* [Qemu-devel] [Bug 1843133] [NEW] Possibly incorrect branch in qemu-system-hppa
@ 2019-09-07 15:51 Paulo César Pereira de Andrade
2019-09-07 16:18 ` [Qemu-devel] [Bug 1843133] " Paulo César Pereira de Andrade
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Paulo César Pereira de Andrade @ 2019-09-07 15:51 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
I plan to release a new GNU Lightning soon.
I no longer have access to any physical HPPA, but code that
was tested some years ago did work on HPPA/HP-UX, and now it
appears qemu-system-hppa incorrectly branches in code generated
by GNU Lightning. Currently only 32 bit hppa jit generation
supported.
In the lightning check/test tool, the code would be:
.code
prolog
movi %r0 0x7fffffff
movi %r1 1
boaddr L0 %r0 %r1
calli @abort
L0:
ret
epilog
The code/debug information looks like this:
movi r4 0x7fffffff
0xf8ef5018 ldil L%7ffff800,r4
0xf8ef501c ldo 7ff(r4),r4
movi r5 0x1
0xf8ef5020 ldi 1,r5
boaddr L1 r4 r5
0xf8ef5024 addb,sv,n r5,r4,0xf8ef5044 :a.tst:291
0xf8ef5028 nop
calli 0xf8eeb68a
[...]
L1:
Apparently it is not understanding 0x7fffffff + 1 is a signed overflow.
Tested in Fedora with qemu-system-hppa-3.1.1-2.fc30.x86_64 and using
the debian-10 image.
To make it a bit easier to test (partially transformed the
not so optimized code generated by lightning to gcc -S output):
# cat a.s
.LEVEL 1.1
.text
.align 4
.globl main
.type main, @function
main:
.PROC
.CALLINFO FRAME=64,NO_CALLS,SAVE_SP,ENTRY_GR=3
.ENTRY
copy %r3,%r1
copy %r30,%r3
stwm %r1,64(%r30)
zdepi -1,31,31,%r23
ldi 1,%r24
addb,sv,n %r24,%r23,.L0
nop
ldi 1,%r28
b,n .L1
nop
.L0:
ldi 0,%r28
.L1:
ldo 64(%r3),%r30
ldwm -64(%r30),%r3
bv,n %r0(%r2)
.EXIT
.PROCEND
.size main, .-main
# gcc a.s
# ./a.out; echo $?
1
It should have returned 0.
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1843133
Title:
Possibly incorrect branch in qemu-system-hppa
Status in QEMU:
New
Bug description:
I plan to release a new GNU Lightning soon.
I no longer have access to any physical HPPA, but code that
was tested some years ago did work on HPPA/HP-UX, and now it
appears qemu-system-hppa incorrectly branches in code generated
by GNU Lightning. Currently only 32 bit hppa jit generation
supported.
In the lightning check/test tool, the code would be:
.code
prolog
movi %r0 0x7fffffff
movi %r1 1
boaddr L0 %r0 %r1
calli @abort
L0:
ret
epilog
The code/debug information looks like this:
movi r4 0x7fffffff
0xf8ef5018 ldil L%7ffff800,r4
0xf8ef501c ldo 7ff(r4),r4
movi r5 0x1
0xf8ef5020 ldi 1,r5
boaddr L1 r4 r5
0xf8ef5024 addb,sv,n r5,r4,0xf8ef5044 :a.tst:291
0xf8ef5028 nop
calli 0xf8eeb68a
[...]
L1:
Apparently it is not understanding 0x7fffffff + 1 is a signed
overflow.
Tested in Fedora with qemu-system-hppa-3.1.1-2.fc30.x86_64 and using
the debian-10 image.
To make it a bit easier to test (partially transformed the
not so optimized code generated by lightning to gcc -S output):
# cat a.s
.LEVEL 1.1
.text
.align 4
.globl main
.type main, @function
main:
.PROC
.CALLINFO FRAME=64,NO_CALLS,SAVE_SP,ENTRY_GR=3
.ENTRY
copy %r3,%r1
copy %r30,%r3
stwm %r1,64(%r30)
zdepi -1,31,31,%r23
ldi 1,%r24
addb,sv,n %r24,%r23,.L0
nop
ldi 1,%r28
b,n .L1
nop
.L0:
ldi 0,%r28
.L1:
ldo 64(%r3),%r30
ldwm -64(%r30),%r3
bv,n %r0(%r2)
