On Thu, 1 Feb 2024 at 17:25, Alex Bennée <alex.ben...@linaro.org> wrote: > > Jonathan Cameron <jonathan.came...@huawei.com> writes: > >> > #21 0x0000555555ca3e5d in do_st8_mmu (cpu=0x5555578e0cb0, addr=23937, > >> > val=18386491784638059520, oi=6, ra=140736029817822) at > >> > ../../accel/tcg/cputlb.c:2853 > >> > #22 0x00007fffa9107c63 in code_gen_buffer () > >> > >> No thats different - we are actually writing to the MMIO region here. > >> But the fact we hit cpu_abort because we can't find the TB we are > >> executing is a little problematic. > >> > >> Does ra properly point to the code buffer here? > > > > Err. How would I tell? > > (gdb) p/x 140736029817822 > $1 = 0x7fffa9107bde > > seems off because code_gen_buffer starts at 0x00007fffa9107c63
The code_gen_buffer doesn't *start* at 0x00007fffa9107c63 -- that is our return address into it, which is to say it's just after the call insn to the do_st8_mmu helper. The 'ra' argument to the helper function is going to be a number slightly lower than that, because it points within the main lump of generated code for the TB, whereas the helper call is done as part of an out-of-line lump of common code at the end of the TB. The 'ra' here is fine -- the problem is that we don't pass it all the way down the callstack and instead end up using 0 as a 'ra' within the ptw code. -- PMM
