.c:440:cpu_tb_exec: code should not be reached
>> > Bail out! ERROR:../accel/tcg/cpu-exec.c:440:cpu_tb_exec: code should not be reached
Hmm, I can replicate, so I need to check my understanding. It fails in the
first block:
./qemu-aarch64 -plugin contrib/plugins/libexeclog.so -d \
plugin,in_asm,op,op_opt,out_asm ./tests/tcg/aarch64-linux-user/sha512
gives:
PROLOGUE: [size=45]
0x7f4b64000000: 55 pushq %rbp
0x7f4b64000001: 53 pushq %rbx
0x7f4b64000002: 41 54 pushq %r12
0x7f4b64000004: 41 55 pushq %r13
0x7f4b64000006: 41 56 pushq %r14
0x7f4b64000008: 41 57 pushq %r15
0x7f4b6400000a: 48 8b ef movq %rdi, %rbp
0x7f4b6400000d: 48 81 c4 78 fb ff ff addq $-0x488, %rsp
0x7f4b64000014: ff e6 jmpq *%rsi
0x7f4b64000016: 33 c0 xorl %eax, %eax
0x7f4b64000018: 48 81 c4 88 04 00 00 addq $0x488, %rsp
0x7f4b6400001f: c5 f8 77 vzeroupper
0x7f4b64000022: 41 5f popq %r15
0x7f4b64000024: 41 5e popq %r14
0x7f4b64000026: 41 5d popq %r13
0x7f4b64000028: 41 5c popq %r12
0x7f4b6400002a: 5b popq %rbx
0x7f4b6400002b: 5d popq %rbp
0x7f4b6400002c: c3 retq
----------------
IN:
0x004005d0: d280001d movz x29, #0
0x004005d4: d280001e movz x30, #0
0x004005d8: aa0003e5 mov x5, x0
0x004005dc: f94003e1 ldr x1, [sp]
0x004005e0: 910023e2 add x2, sp, #8
0x004005e4: 910003e6 mov x6, sp
0x004005e8: 90000000 adrp x0, #0x400000
0x004005ec: 91182000 add x0, x0, #0x608
0x004005f0: b0000023 adrp x3, #0x405000
0x004005f4: 91014063 add x3, x3, #0x50
0x004005f8: b0000024 adrp x4, #0x405000
0x004005fc: 91044084 add x4, x4, #0x110
0x00400600: 940010e8 bl #0x4049a0
OP:
ld_i32 tmp0,env,$0xfffffffffffffff0
brcond_i32 tmp0,$0x0,lt,$L0
---- 00000000004005d0 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff203430
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x29,$0x0
---- 00000000004005d4 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff202800
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 lr,$0x0
---- 00000000004005d8 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff203400
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x5,x0
This is a memory-annotated instruction:
---- 00000000004005dc 0000000000000000 0000000000000f06
mov_i64 tmp2,$0x55c0ff1a6150
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 tmp2,sp
shl_i64 tmp4,tmp2,$0x8
sar_i64 tmp4,tmp4,$0x8
and_i64 tmp4,tmp4,tmp2
mov_i64 tmp7,tmp4
qemu_ld_i64 x1,tmp7,leq,0
mov_i32 tmp8,$0x10030
mov_i64 tmp11,$0x0
ld_i32 tmp0,env,$0xffffffffffffffa8
mov_i64 tmp10,tmp7
call plugin(0x7f4b71c14388),$0x1,$0,tmp0,tmp8,tmp10,tmp11
---- 00000000004005e0 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff1fa4e0
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,sp,$0x8
mov_i64 x2,tmp2
---- 00000000004005e4 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff193500
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 tmp2,sp
mov_i64 x6,tmp2
---- 00000000004005e8 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff219700
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x0,$0x400000
---- 00000000004005ec 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff21d160
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,x0,$0x608
mov_i64 x0,tmp2
---- 00000000004005f0 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff217f80
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x3,$0x405000
