dotnet for mips64 的 ea 版本已经发布
https://github.com/gsvm/loongson-dotnet/releases
在龙芯上调试CoreCLR
由于lldb在龙芯上工作不正常[1],只有gdb可以用来调试CoreCLR。
因为需要调试JIT代码,所以我们关上gdb分页,不处理SIG34信号:
$ cat ~/.gdbinit
set pagination off
handle SIG34 nostop noprint
调试JIT代码
export CORE_LIBRARIES=/home/loongson/corefx-3.1-Linux.mips64.Debug
export COMPlus_JitFunctionTrace=1
export COMPlus_JitHalt="Main"
gdb -ex=r --args ./bin/Product/Linux.mips64.Debug/corerun /home/loongson/Hello.dll | tee gdb.log
JitHalt="Main"可以在Main方法的序言处插入break指令,然后我们跳过break指令:
(gdb) set $pc+=4
(gdb) x/22i $pc-44
0xff7c983aac: li zero,0x73
0xff7c983ab0: nop
0xff7c983ab4: 0xf20000
0xff7c983ab8: sdc1 $f2,-6100(s6)
0xff7c983abc: dsra32 zero,zero,0x3
0xff7c983ac0: 0x7cc11db8
0xff7c983ac4: dsra32 zero,zero,0x3
0xff7c983ac8: 0x7cc49458
0xff7c983acc: dsra32 zero,zero,0x3
0xff7c983ad0: nop
0xff7c983ad4: break
=> 0xff7c983ad8: daddiu sp,sp,-32
0xff7c983adc: sd s8,0(sp)
0xff7c983ae0: sd ra,8(sp)
0xff7c983ae4: move s8,sp
0xff7c983ae8: sd a0,24(s8)
0xff7c983aec: lui a0,0xff
0xff7c983af0: ori a0,a0,0x7caf
0xff7c983af4: dsll a0,a0,0x10
0xff7c983af8: ori a0,a0,0x7a88
0xff7c983afc: lw a0,0(a0)
0xff7c983b00: sltiu at,a0,1
查看一下传参整型寄存器的值:
(gdb) i r a0
a0: 0xff5800fa28
(gdb) x/g 0xff5800fa28
0xff5800fa28: 0x000000ff7caf7c30
然后用si指令级的单步跟踪。
还可以使用“硬”watchpoint[2]调试GC相关问题:
(gdb) watch *0xff68001bf8
Hardware watchpoint 1: *0xff68001bf8
(gdb) c
Continuing.
...
Thread 1 "corerun" hit Hardware watchpoint 1: *0xff68001bf8
Old value = 0
New value = 1476465840
JIT_WriteBarrier () at /home/loongson/coreclr/src/vm/mips64/asmhelpers.S:206
(gdb) c
Continuing.
...
Thread 1 "corerun" hit Hardware watchpoint 1: *0xff68001bf8
Old value = 1476465840
New value = 1476577368
JIT_WriteBarrier () at /home/loongson/coreclr/src/vm/mips64/asmhelpers.S:206
如何跟踪是“谁”生成的JIT代码?
测试用例:JIT/Methodical/Invoke/thiscall/dbgthisnull/dbgthisnull.exe[3]
加压JIT、GC的时候,该测试用例复现段错误:
export CORE_LIBRARIES=/home/loongson/corefx-3.1-Linux.mips64.Debug
export COMPlus_JitFunctionTrace=1
export COMPlus_JitStress=2
export COMPlus_GCStress=1
export COMPlus_HeapVerify=1
gdb -ex=r --args ./bin/Product/Linux.mips64.Debug/corerun ./bin/tests/Linux.mips64.Debug/JIT/Methodical/Invoke/thiscall/_dbgthisnull/_dbgthisnull.exe | tee gdb.log
我们发现该测试用例“故意”造空指针访存:
Program received signal SIGSEGV, Segmentation fault.
