On 12/03/15 08:41, Mark Cave-Ayland wrote:
> Hi all,
>
> Whilst testing git master in preparation for some OpenBIOS updates, I'm
> seeing the following TCG assert in one of my older test images:
>
>
> $ gdb --args ./qemu-system-ppc -cdrom /home/build/src/qemu/image/ppc/ubuntu-5.10-live-powerpc.iso -boot d -g 800x600x8
> GNU gdb (GDB) 7.4.1-debian
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /home/build/rel-qemu-git/bin/qemu-system-ppc...done.
> (gdb) r
> Starting program: /home/build/rel-qemu-git/bin/qemu-system-ppc -cdrom /home/build/src/qemu/image/ppc/ubuntu-5.10-live-powerpc.iso -boot d -g 800x600x8
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> [New Thread 0x7fffe9ef3700 (LWP 11437)]
> [New Thread 0x7fffe5bf1700 (LWP 11438)]
> [New Thread 0x7fffe53f0700 (LWP 11439)]
> [Thread 0x7fffe5bf1700 (LWP 11438) exited]
> [New Thread 0x7fffe5bf1700 (LWP 11443)]
> [Thread 0x7fffe5bf1700 (LWP 11443) exited]
> qemu-system-ppc: /home/build/src/qemu/git/qemu/tcg/optimize.c:212: tcg_opt_gen_mov: Assertion `temps[src].state != TCG_TEMP_CONST' failed.
>
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 0x7fffe53f0700 (LWP 11439)]
> 0x00007ffff22ec165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> #0  0x00007ffff22ec165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x00007ffff22ef3e0 in *__GI_abort () at abort.c:92
> #2  0x00007ffff22e5311 in *__GI___assert_fail (assertion=0x555555a819e0 "temps[src].state != TCG_TEMP_CONST", file=<optimized out>, line=212, function=0x555555a82460 "tcg_opt_gen_mov") at assert.c:81
> #3  0x0000555555632701 in tcg_opt_gen_mov (s=0x555555f3bc80, op=0x555555f82f00, args=0x555555f84350, old_op=INDEX_op_or_i32, dst=9, src=189) at /home/build/src/qemu/git/qemu/tcg/optimize.c:212
> #4  0x0000555555634e5c in tcg_constant_folding (s=0x555555f3bc80) at /home/build/src/qemu/git/qemu/tcg/optimize.c:984
> #5  0x0000555555636295 in tcg_optimize (s=0x555555f3bc80) at /home/build/src/qemu/git/qemu/tcg/optimize.c:1356
> #6  0x000055555562c30c in tcg_gen_code_common (s=0x555555f3bc80, gen_code_buf=0x7fffe8840770 "", search_pc=-1) at /home/build/src/qemu/git/qemu/tcg/tcg.c:2277
> #7  0x000055555562c67a in tcg_gen_code (s=0x555555f3bc80, gen_code_buf=0x7fffe8840770 "") at /home/build/src/qemu/git/qemu/tcg/tcg.c:2385
> #8  0x000055555561e068 in cpu_ppc_gen_code (env=0x7ffff7fdf260, tb=0x7fffe65ead30, gen_code_size_ptr=0x7fffe53ef890) at /home/build/src/qemu/git/qemu/translate-all.c:182
> #9  0x000055555561f49c in tb_gen_code (cpu=0x7ffff7fd7010, pc=3373291568, cs_base=0, flags=0, cflags=0) at /home/build/src/qemu/git/qemu/translate-all.c:1064
> #10 0x0000555555621403 in tb_find_slow (env=0x7ffff7fdf260, pc=3373291568, cs_base=0, flags=0) at /home/build/src/qemu/git/qemu/cpu-exec.c:299
> #11 0x000055555562158c in tb_find_fast (env=0x7ffff7fdf260) at /home/build/src/qemu/git/qemu/cpu-exec.c:327
> #12 0x00005555556219dd in cpu_ppc_exec (env=0x7ffff7fdf260) at /home/build/src/qemu/git/qemu/cpu-exec.c:485
> #13 0x00005555556684e9 in tcg_cpu_exec (env=0x7ffff7fdf260) at /home/build/src/qemu/git/qemu/cpus.c:1354
> #14 0x0000555555668600 in tcg_exec_all () at /home/build/src/qemu/git/qemu/cpus.c:1387
> #15 0x0000555555667929 in qemu_tcg_cpu_thread_fn (arg=0x7ffff7fd7010) at /home/build/src/qemu/git/qemu/cpus.c:1032
> #16 0x00007ffff264bb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
> #17 0x00007ffff239595d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
> #18 0x0000000000000000 in ?? ()
> (gdb)
>
>
> Any ideas? I can easily reproduce here if any further information is
> required.
A quick bisection with git points to the following commit:

$ git bisect bad
951c6300f74ace35d87c079affc57cfc513a6a35 is the first bad commit
commit 951c6300f74ace35d87c079affc57cfc513a6a35
Author: Richard Henderson <r...@twiddle.net>
Date:   Fri Sep 19 11:39:20 2014 -0700

    tcg: Move some opcode generation functions out of line

    Some of these functions are really quite large.  We have a number of
    things that ought to be circularly dependent, but we duplicated code
    to break that chain for the inlines.

    This saved 25% of the code size of one of the translators I examined.

    Reviewed-by: Bastian Koppelmann <kbast...@mail.uni-paderborn.de>
    Signed-off-by: Richard Henderson <r...@twiddle.net>

ATB,

Mark.
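The bisection above was driven by hand. The script below is an added example, not part of the original mail and not QEMU's own tooling: a `git bisect run` driver that rebuilds each candidate revision, boots the same ISO under a time limit, and maps the outcome onto git's bisect-run exit codes (0 good, 1 bad, 125 untestable) by looking for the exact assertion text from the report. Everything it assumes is a guess for illustration: an out-of-tree build directory named `build` (overridable via `QEMU_BUILD_DIR`), the ISO path from the report, coreutils `timeout`, the added `-display none` flag, and the rule that a revision which survives a 60-second boot window without tripping the assert counts as good. The self-check at the end feeds a constructed copy of the assertion line through the classifier so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the original mail or from QEMU): git bisect run
# driver for the tcg_opt_gen_mov assertion. Keep it OUTSIDE the source tree,
# otherwise each checkout git makes during bisection will clobber it.

QEMU_BUILD_DIR="${QEMU_BUILD_DIR:-build}"            # assumed out-of-tree build dir
QEMU_BIN="$QEMU_BUILD_DIR/ppc-softmmu/qemu-system-ppc" # assumed binary location
IMAGE="${IMAGE:-/home/build/src/qemu/image/ppc/ubuntu-5.10-live-powerpc.iso}"
ASSERT_PATTERN='tcg_opt_gen_mov: Assertion'          # text from the report
BOOT_SECONDS=60                                      # assumed boot window

# Map "exit status of the guest run" + "captured stderr" onto git bisect run's
# convention:
#   0   this revision is good (survived the whole boot window, no assert)
#   1   this revision is bad  (assert text seen, or plain SIGABRT)
#   125 cannot test this revision (git skips it and picks another)
classify_run() {
    status="$1"
    logfile="$2"
    if grep -q "$ASSERT_PATTERN" "$logfile"; then
        return 1
    fi
    case "$status" in
        124) return 0 ;;   # timeout(1) killed qemu: it ran past the crash point
        134) return 1 ;;   # 128+SIGABRT without our text: still an abort, treat as bad
        0)   return 0 ;;   # qemu exited cleanly (e.g. guest powered off)
        *)   return 125 ;; # missing binary, signal 11 in the host, etc.: untestable
    esac
}

# Rebuild the current checkout; a build failure is "untestable", not "bad".
build_tree() {
    make -C "$QEMU_BUILD_DIR" -j4 >/dev/null 2>&1 || return 125
}

# One bisect step: build, boot the ISO with the reporter's arguments, classify.
bisect_step() {
    build_tree || return 125
    log=$(mktemp)
    status=0
    timeout "$BOOT_SECONDS" "$QEMU_BIN" \
        -cdrom "$IMAGE" -boot d -g 800x600x8 -display none \
        >/dev/null 2>"$log" || status=$?
    rc=0
    classify_run "$status" "$log" || rc=$?
    rm -f "$log"
    return "$rc"
}

# Offline self-check: a CONSTRUCTED stderr capture holding the assertion line
# from the report, plus an abort status. Expected result: 1 (bad).
selftest() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
qemu-system-ppc: /home/build/src/qemu/git/qemu/tcg/optimize.c:212: tcg_opt_gen_mov: Assertion `temps[src].state != TCG_TEMP_CONST' failed.
EOF
    rc=0
    classify_run 134 "$log" || rc=$?
    rm -f "$log"
    return "$rc"
}

# Only drive a real bisect step when asked to; sourcing or running the script
# bare just defines the functions.
if [ "${1:-}" = "--bisect-step" ]; then
    bisect_step
    exit $?
fi
```

Usage, with the hashes filled in from your own tree: `git bisect start <bad-rev> <good-rev>`, then `git bisect run sh /path/outside/tree/bisect-tcg-assert.sh --bisect-step`. The 125 path matters more than it looks: intermediate commits in a series like the one found here frequently fail to build, and reporting them as "bad" would steer the bisection to the wrong commit.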