[panda-users] [PATCH]tcg_llvm:an obvious bug when generating llvm ir

Sat Jan 21 03:32:00 EST 2017

There was an obvious bug when PANDA generating the 16th basic block on
system booting.Following command could trigger that：

[da2din9o at VBT ~/panda]$./build_panda/i386-softmmu/qemu-system-i386  -llvm


Turn on the llvm_ir log option,IR generated are as following:

define private i64 @tcg-llvm-tb-16-ef1c5(%struct.CPUX86State*) {
entry:
  %1 = alloca i32
  %2 = ptrtoint %struct.CPUX86State* %0 to i64, !host !0
  %rrgic = load volatile i64* inttoptr (i64 0x5555572AEF98 to i64*), !host
!1
  %3 = add i64 %2, -4
  %4 = inttoptr i64 %3 to i32*
  %tmp11_v = load i32* %4
  %5 = icmp ne i32 %tmp11_v, 0
  br i1 %5, label %17, label %6

; <label>:6                                       ; preds = %entry
  store volatile i64 0xEF1C5, i64* inttoptr (i64 0x555556D3D0F0 to i64*),
!host !2
  store volatile i64 0xEF1C5, i64* inttoptr (i64 0x5555572AEFA0 to i64*),
!host !2
  %rrgic1 = add i64 %rrgic, 1, !host !1
  store volatile i64 %rrgic1, i64* inttoptr (i64 0x5555572AEF98 to i64*),
!host !1
  %7 = add i64 %2, 0x2c
  %cc_src_ptr = inttoptr i64 %7 to i32*
  store i32 37, i32* %cc_src_ptr
  %8 = add i64 %2, 0x8
  %edx_ptr = inttoptr i64 %8 to i32*
  %edx_v = load i32* %edx_ptr
  %tmp-25_v = sub i32 %edx_v, 0x25
  %9 = add i64 %2, 0x28
  %cc_dst_ptr = inttoptr i64 %9 to i32*
  store i32 %tmp-25_v, i32* %cc_dst_ptr
  store volatile i64 0xEF1C8, i64* inttoptr (i64 0x555556D3D0F0 to i64*),
!host !2
  store volatile i64 0xEF1C8, i64* inttoptr (i64 0x5555572AEFA0 to i64*),
!host !2
  %rrgic2 = add i64 %rrgic1, 1, !host !1
  store volatile i64 %rrgic2, i64* inttoptr (i64 0x5555572AEF98 to i64*),
!host !1
  %10 = trunc i32 %tmp-25_v to i8
  %tmp0_v = zext i8 %10 to i32
  %11 = add i64 %2, 0x34
  %cc_op_ptr = inttoptr i64 %11 to i32*
  store i32 14, i32* %cc_op_ptr
  %12 = icmp ne i32 %tmp0_v, 0
  br i1 %12, label %16, label %13

; <label>:13                                      ; preds = %6
  %14 = add i64 %2, 0x20
  %15 = inttoptr i64 %14 to i32*
  store i32 0xEF1CE, i32* %15
  ret i64 140737050397200

; <label>:16                                      ; preds = %6
  store i32 0xEF268, i32* %15
  ret i64 140737050397201

; <label>:17                                      ; preds = %entry
  ret i64 140737050397203
}


Note that the variable%15, which is used as the destination address by
operator “store” directly in label16 but initialized in label 13，and the
label 13 has never been excuted.
I try to fix that issue by following patch:

[da2din9o at VBT ~/panda/panda]$git diff a3c024 871b3d

diff --git a/panda/llvm/tcg-llvm.cpp b/panda/llvm/tcg-llvm.cpp
index 56bbcf0..0ecc797 100644
--- a/panda/llvm/tcg-llvm.cpp
+++ b/panda/llvm/tcg-llvm.cpp
@@ -117,7 +117,6 @@ struct TCGLLVMContextPrivate {
     /* Pointers to in-memory versions of globals or local temps */
     Value* m_memValuesPtr[TCG_MAX_TEMPS];

-    std::map<int64_t, Value *> m_envOffsetValues;
     Value *m_envInt;

     /* For reg-based globals, store argument number,
@@ -433,19 +432,12 @@ Value* TCGLLVMContextPrivate::getPtrForValue(int idx)
 }

 Value* TCGLLVMContextPrivate::getEnvOffsetPtr(int64_t offset, TCGTemp
&temp) {
-    auto it = m_envOffsetValues.find(offset);
-    llvm::Type *tempType = tcgPtrType(temp.type);
-    if (it == m_envOffsetValues.end() || tempType !=
it->second->getType()) {
-        Value *v;
-        v = m_builder.CreateAdd(m_envInt, ConstantInt::get(wordType(),
offset));
-        v = m_builder.CreateIntToPtr(
-                v, tcgPtrType(temp.type),
-                temp.name ? StringRef(temp.name) + "_ptr": "");
-        m_envOffsetValues[offset] = v;
-        return v;
-    } else {
-        return it->second;
-    }
+    Value *v;
+    v = m_builder.CreateAdd(m_envInt, ConstantInt::get(wordType(),
offset));
+    v = m_builder.CreateIntToPtr(
+            v, tcgPtrType(temp.type),
+            temp.name ? StringRef(temp.name) + "_ptr": "");
+    return v;
 }

 static inline void freeValue(Value *V) {
@@ -1410,11 +1402,6 @@ void TCGLLVMContextPrivate::generateCode(TCGContext
*s, TranslationBlock *tb)
     for(int i=0; i<TCG_MAX_LABELS; ++i)
         delLabel(i);

-    for (auto &it : m_envOffsetValues) {
-        freeValue(it.second);
-    }
-    m_envOffsetValues.clear();
-
     // run all specified function passes
     m_functionPassManager->run(*m_tbFunction);



PANDA excuting normally,but I'm not sure whether that patch could cause
other unexpected problems.
So could you confirm if that patch can be accepted or issue a new patch to
solve the beginning problem？
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20170121/9fc064ac/attachment.html