---- 00000000004005f4 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff2180c0
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,x3,$0x50
mov_i64 x3,tmp2
---- 00000000004005f8 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff21c4b0
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 x4,$0x405000
---- 00000000004005fc 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff21c590
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
add_i64 tmp2,x4,$0x110
mov_i64 x4,tmp2
---- 0000000000400600 0000000000000000 0000000000000000
mov_i64 tmp2,$0x55c0ff217cd0
st_i64 tmp2,env,$0xffffffffffffff90
mov_i64 tmp2,$0x55c0ff21c670
ld_i32 tmp0,env,$0xffffffffffffffa8
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,tmp2
mov_i64 lr,$0x400604
mov_i64 pc,$0x4049a0
call lookup_tb_ptr,$0x6,$1,tmp2,env
goto_ptr tmp2
set_label $L0
exit_tb $0x7f4b64000043
OP after optimization and liveness analysis:
ld_i32 tmp0,env,$0xfffffffffffffff0 pref=0xffff
brcond_i32 tmp0,$0x0,lt,$L0 dead: 0 1
---- 00000000004005d0 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff203430 dead: 0 1
mov_i64 x29,$0x0 sync: 0 dead: 0 pref=0xffff
---- 00000000004005d4 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff202800 dead: 0 1
mov_i64 lr,$0x0 sync: 0 dead: 0 pref=0xffff
---- 00000000004005d8 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff203400 dead: 0 1
mov_i64 x5,x0 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005dc 0000000000000000 0000000000000f06
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff1a6150 dead: 0 1
shl_i64 tmp4,sp,$0x8 pref=0xffff
sar_i64 tmp4,tmp4,$0x8 dead: 1 pref=0xffff
and_i64 tmp4,tmp4,sp dead: 1 pref=0xffff
mov_i64 tmp7,tmp4 dead: 1 pref=0xf038
qemu_ld_i64 x1,tmp7,leq,0 sync: 0 dead: 0 pref=0xffff
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
mov_i64 tmp10,tmp7 dead: 1 pref=0x4
call plugin(0x7f4b71c14388),$0x1,$0,tmp0,$0x10030,tmp10,$0x0 dead: 0 1 2 3
---- 00000000004005e0 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff1fa4e0 dead: 0 1
add_i64 tmp2,sp,$0x8 dead: 2 pref=0xffff
mov_i64 x2,tmp2 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005e4 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff193500 dead: 0 1
mov_i64 x6,sp sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005e8 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff219700 dead: 0 1
---- 00000000004005ec 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21d160 dead: 0 1
mov_i64 x0,$0x400608 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005f0 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff217f80 dead: 0 1
---- 00000000004005f4 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff2180c0 dead: 0 1
mov_i64 x3,$0x405050 sync: 0 dead: 0 1 pref=0xffff
---- 00000000004005f8 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c4b0 dead: 0 1
---- 00000000004005fc 0000000000000000 0000000000000000
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c590 dead: 0 1
mov_i64 x4,$0x405110 sync: 0 dead: 0 1 pref=0xffff
---- 0000000000400600 0000000000000000 0000000000000000
st_i64 $0x55c0ff217cd0,env,$0xffffffffffffff90 dead: 0
ld_i32 tmp0,env,$0xffffffffffffffa8 pref=0x80
call plugin(0x7f4b71c1449f),$0x1,$0,tmp0,$0x55c0ff21c670 dead: 0 1
mov_i64 lr,$0x400604 sync: 0 dead: 0 1 pref=0xffff
