summary refs log tree commit diff stats
path: root/results/scraper/launchpad-without-comments/1663287
diff options
context:
space:
mode:
Diffstat (limited to 'results/scraper/launchpad-without-comments/1663287')
-rw-r--r--results/scraper/launchpad-without-comments/166328721
1 files changed, 21 insertions, 0 deletions
diff --git a/results/scraper/launchpad-without-comments/1663287 b/results/scraper/launchpad-without-comments/1663287
new file mode 100644
index 00000000..687e1325
--- /dev/null
+++ b/results/scraper/launchpad-without-comments/1663287
@@ -0,0 +1,21 @@
+Illegal delay slot code causes abort on mips64
+
+During some randomised testing of an experimental MIPS implementation I found an instruction sequence that also causes aborts on mainline qemu's MIPS support.  The problem is triggered by an MSA branch instruction appearing in a delay slot when emulating a processor without MSA support.
+
+For example, with the current repository HEAD (f073cd3a2bf1054135271b837c58a7da650dd84b) configured for mips64-softmmu, if I run the attached binary using
+
+    mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine mipssim -nographic
+
+it will report
+
+    unknown branch 0x13000
+    Aborted (core dumped)
+
+The binary contains the following two instructions:
+
+    00200008 jr at
+    47081e61 bz.b       w8,0xffffffffbfc0798c
+
+The jr sets up a jump, and hflags is set accordingly in gen_compute_branch (in target/mips/translate.c).  When processing the bz.b, check_insn generates an exception because the instruction isn't support, but gen_msa_branch skips the usual delay slot check for the same reason, and sets more bits in hflags, leading to an abort in gen_branch because the hflags are now invalid.
+
+I suspect the best fix is to remove the instruction set condition from the delay slot check in gen_msa_branch.
\ No newline at end of file