CCing RTH, who was the last person to do something with this area of the code, I think. I thought the correct answer to this problem was "don't use the cpu_st* functions but use something else you can pass GETRA() to"?
On 15 September 2014 03:50, Pavel Dovgalyuk <pavel.dovga...@ispras.ru> wrote:
> MMU helper functions are called from generated code and from other helper
> functions. In both cases they try to get the function's return address to
> use while restoring the virtual CPU state.
>
> When an MMU helper is called from some other helper function
> (like helper_maskmov_xmm) through a cpu_st* function, the return address
> will point to that helper. That is why the CPU state cannot be restored in
> the case of an MMU fault.
>
> This bug can occur when a maskmov instruction is located in the middle of the
> translation block.
>
> Execution sequence for this example:
>
> TB start:
> PC1: instr1
>      instr2
> PC2: maskmov <page fault>
> <page fault processing>
> PC1: instr1
>      instr2
>      maskmov
>
> At the start of TB execution the guest PC points to instr1. When the page
> fault occurs QEMU tries to restore the guest PC (which should be equal to
> PC2). It reads the host PC from the call stack and checks whether it points
> into the TB or not. A bug in the ldst helpers implementation provides an
> incorrect host PC, which is not located within the TB. That's why QEMU
> cannot recover the guest PC and it remains the same (PC1). After page fault
> processing QEMU restarts the TB and executes instr1 and instr2 for the
> second time, because the guest PC was not recovered.
>
> This patch introduces several inline helpers to load a return address
> which points to the right place. A correct return address allows correct
> restoring of the guest PC.

thanks
-- PMM
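The mechanism discussed in the thread, reduced to a stand-alone C program: this is an added illustration, not code from QEMU or from the patch. It assumes GCC or clang (for `__builtin_return_address` and `__attribute__((noinline))`), and the names `cpu_st_buggy`, `cpu_st_ra`, `helper_store_*`, `run_tb_*` and `mmu_fault_path` are hypothetical stand-ins for the real accessor, helper, translation block and ldst slow path. The "buggy" accessor computes the return address itself and so reports an address inside the outer helper; the "fixed" accessor takes the return address from its caller, the way a GETRA()-taking variant would, so the fault path sees the host PC inside the TB.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: GCC/clang. __builtin_return_address(0) is the address the
 * current function will return to. Stand-in for QEMU's GETPC()/GETRA(). */
#define GETPC() ((uintptr_t)__builtin_return_address(0))
#define NOINLINE __attribute__((noinline))
/* Stops the compiler from turning the preceding call into a tail jump,
 * which would change which frame __builtin_return_address(0) reports. */
#define NO_TAILCALL() __asm__ volatile("" ::: "memory")

/* Host PC handed to the simulated fault path; in QEMU this is what would be
 * passed on to cpu_restore_state() to recover the guest PC. */
static uintptr_t last_mmu_retaddr;

/* Hypothetical stand-in for the ldst/MMU helper fault path. */
NOINLINE static void mmu_fault_path(uintptr_t retaddr)
{
    last_mmu_retaddr = retaddr;
    NO_TAILCALL();
}

/* Buggy cpu_st*-style accessor: it looks up the return address itself, so
 * when an outer helper calls it, the address it reports lies inside that
 * helper, not inside the translation block. */
NOINLINE static void cpu_st_buggy(void)
{
    mmu_fault_path(GETPC());
    NO_TAILCALL();
}

/* Fixed accessor: the caller already knows the TB-side return address and
 * passes it down explicitly. */
NOINLINE static void cpu_st_ra(uintptr_t retaddr)
{
    mmu_fault_path(retaddr);
    NO_TAILCALL();
}

/* Outer helpers (stand-ins for helper_maskmov_xmm). Each returns the host
 * PC it was called from, i.e. the address inside the "TB". */
NOINLINE static uintptr_t helper_store_buggy(void)
{
    uintptr_t ra = GETPC();
    cpu_st_buggy();
    NO_TAILCALL();
    return ra;
}

NOINLINE static uintptr_t helper_store_fixed(void)
{
    uintptr_t ra = GETPC();
    cpu_st_ra(ra);
    NO_TAILCALL();
    return ra;
}

/* One simulated TB execution: the host PC of the call site in the TB, and
 * the host PC the fault path ended up with. */
struct probe {
    uintptr_t tb_pc;
    uintptr_t seen_by_mmu;
};

/* "Translation blocks": each calls one outer helper. */
NOINLINE struct probe run_tb_buggy(void)
{
    struct probe p;
    p.tb_pc = helper_store_buggy();
    NO_TAILCALL();
    p.seen_by_mmu = last_mmu_retaddr;
    return p;
}

NOINLINE struct probe run_tb_fixed(void)
{
    struct probe p;
    p.tb_pc = helper_store_fixed();
    NO_TAILCALL();
    p.seen_by_mmu = last_mmu_retaddr;
    return p;
}

/* cpu_restore_state() asks whether the host PC lies within the TB; with a
 * single call site per simulated TB that reduces to an equality check. */
int mmu_retaddr_is_in_tb(struct probe p)
{
    return p.tb_pc == p.seen_by_mmu;
}

int main(void)
{
    struct probe b = run_tb_buggy();
    struct probe f = run_tb_fixed();
    printf("buggy: tb_pc=%#" PRIxPTR " mmu saw %#" PRIxPTR " -> %s\n",
           b.tb_pc, b.seen_by_mmu, mmu_retaddr_is_in_tb(b) ? "in TB" : "NOT in TB");
    printf("fixed: tb_pc=%#" PRIxPTR " mmu saw %#" PRIxPTR " -> %s\n",
           f.tb_pc, f.seen_by_mmu, mmu_retaddr_is_in_tb(f) ? "in TB" : "NOT in TB");
    return 0;
}
```

The `noinline` attributes and the empty `asm` barriers matter: if the compiler inlined an accessor into the outer helper, or turned the last call of a function into a tail jump, the frame that `__builtin_return_address(0)` reports would change and the comparison would no longer model the separate-call situation the thread describes.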