blob: 6706be6f5d6fa5965e4600ea83c5ba7829e8318e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
loongarch64 crashes caused by lenient instruction decoding of vldi and xvldi
Description of problem:
Lenient instruction decoding of `vldi` and `xvldi` leads to Qemu crashes.
The decoding of `vldi` and `xvldi` instruction allows for instructions with illegal immediates.
`target/loongarch/insns.decode`:
```
vldi 0111 00111110 00 ............. ..... @v_i13
xvldi 0111 01111110 00 ............. ..... @v_i13
```
This is considered in `target/loongarch/tcg/insn_trans/trans_vec.c.inc`:
```C
/*
* imm bit [11:8] is mode, mode value is 0-12.
* other values are invalid.
*/
```
However, an assertion error is raised when this condition is violated and qemu crashes:
```
**
ERROR:target/loongarch/insn_trans/trans_vec.c.inc:3574:vldi_get_value: code should not be reached
Bail out! ERROR:target/loongarch/insn_trans/trans_vec.c.inc:3574:vldi_get_value: code should not be reached
```
On hardware (Loongson 3A5000), these instructions cause a SIGILL.
Steps to reproduce:
1. compile the `test_inv_vldi` test program for loongarch64 (see additional information)
2. run `qemu-loongarch64-static ./test_inv_vldi`
Additional information:
I will post a patch for this issue to the mailing list soon.
`test_inv_vldi` source code:
```C
int main(int argc, char** argv) {
asm volatile(".4byte 0x73e3a000");
}
```
|