[Just adding Sean Bruno in case the information is new to him.
I top post a note for that.]

Sean: The below reports on what I've found for what is
happening for qemu-ppc64-static (and possibly others) when
it gets stuck eating CPU time (and leaking memory), at least
for the example I ran into (which basically blocks all use
of qemu-ppc64-static: it happens very early in all(?)
attempted uses that load).

The content reflects my exploration order. The summary is:

A) I've found an example context where the emulated
pc does not progress and it ends up looping repeating
a syscall.

B) Given that is involved: I've found that env->gpr[3]
handling for failed syscall attempts contributes to the
detailed failure behaviors. (This part is, of course,
likely very powerpc specific.)


But I found (B) before finding (A) as its context and
(A) might be the only problem for all I know: having the
emulated program counter progress correctly might end
up dealing with env->gpr[3] correctly in the newly
executed code.

At this point I've no clue where the emulated PC should
be adjusted in the code or what the detailed adjustment
rules should be for the context, only that the PC is not
being adjusted now but needs to be adjusted.

===
Mark Millard
markmi at dsl-only.net

On 2017-Aug-31, at 12:13 PM, Mark Millard <markmi at dsl-only.net> wrote:

[Turns out that the emulated program counter is not progressing
for syscall emulation, at least for [some] syscall [failure] cases.]

On 2017-Aug-30, at 8:43 PM, Mark Millard <markmi at dsl-only.net> wrote:

> On 2017-Aug-30, at 4:32 PM, Don Lewis <truckman at FreeBSD.org> wrote:
> 
>> On 30 Aug, Mark Millard wrote:
>>> On 2017-Aug-30, at 4:00 AM, Mark Linimon <linimon at lonesome.com> wrote:
>>> 
>>>> On Wed, Aug 30, 2017 at 03:09:40AM -0700, Mark Millard wrote:
>>>>> It appears that qemu-ppc64-static and qemu-ppc-static from
>>>>> emulators/qemu-user-static are broken.
>>>> 
>>>> Correct, and known for some time.  (fwiw sparc64 hangs as well.)
>>> 
>>> Looks like qemu-ppc64-static is stuck in a loop, calling
>>> repeatedly:
>>> 
>>> do_freebsd_syscall (cpu_env=0x860ea3ac0, num=58, arg1=14, arg2=35995509911, 
>>> arg3=1024, arg4=268435904, arg5=281494784, arg6=35985701568, arg7=515, 
>>> arg8=35985668288)
>>>  at 
>>> /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/syscall.c:210
>>> 210 
>>> /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/syscall.c:
>>>  No such file or directory.
>>> 
>>> Which is for:
>>> 
>>> 58      AUE_READLINK    STD     { ssize_t readlink(char *path, char *buf, \
>>>                                  size_t count); }
>>> 
>>> As confirmed by (note the "callq  0x60207360 <readlink>" ):
>>> 
>>> (gdb) 
>>> lock_user_string (guest_addr=14) at 
>>> /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/qemu.h:508
>>> 508 
>>> /wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/qemu.h:
>>>  No such file or directory.
>>> 
>>> (gdb) x/64i 0x0000000060045d3e
>>> => 0x60045d3e <do_freebsd_syscall+3246>:    callq  0x6004fd20 
>>> <target_strlen>
>>> 0x60045d43 <do_freebsd_syscall+3251>:       test   %rax,%rax
>>> 0x60045d46 <do_freebsd_syscall+3254>:       js     0x6004b99c 
>>> <do_freebsd_syscall+26892>
>>> 0x60045d4c <do_freebsd_syscall+3260>:       inc    %rax
>>> 0x60045d4f <do_freebsd_syscall+3263>:       mov    $0x1,%edx
>>> 0x60045d54 <do_freebsd_syscall+3268>:       mov    %rbx,%rdi
>>> 0x60045d57 <do_freebsd_syscall+3271>:       mov    %rax,%rsi
>>> 0x60045d5a <do_freebsd_syscall+3274>:       callq  0x6003c430 
>>> <page_check_range>
>>> 0x60045d5f <do_freebsd_syscall+3279>:       test   %eax,%eax
>>> 0x60045d61 <do_freebsd_syscall+3281>:       jne    0x6004bce4 
>>> <do_freebsd_syscall+27732>
>>> 0x60045d67 <do_freebsd_syscall+3287>:       add    0x26d91b2(%rip),%rbx     
>>>    # 0x6271ef20 <guest_base>
>>> 0x60045d6e <do_freebsd_syscall+3294>:       je     0x6004bce4 
>>> <do_freebsd_syscall+27732>
>>> 0x60045d74 <do_freebsd_syscall+3300>:       mov    $0x3,%edx
>>> 0x60045d79 <do_freebsd_syscall+3305>:       mov    -0x2a8(%rbp),%r14
>>> 0x60045d80 <do_freebsd_syscall+3312>:       mov    %r14,%rdi
>>> 0x60045d83 <do_freebsd_syscall+3315>:       mov    %r12,%rsi
>>> 0x60045d86 <do_freebsd_syscall+3318>:       callq  0x6003c430 
>>> <page_check_range>
>>> 0x60045d8b <do_freebsd_syscall+3323>:       test   %eax,%eax
>>> 0x60045d8d <do_freebsd_syscall+3325>:       jne    0x6004bce4 
>>> <do_freebsd_syscall+27732>
>>> 0x60045d93 <do_freebsd_syscall+3331>:       add    0x26d9186(%rip),%r14     
>>>    # 0x6271ef20 <guest_base>
>>> 0x60045d9a <do_freebsd_syscall+3338>:       mov    -0x294(%rbp),%r10d
>>> 0x60045da1 <do_freebsd_syscall+3345>:       mov    $0xfffffffffffffff2,%r13
>>> 0x60045da8 <do_freebsd_syscall+3352>:       je     0x6004bcf2 
>>> <do_freebsd_syscall+27746>
>>> 0x60045dae <do_freebsd_syscall+3358>:       mov    $0x602b93da,%esi
>>> 0x60045db3 <do_freebsd_syscall+3363>:       mov    %rbx,%rdi
>>> 0x60045db6 <do_freebsd_syscall+3366>:       callq  0x60230af0 <strcmp>
>>> 0x60045dbb <do_freebsd_syscall+3371>:       test   %eax,%eax
>>> 0x60045dbd <do_freebsd_syscall+3373>:       je     0x6004c566 
>>> <do_freebsd_syscall+29910>
>>> 0x60045dc3 <do_freebsd_syscall+3379>:       mov    %rbx,%rdi
>>> 0x60045dc6 <do_freebsd_syscall+3382>:       callq  0x60158660 <path>
>>> 0x60045dcb <do_freebsd_syscall+3387>:       mov    %rax,%rdi
>>> 0x60045dce <do_freebsd_syscall+3390>:       mov    %r14,%rsi
>>> 0x60045dd1 <do_freebsd_syscall+3393>:       mov    %r12,%rdx
>>> 0x60045dd4 <do_freebsd_syscall+3396>:       callq  0x60207360 <readlink>
>>> 
>>> But note that the "lock_user_string (guest_addr=14)" and
>>> "do_freebsd_syscall (cpu_env=0x860ea3ac0, num=58, arg1=14,"
>>> indicate that the "readlink(char *path," is using a really
>>> small address for the path string.
>>> 
>>> 
>>> I've not figured a way for poudriere bulk builds to leave
>>> behind the source code automatically. So far I've not
>>> looked at the qemu-bsd-user source code. I do build with
>>> both debug and optimization turned on via bsd.port.mk
>>> having:
>> 
>> The -w option will create a tarball of the work directory if the
>> package build fails.  I also often use the testport -i option I want to
>> poke around in the WRKDIR after a build.
> 
> I've been using -w right along. But I'd not used testport at all.
> 
> It looks to me like the syscall errno handling is messed
> up. The details that I've observed follow. It follows
> a simplified sequence of discovery as far as presentation
> order goes.
> 
> The looping code is:
> 
> static inline void target_cpu_loop(CPUPPCState *env)
> {
>   CPUState *cs = CPU(ppc_env_get_cpu(env));
>   target_siginfo_t info;
>   int trapnr;
>   target_ulong ret;
> 
>   for(;;) {
>       cpu_exec_start(cs);
>       trapnr = cpu_exec(cs);
>       cpu_exec_end(cs);
>       process_queued_cpu_work(cs);
> 
>       switch(trapnr) {
> . . .
>       case POWERPC_EXCP_SYSCALL_USER:
>           /* system call in user-mode emulation */
>           /* WARNING:
>            * PPC ABI uses overflow flag in cr0 to signal an error
>            * in syscalls.
>            */
>           env->crf[0] &= ~0x1;
>           ret = do_freebsd_syscall(env, env->gpr[0], env->gpr[3], env->gpr[4],
>                            env->gpr[5], env->gpr[6], env->gpr[7],
>                            env->gpr[8], env->gpr[9], env->gpr[10]);
>           if (ret == (target_ulong)(-TARGET_QEMU_ESIGRETURN)) {
>               /* Returning from a successful sigreturn syscall.
>                  Avoid corrupting register state.  */
>               break;
>           }
>           if (ret > (target_ulong)(-515)) {
>               env->crf[0] |= 0x1;
>               ret = -ret;
>           }
>           env->gpr[3] = ret;
>           break;
> . . .
>       }
>       process_pending_signals(env);
>   }
> }
> 
> The observed env->gpr[3] == 14 is from a prior loop
> iteration having ret == 14 in the:
> 
>           env->gpr[3] = ret;
> 
> Prior to this were the values (as seen via
> lock_user_string):
> 
> guest_addr=278408977
> guest_addr=2
> 
> That 2 also came from the prior ret == 2 in the:
> 
>           env->gpr[3] = ret;
> 
> from when the 278408977 was being attempted.
> 
> Both the ret == 2 and ret == 14 were from:
> 
>               ret = -ret;
> 
> so the return values from do_freebsd_syscall were
> -2 and -14 (interpreted as signed).
> 
> The return values trace back to the following code,
> where TARGET_EFAULT == 14 :
> 
> static inline abi_long do_bsd_readlink(CPUArchState *env, abi_long arg1,
>       abi_long arg2, abi_long arg3)
> {
>   abi_long ret;
>   void *p1, *p2;
> 
>   LOCK_PATH(p1, arg1);
>   p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0);
>   if (p2 == NULL) {
>       UNLOCK_PATH(p1, arg1);
>       return -TARGET_EFAULT;
>   }
> #ifdef __FreeBSD__
>   if (strcmp(p1, "/proc/curproc/file") == 0) {
>       CPUState *cpu = ENV_GET_CPU(env);
>       TaskState *ts = (TaskState *)cpu->opaque;
>       strncpy(p2, ts->bprm->fullpath, arg3);
>       ret = MIN((abi_long)strlen(ts->bprm->fullpath), arg3);
>   } else
> #endif
>   ret = get_errno(readlink(path(p1), p2, arg3));
>   unlock_user(p2, arg2, ret);
>   UNLOCK_PATH(p1, arg1);
> 
>   return ret;
> }
> 
> The 2 is from:
> 
>   ret = get_errno(readlink(path(p1), p2, arg3));
> 
> At the time the p1 points to "/etc/malloc.conf":
> 
> (gdb) step 
> path (name=0x10982f11 "/etc/malloc.conf") at util/path.c:173
> 
> 169   const char *path(const char *name)
> 170   {
> 171       /* Only do absolute paths: quick and dirty, but should mostly be OK.
> 172          Could do relative by tracking cwd. */
> (gdb) 
> 173       if (!base || !name || name[0] != '/')
> 174           return name;
> 175   
> 176       return follow_path(base, name) ?: name;
> 177   }
> 
> (gdb) print base
> $8 = (struct pathelem *) 0x0
> 
> So name is returned unchanged.
> 
> 
> The 2 is in turn from:
> 
> #define       __ENOENT        2               /* No such file or directory */
> 
> 
> Overall one oddity is that this code structure
> seems to use -ret from:
> 
>           ret = do_freebsd_syscall(env, env->gpr[0], env->gpr[3], env->gpr[4],
>                            env->gpr[5], env->gpr[6], env->gpr[7],
>                            env->gpr[8], env->gpr[9], env->gpr[10]);
> 
> to retry the same operation again the next iteration,
> but with env->gpr[3] == -ret (as ret was on the return
> of do_freebsd_syscall).
> 
> Once abs(ret) == 14 it is fully stuck repeating itself.
> 
> I've no clue if:
> 
>           env->gpr[3] = ret;
> 
> even makes sense here.
> 
> I've not tried to track down the memory leak activity
> that is associated.
> 
> Nor have I checked anything for the:
> 
>       cpu_exec_start(cs);
>       trapnr = cpu_exec(cs);
>       cpu_exec_end(cs);
>       process_queued_cpu_work(cs);
> 
> activity. It likely contributes to why the loop
> retries the readlink again (with a junk address
> for the path).

I do not see activity advancing the emulated
program counter as this looping/retrying happens.
Nor anything that is adjusting the problematical
re-used env->gpr[3] other than the:

516                 env->gpr[3] = ret;

after the negation of ret for the syscall failure
handling.

This is confirmed by the following:

(gdb) bt
#0  cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:141
#1  0x0000000060039cb5 in cpu_loop_exec_tb (cpu=<optimized out>, tb=<optimized 
out>, last_tb=<optimized out>, tb_exit=<optimized out>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:574
#2  cpu_exec (cpu=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:672
#3  0x000000006003c988 in target_cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/ppc/target_arch_cpu.h:139
#4  cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:121
#5  0x000000006003e003 in main (argc=<optimized out>, argv=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:516
. . .
(gdb) list
569     {
570         uintptr_t ret;
571         int32_t insns_left;
572     
573         trace_exec_tb(tb, tb->pc);
574         ret = cpu_tb_exec(cpu, tb);
575         tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
576         *tb_exit = ret & TB_EXIT_MASK;
577         if (*tb_exit != TB_EXIT_REQUESTED) {
578             *last_tb = tb;
. . .
cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 <static_code_gen_buffer+17488>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:141
141         CPUArchState *env = cpu->env_ptr;
(gdb) print/x itb->pc
$16 = 0x1074d784
(gdb) c
Continuing.

Thread 1 hit Breakpoint 9, cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:141
141         CPUArchState *env = cpu->env_ptr;
. . .
(gdb) print/x itb->pc
$18 = 0x1074d784
(gdb) c
Continuing.

Thread 1 hit Breakpoint 9, cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:141
141         CPUArchState *env = cpu->env_ptr;
(gdb) print/x itb->pc
$19 = 0x1074d784
(gdb) c
Continuing.

Thread 1 hit Breakpoint 9, cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:141
141         CPUArchState *env = cpu->env_ptr;
(gdb) print/x itb->pc
$20 = 0x1074d784

and so on.

So it appears that syscall emulation does not progress the
emulated instruction pointer and so the syscall repeats
over and over.

(I've still not tracked down what is leaking memory
during this looping. But that is probably a secondary
concern at this point.)


So how does the code get from:

139             trapnr = cpu_exec(cs);

to (re-)trying the failed syscall (readlink) attempt?

(gdb) bt
#0  0x00000000601e25c0 in siglongjmp ()
#1  0x000000006003a1aa in cpu_loop_exit_restore (cpu=<optimized out>, 
pc=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec-common.c:77
#2  0x00000000600e0eeb in raise_exception_err_ra (env=<optimized out>, 
exception=<optimized out>, error_code=0, raddr=0)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/target/ppc/excp_helper.c:905
#3  helper_raise_exception_err (env=<optimized out>, exception=<optimized out>, 
error_code=0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/target/ppc/excp_helper.c:928
#4  0x00000000607233e6 in static_code_gen_buffer ()
#5  0x0000000060039ffa in cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:166
#6  0x0000000060039cb5 in cpu_loop_exec_tb (cpu=<optimized out>, tb=<optimized 
out>, last_tb=<optimized out>, tb_exit=<optimized out>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:574
#7  cpu_exec (cpu=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:672
#8  0x000000006003c988 in target_cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/ppc/target_arch_cpu.h:139
#9  cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:121
#10 0x000000006003e003 in main (argc=<optimized out>, argv=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:516

It does a siglongjmp via helper_raise_exception_err:

(gdb) up
#1  0x0000000060039ffa in cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:166
166         ret = tcg_qemu_tb_exec(env, tb_ptr);
(gdb) list
161             qemu_log_unlock();
162         }
163     #endif /* DEBUG_DISAS */
164     
165         cpu->can_do_io = !use_icount;
166         ret = tcg_qemu_tb_exec(env, tb_ptr);
167         cpu->can_do_io = 1;
168         last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
169         tb_exit = ret & TB_EXIT_MASK;
170         trace_exec_tb_exit(last_tb, tb_exit);
(gdb) print tb_ptr
$11 = (uint8_t *) 0x607233c0 <static_code_gen_buffer+17616> 
"A\213n\354\205\355\017\214\037"

  0x607233c0 <static_code_gen_buffer+17616>:    mov    -0x14(%r14),%ebp
  0x607233c4 <static_code_gen_buffer+17620>:    test   %ebp,%ebp
  0x607233c6 <static_code_gen_buffer+17622>:    jl     0x607233eb 
<static_code_gen_buffer+17659>
  0x607233cc <static_code_gen_buffer+17628>:    movq   $0x1074d784,0x3c8(%r14)
  0x607233d7 <static_code_gen_buffer+17639>:    mov    %r14,%rdi
  0x607233da <static_code_gen_buffer+17642>:    mov    $0x203,%esi
  0x607233df <static_code_gen_buffer+17647>:    xor    %edx,%edx
  0x607233e1 <static_code_gen_buffer+17649>:    callq  0x600e0ed0 
<helper_raise_exception_err>
=> 0x607233e6 <static_code_gen_buffer+17654>:   jmpq   0x6071ef06 
<static_code_gen_buffer+22>
  0x607233eb <static_code_gen_buffer+17659>:    mov    $0x60723343,%eax
  0x607233f0 <static_code_gen_buffer+17664>:    jmpq   0x6071ef08 
<static_code_gen_buffer+24>

The exception is exception==515. 515 is the
figure matching up with POWERPC_EXCP_SYSCALL_USER.

(gdb) stepi
helper_raise_exception_err (env=0x860ea3ac0, exception=515, error_code=0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/target/ppc/excp_helper.c:927
927     {
(gdb) bt
#0  helper_raise_exception_err (env=0x860ea3ac0, exception=515, error_code=0) 
at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/target/ppc/excp_helper.c:927
#1  0x00000000607233e6 in static_code_gen_buffer ()
#2  0x0000000060039ffa in cpu_tb_exec (cpu=0x860e9b8c0, itb=0x60723340 
<static_code_gen_buffer+17488>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:166
#3  0x0000000060039cb5 in cpu_loop_exec_tb (cpu=<optimized out>, tb=<optimized 
out>, last_tb=<optimized out>, tb_exit=<optimized out>)
   at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:574
#4  cpu_exec (cpu=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:672
#5  0x000000006003c988 in target_cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/ppc/target_arch_cpu.h:139
#6  cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:121
#7  0x000000006003e003 in main (argc=<optimized out>, argv=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:516

Later there is:

raise_exception_err_ra (env=0x860ea3ac0, exception=515, error_code=0, raddr=0) 
at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/target/ppc/excp_helper.c:903
903         cs->exception_index = exception;

and then:

(gdb) s
cpu_loop_exit_restore (cpu=0x860e9b8c0, pc=0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec-common.c:74
74          if (pc) {
(gdb) n
77          siglongjmp(cpu->jmp_env, 1);
(gdb) n
0x00000000600398e9 in cpu_exec (cpu=0x860e9b8c0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:645
645         if (sigsetjmp(cpu->jmp_env, 0) != 0) {
(gdb) bt
#0  0x00000000600398e9 in cpu_exec (cpu=0x860e9b8c0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/accel/tcg/cpu-exec.c:645
#1  0x000000006003c988 in target_cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/ppc/target_arch_cpu.h:139
#2  cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:121
#3  0x000000006003e003 in main (argc=<optimized out>, argv=<optimized out>) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/main.c:516
(gdb) n
651             cpu = current_cpu;
(gdb) 
652             cc = CPU_GET_CLASS(cpu);
(gdb) 
658             cpu->can_do_io = 1;
(gdb) 
659             tb_lock_reset();
(gdb) 
660             if (qemu_mutex_iothread_locked()) {
(gdb) 
661                 qemu_mutex_unlock_iothread();
(gdb) 
666         while (!cpu_handle_exception(cpu, &ret)) {
(gdb) 
679         cc->cpu_exec_exit(cpu);
(gdb) n
680         rcu_read_unlock();
(gdb) n
683     }
(gdb) n
target_cpu_loop (env=0x860ea3ac0) at 
/wrkdirs/usr/ports/emulators/qemu-user-static/work/qemu-bsd-user-17977d0/bsd-user/ppc/target_arch_cpu.h:140
140             cpu_exec_end(cs);

And it ends up back in:

141             process_queued_cpu_work(cs);
142     
143             switch(trapnr) {
. . .
497             case POWERPC_EXCP_SYSCALL_USER:
498                 /* system call in user-mode emulation */
499                 /* WARNING:
500                  * PPC ABI uses overflow flag in cr0 to signal an error
501                  * in syscalls.
502                  */
(gdb) 
503                 env->crf[0] &= ~0x1;
504                 ret = do_freebsd_syscall(env, env->gpr[0], env->gpr[3], 
env->gpr[4],
505                                  env->gpr[5], env->gpr[6], env->gpr[7],
506                                  env->gpr[8], env->gpr[9], env->gpr[10]);
507                 if (ret == (target_ulong)(-TARGET_QEMU_ESIGRETURN)) {
508                     /* Returning from a successful sigreturn syscall.
509                        Avoid corrupting register state.  */
510                     break;
511                 }
512                 if (ret > (target_ulong)(-515)) {
(gdb) 
513                     env->crf[0] |= 0x1;
514                     ret = -ret;
515                 }
516                 env->gpr[3] = ret;
517                 break;


===
Mark Millard
markmi at dsl-only.net
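A toy C model of the loop described in the messages above, added here as an illustration; it is not code from QEMU or from the author. It replays the quoted cr0/gpr[3] epilogue from target_cpu_loop against a constructed readlink and shows why, with the emulated PC left at the sc instruction, the observed sequence 278408977 -> 2 -> 14 -> 14 ... follows, and what changes once the PC is moved on. The guest address layout and the "nip += 4" step are assumptions for the model, not a known fix.

```c
/* Added example, not QEMU's code: a toy model of the bsd-user ppc syscall
 * epilogue quoted in this thread, reproducing the observed feedback loop.
 * A failed syscall's errno is negated into gpr[3]; if the emulated PC is not
 * moved past "sc", the same readlink re-runs with gpr[3] (its path pointer)
 * equal to the previous errno: 278408977 -> ENOENT(2) -> EFAULT(14) -> 14 ...
 * Assumed/constructed: only address 278408977 holds a mapped string, every
 * other address is unmapped, and "advance past sc" means nip += 4. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TARGET_ENOENT 2
#define TARGET_EFAULT 14
#define SC_ADDR   0x1074d784ULL   /* the itb->pc seen repeating in the thread */
#define GOOD_PATH 278408977ULL    /* first guest_addr seen by lock_user_string */

typedef uint64_t target_ulong;
typedef struct {
    target_ulong nip;      /* emulated program counter */
    target_ulong gpr[32];  /* gpr[0] = syscall number, gpr[3..] = args, gpr[3] = result */
    uint32_t crf0;         /* cr0; bit 0 models the SO flag the ABI uses for errors */
} ToyPPCState;

/* Stand-in for do_bsd_readlink(): returns -errno the way get_errno() does. */
static int64_t toy_readlink(target_ulong path_addr)
{
    if (path_addr != GOOD_PATH) {
        return -TARGET_EFAULT;   /* lock_user_string() fails on an unmapped address */
    }
    return -TARGET_ENOENT;       /* host readlink("/etc/malloc.conf") fails */
}

/* The POWERPC_EXCP_SYSCALL_USER return handling quoted from target_cpu_loop. */
static void toy_syscall_epilogue(ToyPPCState *env, target_ulong ret, bool advance_pc)
{
    env->crf0 &= ~0x1u;
    if (ret > (target_ulong)(-515)) {
        env->crf0 |= 0x1u;   /* error: set cr0.SO ... */
        ret = -ret;          /* ... and hand the guest a positive errno */
    }
    env->gpr[3] = ret;                 /* the line the thread singles out */
    if (advance_pc) env->nip += 4;     /* the step the thread finds missing (assumed) */
}

/* Emulate up to max_iter syscall exceptions while nip still points at "sc". */
static int toy_run(ToyPPCState *env, bool advance_pc, int max_iter)
{
    int n = 0;
    while (n < max_iter && env->nip == SC_ADDR) {
        toy_syscall_epilogue(env, (target_ulong)toy_readlink(env->gpr[3]), advance_pc);
        n++;
    }
    return n;
}

/* Constructed starting state: about to execute readlink(GOOD_PATH, ...). */
static ToyPPCState toy_initial_state(void)
{
    return (ToyPPCState){ .nip = SC_ADDR, .gpr = { [0] = 58, [3] = GOOD_PATH } };
}

int main(void)
{
    ToyPPCState env = toy_initial_state();
    int n = toy_run(&env, false, 5);
    printf("no PC advance: %d syscalls, nip=%#llx, gpr[3]=%llu, cr0.SO=%u\n",
           n, (unsigned long long)env.nip, (unsigned long long)env.gpr[3], env.crf0 & 1u);
    return 0;
}
```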