mov_i64 pc,$0x4049a0 sync: 0 dead: 0 1 pref=0xffff
call lookup_tb_ptr,$0x6,$1,tmp2,env dead: 1 pref=none
goto_ptr tmp2 dead: 0
set_label $L0
exit_tb $0x7f4b64000043
OUT: [size=432]
-- guest addr 0x00000000004005d0 + tb prologue
0x7f4b64000100: 8b 5d f0 movl -0x10(%rbp), %ebx
0x7f4b64000103: 85 db testl %ebx, %ebx
0x7f4b64000105: 0f 8c 8a 01 00 00 jl 0x7f4b64000295
0x7f4b6400010b: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400010e: 48 be 30 34 20 ff c0 55 movabsq $0x55c0ff203430, %rsi
0x7f4b64000116: 00 00
0x7f4b64000118: e8 82 43 c1 0d callq 0x7f4b71c1449f
0x7f4b6400011d: 48 c7 85 28 01 00 00 00 movq $0, 0x128(%rbp)
0x7f4b64000125: 00 00 00
-- guest addr 0x00000000004005d4
0x7f4b64000128: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400012b: 48 be 00 28 20 ff c0 55 movabsq $0x55c0ff202800, %rsi
0x7f4b64000133: 00 00
0x7f4b64000135: e8 65 43 c1 0d callq 0x7f4b71c1449f
0x7f4b6400013a: 48 c7 85 30 01 00 00 00 movq $0, 0x130(%rbp)
0x7f4b64000142: 00 00 00
-- guest addr 0x00000000004005d8
0x7f4b64000145: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000148: 48 be 00 34 20 ff c0 55 movabsq $0x55c0ff203400, %rsi
0x7f4b64000150: 00 00
0x7f4b64000152: e8 48 43 c1 0d callq 0x7f4b71c1449f
0x7f4b64000157: 48 8b 5d 40 movq 0x40(%rbp), %rbx
0x7f4b6400015b: 48 89 5d 68 movq %rbx, 0x68(%rbp)
-- guest addr 0x00000000004005dc
0x7f4b6400015f: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000162: 48 be 50 61 1a ff c0 55 movabsq $0x55c0ff1a6150, %rsi
0x7f4b6400016a: 00 00
0x7f4b6400016c: e8 2e 43 c1 0d callq 0x7f4b71c1449f
0x7f4b64000171: 48 8b 9d 38 01 00 00 movq 0x138(%rbp), %rbx
0x7f4b64000178: 4c 8b e3 movq %rbx, %r12
0x7f4b6400017b: 49 c1 e4 08 shlq $8, %r12
0x7f4b6400017f: 49 c1 fc 08 sarq $8, %r12
0x7f4b64000183: 4c 23 e3 andq %rbx, %r12
0x7f4b64000186: 4d 8b 2c 24 movq (%r12), %r13
0x7f4b6400018a: 4c 89 6d 48 movq %r13, 0x48(%rbp)
0x7f4b6400018e: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000191: be 30 00 01 00 movl $0x10030, %esi
0x7f4b64000196: 49 8b d4 movq %r12, %rdx
0x7f4b64000199: 33 c9 xorl %ecx, %ecx
0x7f4b6400019b: e8 e8 41 c1 0d callq 0x7f4b71c14388
-- guest addr 0x00000000004005e0
0x7f4b640001a0: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001a3: 48 be e0 a4 1f ff c0 55 movabsq $0x55c0ff1fa4e0, %rsi
0x7f4b640001ab: 00 00
0x7f4b640001ad: e8 ed 42 c1 0d callq 0x7f4b71c1449f
0x7f4b640001b2: 4c 8d 63 08 leaq 8(%rbx), %r12
0x7f4b640001b6: 4c 89 65 50 movq %r12, 0x50(%rbp)
-- guest addr 0x00000000004005e4
0x7f4b640001ba: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001bd: 48 be 00 35 19 ff c0 55 movabsq $0x55c0ff193500, %rsi
0x7f4b640001c5: 00 00
0x7f4b640001c7: e8 d3 42 c1 0d callq 0x7f4b71c1449f
0x7f4b640001cc: 48 89 5d 70 movq %rbx, 0x70(%rbp)
-- guest addr 0x00000000004005e8
0x7f4b640001d0: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001d3: 48 be 00 97 21 ff c0 55 movabsq $0x55c0ff219700, %rsi
0x7f4b640001db: 00 00
0x7f4b640001dd: e8 bd 42 c1 0d callq 0x7f4b71c1449f
-- guest addr 0x00000000004005ec
0x7f4b640001e2: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001e5: 48 be 60 d1 21 ff c0 55 movabsq $0x55c0ff21d160, %rsi
0x7f4b640001ed: 00 00
0x7f4b640001ef: e8 ab 42 c1 0d callq 0x7f4b71c1449f
0x7f4b640001f4: 48 c7 45 40 08 06 40 00 movq $0x400608, 0x40(%rbp)
-- guest addr 0x00000000004005f0
