From: BALATON Zoltan <balaton@eik.bme.hu>
To: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: Howard Spoelstra <hsp.cat7@gmail.com>,
Richard Henderson <richard.henderson@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Aleksandar Markovic <aleksandar.m.mail@gmail.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [Qemu-devel] [PATCH v4 0/7] tcg/ppc: Add vector opcodes
Date: Wed, 26 Jun 2019 20:18:05 +0200 (CEST) [thread overview]
Message-ID: <alpine.BSF.2.21.9999.1906262010500.23988@zero.eik.bme.hu> (raw)
In-Reply-To: <0ceec012-fcdc-ccde-291a-121a4e475f86@ilande.co.uk>
On Wed, 26 Jun 2019, Mark Cave-Ayland wrote:
> On 26/06/2019 08:45, Richard Henderson wrote:
>> On 6/25/19 7:55 PM, Mark Cave-Ayland wrote:
>>> And here's where we are blowing up according to -d in_asm,op_out_asm:
>>>
>>> IN:
>>> 0x00f22ca0: 101ffc84 vor v0, v31, v31
>>>
>>> OP:
>>> ld_i32 tmp0,env,$0xfffffff8
>>> movi_i32 tmp1,$0x0
>>> brcond_i32 tmp0,tmp1,lt,$L0
>>>
>>> ---- 00f22ca0
>>> ld_vec v128,e8,tmp2,env,$0xd6b0
>>> st_vec v128,e8,tmp2,env,$0xd4c0
>>
>> Yep, that looks right.
>>
>> As an aside, this does suggest to me that target/ppc might be well served in
>> moving the ppc_vsr_t members of CPUPPCState earlier, so that this offset is
>> smaller.
>>
>>> movi_i32 nip,$0xf22ca4
>>> movi_i32 nip,$0xf22ca4
>>> movi_i32 tmp0,$0x10002
>>> call raise_exception,$0x2,$0,env,tmp0
>>
>> And this, presumably is the single-step debug exception.
>>
>>> 0xa4e7f12c: 3c400000 lis r2, 0
>>> 0xa4e7f130: 6042d6b0 ori r2, r2, 0xd6b0
>>> 0xa4e7f134: 7c5b10ce lvx v2, r27, r2
>>
>>> 0xa4e7f138: 3c400000 lis r2, 0
>>> 0xa4e7f13c: 6042d4c0 ori r2, r2, 0xd4c0
>>> 0xa4e7f140: 7c5b11ce stvx v2, r27, r2
>>
>> These also look correct. Form an offset into r2, load or store from env+r2.
>>
>> This also shows what I mention above re offset. For a ppc host, the offset is
>> large enough to require two instructions to form them.
>>
>>> Any ideas what might be going on here?
>>
>> What is the observed problem that makes you think that this is the incorrect
>> instruction?
>
> What I've been doing is set a breakpoint a few instructions before and then issuing
> "stepi" commands via the gdbstub. As I step over the "vor v0, v31, v31" instruction
> then either the qemu-system-ppc process segfaults outside of gdb, or inside gdb it
> goes to bg. Bringing it back to fg just causes gdb to get confused and in the end the
> only thing I can do is kill the gdb process.
