QEMU-Devel Archive on lore.kernel.org
 help / color / Atom feed
From: "Alex Bennée" <alex.bennee@linaro.org>
To: Richard Henderson <richard.henderson@linaro.org>
Cc: sw@weilnetz.de, qemu-devel@nongnu.org
Subject: Re: [PATCH 02/23] tcg: Manage splitwx in tc_ptr_to_region_tree by hand
Date: Thu, 28 Jan 2021 13:09:55 +0000
Message-ID: <87ft2lw6hh.fsf@linaro.org> (raw)
In-Reply-To: <20210128082331.196801-3-richard.henderson@linaro.org>


Richard Henderson <richard.henderson@linaro.org> writes:

> The use in tcg_tb_lookup is given a random pc that comes from the pc
> of a signal handler.  Do not assert that the pointer is already within
> the code gen buffer at all, much less the writable mirror of it.
>
> Fixes: db0c51a3803
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

OK I bisected to this regression while running:

  "cd builds/bisect && rm -rf * && ../../configure --disable-docs --target-list=m68k-linux-user && make -j30 && make check-tcg"

which ultimately fails during the threadcount test for m68k-linux-user.
I'm just testing now to see if that also broke my ARM system test
images.

> ---
>
> For TCI, this indicates a bug in handle_cpu_signal, in that we
> are taking PC from the host signal frame.  Which is, nearly,
> unrelated to TCI at all.
>
> The TCI "pc" is tci_tb_ptr (fixed in the next patch to at least
> be thread-local).  We update this only on calls, since we don't
> expect SEGV during the interpretation loop.  Which works ok for
> softmmu, in which we pass down pc by hand to the helpers, but
> is not ok for user-only, where we simply perform the raw memory
> operation.
>
> I don't know how to fix this, exactly.  Probably by storing to
> tci_tb_ptr before each qemu_ld/qemu_st operation, with barriers.
> Then Doing the Right Thing in handle_cpu_signal.  And perhaps
> by clearing tci_tb_ptr whenever we're not expecting a SEGV on
> behalf of the guest (and thus anything left is a qemu host bug).
>
>
> r~
>
> ---
>  tcg/tcg.c | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/tcg/tcg.c b/tcg/tcg.c
> index 9e1b0d73c7..78701cf359 100644
> --- a/tcg/tcg.c
> +++ b/tcg/tcg.c
> @@ -407,11 +407,21 @@ static void tcg_region_trees_init(void)
>      }
>  }
>  
> -static struct tcg_region_tree *tc_ptr_to_region_tree(const void *cp)
> +static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p)
>  {
> -    void *p = tcg_splitwx_to_rw(cp);
>      size_t region_idx;
>  
> +    /*
> +     * Like tcg_splitwx_to_rw, with no assert.  The pc may come from
> +     * a signal handler over which the caller has no control.
> +     */
> +    if (!in_code_gen_buffer(p)) {
> +        p -= tcg_splitwx_diff;
> +        if (!in_code_gen_buffer(p)) {
> +            return NULL;
> +        }
> +    }
> +
>      if (p < region.start_aligned) {
>          region_idx = 0;
>      } else {
> @@ -430,6 +440,7 @@ void tcg_tb_insert(TranslationBlock *tb)
>  {
>      struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
>  
> +    g_assert(rt != NULL);
>      qemu_mutex_lock(&rt->lock);
>      g_tree_insert(rt->tree, &tb->tc, tb);
>      qemu_mutex_unlock(&rt->lock);
> @@ -439,6 +450,7 @@ void tcg_tb_remove(TranslationBlock *tb)
>  {
>      struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
>  
> +    g_assert(rt != NULL);
>      qemu_mutex_lock(&rt->lock);
>      g_tree_remove(rt->tree, &tb->tc);
>      qemu_mutex_unlock(&rt->lock);
> @@ -453,8 +465,13 @@ TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
>  {
>      struct tcg_region_tree *rt = tc_ptr_to_region_tree((void *)tc_ptr);
>      TranslationBlock *tb;
> -    struct tb_tc s = { .ptr = (void *)tc_ptr };
> +    struct tb_tc s;
>  
> +    if (rt == NULL) {
> +        return NULL;
> +    }
> +
> +    s.ptr = (void *)tc_ptr;
>      qemu_mutex_lock(&rt->lock);
>      tb = g_tree_lookup(rt->tree, &s);
>      qemu_mutex_unlock(&rt->lock);


