Host x86_64, guest sparc64. Found a case where a branch instruction (brz,pn %o0) unexpectedly jumps to an unexpected address. I.e. branch shouldn't be taken at all, but even if it were it should have been to 0x13e26e4 and not to 0x5.
Was about to write that the generated OP for brz,pn usually looks different, when I realized that in fact it was even generated for this very address just before, but with another branch in the delay slot. The bug looks familiar, Blue, doesn't it? :)

IN:
0x00000000013e26c0:  brz,pn   %o0, 0x13e26e4
0x00000000013e26c4:  brlez,pn   %o1, 0x13e26e4

OP:
 ---- 0x13e26c0
 ld_i64 tmp6,regwptr,$0x0
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp6,tmp8,ne,$0x0
 movi_i64 cond,$0x1
 set_label $0x0
^^^ Ok, that's how brz,pn usually looks

 ---- 0x13e26c4
 ld_i64 tmp7,regwptr,$0x8
 movi_i64 tmp8,$0x0
 brcond_i64 cond,tmp8,eq,$0x1
 movi_i64 npc,$0x13e26e4
 br $0x2
 set_label $0x1
 movi_i64 npc,$0x13e26c8
 set_label $0x2
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp7,tmp8,gt,$0x3
 movi_i64 cond,$0x1
 set_label $0x3
 movi_i64 tmp0,$0x0
 brcond_i64 cond,tmp0,eq,$0x4
 movi_i64 npc,$0x13e26e4
 br $0x5
 set_label $0x4
 movi_i64 npc,$0x5
 set_label $0x5
 exit_tb $0x0

--------------
IN:
0x00000000013e26c0:  brz,pn   %o0, 0x13e26e4

OP:
 ---- 0x13e26c0
 ld_i64 tmp6,regwptr,$0x0
 movi_i64 cond,$0x0
 movi_i64 tmp8,$0x0
 brcond_i64 tmp6,tmp8,ne,$0x0
 movi_i64 cond,$0x1
 set_label $0x0
 movi_i64 pc,$0x5
^^^ What's that?
 movi_i64 tmp0,$0x0
 brcond_i64 cond,tmp0,eq,$0x1
 movi_i64 npc,$0x13e26e4
 br $0x2
 set_label $0x1
 movi_i64 npc,$0x9
 set_label $0x2
 exit_tb $0x0

33062: Instruction Access MMU Miss (v=0064) pc=0000000000000005 npc=0000000000000009 SP=000000000c3d2d81
...
Current Register Window:
%o0-3: 0000000002483d00 0000000000000018 0000000000000028 00000000000232bd
       ^^^^^^ not zero

--
Regards,
Artyom Tarasenko

solaris/sparc under qemu blog: http://tyom.blogspot.com/