0x7f4b640001fc: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b640001ff: 48 be 80 7f 21 ff c0 55 movabsq $0x55c0ff217f80, %rsi
0x7f4b64000207: 00 00
0x7f4b64000209: e8 91 42 c1 0d callq 0x7f4b71c1449f
-- guest addr 0x00000000004005f4
0x7f4b6400020e: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000211: 48 be c0 80 21 ff c0 55 movabsq $0x55c0ff2180c0, %rsi
0x7f4b64000219: 00 00
0x7f4b6400021b: e8 7f 42 c1 0d callq 0x7f4b71c1449f
0x7f4b64000220: 48 c7 45 58 50 50 40 00 movq $0x405050, 0x58(%rbp)
-- guest addr 0x00000000004005f8
0x7f4b64000228: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400022b: 48 be b0 c4 21 ff c0 55 movabsq $0x55c0ff21c4b0, %rsi
0x7f4b64000233: 00 00
0x7f4b64000235: e8 65 42 c1 0d callq 0x7f4b71c1449f
-- guest addr 0x00000000004005fc
0x7f4b6400023a: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b6400023d: 48 be 90 c5 21 ff c0 55 movabsq $0x55c0ff21c590, %rsi
0x7f4b64000245: 00 00
0x7f4b64000247: e8 53 42 c1 0d callq 0x7f4b71c1449f
0x7f4b6400024c: 48 c7 45 60 10 51 40 00 movq $0x405110, 0x60(%rbp)
-- guest addr 0x0000000000400600
0x7f4b64000254: 48 bb d0 7c 21 ff c0 55 movabsq $0x55c0ff217cd0, %rbx
0x7f4b6400025c: 00 00
0x7f4b6400025e: 48 89 5d 90 movq %rbx, -0x70(%rbp)
0x7f4b64000262: 8b 7d a8 movl -0x58(%rbp), %edi
0x7f4b64000265: 48 be 70 c6 21 ff c0 55 movabsq $0x55c0ff21c670, %rsi
0x7f4b6400026d: 00 00
0x7f4b6400026f: e8 2b 42 c1 0d callq 0x7f4b71c1449f
0x7f4b64000274: 48 c7 85 30 01 00 00 04 movq $0x400604, 0x130(%rbp)
0x7f4b6400027c: 06 40 00
0x7f4b6400027f: 48 c7 85 40 01 00 00 a0 movq $0x4049a0, 0x140(%rbp)
0x7f4b64000287: 49 40 00
0x7f4b6400028a: 48 8b fd movq %rbp, %rdi
0x7f4b6400028d: ff 15 15 00 00 00 callq *0x15(%rip)
0x7f4b64000293: ff e0 jmpq *%rax
0x7f4b64000295: 48 8d 05 a7 fd ff ff leaq -0x259(%rip), %rax
0x7f4b6400029c: e9 77 fd ff ff jmp 0x7f4b64000018
-- tb slow paths + alignment
0x7f4b640002a1: 90 nop
0x7f4b640002a2: 90 nop
0x7f4b640002a3: 90 nop
0x7f4b640002a4: 90 nop
0x7f4b640002a5: 90 nop
0x7f4b640002a6: 90 nop
0x7f4b640002a7: 90 nop
data: [size=8]
0x7f4b640002a8: .quad 0x000055c0feba1d00
0, 0x4005d0, 0xd280001d, "movz x29, #0"
0, 0x4005d4, 0xd280001e, "movz x30, #0"
0, 0x4005d8, 0xaa0003e5, "mov x5, x0"
0, 0x4005dc, 0xf94003e1, "ldr x1, [sp]", load, 0x55008000f0
0, 0x4005e0, 0x910023e2, "add x2, sp, #8"
0, 0x4005e4, 0x910003e6, "mov x6, sp"
0, 0x4005e8, 0x90000000, "adrp x0, #0x400000"
0, 0x4005ec, 0x91182000, "add x0, x0, #0x608"
0, 0x4005f0, 0xb0000023, "adrp x3, #0x405000"
0, 0x4005f4, 0x91014063, "add x3, x3, #0x50"
0, 0x4005f8, 0xb0000024, "adrp x4, #0x405000"
0, 0x4005fc, 0x91044084, "add x4, x4, #0x110"
cpu_tb_exec: 0
**
ERROR:../../accel/tcg/cpu-exec.c:443:cpu_tb_exec: code should not be reached
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
>>
>> When digging through my other failure in `rr` I saw the cpu->plugin_mem_cbs
>> pointer changing from one non-null value to another (which also seems to
>> indicate it is not being cleared between instructions).
>>
>> Does this hint that there are cases where the reset of cpu->plugin_mem_cbs to
>> NULL is getting optimized away, but not the code to set it in the first place?
>
> Is there anyone who could help take a look at this from the code gen
> perspective?
>
> -Aaron
--
Alex Bennée