.EXIT
.PROCEND
.size main, .-main
# gcc a.s
# ./a.out; echo $?
1
It should have returned 0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1843133/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread* [Qemu-devel] [Bug 1843133] Re: Possibly incorrect branch in qemu-system-hppa
2019-09-07 15:51 [Qemu-devel] [Bug 1843133] [NEW] Possibly incorrect branch in qemu-system-hppa Paulo César Pereira de Andrade
@ 2019-09-07 16:18 ` Paulo César Pereira de Andrade
2019-09-14 20:24 ` Richard Henderson
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Paulo César Pereira de Andrade @ 2019-09-07 16:18 UTC (permalink / raw)
To: qemu-devel
As a side note, the branch is correct if testing 0xffffffe + 2
or other combinations to cause a signed overflow. The only
special pattern that fails is '0x7ffffff + 1'.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1843133
Title:
Possibly incorrect branch in qemu-system-hppa
Status in QEMU:
New
Bug description:
I plan to release a new GNU Lightning soon.
I no longer have access to any physical HPPA, but code that
was tested some years ago did work on HPPA/HP-UX, and now it
appears qemu-system-hppa incorrectly branches in code generated
by GNU Lightning. Currently only 32 bit hppa jit generation
supported.
In the lightning check/test tool, the code would be:
.code
prolog
movi %r0 0x7fffffff
movi %r1 1
boaddr L0 %r0 %r1
calli @abort
L0:
ret
epilog
The code/debug information looks like this:
movi r4 0x7fffffff
0xf8ef5018 ldil L%7ffff800,r4
0xf8ef501c ldo 7ff(r4),r4
movi r5 0x1
0xf8ef5020 ldi 1,r5
boaddr L1 r4 r5
0xf8ef5024 addb,sv,n r5,r4,0xf8ef5044 :a.tst:291
0xf8ef5028 nop
calli 0xf8eeb68a
[...]
L1:
Apparently it is not understanding 0x7fffffff + 1 is a signed
overflow.
Tested in Fedora with qemu-system-hppa-3.1.1-2.fc30.x86_64 and using
the debian-10 image.
To make it a bit easier to test (partially transformed the
not so optimized code generated by lightning to gcc -S output):
# cat a.s
.LEVEL 1.1
.text
.align 4
.globl main
.type main, @function
main:
.PROC
.CALLINFO FRAME=64,NO_CALLS,SAVE_SP,ENTRY_GR=3
.ENTRY
copy %r3,%r1
copy %r30,%r3
stwm %r1,64(%r30)
zdepi -1,31,31,%r23
ldi 1,%r24
addb,sv,n %r24,%r23,.L0
nop
ldi 1,%r28
b,n .L1
nop
.L0:
ldi 0,%r28
.L1:
ldo 64(%r3),%r30
ldwm -64(%r30),%r3
bv,n %r0(%r2)
.EXIT
.PROCEND
.size main, .-main
# gcc a.s
# ./a.out; echo $?
1
It should have returned 0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1843133/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread* [Qemu-devel] [Bug 1843133] Re: Possibly incorrect branch in qemu-system-hppa
2019-09-07 15:51 [Qemu-devel] [Bug 1843133] [NEW] Possibly incorrect branch in qemu-system-hppa Paulo César Pereira de Andrade
2019-09-07 16:18 ` [Qemu-devel] [Bug 1843133] " Paulo César Pereira de Andrade
@ 2019-09-14 20:24 ` Richard Henderson
2019-09-14 20:29 ` Richard Henderson
2019-09-17 12:04 ` Paulo César Pereira de Andrade
3 siblings, 0 replies; 5+ messages in thread
From: Richard Henderson @ 2019-09-14 20:24 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: New => Incomplete
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1843133
Title:
Possibly incorrect branch in qemu-system-hppa
Status in QEMU:
Incomplete
Bug description:
I plan to release a new GNU Lightning soon.
I no longer have access to any physical HPPA, but code that
was tested some years ago did work on HPPA/HP-UX, and now it
appears qemu-system-hppa incorrectly branches in code generated
by GNU Lightning. Currently only 32 bit hppa jit generation
supported.
In the lightning check/test tool, the code would be:
.code
prolog
movi %r0 0x7fffffff
movi %r1 1
boaddr L0 %r0 %r1
calli @abort
L0:
ret
epilog
The code/debug information looks like this:
movi r4 0x7fffffff
0xf8ef5018 ldil L%7ffff800,r4
0xf8ef501c ldo 7ff(r4),r4
movi r5 0x1
0xf8ef5020 ldi 1,r5
boaddr L1 r4 r5
0xf8ef5024 addb,sv,n r5,r4,0xf8ef5044 :a.tst:291
0xf8ef5028 nop
calli 0xf8eeb68a
[...]
L1:
Apparently it is not understanding 0x7fffffff + 1 is a signed
overflow.
Tested in Fedora with qemu-system-hppa-3.1.1-2.fc30.x86_64 and using
the debian-10 image.
