git.proxmox.com Git - mirror

author	Richard Henderson <richard.henderson@linaro.org>
	Fri, 15 Jun 2018 05:57:03 +0000 (19:57 -1000)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Wed, 18 Jul 2018 16:44:56 +0000 (11:44 -0500)
commit	78747264b96113810c1743b4019c301c4317196c
tree	b832af374576c03f66afbc485aee36fdf64486ca	tree
parent	d8a7ec1deb2fb9283b420c4ac5601f873e93879a	commit \| diff

tcg: Reduce max TB opcode count

Also, assert that we don't overflow any of two different offsets into
the TB. Both unwind and goto_tb both record a uint16_t for later use.

This fixes an arm-softmmu test case utilizing NEON in which there is
a TB generated that runs to 7800 opcodes, and compiles to 96k on an
x86_64 host.  This overflows the 16-bit offset in which we record the
goto_tb reset offset.  Because of that overflow, we install a jump
destination that goes to neverland.  Boom.

With this reduced op count, the same TB compiles to about 48k for
aarch64, ppc64le, and x86_64 hosts, and neither assertion fires.

Cc: qemu-stable@nongnu.org
Reported-by: "Jason A. Donenfeld" <Jason@zx2c4.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 9f754620651d3432114f4bb89c7f12cbea814b3e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

tcg/aarch64/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/arm/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/i386/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/mips/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/ppc/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/s390/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/sparc/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/tcg.c		diff \| blob \| blame \| history
tcg/tcg.h		diff \| blob \| blame \| history
tcg/tci/tcg-target.inc.c		diff \| blob \| blame \| history