or1k tcg SIGILL

QEMU master (v7.0.0-1429-g7077fcb9), running on a Linux v5.17 arm64 host (Apple M1). The issue does not reproduce when running on an amd64 host.

Running Linux under the or1ksim machine:

$ qemu-system-or1k -nographic -kernel vmlinux 
Thread 3 "qemu-system-or1" received signal SIGILL, Illegal instruction.
[Switching to Thread 0xfffff5b5c9d0 (LWP 3373353)]
0x0000ffffb01db228 in code_gen_buffer ()
(gdb) bt
#0  0x0000ffffb01db228 in code_gen_buffer ()
#1  0x0000aaaaaacf2e88 in cpu_tb_exec
    (cpu=cpu@entry=0xaaaaab1db410, itb=itb@entry=0xffffb01db100 <code_gen_buffer+1945780>, tb_exit=tb_exit@entry=0xfffff5b5bf20) at ../accel/tcg/cpu-exec.c:358
#2  0x0000aaaaaacf3e38 in cpu_loop_exec_tb
    (tb_exit=0xfffff5b5bf20, last_tb=<synthetic pointer>, tb=0xffffb01db100 <code_gen_buffer+1945780>, cpu=0xaaaaab1db410) at ../accel/tcg/cpu-exec.c:848
#3  cpu_exec (cpu=cpu@entry=0xaaaaab1db410) at ../accel/tcg/cpu-exec.c:1007
#4  0x0000aaaaaad0e090 in tcg_cpus_exec (cpu=cpu@entry=0xaaaaab1db410)
    at ../accel/tcg/tcg-accel-ops.c:67
#5  0x0000aaaaaad0e9f4 in rr_cpu_thread_fn (arg=arg@entry=0xaaaaab1db410)
    at ../accel/tcg/tcg-accel-ops-rr.c:223
#6  0x0000aaaaaae88be8 in qemu_thread_start (args=<optimized out>)
    at ../util/qemu-thread-posix.c:504
#7  0x0000fffff7267f3c in start_thread (arg=0x0) at pthread_create.c:481
#8  0x0000fffff6b57cdc in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:79

Running again with TCG debug logging enabled (`-d exec,cpu,out_asm,in_asm`):

$ qemu-system-or1k -nographic -kernel or1ksim/vmlinux -d exec,cpu,out_asm,in_asm
IN: clocks_calc_mult_shift
0xc0074ee8:  l.ori     r30, r0, 31
0xc0074eec:  l.srli    r25, r28, 1
0xc0074ef0:  l.ori     r16, r0, 32
0xc0074ef4:  l.srli    r23, r24, 1
0xc0074ef8:  l.addi    r26, r22, -32
0xc0074efc:  l.sub     r14, r30, r22
0xc0074f00:  l.addi    r19, r16, -32
0xc0074f04:  l.sub     r17, r30, r16
0xc0074f08:  l.sfgesi  r19, 0
0xc0074f0c:  l.sll     r21, r24, r19
0xc0074f10:  l.srl     r17, r23, r17
0xc0074f14:  l.bnf     52
0xc0074f18:  l.sll     r19, r24, r16

OUT: [size=168]
  -- guest addr 0xc0074ee8 + tb prologue
0xffff441db1c0:  b85f0274  ldur     w20, [x19, #-0x10]
0xffff441db1c4:  7100029f  cmp      w20, #0
0xffff441db1c8:  5400048b  b.lt     #0xffff441db258
0xffff441db1cc:  528003f4  movz     w20, #0x1f
0xffff441db1d0:  b9007a74  str      w20, [x19, #0x78]
  -- guest addr 0xc0074eec
0xffff441db1d4:  b9407274  ldr      w20, [x19, #0x70]
0xffff441db1d8:  53017e94  lsr      w20, w20, #1
0xffff441db1dc:  b9006674  str      w20, [x19, #0x64]
  -- guest addr 0xc0074ef0
0xffff441db1e0:  52800414  movz     w20, #0x20
0xffff441db1e4:  b9004274  str      w20, [x19, #0x40]
  -- guest addr 0xc0074ef4
0xffff441db1e8:  b9406274  ldr      w20, [x19, #0x60]
0xffff441db1ec:  53017e95  lsr      w21, w20, #1
0xffff441db1f0:  b9005e75  str      w21, [x19, #0x5c]
  -- guest addr 0xc0074ef8
0xffff441db1f4:  b9405a75  ldr      w21, [x19, #0x58]
0xffff441db1f8:  510082b6  sub      w22, w21, #0x20
0xffff441db1fc:  b9006a76  str      w22, [x19, #0x68]
  -- guest addr 0xc0074efc
0xffff441db200:  528003f6  movz     w22, #0x1f
0xffff441db204:  4b1502d5  sub      w21, w22, w21
0xffff441db208:  b9003a75  str      w21, [x19, #0x38]
  -- guest addr 0xc0074f04
0xffff441db20c:  b9082a76  str      w22, [x19, #0x828]
0xffff441db210:  52800035  movz     w21, #0x1
0xffff441db214:  b9082675  str      w21, [x19, #0x824]
  -- guest addr 0xc0074f08
0xffff441db218:  52800035  movz     w21, #0x1
0xffff441db21c:  b9082275  str      w21, [x19, #0x820]
  -- guest addr 0xc0074f0c
0xffff441db220:  b9005674  str      w20, [x19, #0x54]
  -- guest addr 0xc0074f10
0xffff441db224:  b900467f  str      wzr, [x19, #0x44]
  -- guest addr 0xc0074f18
0xffff441db228:  53207e94  .byte    0x94, 0x7e, 0x20, 0x53
0xffff441db22c:  b9004e74  str      w20, [x19, #0x4c]
0xffff441db230:  5289e314  movz     w20, #0x4f18
0xffff441db234:  72b800f4  movk     w20, #0xc007, lsl #16
0xffff441db238:  b9080674  str      w20, [x19, #0x804]
0xffff441db23c:  5289e394  movz     w20, #0x4f1c
0xffff441db240:  72b800f4  movk     w20, #0xc007, lsl #16
0xffff441db244:  b9080274  str      w20, [x19, #0x800]
0xffff441db248:  aa1303e0  mov      x0, x19
0xffff441db24c:  580000be  ldr      x30, #0xffff441db260
0xffff441db250:  d63f03c0  blr      x30
0xffff441db254:  d61f0000  br       x0
0xffff441db258:  70fff540  adr      x0, #0xffff441db103
0xffff441db25c:  17f89374  b        #0xffff4400002c
  data: [size=8]
0xffff441db260:  .quad  0x0000aaaae9be36c4

Linking TBs 0xffff441db080 [c0075014] index 0 -> 0xffff441db1c0 [c0074ee8]
Trace 0: 0xffff441db1c0 [00000000/c0074ee8/00000065/ff000000] clocks_calc_mult_shift
PC=c0074ee8
R00=00000000 R01=c046bf14 R02=c046bf50 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=000000d6
R08=ffffffff R09=c0074eb8 R10=c046a000 R11=00000000
R12=ff1b9e00 R13=00000008 R14=00000000 R15=98968000
R16=00000001 R17=00000000 R18=c0474d90 R19=00000010
R20=c0474d8c R21=00000000 R22=00000020 R23=00000000
R24=3b9aca00 R25=00000131 R26=c04b74c4 R27=00000010
R28=01312d00 R29=00000000 R30=c0498880 R31=00000000
Illegal instruction (core dumped)

The crash happens on this generated host instruction, which the disassembler could not decode and so prints as raw bytes:

0xffff441db228:  53207e94  .byte    0x94, 0x7e, 0x20, 0x53
