1 files changed, 22 insertions, 0 deletions

diff --git a/results/classifier/accel-gemma3:12b/tcg/1663287 b/results/classifier/accel-gemma3:12b/tcg/1663287
new file mode 100644
index 000000000..0af901d84
--- /dev/null
+++ b/results/classifier/accel-gemma3:12b/tcg/1663287
@@ -0,0 +1,22 @@
+
+Illegal delay slot code causes abort on mips64
+
+During some randomised testing of an experimental MIPS implementation I found an instruction sequence that also causes aborts on mainline qemu's MIPS support.  The problem is triggered by an MSA branch instruction appearing in a delay slot when emulating a processor without MSA support.
+
+For example, with the current repository HEAD (f073cd3a2bf1054135271b837c58a7da650dd84b) configured for mips64-softmmu, if I run the attached binary using
+
+    mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine mipssim -nographic
+
+it will report
+
+    unknown branch 0x13000
+    Aborted (core dumped)
+
+The binary contains the following two instructions:
+
+    00200008 jr at
+    47081e61 bz.b       w8,0xffffffffbfc0798c
+
+The jr sets up a jump, and hflags is set accordingly in gen_compute_branch (in target/mips/translate.c).  When processing the bz.b, check_insn generates an exception because the instruction isn't support, but gen_msa_branch skips the usual delay slot check for the same reason, and sets more bits in hflags, leading to an abort in gen_branch because the hflags are now invalid.
+
+I suspect the best fix is to remove the instruction set condition from the delay slot check in gen_msa_branch.
\ No newline at end of file