On 06/26/2018 03:07 PM, Stafford Horne wrote:
> Hello,
>
> I think I found out something.
>
> in: target/openrisc/sys_helper.c:92
>
> When we write to `env->tlb.dtlb[idx].tr` in helper_mtspr():
>  93     case TO_SPR(1, 640) ... TO_SPR(1, 640 + TLB_SIZE - 1): /* DTLBW0TR 0-127 */
>  94         idx = spr - TO_SPR(1, 640);
>  95         env->tlb.dtlb[idx].tr = rb;
>
>
> Somehow we are overlapping with `cpu->tb_jmp_cache`, these are both
> pointing to the same spot in memory.
>
> (gdb) p &cs->tb_jmp_cache[3014]
> $9 = (struct TranslationBlock **) 0x55555608b300
> (gdb) p &env->tlb.dtlb[idx].tr
> $10 = (uint32_t *) 0x55555608b304
That is definitely weird.  How about

(gdb) p openrisc_env_get_cpu(env)
$1 = xxxx
(gdb) p &$1->parent_obj
(gdb) p &$1->env
(gdb) p cs->env_ptr

There should be 4096 entries in tb_jmp_cache, so there should be no way
that overlaps.  I can only imagine either CS or ENV is incorrect somehow.
How that would be, I don't know...

r~
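The checks Richard asks for at the gdb prompt (is `cs` the `parent_obj` of the CPU that owns `env`, does `cs->env_ptr` point back at that `env`, and can the DTLB array share bytes with `tb_jmp_cache` at all) can also be expressed as runtime assertions. The following is an added, self-contained illustration, not code from the thread or from QEMU: the struct types are constructed stand-ins that only mirror the layout the thread talks about (`parent_obj` first, `env` after it, a 4096-entry `tb_jmp_cache`, `TLB_SIZE` of 128 and `TO_SPR(group, reg) = (group << 11) + reg` are assumed from QEMU's headers of that time), and `write_dtlb_tr`, `cpu_env_consistent` and `run_checks` are hypothetical names.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified models of the objects named in the thread.
 * Sizes follow the thread and the assumed QEMU constants; these are
 * not QEMU's real types. */
#define TB_JMP_CACHE_SIZE 4096
#define TLB_SIZE 128
#define TO_SPR(group, reg) (((group) << 11) + (reg))   /* assumed, as in QEMU's spr.h */
#define SPR_DTLBW0TR_BASE TO_SPR(1, 640)                 /* DTLBW0TR 0-127 window */

typedef struct TranslationBlock TranslationBlock;

typedef struct { uint32_t mr; uint32_t tr; } TLBEntry;

typedef struct {
    TLBEntry itlb[TLB_SIZE];
    TLBEntry dtlb[TLB_SIZE];
} CPUTLB;

typedef struct { CPUTLB tlb; } CPUEnv;                  /* stand-in for CPUOpenRISCState */

typedef struct {                                        /* stand-in for CPUState */
    TranslationBlock *tb_jmp_cache[TB_JMP_CACHE_SIZE];
    void *env_ptr;
} CPUStateModel;

typedef struct {                                        /* stand-in for OpenRISCCPU */
    CPUStateModel parent_obj;                           /* parent_obj first ... */
    CPUEnv env;                                         /* ... env embedded after it */
} CPUModel;

/* Map an SPR number onto a DTLB way-0 translate-register index; -1 if it
 * falls outside the DTLBW0TR window that the case range in helper_mtspr covers. */
int dtlb_tr_index(uint32_t spr)
{
    if (spr < SPR_DTLBW0TR_BASE || spr > SPR_DTLBW0TR_BASE + TLB_SIZE - 1) {
        return -1;
    }
    return (int)(spr - SPR_DTLBW0TR_BASE);
}

/* Do the half-open byte ranges [a, a+alen) and [b, b+blen) share any byte? */
bool ranges_overlap(uintptr_t a, size_t alen, uintptr_t b, size_t blen)
{
    return a < b + blen && b < a + alen;
}

/* The three identity checks from the reply, plus the overlap test: cs must be
 * cpu's parent_obj, env must be cpu's embedded env, cs->env_ptr must point back
 * at env, and the DTLB array must not alias tb_jmp_cache. */
bool cpu_env_consistent(const CPUModel *cpu, const CPUStateModel *cs, const CPUEnv *env)
{
    if (cs != &cpu->parent_obj || env != &cpu->env || cs->env_ptr != env) {
        return false;
    }
    return !ranges_overlap((uintptr_t)cs->tb_jmp_cache, sizeof cs->tb_jmp_cache,
                           (uintptr_t)env->tlb.dtlb, sizeof env->tlb.dtlb);
}

/* Guarded form of the DTLBW0TR write quoted from helper_mtspr: refuse the
 * store instead of silently writing through a mismatched env or bad index. */
bool write_dtlb_tr(CPUModel *cpu, CPUStateModel *cs, CPUEnv *env, uint32_t spr, uint32_t rb)
{
    int idx = dtlb_tr_index(spr);
    if (idx < 0 || !cpu_env_consistent(cpu, cs, env)) {
        return false;
    }
    env->tlb.dtlb[idx].tr = rb;
    return true;
}

/* Exercise the guard on two constructed CPU objects. Returns a bit mask of
 * failed expectations; 0 means every case behaved as intended. */
unsigned run_checks(void)
{
    static CPUModel cpus[2];
    unsigned failed = 0;
    for (int i = 0; i < 2; i++) {
        cpus[i].parent_obj.env_ptr = &cpus[i].env;
    }
    /* Same object: the store lands in the TLB, far from tb_jmp_cache. */
    if (!write_dtlb_tr(&cpus[0], &cpus[0].parent_obj, &cpus[0].env, TO_SPR(1, 645), 0x1234)) failed |= 1;
    if (cpus[0].env.tlb.dtlb[5].tr != 0x1234) failed |= 2;
    /* cs from one CPU, env from another (the "CS or ENV is incorrect" case): refused. */
    if (write_dtlb_tr(&cpus[0], &cpus[0].parent_obj, &cpus[1].env, TO_SPR(1, 640), 1)) failed |= 4;
    /* SPR one past the DTLBW0TR window: refused. */
    if (write_dtlb_tr(&cpus[0], &cpus[0].parent_obj, &cpus[0].env, TO_SPR(1, 640 + TLB_SIZE), 1)) failed |= 8;
    return failed;
}

int main(void)
{
    printf("failed mask: 0x%x\n", run_checks());
    return 0;
}
```

With both members embedded in one object, `cpu_env_consistent` can only report an overlap if `cs` and `env` come from different objects or `env` does not live where `cs->env_ptr` says it does, which is exactly the possibility the reply singles out.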