1. Patchew
  2. QEMU
  3. [PATCH v2 0/2] target/s390x: Fix R[NOX]SBG with T=1
  4. View patch

[PATCH v2 1/2] target/s390x: Fix R[NOX]SBG with T=1

Ilya Leoshkevich posted 2 patches 1 year, 7 months ago
Maintainers: Richard Henderson <richard.henderson@linaro.org>, David Hildenbrand <david@redhat.com>, Ilya Leoshkevich <iii@linux.ibm.com>, Thomas Huth <thuth@redhat.com>
There is a newer version of this series
[PATCH v2 1/2] target/s390x: Fix R[NOX]SBG with T=1
Posted by Ilya Leoshkevich 1 year, 7 months ago 
RXSBG usage in the "filetests" test from the wasmtime testsuite makes
tcg_reg_alloc_op() attempt to temp_load() a TEMP_VAL_DEAD temporary,
causing an assertion failure:

    0x01000a70:  ec14 b040 3057  rxsbg    %r1, %r4, 0xb0, 0x40, 0x30

    OP after optimization and liveness analysis:
     ---- 0000000001000a70 0000000000000004 0000000000000006
     rotl_i64 tmp2,r4,$0x30                   dead: 1 2  pref=0xffff
     and_i64 tmp2,tmp2,$0x800000000000ffff    dead: 1  pref=0xffff
    [xor_i64 tmp3,tmp3,tmp2                   dead: 1 2  pref=0xffff]
     and_i64 cc_dst,tmp3,$0x800000000000ffff  sync: 0  dead: 0 1 2  pref=0xffff
     mov_i64 psw_addr,$0x1000a76              sync: 0  dead: 0 1  pref=0xffff
     mov_i32 cc_op,$0x6                       sync: 0  dead: 0 1  pref=0xffff
     call lookup_tb_ptr,$0x6,$1,tmp8,env      dead: 1  pref=none
     goto_ptr tmp8                            dead: 0
     set_label $L0
     exit_tb $0x7fffe809d183

    ../tcg/tcg.c:3865: tcg fatal error

The reason is that tmp3 does not have an initial value, which confuses
the register allocator. This also affects the correctness of the
results.

Fix by assigning R1 to it.

Fixes: d6c6372e186e ("target-s390: Implement R[NOX]SBG")
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
---
 target/s390x/tcg/translate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index 14c3896d529..6dd2f41ad08 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -3696,10 +3696,13 @@ static DisasJumpType op_rosbg(DisasContext *s, DisasOps *o)
     int i4 = get_field(s, i4);
     int i5 = get_field(s, i5);
     uint64_t mask;
+    TCGv_i64 tmp;
 
     /* If this is a test-only form, arrange to discard the result.  */
     if (i3 & 0x80) {
+        tmp = o->out;
         o->out = tcg_temp_new_i64();
+        tcg_gen_mov_i64(o->out, tmp);
     }
 
     i3 &= 63;
-- 
2.39.2
Re: [PATCH v2 1/2] target/s390x: Fix R[NOX]SBG with T=1
Posted by Philippe Mathieu-Daudé 1 year, 7 months ago 
On 16/3/23 00:56, Ilya Leoshkevich wrote:
> RXSBG usage in the "filetests" test from the wasmtime testsuite makes
> tcg_reg_alloc_op() attempt to temp_load() a TEMP_VAL_DEAD temporary,
> causing an assertion failure:
> 
>      0x01000a70:  ec14 b040 3057  rxsbg    %r1, %r4, 0xb0, 0x40, 0x30
> 
>      OP after optimization and liveness analysis:
>       ---- 0000000001000a70 0000000000000004 0000000000000006
>       rotl_i64 tmp2,r4,$0x30                   dead: 1 2  pref=0xffff
>       and_i64 tmp2,tmp2,$0x800000000000ffff    dead: 1  pref=0xffff
>      [xor_i64 tmp3,tmp3,tmp2                   dead: 1 2  pref=0xffff]
>       and_i64 cc_dst,tmp3,$0x800000000000ffff  sync: 0  dead: 0 1 2  pref=0xffff
>       mov_i64 psw_addr,$0x1000a76              sync: 0  dead: 0 1  pref=0xffff
>       mov_i32 cc_op,$0x6                       sync: 0  dead: 0 1  pref=0xffff
>       call lookup_tb_ptr,$0x6,$1,tmp8,env      dead: 1  pref=none
>       goto_ptr tmp8                            dead: 0
>       set_label $L0
>       exit_tb $0x7fffe809d183
> 
>      ../tcg/tcg.c:3865: tcg fatal error
> 
> The reason is that tmp3 does not have an initial value, which confuses
> the register allocator. This also affects the correctness of the
> results.
> 
> Fix by assigning R1 to it.
> 
> Fixes: d6c6372e186e ("target-s390: Implement R[NOX]SBG")

Exposed by 3ac6f91bca..dd161de75f?

