On Sat, Feb 7, 2026 at 11:06 AM Brian Cain <[email protected]> wrote:
> When decoding a duplex instruction, if the slot0 sub-instruction fails
> to decode after slot1 succeeds, QEMU was leaving the packet in a
> partially-decoded state. This allowed invalid duplex encodings (where
> one sub-instruction doesn't match any valid pattern) to be executed
> incorrectly.
>
> Fix by resetting the decoder state when slot0 fails, returning an empty
> instruction that triggers an exception.
>
> Add gen_exception_decode_fail() for raising exceptions when decode fails
> before ctx->next_PC is initialized. This keeps gen_exception_end_tb()
> semantics unchanged (it continues to use ctx->next_PC for the exception
> PC after successful decode).
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3291
> Signed-off-by: Brian Cain <[email protected]>
> Reviewed-by: Pierrick Bouvier <[email protected]>
> ---
> linux-user/hexagon/cpu_loop.c | 4 ++
> target/hexagon/decode.c | 13 ++++-
> target/hexagon/translate.c | 18 ++++++-
> tests/tcg/hexagon/invalid-encoding.c | 81 ++++++++++++++++++++++++++++
> tests/tcg/hexagon/Makefile.target | 1 +
> 5 files changed, 113 insertions(+), 4 deletions(-)
> create mode 100644 tests/tcg/hexagon/invalid-encoding.c
>
>
> diff --git a/target/hexagon/decode.c b/target/hexagon/decode.c
> index b5ece60450..69ba1ec96c 100644
> --- a/target/hexagon/decode.c
> +++ b/target/hexagon/decode.c
> @@ -509,8 +509,14 @@ decode_insns(DisasContext *ctx, Insn *insn, uint32_t
> encoding)
> insn->iclass = iclass_bits(encoding);
> return 2;
> }
> + /*
> + * Slot0 decode failed after slot1 succeeded. This is an
> invalid
> + * duplex encoding (both sub-instructions must be valid).
> + */
> + ctx->insn = --insn;

Why is this needed?

Otherwise Reviewed-by: Taylor Simpson <[email protected]>
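Review bot: the added line `ctx->insn = --insn;` in the decode.c hunk combines a pointer rewind with a side-effecting assignment, and the comment directly above it states only the condition that was detected (slot0 failed after slot1 succeeded), not why the insn pointer is stepped back or why ctx->insn must be reassigned, which is exactly the question Taylor raises. Suggest splitting it into `insn--;` followed by `ctx->insn = insn;` and extending the comment to say that this rewind is the "resetting the decoder state" step the commit message describes, so the next reader does not have to reconstruct it. Note also that the hunk header advertises six net added lines (8 -> 14) but only five `+` lines appear in this quote, so the empty-instruction return and exception path the commit message promises cannot be checked from the excerpt as quoted.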
