path: root/results/scraper/launchpad-without-comments/1663287
Illegal delay slot code causes abort on mips64

During some randomised testing of an experimental MIPS implementation I found an instruction sequence that also causes aborts on mainline qemu's MIPS support.  The problem is triggered by an MSA branch instruction appearing in a delay slot when emulating a processor without MSA support.

For example, with the current repository HEAD (f073cd3a2bf1054135271b837c58a7da650dd84b) configured for mips64-softmmu, if I run the attached binary using

    mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine mipssim -nographic

it will report

    unknown branch 0x13000
    Aborted (core dumped)

The binary contains the following two instructions:

    00200008 jr at
    47081e61 bz.b       w8,0xffffffffbfc0798c

The jr sets up a jump, and hflags is set accordingly in gen_compute_branch (in target/mips/translate.c).  When processing the bz.b, check_insn generates an exception because the instruction isn't supported, but gen_msa_branch skips the usual delay slot check for the same reason, and sets more bits in hflags, leading to an abort in gen_branch because the hflags are now invalid.

I suspect the best fix is to remove the instruction set condition from the delay slot check in gen_msa_branch.
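As an added illustration (this is not code from the report or from QEMU), the following C decodes the two instruction words above and models the ordering problem in a toy translator: one hflags bit per branch kind, an exception queued by the ISA check, and a delay-slot check that is either tied to the instruction set condition (buggy) or unconditional (fixed). It assumes the binary is loaded at the MIPS reset vector 0xbfc00000, so bz.b sits at 0xbfc00004, which reproduces the listed target.

```c
#include <stdint.h>
#include <stdbool.h>
/* Instruction words from the report: jr at, then bz.b w8 in its delay slot. */
static const uint32_t report_insns[2] = { 0x00200008u, 0x47081e61u };
#define OPCODE(w) (((w) >> 26) & 0x3f)
#define RS(w)     (((w) >> 21) & 0x1f)
#define WT(w)     (((w) >> 16) & 0x1f)
#define FUNCT(w)  ((w) & 0x3f)
enum kind { NOT_BRANCH = 0, BR_JR = 1, BR_MSA = 2 };
enum outcome { OK, RI_EXCEPTION, ABORT_UNKNOWN_BRANCH };

/* jr is SPECIAL (opcode 0) with funct 8; bz.b is COP1 (0x11) with rs 0b11000. */
static enum kind classify(uint32_t w) {
    if (OPCODE(w) == 0x00 && FUNCT(w) == 0x08) return BR_JR;
    if (OPCODE(w) == 0x11 && RS(w) == 0x18) return BR_MSA;
    return NOT_BRANCH;
}

/* bz.b target: address of the next instruction plus the sign-extended 16-bit
 * offset shifted left by two. */
static uint64_t msa_branch_target(uint64_t pc, uint32_t w) {
    int64_t off = (int16_t)(w & 0xffff);
    return pc + 4 + ((uint64_t)off << 2);
}

/* Toy model of the translator (not QEMU's code): one hflags bit per branch
 * kind, an exception queued by check_insn, and the delay-slot check whose
 * guard is the bug. The emulated CPU has no MSA, as in the report. */
static enum outcome translate(const uint32_t *insn, int n, bool fixed) {
    const bool msa_supported = false;
    unsigned branch_bits = 0;
    enum outcome pending = OK;
    for (int i = 0; i < n; i++) {
        enum kind k = classify(insn[i]);
        if (k == NOT_BRANCH) continue;
        if (k == BR_MSA) {
            /* check_insn: unsupported ASE queues an RI exception, decoding goes on. */
            if (!msa_supported) pending = RI_EXCEPTION;
            /* Buggy: delay-slot check tied to the instruction set condition, so it
             * is skipped exactly when the exception was queued. Fixed: always. */
            if ((fixed || msa_supported) && branch_bits) return RI_EXCEPTION;
        }
        branch_bits |= 1u << k;
    }
    /* gen_branch: two branch kinds set at once is a state it cannot decode. */
    if (branch_bits & (branch_bits - 1)) return ABORT_UNKNOWN_BRANCH;
    return pending;
}
```

With the buggy guard the pair ends in the unknown-branch abort; with the unconditional check the bz.b in the delay slot raises a Reserved Instruction exception before hflags is touched.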