Bug 120315

Summary: Backing store switch in exception_save_restart leaves ar.rnat undefined
Product: Base System Reporter: Christian Kandeler <christian.kandeler>
Component: ia64 Assignee: freebsd-ia64 (Nobody) <ia64>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Christian Kandeler 2008-02-06 11:50:02 UTC
The move to bspstore in exception_save_restart (file ia64/ia64/exception.S) invalidates ar.rnat, which has to be recovered from r19, but isn't. This is the same problem that existed in epc_syscall (see this thread: http://lists.freebsd.org/pipermail/freebsd-ia64/2007-June/001391.html). It will most likely crash Itanium processors that define the "undefined()" value, as used in the SDM, as something other than zero, which is perfectly possible.

Fix: 

Insert a mov ar.rnat=r19 after the move to bspstore. I am not including a patch because I don't want to mess with the hand-crafted bundles.
Comment 1 dfilter service freebsd_committer freebsd_triage 2009-12-08 00:44:36 UTC
Author: marcel
Date: Tue Dec  8 00:44:23 2009
New Revision: 200240
URL: http://svn.freebsd.org/changeset/base/200240

Log:
  In exception_save, write-back ar.rnat after switching the backing-
  store. Writing to ar.bspstore is defined to leave ar.rnat undefined.
  
  PR:		ia64/120315
  MFC after:	3 days

Modified:
  head/sys/ia64/ia64/exception.S

Modified: head/sys/ia64/ia64/exception.S
==============================================================================
--- head/sys/ia64/ia64/exception.S	Mon Dec  7 21:30:54 2009	(r200239)
+++ head/sys/ia64/ia64/exception.S	Tue Dec  8 00:44:23 2009	(r200240)
@@ -228,43 +228,42 @@ exception_save_restart:
 (p13)	dep		r20=r20,r21,0,9		// align dirty registers
 	;;
 }
-	// r20=bspstore, r22=iip, r23=ipsr
+	// r19=rnat, r20=bspstore, r22=iip, r23=ipsr
 {	.mmi
 	st8		[r31]=r23,16		// psr
 (p13)	mov		ar.bspstore=r20
 	nop		0
 	;;
 }
-{	.mmi
+{	.mmb
+(p13)	mov		ar.rnat=r19
 	mov		r18=ar.bsp
-	;;
-	mov		r19=cr.ifs
-	sub		r18=r18,r20
+	nop		0
 	;;
 }
 {	.mmi
+	mov		r19=cr.ifs
 	st8.spill	[r30]=gp,16		// gp
-	st8		[r31]=r18,16		// ndirty
-	nop		0
+	sub		r18=r18,r20
 	;;
 }
 	// r19=ifs, r22=iip
-{	.mmi
+{	.mmb
+	st8		[r31]=r18,16		// ndirty
 	st8		[r30]=r19,16		// cfm
-	st8		[r31]=r22,16		// iip
 	nop		0
 	;;
 }
 {	.mmi
-	st8		[r30]=r17		// ifa
 	mov		r18=cr.isr
+	st8		[r31]=r22,16		// iip
 	add		r29=16,r30
 	;;
 }
-{	.mmi
-	st8		[r31]=r18		// isr
-	add		r30=8,r29
-	add		r31=16,r29
+{	.mmb
+	st8		[r30]=r17,24		// ifa
+	st8		[r31]=r18,24		// isr
+	nop		0
 	;;
 }
 {	.mmi
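Review bot: The restore at `(p13) mov ar.rnat=r19` depends on an ordering that the new lines do not document: r19 is overwritten by `mov r19=cr.ifs` in the very next bundle, so the write to ar.rnat has to stay between the `ar.bspstore` write and that reuse. I would put the reason above the `.mmb` bundle, for example `// ar.bspstore write leaves ar.rnat undefined; restore it from r19 before r19 is reused for cr.ifs`. The instruction that loads r19 from ar.rnat is outside the hunk, so it is worth confirming that it executes on every path where p13 is set; otherwise the restore would write a stale r19 into the NaT collection register. exception_save_restart begins before and continues after this hunk. The same comment applies to the identical stable/8 hunk merged in r200386.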
Comment 2 Marcel Moolenaar freebsd_committer freebsd_triage 2009-12-08 00:46:03 UTC
State Changed
From-To: open->patched

Fix committed to 9-CURRENT. The merge to 8-STABLE will happen in
a few days. Thanks for the PR, and sorry for the delay.
Comment 3 dfilter service freebsd_committer freebsd_triage 2009-12-11 01:26:40 UTC
Author: marcel
Date: Fri Dec 11 01:26:26 2009
New Revision: 200386
URL: http://svn.freebsd.org/changeset/base/200386

Log:
  MFC rev 200240:
  In exception_save, write-back ar.rnat after switching the backing-store.
  
  PR:		ia64/120315

Modified:
  stable/8/sys/ia64/ia64/exception.S
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/8/sys/ia64/ia64/exception.S
==============================================================================
--- stable/8/sys/ia64/ia64/exception.S	Fri Dec 11 01:26:09 2009	(r200385)
+++ stable/8/sys/ia64/ia64/exception.S	Fri Dec 11 01:26:26 2009	(r200386)
@@ -219,43 +219,42 @@ exception_save_restart:
 (p13)	dep		r20=r20,r21,0,9		// align dirty registers
 	;;
 }
-	// r20=bspstore, r22=iip, r23=ipsr
+	// r19=rnat, r20=bspstore, r22=iip, r23=ipsr
 {	.mmi
 	st8		[r31]=r23,16		// psr
 (p13)	mov		ar.bspstore=r20
 	nop		0
 	;;
 }
-{	.mmi
+{	.mmb
+(p13)	mov		ar.rnat=r19
 	mov		r18=ar.bsp
-	;;
-	mov		r19=cr.ifs
-	sub		r18=r18,r20
+	nop		0
 	;;
 }
 {	.mmi
+	mov		r19=cr.ifs
 	st8.spill	[r30]=gp,16		// gp
-	st8		[r31]=r18,16		// ndirty
-	nop		0
+	sub		r18=r18,r20
 	;;
 }
 	// r19=ifs, r22=iip
-{	.mmi
+{	.mmb
+	st8		[r31]=r18,16		// ndirty
 	st8		[r30]=r19,16		// cfm
-	st8		[r31]=r22,16		// iip
 	nop		0
 	;;
 }
 {	.mmi
-	st8		[r30]=r17		// ifa
 	mov		r18=cr.isr
+	st8		[r31]=r22,16		// iip
 	add		r29=16,r30
 	;;
 }
-{	.mmi
-	st8		[r31]=r18		// isr
-	add		r30=8,r29
-	add		r31=16,r29
+{	.mmb
+	st8		[r30]=r17,24		// ifa
+	st8		[r31]=r18,24		// isr
+	nop		0
 	;;
 }
 {	.mmi
Comment 4 Marcel Moolenaar freebsd_committer freebsd_triage 2009-12-11 01:30:57 UTC
State Changed
From-To: patched->closed

Fix merged to 8-STABLE.