On 11/6/25 16:57, Peter Maydell wrote:
On Thu, 6 Nov 2025 at 15:48, Gustavo Romero <[email protected]> wrote:

Hi folks,

On 11/6/25 15:49, Richard Henderson wrote:
Currently an unpredictable movw such as

    movw pc, 0x123

Bah, how did you get this insn? Are you using any fuzzer? :P


results in the tinycode

     and_i32 $0x123,$0x123,$0xfffffffc
     mov_i32 pc,$0x123
     exit_tb $0x0

which is clearly a bug, writing to a constant is incorrect and discards
the result of the mask.  Fix this by adding a temporary in store_reg().

The difference between v1 and v2 is:

v1:
   mov_i32 tmp3,$0x123
   and_i32 tmp3,tmp3,$0xfffffffc
   mov_i32 pc,tmp3

v2 (this version):
   and_i32 pc,$0x123,$0xfffffffc


I think we need only a v3 that updates the commit message since we
are not adding a temporary anymore.

Interestingly, I was not able to crash the host when native code
was generated from:

and_i32 $0x123,$0x123,$0xfffffffc

The commit message doesn't say this crashes, it says it
discards the result of the mask. (That is, we intended to
clear the low bits of the guest PC but don't.)

Should there be a TCG debug assert for "TCGv for the
result of an operation is a constant" ?

There is, at least with --enable-debug-tcg.
I assumed there was a crash from the description,
but I haven't yet tried the test case Gustavo put together.


r~
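A small lint over a TCG op listing (the kind of tinycode dump quoted in the thread, as produced by QEMU's `-d op`) that flags the defect under discussion: an op whose output operand is a constant. This is an added example, not code from the thread or from QEMU; the op subset with an output operand and the sample dump are assumptions constructed for illustration.

```python
import re

# Constructed sample: the buggy listing from the thread, followed by the v1
# and v2 forms from the discussion. Only the first line should be flagged.
SAMPLE_OPS = """\
 and_i32 $0x123,$0x123,$0xfffffffc
 mov_i32 pc,$0x123
 exit_tb $0x0
 mov_i32 tmp3,$0x123
 and_i32 tmp3,tmp3,$0xfffffffc
 mov_i32 pc,tmp3
 and_i32 pc,$0x123,$0xfffffffc
"""

# Ops whose first operand is the output (destination). Ops such as exit_tb,
# brcond or st_* take only inputs and are deliberately not listed.
# Assumption: a hand-picked subset, not the full TCG opcode table.
OPS_WITH_OUTPUT = {
    "mov_i32", "and_i32", "or_i32", "xor_i32", "add_i32", "sub_i32",
    "shl_i32", "shr_i32", "mov_i64", "and_i64", "or_i64", "add_i64",
}

OP_RE = re.compile(r"^\s*(\w+)\s*(.*?)\s*$")


def parse_op(line):
    """Split one dump line into (opcode, [operands]); None for blank lines."""
    m = OP_RE.match(line)
    if not m or not m.group(1):
        return None
    name, rest = m.group(1), m.group(2)
    args = [a.strip() for a in rest.split(",")] if rest else []
    return name, args


def is_constant(operand):
    # In the dump format a constant operand is printed with a leading '$'.
    return operand.startswith("$")


def find_constant_outputs(dump):
    """Return (line number, op text) for every op that writes a constant."""
    bad = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        parsed = parse_op(line)
        if parsed is None:
            continue
        name, args = parsed
        if name in OPS_WITH_OUTPUT and args and is_constant(args[0]):
            bad.append((lineno, line.strip()))
    return bad
```

Running `find_constant_outputs(SAMPLE_OPS)` flags only the `and_i32 $0x123,...` line, which is what the `--enable-debug-tcg` assert catches at translation time.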
