loongarch64 crashes caused by lenient instruction decoding of vldi and xvldi

Host environment

• Operating system: Linux Mint 22 Cinnamon
• OS/kernel version: Linux lorenz-IdeaPad-5-15ALC05 6.8.0-38-generic #38-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 7 15:25:01 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
• Architecture: x86
• QEMU flavor: qemu-user-static
• QEMU version: qemu-loongarch64 version 8.2.2 (Debian 1:8.2.2+ds-0ubuntu1.6)
• QEMU command line:

  qemu-loongarch64-static ./test_inv_vldi

Emulated/Virtualized environment

• Architecture: loongarch64 (default one)

Description of problem

Lenient instruction decoding of vldi and xvldi leads to Qemu crashes.

The decoding of vldi and xvldi instruction allows for instructions with illegal immediates.

target/loongarch/insns.decode:

vldi             0111 00111110 00 ............. .....     @v_i13
xvldi            0111 01111110 00 ............. .....     @v_i13

This is considered in target/loongarch/tcg/insn_trans/trans_vec.c.inc:

    /*
     * imm bit [11:8] is mode, mode value is 0-12.
     * other values are invalid.
     */

However, an assertion error is raised when this condition is violated and qemu crashes:

**
ERROR:target/loongarch/insn_trans/trans_vec.c.inc:3574:vldi_get_value: code should not be reached
Bail out! ERROR:target/loongarch/insn_trans/trans_vec.c.inc:3574:vldi_get_value: code should not be reached

On hardware (Loongson 3A5000), these instructions cause a SIGILL.

Steps to reproduce

1. compile the test_inv_vldi test program for loongarch64 (see additional information)
2. run qemu-loongarch64-static ./test_inv_vldi

Additional information

I will post a patch for this issue to the mailing list soon.

test_inv_vldi source code:

int main(int argc, char** argv) {
    asm volatile(".4byte 0x73e3a000");    
}