On 06/11/25, Richard Henderson wrote:
> On 11/6/25 16:57, Peter Maydell wrote:
> > On Thu, 6 Nov 2025 at 15:48, Gustavo Romero <[email protected]> wrote:
> > >
> > > Hi folks,
> > >
> > > On 11/6/25 15:49, Richard Henderson wrote:
> > > > Currently an unpredictable movw such as
> > > >
> > > >    movw pc, 0x123
> > >
> > > bah, how did you get this insn? Are you using any fuzzer? :P

Not the most familiar with arm myself, but I noticed assemblers aren't happy
with producing this instruction. We use QEMU primarily for lifting code for
decompilation, and found this instruction when lifting some Android binary.
Looking back at the instructions it might be incorrectly identified Thumb code
on our end, so I doubt you'd encounter this instruction in the wild. Still I
think the code transformation from Richard makes sense since store_reg() is
used with TCG constants.

> > > > results in the tinycode
> > > >
> > > >    and_i32 $0x123,$0x123,$0xfffffffc
> > > >    mov_i32 pc,$0x123
> > > >    exit_tb $0x0
> > > >
> > > > which is clearly a bug, writing to a constant is incorrect and discards
> > > > the result of the mask. Fix this by adding a temporary in store_reg().
> > >
> > > The difference between v1 and v2 is:
> > >
> > > v1:
> > >    mov_i32 tmp3,$0x123
> > >    and_i32 tmp3,tmp3,$0xfffffffc
> > >    mov_i32 pc,tmp3
> > >
> > > v2 (this version)
> > >    and_i32 pc,$0x123,$0xfffffffc
> > >
> > >
> > > I think we need only a v3 that updates the commit message since we
> > > are not adding a temporary anymore.
> > >
> > > Interestingly, I was not able to crash the host when native code
> > > was generated from:
> > >
> > >    and_i32 $0x123,$0x123,$0xfffffffc
> >
> > The commit message doesn't say this crashes, it says it
> > discards the result of the mask. (That is, we intended to
> > clear the low bits of the guest PC but don't.)
> >
> > Should there be a TCG debug assert for "TCGv for the
> > result of an operation is a constant"?
>
> There is, at least with --enable-debug-tcg.
> I assumed there was a crash from the description,
> but I haven't yet tried the test case Gustavo put together.
>
>
> r~

--
Anton Johansson
rev.ng Labs Srl.
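As an added illustration of the three store_reg() shapes discussed above (the buggy form, Richard's v1 with a temporary, and v2 writing straight into pc), here is a small toy model of a TCG-style IR builder. It is not QEMU's code and uses none of its headers: the TCGv struct, the is_const flag, the write_ok() counter standing in for the --enable-debug-tcg assertion, and the op-text buffer are all assumptions made for this example. It translates the quoted "movw pc, 0x123" with each variant and shows why the "before" form leaves pc at 0x123 (the and_i32 result is written to the constant and discarded) while v1 and v2 both end at 0x120, v2 in a single op.

```c
/* Toy model of a TCG-style IR builder, written for this thread; it is NOT
 * QEMU's code.  Temporaries carry a flag saying whether they are read-only
 * constants (tcg_constant_i32) or writable temps/registers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPS 8

enum { BEFORE = 0, V1 = 1, V2 = 2 };

typedef struct {
    uint32_t val;   /* current value (or the constant's value) */
    int is_const;   /* 1: read-only constant, 0: writable temp/register */
} TCGv;

typedef struct {
    char ops[MAX_OPS][64];  /* textual tinycode, for printing only */
    int nops;
    int bad_writes;         /* writes whose destination was a constant */
} TB;

static TCGv tcg_constant_i32(uint32_t v) { TCGv t = { v, 1 }; return t; }
static TCGv tcg_temp_new_i32(void)       { TCGv t = { 0, 0 }; return t; }

/* Stand-in for the debug-tcg check (assumption: counts instead of aborting
 * so the example keeps running).  A write to a constant is dropped, which
 * is how the masked result gets discarded. */
static int write_ok(TB *tb, TCGv *dest)
{
    if (dest->is_const) { tb->bad_writes++; return 0; }
    return 1;
}

static void gen_andi_i32(TB *tb, TCGv *dest, const TCGv *a, uint32_t imm)
{
    uint32_t r = a->val & imm;              /* read before any write */
    snprintf(tb->ops[tb->nops++], 64, "and_i32 %s,$0x%x,$0x%x",
             dest->is_const ? "$const" : "dst", a->val, imm);
    if (write_ok(tb, dest)) dest->val = r;
}

static void gen_mov_i32(TB *tb, TCGv *dest, const TCGv *a)
{
    snprintf(tb->ops[tb->nops++], 64, "mov_i32 %s,$0x%x",
             dest->is_const ? "$const" : "dst", a->val);
    if (write_ok(tb, dest)) dest->val = a->val;
}

/* "before": mask var in place, then move it.  Fine for a temp, wrong when
 * var is a constant, because the and_i32 then targets the constant. */
static void store_reg_before(TB *tb, TCGv *pc, TCGv *var)
{
    gen_andi_i32(tb, var, var, 0xfffffffc);
    gen_mov_i32(tb, pc, var);
}

/* v1: route through a fresh temporary; correct, three ops. */
static void store_reg_v1(TB *tb, TCGv *pc, const TCGv *var)
{
    TCGv tmp = tcg_temp_new_i32();
    gen_mov_i32(tb, &tmp, var);
    gen_andi_i32(tb, &tmp, &tmp, 0xfffffffc);
    gen_mov_i32(tb, pc, &tmp);
}

/* v2: write the masked value straight into pc; correct, one op. */
static void store_reg_v2(TB *tb, TCGv *pc, const TCGv *var)
{
    gen_andi_i32(tb, pc, var, 0xfffffffc);
}

/* Translate "movw pc, 0x123" with the chosen variant; out may be NULL. */
static uint32_t translate_movw_pc(int variant, TB *out)
{
    TB tb;
    memset(&tb, 0, sizeof tb);
    TCGv pc  = tcg_temp_new_i32();
    TCGv imm = tcg_constant_i32(0x123);     /* the movw immediate */
    if (variant == BEFORE)  store_reg_before(&tb, &pc, &imm);
    else if (variant == V1) store_reg_v1(&tb, &pc, &imm);
    else                    store_reg_v2(&tb, &pc, &imm);
    if (out) *out = tb;
    return pc.val;
}

uint32_t pc_after(int variant)   { return translate_movw_pc(variant, NULL); }
int bad_writes(int variant)      { TB tb; translate_movw_pc(variant, &tb); return tb.bad_writes; }
int op_count(int variant)        { TB tb; translate_movw_pc(variant, &tb); return tb.nops; }

int main(void)
{
    const char *names[] = { "before", "v1", "v2" };
    for (int v = BEFORE; v <= V2; v++) {
        TB tb;
        uint32_t pc = translate_movw_pc(v, &tb);
        printf("%s: pc=0x%x bad_writes=%d\n", names[v], pc, tb.bad_writes);
        for (int i = 0; i < tb.nops; i++) printf("  %s\n", tb.ops[i]);
    }
    return 0;
}
```

The model only reproduces the bookkeeping point of the thread: whichever variant is chosen, the rule that matters is that the destination operand of an emitted op must be writable, and v2 satisfies it without the extra mov/and pair of v1.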
