git.proxmox.com Git - mirror

tcg: Reduce max TB opcode count

Also, assert that we don't overflow any of two different offsets into
the TB. Both unwind and goto_tb both record a uint16_t for later use.

This fixes an arm-softmmu test case utilizing NEON in which there is
a TB generated that runs to 7800 opcodes, and compiles to 96k on an
x86_64 host.  This overflows the 16-bit offset in which we record the
goto_tb reset offset.  Because of that overflow, we install a jump
destination that goes to neverland.  Boom.

With this reduced op count, the same TB compiles to about 48k for
aarch64, ppc64le, and x86_64 hosts, and neither assertion fires.

Cc: qemu-stable@nongnu.org
Reported-by: "Jason A. Donenfeld" <Jason@zx2c4.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

author	Richard Henderson <richard.henderson@linaro.org>
	Fri, 15 Jun 2018 05:57:03 +0000 (19:57 -1000)
committer	Richard Henderson <richard.henderson@linaro.org>
	Fri, 15 Jun 2018 19:39:53 +0000 (09:39 -1000)
commit	9f754620651d3432114f4bb89c7f12cbea814b3e
tree	7450e7708caa0ef187fc4fb66d62695e33a2c82b	tree
parent	0ac20318ce16f4de288969b2007ef5a654176058	commit \| diff

tcg/aarch64/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/arm/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/i386/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/mips/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/ppc/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/s390/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/sparc/tcg-target.inc.c		diff \| blob \| blame \| history
tcg/tcg.c		diff \| blob \| blame \| history
tcg/tcg.h		diff \| blob \| blame \| history
tcg/tci/tcg-target.inc.c		diff \| blob \| blame \| history