0x000000ff7c985948 in ?? ()
(gdb) x/22i $pc-44
0xff7c98591c: dext a0,a0,0x0,0x8
0xff7c985920: sltiu at,a0,1
0xff7c985924: beqz at,0xff7c985944
0xff7c985928: nop
0xff7c98592c: b 0xff7c98596c
0xff7c985930: nop
0xff7c985934: nop
0xff7c985938: nop
0xff7c98593c: nop
0xff7c985940: nop
0xff7c985944: ld a0,32(s8)
=> 0xff7c985948: ldc1 $f0,8(a0)
0xff7c98594c: sdc1 $f0,24(s8)
0xff7c985950: nop
0xff7c985954: b 0xff7c9859a0
0xff7c985958: nop
0xff7c98595c: nop
0xff7c985960: nop
0xff7c985964: nop
0xff7c985968: nop
0xff7c98596c: bal 0xff7c985974
0xff7c985970: nop
(gdb) i r a0
a0: 0x0
那么ldc1 $f0,8(a0)这条指令是由“谁”生成的呢?
0x000000ff7c985948 in ?? ()
(gdb) x/76i 0x000000ff7c915948-152
0xff7c9158b0: daddiu sp,sp,-48 <-------- CodeGen::genFnProlog -> CodeGen::genAllocLclFrame
0xff7c9158b4: sd s8,0(sp) -> CodeGen::genPushCalleeSavedRegisters
0xff7c9158b8: sd ra,8(sp) -> ...
0xff7c9158bc: move s8,sp
0xff7c9158c0: sd a0,32(s8)
0xff7c9158c4: sw a1,40(s8) <-------- CodeGen::genFnProlog
0xff7c9158c8: lui a0,0xff <----- set_Reg_To_Imm
0xff7c9158cc: ori a0,a0,0x7ca8
0xff7c9158d0: dsll a0,a0,0x10
0xff7c9158d4: ori a0,a0,0x7b50 <----- set_Reg_To_Imm end
0xff7c9158d8: lw a0,0(a0)
0xff7c9158dc: sltiu at,a0,1 <---------- CodeGen::genCodeForCompare
0xff7c9158e0: beqz at,0xff7c915900
0xff7c9158e4: nop
0xff7c9158e8: b 0xff7c915918
0xff7c9158ec: nop
0xff7c9158f0: nop
0xff7c9158f4: nop
0xff7c9158f8: nop
0xff7c9158fc: nop <----------- CodeGen::genCodeForCompare
0xff7c915900: lui a0,0xff
0xff7c915904: ori a0,a0,0xf6a0
0xff7c915908: dsll a0,a0,0x10
0xff7c91590c: ori a0,a0,0x8fa8
0xff7c915910: jalr a0
0xff7c915914: move t9,a0
0xff7c915918: lw a0,40(s8)
0xff7c91591c: dext a0,a0,0x0,0x8
0xff7c915920: sltiu at,a0,1 <---------- CodeGen::genCodeForCompare
0xff7c915924: beqz at,0xff7c915944
0xff7c915928: nop
0xff7c91592c: b 0xff7c91596c
0xff7c915930: nop
0xff7c915934: nop
0xff7c915938: nop
0xff7c91593c: nop
0xff7c915940: nop <----------- CodeGen::genCodeForCompare
0xff7c915944: ld a0,32(s8)
=> 0xff7c915948: ldc1 $f0,8(a0)
0xff7c91594c: sdc1 $f0,24(s8)
0xff7c915950: nop
0xff7c915954: b 0xff7c9159a0
0xff7c915958: nop
0xff7c91595c: nop
0xff7c915960: nop
0xff7c915964: nop
0xff7c915968: nop
0xff7c91596c: bal 0xff7c915974
0xff7c915970: nop
0xff7c915974: li at,0x44
0xff7c915978: daddu a0,at,ra
0xff7c91597c: ldc1 $f0,0(a0)
0xff7c915980: sdc1 $f0,24(s8)
0xff7c915984: nop
0xff7c915988: b 0xff7c9159a0
0xff7c91598c: nop
0xff7c915990: nop
0xff7c915994: nop
0xff7c915998: nop
0xff7c91599c: nop
0xff7c9159a0: ldc1 $f0,24(s8)
0xff7c9159a4: ld ra,8(sp) <---------- CodeGen::genFnEpilog -> CodeGen::genPopCalleeSavedRegisters
0xff7c9159a8: ld s8,0(sp) -> ...
