blob: db075773106630a2b9d78b699c275fa2ab0a675e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
4.0.0-rc3 crashes with tcg/tcg.c:3952: tcg_gen_code: Assertion `s->gen_insn_end_off[num_insns] == off' failed
I tried to bootstrap and regtested gcc trunk (gcc svn rev 270278, datestamp 20190411) inside my arm64-gentoo installation under qemu-system-aarch64.
Qemu version was 4.0.0-rc3 and -cpu cortex-a57. Qemu configured with only --target-list=aarch64-softmmu,aarch64-linux-user and compiled using gcc "version 5.5.0 20171010 (Ubuntu 5.5.0-12ubuntu1~16.04)".
Executable created from gcc/testsuite/gcc.target/aarch64/advsimd-intrinsics/vldX.c compiled with -O2 crashed the whole qemu-system.
To investigate a bit I also manually run
~/gcc/inst/trunk/bin/gcc ~/gcc/src/trunk/gcc/testsuite/gcc.target/aarch64/advsimd-intrinsics/vldX.c
with different options like:
-O0 -lm -o d0.exe
-O1 -lm -o d1.exe
-O2 -lm -o d2.exe
-O0 -static -lm -o s0.exe
-O1 -static -lm -o s1.exe
-O2 -static -lm -o s2.exe
So, now I have 6 different arm64 executables created with different optimization levels. O0 and O1 versions run ok.
Three sN.exe static executables I've also tried in qemu user mode (with same -cpu), no issue in user mode.
And inside qemu-system I can see that
running "d2.exe" (attached) gives:
tcg/tcg.c:3952: tcg_gen_code: Assertion `s->gen_insn_end_off[num_insns] == off' failed.
And running "s2.exe" gives:
tcg/tcg.c:320: set_jmp_reset_offset: Assertion `s->tb_jmp_reset_offset[which] == off' failed.
It seems like this test is an counter-example for logic that "tcg_ctx->nb_ops < 4000" implies tcg will fit into 16-bit signed size (see tcg_op_buf_full comments).
Richard's changes in abebf92597186 and 9f754620651d were not enough, translation block must be smaller, or we have to find some proper way to bail out when buffer overflows.
I don't know why this situation is not caught by code_gen_highwater logic in tcg.c
I've also tried this "bail out" patch
diff --git a/tcg/tcg.c b/tcg/tcg.c
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -3949,7 +3949,8 @@ int tcg_gen_code(TCGContext *s, TranslationBlock *tb)
size_t off = tcg_current_code_size(s);
s->gen_insn_end_off[num_insns] = off;
/* Assert that we do not overflow our stored offset. */
- assert(s->gen_insn_end_off[num_insns] == off);
+ if (s->gen_insn_end_off[num_insns] != off)
+ return -1;
}
num_insns++;
for (i = 0; i < TARGET_INSN_START_WORDS; ++i) {
But then running "d2.exe" just hangs the whole qemu-system. It seems that when tcg_gen_code return -1 (like in highwater logic mentioned before), we just re-call it again and again.
|