mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-12-28 18:20:29 -07:00
7407d2319d
If the guest code has an ISB or SB insn inside an IT block, we
generate incorrect code which trips a TCG assertion:
qemu-system-arm: ../tcg/tcg-op.c:3343: void tcg_gen_goto_tb(unsigned int): Assertion `(tcg_ctx->goto_tb_issue_mask & (1 << idx)) == 0' failed.
This is because we call gen_goto_tb(dc, 1, ...) twice:
brcond_i32 ZF,$0x0,ne,$L1
add_i32 pc,pc,$0x4
goto_tb $0x1
exit_tb $0x73d948001b81
set_label $L1
add_i32 pc,pc,$0x4
goto_tb $0x1
exit_tb $0x73d948001b81
Both calls are in arm_tr_tb_stop(), one for the
DISAS_NEXT/DISAS_TOO_MANY handling, and one for the dc->condjump
condition-failed codepath. The DISAS_NEXT handling doesn't have this
problem because arm_post_translate_insn() does the handling of "emit
the label for the condition-failed conditional execution" and so
arm_tr_tb_stop() doesn't have dc->condjump set. But for
DISAS_TOO_MANY we don't do that.
Fix the bug by making arm_post_translate_insn() handle the
DISAS_TOO_MANY case. This only affects the SB and ISB insns when
used in Thumb mode inside an IT block: only these insns specifically
set is_jmp to TOO_MANY, and their A32 encodings are unconditional.
For the major TOO_MANY case (breaking the TB because it would cross a
page boundary) we do that check and set is_jmp to TOO_MANY only after
the call to arm_post_translate_insn(); so arm_post_translate_insn()
sees is_jmp == DISAS_NEXT, and we emit the correct code for that
situation.
With this fix we generate the somewhat more sensible set of TCG ops:
brcond_i32 ZF,$0x0,ne,$L1
set_label $L1
add_i32 pc,pc,$0x4
goto_tb $0x1
exit_tb $0x7c5434001b81
(NB: the TCG optimizer doesn't optimize out the jump-to-next, but
we can't really avoid emitting it because we don't know at the
point we're emitting the handling for the condexec check whether
this insn is going to happen to be a nop for us or not.)
Cc: qemu-stable@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2942
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250501125544.727038-1-peter.maydell@linaro.org
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| hvf | ||
| tcg | ||
| arch_dump.c | ||
| arm-powerctl.c | ||
| arm-powerctl.h | ||
| arm-qmp-cmds.c | ||
| common-semi-target.h | ||
| cortex-regs.c | ||
| cpregs.h | ||
| cpu-features.h | ||
| cpu-param.h | ||
| cpu-qom.h | ||
| cpu.c | ||
| cpu.h | ||
| cpu64.c | ||
| debug_helper.c | ||
| gdbstub.c | ||
| gdbstub64.c | ||
| gtimer.h | ||
| helper.c | ||
| helper.h | ||
| hvf_arm.h | ||
| hyp_gdbstub.c | ||
| idau.h | ||
| internals.h | ||
| Kconfig | ||
| kvm-consts.h | ||
| kvm-stub.c | ||
| kvm.c | ||
| kvm_arm.h | ||
| machine.c | ||
| meson.build | ||
| multiprocessing.h | ||
| op_addsub.h | ||
| ptw.c | ||
| syndrome.h | ||
| tcg-stubs.c | ||
| trace-events | ||
| trace.h | ||
| vfp_helper.c | ||