[Qemu-devel] Actual TB code doesn't look like what was intended (TCG issue)?

Thu, 23 Jun 2011 19:50:20 -0700 

Hello guys.

I'm running qemu on x86_64 host.
It's clean build from git sources dated 2011.05.19, commit 
1fddfba129f5435c80eda14e8bc23fdb888c7187
I have the following output from "log trace,op,out_asm":

Trace 0x4000a310 [d0026c92]
OP:
 ---- 0xd00000c0
 movi_i32 tmp1,$0xfffffff4
 add_i32 tmp0,ar9,tmp1
 qemu_ld32 ar1,tmp0,$0x0

 ---- 0xd00000c3
 movi_i32 tmp1,$0xfffffff0
 add_i32 tmp0,ar9,tmp1
 qemu_ld32 ar0,tmp0,$0x0

[...snip...]

OUT: [size=664]
0x4000a330:  mov    0x2c(%r14),%ebp
0x4000a334:  lea    -0xc(%rbp),%ebx
0x4000a337:  mov    %ebx,%esi
0x4000a339:  mov    %ebx,%edi
0x4000a33b:  shr    $0x7,%esi
0x4000a33e:  and    $0xfffff003,%edi
0x4000a344:  and    $0x1fe0,%esi
0x4000a34a:  lea    0x1000(%r14,%rsi,1),%rsi
0x4000a352:  cmp    (%rsi),%edi
0x4000a354:  mov    %ebx,%edi
0x4000a356:  jne    0x4000a360
0x4000a358:  add    0x10(%rsi),%rdi
0x4000a35c:  mov    (%rdi),%ebp
0x4000a35e:  jmp    0x4000a369
0x4000a360:  xor    %esi,%esi
0x4000a362:  callq  0x52edc2
0x4000a367:  mov    %eax,%ebp
0x4000a369:  mov    0x2c(%r14),%ebx
0x4000a36d:  lea    -0x10(%rbx),%r12d
0x4000a371:  mov    %ebp,0xc(%r14)
0x4000a375:  mov    %r12d,%esi
0x4000a378:  mov    %r12d,%edi
[...snip...]

Execution of this fragment eventually causes SIGSEGV.
In gdb actually generated code for this TB looks like this:

(gdb) x/25i 0x4000a330
   0x4000a330:  mov    0x2c(%r14),%ebp
   0x4000a334:  lea    -0xc(%rbp),%ebx
   0x4000a337:  mov    %ebx,%esi
   0x4000a339:  mov    %ebx,%edi
   0x4000a33b:  shr    $0x7,%esi
   0x4000a33e:  and    $0xfffff003,%edi
   0x4000a344:  and    $0x1fe0,%esi
   0x4000a34a:  lea    0x3000(%r14,%rsi,1),%rsi
   0x4000a352:  cmp    (%rsi),%edi
   0x4000a354:  mov    %ebx,%edi
   0x4000a356:  jne    0x4000a360
   0x4000a358:  add    0x10(%rsi),%rdi
   0x4000a35c:  mov    (%rdi),%ebp
   0x4000a35e:  jmp    0x4000a36c
   0x4000a360:  mov    $0x1,%esi
   0x4000a365:  callq  0x52edc2 <__ldl_mmu>
   0x4000a36a:  mov    %eax,%ebp
   0x4000a36c:  sub    $0x44,%al
=> 0x4000a36e:  lea    -0x10(%rbx),%esp
   0x4000a371:  mov    %ebp,0xc(%r14)
   0x4000a375:  mov    %r12d,%esi
   0x4000a378:  mov    %r12d,%edi

Please note how the current instruction in gdb differ from what was said in 
OUT. This lea corrupts stack pointer and the next callq generates segfault.
Could please anyone familiar with TCG take a look at this, or suggest where I 
should look myself?

Thanks.
-- Max

Reply via email to