aboutsummaryrefslogtreecommitdiff
path: root/accel/tcg
diff options
context:
space:
mode:
authorAlex Bennée <alex.bennee@linaro.org>2022-02-04 20:43:35 +0000
committerAlex Bennée <alex.bennee@linaro.org>2022-02-09 13:26:29 +0000
commit6f15c076dae07c2438eb488d71fa332e2b8d0963 (patch)
tree4d88cbdafdb546272a5cbc886181e5de4245b8e5 /accel/tcg
parent346cd004f65edf2e55dfd8333cb0f63e08423791 (diff)
downloadqemu-6f15c076dae07c2438eb488d71fa332e2b8d0963.zip
qemu-6f15c076dae07c2438eb488d71fa332e2b8d0963.tar.gz
qemu-6f15c076dae07c2438eb488d71fa332e2b8d0963.tar.bz2
plugins: move reset of plugin data to tb_start
We can't always guarantee we get to the end of a translator loop. Although this can happen for a variety of reasons it does happen more often on x86 system emulation when an instruction spans across to an un-faulted page. This caused confusion of the instruction tracking data resulting in apparent reverse execution (at least from the plugins point of view). Fix this by moving the reset code to plugin_gen_tb_start so we always start with a clean slate. We unconditionally reset tcg_ctx->plugin_insn as the plugin_insn_append code uses this as a proxy for knowing if plugins are enabled for the current instruction. Otherwise we can hit a race where a previously instrumented thread leaves a stale value after the main thread exits and disables instrumentation. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/824 Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20220204204335.1689602-27-alex.bennee@linaro.org>
Diffstat (limited to 'accel/tcg')
-rw-r--r--accel/tcg/plugin-gen.c31
1 files changed, 20 insertions, 11 deletions
diff --git a/accel/tcg/plugin-gen.c b/accel/tcg/plugin-gen.c
index 22d95fe..3d0b101 100644
--- a/accel/tcg/plugin-gen.c
+++ b/accel/tcg/plugin-gen.c
@@ -854,10 +854,20 @@ static void plugin_gen_inject(const struct qemu_plugin_tb *plugin_tb)
bool plugin_gen_tb_start(CPUState *cpu, const TranslationBlock *tb, bool mem_only)
{
- struct qemu_plugin_tb *ptb = tcg_ctx->plugin_tb;
bool ret = false;
if (test_bit(QEMU_PLUGIN_EV_VCPU_TB_TRANS, cpu->plugin_mask)) {
+ struct qemu_plugin_tb *ptb = tcg_ctx->plugin_tb;
+ int i;
+
+ /* reset callbacks */
+ for (i = 0; i < PLUGIN_N_CB_SUBTYPES; i++) {
+ if (ptb->cbs[i]) {
+ g_array_set_size(ptb->cbs[i], 0);
+ }
+ }
+ ptb->n = 0;
+
ret = true;
ptb->vaddr = tb->pc;
@@ -868,6 +878,9 @@ bool plugin_gen_tb_start(CPUState *cpu, const TranslationBlock *tb, bool mem_onl
plugin_gen_empty_callback(PLUGIN_GEN_FROM_TB);
}
+
+ tcg_ctx->plugin_insn = NULL;
+
return ret;
}
@@ -904,23 +917,19 @@ void plugin_gen_insn_end(void)
plugin_gen_empty_callback(PLUGIN_GEN_AFTER_INSN);
}
+/*
+ * There are cases where we never get to finalise a translation - for
+ * example a page fault during translation. As a result we shouldn't
+ * do any clean-up here and make sure things are reset in
+ * plugin_gen_tb_start.
+ */
void plugin_gen_tb_end(CPUState *cpu)
{
struct qemu_plugin_tb *ptb = tcg_ctx->plugin_tb;
- int i;
/* collect instrumentation requests */
qemu_plugin_tb_trans_cb(cpu, ptb);
/* inject the instrumentation at the appropriate places */
plugin_gen_inject(ptb);
-
- /* clean up */
- for (i = 0; i < PLUGIN_N_CB_SUBTYPES; i++) {
- if (ptb->cbs[i]) {
- g_array_set_size(ptb->cbs[i], 0);
- }
- }
- ptb->n = 0;
- tcg_ctx->plugin_insn = NULL;
}