id = 514
title = "MTE reports false positive for \"str\" instruction with the SP as the base register."
state = "closed"
created_at = "2021-08-04T17:17:17.140Z"
closed_at = "2021-09-07T15:05:49.630Z"
labels = ["Closed::Invalid", "accel: TCG", "target: arm"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/514"
host-os = "Android"
host-arch = "ARM"
qemu-version = "QEMU emulator version 6.0.0"
guest-os = "Android"
guest-arch = "ARM"
description = """When the PE executes an "sp"-based store instruction with an offset, I get a tag check fault exception. But according to the Arm spec, a load or store that uses the "sp" register should generate a Tag Unchecked access."""
reproduce = """Clang version: clang version 12.0.1.
I compiled my code using "-target aarch64-linux -march=armv8+memtag -fsanitize=memtag" for Clang. Clang generates the following code:
```
0000000000000c14 <test_func>:
c14: a9bc7bfd stp x29, x30, [sp, #-64]!
c18: f9000bf7 str x23, [sp, #16]
...
```
The whole stack was mapped in the translation tables as Tagged memory. The "SCTLR" register was configured to trigger a synchronous exception on tag mismatch.
When the CPU executes the first instruction "stp x29, x30, [sp, #-64]!" I get a tag check fault exception: "0b010001 When FEAT_MTE is implemented Synchronous Tag Check Fault":
ESR_EL1=0x96000051.
According to the ARM specification, a load or store that uses the "sp" register should generate a Tag Unchecked access:
```
A Tag Unchecked access will be generated for a load or store that uses either of the following:
• A base register only, with the SP as the base register.
• A base register plus immediate offset addressing form, with the SP as the base register.
```
It looks like QEMU erroneously generates tag mismatch exceptions for SP-based loads and stores with an immediate offset."""
additional = """"""