From patchwork Wed May 14 12:56:20 2025
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 889863
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Michael Tokarev
Subject: [Stable-7.2.18 14/18] target/arm: Don't assert() for ISB/SB inside IT block
Date: Wed, 14 May 2025 15:56:20 +0300
Message-Id: <20250514125640.91677-14-mjt@tls.msk.ru>
From: Peter Maydell

If the guest code has an ISB or SB insn inside an IT block, we generate
incorrect code which trips a TCG assertion:

  qemu-system-arm: ../tcg/tcg-op.c:3343: void tcg_gen_goto_tb(unsigned int): Assertion `(tcg_ctx->goto_tb_issue_mask & (1 << idx)) == 0' failed.

This is because we call gen_goto_tb(dc, 1, ...) twice:

  brcond_i32 ZF,$0x0,ne,$L1
  add_i32 pc,pc,$0x4
  goto_tb $0x1
  exit_tb $0x73d948001b81
  set_label $L1
  add_i32 pc,pc,$0x4
  goto_tb $0x1
  exit_tb $0x73d948001b81

Both calls are in arm_tr_tb_stop(), one for the DISAS_NEXT/DISAS_TOO_MANY
handling, and one for the dc->condjump condition-failed codepath.
The DISAS_NEXT handling doesn't have this problem because
arm_post_translate_insn() does the handling of "emit the label for the
condition-failed conditional execution" and so arm_tr_tb_stop() doesn't
have dc->condjump set. But for DISAS_TOO_MANY we don't do that.

Fix the bug by making arm_post_translate_insn() handle the
DISAS_TOO_MANY case.

This only affects the SB and ISB insns when used in Thumb mode inside
an IT block: only these insns specifically set is_jmp to TOO_MANY, and
their A32 encodings are unconditional. For the major TOO_MANY case
(breaking the TB because it would cross a page boundary) we do that
check and set is_jmp to TOO_MANY only after the call to
arm_post_translate_insn(); so arm_post_translate_insn() sees
is_jmp == DISAS_NEXT, and we emit the correct code for that situation.

With this fix we generate the somewhat more sensible set of TCG ops:

  brcond_i32 ZF,$0x0,ne,$L1
  set_label $L1
  add_i32 pc,pc,$0x4
  goto_tb $0x1
  exit_tb $0x7c5434001b81

(NB: the TCG optimizer doesn't optimize out the jump-to-next, but we
can't really avoid emitting it because we don't know at the point
we're emitting the handling for the condexec check whether this insn
is going to happen to be a nop for us or not.)

Cc: qemu-stable@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2942
Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20250501125544.727038-1-peter.maydell@linaro.org (cherry picked from commit 8ed7c0b6488a7f20318d6ba414f1cbcd0ed92afe) Signed-off-by: Michael Tokarev diff --git a/target/arm/translate.c b/target/arm/translate.c index 10dfa11a2b..ed9ed8ed0a 100644 --- a/target/arm/translate.c +++ b/target/arm/translate.c @@ -9545,7 +9545,8 @@ static bool arm_check_ss_active(DisasContext *dc) static void arm_post_translate_insn(DisasContext *dc) { - if (dc->condjmp && dc->base.is_jmp == DISAS_NEXT) { + if (dc->condjmp && + (dc->base.is_jmp == DISAS_NEXT || dc->base.is_jmp == DISAS_TOO_MANY)) { if (dc->pc_save != dc->condlabel.pc_save) { gen_update_pc(dc, dc->condlabel.pc_save - dc->pc_save); }
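Review bot: the hunk only widens the guard in arm_post_translate_insn() to also accept `dc->base.is_jmp == DISAS_TOO_MANY`, and the context stops right after `gen_update_pc(dc, dc->condlabel.pc_save - dc->pc_save);`, before the part of the branch that emits the condition-failed label and clears dc->condjmp; for a 7.2 backport it is worth confirming against the full function in that tree that the rest of the branch is what now keeps arm_tr_tb_stop() from calling gen_goto_tb(dc, 1, ...) a second time, since the hunk itself cannot show that. A one-line comment above the widened condition noting that DISAS_TOO_MANY reaches this point only via the Thumb ISB/SB encodings inside an IT block (the page-crossing TOO_MANY case is set after this call, as the commit message explains) would save the next reader a trip to the commit message, and a regression test exercising ISB inside an IT block (e.g. under tests/tcg/arm) would be a useful companion to carry with the fix.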
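The guest-side trigger described in the commit message, as an added reproducer that is not part of this patch or of QEMU's own test suite: a two-instruction Thumb-2 IT block whose body is an ISB followed by a conditionally executed ADD. On an unfixed qemu-arm the TCG assertion fires when the block is translated, whichever way the condition goes, so the program never reaches its checks; on a fixed build it must run and the ADD must execute only when the NE condition holds. The cross toolchain and flags in the comment (arm-linux-gnueabihf-gcc, -mthumb, qemu-arm) are assumptions; only ISB is reproduced here because SB needs ARMv8.5 assembler support. The non-Thumb fallback path exists so the file also compiles and self-checks on a non-ARM host.

```c
/*
 * Added reproducer for "ISB inside an IT block" (not QEMU project code).
 *
 * Build (assumed cross toolchain):
 *   arm-linux-gnueabihf-gcc -O2 -mthumb -static -o it_isb it_isb.c
 * Run under TCG user-mode emulation (assumed binary name):
 *   qemu-arm ./it_isb ; echo $?
 * Unfixed QEMU aborts at translation time with the tcg_gen_goto_tb()
 * assertion from the commit message; fixed QEMU prints PASS and exits 0.
 */
#include <stdio.h>

/* Returns 1 if the conditionally executed ADD after the ISB ran, else 0. */
int run_it_isb(int cond)
{
    int result = 0;
#if defined(__thumb__) && defined(__thumb2__)
    __asm__ volatile(
        ".syntax unified\n\t"
        "cmp %1, #0\n\t"
        "itt ne\n\t"            /* IT block covering the next two insns, cond NE */
        "isbne sy\n\t"          /* ISB inside the IT block: the DISAS_TOO_MANY case */
        "addne %0, %0, #1\n\t"  /* guarded ADD: must run only when cond != 0 */
        : "+r"(result)
        : "r"(cond)
        : "cc", "memory");
#else
    /* Non-Thumb-2 build (e.g. host-side compile): model the architectural
     * result so the self-check below still exercises the same contract. */
    if (cond) {
        result += 1;
    }
#endif
    return result;
}

/* 0 = both condition outcomes behaved; bit 0 / bit 1 flag the failing case. */
int check_it_isb(void)
{
    int bad = 0;
    if (run_it_isb(1) != 1) {
        bad |= 1;   /* ADD must execute when NE holds */
    }
    if (run_it_isb(0) != 0) {
        bad |= 2;   /* ADD must be skipped when NE fails */
    }
    return bad;
}

int main(void)
{
    int bad = check_it_isb();
    if (bad) {
        printf("FAIL (%d)\n", bad);
    } else {
        printf("PASS\n");
    }
    return bad;
}
```

The condition is passed in as a runtime argument on purpose: the assertion is a translation-time failure, so the point of the test is that the block gets translated at all and then that the IT predication of the ADD is still honoured once the duplicate goto_tb is gone.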