Hi Glenn, Peter,
Thanks for the reminder on this.
I have been planning to prepare next pull-req for 11.0 by this weekend
and shall take care of this fix as well.
On 25/02/26 3:15 am, Miles Glenn wrote:
+Harsh
Harsh, would you be the right person to do the pull on this PPC TCG
fix? If so, maybe we should go ahead and make it official in the
MAINTAINERS file?
Yeh, I have been thinking about it, will add myself as a reviewer for
powernv, tcg to enable listing via get_maintainers.pl to be CC'ed.
Glenn,
Would you be willing to volunteer as a reviewer for ppc tcg as well? Thanks!
regards,
Harsh
Thanks,
Glenn
On Tue, 2026-02-24 at 11:28 +0000, Peter Maydell wrote:
Thanks for the code review -- is anybody going to take this via a
PPC pull request? If not, I can take it via target-arm.next as a
one-off -- let me know if you'd prefer that.
thanks
-- PMM
On Thu, 12 Feb 2026 at 15:07, Peter Maydell <[email protected]> wrote:
The test case in the ppe42 functional test triggers a TCG debug
assertion, which causes the test to fail in an --enable-debug
build or when the sanitizers are enabled:
#6 0x00007ffff4a3b517 in __assert_fail
(assertion=0x5555562e7589 "!temp_readonly(ots)", file=0x5555562e5b23 "../../tcg/tcg.c",
line=4928, function=0x5555562e8900 <__PRETTY_FUNCTION__.23> "tcg_reg_alloc_mov") at
./assert/assert.c:105
#7 0x0000555555cc2189 in tcg_reg_alloc_mov (s=0x7fff60000b70,
op=0x7fff600126f8) at ../../tcg/tcg.c:4928
#8 0x0000555555cc74e0 in tcg_gen_code (s=0x7fff60000b70, tb=0x7fffa802f540,
pc_start=4294446080) at ../../tcg/tcg.c:6667
#9 0x0000555555d02abe in setjmp_gen_code
(env=0x555556cbe610, tb=0x7fffa802f540, pc=4294446080,
host_pc=0x7fffeea00c00, max_insns=0x7fffee9f9d74, ti=0x7fffee9f9d90)
at ../../accel/tcg/translate-all.c:257
#10 0x0000555555d02d75 in tb_gen_code (cpu=0x555556cba590, s=...) at
../../accel/tcg/translate-all.c:325
#11 0x0000555555cf5922 in cpu_exec_loop (cpu=0x555556cba590, sc=0x7fffee9f9ee0)
at ../../accel/tcg/cpu-exec.c:970
#12 0x0000555555cf5aae in cpu_exec_setjmp (cpu=0x555556cba590,
sc=0x7fffee9f9ee0) at ../../accel/tcg/cpu-exec.c:1016
#13 0x0000555555cf5b4b in cpu_exec (cpu=0x555556cba590) at
../../accel/tcg/cpu-exec.c:1042
#14 0x0000555555d1e7ab in tcg_cpu_exec (cpu=0x555556cba590) at
../../accel/tcg/tcg-accel-ops.c:82
#15 0x0000555555d1ff97 in rr_cpu_thread_fn (arg=0x555556cba590) at
../../accel/tcg/tcg-accel-ops-rr.c:285
#16 0x00005555561586c9 in qemu_thread_start (args=0x555556ee3c90) at
../../util/qemu-thread-posix.c:393
#17 0x00007ffff4a9caa4 in start_thread (arg=<optimized out>) at
./nptl/pthread_create.c:447
#18 0x00007ffff4b29c6c in clone3 () at
../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
This can be reproduced "by hand":
./build/clang/qemu-system-ppc -display none -vga none \
-machine ppe42_machine -serial stdio \
-device
loader,file=$HOME/.cache/qemu/download/03c1ac0fb7f6c025102a02776a93b35101dae7c14b75e4eab36a337e39042ea8
\
-device loader,addr=0xfff80040,cpu-num=0
(assuming you have the image file from the functional test
in your local cache).
This happens for this input:
IN:
0xfff80c00: 07436004 .byte 0x07, 0x43, 0x60, 0x04
which generates (among other things):
not_i32 $0x80000,$0x80000
which the TCG optimization pass turns into:
mov_i32 $0x80000,$0xfff7ffff dead: 1 pref=0xffff
and where we then assert because we tried to write to a constant.
This happens for the CLRBWIBC instruction which ends up in
do_mask_branch() with rb_is_gpr false and invert true. In this case
we will generate code that sets mask to a tcg_constant_tl() but then
uses it as the LHS in tcg_gen_not_tl().
Fix the assertion by doing the invert in the translate time C code
for the "mask is constant" case.
Cc: [email protected]
Fixes: f7ec91c23906 ("target/ppc: Add IBM PPE42 special instructions")
Signed-off-by: Peter Maydell <[email protected]>
---
target/ppc/translate/ppe-impl.c.inc | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/target/ppc/translate/ppe-impl.c.inc
b/target/ppc/translate/ppe-impl.c.inc
index 0a0590344e..1c27facb89 100644
--- a/target/ppc/translate/ppe-impl.c.inc
+++ b/target/ppc/translate/ppe-impl.c.inc
@@ -424,11 +424,15 @@ static bool do_mask_branch(DisasContext *ctx, arg_FCB *
a, bool invert,
shift = tcg_temp_new();
tcg_gen_andi_tl(shift, cpu_gpr[a->rb], 0x1f);
tcg_gen_shr_tl(mask, tcg_constant_tl(0x80000000), shift);
+ if (invert) {
+ tcg_gen_not_tl(mask, mask);
+ }
} else {
- mask = tcg_constant_tl(PPC_BIT32(a->rb));
- }
- if (invert) {
- tcg_gen_not_tl(mask, mask);
+ target_ulong mask_const = PPC_BIT32(a->rb);
+ if (invert) {
+ mask_const = ~mask_const;
+ }
+ mask = tcg_constant_tl(mask_const);
}
/* apply mask to ra */
--
2.43.0