>
> On the plus side I've managed to work out where we are faulting by hacking the load
> and store functions to inject trap opcodes in the ld_vec and st_vec and it appears
> that we are segfaulting here:
>
> OUT: [size=96]
> 0xa4e7f120: 81dbfff8 lwz r14, -8(r27)
> 0xa4e7f124: 2f8e0000 cmpwi cr7, r14, 0
> 0xa4e7f128: 419c004c blt cr7, 0xa4e7f174
> 0xa4e7f12c: 3c400000 lis r2, 0
> ^^^^^^^^^^^^^^
> 0xa4e7f130: 6042d6b0 ori r2, r2, 0xd6b0
> 0xa4e7f134: 7c5b10ce lvx v2, r27, r2
> 0xa4e7f138: 3c400000 lis r2, 0
> 0xa4e7f13c: 6042d4c0 ori r2, r2, 0xd4c0
> 0xa4e7f140: 7c5b11ce stvx v2, r27, r2
> 0xa4e7f144: 3dc000f2 lis r14, 0xf2
> 0xa4e7f148: 61ce2ca4 ori r14, r14, 0x2ca4
> 0xa4e7f14c: 91db016c stw r14, 0x16c(r27)
> 0xa4e7f150: 7f63db78 mr r3, r27
> 0xa4e7f154: 3c800001 lis r4, 1
> 0xa4e7f158: 60840002 ori r4, r4, 2
> 0xa4e7f15c: 3c000087 lis r0, 0x87
> 0xa4e7f160: 6000b618 ori r0, r0, 0xb618
> 0xa4e7f164: 7c0903a6 mtctr r0
> 0xa4e7f168: 4e800421 bctrl
> 0xa4e7f16c: 38600000 li r3, 0
> 0xa4e7f170: 4bfffef0 b 0xa4e7f060
> 0xa4e7f174: 3c60a4e7 lis r3, -0x5b19
> 0xa4e7f178: 6063f0c3 ori r3, r3, 0xf0c3
> 0xa4e7f17c: 4bfffee4 b 0xa4e7f060
>
> Interestingly if I set a trap and then switch the opcode to "lis r4,0" (0x3c800000)
> then we carry on as normal until the next "lis r2,0" instruction. Looking through the
> whole output of -d out_asm this is the first mention of r2 which makes me wonder if
> it is special somehow? At least a quick search indicates that for 32-bit PPC r2 is
> supposed to be dedicated as a TOC pointer.
According to a PowerPC ABI doc:
http://refspecs.linux-foundation.org/elf/elfspec_ppc.pdf
r2 is system reserved and should not be used by application code and
another one (probably the same you were referring to mentions TOC
https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi-1.9.html#REG.
I'm not sure if that's relevant for the above but it looks like clobbering
r2 might cause problems.
Regards,
BALATON Zoltan
next prev parent reply other threads:[~2019-06-26 18:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-19 4:15 [Qemu-devel] [PATCH v4 0/7] tcg/ppc: Add vector opcodes Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 1/7] tcg/ppc: Initial backend support for Altivec Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 2/7] tcg/ppc: Support vector shift by immediate Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 3/7] tcg/ppc: Support vector multiply Richard Henderson
2019-05-19 5:05 ` Aleksandar Markovic
2019-05-19 14:45 ` Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 4/7] tcg/ppc: Support vector dup2 Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 5/7] tcg/ppc: Update vector support to v2.06 Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 6/7] tcg/ppc: Update vector support to v2.07 Richard Henderson
2019-05-19 4:15 ` [Qemu-devel] [PATCH v4 7/7] tcg/ppc: Update vector support to v3.00 Richard Henderson
2019-06-18 5:00 ` [Qemu-devel] [PATCH v4 0/7] tcg/ppc: Add vector opcodes Richard Henderson
2019-06-19 5:07 ` Mark Cave-Ayland
2019-06-20 11:51 ` Howard Spoelstra
2019-06-22 14:20 ` Mark Cave-Ayland
2019-06-22 15:01 ` Mark Cave-Ayland
2019-06-23 17:10 ` Aleksandar Markovic
2019-06-25 6:56 ` Richard Henderson
2019-06-25 15:37 ` Mark Cave-Ayland
2019-06-25 15:56 ` Richard Henderson
2019-06-25 17:55 ` Mark Cave-Ayland
2019-06-26 7:45 ` Richard Henderson
2019-06-26 17:00 ` Mark Cave-Ayland
2019-06-26 18:18 ` BALATON Zoltan [this message]
2019-06-26 18:42 ` Richard Henderson
2019-06-26 19:38 ` Mark Cave-Ayland
2019-06-26 20:21 ` BALATON Zoltan
2019-06-27 17:24 ` Mark Cave-Ayland
2019-06-27 17:51 ` Richard Henderson
2019-06-27 17:54 ` Richard Henderson
2019-06-27 18:21 ` Mark Cave-Ayland
2019-06-26 8:33 ` David Gibson
2019-06-26 15:25 ` Richard Henderson
2019-06-25 18:01 ` Aleksandar Markovic
2019-06-19 8:11 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.BSF.2.21.9999.1906262010500.23988@zero.eik.bme.hu \
--to=balaton@eik.bme.hu \
--cc=aleksandar.m.mail@gmail.com \
--cc=david@gibson.dropbear.id.au \
--cc=hsp.cat7@gmail.com \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).