-- 
Alex Bennée


  reply index

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-28  8:23 [PATCH 00/23] TCI fixes and cleanups Richard Henderson
2021-01-28  8:23 ` [PATCH 01/23] configure: Fix --enable-tcg-interpreter Richard Henderson
2021-01-28 11:47   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 02/23] tcg: Manage splitwx in tc_ptr_to_region_tree by hand Richard Henderson
2021-01-28 13:09   ` Alex Bennée [this message]
2021-01-28 13:54     ` Alex Bennée
2021-01-28  8:23 ` [PATCH 03/23] exec: Make tci_tb_ptr thread-local Richard Henderson
2021-01-28  8:23 ` [PATCH 04/23] tcg/tci: Implement INDEX_op_ld16s_i32 Richard Henderson
2021-01-28 13:59   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 05/23] tcg/tci: Implement INDEX_op_ld8s_i64 Richard Henderson
2021-01-28 13:59   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 06/23] tcg/tci: Inline tci_write_reg32s into the only caller Richard Henderson
2021-01-28 15:28   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 07/23] tcg/tci: Inline tci_write_reg8 into its callers Richard Henderson
2021-01-28 15:30   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 08/23] tcg/tci: Inline tci_write_reg16 into the only caller Richard Henderson
2021-01-28 15:30   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 09/23] tcg/tci: Inline tci_write_reg32 into all callers Richard Henderson
2021-01-28 15:31   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 10/23] tcg/tci: Inline tci_write_reg64 into 64-bit callers Richard Henderson
2021-01-28 15:32   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 11/23] tcg/tci: Merge INDEX_op_ld8u_{i32,i64} Richard Henderson
2021-01-28 16:18   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 12/23] tcg/tci: Merge INDEX_op_ld8s_{i32,i64} Richard Henderson
2021-01-28 16:18   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 13/23] tcg/tci: Merge INDEX_op_ld16u_{i32,i64} Richard Henderson
2021-01-28 16:19   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 14/23] tcg/tci: Merge INDEX_op_ld16s_{i32,i64} Richard Henderson
2021-01-28 16:20   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 15/23] tcg/tci: Merge INDEX_op_{ld_i32,ld32u_i64} Richard Henderson
2021-01-28 16:20   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 16/23] tcg/tci: Merge INDEX_op_st8_{i32,i64} Richard Henderson
2021-01-28 16:20   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 17/23] tcg/tci: Merge INDEX_op_st16_{i32,i64} Richard Henderson
2021-01-28 16:20   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 18/23] tcg/tci: Move stack bounds check to compile-time Richard Henderson
2021-01-28 16:37   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 19/23] tcg/tci: Merge INDEX_op_{st_i32,st32_i64} Richard Henderson
2021-01-28 16:38   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 20/23] tcg/tci: Use g_assert_not_reached Richard Henderson
2021-01-28 10:07   ` Stefan Weil
2021-01-28 15:34   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 21/23] tcg/tci: Remove dead code for TCG_TARGET_HAS_div2_* Richard Henderson
2021-01-28 15:36   ` Alex Bennée
2021-01-28 15:39   ` Stefan Weil
2021-01-28 17:56     ` Richard Henderson
2021-01-28  8:23 ` [PATCH 22/23] tcg/tci: Implement 64-bit division Richard Henderson
2021-01-28 10:04   ` Stefan Weil
2021-01-28 17:56     ` Richard Henderson
2021-01-28 15:38   ` Alex Bennée
2021-01-28  8:23 ` [PATCH 23/23] tcg/tci: Remove TODO as unused Richard Henderson
2021-01-28 15:38   ` Alex Bennée
2021-01-28 15:38 ` [PATCH 00/23] TCI fixes and cleanups Alex Bennée
2021-01-28 16:39 ` Alex Bennée

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ft2lw6hh.fsf@linaro.org \
    --to=alex.bennee@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=richard.henderson@linaro.org \
    --cc=sw@weilnetz.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

QEMU-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/qemu-devel/0 qemu-devel/git/0.git
	git clone --mirror https://lore.kernel.org/qemu-devel/1 qemu-devel/git/1.git
	git clone --mirror https://lore.kernel.org/qemu-devel/2 qemu-devel/git/2.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 qemu-devel qemu-devel/ https://lore.kernel.org/qemu-devel \
		qemu-devel@nongnu.org
	public-inbox-index qemu-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.nongnu.qemu-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git