To make it a bit easier to test (partially transformed the
not so optimized code generated by lightning to gcc -S output):
# cat a.s
.LEVEL 1.1
.text
.align 4
.globl main
.type main, @function
main:
.PROC
.CALLINFO FRAME=64,NO_CALLS,SAVE_SP,ENTRY_GR=3
.ENTRY
copy %r3,%r1
copy %r30,%r3
stwm %r1,64(%r30)
zdepi -1,31,31,%r23
ldi 1,%r24
addb,sv,n %r24,%r23,.L0
nop
ldi 1,%r28
b,n .L1
nop
.L0:
ldi 0,%r28
.L1:
ldo 64(%r3),%r30
ldwm -64(%r30),%r3
bv,n %r0(%r2)
.EXIT
.PROCEND
.size main, .-main
# gcc a.s
# ./a.out; echo $?
1
It should have returned 0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1843133/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread* [Qemu-devel] [Bug 1843133] Re: Possibly incorrect branch in qemu-system-hppa
2019-09-07 15:51 [Qemu-devel] [Bug 1843133] [NEW] Possibly incorrect branch in qemu-system-hppa Paulo César Pereira de Andrade
2019-09-07 16:18 ` [Qemu-devel] [Bug 1843133] " Paulo César Pereira de Andrade
2019-09-14 20:24 ` Richard Henderson
@ 2019-09-14 20:29 ` Richard Henderson
2019-09-17 12:04 ` Paulo César Pereira de Andrade
3 siblings, 0 replies; 5+ messages in thread
From: Richard Henderson @ 2019-09-14 20:29 UTC (permalink / raw)
To: qemu-devel
This test case works for me.
$ ./hppa-linux-user/qemu-hppa ~/a.out
$ echo $?
0
>From -d in_asm,cpu logs:
IN: main
0x000112d0: addb,*<,n r24,r23,0x112e4
IA_F 000112d3 IA_B 000112d7
PSW 0000bf00 CB 11111111 ------------------
GR00 00000000 GR01 00000000 GR02 0001162b GR03 ff7fe9c0
GR04 00011b94 GR05 00011c6c GR06 00000000 GR07 00000000
GR08 00000000 GR09 00000000 GR10 00000000 GR11 00000000
GR12 00000000 GR13 00000000 GR14 00000000 GR15 00000000
GR16 00000000 GR17 00000000 GR18 00000000 GR19 ff7fe888
GR20 00000000 GR21 00000000 GR22 000112bc GR23 7fffffff
GR24 00000001 GR25 ff7fe674 GR26 00000001 GR27 0009a0e0
GR28 0009f080 GR29 00000001 GR30 ff7fea00 GR31 0001162b
About to execute the addb; r23 and r24 as expected.
----------------
IN: main
0x000112e4: ldi 0,ret0
IA_F 000112e7 IA_B 000112eb
PSW 0000bf00 CB 11111111 ------------------
GR00 00000000 GR01 00000000 GR02 0001162b GR03 ff7fe9c0
GR04 00011b94 GR05 00011c6c GR06 00000000 GR07 00000000
GR08 00000000 GR09 00000000 GR10 00000000 GR11 00000000
GR12 00000000 GR13 00000000 GR14 00000000 GR15 00000000
GR16 00000000 GR17 00000000 GR18 00000000 GR19 ff7fe888
GR20 00000000 GR21 00000000 GR22 000112bc GR23 80000000
GR24 00000001 GR25 ff7fe674 GR26 00000001 GR27 0009a0e0
GR28 0009f080 GR29 00000001 GR30 ff7fea00 GR31 0001162b
The branch has been taken, correctly.
We can see the expected result in r23.
I've also tested this in system mode, though getting logs
from that is significantly more difficult.
I am testing git master, not v3.1.1. Can you please try
the development version?
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1843133
Title:
Possibly incorrect branch in qemu-system-hppa
Status in QEMU:
Incomplete
Bug description:
I plan to release a new GNU Lightning soon.
I no longer have access to any physical HPPA, but code that
was tested some years ago did work on HPPA/HP-UX, and now it
appears qemu-system-hppa incorrectly branches in code generated
by GNU Lightning. Currently only 32 bit hppa jit generation
supported.
In the lightning check/test tool, the code would be:
.code
prolog
movi %r0 0x7fffffff
movi %r1 1
boaddr L0 %r0 %r1
calli @abort
L0:
ret
epilog
The code/debug information looks like this:
movi r4 0x7fffffff
0xf8ef5018 ldil L%7ffff800,r4
0xf8ef501c ldo 7ff(r4),r4
movi r5 0x1
0xf8ef5020 ldi 1,r5
boaddr L1 r4 r5
0xf8ef5024 addb,sv,n r5,r4,0xf8ef5044 :a.tst:291
0xf8ef5028 nop
calli 0xf8eeb68a
[...]
