+Harsh Harsh, would you be the right person to do the pull on this PPC TCG fix? If so, maybe we should go ahead and make it official in the MAINTAINERS file?
Thanks, Glenn On Tue, 2026-02-24 at 11:28 +0000, Peter Maydell wrote: > Thanks for the code review -- is anybody going to take this via a > PPC pull request? If not, I can take it via target-arm.next as a > one-off -- let me know if you'd prefer that. > > thanks > -- PMM > > On Thu, 12 Feb 2026 at 15:07, Peter Maydell <[email protected]> wrote: > > The test case in the ppe42 functional test triggers a TCG debug > > assertion, which causes the test to fail in an --enable-debug > > build or when the sanitizers are enabled: > > > > #6 0x00007ffff4a3b517 in __assert_fail > > (assertion=0x5555562e7589 "!temp_readonly(ots)", file=0x5555562e5b23 > > "../../tcg/tcg.c", line=4928, function=0x5555562e8900 > > <__PRETTY_FUNCTION__.23> "tcg_reg_alloc_mov") at ./assert/assert.c:105 > > #7 0x0000555555cc2189 in tcg_reg_alloc_mov (s=0x7fff60000b70, > > op=0x7fff600126f8) at ../../tcg/tcg.c:4928 > > #8 0x0000555555cc74e0 in tcg_gen_code (s=0x7fff60000b70, > > tb=0x7fffa802f540, pc_start=4294446080) at ../../tcg/tcg.c:6667 > > #9 0x0000555555d02abe in setjmp_gen_code > > (env=0x555556cbe610, tb=0x7fffa802f540, pc=4294446080, > > host_pc=0x7fffeea00c00, max_insns=0x7fffee9f9d74, ti=0x7fffee9f9d90) > > at ../../accel/tcg/translate-all.c:257 > > #10 0x0000555555d02d75 in tb_gen_code (cpu=0x555556cba590, s=...) at > > ../../accel/tcg/translate-all.c:325 > > #11 0x0000555555cf5922 in cpu_exec_loop (cpu=0x555556cba590, > > sc=0x7fffee9f9ee0) at ../../accel/tcg/cpu-exec.c:970 > > #12 0x0000555555cf5aae in cpu_exec_setjmp (cpu=0x555556cba590, > > sc=0x7fffee9f9ee0) at ../../accel/tcg/cpu-exec.c:1016 > > #13 0x0000555555cf5b4b in cpu_exec (cpu=0x555556cba590) at > > ../../accel/tcg/cpu-exec.c:1042 > > #14 0x0000555555d1e7ab in tcg_cpu_exec (cpu=0x555556cba590) at > > ../../accel/tcg/tcg-accel-ops.c:82 > > #15 0x0000555555d1ff97 in rr_cpu_thread_fn (arg=0x555556cba590) at > > ../../accel/tcg/tcg-accel-ops-rr.c:285 > > #16 0x00005555561586c9 in qemu_thread_start (args=0x555556ee3c90) at > > ../../util/qemu-thread-posix.c:393 > > #17 0x00007ffff4a9caa4 in start_thread (arg=<optimized out>) at > > ./nptl/pthread_create.c:447 > > #18 0x00007ffff4b29c6c in clone3 () at > > ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 > > > > This can be reproduced "by hand": > > > > ./build/clang/qemu-system-ppc -display none -vga none \ > > -machine ppe42_machine -serial stdio \ > > -device > > loader,file=$HOME/.cache/qemu/download/03c1ac0fb7f6c025102a02776a93b35101dae7c14b75e4eab36a337e39042ea8 > > \ > > -device loader,addr=0xfff80040,cpu-num=0 > > > > (assuming you have the image file from the functional test > > in your local cache). > > > > This happens for this input: > > > > IN: > > 0xfff80c00: 07436004 .byte 0x07, 0x43, 0x60, 0x04 > > > > which generates (among other things): > > > > not_i32 $0x80000,$0x80000 > > > > which the TCG optimization pass turns into: > > > > mov_i32 $0x80000,$0xfff7ffff dead: 1 pref=0xffff > > > > and where we then assert because we tried to write to a constant. > > > > This happens for the CLRBWIBC instruction which ends up in > > do_mask_branch() with rb_is_gpr false and invert true. In this case > > we will generate code that sets mask to a tcg_constant_tl() but then > > uses it as the LHS in tcg_gen_not_tl(). > > > > Fix the assertion by doing the invert in the translate time C code > > for the "mask is constant" case. > > > > Cc: [email protected] > > Fixes: f7ec91c23906 ("target/ppc: Add IBM PPE42 special instructions") > > Signed-off-by: Peter Maydell <[email protected]> > > --- > > target/ppc/translate/ppe-impl.c.inc | 12 ++++++++---- > > 1 file changed, 8 insertions(+), 4 deletions(-) > > > > diff --git a/target/ppc/translate/ppe-impl.c.inc > > b/target/ppc/translate/ppe-impl.c.inc > > index 0a0590344e..1c27facb89 100644 > > --- a/target/ppc/translate/ppe-impl.c.inc > > +++ b/target/ppc/translate/ppe-impl.c.inc > > @@ -424,11 +424,15 @@ static bool do_mask_branch(DisasContext *ctx, arg_FCB > > * a, bool invert, > > shift = tcg_temp_new(); > > tcg_gen_andi_tl(shift, cpu_gpr[a->rb], 0x1f); > > tcg_gen_shr_tl(mask, tcg_constant_tl(0x80000000), shift); > > + if (invert) { > > + tcg_gen_not_tl(mask, mask); > > + } > > } else { > > - mask = tcg_constant_tl(PPC_BIT32(a->rb)); > > - } > > - if (invert) { > > - tcg_gen_not_tl(mask, mask); > > + target_ulong mask_const = PPC_BIT32(a->rb); > > + if (invert) { > > + mask_const = ~mask_const; > > + } > > + mask = tcg_constant_tl(mask_const); > > } > > > > /* apply mask to ra */ > > -- > > 2.43.0 > >
