1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
graphic: 0.988
instruction: 0.939
assembly: 0.789
vnc: 0.759
device: 0.756
network: 0.482
other: 0.446
mistranslation: 0.406
semantic: 0.358
socket: 0.340
boot: 0.235
KVM: 0.107
Executing LD1SB + MTE on Arm64 fails an assert
Description of problem:
I'm getting
```
qemu-system-aarch64: ../tcg/tcg-op-gvec.c:91: simd_desc: Assertion `data == sextract32(data, 0, (32 - ((0 + 8) + 2)))' failed.
```
This is caused by the upper bits of `data` being set to 1, which violates the condition.
Steps to reproduce:
1. build QEMU with assertions enabled (e.g., `configure --enable-debug-tcg`).
2. have a `LD1SB f{z25.d}, p3/z, [x14, x9]` (binary a5894dd9) instruction in the executed code.
3. enable mte
4. Let QEMU execute the ld1sb instruction.
Additional information:
{width=699 height=141}
This issue happens because for ld1sb, nregs=0 in `sve.decode`:
```
# SVE contiguous load (scalar plus scalar)
LD_zprr 1010010 .... ..... 010 ... ..... ..... @rprr_load_dt nreg=0
```
As a result, in do_mem_zpa is called with n_reg=0, which becomes mte_n inside do_mem_zpa.
Since mte_n==0, and mte_active, then
```c
desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (mte_n << msz) - 1);
```
sets (0) - 1 == -1 to the field, which also sets the upper bits of `desc`.
The `desc` with upper bits set to 1 is used to call:
```c
desc = simd_desc(vsz, vsz, zt | desc);
```
Inside `simd_desc`, the last parameter is named `data` and it fails the assertion:
```c
tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS))
```
#
|