L1:
Apparently it is not understanding 0x7fffffff + 1 is a signed
overflow.
Tested in Fedora with qemu-system-hppa-3.1.1-2.fc30.x86_64 and using
the debian-10 image.
To make it a bit easier to test (partially transformed the
not so optimized code generated by lightning to gcc -S output):
# cat a.s
.LEVEL 1.1
.text
.align 4
.globl main
.type main, @function
main:
.PROC
.CALLINFO FRAME=64,NO_CALLS,SAVE_SP,ENTRY_GR=3
.ENTRY
copy %r3,%r1
copy %r30,%r3
stwm %r1,64(%r30)
zdepi -1,31,31,%r23
ldi 1,%r24
addb,sv,n %r24,%r23,.L0
nop
ldi 1,%r28
b,n .L1
nop
.L0:
ldi 0,%r28
.L1:
ldo 64(%r3),%r30
ldwm -64(%r30),%r3
bv,n %r0(%r2)
.EXIT
.PROCEND
.size main, .-main
# gcc a.s
# ./a.out; echo $?
1
It should have returned 0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1843133/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread* [Qemu-devel] [Bug 1843133] Re: Possibly incorrect branch in qemu-system-hppa
2019-09-07 15:51 [Qemu-devel] [Bug 1843133] [NEW] Possibly incorrect branch in qemu-system-hppa Paulo César Pereira de Andrade
` (2 preceding siblings ...)
2019-09-14 20:29 ` Richard Henderson
@ 2019-09-17 12:04 ` Paulo César Pereira de Andrade
3 siblings, 0 replies; 5+ messages in thread
From: Paulo César Pereira de Andrade @ 2019-09-17 12:04 UTC (permalink / raw)
To: qemu-devel
I built qemu 4.1.0, and the problem no longer happens.
It is good enough for me.
** Changed in: qemu
Status: Incomplete => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1843133
Title:
Possibly incorrect branch in qemu-system-hppa
Status in QEMU:
Fix Released
Bug description:
I plan to release a new GNU Lightning soon.
I no longer have access to any physical HPPA, but code that
was tested some years ago did work on HPPA/HP-UX, and now it
appears qemu-system-hppa incorrectly branches in code generated
by GNU Lightning. Currently only 32 bit hppa jit generation
supported.
In the lightning check/test tool, the code would be:
.code
prolog
movi %r0 0x7fffffff
movi %r1 1
boaddr L0 %r0 %r1
calli @abort
L0:
ret
epilog
The code/debug information looks like this:
movi r4 0x7fffffff
0xf8ef5018 ldil L%7ffff800,r4
0xf8ef501c ldo 7ff(r4),r4
movi r5 0x1
0xf8ef5020 ldi 1,r5
boaddr L1 r4 r5
0xf8ef5024 addb,sv,n r5,r4,0xf8ef5044 :a.tst:291
0xf8ef5028 nop
calli 0xf8eeb68a
[...]
L1:
Apparently it is not understanding 0x7fffffff + 1 is a signed
overflow.
Tested in Fedora with qemu-system-hppa-3.1.1-2.fc30.x86_64 and using
the debian-10 image.
To make it a bit easier to test (partially transformed the
not so optimized code generated by lightning to gcc -S output):
# cat a.s
.LEVEL 1.1
.text
.align 4
.globl main
.type main, @function
main:
.PROC
.CALLINFO FRAME=64,NO_CALLS,SAVE_SP,ENTRY_GR=3
.ENTRY
copy %r3,%r1
copy %r30,%r3
stwm %r1,64(%r30)
zdepi -1,31,31,%r23
ldi 1,%r24
addb,sv,n %r24,%r23,.L0
nop
ldi 1,%r28
b,n .L1
nop
.L0:
ldi 0,%r28
.L1:
ldo 64(%r3),%r30
ldwm -64(%r30),%r3
bv,n %r0(%r2)
.EXIT
.PROCEND
.size main, .-main
# gcc a.s
# ./a.out; echo $?
1
It should have returned 0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1843133/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-09-17 12:25 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-07 15:51 [Qemu-devel] [Bug 1843133] [NEW] Possibly incorrect branch in qemu-system-hppa Paulo César Pereira de Andrade
2019-09-07 16:18 ` [Qemu-devel] [Bug 1843133] " Paulo César Pereira de Andrade
2019-09-14 20:24 ` Richard Henderson
2019-09-14 20:29 ` Richard Henderson
2019-09-17 12:04 ` Paulo César Pereira de Andrade
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).