0xff7c9159ac: daddiu sp,sp,48
0xff7c9159b0: jr ra
0xff7c9159b4: nop <---------- CodeGen::genFnEpilog
...
ldc1 $f0,8(a0)是由emitter::emitInsLoadStoreOp和emitter::emitIns_R_R_I生成。你可以“故意”修改src/jit/codegenmips64.cpp[4]的CodeGen::genCodeForIndir,添加冗余的nop指令:
diff --git a/src/jit/codegenmips64.cpp b/src/jit/codegenmips64.cpp
index ef18106..465bc17 100644
--- a/src/jit/codegenmips64.cpp
+++ b/src/jit/codegenmips64.cpp
@@ -8290,6 +8290,7 @@ void CodeGen::genCodeForIndir(GenTreeIndir* tree)
}
getEmitter()->emitInsLoadStoreOp(ins, emitActualTypeSize(type), targetReg, tree);
+ instGen(INS_nop);
if (emitBarrier)
{
重新编译,就可以看到“故意”生成的冗余nop指令:
(gdb) x/22i $pc-44
0xff7c936560: dext a0,a0,0x0,0x8
0xff7c936564: sltiu at,a0,1
0xff7c936568: beqz at,0xff7c936588
0xff7c93656c: nop
0xff7c936570: b 0xff7c9365b4
0xff7c936574: nop
0xff7c936578: nop
0xff7c93657c: nop
0xff7c936580: nop
0xff7c936584: nop
0xff7c936588: ld a0,32(s8)
=> 0xff7c93658c: ldc1 $f0,8(a0)
=> 0xff7c936590: nop
0xff7c936594: sdc1 $f0,24(s8)
0xff7c936598: nop
0xff7c93659c: b 0xff7c9365e8
0xff7c9365a0: nop
0xff7c9365a4: nop
0xff7c9365a8: nop
0xff7c9365ac: nop
0xff7c9365b0: nop
0xff7c9365b4: bal 0xff7c9365bc
0xff7c9365b8: nop
还可以通过grep ldc1 -rn src/jit/来了解访存相关的代码生成。因为ldc1 $f0,8(a0)属于RRI指令形式,所以可以在emitter::emitIns_R_R_I“故意”加入断言:
diff --git a/src/jit/emitmips64.cpp b/src/jit/emitmips64.cpp
index 06b574d..9d19a52 100644
--- a/src/jit/emitmips64.cpp
+++ b/src/jit/emitmips64.cpp
@@ -2513,6 +2513,7 @@ void emitter::emitIns_R_R_I(
assert((-32768 <= imm) && (imm <= 32767));
assert(isFloatReg(reg1));
assert(isGeneralRegisterOrR0(reg2));
+ assert(imm != 8 && reg1 != REG_F0 && reg2 != REG_A0);
break;
case INS_c_f_s:
gdb bt一下就能知道具体的函数(例如:emitter::emitInsLoadStoreOp)以及行数。
1. https://github.com/dotnet/runtime/issues/37405
2. https://hev.cc/2758.html
3. https://github.com/gsvm/coreclr/blob/mips64-port/tests/src/JIT/Methodical/Invoke/thiscall/_dbgthisnull.ilproj
4. https://github.com/gsvm/coreclr/blob/mips64-port/src/jit/codegenmips64.cpp
相关文章: