64-on-32 TCG broken

Message ID	alpine.DEB.2.02.1211071706360.17415@bulbul
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> Date: Wed, 7 Nov 2012 17:26:58 +0400 (MSK) From: Kirill Batuzov <batuzovk@ispras.ru> To: Aurelien Jarno <aurelien@aurel32.net> In-Reply-To: <20121030235636.GB32197@hall.aurel32.net> Message-ID: <alpine.DEB.2.02.1211071706360.17415@bulbul> References: <508EC28A.5060706@redhat.com> <20121029182958.GB29866@ohm.aurel32.net> <508F8CBB.8090101@redhat.com> <509053A2.6010504@weilnetz.de> <20121030235636.GB32197@hall.aurel32.net> User-Agent: Alpine 2.02 (DEB 1266 2009-07-14) MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="8323329-888998197-1352294819=:17415" Cc: Stefan Weil <sw@weilnetz.de>, qemu-devel <qemu-devel@nongnu.org>, Paolo Bonzini <pbonzini@redhat.com> Subject: Re: [Qemu-devel] 64-on-32 TCG broken Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

alpine.DEB.2.02.1211071706360.17415@bulbul

State

New

Headers

Date: Wed, 7 Nov 2012 17:26:58 +0400 (MSK)
From: Kirill Batuzov <batuzovk@ispras.ru>
To: Aurelien Jarno <aurelien@aurel32.net>
In-Reply-To: <20121030235636.GB32197@hall.aurel32.net>
Message-ID: <alpine.DEB.2.02.1211071706360.17415@bulbul>
References: <508EC28A.5060706@redhat.com>
	<20121029182958.GB29866@ohm.aurel32.net>
	<508F8CBB.8090101@redhat.com> <509053A2.6010504@weilnetz.de>
	<20121030235636.GB32197@hall.aurel32.net>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323329-888998197-1352294819=:17415"
Cc: Stefan Weil <sw@weilnetz.de>, qemu-devel <qemu-devel@nongnu.org>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] 64-on-32 TCG broken
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Kirill Batuzov Nov. 7, 2012, 1:26 p.m. UTC

> diff --git a/tcg/tcg.c b/tcg/tcg.c
> index c3a7f19..1133438 100644
> --- a/tcg/tcg.c
> +++ b/tcg/tcg.c
> @@ -1329,8 +1329,8 @@ static void tcg_liveness_analysis(TCGContext *s)
>                 the low part.  The result can be optimized to a simple
>                 add or sub.  This happens often for x86_64 guest when the
>                 cpu mode is set to 32 bit.  */
> -            if (dead_temps[args[1]]) {
> -                if (dead_temps[args[0]]) {
> +            if (dead_temps[args[1]] && !mem_temps[1]) {
> +                if (dead_temps[args[0]] && !mem_temps[0]) {

This should be mem_temps[args[1]] and mem_temps[args[0]] I believe.

>                      goto do_remove;
>                  }
>                  /* Create the single operation plus nop.  */
> @@ -1355,8 +1355,8 @@ static void tcg_liveness_analysis(TCGContext *s)
>              nb_iargs = 2;
>              nb_oargs = 2;
>              /* Likewise, test for the high part of the operation dead.  */
> -            if (dead_temps[args[1]]) {
> -                if (dead_temps[args[0]]) {
> +            if (dead_temps[args[1]] && !mem_temps[1]) {
> +                if (dead_temps[args[0]] && !mem_temps[0]) {

Same here.

>                      goto do_remove;
>                  }
>                  gen_opc_buf[op_index] = op = INDEX_op_mul_i32;

Looks like for x86_64 guest temp 0 is the env (always mem_temp), temp 1 -
cc_op. As a result it can accidentally remove high part of operation
when it is actually alive but will never optimize out whole operation
even if its output is really dead.

I've attached a small patch to fix this issue.

I was not able to boot gentoo install CD (amd64) with current trunk.
Boot process hangs soon after framebuffer initialization. With the patch
it boots successfully. Command line to reproduce:

qemu-system-x86_64 -cdrom install-amd64-minimal-20121013.iso

Comments

Aurelien Jarno Nov. 11, 2012, 4:05 p.m. UTC | #1

On Wed, Nov 07, 2012 at 05:26:58PM +0400, Kirill Batuzov wrote:
> > diff --git a/tcg/tcg.c b/tcg/tcg.c
> > index c3a7f19..1133438 100644
> > --- a/tcg/tcg.c
> > +++ b/tcg/tcg.c
> > @@ -1329,8 +1329,8 @@ static void tcg_liveness_analysis(TCGContext *s)
> >                 the low part.  The result can be optimized to a simple
> >                 add or sub.  This happens often for x86_64 guest when the
> >                 cpu mode is set to 32 bit.  */
> > -            if (dead_temps[args[1]]) {
> > -                if (dead_temps[args[0]]) {
> > +            if (dead_temps[args[1]] && !mem_temps[1]) {
> > +                if (dead_temps[args[0]] && !mem_temps[0]) {
> 
> This should be mem_temps[args[1]] and mem_temps[args[0]] I believe.
> 
> >                      goto do_remove;
> >                  }
> >                  /* Create the single operation plus nop.  */
> > @@ -1355,8 +1355,8 @@ static void tcg_liveness_analysis(TCGContext *s)
> >              nb_iargs = 2;
> >              nb_oargs = 2;
> >              /* Likewise, test for the high part of the operation dead.  */
> > -            if (dead_temps[args[1]]) {
> > -                if (dead_temps[args[0]]) {
> > +            if (dead_temps[args[1]] && !mem_temps[1]) {
> > +                if (dead_temps[args[0]] && !mem_temps[0]) {
> 
> Same here.
> 
> >                      goto do_remove;
> >                  }
> >                  gen_opc_buf[op_index] = op = INDEX_op_mul_i32;
> 
> Looks like for x86_64 guest temp 0 is the env (always mem_temp), temp 1 -
> cc_op. As a result it can accidentally remove high part of operation
> when it is actually alive but will never optimize out whole operation
> even if its output is really dead.
> 
> I've attached a small patch to fix this issue.
> 
> I was not able to boot gentoo install CD (amd64) with current trunk.
> Boot process hangs soon after framebuffer initialization. With the patch
> it boots successfully. Command line to reproduce:
> 
> qemu-system-x86_64 -cdrom install-amd64-minimal-20121013.iso
> 
> -- 
> Kirill Batuzov

> From 33e1fc03934cebea8d32c98ea34961c80f05d94a Mon Sep 17 00:00:00 2001
> From: Kirill Batuzov <batuzovk@ispras.ru>
> Date: Wed, 7 Nov 2012 15:26:38 +0400
> Subject: [PATCH] tcg: properly check that op's output needs to be synced to
>  memory
> 
> Fix typo introduced in b3a1be87bac3a6aaa59bb88c1410f170dc9b22d5.
> 
> Reported-by: Ruslan Savchenko <ruslan.savchenko@gmail.com>
> Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
> ---
>  tcg/tcg.c |    8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/tcg/tcg.c b/tcg/tcg.c
> index 42052db..35fba50 100644
> --- a/tcg/tcg.c
> +++ b/tcg/tcg.c
> @@ -1337,8 +1337,8 @@ static void tcg_liveness_analysis(TCGContext *s)
>                 the low part.  The result can be optimized to a simple
>                 add or sub.  This happens often for x86_64 guest when the
>                 cpu mode is set to 32 bit.  */
> -            if (dead_temps[args[1]] && !mem_temps[1]) {
> -                if (dead_temps[args[0]] && !mem_temps[0]) {
> +            if (dead_temps[args[1]] && !mem_temps[args[1]]) {
> +                if (dead_temps[args[0]] && !mem_temps[args[0]]) {
>                      goto do_remove;
>                  }
>                  /* Create the single operation plus nop.  */
> @@ -1363,8 +1363,8 @@ static void tcg_liveness_analysis(TCGContext *s)
>              nb_iargs = 2;
>              nb_oargs = 2;
>              /* Likewise, test for the high part of the operation dead.  */
> -            if (dead_temps[args[1]] && !mem_temps[1]) {
> -                if (dead_temps[args[0]] && !mem_temps[0]) {
> +            if (dead_temps[args[1]] && !mem_temps[args[1]]) {
> +                if (dead_temps[args[0]] && !mem_temps[args[0]]) {
>                      goto do_remove;
>                  }
>                  gen_opc_buf[op_index] = op = INDEX_op_mul_i32;

Thanks, applied.

From 33e1fc03934cebea8d32c98ea34961c80f05d94a Mon Sep 17 00:00:00 2001
From: Kirill Batuzov <batuzovk@ispras.ru>
Date: Wed, 7 Nov 2012 15:26:38 +0400
Subject: [PATCH] tcg: properly check that op's output needs to be synced to
 memory

Fix typo introduced in b3a1be87bac3a6aaa59bb88c1410f170dc9b22d5.

Reported-by: Ruslan Savchenko <ruslan.savchenko@gmail.com>
Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
---
 tcg/tcg.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tcg/tcg.c b/tcg/tcg.c
index 42052db..35fba50 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -1337,8 +1337,8 @@  static void tcg_liveness_analysis(TCGContext *s)
                the low part.  The result can be optimized to a simple
                add or sub.  This happens often for x86_64 guest when the
                cpu mode is set to 32 bit.  */
-            if (dead_temps[args[1]] && !mem_temps[1]) {
-                if (dead_temps[args[0]] && !mem_temps[0]) {
+            if (dead_temps[args[1]] && !mem_temps[args[1]]) {
+                if (dead_temps[args[0]] && !mem_temps[args[0]]) {
                     goto do_remove;
                 }
                 /* Create the single operation plus nop.  */
@@ -1363,8 +1363,8 @@  static void tcg_liveness_analysis(TCGContext *s)
             nb_iargs = 2;
             nb_oargs = 2;
             /* Likewise, test for the high part of the operation dead.  */
-            if (dead_temps[args[1]] && !mem_temps[1]) {
-                if (dead_temps[args[0]] && !mem_temps[0]) {
+            if (dead_temps[args[1]] && !mem_temps[args[1]]) {
+                if (dead_temps[args[0]] && !mem_temps[args[0]]) {
                     goto do_remove;
                 }
                 gen_opc_buf[op_index] = op = INDEX_op_mul_i32;
-- 
1.7.9.5

64-on-32 TCG broken

Commit Message

Comments

Patch