3ac6f91bca target/s390x: Drop tcg_temp_free from translate.c
dd161de75f target/s390x: Remove g_out, g_out2, g_in1, g_in2

> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> ---
>   target/s390x/tcg/translate.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
> index 14c3896d529..6dd2f41ad08 100644
> --- a/target/s390x/tcg/translate.c
> +++ b/target/s390x/tcg/translate.c
> @@ -3696,10 +3696,13 @@ static DisasJumpType op_rosbg(DisasContext *s, DisasOps *o)
>       int i4 = get_field(s, i4);
>       int i5 = get_field(s, i5);
>       uint64_t mask;
> +    TCGv_i64 tmp;
>   
>       /* If this is a test-only form, arrange to discard the result.  */
>       if (i3 & 0x80) {

           tcg_debug_assert(o->out != NULL); ?

> +        tmp = o->out;
>           o->out = tcg_temp_new_i64();
> +        tcg_gen_mov_i64(o->out, tmp);

Something bugs me with this pattern but I can't say why yet :(

>       }
>   
>       i3 &= 63;
Re: [PATCH v2 1/2] target/s390x: Fix R[NOX]SBG with T=1
Posted by Ilya Leoshkevich 1 year, 7 months ago 
On Thu, 2023-03-16 at 09:41 +0100, Philippe Mathieu-Daudé wrote:
> On 16/3/23 00:56, Ilya Leoshkevich wrote:
> > RXSBG usage in the "filetests" test from the wasmtime testsuite
> > makes
> > tcg_reg_alloc_op() attempt to temp_load() a TEMP_VAL_DEAD
> > temporary,
> > causing an assertion failure:
> > 
> >      0x01000a70:  ec14 b040 3057  rxsbg    %r1, %r4, 0xb0, 0x40,
> > 0x30
> > 
> >      OP after optimization and liveness analysis:
> >       ---- 0000000001000a70 0000000000000004 0000000000000006
> >       rotl_i64 tmp2,r4,$0x30                   dead: 1 2 
> > pref=0xffff
> >       and_i64 tmp2,tmp2,$0x800000000000ffff    dead: 1  pref=0xffff
> >      [xor_i64 tmp3,tmp3,tmp2                   dead: 1 2 
> > pref=0xffff]
> >       and_i64 cc_dst,tmp3,$0x800000000000ffff  sync: 0  dead: 0 1
> > 2  pref=0xffff
> >       mov_i64 psw_addr,$0x1000a76              sync: 0  dead: 0 1 
> > pref=0xffff
> >       mov_i32 cc_op,$0x6                       sync: 0  dead: 0 1 
> > pref=0xffff
> >       call lookup_tb_ptr,$0x6,$1,tmp8,env      dead: 1  pref=none
> >       goto_ptr tmp8                            dead: 0
> >       set_label $L0
> >       exit_tb $0x7fffe809d183
> > 
> >      ../tcg/tcg.c:3865: tcg fatal error
> > 
> > The reason is that tmp3 does not have an initial value, which
> > confuses
> > the register allocator. This also affects the correctness of the
> > results.
> > 
> > Fix by assigning R1 to it.
> > 
> > Fixes: d6c6372e186e ("target-s390: Implement R[NOX]SBG")
> 
> Exposed by 3ac6f91bca..dd161de75f?

Bisect points to:

commit e2e641fa3d5e730f128562d6901dcc729c9bf8a0
Author: Richard Henderson <richard.henderson@linaro.org>
Date:   Sun Jan 29 14:09:00 2023 -1000

    tcg: Change default temp lifetime to TEMP_TB

I will mention this.

> 3ac6f91bca target/s390x: Drop tcg_temp_free from translate.c
> dd161de75f target/s390x: Remove g_out, g_out2, g_in1, g_in2
> 
> > Reviewed-by: David Hildenbrand <david@redhat.com>
> > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> > ---
> >   target/s390x/tcg/translate.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/target/s390x/tcg/translate.c
> > b/target/s390x/tcg/translate.c
> > index 14c3896d529..6dd2f41ad08 100644
> > --- a/target/s390x/tcg/translate.c
> > +++ b/target/s390x/tcg/translate.c
> > @@ -3696,10 +3696,13 @@ static DisasJumpType op_rosbg(DisasContext
> > *s, DisasOps *o)
> >       int i4 = get_field(s, i4);
> >       int i5 = get_field(s, i5);
> >       uint64_t mask;
> > +    TCGv_i64 tmp;
> >   
> >       /* If this is a test-only form, arrange to discard the
> > result.  */
> >       if (i3 & 0x80) {
> 
>            tcg_debug_assert(o->out != NULL); ?

Ok, I will add this.

> 
> > +        tmp = o->out;
> >           o->out = tcg_temp_new_i64();
> > +        tcg_gen_mov_i64(o->out, tmp);
> 
> Something bugs me with this pattern but I can't say why yet :(

Please let me know once you come up with something.
I will do s/tmp/orig_out/ send a v3 in the meantime.

> >       }
> >   
> >       i3 &= 63;

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.