From patchwork Mon Apr 9 10:38:34 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 133019
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: patches@linaro.org, Richard Henderson, alarson@ddci.com, qemu-stable@nongnu.org
Subject: [PATCH for-2.12] target/arm: Don't corrupt insn_start arguments on 32-bit hosts
Date: Mon, 9 Apr 2018 11:38:34 +0100
Message-Id: <20180409103834.11285-1-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.16.2

For the Arm target, we have a 3-operand tcg_insn_start, where the
3 arguments are the PC, condexec bits, and a syndrome value.
We set it up like this:

    tcg_gen_insn_start(dc->pc,
                       (dc->condexec_cond << 4) | (dc->condexec_mask >> 1),
                       0);
    dc->insn_start = tcg_last_op();

and then we patch in the 3rd operand later in disas_set_insn_syndrome():

    tcg_set_insn_param(s->insn_start, 2, syn);

Unfortunately, if we're running on a setup where TARGET_LONG_BITS >
TCG_TARGET_REG_BITS (ie 64 bit guest on 32 bit host), tcg_gen_insn_start()
has under the hood split the 3 operands we gave it into 6, and so we
end up patching a syndrome value into the condexec bits. This means
we'll end up with corrupted guest condexec state if we have to do
a cpu_restore_state(), which happens often when using icount and
occasionally for load/store instructions that fault.

Fix the bug by using the correct operand offset for the 64-on-32 case.

Cc: qemu-stable@nongnu.org
Reported-by: alarson@ddci.com
Signed-off-by: Peter Maydell
---
This doesn't apply as-is to the stable branch, but the difference
is minor (insn_start was insn_start_idx, but the 2 vs 4 for
argument 2 is still the same.)
---
 target/arm/translate.h | 8 ++++++++
 1 file changed, 8 insertions(+)

-- 
2.16.2

diff --git a/target/arm/translate.h b/target/arm/translate.h
index c47febf99d..f04ece9cfd 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -120,7 +120,15 @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn) /* We check and clear insn_start_idx to catch multiple updates. */ assert(s->insn_start != NULL); +#if TARGET_LONG_BITS <= TCG_TARGET_REG_BITS tcg_set_insn_param(s->insn_start, 2, syn); +#else + /* tcg_gen_insn_start has split every target_ulong argument to + * op_insn_start into two 32-bit arguments, so we want the low + * half of the 3rd argument, which is at index 4. + */ + tcg_set_insn_param(s->insn_start, 4, syn); +#endif s->insn_start = NULL; }
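Review bot: the unchanged comment at the top of the hunk, "We check and clear insn_start_idx to catch multiple updates.", still names the old field while the assert right below it checks s->insn_start; since this hunk already rewrites the body of disas_set_insn_syndrome(), update the comment to say insn_start so the two stop disagreeing. Two smaller points on the added lines: the split rule is now encoded twice (in the #if condition and in the literal 4), so a single call of the form `tcg_set_insn_param(s->insn_start, 2 * (TARGET_LONG_BITS > TCG_TARGET_REG_BITS ? 2 : 1), syn);` would keep that knowledge in one place, although the explicit #if with its explanatory comment reads more clearly for anyone auditing the 64-on-32 path; and it is worth stating in the comment that the high half at index 5 keeps the 0 passed to tcg_gen_insn_start(), which is exactly what a uint32_t syndrome needs, so only the low word has to be patched.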
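To make the operand-splitting explained in the commit message concrete, here is an added model of the layout (this is not QEMU code and not the author's; all names such as InsnStartOp, insn_start_emit and insn_arg_index are hypothetical, and the sample PC, condexec and syndrome values are constructed). It emits the three insn_start arguments either as one word each or, when the guest word is wider than a host register, as low/high pairs, then patches the syndrome at the old hardcoded index 2 or at the computed index, and reads the condexec argument back the way cpu_restore_state() would.

```c
/* Added model (not QEMU code) of how tcg_gen_insn_start() splits its
 * target_ulong arguments when TARGET_LONG_BITS > TCG_TARGET_REG_BITS, and
 * why patching word index 2 then lands on the condexec argument. Names are
 * hypothetical; only the layout rule follows the commit message. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define INSN_START_ARGS 3                 /* pc, condexec, syndrome */
#define MAX_WORDS (INSN_START_ARGS * 2)   /* worst case: every argument split */

typedef struct {
    uint64_t words[MAX_WORDS];  /* raw operand words, as tcg_set_insn_param sees them */
    int nwords;
    int words_per_arg;          /* 1 normally, 2 on a 64-bit guest / 32-bit host */
} InsnStartOp;

/* Models tcg_gen_insn_start(): emit the three arguments as operand words. */
static void insn_start_emit(InsnStartOp *op, int target_long_bits, int host_reg_bits,
                            uint64_t pc, uint64_t condexec, uint64_t syn)
{
    uint64_t args[INSN_START_ARGS] = { pc, condexec, syn };
    op->words_per_arg = (target_long_bits > host_reg_bits) ? 2 : 1;
    op->nwords = 0;
    for (int i = 0; i < INSN_START_ARGS; i++) {
        if (op->words_per_arg == 1) {
            op->words[op->nwords++] = args[i];
        } else {
            op->words[op->nwords++] = (uint32_t)args[i];         /* low half  */
            op->words[op->nwords++] = (uint32_t)(args[i] >> 32); /* high half */
        }
    }
}

/* Models tcg_set_insn_param(): overwrite one raw operand word by index. */
static void insn_set_param(InsnStartOp *op, int index, uint64_t value)
{
    assert(index >= 0 && index < op->nwords);
    op->words[index] = value;
}

/* Word index of the low half of logical argument 'arg': the arithmetic the
 * patch hardcodes as 2 (no split) versus 4 (split) for argument 2. */
static int insn_arg_index(const InsnStartOp *op, int arg)
{
    return arg * op->words_per_arg;
}

/* Reassemble logical argument 'arg' from its word(s), as the restore path
 * does when it reads the insn_start data back. */
static uint64_t insn_get_arg(const InsnStartOp *op, int arg)
{
    int idx = insn_arg_index(op, arg);
    if (op->words_per_arg == 1) {
        return op->words[idx];
    }
    return op->words[idx] | (op->words[idx + 1] << 32);
}

/* Constructed sample values standing in for a real translation. */
#define SAMPLE_PC       0x80001000ULL
#define SAMPLE_CONDEXEC 0x1aULL
#define SAMPLE_SYN      0x56000000ULL

/* Replay the sequence from the commit message: emit insn_start with a zero
 * syndrome, then patch the syndrome in. use_fixed_index selects the computed
 * index (post-patch behaviour) over the old hardcoded index 2. */
static void run_scenario(InsnStartOp *op, int target_long_bits, int host_reg_bits,
                         int use_fixed_index)
{
    insn_start_emit(op, target_long_bits, host_reg_bits,
                    SAMPLE_PC, SAMPLE_CONDEXEC, 0);
    int idx = use_fixed_index ? insn_arg_index(op, 2) : 2;
    insn_set_param(op, idx, SAMPLE_SYN);
}

/* Condexec argument as read back after the syndrome patch. */
uint64_t condexec_after_patch(int target_long_bits, int host_reg_bits, int use_fixed_index)
{
    InsnStartOp op;
    run_scenario(&op, target_long_bits, host_reg_bits, use_fixed_index);
    return insn_get_arg(&op, 1);
}

/* Syndrome argument as read back after the syndrome patch. */
uint64_t syndrome_after_patch(int target_long_bits, int host_reg_bits, int use_fixed_index)
{
    InsnStartOp op;
    run_scenario(&op, target_long_bits, host_reg_bits, use_fixed_index);
    return insn_get_arg(&op, 2);
}

int main(void)
{
    printf("64-on-32, old index 2: condexec=%#llx syn=%#llx (condexec clobbered)\n",
           (unsigned long long)condexec_after_patch(64, 32, 0),
           (unsigned long long)syndrome_after_patch(64, 32, 0));
    printf("64-on-32, fixed index: condexec=%#llx syn=%#llx\n",
           (unsigned long long)condexec_after_patch(64, 32, 1),
           (unsigned long long)syndrome_after_patch(64, 32, 1));
    printf("64-on-64, old index 2: condexec=%#llx syn=%#llx (no split, no bug)\n",
           (unsigned long long)condexec_after_patch(64, 64, 0),
           (unsigned long long)syndrome_after_patch(64, 64, 0));
    return 0;
}
```

In the 64-on-32 layout the words are [pc_lo, pc_hi, condexec_lo, condexec_hi, syn_lo, syn_hi], so the old write at index 2 replaces condexec_lo with the syndrome and leaves the syndrome words at zero; the computed index 4 is the one the patch selects under #else. On 64-on-64 and 32-on-32 hosts words_per_arg is 1 and index 2 is already correct, which is why the bug only shows up on 32-bit hosts.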