On Tue, Jun 26, 2018 at 03:26:01PM -0700, Richard Henderson wrote:
> On 06/26/2018 03:07 PM, Stafford Horne wrote:
> > Hello,
> >
> > I think I found out something.
> >
> > in: target/openrisc/sys_helper.c:92
> >
> > When we write to `env->tlb.dtlb[idx].tr` in helper_mtspr():
> > 93     case TO_SPR(1, 640) ... TO_SPR(1, 640 + TLB_SIZE - 1): /* DTLBW0TR 0-127 */
> > 94         idx = spr - TO_SPR(1, 640);
> > 95         env->tlb.dtlb[idx].tr = rb;
> >
> > Somehow we are overlapping with `cpu->tb_jmp_cache`, these are both
> > pointing to the same spot in memory.
> >
> > (gdb) p &cs->tb_jmp_cache[3014]
> > $9 = (struct TranslationBlock **) 0x55555608b300
> > (gdb) p &env->tlb.dtlb[idx].tr
> > $10 = (uint32_t *) 0x55555608b304
>
> That is definitely weird. How about
>
> (gdb) p openrisc_env_get_cpu(env)
> $1 = xxxx
> (gdb) p &$1->parent_obj
> (gdb) p &$1->env
> (gdb) p cs->env_ptr
>
> There should be 4096 entries in tb_jmp_cache, so there should
> be no way that overlaps. I can only imagine either CS or ENV
> is incorrect somehow. How that would be, I don't know...
Nothing looks strange there... but this does... :)
(gdb) p &cs->tb_jmp_cache[3014]
$56 = (struct TranslationBlock **) 0x55555606c570
(gdb) p &env->tlb.dtlb[idx].tr
$57 = (uint32_t *) 0x55555606c574
(gdb) p &env->tlb.dtlb[idx].mr
$58 = (uint32_t *) 0x55555606c570
(gdb) p idx
$59 = -1502
The index is negative... this patch should fix that.
@@ -78,6 +78,7 @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr,
target_ulong rb)
case TO_SPR(0, 1024) ... TO_SPR(0, 1024 + (16 * 32)): /* Shadow GPRs */
idx = (spr - 1024);
env->shadow_gpr[idx / 32][idx % 32] = rb;
+ break;
case TO_SPR(1, 512) ... TO_SPR(1, 512 + TLB_SIZE - 1): /* DTLBW0MR 0-127 */
idx = spr - TO_SPR(1, 512);
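Review bot: the added `break;` is the right fix, because without it a shadow-GPR store (group 0, SPRs 1024 and up) falls through into the DTLBW0MR case, where `idx = spr - TO_SPR(1, 512)` is negative for every group-0 SPR (the gdb session above shows -1502), so `env->tlb.dtlb[idx].mr` writes in front of the array into whatever CPU state precedes it, here `tb_jmp_cache`. Two things worth checking while here: the shadow-GPR case label range is inclusive, so `spr == TO_SPR(0, 1024 + (16 * 32))` gives `idx / 32 == 16`, one past a 16-bank `shadow_gpr` if that is how the array is declared (the TLB cases use `TLB_SIZE - 1` for exactly this reason); and building with GCC's `-Wimplicit-fallthrough` would have flagged this case and will catch the same mistake elsewhere in the switch.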
-Stafford
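A small C model of the switch from this thread, added here as an illustration and not QEMU's own code: it reproduces the fall-through and the negative DTLB index, and works out which SPR the -1502 came from. `TO_SPR` as `(group << 11) + number` and `TLB_SIZE` of 128 are assumptions (the former is consistent with the idx = -1502 above); the `spr_write_t` struct and the helper names are constructed for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to match QEMU's macro; it reproduces the thread's idx = -1502. */
#define TO_SPR(group, number) (((group) << 11) + (number))
#define TLB_SIZE 128

typedef struct {                      /* constructed: what a write would touch */
    int shadow_bank, shadow_reg;      /* -1 when no shadow GPR is written */
    int dtlb_mr_idx, dtlb_mr_written; /* index used for dtlb[idx].mr, and whether */
} spr_write_t;

/* Model of the HELPER(mtspr) switch; with_break == 0 reproduces the bug. */
static spr_write_t decode_mtspr(uint32_t spr, int with_break)
{
    spr_write_t w = { -1, -1, 0, 0 };
    int idx;
    switch (spr) {
    case TO_SPR(0, 1024) ... TO_SPR(0, 1024 + (16 * 32)):   /* Shadow GPRs */
        idx = (int)spr - 1024;
        w.shadow_bank = idx / 32;
        w.shadow_reg = idx % 32;
        if (with_break) break;
        /* fall through: without the break the write continues below */
    case TO_SPR(1, 512) ... TO_SPR(1, 512 + TLB_SIZE - 1):   /* DTLBW0MR 0-127 */
        /* A group-0 SPR lies below TO_SPR(1, 512), so idx goes negative;
         * QEMU's target_ulong wraps and then converts to the same int. */
        idx = (int)spr - TO_SPR(1, 512);
        w.dtlb_mr_idx = idx;
        w.dtlb_mr_written = 1;
        break;
    }
    return w;
}

/* The invariant the case labels were meant to guarantee for dtlb[]. */
static int dtlb_index_in_bounds(int idx)
{
    return idx >= 0 && idx < TLB_SIZE;
}

int main(void)
{
    uint32_t spr = TO_SPR(1, 512) - 1502;  /* the SPR behind the thread's idx */
    spr_write_t bug = decode_mtspr(spr, 0), ok = decode_mtspr(spr, 1);
    printf("spr %u: shadow bank %d reg %d\n", (unsigned)spr, ok.shadow_bank, ok.shadow_reg);
    printf("no break: dtlb idx %d (in bounds %d); with break: dtlb written %d\n",
           bug.dtlb_mr_idx, dtlb_index_in_bounds(bug.dtlb_mr_idx), ok.dtlb_mr_written);
    return 0;
}
```

The case-label ranges are the same GNU C extension the QEMU source uses; GCC's `-Wimplicit-fallthrough` warns on the unannotated fall-through in the buggy path.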